
Directory: LDAP Features for Certification
Copyright © 2003 The Open Group

Directory Solutions

Many solutions to the problems of managing and operating enterprises rely on directory technology. The following is not an exhaustive list, and there is much overlap between its members, but it does give an indication of the prevalence and value of directory-based solutions.

Authentication and Discovery

These solutions use directory infrastructure to authenticate users' access to the network, to system resources, or to applications.

A simple example that fits into this category is auth_ldap from the Apache.org module list. This is an LDAP authentication module that allows Apache to authenticate HTTP clients using user entries in an LDAP directory. This module performs:

Authentication and discovery solutions typically use features from all feature groups.
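The lookup step of such an authentication can be made concrete. The following Python is an added example, not text from the Open Group document or code from the auth_ldap module: it parses a directory location written as an RFC 2255 URL of the form Apache's AuthLDAPURL directive uses (ldap://host:port/basedn?attribute?scope?filter), builds the search filter that locates the user's entry, escaping the login name as RFC 4515 requires so it is matched literally, and insists on exactly one match before the module would bind as that entry. The host name, base DN and login names are constructed sample values; the function and class names are this example's own.

```python
"""
Added example, not code from the Open Group document or from the auth_ldap
module: the first half of an LDAP authentication as auth_ldap performs it,
locating the user's entry by a search before binding as that entry.
Assumption: the directory location is an RFC 2255 URL in the form used by
Apache's AuthLDAPURL directive (ldap://host:port/basedn?attribute?scope?filter).
Host, base DN and login names below are constructed sample values.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote, urlsplit

# Default ports for the two URL schemes (RFC 2255 / RFC 4516).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Characters RFC 4515 requires to be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


@dataclass(frozen=True)
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str  # attribute compared with the login name, e.g. uid
    scope: str      # "base", "one" or "sub"
    filter: str     # additional filter ANDed with the login-name match


def parse_ldap_url(url: str) -> LdapUrl:
    """Split an RFC 2255 URL into its parts, applying the usual defaults
    (port 389/636 by scheme, attribute uid, scope sub, filter (objectClass=*))."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("LDAP URL has no host")
    # The query part is '?'-separated: attribute?scope?filter[?extensions].
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, flt = (unquote(f) for f in fields[:3])
    scope = scope.lower() or "sub"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"bad scope: {scope!r}")
    return LdapUrl(
        scheme=scheme,
        host=parts.hostname,
        port=parts.port or DEFAULT_PORTS[scheme],
        base_dn=unquote(parts.path.lstrip("/")),
        attribute=attribute or "uid",
        scope=scope,
        filter=flt or "(objectClass=*)",
    )


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter so it is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(url: LdapUrl, login_name: str) -> str:
    """Filter that selects the entry for login_name under url.base_dn."""
    return f"(&{url.filter}({url.attribute}={escape_filter_value(login_name)}))"


def select_user_dn(found_dns: List[str]) -> str:
    """The search must identify exactly one entry; otherwise the bind step
    would authenticate against a missing or ambiguous identity."""
    if len(found_dns) != 1:
        raise LookupError(f"expected one matching entry, found {len(found_dns)}")
    return found_dns[0]


if __name__ == "__main__":
    url = parse_ldap_url(
        "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
    )
    print(url.host, url.port, url.base_dn)
    print(user_lookup_filter(url, "smith (it)*"))  # the search the module would issue
    # Constructed search result standing in for what the directory would return:
    print("bind as:", select_user_dn(["uid=smith,ou=People,dc=example,dc=com"]))
```

The second phase, binding to the directory with the selected DN and the password supplied by the HTTP client, is what actually proves the identity; the search only decides which entry to bind as, which is why the single-match check matters.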

Data Storage

This is the use of a directory to store, manage, and retrieve data. Typically this data will encompass application configuration and application-specific data that pertains to the solution. Solutions in this category include basic data management functionality such as add, delete, rename, and modify.
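The add, delete, rename, and modify operations named above are commonly expressed as LDIF change records (RFC 2849) when directory contents are managed from a file or script. The following Python is an added example, not part of the Open Group document, that generates such records, applying the RFC's rule that a value which cannot be written as plain text (one that begins with a space, colon or '<', or that contains non-ASCII or control characters) is base64-encoded behind a double colon. The DNs and attribute values are constructed sample data and the function names are this example's own.

```python
"""
Added example (not from the Open Group document): emit LDIF change records
(RFC 2849) for the four basic content-management operations of a directory:
add, modify, rename (modrdn) and delete. DNs and values are constructed data.
"""
import base64
from typing import Dict, List, Optional, Sequence, Tuple


def _needs_base64(value: str) -> bool:
    """RFC 2849 only allows a plain value that starts with a safe character
    (not space, colon or '<') and contains only ASCII without NUL, CR or LF;
    anything else must be base64-encoded."""
    if value == "":
        return False
    if value[0] in " :<":
        return True
    return any(ord(ch) > 127 or ch in "\x00\r\n" for ch in value)


def _attr_line(name: str, value: str) -> str:
    """One 'name: value' line, or 'name:: base64' where the value is not safe."""
    if _needs_base64(value):
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def _record(lines: List[str]) -> str:
    # Records are separated from each other by a blank line.
    return "\n".join(lines) + "\n\n"


def ldif_add(dn: str, attrs: Dict[str, Sequence[str]]) -> str:
    """Create a new entry with the given multi-valued attributes."""
    lines = [_attr_line("dn", dn), "changetype: add"]
    for name, values in attrs.items():
        lines.extend(_attr_line(name, v) for v in values)
    return _record(lines)


def ldif_modify(dn: str, changes: Sequence[Tuple[str, str, Sequence[str]]]) -> str:
    """changes: (operation, attribute, values) with operation one of
    add / delete / replace; each change is terminated by a '-' line."""
    lines = [_attr_line("dn", dn), "changetype: modify"]
    for op, name, values in changes:
        if op not in ("add", "delete", "replace"):
            raise ValueError(f"unknown modify operation {op!r}")
        lines.append(f"{op}: {name}")
        lines.extend(_attr_line(name, v) for v in values)
        lines.append("-")
    return _record(lines)


def ldif_modrdn(dn: str, new_rdn: str, delete_old_rdn: bool = True,
                new_superior: Optional[str] = None) -> str:
    """Rename an entry; new_superior additionally moves it under another parent."""
    lines = [
        _attr_line("dn", dn),
        "changetype: modrdn",
        _attr_line("newrdn", new_rdn),
        f"deleteoldrdn: {1 if delete_old_rdn else 0}",
    ]
    if new_superior is not None:
        lines.append(_attr_line("newsuperior", new_superior))
    return _record(lines)


def ldif_delete(dn: str) -> str:
    """Remove an entry (it must be a leaf in most directories)."""
    return _record([_attr_line("dn", dn), "changetype: delete"])


if __name__ == "__main__":
    people = "ou=People,dc=example,dc=com"
    print(ldif_add(f"uid=alice,{people}", {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"],
        "cn": ["Alice Liddell"], "sn": ["Liddell"],
        "description": [":leading colon forces base64"],
    }), end="")
    print(ldif_modify(f"uid=alice,{people}", [
        ("replace", "mail", ["alice@example.com"]),
        ("delete", "telephoneNumber", []),
    ]), end="")
    print(ldif_modrdn(f"uid=alice,{people}", "uid=aliddell"), end="")
    print(ldif_delete(f"uid=aliddell,{people}"), end="")
```

The output can be fed to any RFC 2849-aware tool; in a real deployment the bind used to apply these records should be the one check that matters, since an add or modify right is a write right over identity data.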

Directory-Enabled Networking (DEN)

The Directory-Enabled Network (DEN) initiative is designed to provide the building blocks for more intelligent management by mapping concepts such as systems, services, and policies to a directory, and integrating this information with other elements in the management infrastructure. This utilizes existing user and enterprise-wide data already present in a company's directory, empowers end-to-end services, and supports distributed network-wide service creation, provisioning, and management.

The concepts that are mapped are derived from the Common Information Model (CIM) of the Distributed Management Task Force.

The goals of the DEN effort are to use a directory as follows: first to "direct" clients to relevant management services, and second to hold a subset of management data. Current efforts are focused on defining directory schema and usage for:

Identity Management

Identity Management is the process of identifying, storing, and managing individual, group, and network resource information. This is most often done using a directory as a repository for the managed information. Today, the information managed (identities) can be utilized in a myriad of applications from simple password verification to complex PKIs.

Facilities that utilize directory services include:

The identity information that is ultimately managed has many uses, including authentication, authorization, application access, role-based privilege determination, and information distribution.

For security purposes, the directory must also ensure that communication between the management applications and the directory can itself be secured using protocols such as TLS.

Public Directory

All companies and organizations manage information on their employees and customers, networks, devices and applications, products and services, and much more. These directories are used both for reference purposes and as the basis for a growing number of applications such as e-business, e-procurement, white/yellow pages, public key infrastructure (PKI) services, single sign-on applications, messaging systems, or computer telephony integration, to name just a few. Directories are used as public directories in Internet, intranet, extranet, Web portal, or service provider environments. As a basis for identity management, they manage user and subscriber profiles, digital certificates for PKI services, authentication and authorization information, access permissions, and other relevant attributes for users and subscribers to provide secure access to information, network resources, or distributed services.

Directories are also incorporating solutions to allow their users to access directory information in a number of different ways. Besides web browser access and access via application programming interfaces, which today come as standard with most directory products, the other trend is access via wireless devices, such as PDAs and cell phones. Since directories are designed to support multiple applications and platforms, adherence to standards is a must to ensure that they are compatible with other directory solutions and applications on the market.

While data stored in a public directory is mostly accessed read-only through search and read operations, add, modify, and delete operations are also required to manage directory contents. Many public directory solutions also require that users and applications authenticate when binding to a directory service. In the world of e-business, controlling access to security-critical information is of greater importance than ever before.

Reporting

Many directory applications read information from directories but do not add to or change the directory contents. They include "white pages", report creation, and auditing.

They typically use features from all the feature groups except Storage and Update.

Security

These solutions use directory resources and facilities, in conjunction with specific security functionality, to protect and safeguard all online resources. Common examples of directory-supported security applications include:

A common aspect of all these applications is authorization and, to a lesser degree, authentication.

For true security, the directory must also ensure that communication between the applications and the directory can itself be secured using protocols such as TLS.
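To make the TLS requirement stated here (and in the Identity Management section above) concrete, the following Python is an added example, not part of the Open Group document: it builds the client-side TLS settings an application should use when it connects to a directory, chooses between LDAPS and a StartTLS upgrade from the URL scheme, and refuses a simple (password) bind unless the transport is protected. It uses only the standard library; the CA bundle path is a placeholder the deployment supplies, and the function names are this example's own.

```python
"""
Added example (not from the Open Group document): client-side transport
protection for a connection from an application to a directory.
Standard library only; the CA bundle path is a placeholder supplied by the
deployment.
"""
import ssl
from typing import Optional


def directory_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS settings for the client side of an LDAPS or StartTLS session:
    the server certificate must chain to a trusted CA, its name must match the
    host that was asked for, and protocol versions below TLS 1.2 are refused."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Check that a context enforces the three properties above; useful as a
    guard before a context obtained from elsewhere is used for a bind."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def transport_for(scheme: str, allow_plaintext: bool = False) -> str:
    """How the connection is protected, decided from the URL scheme:
    ldaps -> TLS from the first byte (port 636 by default);
    ldap  -> plain connection immediately upgraded with the StartTLS
             extended operation (RFC 4511, section 4.14), unless the caller
             explicitly accepts plaintext, e.g. for a loopback test directory."""
    scheme = scheme.lower()
    if scheme == "ldaps":
        return "ldaps"
    if scheme == "ldap":
        return "plaintext" if allow_plaintext else "starttls"
    raise ValueError(f"unknown scheme {scheme!r}")


def simple_bind_allowed(transport: str) -> bool:
    """A simple bind carries the password in the clear inside the LDAP message,
    so it is only acceptable once the transport itself is protected
    (RFC 4513, section 5.1.3, warns against it on unprotected connections)."""
    return transport in ("ldaps", "starttls")


if __name__ == "__main__":
    ctx = directory_tls_context("/etc/ssl/certs/example-ca.pem")  # placeholder path
    print("hardened:", context_is_hardened(ctx))
    for scheme in ("ldaps", "ldap"):
        t = transport_for(scheme)
        print(scheme, "->", t, "simple bind ok:", simple_bind_allowed(t))
```

Hostname checking is the setting most often switched off in practice to work around a mismatched certificate; with it off, any certificate the CA has issued would be accepted for the directory, so the check belongs in the context rather than in per-call code that can forget it.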
