You are responsible for managing 15,000 user accounts and 20,000 computers in your company. It is 9 a.m. on Monday. Do you know where your users’ computers are? If you are working for a typical company, almost certainly you do not. “British Telecom recently audited their IT assets and found that they had 20,000 more computers than they thought,” says Dave Bingham, Consulting Director, Fujitsu Consulting UK. Now that is a serious systems management problem!
Many companies are sinking under the weight of their existing legacy network identity, access control, and provisioning systems. Some of the warning signs that you might have a problem:
- Users cannot remember all their passwords because each application requires its own authentication
- Directory information is out of date, or incomplete
- Ex-employees still have access to local/remote network services
- It takes on average, 22 steps to create a new employee e-mail address
- Little or no auditing of accounts and privileges, including cross application comparisons to get a true sense of user actions
- Redundant administration points and no pre-established delegation policies
- Proprietary access, authentication, and provisioning APIs for each application
As large and small companies alike struggle to control IT assets and costs, global network identity management systems are looking increasingly attractive. The Forrester Group predicts most Fortune 100 companies will be implementing these systems to reduce TCO (total cost of ownership), eliminate manual/legacy systems, and streamline business processes.
What do Novell, identity management and LDAP (Lightweight Directory Access Protocol) have to do with any of this? Is this the same moribund company known for the mature NetWare, NDS (Novell Directory Service), and GroupWise product lines? Yes, a revitalized Novell is aggressively pursuing the network identity management and directory services market with a new generation of LDAP-based products and technologies. By building on Novell’s traditional strengths in directory management and de-coupling these products from their flagship NDS NOS product, it is hoping to compete directly with iPlanet, Oblix, Critical Path, Microsoft, and other identity management vendors. The next few years will be a battleground for network identity vendors and consultants as they struggle to establish themselves in this new marketplace. Let us take a more in depth look at Novell’s LDAP implementation and directory service products to see why you should be seriously considering them if you need an enterprise scale LDAP system.
Why Novell and LDAP?
Novell realized it needed an open standard for its front-end application software. LDAP was the obvious choice because Novell had historically based both the NetWare and NDS systems on the X.500 protocol and LDAP was originally designed as the X.500 front end. In March 1999, Novell released a copy of open source LDAP as part of its SDK (software developer’s kit) indicating its full support for the LDAP standard. At the time Kurt Zeilenga, chief architect of the OpenLDAP Project, noted, “Global adoption of technologies requires that developers have access to open and reusable code. We are pleased that Novell has chosen to use OpenLDAP software and has made its changes available to the community so all may benefit. We look forward to working with Novell in furthering open source LDAP software.” It clearly had the full support of the developer community.
Although LDAP has been around as a standard protocol since 1995 until recently it has been a strictly back-office enterprise network service. Previously, the only open standard for directories was X.500, introduced in 1988. Since X.500 was OSI model based, LDAP was designed to serve as a translation protocol between the TCP/IP and OSI models. Because it is the most open and flexible of all the network services protocols, the network ID management community has embraced it as the core technology to connect user and machine identity information together into one seamless whole. It is now the de facto standard for most major identity management services applications. Openwave and iPlanet both use LDAP as the underlying address directory technology for enterprise e-mail services products. LDAP is an established, robust, scalable open directory standard — an extremely attractive solution.
Novell NDS and LDAP
How has that changed Novell’s products? First, let us look at the details of how the NDS system has fully incorporated LDAP. NDS 8 provides robust LDAP support by allowing access directly to a NDS data store. This affords the best of both worlds — open standards for directory access while leveraging Novell’s security strengths such as strong authentication and server-server replication. This enhanced support includes:
- LDAP Services are installed by default, which means that LDAP clients can transparently access NDS objects using SSL without requiring any additional client software.
- Ability to write directly to LDAP schema. To change an LDAP-NDS mapping, go to the ConsoleOne (Novell’s Java-based server/workstation management software) screen and select LDAP Group Object. Right click this object and select Properties. You can then go to the Attribute map or Class Map tab to add/modify/delete the appropriate object.
- Full auxiliary class support, which means if an NDS or LDAP object is a member of multiple object classes, it inherits the attributes of all these object classes. Note there are three default auxiliary classes in NDS.
eDirectory – Novell’s Directory Service Product
eDirectory, which evolved from NDS, is a directory service that is scalable, extensible, and high performance. In fact, Novell has publicly demonstrated that eDirectory can manage more than a billion objects in a single tree. This capability far exceeds what most enterprise networks or e-businesses will ever require. Some of eDirectory’s major components like global printing services are incorporated into NetWare 6.
Some of eDirectory’s new or enhanced features included in version 8.7 – codenamed “Falcon” are:
- Full support on multiple platforms, Netware, Windows NT/2000, and UNIX flavors (Linux, AIX, and Solaris). This is great news for multi-platform enterprises.
- eDirectory has full support for replication (multiple distributed copies of the directory in case of failover) and portioning (splitting directory logically to support decentralized administration and improved network performance). This is especially critical in a 7×24, five 9s, mission critical deployments.
- Full Support of LDAP over SSL/TLS (Secure Socket Layer & Transport Layer Security protocols). This feature is very important in the web-based services arena.
- Supports SNMP monitoring. Both directory monitoring and management consoles are available. ConsoleOne is a Java-based for servers/workstations, and iMonitor is a web-based monitoring and diagnostics for all company eDirectories.
- IManager is a web-based directory manager that performs operations on directory objects, including access, creation, directory portioning, and replication.
- It includes an import/export utility using LDAP Directory Interchange Format (LDIF) for simplified ports and integration with legacy systems. It can be executed from either the command line or the ConsoleOne or iManager products.
Here is a brief overview of the Novell directory structure from top to bottom. Novell calls its directories “container objects.”
- TREE (once called [ROOT]) is the top of the directory hierarchy and contains all objects in the directory. Primarily used to grant or deny global rights.
- ORGANIZATION contains all objects for an organization or enterprise. This includes the Administrator user. A COUNTRY object can also be created at this level for more refinement.
- ORGANIZATIONAL UNIT (OU) – is a further subdivision of an organization structure (such as divisions, geographical, etc). Users are created at this level.
- DOMAIN (DNS Domains) – allows eDirectory interaction with DNS for location of services.
Dir XML provides bi-directional and Meta-directory capabilities between e-Directory and other enterprise and legacy systems. The systems communicate by directly processing XML documents. DirXML runs on a variety of platforms — Linux, NetWare, Solaris, and Windows NT/2000, but requires eDirectory 8.5 or later. Currently available DirXML drivers include:
- LDAP Directories – IPlanet/Netscape Directory Server, Critical Path InJoin Directory, IBM SecureWay
- Electronic Messaging – Groupwise, Lotus Notes, Microsoft Exchange
- Enterprise Applications – Peoplesoft, IBM WebSphere MQ, Oracle, IBM DB2, and Sybase
- Operating System Domains – NT, Active Directory, NIS
- Delimited Text – Miscellaneous
Between eDirectory/DirXML there are two different types of data flows.
- Publisher Channel – Sends data from various systems to eDirectory.
- Subscriber Channel.- Sends data from eDirectory to various systems.
- DirXML Driver – Handles the communication between DirXML engine and the application but not the rule processing. This includes receiving the XML document and translating it into a set of commands, which are then sent to the appropriate data store. Note that DirXML 1.1 no longer requires eDirectory and DirXML running on the server allowing remote drivers to be dynamically loaded.
- DirXML Engine – Translates directory events such as add, modify, or delete to an XML document. Translation involves processing various filters, rules, and style sheets to achieve the desired result.
- Objects – eDirectory operations involve certain key objects, DirXML-DriverSet, DirXML-Driver, DirXML-Publisher, and DirXML-Subscriber.
- Filters — determine which attributes such as name or address will be affected for this particular channel session.
- Rules Sets
- Object mapping — Associates an object in the eDirectory schema with an object in the external application.
- Matching — Determines the attributes and values in eDirectory and the corresponding application that must match before creating an association attribute.
- Create Object — Specifies the attribute and values that must be in place before a new object or record is created.
- Placement — Specifies the location in the application the objects are stored. Multiple rules are typically used.
- XSLT Style sheets – Define the XLST transformation rules that transforms commands or directory events found in the XML documents.
Additional services and products Novell offers specifically designed to aid developers include:
- Customized DirXML Drivers — Written in either C++ or Java. The Java drivers requires JDK 1.1.7b or later. Developers can use DSTrace facility and DirXML Trace log for debugging.
- XML Interfaces for C++ – Allows the developer to write messages to DSTrace facility and DirXML Trace log.
- LDAP Extensions and Control for JNDI (Java Naming and Directory Interface).
- Test Server for LDAP
- eDirectory Class Libraries for C and Java – Used to perform operations such as query or add on a LDAP directory. Part of the Novell Developer Kit (NDK), it uses open source code from the OpenLDAP Project.
Novell is moving the right direction by porting the package to multiple platforms, but if you really want to have a fully integrated system, you should still be using the other Novell products in conjunction with eDirectory. Although eDirectory has some great features that make it easier to develop enterprise scaled directory services based applications, it is still at heart an NDS based product. It will probably work best for you if you already have a NetWare installation and some familiarity with the Novell approach to network based enterprise services. Tony Neal, IT manager at Marriott International Inc. views Novell LDAP support as “another piece of the protocol puzzle that will tie everything together, with NDS as the real engine underneath”. It is not clear when talking to Novell how many of their eDirectory installations are truly new customers and not just additional sales to the existing Novell customer base.
A few years back Novell took a serious misstep when they proposed a new top-level .dir domain for the Internet. The proposed .dir domain was a so-called chartered domain and would have required .dir applicants to be fully compliant with LDAP 2000, an LDAP conformance test sponsored by DIF. Novell claimed that establishing the .dir domain was critical because it would guarantee the type of sites that would use it. The proposed domain immediately met with community resistance and was quickly withdrawn. “Why is everyone looking to ICANN to rubber-stamp their business models?” said Rick Wesson, CEO of Alice’s Registry, in Santa Cruz, Calif., a consultancy for ICANN-accredited registrars. “Novell wants to create a LDAP (Lightweight Directory Access Protocol) root, but it doesn’t need a TLD to do that. It can build the same infrastructure under the existing DNS domains.”
Is Novell serious about LDAP?
Novell has been active with two emerging IETF standards groups. These efforts will no doubt end up in future Novell web, operating system, and directory products.
- SAML (Security Assertion Markup Language) 1.0 allows applications to share authentication information. In July, Novell participated in a SAML Interoperability forum as part of the Burton Group. However, the single sign-on solution remains a work-in-progress.
- The same group OASIS (Organization for the Advancement of Structured Information Standards) that oversees SAML also is creating the UDDI (Universal Description, Discovery and Integration) specification. UDDI includes a protocol for describing web services and queries about businesses/products. Novell sponsored engineers authored a draft schema to place UDDI information in an LDAP directory.
- Liberty Alliance is creating a “federated” identity authentication protocol, called “a circle of trust”, that allows users to transparently navigate between affiliated organizations. There are various security access issues still to be determined before this becomes reality. It is not clear what advantage this schema has over existing certification systems, like PKI.
Novell developers are working on the next release of Netware code named “Nakoma.” It will include enhanced DirXML support for tighter integration between NetWare, Novell Portal Services, and legacy corporate directories that require directory-based identity and access services. Current projected availability is summer 2003.
Some enhancements that are part of “Project Destiny” the overall Novell eDirectory and directory enhancement effort include:
- UDDI server due by year-end.
- The future version of eDirectory will be more dynamic with enhanced rules-based “decision-making” about people, and directory data.
- “Saturn” is a Novell effort to make eDirectory and iChain (identity-driven web access) compatible with the Liberty Alliance specification. “Saturn” reportedly will be completed by year-end.
- Dynamic Identity services and access will be granted based on the application.
In conclusion, Novell has been working hard to position itself in the forefront of the LDAP development community. Novell has leveraged its expertise with X.500 and NDS to create a powerful set of tools using LDAP and the NDS architecture. If you are serious about large-scale identity management applications and you already have some familiarity with the Novell environment, eDirectory might be just the toolkit you need to build your application.
- NDS and LDAP documentation
- DirXML documentation
- eDirectory documentation
- SAML and UDDI
- Liberty Alliance
- LDAP Test Server
Beth Cohen is president of Luth Computer Specialists, Inc., a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in a number of different fields including architecture, construction, engineering, software, telecommunications, and research. She is currently writing a book about IT for the small enterprise and pursuing an Information Age MBA from Bentley College.
Hallett German is an IT consultant who is experienced in implementing stable IT infrastructures with an emphasis on electronic messaging and directories. He is the founder of the Northeast SAS Users Group and former President of the REXX Language Association. He is the author of three books on scripting languages.