If it's not one thing, it's another. Deploying the new Windows 2000 directory took a superhuman effort. Now, managing it seems like a job for Superman. Fortunately, AD administrators/superheroes can enlist the aid of a sidekick, Lightweight Directory Access Protocol (LDAP), which can cut AD management tasks down to size.
Directory software protocols make keeping track of the user, password and IT resource information stored in directories more straightforward, according to Gregoire Michel. LDAP uses a hierarchical approach to do that, and an LDAP management tool can simplify management substantially. Michel is chief marketing officer of Aubagne, France-based Calendra, Inc., which recently released Calendra Directory Manager 3.0, an LDAP-based directory content manager. He recently spoke to searchWindowsManageability about the benefits of LDAP-based directories.
sWM:
What are the benefits to having a directory as a business application?
Michel:
Directory services are about sharing business critical information. The main benefit is that the directory is a central repository for very basic information that will be shared throughout an entire enterprise and IT system. In the directory, you put information about people, IT and non-IT resources, and information about rights. Directories are often used as a central directory for authorization and authentication information and the relationship between those. Who has what rights on different applications or resources, for example. So that information is being stored and maintained in one place, but can be used by all the applications.
sWM:
Are all directory services LDAP-based?
Michel:
Not necessarily; some are based on relational or SQL databases.
sWM:
What makes LDAP a preferred protocol?
Michel:
LDAP technology has standardized schemas and a performance level that make it the de facto standard. In relational or SQL databases, if you want to access data, you have to know the schema, such as how the tables are set up and what information they contain. You also have to know the names of the tables. They are not standardized. LDAP standardizes these kinds of things. It's hierarchical. You always query an LDAP by the top hierarchy, and then you drill down in the tree. It's auto-discovery.
The second aspect is about performance. LDAP directories are usually tuned for getting 90% of read queries and 10% of write queries. It's very efficient to read information and less efficient to write it. Usually, relational databases are tuned for 50/50. So LDAP would be faster in read and slower in write than a relational database. When you need a fast response time because you need to get a new password for somebody, it makes sense to use an LDAP database.
sWM:
What are the headaches inherent in managing a directory?
Michel:
The first one is having to choose a technology. The second is to find the skilled people to administer it. It's still a new, complex technology, and the skills are scarce and expensive. The third is a political problem. Companies may not want to put sensitive information in a central place. The last headache comes with how you integrate the directory services in your IT systems.
sWM:
Active Directory is the Windows 2000 directory. Can you tell me what the headaches are in managing Active Directory specifically?
Michel:
Active Directory is basically an LDAP directory. It has an LDAP interface, and so if you have an LDAP tool you can access AD. The difficulty with AD is that some of the functions you normally find in an LDAP directory are not yet implemented in AD. AD is not compliant with the password management standard, for example. If you want to change someone's password, you have to go through the OS, not directly through the LDAP.
There are also specific difficulties in using AD in LDAP as a corporate directory. They come from the specifics of the schema, or how the information is being modeled in the directory. Microsoft has implemented lots of object classes that are required for the Windows 2000 environment. Windows 2000 needs that information. This information is not LDAP standard. So you need to be able to handle that if you want to effectively manage AD and use it as an LDAP data source.
sWM:
What are the benefits of using an LDAP management tool?
Michel:
The main benefit is delegated administration and self-service. Editing all the content in the directory can only be done by highly skilled people who can use the LDAP interface if you don't have this kind of tool.
If you have a directory content management tool, you can decide that phone numbers should be managed by office managers, not IT people. You could give end users the capacity to implement some very strict security enforcement mechanism so you don't have everyone accessing any data. You can delegate the administration of the information in the directory to people who own that information. It saves a lot of time and money because those people post to the directory instead of sending an e-mail to the IT people who receive hundreds of e-mails like that every day. Those IT people often make mistakes because sometimes they just don't type in the right information. You can cut the costs of administering the directory data by two to three times.
Directories decrease the cost of administering IT environments, including the security. They allow you to move to a place where you're doing things once, instead of two, three, four times, or as many times as the number of your applications.
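Two of Michel's points above lend themselves to a small working model: the top-down, hierarchical search he describes for LDAP, and the delegated administration where office managers may edit phone numbers and nothing else. The following is an added example written for this article, not code from Calendra or its product; the directory entries, the DNs and the "office-manager" role are constructed samples, and DN parsing is simplified (no RFC 4514 escaping).

```python
# Added example (not from the article or Calendra): an in-memory model of
# hierarchical DN search and attribute-level delegation, standard library only.
# DN handling is simplified: no RFC 4514 escaping of commas inside values.
from typing import Dict, List

# Constructed sample directory: dn -> attributes.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "dc=example,dc=com": {"objectClass": "domain"},
    "ou=Sales,dc=example,dc=com": {"objectClass": "organizationalUnit"},
    "ou=Engineering,dc=example,dc=com": {"objectClass": "organizationalUnit"},
    "cn=alice,ou=Sales,dc=example,dc=com": {"objectClass": "person", "telephoneNumber": "100"},
    "cn=bob,ou=Engineering,dc=example,dc=com": {"objectClass": "person", "telephoneNumber": "200"},
}

def rdns(dn: str) -> List[str]:
    """Split a DN into RDNs: leftmost is the leaf, rightmost is the top of the tree."""
    return [p.strip() for p in dn.split(",")]

def is_under(dn: str, base: str) -> bool:
    """True if dn lies in the subtree rooted at base (base itself included)."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def search(base: str, scope: str) -> List[str]:
    """Top-down search from a base DN, with LDAP-style scope: base, one or sub."""
    out = []
    for dn in DIRECTORY:
        if not is_under(dn, base):
            continue
        depth = len(rdns(dn)) - len(rdns(base))  # 0 = base entry, 1 = direct child
        if (scope == "base" and depth == 0) or (scope == "one" and depth == 1) or scope == "sub":
            out.append(dn)
    return sorted(out)

# Delegation rule (constructed): (role, OU it manages) -> attributes it may write.
DELEGATION = {("office-manager", "ou=Sales,dc=example,dc=com"): {"telephoneNumber"}}

def can_modify(role: str, managed_ou: str, target_dn: str, attribute: str) -> bool:
    """Deny by default; allow only delegated attributes on entries inside the delegated OU."""
    allowed = DELEGATION.get((role, managed_ou), set())
    return attribute in allowed and is_under(target_dn, managed_ou) and target_dn != managed_ou

def modify(role: str, managed_ou: str, target_dn: str, attribute: str, value: str) -> bool:
    """Apply a write if the entry exists and the delegation rule permits it."""
    if target_dn not in DIRECTORY or not can_modify(role, managed_ou, target_dn, attribute):
        return False
    DIRECTORY[target_dn][attribute] = value
    return True
```

A real directory enforces the same idea with server-side ACLs rather than application code; the point of the model is that the write permission is scoped both by subtree and by attribute.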