Network directory services made popular by vendors such as IBM, Microsoft and Novell Inc. are in the process of being transformed from single-use platforms to specialized directories that interoperate with each other across the enterprise.
Analysts at Burton Group, a Midvale, Utah-based consultancy, offered their vision on the evolutionary role of directories during a recent corporate conference call. They say directories are moving from their traditional role as general-purpose platforms serving one application in one area of the company to serving as the foundation for identity management products. That role could further change as the concept of distributing identity services takes hold.
Monolithic directories are overloaded
Past conventional wisdom held that centralization in a single Lightweight Directory Access Protocol (LDAP) directory would make directories easier to administer, said Mike Neuenschwander, a Burton Group analyst. The thinking was that the directory would be the central repository for all the identity data needed for applications. But today's monolithic directories are cracking under the strain of solving the application requirements that are placed on them, due in part to their convergence with vendors' identity management products.
Nick Nikols, also a Burton Group analyst, said he sees a new wave of directories as specific to one platform and having one role, but interoperating with other directories across the enterprise. Directories are moving from isolation to consolidation -- and finally to a distributed phase that can support multiple persistent uses of the same information, he said.
"Now we can start managing these distributed environments as a single logical entity, but getting the benefits of tailoring the schemas and directory structures to meet the specific needs of applications throughout the environment," Nikols said.
Indeed, customers need to think of identity services as something more than just directories. Identity services won't require consolidation as the previous architecture did, Neuenschwander added.
"There is a role for virtualization, for proxy services, for meta directory and for certain types of provisioning," he said. "Mix it all together, and you can create not just a single place for applications to go in the physical sense to get identity information, but also the ability for identity information to be shared without taxing the architecture beyond its capacity."
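The "single logical place" Nikols describes is usually built as a virtual directory: a facade that answers one lookup by querying several physical directories, mapping each one's schema onto a common one, and releasing to each application only the attributes it is entitled to. The following is an added illustration written for this article, not code from Burton Group or any vendor; the three in-memory "directories", their attribute names, the `SOURCES` precedence order and the `APP_POLICY` allowlist are all constructed for the example.

```python
"""Toy virtual directory: one logical lookup over several physical directories.

Constructed example. Each backend dict stands in for a real directory with its
own schema; the facade normalizes names, resolves conflicts by source precedence,
and enforces a per-application attribute allowlist (least privilege).
"""
from dataclasses import dataclass

# Constructed sample backends, each with its own attribute names.
HR_DIRECTORY = {
    "jdoe": {"employeeNumber": "1001", "givenName": "Jane", "sn": "Doe",
             "department": "R&D", "salaryBand": "L4"},
}
AD_DIRECTORY = {
    "jdoe": {"sAMAccountName": "jdoe", "mail": "jdoe@example.com",
             "memberOf": ["CN=VPN-Users", "CN=Finance"]},
}
APP_DIRECTORY = {
    # Stale alias for the same person: a conflict the facade must surface.
    "jdoe": {"uid": "jdoe", "mail": "jane.doe@example.com", "appRole": "editor"},
}


@dataclass
class Source:
    name: str
    store: dict
    schema_map: dict  # backend attribute name -> canonical attribute name


# Order defines precedence: the first source holding an attribute is authoritative.
SOURCES = [
    Source("hr", HR_DIRECTORY, {"employeeNumber": "employeeId", "givenName": "firstName",
                                "sn": "lastName", "department": "department",
                                "salaryBand": "salaryBand"}),
    Source("ad", AD_DIRECTORY, {"sAMAccountName": "username", "mail": "email",
                                "memberOf": "groups"}),
    Source("app", APP_DIRECTORY, {"uid": "username", "mail": "email", "appRole": "appRole"}),
]

# Per-application allowlist: the facade releases only what each consumer needs,
# so the VPN gateway never sees HR data such as salaryBand.
APP_POLICY = {
    "vpn-gateway": {"username", "email", "groups"},
    "hr-portal": {"employeeId", "firstName", "lastName", "department", "salaryBand"},
}


def merge_identity(user_id, sources=SOURCES):
    """Merge one user's entries from all sources into a canonical record.

    Returns (merged, conflicts). A later source disagreeing with an earlier
    (authoritative) one is recorded in conflicts rather than silently winning.
    """
    merged, conflicts = {}, {}
    for src in sources:
        entry = src.store.get(user_id)
        if entry is None:
            continue
        for attr, value in entry.items():
            canon = src.schema_map.get(attr)
            if canon is None:
                continue  # attribute deliberately not exposed by this mapping
            if canon in merged:
                if merged[canon] != value:
                    conflicts.setdefault(canon, []).append((src.name, value))
            else:
                merged[canon] = value
    return merged, conflicts


def lookup(app, user_id, sources=SOURCES, policy=APP_POLICY):
    """Virtual-directory lookup: canonical record filtered by the caller's allowlist.

    Raises PermissionError for an unregistered application; returns None for an
    unknown user so callers cannot distinguish 'no entry' from 'no attributes'.
    """
    allowed = policy.get(app)
    if allowed is None:
        raise PermissionError(f"application {app!r} is not registered with the directory facade")
    merged, _conflicts = merge_identity(user_id, sources)
    if not merged:
        return None
    return {k: v for k, v in merged.items() if k in allowed}


if __name__ == "__main__":
    print(lookup("vpn-gateway", "jdoe"))
    print(lookup("hr-portal", "jdoe"))
    print(merge_identity("jdoe")[1])  # the email conflict between AD and the app store
```

The point of the precedence list and the conflict record is that a distributed design still needs one authoritative source per attribute; without that, the "single logical entity" quietly returns whichever directory answered last. The allowlist is what keeps the facade from becoming a new monolith that hands every application every attribute.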
More standards needed
What's driving directory development is the fact that the products are mature, so vendors need to make them more distinctive. Almost all vendors have support for LDAP Version 3, for example, and each continues to improve its directory's performance.
But even though the trend to align directories with identity management services is real, end-to-end distributed identity services are still in the future. Vendors need standard interfaces, such as Security Assertion Markup Language (SAML) and WS-Federation, to interact with other identity systems throughout the federation, Nikols said.
A future identity management service model will let customers determine which applications might use a directory or help determine which requirements might be placed on a directory.
Today, IT staff can consider how centralized or distributed the enterprise should or could be and which tools might best suit the job. "Realize that no one directory offering will satisfy all the roles you require in your environment," Nikols said. "You might have multiple instances of a given directory or multiple directories, but realize that in the grander context, you are having an integrated environment."
Single directory not the answer
IT experts say they have long struggled with the problem of sharing information between multiple directories. "There are always some people in every large company who say, 'We need one directory, as long as it is the one I want,'" said John McGlinchey, an Active Directory administrator at Bristol-Myers Squibb Co., a global pharmaceutical company based in New York.
"But we need various directories for various purposes," he said. "You don't need just one directory, you just need a way to tie all these different directories together."
Customers need to realize that directories are not going away, but they may move toward broader identity management services, Nikols said. They are the best option for a persistent data repository, and they are good for storing rules and roles. "LDAP is also not going away, but it won't be the only interface," he said. "There will be others."