al enterprise directory is designed to manage all network resources throughout the enterprise in a unified manner.
For instance, instead of entering the same user name into an e-mail database, a human resources system, and a network OS (NOS), you enter it into the global directory, where applications can access it directly and other directories can synchronize with it. Users also log in to the entire network, rather than to each server or resource separately. Furthermore, users get location-independent, desktop-independent access to applications and services, as exemplified, for instance, in the Novell Application Launcher and Workstation Manager.
Those who have moved in the direction of global directories, using a directory developed in-house, Novell Directory Services (NDS), or Banyan's StreetTalk, for instance, generally believe that reduced administrative costs more than make up for the implementation effort.
Global directories can also make life easier for developers who need directory functions in their programs. Instead of having to implement an application-specific directory, they can use the global directory. The result is more sophisticated directory functions at a lower cost.
The barriers to implementing this vision include organizational politics, privacy concerns, data cleansing, multivendor interoperability, and specific products.
Hands Off My Data
Typically, you bring data into a global directory from existing application- and NOS-specific directories. Alternatively, you may "federate" directories, stitching them together into an apparently seamless whole without moving any data. Either way, as soon as you try to lay your hands on someone's data, you are into organizational politics.
"Payroll, personnel, and human resources departments are not accustomed to coughing up their data for these types of activities [i.e., building global enterprise directories] or modifying them to accommodate somebody else," says Larry Gauthier, director and senior analyst, network strategy services, with the Burton Group (Midvale, UT) consultancy. "If, through some bureaucratic process, you decide that human resources is the center of the universe [for directories], and you say, 'We'd like you to modify your PeopleSoft database to include an IP address or an e-mail address,' they'll look at you like you're crazy."
As the former director of operations management at the University of Michigan, Gauthier had operational responsibility for the X.500 directory -- the same project that produced LDAP. He also served as chair of the Network Applications Consortium (NAC), a group of large user organizations (including Compaq, Nike, Texaco, the U.S. Marine Corps, Pacific Gas & Electric, MCI, the University of Michigan, and the World Bank) that has played an influential role in the development of enterprise directories.
Organizational politics may derail any global-directory project unless you have a powerful champion in the organization, Gauthier notes. "Ideally, it should be the president or the CTO [chief technology officer]. It's nearly impossible to do it from the grass roots up."
A compromise may be to set up a system where the central repository only reads information from other directories. This is usually not ideal, because a central repository that cannot write to other directories cannot replicate to those directories in real time. Instead, it must write out files that can be integrated into the other directories in batch mode. While this economizes processing resources and network bandwidth, it also means that some directories will have old, incorrect information until the batch job runs.
The Burton Group believes that geopolitical issues (i.e., problems posed by geography, for example, time zones, distances, and foreign nations and laws) and bureaucracy are the major impediments to the deployment of global directories.
Count Me Out
When you move information from limited-access systems such as payroll or human resources to a much more widely available global directory, privacy and unwanted phone calls and e-mail become an issue. You may want to protect certain information with passwords or certificates. Integrating strong security complicates the directory system but also makes it suitable for a wider range of information, as well as applications such as Web-based commerce.
In addition, you may want to limit searches so people can't download the whole directory into their mailing lists, notes Ken Bauer, a systems analyst in the IS department at the University of Texas at Houston. At UT, students can also request not to be listed, though fewer than 5 percent exercise this option.
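The two controls described in this section, a cap on how many entries one query may return and an opt-out flag for people who ask not to be listed, together with attribute-level protection for information that should only be visible to authenticated callers, can be demonstrated with a small in-memory directory. The code below is an added example written for this article; it is not code from UT-Houston or from any directory product, and the entries, attribute names and limits are constructed.

```python
"""Hypothetical directory search with three protective controls:
  * a size limit on anonymous queries, so a single search cannot pull
    the whole directory into a mailing list;
  * a per-entry "listed" flag honoring requests not to be listed;
  * attribute projection, so contact details are returned only to
    authenticated callers.
Added example, not code from the article's sources. All data is constructed."""

# Constructed sample entries; every value here is made up.
DIRECTORY = [
    {"cn": "Alice Example", "mail": "alice@example.edu", "dept": "Biology",
     "phone": "555-0100", "listed": True},
    {"cn": "Bob Example", "mail": "bob@example.edu", "dept": "Biology",
     "phone": "555-0101", "listed": False},   # asked not to be listed
    {"cn": "Carol Example", "mail": "carol@example.edu", "dept": "Physics",
     "phone": "555-0102", "listed": True},
    {"cn": "Dan Example", "mail": "dan@example.edu", "dept": "Physics",
     "phone": "555-0103", "listed": True},
]

PUBLIC_ATTRS = {"cn", "dept"}                       # visible to anyone
AUTHENTICATED_ATTRS = PUBLIC_ATTRS | {"mail", "phone"}
ANONYMOUS_SIZE_LIMIT = 2                            # assumed policy value


def search(filter_fn, authenticated=False, size_limit=ANONYMOUS_SIZE_LIMIT):
    """Return (entries, complete).

    `complete` is False when the anonymous size limit truncated the
    result, mirroring the way an LDAP server returns partial results
    together with a size-limit-exceeded status. Entries flagged
    listed=False are skipped for anonymous callers; each returned entry
    is projected down to the attributes the caller is allowed to see.
    """
    allowed = AUTHENTICATED_ATTRS if authenticated else PUBLIC_ATTRS
    results = []
    for entry in DIRECTORY:
        if not entry["listed"] and not authenticated:
            continue                     # honor the opt-out for public queries
        if not filter_fn(entry):
            continue
        if not authenticated and len(results) >= size_limit:
            return results, False        # stop: limit reached, result incomplete
        results.append({k: v for k, v in entry.items() if k in allowed})
    return results, True


if __name__ == "__main__":
    # An anonymous "give me everything" query is cut off at the limit.
    entries, complete = search(lambda e: True)
    print(len(entries), "entries, complete =", complete)
    # A narrow anonymous query succeeds but shows only public attributes.
    print(search(lambda e: e["dept"] == "Physics"))
    # An authenticated query sees contact details and opted-out entries.
    print(search(lambda e: e["dept"] == "Biology", authenticated=True))
```

The size limit is applied before the entry is added, so the caller gets exactly `size_limit` entries plus a flag saying the answer is incomplete; a client that wants the rest must narrow its filter. Whether authenticated staff should see opted-out entries is a policy choice; here they do, which matches the distinction between a public listing and an internal directory.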
Dirty Data
Every database is likely to contain entries that are improperly formatted, missing, duplicated, outdated, or just plain wrong. The bad data may be wreaking no havoc where it is. However, when you put it into a global directory, there is no telling how new applications will react to it. You must check and usually clean data extensively before you can use it. The problem is compounded by the fact that data from each source will be bad in unique ways.
"You have to view the organization as a big data warehouse," says Tim Howes, directory server architect for Netscape Communications and cochair of the directories working group of the Internet Engineering Task Force (IETF). Howes recalls the "nightmare scenario" at the University of Michigan, where he found his name stored in 17 locations. Data cleansing, says Howes, may take a month to years.
Some related problems include "clean" data that is formatted differently in different databases and data that you cannot legally make public (e.g., Social Security numbers).
Costs can run into tens or even hundreds of thousands of dollars -- although, hopefully, the more you spend, the faster the job will go. Taking that strategy to extremes, you can outsource the whole mess to consultants.
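The defect classes this section lists (inconsistent formatting across sources, missing fields, duplicates, malformed values, and data such as Social Security numbers that must not be published) are what a cleansing pass has to catch before anything is loaded into the global directory. The following is an added example written for this article, not code from Netscape, the University of Michigan, or any consultancy; the two source feeds (an HR system and a NOS directory), their field names, and every value in them are constructed.

```python
"""Hypothetical cleansing pass that merges two source directories into
one set of person entries and reports what it had to fix or reject.
Added example; the HR and NOS feeds below are constructed, each "bad in
its own way", as the article puts it."""

import re
from collections import Counter

# Constructed HR feed: "Last, First" names, mixed-case e-mail, an empty
# e-mail, a duplicated row, and an SSN that may never be published.
HR_RECORDS = [
    {"name": "Smith, Jane", "email": "JSMITH@Example.COM", "ssn": "000-00-0001", "dept": "Finance"},
    {"name": "Doe, John", "email": "", "ssn": "000-00-0002", "dept": "IT"},
    {"name": "Smith, Jane", "email": "jsmith@example.com", "ssn": "000-00-0001", "dept": "Finance"},
]
# Constructed NOS feed: "first last" names in random case, a malformed
# e-mail, and an account that exists nowhere else.
NOS_RECORDS = [
    {"name": "jane smith", "email": "jsmith@example.com", "login": "jsmith"},
    {"name": "John Doe", "email": "jdoe@example", "login": "jdoe"},
    {"name": "Old Account", "email": "old@example.com", "login": "old"},
]

SUPPRESSED_ATTRS = {"ssn"}          # legally restricted: never exported
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_name(raw):
    """Turn 'Last, First' or 'first last' (any case, odd spacing) into 'First Last'."""
    raw = raw.strip()
    if "," in raw:
        last, first = (p.strip() for p in raw.split(",", 1))
        raw = f"{first} {last}"
    return " ".join(w.capitalize() for w in raw.split())


def normalize_email(raw):
    """Lower-case the address; return None if empty or malformed."""
    addr = (raw or "").strip().lower()
    return addr if EMAIL_RE.match(addr) else None


def cleanse(sources):
    """Merge records from {source_name: [record, ...]} keyed on the
    normalized name. Returns (entries, problems): entries maps the
    canonical name to a merged attribute dict with suppressed attributes
    removed; problems lists (source, name, description) tuples."""
    entries, problems = {}, []
    seen = Counter()
    for source_name, records in sources.items():
        for rec in records:
            key = normalize_name(rec["name"])
            seen[(source_name, key)] += 1
            if seen[(source_name, key)] > 1:
                problems.append((source_name, key, "duplicate record"))
            entry = entries.setdefault(key, {"cn": key})
            email = normalize_email(rec.get("email"))
            if rec.get("email") and email is None:
                problems.append((source_name, key, f"malformed e-mail: {rec['email']!r}"))
            elif email and entry.get("mail") not in (None, email):
                problems.append((source_name, key, "conflicting e-mail"))
            elif email:
                entry["mail"] = email
            for attr, value in rec.items():
                if attr in ("name", "email") or attr in SUPPRESSED_ATTRS:
                    continue            # already handled, or must not leave the source
                entry[attr] = value
    for key, entry in entries.items():
        if "mail" not in entry:
            problems.append(("merged", key, "missing e-mail"))
    return entries, problems


if __name__ == "__main__":
    clean, issues = cleanse({"hr": HR_RECORDS, "nos": NOS_RECORDS})
    for cn, entry in clean.items():
        print(cn, entry)
    for issue in issues:
        print("PROBLEM", issue)
```

Keying on the normalized name is deliberately naive: it merges the three Jane Smith rows correctly but would also merge two different people who share a name, which is why a real load needs a better join key (an employee number, say) and a human review of the problem list rather than an automatic fix. The suppression set is applied during the merge, so a restricted attribute never reaches the output, whatever later code does with it.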
Sync Me Up
To integrate or synchronize directories from multiple vendors, three issues have to be addressed: standards, architecture, and schemata.
Huge strides have been made in the standards arena since April 1996, when 40 vendors, led by Netscape, made the first major announcement about LDAP. Since then, LDAP has been almost universally endorsed.
However, we are still in the early stages of what will be a long process: Infrastructure vendors implementing LDAP, OS vendors deploying the infrastructure on various platforms, developers taking advantage of that infrastructure, and users deploying the resulting applications. On the replication front, we are probably a year or more away from robust LDAP-based replication, says Howes. (See the sidebar "Replication in LDAP".)
Once directory access and replication protocols (whether standards-based or proprietary) have been worked out, it's necessary to build a system based on them. The most basic architectural question is whether to have a central repository (see the sidebar "Physical and Virtual Meta-Directories").
To read from and write to directories, the synchronization function must understand the directory schemata, which define directory objects and their attributes. In February, a group of eight major directory vendors -- Banyan, IBM, Lotus Development, Microsoft, Netscape, Novell, Worldtalk, and Zoomit International -- released the Lightweight Internet Person Schema (LIPS). It's designed to extend and enhance LDAP by providing a minimum definition of the attributes of a "person" object, such as e-mail address and name.
LIPS, which you must implement in both directory clients and servers, is not an official standard. However, it performs an invaluable function in telling LDAP clients what to look for in the directory. Today, LIPS defines 37 attributes, more than enough for a typical LDAP browser, though certainly not enough for every conceivable application.
Multiple Choice
We come to the place where the rubber meets the road: specific vendors and their directory products. Here, we find that most organizations will have serious problems with the available products. Vendors are trying to address these problems, and we may see significant progress in 1998.
Let's start with two prominent meta-directory vendors, Zoomit and Worldtalk. Worldtalk's products (the NetTalk directory and mail server, and NetJunction, a higher-end X.500-based directory server) are mature and well regarded. The company and its partners have a good ability to provide the consulting and implementation assistance that most customers will need.
On the other hand, most observers think Zoomit's meta-directory functionality is stronger. For instance, Netscape has been regularly recommending Zoomit's Via to its customers who need a meta-directory. "We've recognized that our customers have a problem that is solved by a meta-directory," says Howes. "Zoomit seems to have a good one. Up to this point, we've been working with them to help solve the customer's problem." Howes also notes that Netscape has no plans to build its own meta-directory.
"Zoomit has spent tons of time thinking about issues relating to data, about creating object containers for attributes, and about how to propagate only what you want, while keeping other things secure," says Gauthier.
Although Via 1.0 is only a year old, it builds on a previous directory-synchronization product, Enterprise Directory Management Service (EDMS), released in 1993. EDMS is being used in the messaging backbones of 200 companies of the Fortune 500, says Kim Cameron, Zoomit's vice president of technology.
Zoomit is a tiny company that could be an attractive target for acquisition or simply a light snack for a larger competitor. But its substantial technical lead insulates it somewhat from competition. The Burton Group estimates that it would take Netscape or Microsoft about two years to catch up, starting from scratch.
Cameron also notes that Zoomit is in "friendly discussions" with large directory vendors about partnering. The large vendors would either sell Via or bundle it with their products. This strategy will be successful because of the strength of Zoomit's product, says Bob Lewin, an analyst at Dataquest (San Jose, CA), a market research firm. (Though neither Cameron nor Lewin named vendors, Netscape is a likely possibility, with Microsoft perhaps next in line. A partnership with Novell looks more doubtful.)
The meta-directory market, which was about $5 million this year, according to Lewin, could be three or four times that in 1998 -- and Zoomit is poised to take most of it, he says. However, until its partnerships emerge, some companies may hesitate to bet the enterprise on Zoomit.
The three major competitors in the directory market itself are Microsoft, Netscape, and Novell. At press time, Microsoft had announced its Active Directory; a beta release is expected by early 1998, with final shipment later in the year. Microsoft also made an agreement with Cisco to integrate Active Directory with Cisco's Internetwork Operating System (IOS), the fundamental OS of Cisco's routers and switches.
A number of large companies, including Compaq and Pacific Gas & Electric (PG&E), made strategic commitments to Active Directory as far back as 1996. Both are large Banyan shops transitioning from Banyan Vines and its StreetTalk directory to Windows NT and Active Directory.
Microsoft is also sure to have strong third-party support. For instance, one of the reasons that PG&E went with Active Directory was that it is a big Cisco and SAP R/3 shop, and both Cisco and SAP have announced agreements with Microsoft to integrate Active Directory with their products. Cisco will port Active Directory to Unix platforms.
On the downside, Microsoft has little interest in supporting multiple OSes. "The purpose of Active Directory is to make NT Server a better platform for enterprise networking," says Jeff Price, Microsoft's product manager for NT Server. "I don't think the goal in most customers' minds is to own five different OSes. I think we will see a consolidation to NT Server."
Also, Microsoft may not be too unhappy if Active Directory does not provide optimal support for products from competitors such as Netscape and Novell. Companies looking for a vendor-neutral, aggressively multiplatform global-directory solution will have to look outside Microsoft. PG&E has looked at Via, which could play a role in connecting Active Directory with the Netscape Directory Server, says Rob Batey, strategic planner in PG&E's computer and telecommunications services department.
Netscape differentiates itself by leadership in the Internet standardization process. Also, its browsers, which dominate the market, give it a foot in the door. In the directory arena, Netscape hired chief LDAP architect Howes and has led the market in evolving LDAP's capabilities.
UT-Houston is considering implementing the Netscape Directory Server, partly because it will integrate well with other Netscape products the university intends to implement, including the Netscape mail server, Web server, and certificate server, says Phil Mitchell, assistant director in the office of academic computing at UT's Houston Health Science Center. Tightly integrated management and security are among the advantages the university would gain. It currently has nearly 9000 employees, students, and medical center staff on an X.500 directory, developed in-house based on source code from the ISODE Consortium.
Netscape is generally viewed as a company with strong momentum, but it is not yet clear to what extent this will translate into success in global directories. If Microsoft and Novell implement standards while adding significant proprietary value in crucial areas such as replication, administration, security, and scalability, customers may choose big vendors and more features over standards purity.
Although it's promoted as a distributed enterprise directory, the Netscape Directory Server has significant limitations in that role. These include a master-slave (or single-master) architecture, which limits scalability because it forces all writes to come to a single point, and a new and largely untested replication scheme.
Howes notes that customers are running the Netscape Directory Server in production environments with over 2 million entries. However, these may be highly centralized, or even single-server, implementations, where issues of master-slave architecture and replication are irrelevant. On the whole, the Netscape Directory Server, while evolving toward being a distributed enterprise directory, is best suited for highly centralized environments or departmental applications.
Novell is almost the exact opposite of Netscape: Novell's product is proven, but the company's image is shaky. NDS is a capable and proven global enterprise directory, with a robust and mature multimaster replication scheme. Furthermore, in contrast to Microsoft, Novell is fundamentally committed to OS heterogeneity and has given NDS royalty-free to IBM (which will offer it on its RS/6000 AIX systems and S/390 mainframes) and to major Unix vendors, including Sun, The Santa Cruz Operation (SCO), Hewlett-Packard, and Fujitsu.
According to Novell, this achieves its goal of bringing NDS to more than 75 percent of all Unix platforms before the end of the year. By the middle of 1998, all these platforms will have versions of NDS that support LDAP. NDS replication will be available at an extra charge, from either the Unix vendor or Novell.
By the time you read this, Novell should also have released NDS for NT. (Michael Simpson, director of marketing for Novell's network services group, told BYTE he expected it to be released early in the fourth quarter.)
"Microsoft will get third-party support," says Simpson, "but not from Unix platform vendors like Oracle. They can't afford a separate code path. But, since NDS is equal on all platforms, Oracle feels confident in committing to NDS on all shared platforms."
Furthermore, Novell offers powerful products that leverage NDS: the GroupWise groupware/e-mail package; BorderManager, a software-based firewall and Web proxy; Novell Application Launcher, for desktop management; and Workstation Manager, for software distribution and NT client management (so you don't have to deploy NT domains).
"These are the reasons why so many Fortune 1000 companies have committed to NDS," says Simpson.
Novell points to an installed base of over 20 million NDS users, including hundreds of thousands who access NDS through the three largest telecom carriers in the world (AT&T in the U.S., Nippon Telegraph and Telephone in Japan, and Deutsche Telekom in Germany). Those are some gigantic networks for NDS to develop its muscles on.
Despite all this, Novell is widely perceived as having lost momentum. "Nobody is looking to Novell for leadership in the directory area anymore," says Gauthier. "It's sad, because it has a premium product. But it is still trying to tell people what NDS is."
"Novell is not looking all that stable," says Batey. "Its market share is eroding." Batey is more confident that Microsoft will have the resources to throw behind global directories over the long haul.
In summary, the industry is very much in the early-adopter phase for global enterprise directories.
"My view is that we're still in a period where most companies are frozen," says David Marshak, an analyst with the Patricia Seybold Group, a Boston-based consultancy. "Companies are both waiting for Microsoft and waiting to see if another solution comes up. They are loath to commit to Active Directory at this point, but they're also afraid of committing to something else that may not work well with Active Directory."
As an alternative to stagnation, Marshak suggests that companies look to existing third-party products that are relatively inexpensive and easy to implement, and begin to work on data cleansing and directory rationalization now. "The investment [in tools] may be disposable, so you need to be sure the product is standards-based enough so that you'll be able to substitute something else for it without too much disruption," says Marshak. For instance, access to Zoomit's Via is LDAP-based, for both user access and management, raising its "exchangeability quotient."
"Organizations should go ahead," says Daniel Blum, a principal at Rapport Communication (West Chester, OH), a consultancy specializing in messaging, directories, and groupware. "Don't just throw your hands up and say we can't do anything." Blum suggests pilots and "proof of concept" installations with four goals:
- Reduce the number of directories and the cost of directory administration.
- Improve "data hygiene" by cleaning up dirty data.
- Reduce the desktop administration burden by moving configuration information off the desktop and into the directory.
- Make a global directory available to enable applications, so programmers won't continue to create more directories.
What's Coming
Even though few companies can even implement enterprise directories today, forward-looking users and vendors are seeking ways to take things to the next level, making directories easier to use and leveraging the technology more fully.
For instance, organizations want to store directory information in relational databases, which have strong management, search, and security facilities. MCI has already done this on its own, storing information for its LDAP directory in an Informix database. UT-Houston plans to implement a similar system, probably with Netscape SuiteSpot directory servers.
In addition, companies want directories to deal with network (layer three) issues and manage a broader range of services. For instance, MCI is using its global directory to manage its e-mail system (based on PostOffice, from Software.com), an in-house dial-in application, and Web services. However, MCI would like to use it to do IP address management and manage a much wider range of services, including Domain Name System (DNS), DHCP, and its Radius-based security services, says Brian Plackis, senior manager, messaging integration.
"Using a global directory to look up e-mail addresses is nice," says Plackis, "but the big payoff will be a single point of administration for all of our IT infrastructure and all of our applications. We're a ways away from that, though."
Still, there are hopeful signs. Early this year, Plackis says he got little response from major directory vendors when he brought up subjects such as using the directory to manage IP addresses, DNS, and DHCP. "Now, I have a bunch of vendors who want us to pilot with them on their next generation of products," says Plackis. "The bad news is that I needed this stuff six months ago. The good news is that we may see some betas as early as November and real products as early as the first or second quarter of 1998."
Where to Find
Microsoft
Redmond, WA
Phone: 800-426-9400
Phone: 206-882-8080
Internet:
http://www.microsoft.com