2.2. Brief survey of common directory servicesThere are numerous different directory services. Here we will discuss some of the commonly used ones.
2.2.1. Directory Name Service (DNS)The roots of DNS are in the early (pre-Web) days of the Internet. DNS was developed to provide hostname and address resolution. Before DNS existed, the authorities for the Internet maintained a global flat text file of the mappings from hostname to IP address in a file called hosts.txt, which was then made available for all the nodes on the Internet to download via a program called gettable. This is analogous to the telephone company giving you an updated telephone book periodically. Systems like Unix would convert the file into /etc/hosts. This hosts.txt system worked fine for the Internet when it had only thousands of hosts. But when it reached tens of thousands of hosts, it wasn't practical, especially over the slow links available in the late 1980s. What was needed was a way to decentralize the process of looking up hostnames and addresses. The Internet was separated into domains, and each domain was left to identify its own authoritative server for hostnames and addresses within its domain. The only thing that needed to be maintained in a global database was the list of domain names, and the servers for that domain. Returning to the telephone directory analogy, when you live in one area code of the United States, and want to get directory information for another area code, you can prefix the area code to the number 555-1212 to get the appropriate directory service operator. By assigning authority for a domain's directory information to each domain, DNS can be described as being hierarchical. Similarly, the United States telephone system assigns authority for a given area code's directory information to one pool of directory service operators that answer the 555-1212 number. DNS also lets domains within subdomains further delegate authority, and subdomains in turn. For example, in DNS there is a top-level domain called ".com" that assigns authority for administering sun.com and oreilly.com to DNS servers that the owners of sun.com and oreilly.com each designate. Within sun.com, there are several subdomains, such as eng.sun.com, and east.sun.com. Within eng.sun.com, there might be a compiler.eng.sun.com, sunos.eng.sun.com, cde.eng.sun.com. Thus DNS is a multilevel hierarchy, whereas the United States telephone directory service has but two levels of hierarchy. DNS has stood the test of time. In 1993, a memorandum (RFC 1401) was written by the chair of the Internet Architecture Board that noted that the transition from hosts.txt to DNS was largely complete. This is fortuitous, as the World Wide Web was about to explode from tens of thousands of hosts to millions. DNS proved capable of handling that explosion.
2.2.2. Network Information Service (NIS)NIS was developed by Sun Microsystems in the mid-1980s to solve a problem that until then had no solution in the Unix world. Let's return to the telephone directory service concept. One nice thing about calling your telephone company's directory service is that the operator (the server) is more apt to have up-to-date information than you would. Your telephone book is replaced once a year, whereas the server's information is updated more frequently, perhaps instantly with each new telephone number assignment and de-assignment. When networking was added to Unix systems, system administrators very quickly ran into difficulties keeping files like /etc/hosts (holds hostname to host address mappings) and /etc/passwd (holds username, user identifier, password). If a system administrator had 100 systems, then adding a host to a network or a user to the organization meant the tedium of updating the /etc/hosts or /etc/passwd files on all 100 systems. NIS, originally called the Yellow Pages or YP, was invented to simplify management of these files by changing the underlying programming interfaces, such as gethostbyname( ) and getpwnam( ), to use NIS client libraries. While DNS was being developed around the time NIS was, DNS was mostly concerned with the directory of hostnames and addresses, whereas NIS went beyond that. In addition, DNS was designed so that a host in one domain could access information from other domains, whereas NIS shared the limitations of the early Internet's hosts.txt file: flat and not very dynamic. We will go into much more detail on how NIS operates in Chapter 3, "Network Information Service Operation".
2.2.3. NIS+In 1992, Sun Microsystems released NIS+ with Solaris 2.0. Despite its name, NIS+ was more different than it was similar to NIS. NIS+ was developed to address several deficiencies in NIS:
2.2.4. X.500Around the same time DNS and NIS were being designed and deployed, the International Standards Organization (ISO) started meeting to define an ISO standard directory, called X.500. X.500 shares DNS's and NIS+'s attributes for hierarchical operation, and NIS+'s attributes for security and simple update. X.500 differs from DNS, NIS, and NIS+ in the following ways:
2.2.5. Lightweight Directory Access Protocol (LDAP)X.500 has a protocol called the Directory Access Protocol (DAP) to allow clients to access X.500 servers. DAP was designed to operate over ISO's Open Systems Interconnect (OSI) transport and network protocols. Once upon a time, people believed that TCP/IP would wither away and be replaced by OSI. As it turned out, too many people had deployed TCP/IP-based networks, and they saw no compelling reason to switch to OSI. Despite OSI mandates by most governments in the developed world, the Internet transport and network protocols persisted, and it was obvious by 1994, if not earlier, that the OSI transport and network was dead. However, as discussed earlier, X.500 has some extremely attractive properties for a directory, but it comes with the baggage of OSI transport and complex ASN.1 encoding. The Lightweight Directory Access Protocol (LDAP) was invented to allow clients using TCP/IP and simpler encoding schemes, to take advantage of the richness of X.500 directory service. Another difference between LDAP and DAP is that LDAP is under the control of the Internet Engineering Task Force (IETF), the same organization that produced the standards behind the Internet. Whether intended or not, the effect is to get IETF to buy into X.500, whereas previously IETF had no control over OSI transport and network, and so it was much harder (and eventually impossible) to get IETF to accept OSI transport and network. LDAP specifies lots of different security flavors, including ones based on public key certificates and Kerberos V5. At the time this book was written, LDAP was only starting to be integrated with operating systems. Windows 2000 is the first such offering from Microsoft. Solaris 8 includes a fully integrated LDAP client, but no server.
2.2.6. NT DomainNT Domain is the directory service used in Windows NT. It was introduced by Microsoft in 1987 and was called Lan Manager at the time. NT Domain is intended to administer users, groups, printers, and hosts in a Windows environment. NT Domain now supports multilevel hierarchies, but requires a bilateral trust relationship between each domain. So if there are N domains in an organization, N * (N - 1) relationships need to be set up. NT Domain supports slightly better security than NIS. Perhaps the biggest issue with NT Domain is that it is an undocumented proprietary protocol, making it difficult for Windows and non-Windows systems to share NT Domain directory information. Microsoft is moving away from NT Domain in favor of Active Directory, which is a derivation of the LDAP protocol and X.500. While NT Domain is not supported on Solaris and most other Unix systems, if you have a mixed environment, you'll probably run into it.
Copyright © 2002 O'Reilly & Associates. All rights reserved.