).
Since several products meet the performance requirements, other criteria become more important when choosing a particular product. If cost is the primary concern, products that incur no license fees are likely to be chosen; these include OpenLDAP and, once it is released, SecureWay Directory. Organisations that own hardware from Sun Microsystems could consider the Netscape Directory Server instead: the free binary license of Solaris 8 for the SPARC platform includes a 200,000-entry production license. If the intended use of the directory goes beyond user management, flexibility and full compliance with the standards become an issue. While the current version of Active Directory does a good job of fulfilling its primary task as a NOS-specific directory, it is not as capable or as standards-compliant as the standalone directory servers. As a result, migrating the AMBIX directory, which offers a white-pages service for the German academic community, to Active Directory as provided in Windows 2000 is not feasible (see Chapter
).
Many German universities provide heterogeneous Windows/Linux computer pools for their students. Networks of client PCs running Windows are generally connected to either a Windows NT/2000 or a NetWare server. In such an environment, integrating the Linux client PCs with the native Windows or NetWare directory services seems feasible (for Windows NT networks, pending an upgrade to Windows 2000). This allows past investments in the infrastructure to be retained and reused for new applications.
If the Linux clients in a heterogeneous Windows/Linux network are not to access Active Directory directly but instead authenticate to a Linux-based directory server, passwords need to be synchronised to provide users with a unified login. A prototype that accomplishes this task has been developed as part of this thesis. It consists of two modules, one for each direction of synchronisation (see Appendix
). A dynamic link library that implements the Windows password change notify API handles the Windows-to-Linux direction. Password changes originating on Linux can be forwarded to Active Directory by means of a modified PAM module. Additionally, the password verification mechanism in OpenLDAP has been extended to support the hash function used by a Windows server. This allows a Linux directory to be bootstrapped from a user base held in a Windows server (see Appendix
).
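The following added example, which is not part of the thesis or of its prototype software, illustrates what extending an LDAP server's password verification to the Windows hash entails. Windows stores an unsalted NT hash, i.e. MD4 over the password encoded as UTF-16LE; once the LDAP server can compute that hash, userPassword values exported from a Windows user base can be verified directly, which is what makes the bootstrapping described above possible. MD4 is implemented in pure Python after RFC 1320 so that the example does not depend on hashlib's optional, OpenSSL-provided MD4. The `{NT}` scheme prefix, the function names and the sample userPassword value are assumptions made for this example, not the names or data of the thesis' OpenLDAP extension.

```python
"""Added example: verifying passwords against Windows NT hashes in an
LDAP-style password scheme.  Not code from the thesis.  The "{NT}" scheme
label and all names below are assumed for this illustration."""
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320) of an arbitrary byte string, pure Python."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit LE.
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2_idx = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0x00000000),
        (g, r2_idx, (3, 5, 9, 13), 0x5A827999),
        (h, r3_idx, (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, idx, shifts, k in rounds:
            for i in range(16):
                t = (a + func(b, c, d) + x[idx[i]] + k) & _MASK
                # Rotate the working registers so that the next step updates
                # the register named by the RFC's [DABC], [CDAB], [BCDA] steps.
                a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """The NT hash a Windows server stores: MD4 over UTF-16LE, no salt."""
    return md4(password.encode("utf-16-le"))


def make_nt_userpassword(password: str) -> str:
    """userPassword value in the assumed "{NT}<hex>" scheme format."""
    return "{NT}" + nt_hash(password).hex().upper()


def check_password(stored: str, candidate: str) -> bool:
    """Verify a candidate password against a "{NT}..." userPassword value.

    Mirrors what a password-scheme check in the directory server does:
    recognise the scheme prefix, recompute the hash, compare in constant time.
    Malformed values are rejected rather than accepted by accident.
    """
    if not stored.upper().startswith("{NT}"):
        return False            # another scheme; not handled here
    stored_hex = stored[4:]
    if len(stored_hex) != 32:
        return False            # an NT hash is exactly 16 bytes
    try:
        expected = bytes.fromhex(stored_hex)
    except ValueError:
        return False
    return hmac.compare_digest(expected, nt_hash(candidate))


if __name__ == "__main__":
    # Constructed sample: a userPassword value as it might be exported from a
    # Windows user base for an account whose password is "password".
    exported = "{NT}8846F7EAEE8FB117AD06BDD830B7586C"
    print(make_nt_userpassword("password") == exported)   # True
    print(check_password(exported, "password"))            # True
    print(check_password(exported, "Password"))            # False: case matters
```

Because the NT hash is unsalted and MD4 is fast, two users with the same password share the same stored value and the hashes are cheap to attack offline; supporting the scheme is a migration convenience, and the directory's userPassword attribute should be protected by access controls just as the Windows SAM is.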
Directories are not limited to user white-pages and authentication services though. The technology offers the required flexibility for being used as information store in other areas as well. As an example, a schema for storing bibliographical references has been developed. Based on the information model specified therein, applications for provisioning the BibTeX program from the LaTeX typesetting suite and for managing the references by means of an HTTP-gateway have been written (see Chapter
).
Future work might concentrate on adapting nss_ldap to Active Directory. nss_ldap is a name service switch module that allows LDAP to be used instead of the local /etc/passwd file. This would allow Linux clients to retrieve user information other than passwords directly from Active Directory and would eliminate the need to maintain a second directory server on Linux. The reverse approach, i.e. integrating a Unix Kerberos distribution with OpenLDAP, would also offer interesting possibilities.
Additionally, research could be carried out into certificate-based authentication mechanisms. As part of this work, the SASL EXTERNAL mechanism could be implemented in OpenLDAP. To make effective use of this mechanism, ways to associate a certificate with a directory entry need to be specified and implemented, including a check of the certificate's validity. One way of establishing this relationship would be to map the subject name from the certificate to the distinguished name of an entry in the directory. Another possibility would be to store data that uniquely identifies a certificate, such as its issuer name and serial number, in the associated entry. As part of this analysis, the role of the directory service within a public key infrastructure could be investigated.
Norbert Klasen 2001-10-22