Novell Directory Services


Directory Server

For a long time, Novell NetWare was the Network Operating System (NOS) of choice for most networks of IBM-compatible PCs running Microsoft DOS or Windows 3.1. A dedicated server offered file and print services to a number of client PCs. All administrative information about objects in such a network, such as users, groups, printers and print queues, was stored in a proprietary per-server directory called the Bindery. This information was not shared between servers: if a user needed access to multiple servers, the account had to be created on each of them separately. This changed in 1993 when Novell Directory Services (NDS) [78] was introduced with version 4 of NetWare. Although NDS is not an X.500 DSA, its design is based heavily on the concepts laid out in X.500. NDS follows the models specified there but uses the Novell Directory Access Protocol (NDAP), which is built on top of the NetWare Core Protocol (NCP). With NDS, centralized management of large computer networks spanning workgroups, organizational units and sites from a single administrative point became feasible [54].

An additional component called LDAP Services for NDS was made available in 1997 and allowed LDAP access to the directory. LDAP Services for NDS translated LDAP operations into native NDS calls. This translation layer degraded performance, and it required explicit mappings from LDAP object classes and attribute types to their NDS equivalents, since the two schemas do not coincide.

Due to strong competition in its core business of file and print services from Windows NT and, increasingly, from Unix-based and especially Linux-based solutions running Samba, Novell has lost a large part of its market share in this sector. Its strategy in recent years has therefore been to expand into new business areas where existing technology and available expertise could be put to good use.

Figure: DENIM Architecture [79]

This approach has been called the Directory-Enabled Net Infrastructure Model (DENIM, see Figure [*]). Building on existing products, new value-added services and solutions are provided. The key component in this model is NDS; all higher-level services rely on it for data management. To expand the usage of NDS, it has been ported to platforms other than NetWare and has subsequently been renamed Novell eDirectory. eDirectory, whose first version (Version 8.5) was released in October 2000, is a standalone LDAP server available for NetWare, Windows NT/2000, Solaris, Tru64 and Linux.

eDirectory possesses a very versatile replication architecture. In general all servers have multi-master capabilities, but a server can be configured as a read-only replica if necessary. So-called filtered replicas are also possible: such a replica holds only a configured subset of attributes. A filtered replica can be used to build a publicly accessible server that holds only non-confidential information such as email addresses and telephone numbers, so that a compromise of that server cannot expose attributes it never received, while the directory as a whole can still be used for more sensitive data such as social security numbers. Another way to distribute a directory is by subtree, called a partition in Novell terms. Each host running eDirectory can hold multiple partitions, i.e. it is not limited to a single subtree of the DIT.

Another interesting feature is eDirectory's ability to generate indices automatically. It analyzes query patterns, looking for frequent searches on unindexed attributes, and then creates new indices for the affected attributes to increase performance.


Administration Tools

Novell's administration utilities have come a long way, from DOS-based applications like pconsole to the now very powerful ConsoleOne. ConsoleOne is a Java application, which underlines Novell's cross-platform strategy: on every operating system where eDirectory is available it presents the same user interface to the administrator. Besides the usual management tasks, the administrator can use ConsoleOne to access the PKI component of eDirectory for issuing or revoking X.509 certificates. The application further allows the management of DirXML settings.

iMonitor is another tool that ships with eDirectory. It is an embedded web server that allows browsing of the server's configuration and statistics as well as of the directory data itself.


Directory-enabled Applications

Additional software from Novell that relies on eDirectory includes GroupWise, Novell's messaging and time management solution; BorderManager, the company's firewall suite; and DirXML.

Figure: DirXML

DirXML [80] is a framework that allows synchronization between different data sources. The "XML" in its name stems from the fact that the rules and style sheets that govern the data exchange (see Figure [*]) are written in XML. The publisher/subscriber scheme enables DirXML to preserve data ownership: an employee's personal information is usually managed by the human resources department, whereas email addresses and network accounts are the responsibility of the IT department. To keep a department from writing to data for which it is not authoritative, the join engine accepts updates for an attribute only from that attribute's publisher. DirXML ships with drivers for Lotus Notes, Microsoft Active Directory, Microsoft Exchange, NDS and Netscape's directory server. It also includes C++ and Java APIs that allow the development of drivers for legacy applications.
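The ownership rule described above, as an added example that is not part of the original page and not Novell's DirXML code: a small model of a join engine with an assumed attribute-to-publisher authority map. The driver names (hr, it, exchange), the attribute names and the sample events are constructed for this illustration; a real DirXML deployment expresses the same policy in its XML rules and style sheets.

```python
# Added illustration of the DirXML publisher/subscriber ownership rule.
# Constructed model, not Novell's DirXML code; driver names, attribute
# names and sample events are assumptions made for this example.
from dataclasses import dataclass, field

# Assumed authority map: the one driver allowed to publish each attribute.
# Attributes absent from the map have no publisher and are always refused.
AUTHORITY = {
    "givenName": "hr",
    "sn": "hr",
    "department": "hr",
    "uid": "it",
    "mail": "it",
}


@dataclass
class PublisherEvent:
    source: str           # driver sending the change on its publisher channel
    employee_number: str  # join key shared by all connected systems
    attrs: dict           # attribute -> new value


@dataclass
class JoinEngine:
    directory: dict = field(default_factory=dict)      # employeeNumber -> entry
    subscriptions: dict = field(default_factory=dict)  # driver -> attrs it receives
    rejected: list = field(default_factory=list)       # (source, employeeNumber, attr)

    def publish(self, event):
        """Apply a publisher event; keep only the attributes the source owns."""
        entry = self.directory.setdefault(
            event.employee_number, {"employeeNumber": event.employee_number})
        accepted = {}
        for name, value in event.attrs.items():
            if AUTHORITY.get(name) != event.source:
                # Non-authoritative write: record it and drop it, never overwrite.
                self.rejected.append((event.source, event.employee_number, name))
                continue
            entry[name] = value
            accepted[name] = value
        return accepted

    def subscribe(self, driver, attrs):
        """Register the attributes a driver receives on its subscriber channel."""
        self.subscriptions[driver] = list(attrs)

    def view(self, driver, employee_number):
        """Subscriber channel: only the attributes the driver subscribed to."""
        entry = self.directory.get(employee_number, {})
        return {a: entry[a] for a in self.subscriptions.get(driver, []) if a in entry}


def run_example():
    engine = JoinEngine()
    engine.subscribe("exchange", ["givenName", "sn", "mail"])
    # HR creates the person; it owns the identity attributes.
    engine.publish(PublisherEvent("hr", "1001",
                   {"givenName": "Ada", "sn": "Lovelace", "department": "R&D"}))
    # IT assigns the account, but also tries to "correct" the surname.
    engine.publish(PublisherEvent("it", "1001",
                   {"uid": "alovelace", "mail": "alovelace@example.com", "sn": "Byron"}))
    return engine


if __name__ == "__main__":
    e = run_example()
    print(e.directory["1001"])
    print("rejected:", e.rejected)
    print("exchange sees:", e.view("exchange", "1001"))
```

In the run, the surname pushed by the IT driver is refused and logged while its uid and mail are accepted, and the Exchange subscriber sees only the three attributes it was configured to receive. Attributes with no entry in the authority map are refused from every publisher, which is the conservative default a practitioner wants when a new connected system starts sending attributes nobody has assigned an owner to.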

Norbert Klasen 2001-10-22