Skip navigation

Active Directory and LDAP

Another Active Directory solution to the sins of NT

Last month, I started talking about what Windows NT 5.0's Active Directory will do for NT; I suggested that the current system, the Security Accounts Manager (SAM) database of users, committed deadly sins, two of which I discussed last month. This month, I'd like to take up the concept of the Lightweight Directory Access Protocol (LDAP) and how it fits with Active Directory. (For a detailed description of LDAP, see Craig Zacker, "LDAP and the Future of Directory Services: Part 1," October 1997.)

The Sin of Access
The SAM database of users makes it difficult for outside vendors to use (oh, sorry, correct softwarespeak is "leverage") that database. With LDAP, a third party can write a secure server of some kind, and when a user wants to access data on that server, the server can query an NT 5.0 domain controller via LDAP to find information about that user.

At one point in my firm, we ran an NT network, a Novell network, and a cc:Mail mail system. To add a new employee, we had to create three new user accounts: the account for NT that would go in SAM, the account for the Novell network that would go into the bindery, and an account for cc:Mail that would go into a cc:Mail configuration file. Each of these accounts had a password. None of these accounts talked to each other.

Every day, I'd have to prove to NT that I was Mark by punching in the password on the NT account. Then, I'd have to prove to Novell that I was Mark by punching in the password on the Novell account. Then, when I wanted to check my mail, I'd have to prove to cc:Mail that I was Mark by punching in that password.

This situation was (and still is) extremely annoying. Now, many of you might have multiple accounts but don't have to type passwords because some operating systems remember your username and password for other systems, in much the same way that my Web browser remembers the usernames and passwords that I use for the Web sites that require paid subscriptions. I just type in the username and password, and from that point on whenever I try to access the site, the browser supplies the username and password.

Back to my network: I want just one security authority to operate in my enterprise. My domain administrators create and maintain user accounts, and I don't want them to have to maintain so many user accounts. Password changing day is confusing for my users, who often get mixed up about how to change their Novell passwords versus their NT passwords versus their cc:Mail passwords.

What do Novell, NT, and cc:Mail have in common? They all want to know that you are who you say you are, and you prove that with a password. In other words, they want to authenticate you, and to that end, they keep a database of users. The NT, Novell, and cc:Mail folks all write code into their products that keeps a database of users. Those databases of users don't hold just passwords, either. They contain important personal information such as preferences, possibly access levels, rules (in the case of a mail system), and logon directories and scripts. User databases are useful, but they'd be more useful if they were unified in some way.

Because user databases are not unified, we end up with three different companies reinventing the wheel. Three different sets of database code also means incompatibilities. Let's look at an example. Acme Industries has cc:Mail, and Apex Technologies uses the similar MSMail. Acme buys Apex. Now Acme has two mail systems that must talk to one another. One answer to this problem is, of course, for Acme to tell Apex that a new sheriff is in town, and by the end of the month everyone will be using cc:Mail. Let's assume, however, that the Acme administrators decide that forcible conversion to cc:Mail isn't such a good idea.

Now, MSMail and cc:Mail store messages in some format in files on shared disk drives. Because both systems do basically the same thing, you can write a program that converts messages from cc:Mail format to MSMail format and vice versa. Such a program is called a mail gateway, and plenty of mail gateways are out there. The problem with building mail gateways, however, is that so many possible combinations exist. For example, if you have 20 major email packages in the world, you need 190 possible gateways.

About a decade ago, different mail systems stored messages in different ways, which was a big problem. To simplify the matter, the world settled on a standard format (X.400) for mail messages. This standard wasn't the mail format for any particular mail system, just an intermediate format that everyone agreed on. In theory, with X.400, you don't need to write gateways between cc:Mail and MSMail, PROFS, All-in-1, CEO, Simple Mail Transfer Protocol (SMTP), and so on. You write just one gateway from cc:Mail to X.400. Similarly, you get a gateway from MSMail to X.400, and mail can go from Acme to Apex as cc:Mail to X.400 to MSMail. Terrific. We've solved the "How do I send mail from a cc:Mail user to an MSMail user in a format MSMail can understand" problem. But that's not the whole mail interface problem because the user databases that MSMail and cc:Mail use present another point of incompatibility.

An Acme employee can fire up cc:Mail and create a new message, and cc:Mail will present the user with a list of the users that cc:Mail knows. At the end of that list, a bogus user such as X400GTW will appear. cc:Mail is conveniently showing the Acme employee its user database, but no MSMail users appear on the list. To send mail to an Apex user, the Acme employee must send mail to X400GTW. Then cc:Mail will prompt the employee for the name of the person on the other side of the gateway that she wants to communicate with. Bummer. Now she has to call the person she's mailing to and ask him his email name. The same kind of thing happens to an Apex user trying to use MSMail to email a cc:Mail person.

The problem of connecting mail systems is, then, twofold. First, different mail systems use different message formats; a standard intermediate format called X.400 solves this part of the problem. Second, different mail systems use different formats for querying their databases of recognized users. Again, the standards folks came to the rescue with something called X.500, a standard for accessing databases of users.

Is this situation starting to sound familiar? Many database vendors have very different database engines, but most vendors have agreed on a set of verbs for accessing a database: Structured Query Language (SQL). The beauty of SQL is (in theory) that a client accessing data on a database can be relatively ignorant of whether the data is stored in DB-2, Oracle, Informix, or SQL Server. (I say in theory because every vendor likes to enhance SQL, making for some incompatibilities.)

The Directory Server Solution
Now suppose the MSMail and cc:Mail programmers (and the Novell and NT programmers, for that matter) decide that they're tired of writing code to keep track of a database of users. Instead, they'll let anyone do it, so long as users can query that database in some standard way. Just as you can have file, print, and Web servers provide services on the network, you can also have a "user database server" (or directory server) keep the user database and respond to queries from MSMail, cc:Mail, Novell, NT, and the like. Ultimately, that's what a domain controller will do under NT 5.0. In NT 5.0, third-party client-server products such as databases, mail systems, and groupware systems could all "open hailing frequencies" to their nearby domain controller to find out about a user.

But those programs still need an interface, a standard set of programming commands to query the directory. Writing a program to interrogate an NT 3.x or 4.0 domain controller about what's in its SAM is possible, but the language and protocol to do that job is a proprietary Microsoft one. SQL could be the answer, but it's awfully resource-heavy. Making every domain controller speak SQL would be overkill, because SQL is designed to solve a wide range of data query problems in a relational model. In contrast, databases of users, directories, are simpler: They tend to be flat files, and they tend to be read more frequently than they are written. As Microsoft's Steve Judd said, "You put things into Active Directory that need to be visible in a lot of places but that don't change very often." The term for such a database is a directory. You can think of X.500 as SQL for directories.

Many people considered X.500 to be something of a cumbersome protocol, and the Internet world came up with LDAP, an alternative method of accessing X.500 directories. Running an LDAP client imposes less system overhead than X.500. Also, LDAP is an Internet protocol, and X.500 is a Consultative Committee for International Telegraphy and Telephony (CCITT) protocol. LDAP will definitely correct one of the sins of NT.

Before I go, let me add one more point. I've been referring to the Active Directory as a database of users, but that's not all you'll find in the Active Directory. Under NT 5.0, Active Directory will also contain information about the machines on the network, shares available on the network, and available applications. Active Directory will be the central repository of network configuration information.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.