117 Chapter 9: Exploring Directory Services
Trees are then aggregated into a larger forest structure. According to Microsoft, Active
Directory can handle millions of objects through this approach.
Active Directory does not require the management of trust relationships, except when
connected to Windows NT 4.x servers that are not using Active Directory. Otherwise, all
domains within a tree have automatic trust relationships.
X.500
The X.500 standard was developed jointly by the International Telecommunications
Union (ITU) and the International Standards Organization (ISO). The standard defines a
directory service that can be used for the entire Internet. Because of its broad applicability,
the X.500 specification is too complex for most organizations to implement. Also, because
of its design, it is intended to publish specific organizational directory entries across the
Internet, which is something most companies would not want to do. Just the same, the
X.500 standard is extremely important, and most directory services mimic or incorporate
parts of it in some fashion.
The X.500 directory tree starts with a root, just like the other directory trees, and then
breaks down into country (C), organization (O), organizational unit (OU), and common
name (CN) fields. To specify an X.500 address fully, you provide five fields, as in the
following:
CN=user name, OU=department, OU=division, O=organization, C=country
For example, you might configure the fields as follows:
CN=Bruce Hallberg, OU=Networking Books, OU=Computer Books, O=McGraw-Hill, C=USA
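As an added example (not the book's code), here is a small Python parser and builder for distinguished names in the CN/OU/OU/O/C layout shown above, using the string form standardized for LDAP in RFC 4514, which the chapter does not cover. It escapes commas and other special characters so that a value such as a surname-first name containing a comma is not read as an extra field when the DN is assembled from user-supplied input.

```python
# Added example (not from the book): parse and build X.500-style distinguished
# names in the RFC 4514 string form the chapter shows (CN, OU, OU, O, C).
# An unescaped comma in a value would otherwise be read as an extra field.

# Must be escaped inside a value (RFC 4514 2.4); '=' may also be escaped.
_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Backslash-escape one attribute value for embedding in a DN string."""
    out = []
    for i, ch in enumerate(value):
        lead_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in _SPECIAL or lead_hash or edge_space else ch)
    return "".join(out)


def build_dn(rdns) -> str:
    """Assemble a DN from (attribute, value) pairs ordered leaf (CN) first."""
    return ", ".join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)


def _trim(chars):
    """Join (char, escaped) pairs, dropping unescaped spaces at either end."""
    while chars and chars[0] == (" ", False):
        chars.pop(0)
    while chars and chars[-1] == (" ", False):
        chars.pop()
    return "".join(c for c, _ in chars)


def parse_dn(dn: str):
    """Split a DN into (attribute, value) pairs, honouring backslash escapes."""
    rdns, attr, val, in_attr, i = [], [], [], True, 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","       # sentinel flushes the last RDN
        if ch == "\\" and i + 1 < len(dn):       # escaped char is taken literally
            (attr if in_attr else val).append((dn[i + 1], True))
            i += 2
            continue
        if in_attr and ch == "=":
            in_attr = False
        elif not in_attr and ch == ",":          # unescaped comma ends this RDN
            rdns.append((_trim(attr).upper(), _trim(val)))
            attr, val, in_attr = [], [], True
        else:
            (attr if in_attr else val).append((ch, False))
        i += 1
    if attr:                                     # text left over with no '='
        raise ValueError("malformed DN: RDN without '='")
    return rdns
```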
LDAP
To address the complexity problems involved with full X.500 DAP, a consortium of
companies came up with a subset of X.500, called LDAP. LDAP's advocates claim that
it provides 90 percent of the power of X.500, but at only 10 percent of the processing
cost. LDAP runs over TCP/IP and uses a client/server model. Its organization is much
the same as that of X.500, but with fewer fields and fewer functions.
LDAP is covered predominantly by RFC 1777 (for version 2) and RFC 2251 (for
version 3). (Some other RFCs also describe aspects of LDAP.) The LDAP standard
describes not only the layout and fields within an LDAP directory, but also the methods
to be used when a person logs in to a server that uses LDAP, or queries or updates the
LDAP directory information on an LDAP server. (Because directory services might fulfill
many simultaneous authentications, run simultaneous queries, and accept simultaneous
updates, it is important that these methods be clearly defined to avoid collisions and other
potentially corrupting uses of the directory by client applications and administrative
tools.)