“Directory” is a common term in computing that can mean a range of things. However, in networking, the directory is usually related to user data and a list of resources that can be contacted on the network.
So, there are two types of directories to look after on a network: one lists people, and the other lists equipment. In this guide we will investigate the different directory systems that are commonly in operation on networks today.
Directory storage format
Any list of data can be held on a computer as a flat file or in a database. Early directory systems were file-based (think of /etc/passwd or a hosts file). The development of database management systems made the database option more efficient: indexed storage is quicker to search, and query languages let you combine conditions with Boolean operators (AND, OR, NOT). Note that modern directory servers do not usually sit on a general-purpose SQL database. They use a purpose-built, read-optimized backend (OpenLDAP and 389 Directory Server use key-value stores such as LMDB or Berkeley DB; Active Directory stores ntds.dit in the Extensible Storage Engine) and are queried with LDAP search filters rather than SQL.
Directory access procedures
Employing a directory system that relies on an openly available protocol is preferable to buying in a proprietary system that uses its own communication formats. Directory services require two basic components, which are a client and a server. The server is the program that holds the database and manages access to data. The client is usually embedded in an interface that either displays retrieved data, allows that data to be altered, or enables actions to be performed conditionally on receipt of that information.
If you install a directory system based on open protocols, you can mix and match clients and servers from different vendors, because they interoperate on the protocol rather than on a private format. Furthermore, the information in a directory (who the users are, which groups they belong to, which computers are registered) can be consumed by monitoring and reporting tools such as SIEMs and intrusion detection systems (IDSs) to put a user name and a device behind each event they see. Choosing a directory manager that implements a commonly used protocol ensures that those monitoring and access-control packages can read the directory.
Lightweight Directory Access Protocol (LDAP)
LDAP is a service protocol that has been widely implemented as the access mechanism for a wide range of network directories. A number of the directory systems listed below use LDAP.
As it is a protocol and not a piece of software, you can’t buy LDAP and install it. Rather, you acquire and run a program that implements the LDAP rules. A protocol defines a set of standards and working procedures that achieve a goal, so the protocol itself is not operating-system dependent. That means anyone can develop an LDAP implementation for Windows, Linux, Unix, or any other operating system.
An important element of the LDAP definition (RFC 4511 and its companion documents) is that it sets out the operations a client may send to the server (bind, search, compare, add, modify, delete) and a filter syntax for searches. As the standard is publicly available, anyone can write an application that talks to an LDAP server, so LDAP can be integrated into commercial software and into any in-house program you develop. This flexibility and universality has made LDAP the de facto standard protocol for directory services.
LDAP is not the protocol behind DNS (the Domain Name System has its own protocol), but it is the access protocol of Active Directory, OpenLDAP, 389 Directory Server and most other directory servers, listening by default on TCP port 389 (plain or StartTLS) and 636 (LDAPS). So if your network has a domain, you already use LDAP whether you realize it or not. Two points matter for security: a client that binds over port 389 without StartTLS sends the bind password in clear text, so LDAPS or StartTLS should be mandatory, and the directory is only as safe as the search filters your applications build from user input.
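As an added example (not code from this article or from any of the products it mentions), here is how an application should build a search filter and a DN from an untrusted user name before handing them to an LDAP server, using the escaping rules of RFC 4515 (filter values) and RFC 4514 (DN values). The helper names, the base DN and the sample inputs are assumptions of this example; no server is needed to run it.

```python
"""Build LDAP search filters and DNs from untrusted input without LDAP injection.

Added example, not from the article or from any product it describes. The
escape tables implement RFC 4515 (search filter values) and RFC 4514 (DN
attribute values); helper names, the base DN and the sample inputs are
this example's own assumptions.
"""

# RFC 4515: these characters must be written as a backslash plus two hex digits.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RFC 4514: these characters must be preceded by a backslash anywhere in a value.
DN_SPECIAL = set('\\,+"<>;')


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a relative distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == "#" and i == 0:          # a leading '#' would start a hex-encoded value
            out.append(r"\#")
        elif ch == " " and i in (0, last):  # leading/trailing spaces are otherwise dropped
            out.append(r"\ ")
        else:
            out.append(ch)
    return "".join(out)


def unsafe_user_filter(username: str) -> str:
    """Vulnerable pattern: plain concatenation lets the caller rewrite the filter."""
    return f"(&(objectClass=person)(uid={username}))"


def safe_user_filter(username: str) -> str:
    """Hardened: the user name can only ever be a literal assertion value."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def user_dn(username: str, base_dn: str = "ou=people,dc=example,dc=com") -> str:
    """DN of the user's entry, e.g. for a bind; the base DN is an assumed layout."""
    return f"uid={escape_dn_value(username)},{base_dn}"


if __name__ == "__main__":
    hostile = "*)(uid=*"                # constructed injection payload
    print(unsafe_user_filter(hostile))  # a filter that matches every person entry
    print(safe_user_filter(hostile))    # matches only a uid literally equal to the payload
    print(user_dn("Smith, John"))
```

With the payload `*)(uid=*`, the unsafe builder produces `(&(objectClass=person)(uid=*)(uid=*))`, a valid filter that matches every person in the directory; the escaped version keeps the whole string inside one assertion value. The same escaping is needed for the bind DN, otherwise a comma in a user-supplied name changes which entry the application binds as.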
OpenLDAP
As the name suggests, OpenLDAP is the best-known open source implementation of the LDAP standard. It is not just a library: the project ships slapd, a complete directory server, the libldap client library written in C, and command-line tools such as ldapsearch, ldapadd and ldapmodify. Anyone can read and modify the code free of charge. OpenLDAP has no GUI of its own; administrators manage it with those command-line tools, LDIF files and third-party GUI clients such as Apache Directory Studio or phpLDAPadmin, which work because they speak standard LDAP.
Far from being rarely used directly, slapd is widely deployed on its own as the directory behind Linux logins, mail systems and web applications, and it is also the directory embedded in a number of commercial and open source products. If you evaluate it, check two things before going live: that access control is configured with olcAccess rules (the default lets any authenticated user read more than you may want), and that TLS is enabled so that bind passwords never cross the network in clear text.
Microsoft Active Directory
Microsoft’s Active Directory (AD) was a ground-breaking user management system created for Windows. It shipped with Windows 2000 Server and was so well planned that it remains the dominant on-premises directory today.
Active Directory keeps the list of authorized users for a domain and authenticates them with Kerberos (with NTLM as a fallback). Rather than fixed “permission levels”, it organizes users into groups, and access to each object is decided by an access control list that names those groups, so a member of Domain Admins is recognized and granted more than a regular user. Computers also have accounts in AD, so a domain-joined machine authenticates itself before a user logs in on it. That is a genuine security benefit, with one caveat: AD does not stop an unregistered device from being plugged into the network (that is the job of 802.1X or a NAC product); it stops that device from obtaining domain credentials and domain resources. Group Policy lets you block groups of users from specific equipment and reserve specific applications for administrators.
The main limitation of Active Directory is that the domain controller only runs on Windows Server. Clients are less restricted than is often assumed: because AD is LDAP plus Kerberos, Linux and macOS machines can join a domain through Samba, SSSD or realmd. What AD cannot do on its own is control access to cloud productivity suites such as Google Workspace; for those you need federation (AD FS, or synchronization into Microsoft Entra ID, formerly Azure AD) or a separate identity provider. As more of the estate moves to SaaS, the value of an on-site AD alone decreases.
Novell Directory Services (NDS)
NDS was created to provide directory services to Novell NetWare networks, but it can also run on networks that don’t have NetWare installed; the server runs on Windows, Linux, Sun Solaris and IBM OS/390, among others. NDS predates LDAP and was built on the X.500 model; LDAP access was added later, and the product lives on today as NetIQ eDirectory. Its hierarchical tree of users, groups and devices, replicated across servers, pointed the way for later developments and formed a model for Active Directory.
Access Control List (ACL)
An access control list (ACL) is not a rival to LDAP; it is the authorization mechanism that directories and operating systems use once LDAP or Kerberos has established who the caller is. Authentication answers “who are you?”, an ACL answers “what may you do to this object?”. Almost every system on this page contains ACLs: Active Directory attaches one to every object in the directory, OpenLDAP has olcAccess rules, file systems have ACLs on files and folders, and routers and switches have ACLs on interfaces.
An ACL is a list of entries, each naming a principal (a user or a group), a set of permissions (read, write, delete, and so on), and whether those permissions are allowed or denied. The resource being protected is called an “object”, and an object’s ACL is evaluated entry by entry. Two details matter in practice: entries are evaluated in order, so an explicit deny must be listed before the allows it is supposed to override, and an object with an empty ACL grants nothing at all.
Network ACLs are a different animal with the same name: filters on switches, routers and firewalls that permit or drop packets by source and destination address, protocol and port. They are a useful complement to an intrusion prevention system (IPS) because they can selectively block access to specific hosts and ports, but they know nothing about users, only addresses.
What lets ACLs scale is the group membership held in the directory. Instead of listing every user on every resource, you list a group once, and membership changes in the directory (including nested groups) flow through to every ACL that names it. The cost is that group membership becomes a security-critical attribute: whoever can add a member to a group effectively edits every ACL that group appears in.
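As an added example (not code from this article or from any vendor), here is a small evaluator for a Windows-style discretionary ACL that resolves nested group membership the way a directory would. The group names, the sample ACL and the `Right` flags are constructed for the example. It demonstrates two rules of DACL evaluation: a deny entry listed after an allow that already satisfied the request does not take effect, and an empty ACL denies everything.

```python
"""Evaluate a Windows-style discretionary ACL with group membership from a directory.

Added example, not code from the article or from any product. It follows the
documented DACL rules (entries evaluated in order, evaluation stops when all
requested rights are collected or an applicable deny is met, an empty DACL
grants nothing). The types, group names and sample ACL are constructed here.
"""
from dataclasses import dataclass
from enum import Flag, auto


class Right(Flag):
    READ = auto()
    WRITE = auto()
    DELETE = auto()


@dataclass(frozen=True)
class Ace:
    principal: str      # user or group name as held in the directory
    rights: Right
    allow: bool = True  # False means an explicit deny entry


# Constructed group membership: group -> members (users or nested groups).
GROUPS = {
    "Staff": {"alice", "bob", "Contractors"},
    "Contractors": {"carol"},
    "Admins": {"alice"},
}


def expand_groups(user, groups=GROUPS):
    """Every group the user belongs to, following nested membership until stable."""
    member_of = set()
    changed = True
    while changed:
        changed = False
        for group, members in groups.items():
            if group not in member_of and (user in members or member_of & members):
                member_of.add(group)
                changed = True
    return member_of


def check_access(acl, user, requested, groups=GROUPS):
    """True only if the ACL grants every requested right to the user."""
    principals = {user} | expand_groups(user, groups)
    granted = Right(0)
    for ace in acl:
        if ace.principal not in principals:
            continue                    # entry does not apply to this caller
        if not ace.allow:
            if ace.rights & requested:
                return False            # an applicable deny ends evaluation
        else:
            granted |= ace.rights & requested
            if granted == requested:
                return True             # all requested rights collected; stop here
    return False                        # nothing applicable allowed it: deny by default


def canonicalize(acl):
    """Put explicit deny entries first, the order a correct ACL editor writes."""
    return sorted(acl, key=lambda ace: ace.allow)


# Sample ACL on a shared folder, written in the wrong order (allow before deny).
SHARE_ACL = [
    Ace("Staff", Right.READ | Right.WRITE),
    Ace("Contractors", Right.WRITE, allow=False),
    Ace("Admins", Right.READ | Right.WRITE | Right.DELETE),
]

if __name__ == "__main__":
    # carol is a Contractor, and Contractors are nested inside Staff.
    print("carol write, as written:", check_access(SHARE_ACL, "carol", Right.WRITE))
    print("carol write, canonical: ", check_access(canonicalize(SHARE_ACL), "carol", Right.WRITE))
    print("alice delete:            ", check_access(canonicalize(SHARE_ACL), "alice", Right.DELETE))
    print("empty ACL:               ", check_access([], "alice", Right.READ))
```

In the as-written order the Staff allow entry satisfies carol’s write request before her Contractors deny is ever reached, so the deny is dead. Windows ACL editors enforce the canonical order for you; the failure mode shows up when ACLs are written by scripts or raw API calls, which is one reason audit tools flag non-canonical ACLs.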
Identity and Access Management Solutions (IAM)
A category of product that you will come across when investigating user authentication systems is Identity and Access Management, or IAM. This term describes a broader solution than a directory service alone: authentication (including multi-factor), single sign-on, provisioning and deprovisioning of accounts, and auditing. However, a directory, or even several directories, lies at the heart of any IAM. So, when shopping for access and authentication systems, aim for tools with a much wider remit than directory management, but be aware that the directory at the core of the IAM needs to implement an open protocol, such as LDAP, so that directory access is also available to other monitoring applications.
Suggestions for network directory services
This list presents a few suggestions for applications that you could try as specific directory services on your network. However, other applications that you use regularly, such as web servers or IP address managers, will also integrate with directory services.
JumpCloud DaaS
The “DaaS” part of this product’s name stands for “directory as a service”, an echo of “software as a service” (SaaS), the term cloud-based software services use to describe their delivery model. So, JumpCloud’s name instantly tells you that it is an online service delivering a directory server over the internet.
This is a paid product, but it does not simply host Active Directory. JumpCloud runs its own cloud directory and exposes it over standard protocols (LDAP, RADIUS and SAML), so Windows, macOS and Linux systems and SaaS applications can all authenticate against it; if you already have AD, it can synchronize with it rather than replace it. That is a neat way to get one directory working for all of your resources, not just those provided by Microsoft. At the time this guide was written, JumpCloud DaaS was free for up to 10 users.
Running security services over the internet creates an extra component that could fail and an extra opportunity for attackers to intercept your traffic and attack your authentication process. JumpCloud encrypts all communications between your clients and its servers with TLS, which protects the wire. It does not protect the account: a cloud directory puts your entire user database behind administrator logins that are reachable from anywhere, so enforce multi-factor authentication on those administrator accounts and audit who holds them.
Putting AD on the web is an interesting solution for those who don’t use many onsite resources but rely on cloud servers and SaaS for user applications. The cloud-based model is also interesting for those businesses who have a lot of workers based from home, or with agents, consultants, or craftsmen who work on client sites all the time.
JumpCloud DaaS is an example of how traditional site-based applications can easily be adapted for delivery on remote servers, and how it is never too late for an innovator to come in and revamp or extend the functionality of established services.
AWS Directory Service
Amazon Web Services offers an alternative to JumpCloud DaaS. This is another cloud-hosted Active Directory and it is provided by one of the Cloud’s big hitters. You can use it as a replacement for your current on-site setup, extend your existing domain into AWS, or use it as the first step in migrating your storage and software to other AWS services.
Unlike JumpCloud, AWS Directory Service does not replace AD with something else. Its main option, AWS Managed Microsoft AD, is a genuine Microsoft Active Directory running on domain controllers that Amazon operates; AD Connector instead proxies requests to your on-site domain, and Simple AD is a Samba-based subset for small deployments. Linux EC2 instances can join the managed domain, but it is still AD, so the same Windows-centric limitations described above apply.
Amazon doesn’t offer AWS Directory Service for free. However, the pricing model is very scalable: an hourly meter rate per directory, with two domain controllers included and a charge for each additional domain controller added. This isn’t quite as good as free, but at the time of writing you could try the service free for 30 days.
389 Directory Server
The website of 389 Directory Server claims that this software is “hardened by real-world use”, a phrase any hardened network administrator will relate to. It is an open source, no-frills LDAP server. You do not have to compile it: it is packaged for Fedora and Red Hat-family distributions (the 389-ds-base package), and it is administered with the dsctl, dsconf and dsidm command-line tools or through a web console plugin for Cockpit. If you like combing through code, the source is there for you.
389 Directory Server runs on Linux and is free to use. It is a standards-compliant LDAP server, but it is not “Active Directory for Linux” on its own: it has no Kerberos KDC or group policy. If you want the full AD-like experience on Linux, 389 is the directory component of FreeIPA, described below.
Apache Directory
If you run a website, it is very likely that you also run Apache HTTP Server. Apache Directory is a free LDAP implementation managed by the same foundation that curates the web server software. There is no special interoperability between Apache Directory and Apache HTTP Server; they are two distinct products. However, the project governance you already rely on for the web server is a reasonable basis for trying Apache Directory, which is free to use.
The project has two pieces of software. The server is ApacheDS, a pure-Java LDAP server that also includes a Kerberos server; the client is Apache Directory Studio, an Eclipse-based GUI for browsing and editing records, writing LDIF and testing search filters. Both are standard LDAP, so either can be paired with a different product as long as that is LDAP-based as well; Directory Studio in particular is a popular front end for OpenLDAP and Active Directory. Both are completely free to use and run on Windows, Linux and macOS.
FreeIPA
Earlier you read about Identity and Access Management (IAM) systems. FreeIPA is included in this list of directory services because it is a good example of an open source IAM, and it costs nothing to try.
“IPA” stands for Identity, Policy, and Audit. Those three priorities encapsulate the authentication, authorization and accountability that your network and IT resources need. As explained above, a directory lies at the core of any IAM; in FreeIPA that directory is 389 Directory Server. So, you can install 389 Directory Server alone to get an LDAP server, or go for FreeIPA to get the directory plus authentication, host enrollment and access policy.
FreeIPA is an open source project, so you can examine the code for yourself. Its authentication core is an MIT Kerberos KDC, so enrolled users and hosts get single sign-on tickets rather than sending passwords over the wire, and you can add a second factor (OTP tokens) to user logins. Host-based access control rules and centrally managed sudo rules decide who may log in where and run what.
The FreeIPA server runs on Linux (Fedora, RHEL and their derivatives). Linux clients enroll through SSSD; macOS can be configured as an LDAP and Kerberos client; Windows machines are not enrolled directly, but FreeIPA can establish a trust with an Active Directory forest so that AD users can reach Linux resources. The FreeIPA concept collects pre-existing technologies, including 389 Directory Server, MIT Kerberos, the Dogtag certificate authority, BIND for DNS, the Apache HTTP Server and a Python API, into a complete IAM built on components that are “hardened by real-world use.”
Network directory monitoring
The benefit of using a well-known directory service is that many system monitoring applications can exploit the information contained in your resource access control records in order to fully manage and control your network and its services.
There are a number of very useful network monitoring systems that exploit directory data to give you full control over your network’s activities. Here are the ones that you really need to know about:
SolarWinds Server and Application Monitor
SolarWinds products operate on Windows Server, so there is no compatibility problem with Active Directory. As a monitoring system intended for Windows environments, SolarWinds built Active Directory monitoring into this tool. The AD records on your network enable the monitor to attribute server load to user demand and also track that activity through the network if you also have the company’s NetFlow Traffic Analyzer and User Device Tracker installed.
SolarWinds produces a range of resource monitoring utilities and all of them are written on a common platform, called Orion. This enables each module that you install to interact with the other SolarWinds products that you have running on your server. The PerfStack module of the Server and Application Monitor works best if you have network monitors installed as well, such as the SolarWinds Network Performance Monitor. This is because PerfStack shows each level of the service stack together, so you can quickly identify where performance issues really exist.
The User Device Tracker particularly exploits the information that you hold in Active Directory to inform the other monitors in the suite of the origin of resource load. The tracker helps you spot security breaches and the Network Performance Monitor and NetFlow Traffic Analyzer will show you excessive traffic that could signify intruder activities. You can get any and all of these SolarWinds products on a 30-day free trial.
Paessler PRTG
PRTG is a unified network, server, and application monitor. If you take on this tool, you can implement it as widely or as narrowly as you like because its scope is completely customizable. The PRTG system is made up of hundreds of sensor types. Each sensor needs to be activated, so without your intervention all of the capabilities of the system remain dormant. A sensor focuses on one aspect of your network services or on one resource. For example, there is a Ping sensor for availability checking, SNMP and NetFlow sensors for traffic, and a series of sensors that query your LDAP and Active Directory servers for information, including a check for AD replication errors.
Paessler doesn’t charge for PRTG if you only activate up to 100 sensors. So, you could just use the tool as an Active Directory monitor. While you have the utility watch your AD activities, you also have space within that free service offer to monitor a couple of other activities on your network. You could activate the SNMP and NetFlow sensors to get feedback on network traffic or choose to activate port monitors or server status sensors.
If you want to use more than just 100 sensors, you can get PRTG on a 30-day free trial. PRTG installs on the Windows Server environment.
ManageEngine ADAudit Plus
ManageEngine produces a suite of resource monitors that run on Windows or Linux, though its Active Directory tools are Windows applications. In the ManageEngine stable you will find a number of tools specifically tailored to Active Directory monitoring. ADAudit Plus is one of these. It tracks user activity in the domain, including logon and logoff events, changes to users, groups and policy, and reports on them through the ManageEngine interface. This helps you spot illogical user activity and bursts of failed login attempts that may indicate an intruder or a password-spraying attack.
ADAudit Plus is feature rich and includes tracking and reporting facilities. You can get it on a 30-day free trial. If you don’t want to pay after the trial period, ManageEngine also offers a number of free Active Directory tools, including the Active Directory Query Tool, the CSV Generator (which extracts AD records), the Last Logon Reporter and the AD Replication Manager, among others.
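As an added example of the kind of check these monitors automate (constructed here, not code from SolarWinds, Paessler or ManageEngine), the following script runs two detections over a handful of constructed, simplified Windows Security event records: a brute-force check (many failures against one account from one source) and a password-spray check (one source failing against many different accounts). The field names mirror event 4625 (TargetUserName, IpAddress), but the log format, the thresholds and the log lines themselves are assumptions of this example.

```python
"""Detect brute-force and password-spray patterns in failed-logon events.

Added example, not from the article or any vendor product. SAMPLE_LOG is a
constructed, simplified rendering of Windows Security events 4624 (success)
and 4625 (failure); a real deployment would read the event log or a SIEM,
and the thresholds below are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-04T09:00:01Z EventID=4624 TargetUserName=alice IpAddress=10.0.0.5
2024-03-04T09:01:10Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.5
2024-03-04T09:01:12Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.5
2024-03-04T09:01:15Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.5
2024-03-04T09:01:19Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.5
2024-03-04T09:01:25Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.5
2024-03-04T09:02:00Z EventID=4625 TargetUserName=bob IpAddress=10.0.0.9
2024-03-04T09:02:05Z EventID=4625 TargetUserName=carol IpAddress=10.0.0.9
2024-03-04T09:02:09Z EventID=4625 TargetUserName=dave IpAddress=10.0.0.9
2024-03-04T09:02:14Z EventID=4625 TargetUserName=erin IpAddress=10.0.0.9
2024-03-04T09:30:00Z EventID=4625 TargetUserName=frank IpAddress=10.0.0.7
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' record into a dict with a datetime 'ts'."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_logons(events):
    """Only event 4625 records, in time order."""
    return sorted((e for e in events if e.get("EventID") == "4625"), key=lambda e: e["ts"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding window of failures per (source IP, target user).

    Returns sorted (ip, user, peak_count) tuples for pairs that reached the threshold.
    """
    recent = defaultdict(deque)
    alerts = {}
    for e in failed_logons(events):
        key = (e["IpAddress"], e["TargetUserName"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return sorted((ip, user, n) for (ip, user), n in alerts.items())


def detect_spray(events, min_users=3, window=timedelta(minutes=10)):
    """One source failing against many distinct accounts inside the window.

    Returns sorted (ip, distinct_users) tuples; a brute-force check alone misses
    this pattern because each account sees only one or two failures.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user)
    alerts = {}
    for e in failed_logons(events):
        ip = e["IpAddress"]
        q = recent[ip]
        q.append((e["ts"], e["TargetUserName"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        users = {user for _, user in q}
        if len(users) >= min_users:
            alerts[ip] = max(alerts.get(ip, 0), len(users))
    return sorted(alerts.items())


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("brute force:", detect_bruteforce(events))
    print("spray:      ", detect_spray(events))
```

On the sample data the brute-force check fires for 10.0.0.5 against alice (five failures in fifteen seconds) and stays quiet for 10.0.0.9, while the spray check fires for 10.0.0.9 (four different accounts in a quarter of a minute) and stays quiet for 10.0.0.5. Running both is the point: an attacker who keeps each account under the lockout threshold is invisible to the first check and obvious to the second.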
You have a lot of options when you start to shop around for network directory services. Hopefully, this guide has given you a starting point for your search.
Do you use any of the utilities mentioned in this guide? Do you prefer a tool that we haven’t covered here? Leave a message in the Comments section below to share your knowledge with the community.