Sounds great. But then why are so many network managers still struggling in directory limbo? The problem, according to users and analysts, is that directory services have evolved within networks over time, leaving users mired in, well, network hell.

"As the industry has evolved, each application got embedded directory functionality," explains Daniel Blum, senior vice president at The Burton Group. "Yet the applications were managing duplicate or related information. In a large company, there may be more than 100 things you could call directories, and your name might be in 20 or 50 of them."

That can be costly. "There are huge hidden costs from redundant administration and unnecessary complexity," Blum says. "You have quality problems, where information is out of date. You have security problems, where people are able to access accounts six months after they’ve left. And you have application problems, where applications can’t get data they need to personalize service."

The answer should be general- purpose directory services such as eDirectory or Active Directory, and in many cases, it is.

"The goal of an enterprisewide directory service like eDirectory is simple," explains Chip DiComo, global network manager at Hellmann Worldwide Logistics, a longtime Novell shop in Miami. "It’s a single source for everything in your network. It gives you one place to go to manage your entire IT environment, a prerequisite in a global operation."

But getting a multitude of directories consolidated in something like Active Directory or eDirectory is not easy.

"It’s a huge re-engineering project," says Blum, who recently published guidelines for handling such a project. "The directories that need to be consolidated and integrated cross the gamut of corporate functions. They’re in [human resources], security, customer-facing organizations, and in IT. It takes a huge cross-functional effort."

Top that off with integrating new applications, and the directory ordeal gets even worse.

Vendors just don’t get it

"Even the vendors who have been in the directory space the longest have had trouble recognizing directory basics," says Dave Kearns, a consultant in Austin, Texas. "The current shipping version of Exchange uses a different directory structure than Windows 2000, and the current version of GroupWise uses a different directory system than eDirectory. In both cases, you need to synchronize between them, and that’s not really the idea."

Users agree. "I’ve had to explain directory services to people who should understand them better than I do," Hellmann’s DiComo says. "I’m tired of beating vendors over the head about this."

In addition to "just not getting it," vendors on the whole hesitate to write to directory services. "Vendors aren’t willing to bet yet that there will be a [general-purpose] directory available where their products are installed," Kearns says. "And even if there is a directory, they aren’t sure they’ll be able to read and write to it. So they have to hedge their bets."

In some cases, this means just doing it the old way, writing proprietary authentication and directory-like services into their products. Or some have tried to play it safe by writing to the Lightweight Directory Access Protocol (LDAP).

When vendors write to LDAP, it means their applications should be able to use any of the major LDAP-compliant directories, such as eDirectory, Active Directory, iPlanet’s iPlanet Directory Server or Critical Path’s InJoin. This way, vendors are fairly assured their applications can run in a variety of end-user environments.

The problem is that LDAP is not that robust a standard, and every major directory service player has made its own set of proprietary improvements to the protocol.

"Developers can write to LDAP, provided they’re just looking to retrieve some very basic information that’s standardized across the different LDAP directories," Blum says. "But if they’re looking to go beyond that, they can run into trouble."

Directory services vendors differ primarily in the way they allow modifications to the directory schema and how they manage access controls.

"If developers need to create nonstandard information structures and to change the directory schema, they are forced to write to a particular vendor’s directory," Blum says. "Or if developers need to have special security roles to manage their application data, they need to manipulate the directory access control systems. That also means they need to write to a particular directory."

So what do vendors do?
"Having to write to three or four directories is a significant effort," Blum says. "And when they don’t know which directory will be in the customer environment, some application developers may still be tempted to take the easy way out and keep their own directory functionality."

That brings us back to the start.
Users and vendors say a few things need to happen before we can successfully emerge from directory services limbo. First, users need to settle on a general-purpose directory and embark on that huge re-engineering effort to ensure internal directories are consolidated and integrated. Second, users need to insist that all vendors write to their chosen general-purpose directory, or at least to LDAP.

"When we look at new vendors, one of our first check-off items is to make sure they’re directory-enabled," DiComo says. "If they’re not, we write them off the list."

But most important, vendors need to standardize beyond LDAP’s bare-bones functionality. "But they’re not really moving in that direction," Blum says. "Microsoft isn’t even participating in the [Internet Engineering Task Force] access control or replication work. And without it, the chances of standards are not great."

One area all the vendors seem to be pursuing is XML and its directory-focused extension, Directory Services Mark-up Language (DSML).

"XML is definitely an integration opportunity," Blum says. "It lets applications communicate more easily with directories. Rather than communicating data between applications and directories, you have applications and directories communicating metadata, or data about the data."

Blum says this would increase directory interoperability. "But someone still has to standardize the metadata," he says.

Currently, the major directory services players are participating in DSML.org, which is hammering out these standards.

"They’re making progress, but they have a long way to go before they can achieve the ideal of making directories transparent to applications," Blum says.

That means users could be struggling with this for some time.