Directory design, architecture and nostalgia

It's time, once again, to look back 10 years and to see what was important in the identity arena in March 2001.

Most of the month was given over to a dissection of what I considered, at the time, to be a very important (and wrong) white paper by Creative Networks CTO Edward Owens.

Creative Networks seems to have disappeared later that year, but -- surprisingly -- the white paper can still be downloaded ("Directory Services Sorting Through The Miasma"). Get a copy if you want to feel nostalgic.

It was directory design and architecture that raised my hackles in the piece:

"Owens states, 'A better mechanism is to have all people directly under a node named, for example, "people."' That is, create a single OU and put all of the enterprise's employees in it. This is, by far I believe, the worst possible advice to give someone designing anything but the smallest of directory trees.

"It is true that most directory architects favor a geographical-departmental-workgroup arrangement of users in a NOS directory. This places the authentication factors close to where they'll be, minimizing response time and eliminating most uncontrollable network outages.

"But other than the NOS, what needs access to the users and their attributes in the Enterprise directory?

"Applications (of which NOS logon is simply one category) need access to users and attributes in the Directory.

"Now authentication -- logon -- happens once, perhaps twice a day. How often does a user start an application during the day? How often does the user browse to a website? The information that these applications need, the data that the browser uses -- it all needs to be close to the point of usage, not stored in a single container in an Enterprise directory which could be several WAN-jumps away from the user.

"Trees need to be designed so that data is both geographically and logically close to where it will be used."

That's all still very true today.
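To make the tree-design argument concrete, here is an added example (my own code, not from the 2001 newsletter, Owens' paper, or any product) that models the two layouts on a constructed three-employee enterprise: a flat "ou=people" container versus a geographic-departmental tree. The site names, DNs and hosting map are hypothetical. The DN handling splits on commas only, so it is a teaching model, not an RFC 4514 parser.

```python
"""Flat vs. geographic directory trees: why placement affects where queries go.

Constructed example. Entries, partitions and hosting sites are hypothetical.
"""


def parse_dn(dn):
    """Split a DN into RDNs, leftmost (most specific) first.

    Simplified: no handling of escaped commas or attribute-type case folding.
    """
    return [rdn.strip() for rdn in dn.split(",")]


def is_under(dn, base):
    """True if dn is base itself or lies anywhere in the subtree below base."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def subtree_search(entries, base):
    """What an LDAP subtree search scoped at `base` would return."""
    return [e for e in entries if is_under(e, base)]


def partition_for(dn, partitions):
    """Which naming-context / replica root holds this entry.

    The most specific (longest) matching partition wins, as a directory server
    picks the deepest naming context that contains the entry.
    """
    matches = [p for p in partitions if is_under(dn, p)]
    return max(matches, key=lambda p: len(parse_dn(p))) if matches else None


def wan_hops(dn, hosting, client_site):
    """0 if the partition holding dn is hosted at the client's site, else 1.

    `hosting` maps partition root -> site name where its replica lives.
    """
    part = partition_for(dn, list(hosting))
    return 0 if part is not None and hosting[part] == client_site else 1


# --- Constructed sample enterprise ------------------------------------------

# Owens' design: every employee directly under one "people" container.
FLAT_PEOPLE = [
    "cn=alice,ou=people,dc=example,dc=com",
    "cn=bob,ou=people,dc=example,dc=com",
    "cn=carol,ou=people,dc=example,dc=com",
]
# Only one place to cut a partition: the whole tree, hosted at HQ (Chicago).
FLAT_HOSTING = {"dc=example,dc=com": "chicago"}

# Geographic-departmental design favoured in the column.
GEO_TREE = [
    "cn=alice,ou=eng,ou=paris,dc=example,dc=com",
    "cn=bob,ou=sales,ou=paris,dc=example,dc=com",
    "cn=carol,ou=eng,ou=chicago,dc=example,dc=com",
]
# Each site's OU is its own partition, replicated to a server at that site.
GEO_HOSTING = {
    "dc=example,dc=com": "chicago",
    "ou=paris,dc=example,dc=com": "paris",
    "ou=chicago,dc=example,dc=com": "chicago",
}


if __name__ == "__main__":
    alice_flat, alice_geo = FLAT_PEOPLE[0], GEO_TREE[0]
    print("Paris app, flat tree, hops to read alice:",
          wan_hops(alice_flat, FLAT_HOSTING, "paris"))
    print("Paris app, geo tree,  hops to read alice:",
          wan_hops(alice_geo, GEO_HOSTING, "paris"))
    print("Paris-scoped search, geo tree:",
          subtree_search(GEO_TREE, "ou=paris,dc=example,dc=com"))
    print("Smallest possible scope, flat tree:",
          subtree_search(FLAT_PEOPLE, "ou=people,dc=example,dc=com"))
```

In the flat layout the narrowest search base an application can use is the "people" container itself, and the only partition boundary is the whole tree, so every Paris lookup goes to wherever that container is hosted. In the geographic tree, a Paris application scopes its search to ou=paris and is served by the Paris replica with no WAN hop. The trade-off the model does not show: in a geographic tree an employee who changes site or department gets a new DN (a modrdn), and any application that stored the old DN must cope with that.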

There was another white paper published that month, by Microsoft's then Active Directory honcho Peter Houston -- and it, too, is still available (gotta love the Internet!). "Understanding the Role of Directory Services Versus Relational Databases" is still relevant to identity storage discussions -- read that one to learn.

Do you suppose that, 10 years from now, we'll still be discussing relational vs. XML vs. LDAP/X.500 as the best storage for identity data? I'd say we will be -- come back in February 2021 to find out!

Copyright © 2011 IDG Communications, Inc.