News In Review

July 12, 1999

The Directory Dilemma

Vendors are rolling out products and promoting standards to help manage scores of directories, but it's still a big problem

By Brian Riggs

    Directories are becoming the main gatekeepers for giving employees, customers, and business partners access to enterprise networks, applications, intranets, and extranets. At some companies, however, the number of directories has climbed into triple digits, creating a pressing need for tools that can ensure that disparate directories can be easily updated as well as share information among themselves and with applications. Vendors are responding with product initiatives intended to help the problem, but even the new directory technology has some limitations.

    Data Connection, IBM, Isocor, Lotus Development, Novell, and Oracle last week unveiled the Directory Integration Forum, a group formed to help develop standards for the interoperability of directory applications and to certify software that simplifies the management of directories from different vendors. The group won the backing of a host of other vendors, but Microsoft, Netscape, and Sun Microsystems were notably absent.

    Microsoft made its own directory move last week when it acquired Zoomit Corp., a metadirectory vendor whose software it plans to integrate into Windows 2000. Zoomit's technology will be used by Microsoft to gather data from a variety of directories into a single repository, in effect creating a single master directory for an enterprise.

    Novell this week plans to ship Novell Single Sign-on, directory software that lets users enter a name and password once to gain access to multiple applications. With Single Sign-on, identity and authentication information is stored in a Novell Directory Services database, reducing the number of passwords and other directory entries that IT managers need to administer. Novell also plans to roll out metadirectory software, code-named Virtual Replica, that's designed to tie directories to information stored in business and E-commerce applications, and restrict the availability of that information to specified users.

    And to help IT managers handle growing numbers of directories, IT services firms Ernst & Young, Inacom, and Science Applications International this week will reveal plans to start offering directory-integration services later this year based on Isocor's MetaConnect and Global Directory Server directory and metadirectory software.

    Directories are repositories or databases containing information on users, such as names, E-mail addresses, and phone numbers; data used for computer security, such as passwords and encryption keys; access rights to applications; and information on network devices, such as printers and servers. Directory services provide a way to locate and identify users and resources on a network, and let IT managers administer and change data about users.

    As the number of applications and processes that use directory information grows, businesses are finding they are using scores of directories that all contain a variety of information on users, applications, and systems. Large companies support an average of 181 separate directories, according to Forrester Research. And many plan to continue using multiple directories rather than standardize on one, according to a survey of 105 IT managers by InternetWeek (see chart, p. 20).

    The problem? "Having multiple entries in multiple directories is like having two watches. You never know which one is correct," says Roger Green, CIO of Cymer Inc., a San Diego laser-equipment developer.

    That's why IT managers are looking for a better approach. "Since most companies have a large number of directories, integrating them and creating some kind of unified infrastructure is perhaps one of the biggest challenges that they'll face," says Jamie Lewis, president of the Burton Group, a consulting firm.

    For some companies, the need to integrate directories is closely tied to their electronic-business plans. Directories can be used to link customer databases, billing applications, call centers, and other systems across an enterprise, says Larry Gauthier, a senior analyst at the Burton Group.

    That's true at Cymer. "We would like to unify the way we manage identity, not only of our user base, but also customers and suppliers," says Green, who, like other IT executives, isn't sure how many directories his company uses. Green says being able to easily and quickly make changes to directories throughout the company is key to providing suppliers and customers access to Cymer's internal systems.

    But getting directories to share information with applications and each other can be a difficult and labor-intensive task. In many cases, IT personnel manually enter new information into directories and synchronize the data to make sure it's consistent among directories (see chart, above).

    Jim May, a senior member of the technical staff at Texas Instruments Inc., estimates that manually updating the 1,500 to 2,000 daily adds, moves, and changes to his company's IT infrastructure would be a full-time job for up to 15 IT staff members. However, TI has deployed Isocor's MetaConnect metadirectory software, which automatically sends changes to more than 20 of the company's directory servers worldwide. When a user is removed from the directory, applications such as Exchange, Notes, and others that require authentication automatically suspend that user's ability to access databases. As a result, TI needs just three staffers to manage directory services for a network that links more than 70,000 employees.

    Competition Looms
    Novell's NDS is the market-leading directory. Novell says NDS-8, the latest version, can handle as many as 1 billion directory entries. But NDS is expected to face tough competition from Microsoft's forthcoming Active Directory, an upgraded version of the directory in Windows NT. Active Directory is in beta tests and will ship with Windows 2000. While NDS and Active Directory can both provide directory services for a variety of apps and systems, they can't automatically handle all third-party network databases, operating system directories, E-mail directories, human-resources databases, and application directories. That limitation gave rise to metadirectories such as those offered by Isocor and Zoomit that act as master directories, merging and sharing information from other directories, network operating systems, and applications.

    Microsoft plans to integrate the Zoomit metadirectory technology with Active Directory to create an identity-management system that will be able to gather data from network directories, E-mail address books, and application repositories into one metadirectory, and push information on adds, moves, and changes out to other systems. But Microsoft says that integration won't take place until next year so as not to delay the initial release of Active Directory and Windows 2000, due later this year.

    Microsoft's acquisition of Zoomit came as a surprise to Chevron Information Technology Co., the IT arm of Chevron Corp. Chevron IT, in Houston, has been beta-testing Windows 2000 and Active Directory, but has also been building its own metadirectory because the oil company wasn't confident Active Directory could handle all its needs, says staff analyst Michael Lewis.

    "Microsoft was saying that Active Directory would be the only directory you would ever need," says Lewis. "But we've got Unix directories, we've got Oracle, we've got mainframes. So Microsoft's approach wouldn't have worked for us." With the acquisition of Zoomit's metadirectory technology, "they've turned 180 degrees on us," says Lewis, who adds that it's too early to say just how the development could figure into Chevron's plans.

    Other Ways To Share
    Metadirectories aren't the only option for sharing directory information. The Lightweight Directory Access Protocol was designed as a standard way for applications to obtain directory information such as E-mail addresses and public encryption keys. But LDAP hasn't been widely implemented, making it difficult for some applications to share data with some directories. "As is the case with any specification, when vendors implement it, they interpret things differently and add proprietary extensions," says Burton Group's Lewis.

    The Directory Interoperability Forum intends to create software development kits that provide interoperability across LDAP-enabled directories and to certify interoperable directory-enabled applications.

    But not everyone is confident that the forum will succeed. "It seemed to us this was not the right medicine for the ailment," says Frank Chen, director of product management for directory and security products at Netscape. The company was invited to join the forum but declined, Chen says, calling the forum an "exclusive country club" that vendors will use to impose their technologies on independent software vendors.

    For some IT managers, LDAP has limited usefulness. "The problem I had was that many of the directories were not LDAP-enabled," says Donald Johnson, director of advanced technology research for the state of New Jersey in Trenton.

    New Jersey's 16 departments maintain separate directories of employee E-mail addresses, phone numbers, and other information. To ease communications, Johnson is deploying Netscape Directory and Oblix Inc.'s Corporate Directory to set up a centralized set of "white pages" that will contain all employee contact information and job functions. Internal users and contracted agencies will be able to use the central directory to locate state employees.

    The growing sophistication of directory software and services promises to significantly reduce the complexity and costs involved in supporting multiple directories. But IT managers should not expect too much, too soon. The work proposed by the Directory Interoperability Forum will take months, and Microsoft's product integration could be a year away.

    IT managers, analysts, and vendors agree that more work is needed before the capabilities of directory services can match the need to manage the growing number of directories used by most enterprises.

    With additional reporting by Amy K. Larsen, Mary E. Thyfault, and Rick Whiting

