
Company Directories and Identity Management

20/06/2012 Article

BG

Company Directories are an attempt to centralise identity management for an organisation, as discussed in the previous article.

Company Directories do not just hold information about users, but also about the systems, printers, scanners, services etc. within an organisation.  Directories come in a number of different flavours, each with its own pros and cons; the most notable, by popularity, is Microsoft’s Active Directory.

Data within a directory can be accessed by people only if they have permission, and likewise by the various services and systems within an organisation.  This level of automation is highly useful when considering efficiencies; however, it comes with the drawback that not all systems are capable of using it, particularly older systems.

The four most common directory standards are X400, X500, Lightweight Directory Access Protocol (LDAP) and Active Directory (AD).

Different Kinds of Company Directories

X500

X500 is a composite of the following four separate protocols:

  1. DAP – Directory Access Protocol
  2. DSP – Directory System Protocol
  3. DISP – Directory Information Shadowing Protocol
  4. DOP – Directory Operational Bindings Management Protocol

Items in the directory are called “Names”.  They are addressable in two formats, DN and RDN (Distinguished Name and Relative Distinguished Name respectively).  A DN is the equivalent of an FQDN in DNS; an RDN is the equivalent of an unqualified (non-FQDN) DNS name.  Early versions required the implementation of the OSI network stack.

LDAP

LDAP originated in the early 1990s as a result of demand for a simpler directory service.  LDAP derives from X500 and shares common features such as the DN and RDN concepts.  There are four main common attributes: DN – Distinguished Name, CN – Common Name, DC – Domain Component, OU – Organisational Unit.  LDAP has basic CRUD (create, read, update, delete) functionality.  LDAP is typically run unencrypted over TCP port 389, but it is possible to encrypt it, either by negotiating TLS on the standard port (StartTLS) or by using SSL on port 636 (LDAPS).
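As an added illustration that is not part of the original article, the following Python code splits an X500/LDAP Distinguished Name into the RDN components the text describes, following the RFC 4514 string form, and derives from the DC components the DNS name that the FQDN analogy above implies. It assumes well-formed input; the sample DN is constructed for the example.

```python
import re

# Added example (not from the article): split an X.500/LDAP Distinguished
# Name into its RDNs using the RFC 4514 string form. Assumes well-formed
# input; a hex escape is decoded as a single byte, not as multi-byte UTF-8.

def split_unescaped(text, sep):
    """Split text on sep, ignoring separators escaped with a backslash."""
    # an escape pair (backslash + any char) is consumed as a unit, so an
    # escaped separator can never end a part
    return re.findall(r"(?:\\.|[^" + re.escape(sep) + r"])+", text)

def unescape(value):
    """Resolve RFC 4514 escapes: '\\,' -> ',' and the hex pair '\\2C' -> ','."""
    def repl(m):
        esc = m.group(1)
        return chr(int(esc, 16)) if len(esc) == 2 else esc
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)

def parse_dn(dn):
    """DN -> list of RDNs, leaf first. Each RDN is a list of (type, value)
    pairs, so a multi-valued RDN such as OU=Sales+CN=J. Smith gives two."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        pairs = []
        for ava in split_unescaped(rdn, "+"):
            attr_type, _, attr_value = ava.lstrip().partition("=")
            # attribute types are case-insensitive; normalise for comparison
            pairs.append((attr_type.strip().upper(), unescape(attr_value.lstrip())))
        rdns.append(pairs)
    return rdns

def leaf_rdn(dn):
    """The leftmost RDN: the 'relative' name, like an unqualified DNS label."""
    return split_unescaped(dn, ",")[0].lstrip()

def parent_dn(dn):
    """The DN minus its leaf RDN: the container the entry sits in."""
    return ",".join(p.lstrip() for p in split_unescaped(dn, ",")[1:])

def dc_to_domain(dn):
    """Join the DC components into the DNS name the FQDN analogy implies."""
    return ".".join(v for rdn in parse_dn(dn) for t, v in rdn if t == "DC")

if __name__ == "__main__":
    sample = "CN=Smith\\, John,OU=Sales,DC=example,DC=com"  # constructed sample
    print(parse_dn(sample))
    print(leaf_rdn(sample), "|", parent_dn(sample), "|", dc_to_domain(sample))
```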

AD

AD, or Active Directory, is Microsoft’s attempt at LDAP and, as a result of Microsoft’s market share, is inevitably very popular.  In its normal state AD is not cross-platform compatible, but using plugins etc. it can be made to work with *nix and other operating systems.

X400

X400 appears to be the geeky cousin of SMTP, in that it developed lots of advanced features very early on but never quite made it with the girls.  It also doesn’t really fit in this section, as it is an email protocol, not a directory protocol, but the official CISSP CBK puts it here anyway.
