Introduction
If computers and networks are so smart, why aren't they more self-aware,
why can't they take care of themselves, and why should I have to know so much
to use a network? Building, managing, using or even replacing your existing
network is complex and expensive. And you are probably not managing just one
network: you have, or are planning to build, a corporate intranet, an extranet
with your trusted business partners, or connections to the Internet. And while
you are doing all that you still need to manage file storage, printing, faxing,
messaging and collaboration on your existing systems.
Wouldn't you like to make those changes using your existing technology while
simplifying the technology management challenges you face today? Sound too
good to be true? A technology has emerged that is making it possible: directory
services. You will hear a lot about directory services in the near future and
how they reduce complexity and lower the total cost of owning a network. We
want you to know about this quantum leap in networking and how it is available
today on much of your existing network.
To discover more about directory services, we will discuss the following:
- Vision of network computing
- What a directory service is in computing terms
- The components of your network and how a directory can tie them together
- The benefits or advantages of an NDS-enabled network
- Network services built on NDS
- Large, scaleable NDS-enabled networks
- Building NDS on standards
- Developing NDS-enabled applications
- Proof that we make no empty promises
The vision of an environment that
is secure, ubiquitous, easy-to-use, and integrated with everything is worth
investigating. We are partnering with the leading players in the networking
world to directory-enable their network solutions. Life is getting simpler.
Another Quantum Leap In Computing
You've already seen the future.
We can look to science fiction to find a great vision for computing. There
are television shows that take us centuries into the future and show us
how computers should work. "Computer, where is Ensign Berk? Computer, a
hot cup of Jarvarian tea. Or Computer, initialize self-destruct sequence
Alpha 4069." All of these futuristic commands require the computer to know
who is talking, their access privileges to such information or commands
and the ability to make the commands from anywhere, even on a distant planet.
The computer must also have access to an enterprise database, engineering
database, and personal databases. Yet, all commands are carried out with
very little personal intervention or forethought. They just happen.
Sun Microsystems aptly states,
"the network is the computer." Maybe the same is true of futuristic starship
computing. Maybe the Starship Captain is really talking to the network
when he asks, "Computer, how long until the Zertoc star becomes a red dwarf?"
If this is the vision and the vision is science fiction, what missing components
do we need to make fiction a reality? There has to be something that knows
what the relationships are between people and machines and between one
machine and another. Otherwise where is the benefit of the network? That
missing piece is an integrated directory service at all levels of an enterprise
network.
The overall goal is to make
all needed network services available to everyone and bring the network
to the point that it actually works for you. In other words, the network
is so easy that users don't have to worry about where their resources are
or if they will be available when they need them. It's all invisible to
the user and more easily managed by the administrator. This is what our
CEO, Eric Schmidt, calls "world of me." Having your own little world of
information and resources and choosing to share what you want, whenever
you want, with whomever you want.
Similar
Cycles
The futuristic logic that, "the
needs of the many outweigh the needs of the few," is what networking is
all about. Yet in real life, the needs of the few often come before the
needs of the many. Only a few individuals are privileged to use new technology
until it becomes easy enough, prevalent enough and inexpensive enough that
everyone can reap the benefits.
Just think about the emergence
of the computer. At first, computers were huge, expensive things made with
vacuum tubes and only the people who built the computers could use them.
Then came mainframes, minicomputers, workstations, PCs and now they're
talking about Network Computers. With each computing landmark, computers
became more complex in design but less expensive and easier to use. User
interfaces developed in a like manner: punch cards, then cryptic command
languages, then the mouse and windowing environments, each advance bringing
technology closer to the end user. Networking is going
through the same cycle. First, dumb terminals linked to mainframe computers
accessible only to a few people. Next, isolated PCs were connected into
Local Area Networks where more people understood and could use the network.
Today with the Internet, intranets and extranets, you can browse enormous
amounts of information and collaborate with people anywhere in the world.
However, it isn't a plug-and-play world yet for printing across the Internet,
for having secure connections to others or for sharing your information
with a select group of people. Each step brings us closer to the vision
of a personal, invisible network that we call the "world of me". The next
step in getting there is the role of directory services.
Directory Services
Defining a directory service is simple; what it does for your network isn't.
Here is an easy way to think of a directory:
- Database of objects. A database of users, applications, network devices and other resources you might find on a network. A directory service is, at least in part, an object-oriented database representing network users and resources. Each object stores specific information about an individual user or network resource. Objects are structured hierarchically in a directory tree, a framework that can be organized the way your business is organized.
- Manages relationships. Every user and resource has relationships with other users and resources on the network. A directory controls the relationships between people and machines and between one machine and another. Two ways a directory manages relationships are authentication and authorization.
- Authentication. Both the user and the network components identify themselves to each other, so each side knows the other is who it claims to be and nobody can get in between them to impersonate one side or steal information.
- Authorization. Once a user is authenticated, the network allows that user to manage or use the network resources he or she has rights to. Rights are granted globally, organizationally or across workgroups, and then managed by exception at the individual user level.
NDS-Enabled Networking
An integrated directory service spans all the components of your network. To
get a better picture of how a directory fits in your network, think of the
network as comprised of:
- physical devices like modem banks, access servers and routers
- operating systems like IntranetWare, UNIX and NT
- applications that run over the network
- services that improve how people work with the network and that span both your intranet and the Internet
- the intranet and the Internet, for doing business, not just public advertising
A flexible, powerful, secure directory service is what ties all these network
levels together and makes the network easy to use and easy to manage. NDS is
the only directory service that addresses all aspects of your network, enabling
single sign-on, a single point of administration and a foundation for
developers to build upon.
Advantages of Being NDS-Enabled
The advantages are simple in that
they make your life less complex. Making things simpler also lowers your
cost of ownership.
Single Sign-On
You log in to the network once,
using one password. You are then given seamless access to all the network
resources you are authorized to use. Access to resources after initial
login is handled automatically through background authentication. We say
background because you'll be unaware that authentication is taking place.
Your login is the same no matter where you are physically located on the
network. NDS allows you to access your applications, files, printers, services
and other network resources from any geographic location and have a consistent
network view regardless of your workstation. The hierarchical database
structure of NDS reduces network traffic and makes your searches and operations
fast and efficient. You can find a required network resource by searching
or browsing the tree with Novell or third-party utilities.
Single Point Of Administration
A Gartner Group study revealed
that 79 percent of the total cost of owning a network is incurred in administration
costs alone. Without a directory-enabled network, you are often required
to perform the same operations multiple times, either for each user or
each server. NDS eliminates the need for redundant administration by providing
a single point of administration for your entire enterprise. NDS reduces
the total cost of managing and maintaining the network. You can manage the
entire network from a single location, with a single graphical user interface
(GUI) administration utility.
NDS also allows for freedom
of management. In most organizations there is a need for both centralized
and distributed administration. Many of our customers centralize management
and administration services that reach across departmental boundaries.
Other administration may then be delegated to the department or workgroup
level. With both administration focuses, you only need to use one tool,
NWAdmin, to manage all your network resources.
Secure
You want a secure network environment. With NDS you can build a full range of
security and access control. NDS lets you quickly and reliably define the
security rights associated with a particular branch of the directory tree; all
objects within or below that branch inherit those rights. Such rules-based
administration simplifies security so that only the exceptions to the rules
require special attention. Rules-based security greatly reduces administrative
cost and helps prevent the ultimate cost, losing your information to your
competition.
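As an added illustration (not Novell code, and not NDS's actual rights model or ACL format), the following Python models a directory tree in which a trustee assignment made at a container flows down to everything beneath it, and an explicit assignment further down is the exception that replaces what that trustee inherited. The tree, the trustees (CN=Everyone, CN=EngAdmins, CN=jdoe, CN=asmith), the one-letter rights and the override rule are all assumptions of the example.

```python
"""Rules-based rights: grant at a branch, inherit below, manage by exception.

Added illustration, not Novell code.  The tree, the trustees, the rights
letters and the override rule (an explicit assignment for a trustee lower in
the tree replaces what that trustee inherited from above) are assumptions of
this example, not a description of NDS internals.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Object rights used in this example: Browse, Create, Delete, Rename, Supervisor
FULL = frozenset("BCDRS")


@dataclass(eq=False, repr=False)
class Entry:
    """One directory object (container or leaf) with its own trustee list."""
    name: str
    parent: Entry | None = None
    acl: dict[str, frozenset[str]] = field(default_factory=dict)   # trustee -> rights
    children: dict[str, Entry] = field(default_factory=dict)

    def add(self, name: str) -> Entry:
        child = Entry(name, parent=self)
        self.children[name] = child
        return child

    def grant(self, trustee: str, rights: str) -> None:
        """Explicit trustee assignment here; also how an exception is expressed."""
        self.acl[trustee] = frozenset(rights)

    def path(self) -> list[Entry]:
        node, chain = self, []
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]                       # root first


def lookup(root: Entry, dn: str) -> Entry:
    """Resolve a leaf-first name such as CN=Payroll.OU=HR.O=Acme."""
    node = root
    for part in reversed(dn.split(".")):
        node = node.children[part]
    return node


def effective_rights(obj: Entry, user: str, groups: dict[str, set[str]]) -> frozenset[str]:
    """Walk root -> obj once for the user and once for each group it belongs to.

    Rights for a trustee flow down the tree until an explicit assignment for
    that same trustee replaces them.  The user's effective rights are the union
    of what the user and all of its groups end up with at the object.
    """
    trustees = {user} | {g for g, members in groups.items() if user in members}
    total: set[str] = set()
    for trustee in trustees:
        inherited: frozenset[str] = frozenset()
        for node in obj.path():
            if trustee in node.acl:              # explicit assignment overrides inheritance
                inherited = node.acl[trustee]
        total |= inherited
    return frozenset(total)


def build_demo() -> tuple[Entry, dict[str, set[str]]]:
    """Constructed sample tree: one global rule, one workgroup rule, two exceptions."""
    root = Entry("")
    acme = root.add("O=Acme")
    eng = acme.add("OU=Eng")
    hr = acme.add("OU=HR")
    eng.add("CN=LaserJet")
    payroll = hr.add("CN=Payroll")
    acme.grant("CN=Everyone", "B")               # distributed globally: everyone may browse
    eng.grant("CN=EngAdmins", "BCDR")            # workgroup administrators for Eng
    hr.grant("CN=Everyone", "")                  # exception: the HR branch is hidden again
    payroll.grant("CN=jdoe", "B")                # exception to the exception: jdoe sees Payroll
    groups = {"CN=Everyone": {"CN=jdoe", "CN=asmith"}, "CN=EngAdmins": {"CN=asmith"}}
    return root, groups


if __name__ == "__main__":
    root, groups = build_demo()
    for dn in ("CN=LaserJet.OU=Eng.O=Acme", "CN=Payroll.OU=HR.O=Acme"):
        for user in ("CN=jdoe", "CN=asmith"):
            rights = "".join(sorted(effective_rights(lookup(root, dn), user, groups)))
            print(f"{user:10} on {dn}: {rights or '-'}")
```

Only four trustee assignments govern six objects here; everything else is inherited, and the two exceptions are the only entries an administrator would have to look at when auditing who can see Payroll.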
NDS uses an authentication service based on RSA public-key cryptography. The
mechanism uses a private key attribute and a digital signature to verify a
user's identity. Authentication is session-oriented: the client's signature
is valid only for the duration of the current session, which limits what an
eavesdropper could do with a captured signature. Ongoing (background)
authentication is transparent and takes place when you access other services.
Only during login (the user ID and password exchange) are you involved in the
authentication process.
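The following Python is an added example of the session-bound pattern just described; it is not NDS's wire protocol, key format or code. A login is a challenge the client signs with its private key; the server checks it against the public key stored on the user object, then hands out a per-session key that services verify in the background without involving the user again. The password exchange that unlocks the private key is not modeled. The RSA key is built from two public Mersenne primes purely so the block runs on the standard library; it is not a real key, and the class names and the DN CN=jdoe.OU=Eng.O=Acme are assumed.

```python
"""Session-bound public-key login followed by transparent background
authentication to other services.

Added illustration, not NDS's wire protocol, key format or code.  The toy RSA
key (two public Mersenne primes) exists only so the block runs with the
standard library; it is not a secure key.  DirectoryServer, Client and the DN
are names assumed for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# --- textbook RSA over a fixed toy modulus (illustration only) ---------------
P, Q = 2**127 - 1, 2**521 - 1            # well-known Mersenne primes: NOT a real key
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent matching E


def _digest(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"\x00".join(parts)).digest(), "big")


def rsa_sign(d: int, *parts: bytes) -> int:
    return pow(_digest(*parts), d, N)


def rsa_verify(e: int, sig: int, *parts: bytes) -> bool:
    return pow(sig, e, N) == _digest(*parts)


class DirectoryServer:
    """Keeps each user's public-key attribute plus the live sessions."""

    def __init__(self, lifetime: float = 3600.0) -> None:
        self.public_keys: dict[str, int] = {}                      # DN -> public exponent
        self.pending: dict[bytes, tuple[str, bytes]] = {}          # session id -> (DN, nonce)
        self.sessions: dict[bytes, tuple[str, bytes, float]] = {}  # id -> (DN, key, expiry)
        self.lifetime = lifetime

    def begin_login(self, dn: str) -> tuple[bytes, bytes]:
        """Step 1: fresh session id and nonce, so an old signature cannot be replayed."""
        sid, nonce = secrets.token_bytes(16), secrets.token_bytes(32)
        self.pending[sid] = (dn, nonce)
        return sid, nonce

    def complete_login(self, sid: bytes, sig: int, now: float) -> bytes | None:
        """Step 2: accept only a signature over *this* session's id and nonce."""
        dn, nonce = self.pending.pop(sid, (None, None))
        if dn is None or not rsa_verify(self.public_keys[dn], sig, sid, nonce, dn.encode()):
            return None
        key = secrets.token_bytes(32)                              # per-session secret
        self.sessions[sid] = (dn, key, now + self.lifetime)
        return key

    def authenticate_request(self, sid: bytes, service: str, mac: bytes, now: float) -> str | None:
        """Background authentication: a service asks the directory who sent this request."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        dn, key, expires = entry
        if now >= expires:                                         # credential dies with the session
            del self.sessions[sid]
            return None
        expected = hmac.new(key, sid + service.encode(), "sha256").digest()
        return dn if hmac.compare_digest(expected, mac) else None

    def logout(self, sid: bytes) -> None:
        self.sessions.pop(sid, None)


class Client:
    def __init__(self, dn: str, private_exponent: int) -> None:
        self.dn, self.d = dn, private_exponent
        self.sid = self.key = self.last_signature = None

    def login(self, server: DirectoryServer, now: float) -> bool:
        """The only step the user takes part in (the password exchange is not modeled)."""
        sid, nonce = server.begin_login(self.dn)
        self.last_signature = rsa_sign(self.d, sid, nonce, self.dn.encode())
        key = server.complete_login(sid, self.last_signature, now)
        if key is None:
            return False
        self.sid, self.key = sid, key
        return True

    def request(self, server: DirectoryServer, service: str, now: float) -> str | None:
        """Transparent re-authentication: prove possession of the session key."""
        mac = hmac.new(self.key, self.sid + service.encode(), "sha256").digest()
        return server.authenticate_request(self.sid, service, mac, now)


def demo() -> dict[str, bool]:
    """Constructed walk-through; every value should come out True."""
    server = DirectoryServer(lifetime=3600)
    dn = "CN=jdoe.OU=Eng.O=Acme"
    server.public_keys[dn] = E                      # public-key attribute on the User object
    user, t0 = Client(dn, D), 1_000_000.0
    out = {"login": user.login(server, t0)}
    out["printer"] = user.request(server, "CN=LaserJet.OU=Eng.O=Acme", t0 + 10) == dn
    sid2, _ = server.begin_login(dn)                # captured signature replayed into a new session
    out["replay_rejected"] = server.complete_login(sid2, user.last_signature, t0 + 20) is None
    out["impostor_rejected"] = not Client(dn, 12345).login(server, t0 + 30)
    out["expired_rejected"] = user.request(server, "CN=Files.OU=Eng.O=Acme", t0 + 4000) is None
    return out


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:18} {'ok' if ok else 'FAILED'}")
```

The replay check is the point of "session-oriented": because the signature covers the server's fresh session id and nonce, a signature captured from one login proves nothing in the next one, and the session key that services check afterwards is never seen by the user at all.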
Fault Tolerant and Accessible
NDS is a fully distributed and
replicated database. But why should that matter to you? By segmenting the
NDS database into manageable pieces (partitioning) and distributing it
across the network (replicating) fault tolerance is achieved. In addition,
NDS data can be placed close to your users who need it, thereby providing
optimal performance when you access the network.
NDS partitions are copied, or replicated, across the network as many times as
necessary. If the master replica of a partition is lost, the network continues
with the other replicas of that partition. This dynamic directory increases
your network's reliability and lets you build a system in which a server
failure, server maintenance or the temporary loss of a communications link does
not affect your users. The benefit of a constantly available network, and of
being able to recover from a disaster, can be immeasurable in today's networks.
Customizable
The structure of a directory tree is regulated by the directory schema, a set
of rules that defines how the tree is structured: which object classes can be
defined, which attributes can be associated with each class, which properties
objects inherit, and where in the tree objects may be placed. For example, the
user object can be extended to include a social security number or an
emergency contact name and telephone number. You could also add third-party
services such as fax server functionality to the network by adding a fax server
object class and application to the directory tree.
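As an added example (not NDS's schema definition format or Novell code), the following Python encodes a small schema as rules of the kind just listed: which attributes a class requires and permits, which container classes it may be created under, and inheritance from a superclass. It then extends the User class with site-specific attributes and registers a FaxServer class the way an add-on product might. All class and attribute names (Top, Organization, User, FaxServer, emergencyContact, hostServer) are assumptions of the example.

```python
"""A small directory schema: per-class attribute and containment rules, plus
schema extension for site-specific attributes and third-party object classes.

Added illustration, not NDS's schema format or Novell code.  Every class and
attribute name below is assumed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ObjectClass:
    name: str
    superclass: str | None = None
    mandatory: set[str] = field(default_factory=set)
    optional: set[str] = field(default_factory=set)
    containers: set[str] = field(default_factory=set)   # classes this one may be created under
    is_container: bool = False


class Schema:
    def __init__(self) -> None:
        self.classes: dict[str, ObjectClass] = {}

    def define(self, cls: ObjectClass) -> None:
        if cls.superclass and cls.superclass not in self.classes:
            raise ValueError(f"unknown superclass {cls.superclass}")
        self.classes[cls.name] = cls

    def extend(self, name: str, *attrs: str) -> None:
        """Add optional attributes to an existing class; subclasses inherit them."""
        self.classes[name].optional.update(attrs)

    def _chain(self, name: str | None):
        """Yield the class and its superclasses up to the root."""
        while name:
            cls = self.classes[name]
            yield cls
            name = cls.superclass

    def validate(self, object_class: str, attrs: dict[str, str], parent_class: str) -> list[str]:
        """Return the rule violations for creating this object (empty list: well formed)."""
        if object_class not in self.classes:
            return [f"unknown class {object_class}"]
        mand, opt, containers = set(), set(), set()
        for cls in self._chain(object_class):
            mand |= cls.mandatory
            opt |= cls.optional
            containers |= cls.containers
        problems = []
        if parent_class not in containers:
            problems.append(f"{object_class} may not be created under {parent_class}")
        present = set(attrs)
        for a in sorted(mand - present):
            problems.append(f"missing mandatory attribute {a}")
        for a in sorted(present - mand - opt):
            problems.append(f"attribute {a} not permitted on {object_class}")
        return problems


def base_schema() -> Schema:
    """Constructed base schema with a handful of classes (names are assumed)."""
    s = Schema()
    s.define(ObjectClass("Top"))
    s.define(ObjectClass("Organization", "Top", {"O"}, {"description"}, {"Top"}, True))
    s.define(ObjectClass("OrganizationalUnit", "Top", {"OU"}, {"description"},
                         {"Organization", "OrganizationalUnit"}, True))
    s.define(ObjectClass("User", "Top", {"CN", "surname"}, {"telephoneNumber", "title"},
                         {"Organization", "OrganizationalUnit"}))
    return s


def demo() -> dict[str, list[str]]:
    s = base_schema()
    user = {"CN": "jdoe", "surname": "Doe", "emergencyContact": "Jane Doe 555-0100"}
    out = {"before_extension": s.validate("User", user, "OrganizationalUnit")}
    s.extend("User", "emergencyContact", "socialSecurityNumber")   # site-specific attributes
    out["after_extension"] = s.validate("User", user, "OrganizationalUnit")
    # A third-party fax product registers its own object class.
    s.define(ObjectClass("FaxServer", "Top", {"CN", "hostServer"}, {"faxNumber"},
                         {"Organization", "OrganizationalUnit"}))
    fax = {"CN": "FAX1", "hostServer": "CN=SRV1.OU=Eng.O=Acme", "faxNumber": "555-0199"}
    out["fax_ok"] = s.validate("FaxServer", fax, "OrganizationalUnit")
    out["fax_misplaced"] = s.validate("FaxServer", fax, "User")     # a leaf cannot contain objects
    out["user_missing_surname"] = s.validate("User", {"CN": "x"}, "Organization")
    return out


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case:22} {problems or 'ok'}")
```

Before the extension the emergency-contact attribute is rejected; after it the same object is accepted, and the fax class is accepted under a container but refused under a User object, which is how containment rules keep the tree shaped the way the schema says.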
Scaleable
You can customize NDS for any
size and type of network. Even if you were to merge with another company
and continue to grow in the future, NDS will easily accommodate your growth.
Adding new resources is as simple as a point-and-click of the mouse. And
because NDS has such powerful replication you get a network with unlimited
scalability.
NDS-Enabled Network Services
Novell Application Launcher
The Novell Application Launcher
works together with NDS to simplify your network applications management
by allowing you to centrally manage users' Windows desktops. You can install
new network applications or upgrade existing applications and have the
application icons dynamically appear on users' Windows desktops. Novell
Application Launcher also makes it easier for the user to be location independent.
Because Novell Application Launcher knows what applications and other resources
you need to work, you can log on anywhere on the network and get the same
access to what you need, whether the machine you log on from is yours or a
co-worker's.
The Novell Application Launcher
uses the NDS-based NWAdmin utility giving you the ability to create NDS
objects that represent network-based applications. These objects contain
information about the physical location of network-based applications and
which users you authorize to use those applications.
Without leaving your workstation,
you can deploy applications to users' desktops across the network thus
making software distribution easier and quicker. You no longer have to
visit each user's workstation to install applications.
LDAP Services for NDS
A group of people at the University of Michigan realized that if they reduced
the overhead of the X.500 Directory Access Protocol (DAP), they could retrieve
the same directory information faster and with smaller clients. They named the
new protocol the Lightweight Directory Access Protocol (LDAP, RFC 1777). LDAP
Services for NDS v1 lets you easily publish your organization's information to
your intranet and to the Internet while still controlling, through NDS, who
can access that information.
The most familiar examples of LDAP-enabled applications are web browsers such
as Netscape's Communicator and Microsoft's Internet Explorer. Because
LDAP-enabled applications are readily available, you can publish information
from your corporate directory to virtually anyone.
The name Lightweight Directory Access Protocol suggests that there is a
directory behind it to access, right? That is where NDS comes in, providing
the world's best LDAP directory available.
RADIUS Services for NDS
RADIUS Services for NDS v1 brings the power of NDS to managing the physical,
or hardware, level of your network: modem banks, access routers and access
servers. Remote Authentication Dial-In User Service (RADIUS) is an emerging
Internet Engineering Task Force (IETF) standard that has been adopted by
Novell and many leading dial-in and router hardware vendors.
With RADIUS Services for NDS, NDS becomes the only user database needed, for
remote access servers as well as for the rest of the network. It provides a
centralized point of authentication (verifying user name and password) and of
authorization to access or administer network resources.
Built Upon Standards
NDS and X.500
NDS is a full-function directory service that is based on the X.500
international standard. The International Organization for Standardization
(ISO) and the Consultative Committee for International Telegraphy and
Telephony (CCITT) created X.500 to provide standards for a truly
interoperable, distributed, worldwide directory service. In fact, Sara
Radicati, founder of the Radicati Group, a directory services consultancy,
states in her book X.500 Directory Services: Technology and Deployment:
"NDS uses the exact X.500 design specification for the naming model, directory
database, and the server to server operations. Yes, all of the features and
functions described in the X.500 standard are implemented in NDS. NDS,
however, provides significant functionality beyond the X.500 specification,
providing a complete networking infrastructure that links users to network
services, applications and data."
Although NDS is very closely aligned with X.500, there are some differences
between the two, and they lie in the protocols NDS uses, not in the
architecture. Novell chose to implement lighter-weight protocols instead of
the heavyweight Open Systems Interconnection (OSI) protocol stack that X.500
specifies. Because the differences are in the protocols only, it is easy to
provide interoperability solutions that let NDS and X.500 fully interoperate.
It is also worth noting that because NDS is based on X.500 and LDAP is derived
from the X.500 Directory Access Protocol (DAP), NDS and LDAP are a natural fit
through their common lineage.
Conclusion
We are not yet at a network that is invisible to the user and manages itself,
but the goal is in sight with the new focus on directory services. The "world
of me", where everything is accessible and where you manage and collaborate
freely with others, is the direct result of an integrated directory service.
All of the benefits derived from an NDS-enabled network simplify your life,
save you money and create an environment for the future of distributed
computing.