Which directory offers the best LDAP server?

Directory Services www.novell.com

WHITE PAPER

Table of contents

eBUSINESS-READY LDAP DIRECTORY SERVICE

WHICH DIRECTORY OFFERS THE BEST LDAP SERVER?

THE LDAP LINEUP

THE eDIRECTORY ADVANTAGE

NOVELL DEVELOPMENT PARTNER COOL SOLUTIONS

eDIRECTORY: THE RIGHT CHOICE FOR LDAP

AN eBUSINESS-READY LDAP DIRECTORY SERVICE

You need an LDAP directory, you really need one, but not just any LDAP directory. You need an enterprise-class, eBusiness-ready LDAP directory service with a rich feature set and superior developer support—and it'd be nice if it ran on your existing platforms...all of your existing platforms.

Novell® NDS® eDirectory™ is that directory.

Featuring a native implementation of LDAP, eDirectory runs on virtually every major commercial platform. It is scalable and secure. You can develop to it with Java™, ActiveX*, C/C++ or scripting interfaces with confidence that your code will conform to the latest standards. And you don't have to write separate applications for all those platforms you currently support.

WHICH DIRECTORY OFFERS THE BEST LDAP SERVER?

Actually, we've saved you the trouble and done the comparison for you—all you have to do is read on.

NDS eDirectory has been awarded the directory service "Product of the Year" honor by Network Magazine, a leading networking focused publication, marking the third year in a row that an NDS product has taken this prize, but this award is just the latest in the list of industry honors received by NDS products in the last several years from Network Computing, Information Week, Network World and other internationally recognized organizations.

So, if you need a flexible and scalable LDAP directory—and you know you do—when you compare the other directory products, we're sure you'll decide that there is nothing that really competes with NDS eDirectory. But don't take our word for it, look at the competition and compare the features.

THE LDAP LINEUP

LDAP Rocks! The Lightweight Directory Access Protocol (LDAP) was created by a group of protocol engineers at the University of Michigan as an easy to implement method of accessing X.500 directories over TCP/IP. LDAP has quickly become the de facto directory access standard for -ready user management and e-commerce solutions.

LDAP is widely implemented; every major directory supports LDAP, while LDAP clients are ubiquitous (Web browsers, for example). There are even LDAP-only directory servers. Unfortunately, each vendor's LDAP directory provides differing functionality using varying methods.

The X.500 specifications—the industry standard for directories—describe a massively scalable directory service designed to serve in highly distributed environments. These standards define distributed operations, methods of inter-server communication, data management methods, and describe a mechanism for providing secure access to the directory. X.500 was originally developed as a means of creating an international "White Pages" with many independent entities owning their own data, and yet having the totality of the information appear as a unified tree to users. X.500 defines a general-purpose directory design and is easily extensible to allow for ongoing enhancements.

Then there were the directories; Novell Directory Services®, Banyan* StreetTalk*, NT domains, and, more recently, *. Because they have had an easily available user base, many developers have written applications using them and vendors have developed many tools to simplify usage. Consider the number of available products leveraging NDS, or Windows NT* Domains, both of which have been around long enough to build up market share.

We're going to look at a number of directory products; LDAP-only, network operating system, and X.500-based directory services. You will be able to see how the architectural foundation and primary intended function of the directory has influenced the resulting directory service.

iPlanet

iPlanet* Directory Server is an LDAP-only server designed for user authentication and management in e-commerce, extranet and intranet implementations. iPlanet is the foundation for a suite of e-commerce products delivered by the Sun-Netscape alliance. Sun has recently acquired Innosoft and is incorporating their directory products, including an LDAP proxy server, into the iPlanet line.

Functional aspects

iPlanet was created at Netscape by core members of the team that built the University of Michigan Standalone LDAP Server (SLAPD). It is a fully LDAP-compliant directory capable of using its own datastore or plugging into a relational database. The just released version 5 has supposedly undergone a complete re-design to improve scalability, performance and availability.

Scalability—iPlanet v5 claims "virtually unlimited scalability" in press releases, but claims only "over 50 million entries per server" (version 4 supported 50 million objects per server) in its specifications. This version introduces finer-grained partitioning so that the tree may be spread among more servers, hopefully improving scalability as well as performance. iPlanet also provides APIs that enable plugging in a relational database, such as Oracle*, as the data storage system, extending scalability and reliability, but most likely reducing performance.

Replication—iPlanet v5 introduces a multi-master model (actually a dual-master) which is, essentially a primary master and a backup master. Should the primary be unavailable, the secondary takes over. Once the primary is back on line, it's updated by the former secondary then reasserts its primacy. Replication is done via LDAP, and is not automatic—replication agreement must be manually created for each pair of servers that will be involved in replication.

Replication granularity—iPlanet v5 introduces flexible partitioning of the directory tree, allowing sub-trees to be distributed among multiple directory servers. No finer replication filtering capabilities (such as object or attribute replication filters) exist.

Synchronization—Updates are done via changelog files resulting in possible unneeded data being sent during the replication process. For example, if several changes are made to the same object, rather than sending only the net changes, directories using changelog style synchronization will send all of the interim changes as well.

Directory Tools—iPlanet includes limited tools, including a Java administration console that allows delegation of administration only at the host, server, or task level, although v5 does introduce the concept of nested roles to improve delegation. The NT Domain Synchronization tool which was a part of version 4 is no longer available in v5. Netscape Communicator* is not only the primary client for iPlanet, it is also used for LDIF import operations.

Technical aspects

The iPlanet directory server is an LDAP-only directory server that provides a high level of overall performance and manageability. iPlanet support for LDAP v.3 is comprehensive.

X.500 compliance—iPlanet does not support any significant portions of the X.500 standards beyond those mandated by LDAP. iPlanet does not provide automatic server discovery or knowledge reference creation, relying upon manual construction of knowledge references between directory servers.

LDAP support—As iPlanet is an LDAP-only directory server, it provides comprehensive support for LDAP v. 3 including extensions such as virtual list views, persistent search, and server-side sorting.

LDIF—LDIF support for importing and exporting directory information is provided. Version 5 introduces LDIF support for schema modifications.

Security—iPlanet supports LDAP over SSL, X.509 certificates, the FIPS-140 cipher suite, and user-defined mechanisms such as via the Simple Authentication and Security Layer (SASL). PKCS#11 is supported for hardware accelerated SSL. While there is a certificate management product available as part of the iPlanet product line, it is not free. User authentication is provided through user ID/password, X.509v3 public-key certificates, or administrator-defined method. Version 5 also introduces support for digest MD5 authentication.

DNS Integration/Federation—Support for DNS naming via DC objects (RFC 2247) is introduced in iPlanet version 5. DNS SRV records are not used for directory server location.

Developer Outlook

The iPlanet Developer site includes SDKs and substantial programming resources in the form of documentation, newsgroups, tools, code samples, TechNotes, whitepapers, and iPlanet server downloads.

Interfaces—iPlanet programmatic interfaces include C, Java, JavaScript*, Perl, and HTML via an HTML Gateway. Custom connectors to external data sources can be developed with PerlLDAP.

Software Developer Kit—There are free downloadable Netscape* Directory SDKs for C and Java, as well as Perl LDAP for Solaris* and Windows NT only. Sun has recently announced the availability of an iPlanet Developer Pack and Java 2 Enterprise Edition (J2EE) Component Library (which costs $1295 per developer).

Developer Support—The iPlanet developer community offers support via newsgroups, FAQs, and a newsletter. Although there is no free support, fee-based support is available at a reduced price ($150 v. $300) for community members.

3rd Party—iPlanet is being integrated into a wide variety of business solutions including online wireless, billing, selling, procurement, trading, communication services, and open digital marketplaces.

Business perspective

iPlanet is designed for use outside the corporate firewall as an Internet-based server. With its lack of back-end features, it is most appropriate for Internet directory deployments, but not designed for enterprise network management, or large-scale distributed directory applications.

Market Acceptance—Sun claims 70% of the LDAP-only directory market with 330 million licenses worldwide.

Supported Platforms—Sun* Solaris 2.6 for SPARC, Sun Solaris 8 for SPARC, Hewlett Packard* HP-UX* 11.0, IBM* AIX* 4.3.3 (PowerPC), * Windows* NT 4 Server (x86 only), and Microsoft Server. HP has bundled iPlanet with HP-UX.

Consulting—The Sun/Netscape Alliance provides (for a fee) iPlanet Professional Services to work with your business on all phases of directory-enabling your internet and e-commerce operations, including planning, integration, deployment, and maintenance.

Cost—The list price for iPlanet server is $995 (with 100 client licenses), additional licenses are 10 for $100 ($10 per CAL). You should also consider the cost of ancillary products like the certificate server, and relatively expensive development tools like the J2EE components.

SecureWay

IBM's SecureWay* Directory is an LDAP-only product designed for Internet user management and e-commerce operations. SecureWay directory is a component of many IBM products including WebSphere*, SecureWay On-Demand Server, OS/390*, OS/400*, and AIX.

Functional aspects

SecureWay is an SLAPD-based directory service using IBM's DB/2 database as the data store. It requires the presence of an SSL-enabled Web server on the network. Some basic functionality, such as referrals between directory servers, requires manual configuration.

Scalability—SecureWay is capable of managing up to 4 billion entries in a single tree.

Replication—SecureWay uses a single-master replication model and replication relationships must be manually configured. Only direct replication operations are supported—not cascaded replication (where a replica serves as the source for another replica).

Replication granularity—Selective replication by attribute or subtree is not supported.

Synchronization—SecureWay uses changelog files for synchronization processes.

Directory Tools—SecureWay provides multiple administrative tools, each with a limited scope of functionality. DSA configuration is done via WebAdmin, a Web-based interface, while management of directory information uses a Java-based Directory Management Tool (DMT). SecureWay has multiple LDIF tools that create LDIF files from standard input, translate data to and from relational databases, and perform bulkloading tasks, although bulkload operations require downing the server. Directory administration can be delegated down to the attribute level.

Technical aspects

The SecureWay directory server is an LDAP-only directory server based on SLAPD. While its support for LDAP, LDIF, and the security protocols is comprehensive, it doesn't provide full X.500 functionality.

X.500 compliance—SecureWay doesn't implement the X.500 standards beyond those used by LDAP.

LDAP support—LDAP v. 3 is fully supported, as is directory browsing via HTTP.

LDIF—Basic LDIF support for LDIF-based data import, export and bulkload operations is provided.

Security—SASL, Kerberos, CRAM MD-5, GSSAPI, and SSL are supported, although SSL requires installing GSKIT on the SecureWay server. Password authentication can also use SHA, crypt, or imask. Audit logging is supported.

DNS Integration/Federation—IBM provides comprehensive information on configuring DNS service (SRV) records for locating SecureWay servers.

Developer Outlook

SecureWay developer resources are provided in client SDKs and references documenting directory access using popular programming languages.

Interfaces—SecureWay allows programmatic access via C, Java 1.2, JNDI, ODBC, SQL, and browsing via HTTP.

Software Developer Kit—Client and server SDKs in C and JNDI for Windows NT, AIX, Solaris, and HP-UX are available from IBM. Plug-in developer kits allow extension of directory functionality for database-related, auditing, and LDAP operations.

Developer Support—In addition to an online technical database, SecureWay developer support is provided via newsgroups, newsletters, online documentation, as well as support downloads.

3rd Party—IBM has formed partnerships with companies such as Bowstreet, Lucent, Aventail, and RadiantLogic to develop applications that leverage the SecureWay directory.

Business perspective

SecureWay leverages the wide acceptance of LDAP, plus their installed DB/2 customer base, to provide an LDAP directory server on traditional IBM platforms (currently free) as well as most leading competitors.

Market acceptance—While holding no significant market percentage yet, SecureWay partnerships are establishing the foundations leading to an increasing market share.

Supported Platforms—AIX, OS/390, OS/400, Solaris, Windows NT 4 Server, and Windows 2000 Server. A * version is in beta.

Consulting—Consulting support for implementing IBM directory solutions is provided by the IBM Software Services teams, offering comprehensive assistance in planning, design, and deployment.

Cost—IBM provides SecureWay as a no-charge download.

OpenLDAP

OpenLDAP is a collection of open source LDAP components developed as a project of the OpenLDAP Foundation, and based on the University of Michigan's stand-alone LDAP server (SLAPD). OpenLDAP also includes a SLURPD stand-alone LDAP replication server, the LDAPD LDAP-to-X.500 gateway, utilities, tools, clients, and developer-contributed packages. As a directory product, OpenLDAP has a very high geek factor—if you recompile your operating system kernel for fun, you will probably find it rather amusing.

Functional aspects

server is provided as source code and must be compiled for the specific installation environment before it is usable. OpenLDAP links to other SLAPD servers via manually configured referral entries (akin to X.500 knowledge references). OpenLDAP's no cost software and low hardware requirements make it a good selection if you are forced to deploy a directory service with nominal expenditures.

Replication—OpenLDAP uses single master replication. Replication services for OpenLDAP are provided by the SLURPD stand-alone LDAP replication server which provides replication services via the LDAP protocol to update replicas. SLAPD supports replication to X.500 directories via LDAPD, which functions as a gateway to the X.500 DSA. Initial database population can be accomplished via LDAP or via the LDIF2LDBM directory loading tool.

Replication granularity—SLAPD and SLURPD don't allow selective replication.

Synchronization—OpenLDAP can generate replication logfiles, writing the file in a variant of the LDIF format. SLURPD uses these replication logs as a changelog file for synchronization operations.

Directory Tools—OpenLDAP comes with command line tools for viewing the directory database, converting data to LDIF format, importing LDIF, and creating indexes.

Technical aspects

OpenLDAP support for the LDAP standards is version dependent, in that OpenLDAP 1.x doesn't support LDAP v.3 (provided in version 2.0). Likewise, the support for industry standard security protocols is nominal in OpenLDAP 1.x, and only supports all three (SASL, Kerberos, SSL) in version 2.0.

X.500 compliance—Supports only the portions of X.500 that LDAP incorporates, such as the X.500 naming conventions.

LDAP support—OpenLDAP 1.x supports LDAPv2+ (adhering to RFC 1777 with U-Mich extensions). OpenLDAP 2.0 will provide LDAPv3 support. OpenLDAP 1.x doesn't allow changes to the schema via LDAP. Adding new object class definitions or changing existing ones in the slapd.conf or local schema file is how schema changes are accomplished with OpenLDAP.

LDIF—Supports LDIF only for import of directory content.

Security—SLAPD supports MIT's Kerberos 4 for authentication, though it may not be supported by default in the distribution build code and may thus require specific configuration prior to build. In OpenLDAP 2.0, strong authentication is provided via SASL. Linux OpenLDAP packages for RedHat* and TurboLinux* with Kerberos, SSL, SASL support enabled are available. There is a degree of support for TLS/SSL in OpenLDAP 2.0, yet you have to rebuild OpenLDAP specifying TLS support.

DNS Integration/Federation—There is no explicit support for using the DNS in conjunction with OpenLDAP.

Developer Outlook

If you want to help develop a directory server, rather than applications for a directory server, OpenLDAP is a likely playground for you. Developers working on the OpenLDAP project contribute functionality beyond that provided in the base set. If, however, you need to develop enterprise-class applications that use a directory service, it may not be the best choice.

Interfaces—SLAPD communicates between its frontend LDAP services and backend database management via a well-defined C API, allowing for flexible SLAPD extensions. Members of the OpenLDAP developers community have contributed other interfaces such as TCL scripting.

Software Developer Kit—OpenLDAP includes an LDAP Software Development Kit (SDK). A number of programmable database modules are provided, allowing developers to integrate external data sources via common programming languages such as PERL, Shell, SQL, and TCL.

Developer Support—There is a community of developers who work on the OpenLDAP project, developing a range of functionality within the OpenLDAP product.

3rd Party—While there is an ever-growing group of applications which can talk to any LDAP server, there are no known applications built specifically for the OpenLDAP directory server product.

Business perspective

The free OpenLDAP directory server is advantageous to universities, students, researchers, and users needing an LDAP server to develop to, yet for most companies it doesn't present a viable off-the-shelf directory solution.

Market acceptance—Nominal—used at the University of Michigan, but there is no visible commercial market penetration.

Supported Platforms—Source code is available for the BeOS, Compaq* (Digital) * (OSF/1), Data General DGuX, FreeBSD, Hewlett Packard HP-UX, IBM AIX, Linux, (NT/98/95), OpenBSD, Silicon Graphics IRIX, Solaris, and Sun Microsystems SunOS. Packaged versions of OpenLDAP are available for Debian GNU/Linux, FreeBSD, NetBSD, and Linux.

Consulting—The OpenLDAP site has a job board for people who have worked with OpenLDAP to advertise their consulting and technical services.

Cost—OpenLDAP is available for free.

Active Directory

Active Directory (AD), Microsoft's initial foray into the directory service market is still in its first revision. Active Directory is a hybrid of the NT 4 domain model, DNS, and LDAP with multiple proprietary aspects. If you are familiar with eDirectory (or other X.500-based directory services), you will note substantial differences in the AD design and operations.

Functional aspects

The complexity of Active Directory deserves special mention, and requires just a bit of explanation. Microsoft chose to maintain the older NT domain model directly in AD, and integrated it with the DNS location service functionality. An NT domain maps to a DNS domain, meaning the top level of the AD tree must be congruent with the DNS domain hierarchy. To allow for more than one DNS domain hierarchy, Microsoft created a top level container called the forest that provides multi-tree functionality, but also presents operational constrictions, contingencies, and issues.

The choice to support the old NT domain architecture creates some interesting limitations—the domain boundary is the only point of partitioning the DIB and is a security boundary for administrative rights. This lack of flexibility can make it difficult to design and administer AD the way that you want to.

In addition, Active Directory has two operating modes which supply different levels of functionality:

• Mixed-mode—AD must operate in mixed-mode while there are any down-level Domain Controllers (DC) on the network. AD has limitations in mixed-mode, some groups are not available limiting security functionality and complicating administration. Microsoft has created new groups to facilitate network management, but they are not available while AD is operating in mixed-mode. Nested groups, another feature designed to streamline security administration are also prohibited in mixed-mode.

• Native-mode—When only Windows 2000 domain controllers (DC) are present on the network, native-mode can be employed providing access to all AD functionality. This state, however, is not likely to be attained by most enterprises soon after AD deployment, as there will be many NT 4 DCs on the network. Once AD has been switched to native-mode, there is no going back to mixed-mode and no backward compatibility for NT 4 DCs.

Scalability—Active Directory is capable of supporting multiple trees each containing millions of objects.

Replication—While Active Directory does provide multi-master replication, partitioning and replica assignment in AD is inflexible. Partitions are created automatically on domain boundaries and cannot be created anywhere else. A DC must hold a replica and can only hold one replica: a replica of the domain of which it is a member.

Replication granularity—AD has no filtered replication capabilities.

Synchronization—AD doesn't employ X.500 replication, but rather uses proprietary synchronization routines based on sites (a technology derived from their Exchange mail application) requiring site configuration and management. Certain synchronization issues arise with Microsoft's use of multi-valued attributes to identify group membership, resulting in possible update conflicts and loss of group update information.

Directory Tools—Most AD management is done via the Microsoft Management Console (MMC), which uses snap-in modules to provide administrative access in Windows 2000. The MMC, however, does not supply integrated AD management, as many snap-ins are needed just to manage the directory itself. Some additional Active Directory tools are provided, such as the Active Directory Migration Tool. There are also tools available via secondary products such as the Microsoft Windows 2000 Server Resource Kit.

Technical aspects

Active Directory's support for LDAP v.2 and v.3 supplies an industry standard access methodology to the directory service repository and operations. Active Directory supports a range of programming interfaces and developer tools, and much of the programming information and some tools are provided for free.

X.500 compliance—Active Directory doesn't adhere to X.500 standard beyond that which is required for LDAP support, deviating from the standards for things like naming, security, and DIB management. Object names must be unique within the entire domain, not just the OU, complicating user management. OUs are not security principals in AD, preventing administration and security by OU and requiring that access control be managed via groups thus complicating administration, especially with large and dynamic directories. Additionally, locking partition boundaries to domains hinders DIB management.

LDAP support—AD fully supports LDAP v.3 but AD design presents some limitations for LDAP functionality. LDAP is unaware of the AD concept of forests and thus, for example, searches can't traverse the forest and are limited to a single AD tree.

LDIF support—AD can use LDIF for importing and exporting directory data as well as performing schema updates.

Security—Active Directory does provide support for SSL/PCT, SASL, and X.509 PK certificate management, and uses Kerberos for authentication, yet lack of interoperability between different vendors' Kerberos and PKI implementations are ongoing issues. Microsoft implements Kerberos using a proprietary Privilege Access Certificate in its Kerberos tickets, preventing interoperability with other vendors adhering to the Kerberos 5 standard. In addition, in Active Directory there is a lack of tree-wide delegation of administrative rights, and no dynamic rights inheritance.

DNS Integration/Federation—AD relies on DNS as its location service and uses DNS SRV records to support this functionality. AD requires that the top of the AD tree be congruent with a DNS domain. While the DNS support is nice, the dependency on DNS can also be problematic:

• Even small businesses must set up DNS services in order to use Active Directory, and if DNS is not configured perfectly, AD will not install or function correctly.

• The DNS servers on the network must support Dynamic DNS (DDNS), and AD has complicated DNS records beyond readability, making DNS support labyrinthine and problematic.

Additionally, Active Directory servers configured with more than 51 IP addresses will fail, preventing management of users and access to resources.

Developer Outlook

Microsoft provides a robust development environment, supplying lots of developer tools for the Windows environment, yet Microsoft's development environment is shifting to their new .NET paradigm, changing the development languages and tools, and focusing on the development of all Windows applications as Web services. This fundamental shift from their traditional Win32 environment leaves developers uncertain about the future of application development for the Windows platform.

Technical issues also add complexity to application development. For example, the AD restrictions on security principals mean that, since applications cannot be granted access rights directly, a User account must be created for the application. This creates an additional layer of administration and complicates the process of directory-enabling applications.

Interfaces—Active Directory Service Interfaces (ADSI) is a set of COM interfaces which use an LDAP provider to talk to Active Directory. The MAPI interface is also supported for application compatibility, as is the Security Account Manager (SAM) API for down-level NT DCs and clients. Additionally, support is provided for Visual Basic, Perl, JavaScript, WSH environment, and the LDAP C API.

Software Developer Kit—Microsoft recommends developing for Active Directory using the ADSI SDK, and also provides directory access in their development language products.

Developer Support—Microsoft provides detailed information resources via the Microsoft Developer Network, TechNet, as well as extensive online access to development information and tools.

3rd Party—Products designed to take advantage of Active Directory are just starting to ship and this will probably help boost the overall adoption rate. While thousands of applications will probably run on Windows 2000 eventually, at this point fewer than 70 applications have been certified for Windows 2000 from a total of 45 vendors.

Business perspective

Microsoft's Active Directory is specifically designed to enhance and extend the management and functionality of existing NT networks in an enterprise environment. For enterprises vested in Windows NT networks and clients, Active Directory allows corporate IT to enhance network functionality, ease NT domain management, and improve user access to network resources. Active Directory is not a generic LDAP directory server, nor is it optimized to provide LDAP services in an e-commerce environment. Its focus is on inside-the-firewall Windows provisioning, user management, and corporate network resource control.

Market acceptance—Due to the inherent complexity of migrating existing NT networks to Active Directory, market acceptance of Active Directory has been somewhat slow. In the year after release of Windows 2000, research from IDC reflects that only about one-third of the shipped copies of Windows NT and 2000 combined were Windows 2000 (and most of those were Windows 2000 Professional), indicating a slow adoption rate of Windows 2000 Server and Active Directory. According to Gartner Group "only about 3% of the NT server installed base was converted to Win 2000 last year", and a Giga survey found that for companies who have installed Windows 2000 Server "...only 10 percent to 15 percent of those have used Active Directory".

Supported Platforms—Active Directory runs only on the Windows 2000 Server platform, and client platforms are limited to Windows-based clients. This single-platform approach to a directory service limits its applicability to heterogeneous enterprise networks, and restricts the flexibility of networks centered on Active Directory.

Consulting—Microsoft Consulting Services does provide extensive Active Directory support, and while there are many 3rd Party consultants familiar with Windows NT and 2000, fewer have extensive experience with planning, designing, and implementing Active Directory.

Cost—Active Directory is only available as part of Windows 2000 Server, thus every AD server requires a copy of Windows 2000 Server costing $1199 ($3999 for Advanced Server) with 10 user licenses and $40 per additional CAL. Yet because an AD server can only hold a single replica, every replica requires its own standalone server (as opposed to, say, eDirectory which allows 250 replicas per server).

Critical Path InJoin and LiveContent DIRECTORY

LiveContent DIRECTORY was created by PeerLogic, which was recently acquired by Critical Path who also makes the InJoin* (formerly called Global Directory Server) directory service product. Critical Path is incorporating LiveContent into its InJoin directory product line.

Note: Because these products are so similar, and from the same vendor, we are evaluating them together. In the few instances where they are not functionally identical, the differences are noted.

Functional aspects

Both InJoin and LiveContent supply scalable X.500 distributed directory operations, and while they use different replication and synchronization methods, they provide equivalent degrees of directory functionality. While they are both powerful directory service implementations, complexity is a factor.

Scalability—InJoin and LiveContent are both highly scalable directory products capable of maintaining 20 million directory entries per DSA with sustained access rates of 100 reads per second for read and search operations.

Replication—Both directories support X.500-based single-master replication via primary and secondary shadowing mechanisms, but do not support multi-master replication. Shadow relationships are manually established via administration tools.

Replication granularity—The replication mechanisms support filtering down to the attribute level.

Synchronization—These products differ in their approach to synchronization of directory content.

• LiveContent Synchronization—Automatic synchronization is supplied via modification log (i.e. change logs), and synchronization APIs are also supported.

• InJoin Synchronization—Synchronization is performed in a transactional two-phase commit process that allows roll-back/roll-forward of directory changes.

Directory Tools—Each of these directory services provides its own set of tools for administration and interoperability.

• LiveContent Tools—Administration tools include Directory Administration Center (DAC), essentially a Windows NT only DUA that uses a standard Winsock interface. DAC allows administration of local and remote DSAs. The DAC environment also supports X/Open's XDS & XOM APIs. Platform-neutral, single point of administration is supported via iCon, a Web browser based administration tool. LiveContent DIRECTORY includes a command-line scripting language for import of schema and content.

• InJoin Tools—Directory Navigator is InJoin's management console providing centralized administration of the directory. Single point of administration capability is also supported via browser client.

Technical aspects

These directories are fully X.500-compliant directory services, supporting standards and operations as delineated in the 1993 X.500 specifications, as well as the LDAP v.3 standards.

X.500 compliance—InJoin and LiveContent fully adhere to the 1993 X.500 standards supporting all the administrative, information, functional, security, and DSA models as well as X.500
protocols including DAP, DSP, and DISP. All X.500 functionality is provided, including such useful features as chaining and referral mechanisms for query resolution, dynamic schema configuration, subtree pruning and grafting, and collective attributes.

LDAP support—Both InJoin and LiveContent fully support LDAP v.3 including all standard LDAP operations, and they provide support for LDAP v3 process handling including paged results for LDAP queries, debugging, tracing, logging, alerts, and statistics.

LDIF—InJoin and LiveContent support the import and export of directory schema and content information via LDIF.

Security—Security in both of these directory services is implemented in adherence with the X.500 standards, supplying hierarchical delegation of security administration, access control, and configurable strong authentication. SASL and X.509 security mechanisms are provided.

• LiveContent Security—TLS and SSL security are supported via the LiveContent DIRECTORY TLS Adaptor API. LiveContent DIRECTORY also supports a proprietary Crypto Adaptor API (via proprietary LiveContent DIRECTORY API) which operates as a security module handler.

• InJoin Security—InJoin Directory provides comprehensive directory-wide user access controls, and native support for SSL/TLS and data encryption. Note: SSL is supported only on Windows NT 4 and Sun Solaris 2.6.

DNS Integration/Federation—The DNS namespace and functions are not included nor integrated into either InJoin directory, nor the LiveContent DIRECTORY product or operations.

Developer Outlook

Administration tools for these products supply the needed ability to manage the distributed set of directory servers, and support the import and export of directory content.

Interfaces

Both LiveContent and InJoin natively support DAP and LDAP user agents (with full v.2 and v.3 APIs), and directory client access via HTTP to Netscape Navigator and Microsoft Internet Explorer browsers.

• LiveContent Interfaces—Supported APIs include the LDAP C API, X/Open Directory Services (XDS), and a LiveContent DIRECTORY Proprietary API. The XDS implementation includes support for the X/Open OSI-Abstract-Data Manipulation (XOM) API, as well as X/Open specified packages Basic Directory Contents Package and MHS Directory User Package. iGateway, an integrated gateway product, exposes a backend ODBC interface for integration of SQL-based datasets.

• InJoin Interfaces—Provides support for X.500 standard protocols, as well as LDAP and HTTP.

Software Developer Kit—Only limited development tools are directly provided, with Critical Path pointing to LDAP interface kits by other vendors to supply language-specific development support.

• LiveContent—The iGateway add-on has a developer toolkit, the LiveContent Directory Db Adapter (ODBC) API, for creating other ODBC interfaces. LiveContent documentation notes the availability of LDAP interface toolkits for a number of development environments including LDAP for ActiveX, LDAP via PERL, and LDAP Java class libraries.

• InJoin—InJoin has a range of application tools available—TRANS supports hosting CICS, COBOL, PL/1, VSAM, and DB2 applications on Unix or NT, Path3270 allows a developer to use any Java IDE to connect with, and integrate legacy mainframe applications, BROKER which integrates information across multiple platforms, and BATCH which provides batch management on Unix or NT.

Developer Support—Online developer resources aren't available for either LiveContent or InJoin directory products.

3rd Party—Online Critical Path references don't describe any 3rd party applications developed specifically for LiveContent or InJoin.

Business perspective

Both InJoin and LiveContent have the flexibility and scalability of true X.500-based directory services, and as such can well support a wide range of business and IT operations.

Market Acceptance—Both of these products are deployed in large-scale messaging environments, including a wide range of businesses, as well as the European postal, financial, and government environments. Critical Path customers encompass a broad spectrum of industry and technology leaders, including IBM, Cisco, Intel, Lucent, AOL, AT&T, HP, EDS, and many others.

Supported Platforms—The range of supported platforms is one of the more striking differences between these two directory service implementations.

• LiveContent—Sun Solaris 2.6, 2.7, HP UX 10.20, 11, Windows NT 4. According to PeerLogic/Critical Path, LiveContent is available on other UNIX platforms on request.

• InJoin—InJoin Directory Server is available for Windows NT 4/2000 (Intel*), Sun Solaris 2.6, HP/UX 11, AIX 4.3, SGI IRIX 6.5.

Consulting services—As part of the array of integrated directory solutions, Critical Path offers its InTouch services providing consultants to assist in requirements analysis, integration planning, as well as designing and deploying directory infrastructures with ongoing support.

Cost—Pricing information per server and per client for each of these directory services is not readily available from Critical Path's product information, yet a recent networking magazine review cited the client access license cost at $100,000 per 100,000 users (or $1 per CAL).

eTrust/OpenDirectory

The eTrust Directory from Computer Associates (CA) is an X.500-based distributed directory service providing a robust, extensible, and scalable solution supporting high levels of concurrent users. The eTrust Directory is a component of the eTrust suite, an integrated collection of infrastructure security and management products.

Functional aspects

eTrust is fully X.500 compliant. It uses CA's Ingres RDBMS as the backend data store providing flexible and reliable directory storage and retrieval. eTrust supports load balancing, query streaming, and can also serve as a router for proxies and firewall applications. eTrust can run multiple DSAs on the same server—essentially multiple instances of the directory server—increasing the number of concurrent users supported per server.

Scalability—eTrust Directory employs a fully distributed directory information base, supporting tens of millions of directory entries with millisecond response times. eTrust employs a fully-indexed directory database to provide extremely high performance and achieves linear scalability via increase in disk storage and processor expansion.

Replication—Uses single-master replication based on the X.525 primary and secondary shadowing mechanisms. Shadow relationships are manually established.

Replication Granularity—Attribute level replication filtering is supported.

Synchronization—The DXreplicator mechanism uses a transactional two-phase commit process with checkpoints and rollback functionality. The DXserver DSA supports 'multiwrite' operations which allows all DSAs in a naming context to be dynamically synchronized while maintaining real-time directory operations.

Directory Tools—eTrust supplies a lightweight DUA called DXplorer that supports import/export of schema, as well as database content loading, dumping, replication, and archiving. Any external LDAP server can be integrated into eTrust Directory via DXlink. Tools for scripting of directory operations, and synchronizing of external data are included in DXtools. eTrust Directory integrates with the Unicenter TNG for enterprise network administration, and PKI certificate validation is supported by eTrust OCSPro.

Technical aspects

eTrust provides a fully distributed X.500 directory service, allowing dynamic schema updates and extensions, modifications to access controls, knowledge references, and tracing configurations. eTrust also supports dynamic directory configuration and control, allowing online backups and hot swapping of databases.

X.500 compliance—eTrust has full X.500 compliance, supporting all functional, DSA, authority, and information models, as well as the X.500 protocols including DAP, DSP, and DISP. It also supports query chaining and referral. DXserver stores comprehensive knowledge references to all DSAs in the directory allowing shortest path routing of directory queries.

LDAP support—eTrust fully supports LDAP v.3 including extensions such as virtual list views, persistent search, and server-side sorting. eTrust uses DXLink to incorporate LDAP servers into the directory.

LDIF—eTrust Directory does support import/export of schema, as well as database content loading, dumping, replication, and archiving via Java-based DXplorer tool.

Security—eTrust enforces access controls on all directory entries, and fully supports rule-based access controls and rights inheritance. X.509 PKI certificates from VeriSign, Entrust, and Baltimore Tech can be used for strong authentication. Kerberos, SASL, and SSL are supported, as well as X.700 and SNMP monitoring for logging, tracing, and alarms.

DNS Integration/Federation—Support for DNS integration and namespace federation is not specified.

Developer Outlook

CA supplies useful eTrust directory management and LDAP synchronization tools, yet offers limited developer information for the eTrust directory product.

Interfaces—eTrust documentation lacks specified development interface information.

Developer Support—eTrust provides schema and communications support for a range of directory-enabled applications (via LDAP), including DEN, CTI/IVR, HR, Security, Postal, as well as support for document management, catalog, government, and financial services. While CA supplies a set of integrated eTrust applications, little data is available for external developer information and APIs.

Software Developer Kit—CA does not appear to provide any SDK for the eTrust Directory.

3rd Party—While CA has an impressive array of development partners, they don't reference any 3rd party applications specifically for eTrust.

Business perspective

eTrust is a suite of services integrated with the eTrust Directory, providing a robust, extensible, and massively scalable enterprise identity management or e-commerce solution. eTrust Directory can integrate LDAP services from multiple vendors (Active Directory, iPlanet, NDS, any LDAP-compliant directory) into a unified directory service without gateways or metadirectory components.

Market acceptance—eTrust Directory has limited but significant market presence, mostly in large-scale government or enterprise environments.

Supported Platforms—eTrust runs only on Microsoft Windows NT and Windows 2000, as well as Sun Solaris 2.6, 2.7, and 2.8.

Consulting—CA provides consulting services supporting all aspects of business solution implementation with CA products, supplying value-added planning, integration, deployment, and ongoing support.

Cost—While the server price is not available, a recent networking magazine review placed the client access license cost at $20,000 for 100,000 users (or $.20 per CAL).

THE eDIRECTORY ADVANTAGE

We have looked at three styles of directories, three sets of strengths and weaknesses. Time for a quick recap.

LDAP is great for clients and directories to talk to each other. However, LDAP specifies only a directory access method, and a directory service is a lot more than an access method.
LDAP, being an access protocol, doesn't define the X.500 distributed directory mechanisms. That makes sense, as LDAP was designed to access X.500 directories and it relied on the underlying directory for that functionality.

X.500 is the foundation for high performance, massively scalable, and highly distributed directory services. Due to the focus of X.500, these directories have typically been associated with the same sorts of companies you think of when you think of mainframes. Until LDAP came along, X.500-ready clients weren't everywhere, and since they lacked the relatively captive user base of network-focused directories, development for them wasn't quite as impressive.

Network-focused directories are easier to use and have more application support. What most network directory services have lacked, however, is the massive scalability of X.500 and the universal clients of LDAP. Again, this makes sense; they weren't designed to be distributed across the world like X.500 and, as they were tied to a specific network operating system, the client architecture could be limited to a relevant subset.

So where does NDS eDirectory fit? It's the best of all of these.

eDirectory is a time-tested, cross platform, enterprise-ready directory service grounded in X.500 with native LDAP support, providing you with a secure foundation for your internet, intranet, and e-commerce applications. Moreover, because it has been around as an enterprise network directory service since 1993, NDS has had time to mature and build a base of products that leverage it. There are over 1800 applications and 139 million users who rely on NDS eDirectory every day. In fact, according to the International Data Corporation (IDC), eighty percent of Fortune 1000 companies using a directory service are using NDS! eDirectory technology is the foundation for enterprise management, security, e-commerce, collaboration and Internet solutions from Novell.

Technology mileposts

NDS eDirectory has undergone numerous changes since Novell introduced it in 1992. Let's take a quick look at some of the significant LDAP-related mileposts on the way to eDirectory 8.5.

NetWare 4—LDAP Services for NDS released as a free add-on product for NDS in 1997.

NetWare 5—LDAP Services for NDS integrated into base NDS product.

NDS eDirectory 8.0—Improvements in LDAP search performance, DNS namespace support, and caching and indexing enhancements.

NDS eDirectory 8.5—Released as stand-alone product for Windows NT/2000, Linux, Solaris, and Tru64 UNIX with DirXML™ support on all platforms. Substantial LDAP enhancements—full version 3 support for auxiliary classes, schema updates via LDAP and LDIF, ICE (Import/Convert/Export) LDIF utility, and support for LDAP over SSL. Filtered replication also introduced.

Functional advantages

eDirectory is rooted in the X.500 design for massively scalable directory services, giving it powerful, yet manageable, distributed capabilities. Native LDAP support is also provided along with other critical Internet
standards like XML, making it easy to access with ubiquitous clients. eDirectory's time in the network field shows too; with easily managed operations, automatic configuration of many inter-server processes, and mature integrated tools. As you will see, eDirectory leverages this best-of-breed design and operations to its advantage, and yours.

Scalability—Novell has publicly demonstrated that eDirectory can manage more than a billion objects in a single tree. This capability far exceeds what most enterprise networks or eBusinesses will require.

LDAP Performance—eDirectory 8.5 has substantially improved LDAP performance, with automatic optimization of caching and indexing; it's improved so much that LDAP catalogs are no longer needed. LDAP searches perform with consistent speed, even with millions of objects in the directory. The LDAP search capabilities of competing directories generally decrease in direct proportion to the number of users added to the directory. Key Labs, an independent consulting firm, tested eDirectory against iPlanet and found that LDAP searches were up to 50% faster on eDirectory.

Replication—eDirectory provides powerful and easy to administer multi-master replication. Replica placement and management is highly flexible—eDirectory allows 50 replicas of a partition and 250 replicas per server. Automatic replication processes ensure performance and fault tolerance, while robust customization abilities allow you to place replicas where you need them.

While eDirectory uses multi-master replication by default, it also allows single-master style replication with read-only replicas. Read-only replicas operate as a shadow in a master-shadow relationship and provide a means of distributing copies of the directory for look-ups.

Replication granularity—Many times, you only need a sub-set of directory information for your application. If, for example, you only need the business-related address book portion of a User object, why replicate the entire object? By filtering directory replication, you can create a replica that just contains the address book information. You can create replication filters at the object or attribute level for either inbound or outbound replication, facilitating the creation of custom views of the directory. Because they create very small replicas and keep synchronized data to a minimum, filters allow much larger replication rings (over 100 servers) supporting large-scale Internet or e-commerce deployments. You enjoy greater flexibility in directory deployment along with improved network and directory performance.

Synchronization—eDirectory uses transitive synchronization, a powerful method of updating replicas that reduces network traffic and server load while maintaining data integrity. eDirectory servers act as intermediaries to other eDirectory servers in a sort of cascaded replication to perform synchronization operations more efficiently, and across disparate network protocols—IPX to TCP/IP, for example. Prioritized synchronization ensures that critical updates, like security and password
changes, are replicated quickly (in 10 seconds), while most directory changes are scheduled to occur on a regular, but much less frequent basis.

Referential integrity—Referential integrity ensures that when you attempt to change data, all related and dependent objects are confirmed in those changes which are not propagated out to other datastores until the references are checked.

Partitioning—No limits on partition size means you can design your directory based solely on what works best in your environment. A single container can hold millions of objects, giving you plenty of space to easily manage those massive trees. There's also no need to manually tell one directory server where another is, as there is with many other directory products—eDirectory creates the references needed for inter-server operation automatically as you partition the directory. Directory information is stored efficiently as well; an eDirectory partition holding a million objects will only take about one GB of disk space.

Directory Tools—eDirectory has a broad range of tools that provide powerful means of simplifying directory management.

• ConsoleOne™ provides a platform independent unified interface for administering eDirectory, including directory information, servers, and LDAP components.

• iMonitor is a browser based monitoring and diagnostics tool that lets you keep an eye on all of your eDirectory servers from anywhere on the network.

• The Import/Convert/Export (ICE) utility provides a mechanism for moving large amounts of directory information between NDS and LDAP, or between LDAP directories, via LDIF files. ICE uses the same XML rules as DirXML for creation, and placement of objects as well as schema mapping. You can use XML rules to perform tasks such as providing default values when creating objects or mapping schema elements.

• Traditional LDAP utilities like ldapsearch, ldapmodify, ldapdelete are included.

Technical advantages

eDirectory blends the architecture of X.500 and the ubiquitous nature of LDAP with robust security services to provide the technical foundation for a global directory service ready for any mission-critical task.

Best Combination of X.500 and LDAP—NDS eDirectory is grounded in X.500, the industry standard for a high-performance, scalable, and secure directory service. It incorporates the X.500 architecture for distributed operations and administration with a powerful data storage system to provide a world-class directory service. Soon, eDirectory will be able to communicate with X.500 directories via the standard X.500 protocols as Novell and Nexor are partnering to build DirXML connectors to X.500 directory services.

eDirectory fully implements LDAP version 3 as well as popular extensions and controls allowing advanced query handling such as virtual list view (VLV) and server-side sorting of search results that makes browsing containers containing millions of objects easier. LDAP extensions and controls can also be used to create utilities for managing
partitions and replicas. A DirXML connector for iPlanet is available, providing changelog style synchronization—unfortunately since changelogs aren't standardized, this connector is limited to iPlanet at this time.

LDIF—eDirectory uses an extended set of LDIF codes, providing a way to update access rights, define attributes to index, change schema definitions, and configure NDS-LDAP mappings using LDIF files. eDirectory's LDIF utility provides a mechanism for importing and exporting directory information and performing migrations from server-to-server.

Security—eDirectory supports flexible user authentication methods ranging from passwords encrypted over SSL to X.509v3 certificates or security tokens, such as smart cards. eDirectory supports LDAP over SSL for secure connections (especially important if clients are using clear-text passwords) to the directory on all platforms. Novell Certificate Server™, available free from Novell, integrates with eDirectory to provide and manage PKI certificates. SASL is supported, allowing authentication mechanisms such as Kerberos for LDAP. eDirectory provides access control and delegated administrative rights down to the attribute level.

Novell Modular Authentication Service (NMAS™) 2.0 supports extensions to security mechanisms to support authentication using biometric devices, tokens such as smartcards, and passwords. NMAS can provide differential access based on how a user authenticated to the network. Someone with just a password can be allowed to get to their e-mail, for example, while the directory requires a security token to get to financial records.

DNS Integration/Federation—eDirectory now integrates DNS functionality to provide support for world-wide NDS referrals via DNS. eDirectory trees can be created within the corporate DNS domain structure and DNS used as the location service for these trees, facilitating distributed business across the Internet. When a directory server receives a request for an object within another DNS domain, it uses DNS to locate the other eDirectory server and continues directory operations transparently.

Developer advantages

Novell believes that eDirectory can provide critical functionality to your application, and they'd like to help you access it. That's why they provide comprehensive tools and support to developers including an array of offerings supporting core internet technologies like LDAP, Java, and XML, as well as the old standards like C/C++.

Interfaces—In addition to the LDAP C API, eDirectory supports a variety of programmatic and administrative access methods. You can choose between the traditional DSAPI (Novell's port of the X.500 XDS APIs), ADSI (Active Directory Services Interface), and LDAP interfaces. You can write eDirectory applications using C/C++, Java, ActiveX controls, JavaBeans components, JNDI/JNCL, as well as ODBC and JDBC queries. Supported scripting languages include JavaScript, Perl, and Net Basic.

XML-based access to eDirectory information is provided via Directory XML (DirXML), which also supports XSL and XSLT. In the interest of helping set a standard for XML-based access to directories, Novell has offered the DirXML specification to
OASIS for adoption as the open standard for the Directory Services Markup Language (DSML) 2.0.

Novell Developer Kit—Novell provides a wide range of no-charge downloadable software development kits and libraries. Here's just a sampling: NDS libraries for C and Java, NDS Authentication services, LDAP Libraries for C and Java, and eCommerce LDAP Beans. JNDI support, including class libraries, providers, extensions, and controls are available, as are a DirXML driver kit, and Single Sign-on for C and Java. There is even a toolkit for creating utilities that manage partitions and replicas through LDAP extensions and controls. You can check out the full range of developer downloads from Novell, available at http://developer.novell.com/ndk/downloadaz.htm.

Bundled eDirectory for ISVs—Novell has created a version of eDirectory that can be bundled with your application providing customers without an installed directory service the benefit of a directory-enabled solution. If multiple applications, each with their own copy of eDirectory, exist on the same network, they can even share a single installation of eDirectory eliminating the need to support multiple stand-alone application-specific directory services.

DeveloperNet®—DeveloperNet includes comprehensive development tools, technical information, developer support, advanced training, and co-marketing programs. DeveloperNet makes it easier for you to deliver secure, scalable directory-ready solutions in areas like e-commerce or customer relationship management. Industry-leading companies like IBM, Sun Microsystems, Lucent, and Oracle have signed on as DeveloperNet partners and the program has over 100,000 members world-wide. There are multiple levels of DeveloperNet membership available:

• The Net membership is free and provides free online access to the Novell Developer Kit, Developer Support Forums, AppNotes, Novell Support Connection, and the DeveloperNet University.

• At the NetPlus level, you get all of the above, plus the latest release of NDS eDirectory, a one-year subscription to the Novell Developer Kit, and two 25-user copies of NetWare 5.1.

• NetProfessional level membership offers Novell Software Evaluation Library™ (SEL), with 100-user versions of many Novell products, annual NDK and AppNotes subscriptions, two developer support incidents, four shipments of the Novell Support Connection, and Metrowerks CodeWarrior for Windows, Professional Edition.

• Executive and Strategic memberships are available for strategic development partners and large enterprises that require unlimited compatibility testing and a high level of support.

Developer Support—Novell's Worldwide Developer Support offers services for hardware and software developers as well as compatibility testing services.

• Software and International Developer Support: Provides support on the NDK and application compatibility for the US, hardware and software developers in Europe, as well as DeveloperNet, software, partnerships, and 3rd party support for the Asia Pacific region.

• Developer Solutions Team: This team works on NDS integration for both hardware and software, including in-lab testing support in Provo, San Jose, Boston, and Taiwan. This team provides on-site developer support and liaison services for selected partners.

• Hardware Developer Support Team: Systems support group works with major hardware vendors such as Intel, Dell, Compaq, and Hewlett-Packard to provide developer support and deal with compatibility issues. The Device Drivers and Printing (DDAP) group supports Novell partners working with a variety of infrastructure hardware. This team also handles hardware testing, including the creation of testing tools for developer and Yes certification testing.

• Developer Labs: Novell has four developer labs, located in Provo, San Jose, Boston and Taiwan, available for use in development and testing of your eDirectory-enabled solutions. Novell's Developer Lab can speed your development process to get products to market faster. These labs offer access to the complete array of Novell software deployed on a network that includes both LAN and WAN topology. You'll also benefit from the expertise of top Novell engineering talent available to help you—each lab has two senior engineers to assist you as you test the deployment, migration, and operations of your products. Novell staff will even negotiate non-disclosure agreements for the engineers you will be working with, so you can rest assured that your work at Novell Labs stays secret until you want to talk about it.

• Certification: Once you are done at the Developer Lab, your product should be ready to submit to the certification lab. Here, your application will be evaluated to see if it gets the Novell Yes Tested and Approved mark that certifies application compatibility with Novell Net Services software.

Novell Solutions Search—Once you have developed your product, you need to tell the world about it. Well, Novell has a way to help with that part of the product development process too: Novell Solutions Search (NSS), a free service available to Novell Partners and DeveloperNet subscribers. NSS provides a searchable database of the myriad of software, hardware, and professional services available for Novell products. The information in NSS is refreshed periodically to maintain high quality listings.

By registering your product with NSS you gain access to the tens of thousands of people a day who visit Novell's site looking for technology solutions. Registration is simple; you can do it quickly via a convenient online form. If Novell has certified the product, the Yes Tested and Approved mark appears next to your NSS listing, letting potential customers know that your solution is compatible with Novell products. (Hardware products must be certified by Novell to be included in the NSS database.) All the information you need about NSS is available at http://developer.novell.com/nss/.

3rd Party Business Solution Offerings—Hundreds of independent vendors have developed a wide range of NDS eDirectory-based solutions for business operations, and e-commerce applications—
too many to list here! But if you browse to Business advantages

http://www.novell.com/partners/corporate/ NDS eDirectory can help you manage identity

current.html, you can see the company youÕll be information for people (employees, customers, etc.)

keeping when you develop to NDS eDirectory. across disparate networks; NetWare, Windows,

Linux, and UNIX. It can also facilitate relationship ToolsÑeDirectory has a broad range of tools management between companies (partners, that provide powerful means of simplify vendors, etc), something that is increasingly directory management. important as more business is conducted on-line. ¥ iMonitor is a browser based monitoring and Using eDirectory you can provide secure access to diagnostics tool lets you keep an eye on all of the resources your employees and business partners your eDirectory servers from anywhere on need while protecting those they donÕt. the network. Increasing market acceptanceÑWhen you are ¥ ConsoleOne provides a platform independent selecting something as critical as your directory unified interface for administering both infrastructure product, you want to be sure itÕll eDirectory and its LDAP components. be around (and working) in a few years. After all, ¥ The Import/Convert/Export (ICE) utility directory deployments arenÕt undertaken lightly, provides a mechanism for moving large you canÕt afford to re-engineer your business amounts of directory information between because your directory vendor decides to change NDS and LDAP, or between LDAP directories, things, or worse yet, goes out of business! via LDIF files. ICE uses the same XML rules as When you choose NovellÕs NDS eDirectory, you DirXML for creation, and placement of objects get a mature and widely adopted product backed as well as schema mapping. You can use XML by a company that has been in the directory rules to perform tasks such as providing business for a long time. ThatÕs why companies like default values when creating objects or British Telecom, Red Hat, CNN and Yahoo! depend mapping schema elements. on eDirectory to support mission-critical operations

Time to market advantagesÑAs a developer, from user management to e-commerce.

using eDirectory means you donÕt have to build Largest installed baseÑWith an installed user

another application directory, speeding application base of over 139 million, NDS is a mature proven

deployment and leveraging what the informed product. Many other directory products are in

customer is buying right now and in the future. their earliest implementations, or only deployed

The broad range of access methods means you in a highly limited fashion, depriving the vendors

donÕt have to rewrite existing applications that of the experience Novell has used to improve NDS

use any of these interfacesÑjust plug them in over the years. In addition to supporting all LDAP

and youÕre ready to go. applications, more than 1800 directory-enabled Which directory offers the best LDAP server? 25

applications have been built using eDirectory as needs assessment, planning, technology selection, the information repository. deployment, optimization and customization.

Novell Consulting also releases products that Cross-platform availabilityÑeDirectory 8.5 is a enhance security, ease directory management, truly stand-alone directory running on Novell and extend Novell product functionality. NetWare, Windows NT, Windows 2000, Sun Solaris,

Linux, and Compaq Tru64 UNIX (with IBM AIX CostÑeDirectory costs $2 per user. in beta). eDirectory is fully interoperable NOVELL DEVELOPMENT PARTNER cross-platformÑany eDirectory 8.5 server can COOL SOLUTIONS communicate with any other eDirectory 8.5 Now that you know a little more about eDirectoryÕs server, as well as any LDAP 3 compliant capabilities and how Novell can help you develop application or directory. Client libraries and LDAP world-class applications, perhaps a bit of tools are available for Linux, Solaris, and Tru64 inspiration would be useful. Many independent UNIX, as well as Windows. vendors have come up with what we like to call NDS eDirectory is the first, and so far only, ÒCool SolutionsÓÑparticularly useful, innovative, directory to pass the rigorous testing required for or just plain cool ways to leverage eDirectory. SunTone Program Certification, demonstrating superior performance and reliability. eDirectory HereÕs a couple of examples of business solutions has, in passing SunÕs tests, met requirements for vendors are developing with NDS eDirectory. scalability, security, and availability as well as Business Layers eProvision DayOne optimization for SunTone architecture. eProvision DayOne*, named ÔDirectory Products

When you deploy eDirectory you can choose Best of Show 2000Õ by the Electronic Messaging the platform based on your current environment Association, demonstrates the power of eDirectory and business needs. When you compare this to the as the foundation for next-generation business proprietary single-platform Òmy way or the applications. DayOne leverages eDirectory to highwayÓ approach from many other directory provide a policy-based business provisioning and vendors, the advantage is clear. procurement solution that uses LDAP to streamline

Novell ConsultingÑNovell consultants have the process of bringing new employees online and extensive experience designing and deploying making them production from Òday one.Ó solutions for Novell customers worldwide. Whether DayOne uses employee profiles stored in the itÕs directory integration or migration, management directory and XML connectors to automatically tools or a new application, Novell Consulting can register people with HR and IT, providing help provide a greater Return On Investment (ROI) immediate registration with network resources, for eDirectory customers. Consultants can provide services, devices, applications, and PBX. This comprehensive project management including ensures that new employees, business partners and others who need access to company resources © Copyright 2001, Novell, Inc. All solutions to address the worldÕs most pressing rights reserved. Novell, DeveloperNet, NDS and Novell Directory Services are get everything they need quickly, and with a information technology problems, and provide registered trademarks, and ConsoleOne, DirXML, eDirectory, NMAS and Novell Certificate Server are trademarks minimum of hassle. eProvision DayOne supplies a consulting and support services to ensure that your of Novell, Inc. in the United States and other countries. Web-based GUI for management of the process directory project successfully accomplishes your *Java, Solaris and Sun are registered trademarks, and iPlanet and JavaScript and automatically notifies HR, IT, and appropriate business goals. are trademarks of Sun Microsystems, Inc. ActiveX, Microsoft, Windows managers of unfinished tasks to insure timely and Windows NT are registered We support our developer community with a rich trademarks, and Active Directory is a trademark of Microsoft Corporation. completion of the provisioning process. Banyan and StreetTalk are registered set of tools and comprehensive documentation, to trademarks of Banyan Systems, Inc. 
Oracle is a registered trademark of help software developers understand, access (and . Netscape is a Connectotel Ltd Mobile Phone Policy Manager registered trademark and Netscape Communicator is a trademark of Mobile Phone Policy Manager (MPPM) delivers profit by using) our products to deliver complete Netscape Communications Corporation. Hewlett-Packard and HP-UX are registered trademarks of Hewlett- policy-based management of mobile device directory-enabled applications. Packard Company. AIX, IBM, OS/390, OS/400, SecureWay and including cellphones. User and policy information We stand behind our directory services with WebSphere are registered trademarks of International Business Machines Corporation. Linux is a registered is stored in eDirectory and all management tasks many years of practical experience deploying trademark of Linux Torvalds. RedHat is a registered trademark of RedHat are performed via NWAdmin snap-ins. MPPM services Software, Inc. TurboLinux is a directory solutions in the enterprise networks and registered trademark of TurboLinux, Inc. Compaq is a registered trademark fall into four categories: eBusiness environments. We continue to enhance, of Compaq Computer Corporation. UNIX is a registered trademark of X/Open Ltd. InJoin is a trademark of ¥ Asset Registration which maintains a registry extend, and refine our directory service capabilities Critical Path, Inc. Intel is a registered trademark of Intel Corporation. to support the evolving set of industry standards and eProvision DayOne is a trademark of people and their wireless devices, of Business Layers, Inc. All other third-party trademarks are the property ¥ Zero Day Start which (like DayOne) addresses technologies required by business. of their respective owners.

the need to get new employees up and WhatÕs that worth to you? Let us help you Novell Product Training and Support Services running quickly deliver your directory-enabled business solutions For more information about ¥ Support for text-to-cellphone messaging for with our time-tested, award winning NDS Novell’s worldwide product training, certification programs, devices that are not Wireless Access Protocol eDirectory product. consulting and technical support services, please visit: (WAP) enabled www.novell.com/services

¥ Policy-Based Management which For More Information provides a centralized point of Contact your local Novell Authorized Reseller, administration for Short Message or visit the Novell Web site at: www.novell.com Service (SMS) features

You may also call Novell at: eDIRECTORY: THE RIGHT 1 888 321 4272 US/Canada CHOICE FOR LDAP 1 801 861 4272 Worldwide 1 801 861 8473 Facsimile Novell provides more than just great Novell, Inc. directory services. 1800 South Novell Place Provo, Utah 84606 USA We help CTOs, architects, and project leads design comprehensive directory www.novell.com

462-001218-001