S 2.406 Selection of suitable components for directory services
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Head of IT
In the planning and conception phase for a directory service, the purpose and operational scenarios for the directory service are defined and the security policies applying to its use are specified.
Once the requirements for the use of the directory service have been specified, it is necessary to identify suitable components for its realisation. This applies especially to the software to be purchased, but the required hardware, its operating system and the network infrastructure must also meet these requirements.
Selection of the software for the directory service
Numerous manufacturers offer directory service software for a variety of platforms. Commercial products are available, but there are also products available for free. Almost all of the most well-known directory services today are based on the LDAP standard. A list of examples is shown below. The list should not be viewed as an evaluation of the products and is by no means complete:
- Active Directory in Microsoft Windows 2000 Server or Windows Server 2003 networks
- eDirectory, previously called NDS, in Novell networks
- Fedora Directory Server, which is supported by Red Hat
- OpenLDAP (Open Source software for various operating systems)
- Apple Open Directory in Mac OS X Server
- IBM Tivoli Directory Server
- Sun Java System Directory Server
- Network Information Service (NIS) in Unix networks (not based on LDAP).
Directory services may be integrated into an operating system, as Active Directory is in Windows 2000 Server and later versions, or delivered as stand-alone software components for various operating systems, such as OpenLDAP, or for Java platforms, such as the Sun Java System Directory Server.
An important initial criterion for the purchase of directory service software is its compatibility with the applications to be used according to the strategic decision made during the planning phase of the directory service. The interfaces offered by the directory service in particular must be taken into account when purchasing the software.
The core of the LDAPv3 standard is implemented by practically all directory services on the market. However, individual products may add product-specific extensions to the standard (LDAPv3 itself provides for this in the form of controls and extended operations). Such extensions can take the form of additional functionality or of specific security features.
If the applications require such extensions, it is necessary to check whether the candidate directory service software actually provides them.
Furthermore, the availability of additional interfaces can be used as a purchasing criterion if this is the only way to ensure effective or efficient use of the directory service. Examples of such directory service interfaces include the Extensible Markup Language (XML), the Directory Services Markup Language (DSML), the Simple Object Access Protocol (SOAP), as well as the proprietary Active Directory Service Interfaces (ADSI) and the Novell Directory Access Protocol (NDAP).
It is also necessary to determine the overall requirements placed on the directory service by the applications and their users in order to ensure its availability. Depending on the requirements, it may be necessary to ensure that the directory service is able to process the estimated number of requests, for example. If the clients require additional components to meet this demand, then these components also need to be included in selection and purchasing processes.
Fulfilment of the security requirements
The security requirements placed on the directory service were formulated during the planning and design phase based on the purpose of the directory service. Therefore, the following questions at a minimum need to be taken into account when selecting the software components to be used for the implementation of the directory service:
- Can the administrative tasks be delegated or distributed using the product under examination so that it meets current as well as potential future requirements? Can the corresponding rights be granted to the individual administrator groups in such detail that it is possible to restrict the access rights of each group to the necessary rights only? Can the confidentiality and integrity of the administrative tasks be protected adequately in the directory service?
- Are the mechanisms provided by the directory service for user authentication strong enough to meet the requirements specified by the organisation?
- Can the confidentiality of the data be protected adequately during transmission between locations and to the users?
- Do the directory service components offer enough support for scenarios in which electronic certificates are needed for authentication, encryption, digital signatures, or in the context of a PKI?
- Is multi-master replication of the directory service possible (if this is necessary)? Is multi-master replication supported by the directory service software at all required levels?
In contrast to a master/slave installation, a multi-master replication scenario has several master servers, each of which receives and processes requests sent by the applications and their users. Requests are typically directed to the master server closest to the requesting user.
Multi-master operation is recommended especially for globally distributed directory service structures. In any case, it is necessary to ensure that replication between the master servers is performed regularly, because every master must hold a complete and current copy of the directory data, and conflicting changes made on different masters between two replication cycles must be detected and resolved. The time and effort required for administration is therefore correspondingly higher for multi-master operation.
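Several of the questions above (which LDAPv3 extensions and interfaces a product offers, whether its authentication mechanisms are strong enough, whether transmission can be protected) can be answered in part from the candidate server's root DSE, the entry with the empty DN that every LDAPv3 server exposes and whose supportedLDAPVersion, supportedControl, supportedExtension and supportedSASLMechanisms attributes advertise what the product supports. The following script is an added example written for this page, not part of the safeguard or of any product's own tooling: it parses such a root DSE from LDIF and checks it against a hypothetical organisational policy. The two LDIF samples are constructed, and the required-feature sets (StartTLS, paged results, a strong SASL mechanism) are an assumed policy, not a BSI list.

```python
"""Check a candidate directory server's root DSE against an assumed policy.

Added example for S 2.406, not part of the safeguard or of any product.
The root DSE (RFC 4512, section 5.1) advertises protocol version, controls,
extended operations and SASL mechanisms.  Both LDIF samples below are
constructed; REQUIRED/STRONG_SASL/LEGACY_SASL are a hypothetical policy.
"""
import base64

# Well-known OIDs, each from the RFC named in its comment.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"        # StartTLS extended operation, RFC 4511
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # Password Modify, RFC 3062
WHOAMI_OID = "1.3.6.1.4.1.4203.1.11.3"         # "Who am I?", RFC 4532
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"   # Simple Paged Results control, RFC 2696
MANAGE_DSA_IT_OID = "2.16.840.1.113730.3.4.2"  # ManageDsaIT control, RFC 3296

# Hypothetical policy: what the server MUST advertise (attribute names lower-cased).
REQUIRED = {
    "supportedldapversion": {"3"},
    "supportedextension": {STARTTLS_OID},
    "supportedcontrol": {PAGED_RESULTS_OID},
}
# At least one of these SASL mechanisms must be offered ...
STRONG_SASL = {"GSSAPI", "GSS-SPNEGO", "EXTERNAL", "SCRAM-SHA-256"}
# ... and these are flagged: cleartext, or deprecated (RFC 6331 moved DIGEST-MD5 to Historic).
LEGACY_SASL = {"PLAIN", "LOGIN", "ANONYMOUS", "CRAM-MD5", "DIGEST-MD5"}


def parse_ldif(text):
    """Parse the first entry of an LDIF document (e.g. ldapsearch output) into
    {attribute-name-lowercase: set(values)}.  Folds continuation lines,
    decodes base64 ("::") values and skips comments and the version line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # continuation of the previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    attrs = {}
    for line in logical:
        if not line:
            if attrs:                            # a blank line ends the first entry
                break
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.setdefault(name.strip().lower(), set()).add(value.strip())
    return attrs


def evaluate(root_dse):
    """Return (passes, findings); findings are (level, message) tuples and
    passes is True only when there is no FAIL-level finding."""
    findings = []
    for attr, needed in REQUIRED.items():
        missing = needed - root_dse.get(attr, set())
        if missing:
            findings.append(("FAIL", f"{attr}: not advertised: {sorted(missing)}"))
    sasl = root_dse.get("supportedsaslmechanisms", set())
    if not sasl & STRONG_SASL:
        findings.append(("FAIL", f"no strong SASL mechanism; want one of {sorted(STRONG_SASL)}"))
    legacy = sasl & LEGACY_SASL
    if legacy:
        findings.append(("WARN", f"legacy/cleartext mechanisms advertised: {sorted(legacy)}; "
                                 "disable them or confine binds to TLS-protected sessions"))
    return (not any(level == "FAIL" for level, _ in findings), findings)


# Constructed samples in the shape `ldapsearch -x -s base -b "" +` prints.
SAMPLE_WEAK = """\
# constructed sample: server without StartTLS or a strong SASL mechanism
dn:
objectClass: top
supportedLDAPVersion: 3
supportedControl: 2.16.840.1.113730.3.4.2
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: PLAIN
"""

SAMPLE_GOOD = """\
# constructed sample: server meeting the assumed policy
dn:
objectClass: top
supportedLDAPVersion: 3
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 2.16.840.1.113730.3.4.2
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
"""

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("good", SAMPLE_GOOD)):
        passes, findings = evaluate(parse_ldif(sample))
        print(f"{label}: {'PASS' if passes else 'FAIL'}")
        for level, message in findings:
            print(f"  [{level}] {message}")
```

Against a live candidate server, `ldapsearch -x -H ldap://host -s base -b "" supportedLDAPVersion supportedControl supportedExtension supportedSASLMechanisms` prints LDIF in the shape the parser expects. Two caveats: what the root DSE advertises is necessary but not sufficient (a server can list GSSAPI and still accept simple binds over an unencrypted connection, so the bind and TLS configuration must be checked separately), and product-specific extensions are advertised only by OID, so the product documentation is still needed to map an unknown OID to the feature the applications require.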
Training and additional support
The administrative personnel must be correspondingly competent to ensure the secure installation, configuration, and operation of a directory service. When selecting software products for a directory service, it is therefore necessary to check if suitable training is offered for this purpose by the manufacturer or an independent provider.
Additional support may be needed from the manufacturer or a third party if complex problems arise during live operation of the directory service. For this reason, consideration should be given to signing suitable support agreements or service level agreements (SLAs) when purchasing directory service components.
The training and support services required must be included in the calculation of the total cost of the directory service.
Tools
There is generally a wide range of tools available for the administration of directory services and administration of the data. When selecting a directory service, it is therefore also necessary to determine if suitable tools are available to aid the administration of the directory service. In addition, it is necessary to check if these tools meet the requirements specified for them.
- Do the tools provide adequate support for the administration of the directory service as well as of its data? Do they support installation, configuration, and operation well enough, given the complexity of the directory service, to largely prevent errors and mistakes?
- Can the interfaces and access to the administration and monitoring functions be adequately protected using these tools?
Scalability
The performance of the underlying database is also important to the availability of the directory service.
- Is the directory service adequately scalable? Will the directory service also be able to meet future demands/requirements in terms of its structures and number of possible entries?
Hardware
If the hardware intended to be used for the directory service or the operating system running on this hardware is already available or already allocated for some other reason, then this will generally limit the range of software products considered suitable for selection, and this fact must be taken into account.
If, on the other hand, the directory service needs to be integrated into a heterogeneous landscape of hardware and operating systems, then the directory service software must support this landscape.
If it is necessary to purchase new hardware and/or operating systems for the directory service to be created, then the performance and storage space requirements must be met in order to guarantee the availability of the directory service and the integrity of its data (see also S 2.317 Criteria for the procurement of servers).
Networks
The same also applies to the network infrastructure. If existing networks with prescribed bandwidths will be used, then the directory service components must be selected so that it is possible to distribute the network load generated by requests to the directory service, which in turn ensures that it is possible to maintain the availability of the service.
When planning a new network or an extension of the existing network, the communication connections must be designed so that they will be able to meet the requirements resulting from the analysis of the expected level of network traffic sent to and from the directory service.
Review questions:
- Is there a catalogue of criteria available for the selection and purchase of the components for the directory service?
- Were the security requirements for each component of the directory service formulated according to its purpose?