The Metadirectory:
A Directory for the Real World
by Steve Tillery, Fischer International Systems Corporation.
(Originally published in Messaging Magazine, July/August 1999)

A hybrid of metadirectory types will address real-world, global enterprise needs—extending information boundaries, providing security, authenticity, and integrity.

Today’s corporate information systems rely on a variety of hardware, software, and network platforms. A metadirectory solution must be capable of managing the corporate information knowledge base, as well as provide secure access to information across a variety of distributed platforms. A metadirectory must also reduce corporate risk, increase productivity, and help protect IT investments.

Large organizations typically have mainframe computers, various network topologies, server farms of both NT and Unix servers, as well as end-user client computers with varying operating systems. Communication between these computers may depend upon different types of networks within the enterprise, as well as networks that cross corporate boundaries worldwide. Multiple e-mail systems, a variety of software products managing corporate data, the location and politics surrounding ownership of data, create access control, security, and administration problems that result in corporate risk, and a loss of productivity.

Employee information in a large organization might reside in a human resource database, with a more limited set of information available in a telephone directory, a departmental directory, or perhaps in databases being managed by various corporate software packages. Much of the information is redundant, and in many cases administrated manually.

E-mail as a means of efficient communication added a significant layer of complexity over the directory needs of the large corporation. Directory information was required not only to link e-mail addresses to individuals, but also to route the mail itself. Extending e-mail services to remotes, users, customers, and business partners, across corporate boundaries, drove the need for secure remote access to corporate data. Remote access, in turn, opened up the way for customers and vendors alike to improve communications and just-in-time inventory management.

E-commerce is increasing the level of complexity once again, demanding authentication, confidentiality, integrity, and non-repudiation services. The increased volume of access to corporate information is expected to increase the need for reliability and scalability of e-commerce applications. Directory services will be a key component of any e-commerce infrastructure. The need for directory services is expected to increase significantly over the next three years with revenues estimated to be $78.4 million by 2002 and professional services over $300 million.¹

Enter the Metadirectory

A metadirectory can act like a central clearinghouse for access to corporate information providing security, integrity, and authentication. Metadirectories reduce the cost of managing corporate information over existing directory methods and provide an infrastructure for managing the needs of e-commerce. By moving to a single, electronic telephone directory, one large company was able to eliminate nearly all of the $1,000,000 per year they were spending to publish a paper telephone directory.² The U.S. Department of Transportation was able to save at least $20 million just through better e-mail directory access, on a total investment of $600,000 for the entire metadirectory solution.³

Although GartnerGroup identifies three different techniques (replication-based, virtual directory, and directory information broker)⁴ to create a metadirectory function to meet today’s needs, the metadirectory will need to combine at least two of these techniques.

Even an information broker type of directory needs YETA—a directory of pointers
The need for another directory (YETA directory) to consolidate the data in the many corporate repositories seems like a contradiction to many. No matter the approach, however, yet another directory will be required. Replication-based metadirectories will move corporate information to an industry standard distributed repository where an enterprise security policy may be applied to the information. The Virtual directory pushes the solution to client platforms creating somewhat of a client platform administration problem, while compromising the organization’s flexibility to manage information. The directory information broker will need a YETA directory containing pointers to information in other repositories. Politics regarding information ownership, location, and security, will demand that the replication technique also accommodate the information broker technique, forming a hybrid of the two.

A corporate metadirectory must be capable of managing the organization’s knowledge base, securing sensitive information, and distributing the information inside or outside of the corporate firewall!
Only replication-based metadirectories offer the speedy access required for most applications. Information is captured in an industry standard repository. The organization’s security policy may be applied to information before shadowing the information to distributed directory servers within the organization, or beyond corporate boundaries to business partners. Yet, due to processing requirements, ownership, or politics, certain information may not be able to be moved to the metadirectory repository. Pointers to this information, along with pointers to information in a replication-based metadirectory, comprise your metadirectory knowledge base. A replication-based metadirectory has the machinery required to manage a knowledge base, secure the information, and distribute it across a variety of platforms throughout an organization, as well as to locations outside of the corporate firewall.

Metadirectory information must be managed independent of client applications, across organizational boundaries in the real-world, multinational corporation.
One of the main benefits to a metadirectory is the ability to securely manage corporate information, across industry standard protocols, independent of client applications. It is critical, that when the client—the employee, vendor, or e-commerce customer—accesses the metadirectory, that the location of information and access control issues are handled by the metadirectory backbone, and not referred to the client. If the requested data is not available on the boundary directory server, the metadirectory knowledge base should allow the backbone to locate the data rather than referring the client to another directory solution. Figure 1 shows an example metadirectory implementation where the client accesses corporate information from a boundary directory server. If the information is located on another directory server, in another repository outside the metadirectory, or possibly in a trading partner’s data center, the metadirectory backbone obtains the information and securely transfers it to the client.

While the installed base of LDAP-based software requires LDAP compatibility in the metadirectory, LDAP will not, by itself, satisfy all the requirements for managing metadirectory information. With LDAP, the client can only retrieve information from directory servers defined to the LDAP client. If the desired information is not resident on the designated LDAP server, a referral is returned to the client. The client must then attempt to access other LDAP servers in its quest for the desired information. Figure 2 shows the resulting communication flow. In addition to the overhead required to access the referred LDAP servers, access control becomes a serious issue, as each server needs to know about each and every client.

X.500 protocols supply the machinery required to manage metadirectory information. Combined with LDAP as a client protocol, a wide variety of client applications may access the metadirectory backbone. The protocols found in X.500, represent the machinery an organization needs to manage metadirectory information across a variety of distributed platforms worldwide. Client platforms as well as other directory-enabled applications are independent of the metadirectory implementation. With X.500-like machinery, whether the metadirectory repository physically holds corporate information or another repository holds the data, is no longer an issue that concerns the client. Metadirectory security and protocol technologies also address communication and security issues pertaining to various repositories. The client authenticates itself to the metadirectory backbone, and information is made available securely according to a corporate security policy. Organizations are free to reorganize the topology of metadirectory backbones according to their e-commerce needs.

Active Directory will become a de facto standard within NT networks. The Metadirectory can be integrated with Active Directory.
Microsoft has a history of developing de facto standards for the PC-based computing world. With the introduction of Active Directory with Windows NT 2000, Microsoft will, arguably, spawn a new standard—one of a directory communications interface. As software developers the world over write software that interface using the Active Directory Service Interface (ADSI, Microsoft’s interface for Active Directory), the need to support this protocol with the metadirectory is evident. In addition to LDAP and X.500, the successful metadirectory must also support Active Directory. The question is "Will Microsoft applications evolve away from LDAP using ADSI as their directory interface?" If that is the case, the next question becomes "Does LDAP become an Active Directory interoperability component to existing standalone LDAP servers?"

The metadirectory must run on today’s hardware and software topologies, meeting necessary scalability requirements, while providing growth potential for the future.

As the benefits of metadirectory technology are realized, organizations will become clever about inventing ways to leverage metadirectory resources. Process automation, digital certificate management, directory-enabled networking, as well as other e-commerce applications will increase the use of metadirectory exponentially. Organizations and their businesses will become increasingly dependent on their metadirectory resource. Reliability, scalability, and availability are critical. Once a metadirectory is in place, usage will demand 100% availability. Careful consideration should be given towards the type of metadirectory technology, the platforms it runs upon, and the reliability and scalability of the entire solution.

Conclusion

A new metadirectory structure is needed that encompasses the needs of Fortune 500 companies and offers access to information across all enterprise platforms.

The metadirectories proposed to date do not address the needs of Fortune 500 companies. These companies need, as a minimum:

1. Meta-methodology: The metadirectory solution must address performance requirements along with process automation and the politics of information ownership. It must be a hybrid that features both a repository-based solution as well as an information broker-based solution.
2. Knowledge Base: The solution must be capable of managing the metadirectory knowledge base across all enterprise platforms.
3. Interoperability: The solution must encompass interoperability with LDAP, X.500, Active Directory, as well as technologies required by other information repositories.
4. Security: The metadirectory backbone must provide authentication services protecting information as it flows through the backbone. It must be capable of distributing information, securely, across corporate boundaries.
5. Scalability: The metadirectory must support the volumes of users, transactions, and directory entries, required in the not-so-distant future.
6. Reliability: The metadirectory will become vital to a company’s ability to conduct business. Both the hardware and the software must be available 24 hours a day, 7 days a week, 365 days a year.

In real-world terms, the successful metadirectory needs to be an information broker with a replication capability. It needs to run on a variety of platforms including NT, Unix, as well as the IBM S/390 mainframe. It needs to interoperate with other metadirectory solutions with support for LDAP, X.500, and Active Directory. We look forward to the introduction of this type of metadirectory into the marketplace.    MM

Footnotes
1. Radicati Group, "The Directory Services Market & Product Analysis 1998–2002," 1998.
2. "Mail Directory Battles Intensify," WEBWEEK, v.3(12), 1997.
3. Alexis Bor, "Enterprise Directories, Now More Than Ever," 1997.
4. See Goldsmith and Mulqueen, "Meta Directory: The Technology Differences," Messaging Magazine, March/April 1999, for a complete discussion of these techniques.

Back to Table of Contents