Product Focus and Feature Set


Now that you have completed a brief hands-on tour of Netscape Directory Server, it is time to park the car for a while and skim the owner's manual. This section describes the origin, focus, and feature set of the Netscape server with an eye toward introducing you to some common characteristics of LDAP directory service products.

Origin

The first Netscape LDAP product, Netscape Directory Server 1.0, was delivered to the marketplace in September 1996. But Netscape did not start from scratch; it based its product on the open-source LDAP version 2 (LDAPv2) implementation from the University of Michigan. Version 1.0 of the Netscape product supported LDAPv2, server-to-server replication, a sophisticated access control scheme, a synchronization agent for Microsoft Windows NT domain directories, and an HTML template-based HTTP-to-LDAP gateway. Netscape quickly added LDAP support to the rest of its enterprise software, including products such as Netscape Communicator and Netscape SuiteSpot (a collection of integrated servers that included Netscape Enterprise Server, Netscape Messaging Server, and other servers). Netscape also developed software development kits (SDKs) and tools for LDAP developers.

Netscape shipped two major releases over the next three years, adding features such as LDAPv3 support, Netscape Console, and more robust replication features. In March 1999, Netscape and Sun Microsystems entered into the Sun-Netscape Alliance, in which the two companies jointly developed a variety of enterprise server products and delivered them under the iPlanet brand name. Later, Sun acquired Innosoft International, an open standards directory and messaging software company. The best ideas from Sun's own LDAP server (SunDS) and Innosoft's LDAP server (IDDS) were fed into the development of the product that was originally planned as Netscape Directory Server 5.0. The combined product shipped in May 2001 as iPlanet Directory Server 5.0, and it included noteworthy features such as multimaster replication, server-to-server chaining, entry distribution, and role-based access control.

As the Sun-Netscape Alliance was coming to its scheduled end, Netscape and Sun decided to go their separate ways. Sun continues to develop the iPlanet line of server products (now sold under the "Sun ONE" moniker), and Netscape again develops its own line of server products. In December 2001, Netscape shipped Netscape Directory Server 6.0, which includes support for DSML, as well as integration with some America Online services, such as AOL Instant Messenger (America Online is Netscape's parent company).

Product Focus

Netscape Directory Server is designed primarily to address the needs of large enterprises, e-commerce companies, and extranets. Netscape has historically been a performance and scalability leader. The Netscape product supports millions of LDAP entries per server and can process thousands of simple search operations per second. High performance for add and modify operations is not Netscape's focus; Netscape chooses to focus on search performance somewhat at the expense of update performance.

The Netscape server is designed to meet the needs of applications that work with a logically centralized directory service. Netscape has a broad line of LDAP-enabled products, including

  • Netscape Communicator and Netscape 7.0. Web browser and e-mail client suites.

  • Netscape Certificate Management System. A flexible, standards-based public key infrastructure (PKI) server suite that supports certificate issue, renewal, suspension, revocation, and online status checks.

  • Netscape Enterprise Server. A high-performance, secure Web application server that is used by many high-traffic Web sites. Enterprise Server can use LDAP for authentication and access control.

  • AIM Enterprise Gateway. An AOL Instant Messenger (AIM) gateway that allows AIM use to be managed by an enterprise. The AIM Enterprise Gateway acts as a proxy between users inside the corporate firewall and those on AOL's public AIM network, enabling enterprises to manage and control how employees use AIM services. LDAP-enabled identity management features map AIM screen names to corporate employee IDs and group employees by job function or department.

  • Netscape Delegated Administrator. A product that builds on Netscape Directory Server to provide a Web-based interface for delegated directory and services administration as well as end-user self-administration. This product supports many levels of delegation of authority and many types of directory and service administrators (for example, e-mail administrators).

In addition, leading application and middleware vendors such as Netegrity, Hewlett-Packard, and IBM support Netscape Directory Server in their own LDAP-enabled products. Netscape Directory Server is a multiplatform product that runs on several leading server hardware and software platforms. Netscape also supports hardware-based accelerators to improve Secure Sockets Layer (SSL) and Transport Layer Security (TLS) performance.

The Netscape server is a flexible product that is easy to deploy and manage. It is therefore used in deployments that range from one location with a single server to large, multinational companies with thousands of LDAP servers. Netscape does not focus on the needs of network operating systems (where authentication, file services, and printing services still dominate the requirements). However, the Netscape product is popular with Unix operating system vendors. For example, Hewlett-Packard bundles the Netscape product with its HP/UX operating system to provide authentication, authorization, and centralized storage for the OS and its applications.

Feature Set

The Netscape product provides a broad set of features. Although some of the features are specific to this product, many of them are supported by other leading LDAPv3 servers. The Netscape feature set includes

  • Support for LDAPv3 standards, including RFCs 2251, 2252, 2253, 2254, 2255, 2829, and 2830. This feature provides interoperability with LDAP clients and servers from other vendors, as well as strong, standards-based security.

  • Support for many LDAPv3 controls, including those that provide Virtual List View, server-side sorting, persistent searching, proxied authorization, ManageDSAIT, and password expiration. Some of these are proposed standards, and some are not; see Chapter 3, LDAPv3 Extensions, for more information on LDAPv3 controls.

  • Support for many LDAPv3 extended operations, including StartTLS and online bulk import. See Chapter 3, LDAPv3 Extensions, for more information on LDAPv3 extended operations.

  • Entry distribution to allow entries within one subtree of the DIT to be stored on more than one server. Distribution can be based on the location of an entry within a subtree, or a custom distribution algorithm can be specified; for example, a one-way hash of each entry's DN might be used.

  • Extensible schema and configurable attribute indexes to support custom applications. New schema information can be added over LDAP. Netscape Directory Server 6 supports one subschema subentry per server; there is no support for using different schemas for different portions of the DIT.

  • Server-to-server replication over LDAPv3. This feature provides flexible replication schedules, multiple writable copies (multiple masters), cascaded replication (chains of replicas), and replication monitoring.

  • Flexible, scalable directory access control in which the rules are stored in the DIT so that they can be managed by means of LDAP and replicated with the regular directory data. Access control can be based on a DN, simple or dynamic (filter-based) groups, roles, time of day, day of the week, IP address, and other criteria. Fine-grained access control can be applied to entries, attributes, and attribute values.

  • Support for several local directory databases on one server, or several remote databases located on network-connected servers (through server-to-server LDAP chaining). The databases support high-speed import from a file (LDIF or DSML format) and online bulk import over LDAP through a proprietary LDAPv3 extended operation.

  • Data integrity features, including a transactional data store, referential integrity, attribute uniqueness enforcement, and the ability to restrict attribute values to ASCII (7-bit) characters.

  • A server plug-in API that allows developers outside of Netscape to extend the functionality of the directory server in an arbitrary manner. For example, plug-in writers can implement preoperation filters, postoperation triggers, and new controls and extended operations. See the next section, Extending the Netscape Server: A Simple Plug-in Example, for more information on plug-ins.

  • Integration with AOL's Instant Messenger (AIM) service to allow retrieval over LDAP of status information, such as whether someone is connected to AIM. This feature is unique to the Netscape server.

  • A class of service (CoS) feature that provides collective or shared attribute values. Using CoS, you can manage an attribute value in one place that appears in thousands of directory entries. Although CoS is unique to the Netscape and Sun servers, some other directory servers also support shared attribute values.

  • Dynamic groups and roles to provide convenient ways to manage collections of entries. Dynamic groups and roles may be used for access control, to control CoS attributes, and by LDAP applications.

  • Support for SSL and TLS, including X.509v3 certificate-based authentication and the ability to algorithmically map information in a certificate to a specific directory entry. Netscape also supports hardware-based accelerators to improve SSL and TLS performance.

  • Server monitoring using Simple Network Management Protocol (SNMP) and LDAP.

  • Tools for C, C++, Java, JavaScript, and XML developers and for anyone using another language that can call C or Java code (such as Visual Basic). The Netscape SDKs support all popular OS and hardware platforms.
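The entry distribution item above lists two ways to decide which server holds an entry: by its location in the DIT, or by a custom algorithm such as a one-way hash of its DN. The following added example (not Netscape's code; the function names, the partition map and the sample DNs are constructed here) shows both. The point worth seeing is that a hash-based scheme only works if the DN is canonicalized first, so that two spellings of the same DN never route to different servers.

```python
import hashlib

def normalize_dn(dn):
    """Canonicalize a DN so equivalent spellings route identically.
    Simplification: values contain no escaped commas, and every attribute
    type is treated as case-insensitive (true for cn, ou and dc)."""
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        value = " ".join(value.split()).lower()   # collapse whitespace, fold case
        rdns.append(f"{attr_type.strip().lower()}={value}")
    return ",".join(rdns)

def distribute_by_hash(dn, num_servers):
    """Custom distribution: one-way hash of the normalized DN, reduced mod N."""
    digest = hashlib.sha256(normalize_dn(dn).encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % num_servers

# Constructed partition map: normalized subtree DN -> server index.
PARTITIONS = {
    "ou=people,dc=example,dc=com": 0,
    "ou=sales,ou=people,dc=example,dc=com": 1,
}

def distribute_by_location(dn, partitions=PARTITIONS):
    """Location-based distribution: the most specific enclosing subtree wins.
    Returns None when the DN lies outside every configured subtree."""
    target = normalize_dn(dn)
    bases = sorted(((normalize_dn(s), srv) for s, srv in partitions.items()),
                   key=lambda item: -len(item[0]))
    for base, server in bases:
        if target == base or target.endswith("," + base):
            return server
    return None

if __name__ == "__main__":
    # Two spellings of one constructed entry: same hash bucket either way.
    a = "CN=Jane Doe, OU=People, DC=Example, DC=com"
    b = "cn=jane doe,ou=people,dc=example,dc=com"
    print(distribute_by_hash(a, 4), distribute_by_hash(b, 4))
    print(distribute_by_location("cn=x,ou=Sales,ou=People,dc=example,dc=com"))
```

A hash of the full DN scatters a parent and its children across servers, which is why location-based distribution remains the choice when subtree searches must stay on one server.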

In summary, Netscape Directory Server 6 is a high-performance, highly scalable LDAP server that provides many features.



Understanding and Deploying LDAP Directory Services (2nd Edition)
ISBN: 0672323168
Year: 2002
Pages: 242