www.novell.com
COMPETITIVE WHITE PAPER

Novell eDirectory vs. Microsoft Active Directory

Table of Contents
2  Introduction
2  The Vital Role of a Directory
3  Selecting a High-End Directory Service
8  Comparing Microsoft Active Directory to Novell eDirectory
21 Summary
Introduction
Millions of people unknowingly tap the power of a directory service every day. Directory services are a foundational technology serving a number of critical functions, yet the everyday user rarely sees them. Any Web site or application that personalizes its presentation or controls access to its content is almost certainly taking advantage of a directory. Directories provide the information technology power behind customer services, citizenry records and white or yellow page indexes. And from small shops to massive enterprises, people count on directories to allow access to their networks, files, printers and other resources.
If you are evaluating which Lightweight Directory Access Protocol (LDAP) directory will best address your business needs, selecting the right one is no trivial task. Given the numerous offerings available, it can be difficult to determine which directory is best suited to the unique needs of your organization. This paper will assist you in that evaluation process by clearly outlining what a directory is, why it is necessary and how to evaluate one that will best fit your organization’s needs—with particular focus on the differences between Novell eDirectory™ and Microsoft Active Directory*.
Directories provide the identity infrastructure for controlling access and authentication, and various other aspects of managing the relationships between information resources and the people who use them. As a central repository […] directory becomes a business component of […]

Today, directories are being applied to manage identities on a scale never before seen. Internet news sites use directories to identify readers, […] Financial institutions securely extend their services to customers over the Web by using a directory. Outsourced management firms manage their diverse clientele and the services they need with directories. And directories […] wide range of devices, from broadband modems […] health care services and manage electronic tax collection systems for entire citizenries—again, all backed by the power of directories.
[…] the least of which is merely identifying a user or consumer. Layered on top of that is the ability […] multiple services and act as a foundation for […]

The diverse roles directories now play within organizations have made them a very common technology type. However, the uses described […] to consider some very specific qualities in the […] today as well as tomorrow? Can it still perform when scaled into the millions of identities and beyond? Does it work with our applications? Does it support directory access standards? Does it […] What mechanisms ensure that service is […] goals? Is it prone to service errors or data corruption? Does it have well-thought-out options for disaster recovery? […] Does it plug into common network […] criteria. It is very much a worthwhile exercise to prioritize your organization’s business requirements against these five points before diving into the
minute technical details. When selecting a directory service, questions (such as those listed above) may help to more exactly clarify your goals for deploying a directory, as well as prioritize what criteria matter most to the organization. Let us now examine each of these criteria in […]

Because directories act as a hub for all things identity-related, compatibility is a key factor in […] must be measured with regard to adherence to standards and compatibility with your existing environment. The top priority is almost always whether a directory offering can work for the immediate business needs to which it will be applied. But also important to consider is its ability to accommodate the next wave of uses your business may need to integrate with the […] Certified directory. (Similarly, The Open Group also maintains the LDAP Ready certification for […] directory service needs to support LDAP v3 and earn LDAP Certified status.
Web services comprise an emerging set of standards designed to allow applications to use Web-based protocols to communicate. The primary protocol used by Web services is Simple Object Access Protocol (SOAP), which is based on eXtensible Markup Language (XML). SOAP allows dissimilar applications to interact regardless of […] encode directory requests within SOAP. DSML allows Web services-enabled applications to leverage a directory. This offers a number of benefits, including: […]

Although there are a number of other protocols and standards for directories, LDAP sets the base standard for directory access, and SOAP/DSML show the most promise in providing integration with Web […] directory access standards are most important depends on the directory-enabled applications you plan to deploy and the level of expertise in your organization. For a broader discussion of directory access protocols, see Burton Group’s recent research report “Interfacing with Directory Services: Sorting out Options for Directory Access” at […]

[…] desktops and servers—including Linux*, Windows*, UNIX* and NetWare®. This almost mandates that a selected directory technology must be able to be […]

[…] availability, the more reliable it must be; so naturally, a high-end directory must provide continuous availability, no matter what. Much like a financial database, when the directory is down, […]

The directory’s ability to self-correct and prevent minor errors forms a first line of reliability. The capacity to transparently host writable copies […] possibly wide geographies, to provide central backup and local data availability—forms another […] needs to provide multiple levels of fall back and recovery—from real-time failover to online, near-line and offsite backup capabilities. Quick recovery […] hardware failures, operating system failures or […]

Directory management breaks down into two major groups of activities: administration and maintenance. Administration involves day-to-day tasks such as setting up groups, assigning access rights and clearing account lockouts. Maintenance involves less frequent tasks such as performance-tuning LDAP services, extending the directory […] breadth of tools available. With several of the directory contenders today, a limited set of tools not only results in overly complex management, but also demonstrates the manufacturer’s inexperience and the consequential immaturity […]

Tools for both directory maintenance and administration should be securely accessible from […] tasks both large and small.

To reduce costs and appropriately distribute management, many organizations require some […] Delegated administration allows the assignment […]

[…] HP OpenView* and CA Unicenter*, is also important. These standards-based systems use Simple Network Management Protocol (SNMP) and other protocols for monitoring events and directory health in real time. If you intend to put a directory to high-end use, support for monitoring through the generic SNMP and the more directory-specific LDAP event […] handling and ongoing innovation in the systems that connect to directories. However, many ongoing
management tasks still require appropriate tools. The larger the scale and business criticality of your directory service, the more you will rely on its management tools to prevent overwhelming your […]

[…] checkbox item to say that a directory is secure. In fact, no directory can claim to actually be secure, only securable. With directories, securable encompasses a myriad of possibilities, not limited to: the operating system on which the directory will be hosted; the granularity of the directory’s permissions and enforcement model; how secure data, such as passwords, is encrypted and stored; whether strong authentication methods (such as biometrics and smart cards) can be used instead of passwords; and much more. The nature of security requires that some of these capabilities must be built into the directory, rather than added piecemeal.

Security includes far more than mere authentication (the logging on of users). The directory must proactively enforce access control in real time and ensure that the methods used to gain access to data are suited to the task. As an example, graded authentication might be configured to allow access only when a user has the correct rights or privileges and the user has authenticated with multiple credentials (password plus a biometric, for example). Such an implementation may be desirable for accessing highly confidential data. Most directories can create an identity for use as a simple login, yet few can use that identity as a comprehensive security principal that can be leveraged across […]

Business Value Comes First

Though not exhaustive, these five criteria—scalability, compatibility, reliability, manageability and securability—form the requirements foundation for evaluating directory services for your organization’s high-end purposes. Understanding your requirements and priorities in these key areas ensures that your investment in a directory will fit your needs for both today and tomorrow, and keep cost aligned with benefits.

Directories that do not fulfill your organization’s requirements in light of these five fundamental values may not be suited for high-end needs, but may still have an important place in your enterprise. Application-specific directories will often need to be deployed because they are inseparable from a business-critical application. (For example, Microsoft Exchange requires Active Directory for the purpose of supporting e-mail.) The presence of such a directory does not negate the need for a high-end directory service, nor dictate which directory should be used for high-end purposes. Ultimately, the directory you choose must be capable of unifying your various
[…] foundation for many of the world’s largest identity […]

management umbrella to create a manageable identity system.

Let us now compare the two offerings using the five business criteria for selecting a high-end […]

• TransUnion, one of the world’s largest credit-reporting agencies, has deployed eDirectory to personalize the Web experience for 10 to 12 million customers annually.
• PC maker Gateway has deployed eDirectory to manage employee, partner and customer identities in excess of 5 million users.

Scalability and System Requirements

A major factor behind why Novell eDirectory scalability far outpaces Active Directory’s is simply the efficient use of hardware resources. For example, consider the hard disk space used […]

Scalability has always been questionable in Active Directory. Though Microsoft claims there […] identities and will grow to accommodate 35 million (encompassing virtually all French […] by eDirectory and Active Directory, respectively. The table in Figure 1 and the graph in Figure 2 illustrate that on average Active Directory consumes twice as much disk space as eDirectory when hosting the same number of objects. In a high-end deployment, where millions of identities and their related objects are stored in a directory, this gap could be a substantial obstacle. In addition, Active Directory’s excessive consumption of disk space becomes even more problematic as access controls are applied, as discussed later in the “Securability” section.

Figure 1: Database size (in megabytes)

Objects (in thousands)   Novell eDirectory 8.7.3   Microsoft Active Directory 2003
0                        28.57                     59.04
10                       52.81                     100.04

Figure 2 (graph not reproduced)
To achieve anything approaching the scalability of eDirectory requires significantly more hardware for Active Directory, without achieving comparable […]

Protocol Standards and Application Compatibility

Previously, we discussed that LDAP is the common denominator for directory access. To date, The Open Group lists 22 products as LDAP Certified, including several entries for Novell eDirectory on various operating systems. Currently The Open Group lists […] Without this certification, businesses have no assurance that non-Microsoft applications and other […] Directory. In fact, very little is known on the state of Active Directory and certification under the LDAP Certified guidelines. Microsoft has had a […] between Active Directory and the LDAP standard […] is Microsoft’s publication of a document defending their LDAP support (http://www.microsoft.com/windowsserver2003/techinfo/overview/ldapcomp.mspx). And, consistent with their usual vendor lock-in strategy, Microsoft almost invariably steers developers to use proprietary Active Directory APIs […]

In addition to LDAP, Web applications use DSML to communicate with directories. Both Novell and […]

Support for additional directory access methods is often not as important as support for LDAP. However, depending on your current and potential applications, as well as your in-house developer expertise, you may need to consider various other protocols. The table below offers some summary comparisons:
Figure 3 (Novell eDirectory / Microsoft Active Directory)

ODBC (Open Database Connectivity)
  Novell eDirectory: Novell eDirectory supports ODBC through a client-side driver to allow directory access for standard reporting tools (such as Crystal Reports) or database queries.
  Microsoft Active Directory: There is no ODBC driver for Active Directory. However, an LDAP/ODBC Driver exists. Active Directory’s partial LDAP support may limit this approach.

JDBC* (Java* Database Connectivity)
  Novell eDirectory: A JDBC Driver allows Java programs (applets, servlets, applications or J2EE* application servers) to access eDirectory data.
  Microsoft Active Directory: Active Directory has no JDBC driver. (However, the Novell LDAP JDBC driver can be used to query AD through LDAP.)

JNDI* (Java Naming and Directory Integration)
  Novell eDirectory: The Novell JNDI Provider enables access to eDirectory through JNDI.
  Microsoft Active Directory: The only way to access Active Directory with this protocol is through a JNDI Provider (such as the one from Novell), which uses Active Directory’s limited LDAP support.

JavaBeans* and Enterprise JavaBeans (EJBs)
  Novell eDirectory: Several JavaBeans and EJBs allow the use of eDirectory services in Java applications and J2EE application servers (such as IBM WebSphere* and BEA WebLogic*).
  Microsoft Active Directory: No support other than through LDAP.

ActiveX* Controls
  Novell eDirectory: Novell provides ActiveX controls to access eDirectory via ASP pages, Visual Basic* and Visual Studio applications.
  Microsoft Active Directory: Microsoft has a very rich set of controls for use in Visual Basic, RAD tools and embedded HTML.

ADSI (Active Directory Services Interface)
  Novell eDirectory: Novell has a client-side ADSI provider for eDirectory.
  Microsoft Active Directory: Microsoft pushes their proprietary ADSI for access to Active Directory over standards such as LDAP.
Active Directory supports only the Windows server platform, starting with Windows 2000. In addition, many enhancements to Active Directory in Windows 2003 are not backward compatible to Windows 2000/Active Directory. This compromises the value of key features such as the ability to rename and reorganize the directory. Further, this tight coupling with the Windows server operating system indicates that new features in each version of Active Directory will come with the high cost of operating system—[…]

[…] Active Directory that is somewhat less operating system dependent, called Active Directory Application Mode, or AD/AM. AD/AM is useful for testing and deploying identity-enabled applications and can help alleviate some of the inflexibility inherent in an enterprise Active Directory implementation. Once deployed, AD/AM can be used to pass authentication credentials to an existing Active Directory deployment; however, richer integration requires the use of Microsoft’s meta-directory product (and an additional fee […]

While AD/AM seems to address the necessary decoupling from the Windows operating system, it still does not constitute an effective replacement for a high-end directory service. Rather, AD/AM helps to remove some of the pain of deploying Active Directory for application-specific needs; and it simplifies the development or deployment […] Also, even though AD/AM has been decoupled from Windows, it can still only be deployed on […]

A key strength of eDirectory is compatibility with various platforms. This capability allows an […] security and reliability requirements, and to take advantage of the organization’s platform expertise. Novell eDirectory can be hosted from Linux, Windows, HP-UX*, IBM AIX*, Solaris* and NetWare.

Because they play such a critical role in so many businesses, directories are required to provide […]

The version of Active Directory which shipped with Windows 2003 introduced tools that have eased some past manageability problems. However, scalability, reliability and security concerns still plague even the most recent release of Active Directory. To be sure, Microsoft Windows is seldom equated with reliability. And with no option to select a more robust platform such as Linux or any of the high-end UNIX platforms—coupled with the fact that Active Directory cannot be clustered—Active Directory reliability suffers from the […]

In contrast, because Novell pioneered the directory services market, it has the industry’s […] directory services. Novell eDirectory meets the reliability challenge with top-to-bottom […]

To examine how each offering stacks up, let’s compare the two directory platforms using four criteria: self-maintenance, service continuity, maintenance tools and disaster recovery.

[…] minor errors with no administrator intervention, thereby reducing the frequency of reliance on more […]

As an example, consider the directory schema, which defines the possible objects and attributes that can be stored in the directory. Both Novell eDirectory and Microsoft Active Directory allow
schemas to accommodate new object types and attributes. However, only eDirectory allows schema […] erroneous extension is removed from the eDirectory schema, the associated data on existing objects […]

In contrast, Active Directory does not allow the removal of schema extensions. In fact, when an administrator tries to extend the Active Directory schema, before he can proceed, he receives this warning: “WARNING: Creating schema objects in the directory is a permanent operation. While these objects may be disabled to prevent their usage, they cannot be deleted and will become a permanent part of your enterprise installation.” This limitation is a prime example of the immature state of Active Directory. If someone without proper permissions bypasses change control procedures (perhaps in the process of deploying a departmental application) and […]

In directory services, multi-master replication forms the foundation for horizontal scalability and service […] replication provides reliability that is limited only by the underlying directory’s architecture. […] master directory replication. Today, Novell eDirectory continues to lead the industry in this capability—[…] feature that ensures continuous availability and forms one of the compelling advantages that eDirectory has over any other directory service.

While Active Directory has multi-master replication, there are implementation weaknesses to be aware of. An Active Directory implementation relies on designated “operations master” servers. Operations masters police one of five key functions within the Active Directory system: the schema master manages the schema; the domain naming master enforces domain interaction rules; the RID master ensures uniqueness of object identifiers; the infrastructure master maintains interdomain references between objects; and the PDC emulator […] controller in each domain. This single point for critical operations presents a significant weakness […]
[…] master server can be brought online in the event of an outage, bringing that standby server online is a manual process. What’s more, Active Directory offers little warning in the event of an operations master server failure. Microsoft’s own product documentation states: “Generally, you will notice that a single master operations role holder is unavailable when you try to perform some function controlled by the particular operations master.”¹ Clearly this approach is not sufficient for a high-[…]

With critical services like directories, businesses require the ability to immediately bring the system back to full service when problems occur. Ideally, a manager should be able to diagnose and manage directory problems remotely, without the need to bring down the hosting server—and certainly not the entire directory.

Novell eDirectory addresses this issue with maintenance tools that can do much of their work on a live directory server. These tools give a manager the ability to remotely repair errors within the directory, and are optimized to take the directory service offline only during those parts of the repair that require exclusive data access. The family of eDirectory live maintenance tools includes: […] of the directory database. DSRepair can be run against replicas on one server or against multiple servers for tree-wide maintenance. The amount of data to repair can also be scaled from the whole directory down to a single partition, and even a single object. DSRepair runs natively on all supported platforms and is also remotely hosted through the eDirectory administration interface in Novell iManager. […] coupled with its self-maintenance processes, ensure a level of reliability unmatched by any other directory vendor.

Active Directory repairs frequently entail dispatching technicians directly to the host Windows server, and then taking the server offline. Many Active Directory repair processes are only available by rebooting the server in “Directory Services Restore Mode.” Whether local or remote, the process of taking directory servers offline for repairs, then restarting those servers, can create much lengthier service disruptions. This may be regarded as an unacceptable option for a piece of infrastructure technology as vital as a directory. To expedite the repair process (and save network managers undue travel), Microsoft recommends

__________
1 See http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sag_ADrespondFSMOfailures.asp
remote management of offline Windows 200x servers (sometimes called “headless” operation). Certainly it is the unreliability of Windows servers that drives Microsoft to make this recommendation, but it also furthers the uncertainty around Active Directory’s ability to play a high-end role.

[…] dataset, but it also functions as a live journaling service, continuously recording all directory data changes from the time you declare a new backup period should begin. This approach ensures you have an up-to-the-last-second backup […] restore everything to the last logged transaction. Complementing its already extensive reliability arsenal, only Novell eDirectory provides this […]

Regardless of the scale of deployment, the management tools for eDirectory excel in both administration and maintenance, providing several mechanisms for proactive and reactive management. Creating and maintaining an Active Directory service is a time- and human resource-intensive […]

Directories change. Organizations or departments sometimes change names; customer bases may need to merge; subsidiaries are spun out. For large-scale business identity systems, directory flexibility is the key to allowing a high-end directory service […] inflexible naming scheme—a legacy combination of NetBIOS and Windows Domain Name System […] moved to a DNS paradigm—that precludes any […]
Within an Active Directory forest (the name of a deployed directory system conforming to common schema and naming rules) there are domains and servers. These derive their naming based on a DNS naming structure, which is established when the first servers are installed and the directory is first provisioned.

If your naming convention remains static forever, all is well. However, should a time come that you must make structural changes to the directory, Active Directory domain boundaries and naming constraints can present significant barriers. Microsoft’s support material strongly discourages such procedures.²

Why does Microsoft discourage domain operations? Consider: Just one hierarchy change means manually contacting every domain controller in the tree, rebooting those servers plus two reboots […] controllers do not have this option. Additionally, […] domain hierarchy is not possible. Therefore, once you have deployed Active Directory, you must be sure to make all changes before an Exchange […] no supported way to change the hierarchy in either Windows 2000 or Windows 2003 Active Directory deployments.

In contrast, since its inception, eDirectory has been extremely flexible. Novell eDirectory allows the flexibility to change partition boundaries as design needs change. Further, the ability of eDirectory to house multiple partitions on a single server provides several advantages, including the ability to easily decommission servers and consolidate directory data. Other options taken for granted by eDirectory managers include:

• Renaming any organizational level of the directory
• Moving entire sub-branches of a directory
• Merging two trees
• Using identity criteria to automatically provision access (dynamic groups).‡

[…] partitioning and replication scenarios can be […]

Much of the deployment planning for Active Directory revolves around placement of domains and the Global Catalog. […] Directory is a domain. In order to host directory data, a Windows server must be a domain controller. A domain controller can only host a

__________
2 See Domain-Rename-Intro.doc hosted on Microsoft.com
‡ This LDAP feature automatically grants group membership to an identity based on attribute values, such as when a value indicates that a user is a manager or is in the sales department.
single domain. Domains cannot be sub-segmented or consolidated easily. This results in a rigid directory system requiring much more up-front […]

Many of the Active Directory fixes introduced with Windows 2003 address design flaws with domains and the Global Catalog due to customer […]

[…] assigned to the logged-on user. For more global administrators, iManager can present a navigable view of the directory tree, allowing fast access to general management of one or multiple […]

To complement iManager, Novell also provides iMonitor, a browser-based maintenance tool for performing diagnostics on your eDirectory servers.

[…] provides a shell application for the management of many Windows features, including Active Directory. Microsoft supplies numerous Active […] functions. For example, you can delegate password management to help desk personnel, but delegating the ability to change other user data (such as a phone number) requires much deeper knowledge […]

[…] generally a more time-consuming process reserved […] Active Directory also has been instrumented […]

An exhaustive security comparison between Novell eDirectory and Microsoft Active Directory is well […]

Much can be said of the poor track record Windows has earned with respect to security. Basing a high-end directory deployment on Windows is a risky endeavor, because a directory relies on the operating system as its first line of defense against attackers. Since Active Directory runs […] any platform that meets the security needs of the […]

[…] usually determined by what rights (or privileges) a security principal has to the resource being […] Three notable components of the model are, first, that any object can access other objects as a security principal; second, that access to every object is secured by an access control list (ACL); and third, that the directory hierarchy forms
the basis for dynamic rights inheritance. These components allow eDirectory to easily manage complex security relationships between objects. When an identity in eDirectory attempts to access another resource in the directory, that identity’s access rights are dynamically calculated and enforced. Appropriate access is derived from rights assigned directly to the identity for the resource being accessed; from rights assigned to the identity’s security equivalences (which include groups and other assignments); and from rights assigned to a container in which the resource resides (rights inheritance).

Rights inheritance is a powerful capability for a directory to provide. It both simplifies the assignment of rights and prevents bloating the directory with redundant data written to multiple objects’ access control lists. Among the many patents for innovations established in the eDirectory access control model, rights inheritance is recognized as one of the major capabilities that makes Novell eDirectory unique.

The security model for Active Directory is derived from that of the Windows file system. Every object in Active Directory has an access control list, providing a solid basis for securing […] However, Microsoft has emulated Novell’s rights inheritance through the Active Directory management tools. When assigning rights at the container level, the management tool walks the sub-tree and writes the access control list change on every single subordinate object, potentially affecting hundreds, thousands or tens of millions of access control entries. What should be a simple rights change ends up multiplying the directory data, directly impacting disk storage and memory requirements. It also can generate a flood of replication traffic between servers. Aside from resource issues, what happens to security if a process is interrupted mid-way through writing such a change to ten thousand objects? And when an object is deleted, how intensive a process is it to clean up rights when rights-related references are so pervasive throughout the directory?

The Active Directory security model is also limited to only three security principals: users, groups and computers. Other object types cannot be granted rights to Active Directory resources. In eDirectory, containers are often granted rights to a resource, which allows all the identities within the container to have the same access rights. Because containers are not one of the Active Directory security principals, this cannot be done in Active Directory.

The security principal limitation also reduces the uses to which Active Directory can be applied. While adding new object classes is possible, you cannot make the new objects act as security principals—that is, securely authenticate and […] of Active Directory are limited to those that do not rely on strong trust models in which applications and devices securely authenticate to the directory, as would be required for digital rights management and trusted computing, for example. This detail illustrates very well how Active Directory was designed solely to solve Windows management issues.
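To make the two models above concrete, here is an added example in Python, written for this rewrite rather than taken from the paper or from either product. It builds a small tree under hypothetical DNs (o=acme, ou=sales, a managers group, alice, bob, one printer and a thousand user objects, all constructed) and computes effective rights the way the text describes for eDirectory: the union of ACEs granted to the identity or its security equivalences, found on the target and on each container above it. Beside that, `materialize_grant` emulates the approach the text attributes to the Active Directory management tools, copying the ACE onto every subordinate object, and its `stop_after` parameter reproduces the interrupted-mid-way case the text asks about. The rights vocabulary and all names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterator, List, Optional

Rights = FrozenSet[str]


@dataclass
class Entry:
    """A directory object: its ACL (trustee DN -> rights held on this object)
    and, when it acts as an identity, its security equivalences (groups etc.)."""
    dn: str
    parent: Optional[str]
    acl: Dict[str, Rights] = field(default_factory=dict)
    equivalences: List[str] = field(default_factory=list)


class Directory:
    def __init__(self) -> None:
        self.entries: Dict[str, Entry] = {}

    def add(self, dn: str, parent: Optional[str] = None, equivalences: Optional[List[str]] = None) -> None:
        if parent is not None and parent not in self.entries:
            raise KeyError(f"unknown container {parent}")
        self.entries[dn] = Entry(dn, parent, equivalences=list(equivalences or []))

    def grant(self, on_dn: str, trustee: str, rights: Rights) -> None:
        """Store one ACE on `on_dn` (merged with any rights the trustee already has there)."""
        acl = self.entries[on_dn].acl
        acl[trustee] = acl.get(trustee, frozenset()) | rights

    def chain(self, dn: str) -> Iterator[str]:
        # `dn` itself, then each container above it up to the root
        current: Optional[str] = dn
        while current is not None:
            yield current
            current = self.entries[current].parent

    def effective_rights(self, identity: str, target: str) -> Rights:
        """Calculated at access time: the union of ACEs granted to the identity or any
        of its security equivalences, on the target and on every container above it."""
        trustees = {identity, *self.entries[identity].equivalences}
        rights: set = set()
        for node in self.chain(target):
            for trustee in trustees:
                rights |= self.entries[node].acl.get(trustee, frozenset())
        return frozenset(rights)

    def subtree(self, container: str) -> List[str]:
        return [dn for dn in self.entries
                if dn != container and container in self.chain(dn)]

    def materialize_grant(self, container: str, trustee: str, rights: Rights, stop_after: Optional[int] = None) -> int:
        """Emulated inheritance: the ACE is copied onto every subordinate object and
        nothing is stored on the container. Returns the number of ACEs written;
        `stop_after` simulates the walk being interrupted part-way through."""
        written = 0
        for dn in self.subtree(container):
            if stop_after is not None and written >= stop_after:
                break
            self.grant(dn, trustee, rights)
            written += 1
        return written


# Constructed sample tree: hypothetical DNs, not taken from the paper.
ORG, SALES, PRINTER = "o=acme", "ou=sales,o=acme", "cn=printer1,ou=sales,o=acme"
MANAGERS, ALICE, BOB = "cn=managers,o=acme", "cn=alice,o=acme", "cn=bob,o=acme"
RW = frozenset({"read", "write"})


def build_sample(n_users: int) -> Directory:
    d = Directory()
    d.add(ORG)
    d.add(MANAGERS, ORG)
    d.add(ALICE, ORG, equivalences=[MANAGERS])  # alice is security-equivalent to the group
    d.add(BOB, ORG)
    d.add(SALES, ORG)
    d.add(PRINTER, SALES)
    for i in range(n_users):
        d.add(f"cn=user{i},ou=sales,o=acme", SALES)
    return d


def inherited_demo(n_users: int = 1000) -> dict:
    """One ACE on the container covers the whole sub-tree."""
    d = build_sample(n_users)
    d.grant(SALES, MANAGERS, RW)                # container-level grant to the group
    d.grant(PRINTER, BOB, frozenset({"read"}))  # direct grant to one identity
    return {
        "aces_stored": sum(len(e.acl) for e in d.entries.values()),
        "alice_on_printer": d.effective_rights(ALICE, PRINTER),
        "bob_on_printer": d.effective_rights(BOB, PRINTER),
        "bob_on_user7": d.effective_rights(BOB, "cn=user7,ou=sales,o=acme"),
    }


def materialized_demo(n_users: int = 1000, stop_after: Optional[int] = None) -> dict:
    """The same grant written onto every subordinate object instead."""
    d = build_sample(n_users)
    written = d.materialize_grant(SALES, MANAGERS, RW, stop_after)
    return {
        "aces_written": written,
        "alice_on_first_user": d.effective_rights(ALICE, "cn=user0,ou=sales,o=acme"),
        "alice_on_last_user": d.effective_rights(ALICE, f"cn=user{n_users - 1},ou=sales,o=acme"),
    }
```

With a thousand users, `inherited_demo()` stores two ACEs in total and still gives alice read/write on the printer through the group and the container, while `materialized_demo()` writes 1,001 ACEs for the same grant; `materialized_demo(stop_after=500)` leaves the later users without the entry, which is the partial state the text's question about an interrupted write describes. Deleting the group in the second model would likewise mean visiting every copy.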
One final consideration in examining the Active Directory security model is the hardware needed to meet even the most basic security requirements. In a comparative test on a container of 1 million users, a rights assignment to the parent container produces staggering results that show how poorly Active Directory’s security model scales. By granting a single user or group full access control at the parent container, the Active Directory data set […] involve more complex rights assignments than the aforementioned test case, and as such will […]

This brings to bear many questions about using Active Directory for a high-end deployment. […] control implementation? If not, are you certain that your security model will remain simplistic as your business use of the directory matures? Have you correctly budgeted hardware to scale to your security needs? Will you be able to withstand the latency associated with every large-scale rights assignment, especially those that involve revoking assignments that have become outdated when you need to re-design your access control […]

[…] authentication requires multiple factors—perhaps a biometric plus a proximity card. Finally, […] than others—for instance, changing a password might require a user to provide a PIN, biometric […]
Both Active Directory and eDirectory support a range of authentication options, such as simple passwords (including SHA-1 and MD5 password hashing), PKI, biometrics, smart cards, tokens, etc. Novell eDirectory, however, offers a distinct advantage in the flexibility of its […] Service (NMAS™). Besides supporting virtually any existing credential type as well as being able to be quickly adapted to new authentication methods, NMAS supports graded authentication. NMAS allows a user’s access rights to be dependent on the method of authentication or the combination of several methods. For example, an accounting employee who uses a simple password to log on to the corporate network may only be granted access […] whereas logging in with a biometric or a digital certificate or both would grant that same employee access to more detailed financial data about specific projects or individuals. This capability gives businesses the choice of securing applications, network resources and sensitive corporate data […] that best suits organizational policies and objectives. While Microsoft Active Directory offers a breadth of authentication options, it does not offer graded authentication based on multiple factors.

To summarize our short examination of the securability of both Active Directory and eDirectory, we find once again that Active Directory reveals Microsoft’s inability to adequately address the full requirements of high-end directory services. On the other hand, Novell eDirectory gives businesses flexibility in host platform options, its internal authorization model and its authentication capabilities. Once again, eDirectory can be adapted to the needs of your business, rather than […]

The role of directories in information technology has grown to become a fundamental piece of infrastructure and the foundation for an organization’s ability to manage the identities that make business work. A high-end directory provides the authoritative source for all identity-driven services; and scalability, compatibility, reliability, manageability and securability are the requirements categories for identifying such […]

Novell eDirectory has grown from a foundation that is secure, reliable and scalable, while adapting to emerging standards and meeting the needs of developers. From LDAP to SOAP and from a strong and flexible security model to unmatched scalability, eDirectory is the unparalleled leader […]

Active Directory, in its second generation (as opposed to eDirectory in its eighth), struggles to simply meet the needs of the network operating system for which it was built. Meeting the needs of the high-end directory market is still a far sight from the current iteration of Active Directory.

For many organizations, having Windows servers for line-of-business applications requires
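The graded authentication described for NMAS above (a password reaching only summary data, a biometric or certificate reaching detailed financials, and some operations demanding more than one factor) can be expressed as a policy that maps each resource to a minimum credential strength and a minimum number of distinct factors. The Python below is an added example written for this page, not NMAS or eDirectory code; the method names, the grade values, the factor classes and the resource names are all constructed for the illustration.

```python
"""Graded authentication policy check.
Illustrative model added for this page, not NMAS code: method names,
grades, factor classes and resource names are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Strength assigned to each credential type (higher is stronger) ...
METHOD_GRADE: Dict[str, int] = {
    "password": 1, "pin": 1,
    "proximity_card": 2, "smartcard": 2, "token": 2,
    "certificate": 3, "biometric": 3,
}
# ... and the factor class it belongs to: something you know, have or are.
FACTOR_CLASS: Dict[str, str] = {
    "password": "know", "pin": "know",
    "proximity_card": "have", "smartcard": "have", "token": "have",
    "certificate": "have", "biometric": "are",
}


@dataclass(frozen=True)
class Requirement:
    min_grade: int        # strongest credential in the session must reach this
    min_factors: int = 1  # distinct factor classes that must be present


# Constructed policy mirroring the paper's accounting example: a password
# reaches summary data only, a biometric or certificate reaches project
# financials, and a password change needs two different factor classes.
POLICY: Dict[str, Requirement] = {
    "ledger_summary": Requirement(min_grade=1),
    "project_financials": Requirement(min_grade=3),
    "change_password": Requirement(min_grade=1, min_factors=2),
}


def session_grade(methods: Iterable[str]) -> int:
    """Grade of a login session is that of its strongest credential."""
    methods = list(methods)
    unknown = [m for m in methods if m not in METHOD_GRADE]
    if unknown:
        raise ValueError(f"unknown authentication method(s): {unknown}")
    return max((METHOD_GRADE[m] for m in methods), default=0)


def factor_count(methods: Iterable[str]) -> int:
    """Two credentials of the same class (password + PIN) count as one factor."""
    return len({FACTOR_CLASS[m] for m in methods})


def authorized(methods: Iterable[str], resource: str) -> bool:
    """True when the session's grade and factor count satisfy the resource."""
    methods = list(methods)
    req = POLICY[resource]
    return (session_grade(methods) >= req.min_grade
            and factor_count(methods) >= req.min_factors)


def accessible_resources(methods: Iterable[str]) -> List[str]:
    """Everything in POLICY this session may reach, sorted by name."""
    methods = list(methods)
    return sorted(r for r in POLICY if authorized(methods, r))
```

Calling accessible_resources with ["password"] yields only the ledger summary, ["biometric"] or ["certificate"] adds the project financials, and ["pin", "biometric"] or ["biometric", "proximity_card"] also unlocks the password change because two different factor classes are present. The edge case worth noting is ["password", "pin"]: two credentials, but both are something the user knows, so the session still counts as one factor and the password change stays closed.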
having Active Directory in some form or other. While this may be the case, it is important to recognize that Active Directory is a network operating system directory and cannot effectively fill the role of a high-end directory service.

In contrast, Novell eDirectory fills the high-end need. And through meta-directory technologies such as Novell Nsure Identity Manager, eDirectory can integrate an Active Directory deployment with many other identity-enabled systems, such as Oracle*, PeopleSoft* and SAP*. Such an approach assures that Active Directory can be managed appropriately for the services it provides.

When compared head-to-head with Microsoft Active Directory, Novell eDirectory:

• Provides unmatched scalability, which has been demonstrated to 1 billion identities and backs many of the world’s largest identity […]
• Comprises better reliability, thanks to automated self-repair, multi-master replication, live maintenance tools and disaster recovery tools.
• Excels in manageability—having complete, well-thought-out management tools, and allowing organizations to easily tune and adapt eDirectory to accommodate changing business requirements.
• Offers much better securability through its host platforms, access control model and authentication options.

Novell eDirectory is the industry’s best choice for large-scale, high-end directory deployments, providing an identity cornerstone for the enterprise and the Internet that can grow and adapt to meet the demands of your business today and tomorrow. For more information about Novell eDirectory, […]

Novell Product Training and Support Services
For more information about Novell’s worldwide product training, certification programs, consulting and technical support services, please visit: www.novell.com/ngage

Novell, Inc.
404 Wyman Street
Waltham, MA 02451 USA
www.novell.com

© 2004 Novell, Inc. All rights reserved. Novell, the Novell logo, NetWare, NDS and Novell Directory Services are registered trademarks, and eDirectory, NMAS and the N logo are trademarks of Novell, Inc. in the United States and other countries.

*Active Directory, ActiveX, Microsoft, Visual Basic, Windows and Windows NT are registered trademarks of Microsoft Corporation. Linux is a registered trademark of Linus Torvalds. UNIX is a registered trademark of X/Open, Ltd. AIX, IBM, Tivoli Enterprise Console and WebSphere are registered trademarks of IBM Corporation. HP, HP-UX and OpenView are registered trademarks of Hewlett-Packard Company. Unicenter is a registered trademark of Computer Associates International, Inc. Java and Solaris are registered trademarks, and J2EE, JavaBeans, JDBC and JNDI are trademarks of Sun Microsystems, Inc. BEA and WebLogic are registered trademarks of BEA Systems, Inc. Oracle is a registered trademark of Oracle Corporation. PeopleSoft is a registered trademark of PeopleSoft, Inc. SAP is a registered trademark of SAP AG. All other third-party trademarks are the property of their respective owners.

462-001396-002