directory service


computing Computing is any goal-oriented activity requiring, benefiting from, or creating computing machinery. It includes the study and experimentation of algorithm of an algorithm (Euclid's algorithm) for calculating the greatest common divisor (g.c.d ...

, a directory service or name service maps the names of network resources to their respective
network address A network address is an identifier for a node In general, a node is a localized swelling (a "knot A knot is an intentional complication in Rope, cordage which may be practical or decorative, or both. Practical knots are classified by function, ...
es. It is a shared information infrastructure for locating, managing, administering and organizing everyday items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects. A directory service is a critical component of a
network operating system A network operating system (NOS) is a specialized operating system An operating system (OS) is system software that manages computer hardware, computer software, software resources, and provides common daemon (computing), services for computer p ...
. A directory server or
name server A name server refers to the server component of the Domain Name System (DNS), one of the two principal namespaces of the Internet. The most important function of DNS servers is the translation (resolution) of human-memorable domain names (example.c ...
is a server which provides such a service. Each resource on the network is considered an
object Object may refer to: General meanings * Object (philosophy), a thing, being, or concept ** Entity, something that is tangible and within the grasp of the senses ** Object (abstract), an object which does not exist at any particular time or pl ...
by the directory server. Information about a particular resource is stored as a collection of
attributes Attribute may refer to: * Attribute (philosophy), an extrinsic property of an object * Attribute (research), a characteristic of an object * Grammatical modifier, in natural languages * Attribute (computing), a specification that defines a propert ...
associated with that resource or object. A directory service defines a
namespace In computing Computing is any goal-oriented activity requiring, benefiting from, or creating computing machinery. It includes the study and experimentation of algorithmic processes and development of both computer hardware , hardware and softw ...

for the network. The namespace is used to assign a ''name'' (unique identifier) to each of the objects. Directories typically have a set of rules determining how network resources are named and identified, which usually includes a requirement that the identifiers be unique and unambiguous. When using a directory service, a user does not have to remember the physical address of a network resource; providing a name locates the resource. Some directory services include
access control In the fields of physical security Physical security describes security Security is freedom from, or resilience against, potential Potential generally refers to a currently unrealized ability. The term is used in a wide variety of fields, ...

access control
provisions, limiting the availability of directory information to authorized users.

Comparison with relational databases

Several things distinguish a directory service from a
relational database A relational database is a digital based on the of data, as proposed by in 1970. A system used to maintain relational databases is a relational database management system (RDBMS). Many relational database systems have an option of using the (S ...
. Data can be redundant if it aids performance. Directory schemas are object classes, attributes, name bindings and knowledge (namespaces) where an object class has: * ''Must'' - attributes that each instances must have * ''May'' - attributes which can be defined for an instance but can be omitted, with the absence similar to NULL in a relational database Attributes are sometimes multi-valued, allowing multiple naming attributes at one level (such as machine type and serial number
concatenation In formal language theory and computer programming Computer programming is the process of designing and building an executable computer program to accomplish a specific computing result or to perform a specific task. Programming involves ...
, or multiple phone numbers for "work phone"). Attributes and object classes are usually standardized throughout the industry; for example,
X.500 X.500 is a series of computer networking standards covering electronic directory services. The X.500 series was developed by the ITU-T, Telecommunication Standardization Sector of the International Telecommunications Union (ITU-T). ITU-T was former ...
attributes and classes are often formally registered with the
IANA The Internet Assigned Numbers Authority (IANA) is a standards organization that oversees global IP address allocation, Autonomous system (Internet), autonomous system number allocation, DNS root zone, root zone management in the Domain Name Syst ...
for their object ID. Therefore, directory applications try to reuse standard classes and attributes to maximize the benefit of existing directory-server software. Object instances are slotted into namespaces; each object class inherits from its parent object class (and ultimately from the root of the hierarchy), adding attributes to the must-may list. Directory services are often central to the
security Security is freedom from, or resilience against, potential Potential generally refers to a currently unrealized ability. The term is used in a wide variety of fields, from physics Physics (from grc, φυσική (ἐπιστήμη), phys ...
design of an IT system and have a correspondingly-fine granularity of access control.

Replication and distribution

Replication and distribution have distinct meanings in the design and management of a directory service. Replication is used to indicate that the same directory namespace (the same objects) are copied to another directory server for redundancy and throughput reasons; the replicated namespace is governed by the same authority. Distribution is used to indicate that multiple directory servers in different namespaces are interconnected to form a distributed directory service; each namespace can be governed by a different authority.


Directory services were part of an Open Systems Interconnection (OSI) initiative for common network standards and multi-vendor interoperability. During the 1980s, the International Telecommunication Union, ITU and International Organization for Standardization, ISO created a X.500, set of standards for directory services, initially to support the requirements of inter-carrier electronic messaging and network-name lookup. The Lightweight Directory Access Protocol (LDAP) is based on the X.500 directory-information services, using the Internet protocol suite, TCP/IP stack and an X.500 Directory Access Protocol (DAP) string-encoding scheme on the Internet. Systems developed before the X.500 include: * ''Domain Name System (DNS):'' The first directory service on the Internet, still in use * ''Hesiod (name service), Hesiod:'' Based on DNS and used at MIT's Project Athena * ''Network Information Service (NIS):'' Originally Yellow Pages (computing), Yellow Pages (YP) Sun Microsystems' implementation of a directory service for Unix network environments. It played a role similar to Hesiod. * ''NetInfo:'' Developed by NeXT during the late 1980s for NEXTSTEP. After its acquisition by Apple, it was released as open source and was the directory service for Mac OS X before it was deprecated for the LDAP-based Open Directory. Support for NetInfo was removed with the release of 10.5 Leopard. * ''Banyan VINES:'' First Scalability, scalable directory service * ''Windows domain, NT Domains:'' Developed by Microsoft to provide directory services for Windows machines before the release of the LDAP-based Active Directory in Windows 2000. Windows Vista continues to support NT Domains after relaxing its minimum authentication protocols.

LDAP implementations

LDAP/X.500-based implementations include: * 389 Directory Server: Free Open Source server implementation by Red Hat, with commercial support by Red Hat and SUSE. * Active Directory: Microsoft's directory service for Windows, originating from the X.500 directory, created for use in Microsoft Exchange Server, Exchange Server, first shipped with Windows 2000 Server and supported by successive versions of Windows * Apache Directory Server: Directory service, written in Java, supporting LDAP, Kerberos 5 and the Change Password Protocol; LDAPv3 certified * Apple Open Directory: Apple Inc., Apple's directory server for macOS, Mac OS X, available through macOS Server, Mac OS X Server * NetIQ eDirectory, eDirectory: NetIQ's implementation of directory services supports multiple architectures, including Microsoft Windows, Windows, NetWare, Linux and several flavours of Unix and is used for user administration and configuration and software management; previously known as Novell Directory Services. * Red Hat Directory Server: Red Hat released Red Hat Directory Server, acquired from AOL's Netscape Security Solutions unit, as a commercial product running on top of Red Hat Enterprise Linux as the community-supported 389 Directory Server project. Upstream open source project is called FreeIPA. * Oracle Internet Directory: (OID) is Oracle Corporation's directory service, compatible with LDAP version 3. * Sun Java System Directory Server: Sun Microsystems' directory service * OpenDS: Open-source model, Open-source directory service in Java, backed by Sun Microsystems * Oracle Unified Directory: (OUD) is Oracle Corporation's next-generation unified directory solution. It integrates storage, synchronization, and proxy functionalities. * IBM Tivoli Directory Server: Custom build of an old OpenLDAP release * Windows NT Directory Services (NTDS), later renamed Active Directory, replaced the former NT Domain system. * Critical Path, Inc., Critical Path Directory Server * OpenLDAP: Derived from the original University of Michigan LDAP implementation (like Netscape, Red Hat, Fedora and Sun JSDS implementations), it supports all computer architectures (including Unix and Unix derivatives, Linux, Windows, z/OS and a number of embedded-realtime systems). * Lotus Domino * Nexor Directory * OpenDJ - a Java (programming language), Java-based LDAP server and directory client that runs in any operating environment, under license Common Development and Distribution License, CDDL. Developed by ForgeRock, until 2016, now maintained b
Community Open-source tools to create directory services include OpenLDAP, the Kerberos (protocol), Kerberos protocol and Samba software, which can function as a Windows domain controller with Kerberos and LDAP Front and back ends, back ends. Administration is by GOsa or Samba SWAT.

Using name services

Unix systems

Name services on Unix systems are typically configured through nsswitch.conf. Information from name services can be retrieved with getent.

See also

* Access control list * Directory Services Markup Language * Hierarchical database model * LDAP Data Interchange Format * Metadirectory * Service delivery platform * Virtual directory




* {{Authority control Computer access control Computer access control protocols Directory services,