Metadirectories Branch Out

These uberdirectory systems can interconnect enterprise directory systems for easier administration, but implementing them can be a challenge.

Employee-centric data appears all over the IT landscape in most companies, from payroll systems and human resources to e-mail and network operating systems. Each application a user logs into stores his name and other attributes in its own internal directory. And users may be logged into a dozen or more applications within an organization.

When people leave a company, their user accounts should be updated on each system, but they often aren't. The names of former employees may be off the payroll system, but their accounts could very well linger in the e-mail system and other places until administrators finally update them.

Metadirectories can solve this problem by automatically coordinating changes to all application directories. Metadirectories may actually store a copy of some or all directory information, or they may act as a traffic cop, redirecting information requests to specific directory systems. In either case, metadirectories aim to provide data consistency across all directories and make the process of updating across directories faster and easier.

But metadirectories haven't taken off yet, for several reasons. Implementing them involves technical challenges, and their benefits may not be easy to explain to top management. Also, people in different groups often administer the existing application directories.

The technical part isn't difficult, says Jinx Walton, who, as director of computing services and systems development at the University of Pittsburgh, implemented a metadirectory. The hard part, she says, is getting the various groups involved to accept the concept of a central directory in the first place.

Yet another issue is awareness. "Metadirectories are a great concept," says Michael Hoch, a senior analyst at Aberdeen Group Inc. in Boston. But they have been slow to catch on, he says, "because directories themselves have been slow to be adopted." Organizations that haven't yet recognized the value of a directory can't be expected to seek a metadirectory. And many of the systems and applications that store common information don't even have formal directories; often, the so-called directory might be little more than an internal flat file listing authorized users.

The introduction of Microsoft Corp.'s Active Directory as a central part of Windows 2000 promised to usher in an era of enterprise directory usage, but Active Directory and Windows 2000 have experienced slower-than-expected adoption. And although Microsoft's applications will use Active Directory, it's unlikely that all other enterprise and Web applications will standardize on it.

But as the number of directories within organizations is increasing, metadirectories are starting to gain some traction. Novell Inc., iPlanet E-Commerce Solutions (an alliance between Sun Microsystems Inc. and Netscape Communications Corp.), Microsoft, Critical Path Inc., Siemens AG, IBM and others offer metadirectories. However, those companies may not market them as such, and their focuses may differ, says Aaron Beaudoin, directory and security practice manager at ePresence Inc., a consultancy in Westboro, Mass.

Reaching Their Potential

Setting up a metadirectory is complex, and outside assistance is usually required to install or configure it. On the technical side, existing directory and application schemata have to be mapped to the metadirectory schema. Administrators may need to clean up, transform or otherwise normalize the data. Data must also be maintained in the face of frequently changing information and applications. And if you intend to use the directory to automate administrative tasks, administrators will need to define and code business rules. Metadirectory products offer transformation engines, connectors and templates to simplify these technical tasks.

A metadirectory's purpose is to expedite access to shared information and ease the administration of multiple directories. "It presents all the information as a single view to the application instead of seeing individual silos," says Beaudoin.

With a metadirectory, administrators have to enter information only once. If a human resources group, for example, enters a new employee into its system, the system routes designated employee account data to the metadirectory, which in turn makes it available to other directories and applications. The new employee then has an e-mail address, a phone extension and authorizations for appropriate applications.

Once an organization has several directories and starts trying to maintain them, the need for a metadirectory quickly becomes apparent. For example, the University of Pittsburgh is using Novell's DirXML to create a metadirectory that will act as "the authoritative source to feed all our other systems," says Walton.

The university has directory information in multiple directories such as student and human resources databases. "With DirXML, we will no longer have to maintain them individually," Walton says.

Setting up a metadirectory takes some work. Each directory uses a different database that stores data in different formats. Terms, abbreviations and syntax are different. The University of Pittsburgh merges information from multiple directories through DirXML's XML-based transformation engine, which uses Extensible Stylesheet Language Transformations and rules written in XML to automatically convert information into the correct format for the specific directory.

XML, however, is still new, and not all applications and directories can work with it. For those that aren't XML-enabled, Novell provides a driver called a shim. The shim, which can take the form of Dynamic Link Libraries or Java archive files, acts as middleware between the data source and DirXML's transformation engine and must be provided or developed for each application.

The payoff from a metadirectory can be significant. "We will no longer have to maintain these other directories," which should produce big savings by reducing the labor required to maintain multiple directories, says Walton.

And it should result in more accurate data. At one point, 1,500 people at the university were creating student accounts. She says the centralized approach will give the university better control of the process.

Bell Canada International Inc. in Montreal turned to Microsoft Metadirectory Services (MMS) when it needed to "simplify our infrastructure, which consisted of a lot of legacy systems," says Francois Coallier, Bell Canada's general manager of its IT practice. The telecommunications firm now consists of multiple companies brought together through acquisition. Creating a metadirectory was a necessity in order for the resulting company to cut costs, Coallier notes.

Bell Canada began by creating a central directory of all employees that pulled information from different data sources, including PeopleSoft HRMS, Netscape Mail, Microsoft Exchange Server and Lightweight Directory Access Protocol (LDAP) directories.

"To populate a profile of a Bell Canada employee, we need to get information from at least five sources," says Pierre Lestage, a technical consultant at CGI Group Inc., a Montreal-based firm that provides on-site IT services for Bell Canada. This entailed extensive Visual Basic and Perl scripting, he says.

Overall, Bell Canada maintains about 60 directory sources that need to be synchronized daily. "It was slow and costly, and we ended up with a pile of scripts," Lestage says.

With MMS, Bell Canada's applications log into the metadirectory to retrieve profile information, which is cached for performance. MMS drives the flow of information, "but each application is the master of its own data," Lestage explains.

Rather than use a transformation engine to handle differences between data sources, as DirXML does, MMS uses a connector approach - middleware that provides default schema mapping and transformations. MMS includes connectors for common applications and also provides general connectors, such as an LDAP connector.

"We tested three or four of the connectors and are using two of them," one for Windows NT and another for LDAP-compliant directories, says Lestage. Connectors, however, require some code on the target system, which can create problems. "Some systems, especially mainframe systems, won't accept foreign code," Lestage says.

For Bell Canada's PeopleSoft application, the directory team created a direct feed using file transfer protocol (FTP) because no connector was available. To handle the FTP feed, the metadirectory team set up the incoming file by defining the number of entries per record and the variables, and specifying the delimiters. MMS takes the file definition and puts the data in the right places.

MMS is very flexible in terms of what it will accept, says Lestage, as long as you specify in advance what it will get. Creating the file definition "is pretty easy to do by yourself," he adds.

Although the operational benefits of a metadirectory - efficient administration and automation - quickly become apparent, and the technical issues are manageable, organizational issues remain a key obstacle, IT professionals say.

LAN administrator Curtis Parker, who's working on a DirXML-based metadirectory at Utah's Division of Information Technology Services, can attest to that.

"It really is a political issue," he says. "We've proven the technology can do this. Now it is a problem of bringing the business process together and getting the executives to buy in."

The Missing Link: Metadirectories at a Glance

Metadirectories synchronize common information (usually user account data) to be shared among enterprise directories, to ensure data consistency and automate the update process. Metadirectories do this either by redirecting directory changes or by acting as a central, intermediate directory information store.

A metadirectory can be quite large, expensive and tricky to implement. The process requires creating a schema and mapping schemas to each directory. And required code on the target systems can create integration problems.

This write-once, replicate-everywhere approach allows user account changes initiated in one application to propagate automatically to other applications, without redundant data entry. An employee termination in the human resources system, for example, can immediately inactivate that employee's accounts in the corporate database, the e-mail system and the LAN.
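As an added illustration (not DirXML, MMS or any vendor's code), the following Python sketch models the pieces the article describes: a delimited HR extract as the authoritative source, a per-directory attribute mapping standing in for the transformation engine or connector, a termination in HR propagating as account deactivation, and a check for accounts that no authoritative record covers. All names, records and directory schemas are constructed.

```python
# Toy metadirectory sync: HR feed as authoritative source, per-directory
# attribute mapping, termination propagation and orphan detection.
# Added illustration, not DirXML or MMS code; all records are constructed.

# Constructed HR extract, delimiter-separated like the article's FTP feed.
HR_FEED = """emp_id|last|first|dept|status
1001|Example|Alice|Finance|A
1002|Sample|Bob|Payroll|T
1003|Tester|Carol|IT|A"""

# Connector-style mappings: (key attribute, HR record -> target schema).
SCHEMA_MAPS = {
    "mail": ("uid", lambda r: {"uid": f"e{r['emp_id']}",
                               "mail": f"{r['first']}.{r['last']}@example.com".lower()}),
    "lan": ("sAMAccountName", lambda r: {"sAMAccountName": f"e{r['emp_id']}",
                                         "cn": f"{r['first']} {r['last']}", "ou": r["dept"]}),
}

def parse_hr_feed(text, delim="|"):
    """Parse the delimited extract; the header row names the variables."""
    header, *rows = text.splitlines()
    fields = header.split(delim)
    return [dict(zip(fields, row.split(delim))) for row in rows]

def sync(hr_records, directories):
    """Push HR changes into every directory; return a per-directory report."""
    report = {}
    for name, entries in directories.items():
        key, mapper = SCHEMA_MAPS[name]
        seen, r = set(), {"created": 0, "updated": 0, "disabled": 0}
        for rec in hr_records:
            attrs = mapper(rec)
            uid = attrs[key]
            seen.add(uid)
            if rec["status"] == "T":
                # A termination in HR inactivates the account in every directory.
                if uid in entries and entries[uid].get("enabled", True):
                    entries[uid]["enabled"] = False
                    r["disabled"] += 1
            elif uid in entries:
                entries[uid].update(attrs)
                r["updated"] += 1
            else:
                entries[uid] = {**attrs, "enabled": True}
                r["created"] += 1
        # Accounts the authoritative source does not know about are the
        # lingering accounts the article warns about: flag them for review.
        r["orphaned"] = sorted(u for u in entries if u not in seen)
        report[name] = r
    return report
```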

The idea of centralizing control of directory updates may face resistance within departments that currently have complete control over their own applications.

Radding is a freelance writer in Newton, Mass. He can be reached at

Copyright © 2001 IDG Communications, Inc.
