Sun Java System Directory Server Enterprise Edition
The Directory Server component of Directory Server Enterprise Edition provides the most scalable, high-performance LDAP data store for identity information in the industry and serves as the foundation for the new generation of e-business applications and Web services.


Security

The Directory Server provides many security features to achieve compliance with information security policies and to ensure that only those with proper authorization have access to the information.
  • Macro-level and dynamic Access Control Instructions (ACIs) make access definable at the lowest level of data—an attribute. They make it possible to define access control policies once and then re-use them across the directory tree. Macro ACIs can be used to optimize the number of ACIs in the directory and thereby reduce the complexity of the security framework.
  • Along with ACIs, role-based access provides a simpler way to provide access based on information in a user's entry. Roles are defined and administered like groups, but they provide more efficient grouping mechanisms for applications. Roles can be used in ACIs to control access to data. They can also be used by Class of Service (CoS) to define "virtual" attributes for an entry, reducing storage requirements on entries and allowing a single change to update an unlimited number of related entries.
  • Directory Server supports a means for determining what access a user has on a set of information. By using the Get Effective Rights control, administrators who maintain access policies for the directory service can tighten security by “auditing” the permissions of directory users and applications. This capability can also be used to build applications with adaptive interfaces, based on the user's rights.
  • Directory Server supports encryption mechanisms to protect data on the disk and during transfer through communications channels. Combined with support for fractional replication and data-hiding based on access, this can be used to comply with European Union and other international privacy regulations.
  • To guard against unauthorized access to user accounts that can be used to obtain identity information, the Directory Server supports multiple password policies that can be defined on a per-user basis or targeted to certain groups. These policies help to ensure users are changing passwords on a regular basis and that anyone attempting to hack into an account is effectively blocked.
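The macro ACI and role mechanisms described in the first two bullets above, shown as an added LDIF example (not taken from the product page or Sun's documentation); the `dc=example,dc=com` suffix, the `DomainAdmins` and `HelpDesk` names and the `ou=Groups` layout are assumptions chosen for illustration.

```ldif
# Constructed example: one macro ACI on the suffix grants each domain's own
# DomainAdmins group read/search access to that domain's ou=Groups subtree.
# ($dn) in the target matches any subtree under the suffix; [$dn] in the bind
# rule is expanded to the same RDN components, so a single ACI replaces one
# hand-written ACI per domain (fewer ACIs, less to audit).
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=Groups,($dn),dc=example,dc=com")
 (targetattr="*")
 (version 3.0; acl "Per-domain group read access"; allow (read,search)
 groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)

# A managed role: members are enrolled by adding nsRoleDN to their entry,
# and the server computes the read-only nsRole attribute from it.
dn: cn=HelpDesk,dc=example,dc=com
changetype: add
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: HelpDesk
description: Staff allowed to reset user passwords

# Enrol a user in the role (constructed user entry).
dn: uid=hdesk1,ou=People,dc=example,dc=com
changetype: modify
add: nsRoleDN
nsRoleDN: cn=HelpDesk,dc=example,dc=com

# Least-privilege ACI bound to the role: write access is limited to the
# userPassword attribute under ou=People, nothing else.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword")
 (version 3.0; acl "HelpDesk may reset passwords"; allow (write)
 roledn="ldap:///cn=HelpDesk,dc=example,dc=com";)
```

Applied with ldapmodify as the Directory Manager, the result can then be verified with the Get Effective Rights control the third bullet describes, confirming that a HelpDesk member has write on userPassword and no other write permissions.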
Availability

The Directory Server natively supports a variety of access protocols and offers a highly flexible and scalable replication environment ensuring availability in distributed environments.
  • The Directory Server supports the LDAP v2 and v3 protocols and the Directory Service Markup Language (DSML) v2 natively for standards-based access. LDAP and DSML over HTTP/Simple Object Access Protocol (SOAP) protocols enable clients anywhere on a network to securely search and update directory data objects, receive changes made by other applications, and authenticate users or applications – even through firewalls.
  • To ensure that there is no single point of failure for applications using the aforementioned protocols to access identity data, the Directory Server supports up to four masters and any number of read-only servers in a replicated environment across both local and wide area networks. Special features of the replication protocol allow for optimizations when replicating data over high-latency networks.
Scalability

The Directory Server provides for both vertical and horizontal growth without major deployment redesign. This level of scalability becomes increasingly critical as deployment grows.
  • The Directory Server is the highest-performing LDAP directory server on the market today, with the ability to provide sustained search performance of over 10,000 entries per second on a single machine and horizontal scalability to tens of thousands of searches per second.
  • The requirement to store and update information constantly is increasing as use expands across the organization. Update performance of the Directory Server has been observed in the range of 500 updates per second on multi-million-entry deployments, approaching relational-database write performance.
  • As the industry's only 64-bit, enterprise-class directory with linear CPU scalability to 12 CPUs, the Directory Server allows access to maximum memory capacity and delivers high performance accommodating extremely large directories on a single system for maximum hardware benefit.
Manageability

The Directory Server provides a comprehensive set of management tools for administering the server as well as the service.
  • The Directory Server delivers up-to-date, consistent, and always-available identity data—and offers a central point of control for managing it. A centralized GUI-based administration console can be used to configure and manage multiple Directory Servers. The interface includes all the tools required for effective day-to-day server administration and service, from configuration to monitoring. In addition, command line utilities are provided for almost all configuration and administration actions, which can be performed dynamically via LDAP while the servers are running.
  • These management features mean that most management operations that would typically be performed while the directory is offline—such as backup, bulk import, and re-indexing—can instead be performed while it is online, thus maximizing availability.
  • Management flexibility makes it much simpler to deploy the directory service into many different environments. If data centers are outsourced to third-party companies or operated on a "lights out" basis that requires remote management, the command line utilities make it as easy to manage the service as if it were in a local data center.