Electronic directories allow networked applications to access and manage items of information that represent entities such as people or items of equipment. The items of information are logically organized as a hierarchy of objects or entries in a directory information tree (DIT), where each object has a name (using naming attributes) and one or more other attributes. A directory service provides electronic access to one or more distributed DITs, allowing one or more objects to be accessed by a directory service user performing a search on an object's name or its other attributes, for example.
X.500 is the name given to an internationally agreed set of standards for electronic directory services, as defined by the International Standards Organisation (ISO) and the International Telecommunications Union (ITU). The X.500 directory service is defined in an abstract way and conceptually specifies a distributed object oriented system that has security and access control features. It provides a range of user services (such as Read, Search, List, Modify, Add, Remove and Modify Name operations) that enable a directory service to be distributed, replicated, managed and accessed. One of X.500's protocols used for directory access is known as Directory Access Protocol (DAP), and is defined in X.511. Lightweight Directory Access Protocol (LDAP) is based on DAP and is defined by the Internet Engineering Task Force (IETF) in RFC 2251. LDAP has allowed directory access technology to be easily incorporated into desktop client software.
Directory systems are used by many organizations to store information in relation to their staff and the organisation's networked computer equipment (printers, routers). For example, a common use of LDAP is to store information representing users of a campus-wide network at a university. A user can log onto any workstation at the university using a single username-password pair that is verified by the workstation after accessing a networked LDAP directory service.
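The DIT, naming attributes, scoped search and the login check described in the preceding paragraphs, as an added example that is not part of the original document. The entries, DNs, attribute names and passwords are constructed; the tree is held in memory and the password check compares SHA-256 digests, which is an illustrative simplification of what a real LDAP server does.

```python
"""Minimal in-memory directory information tree (DIT): entries named by an
RDN built from a naming attribute, scoped search by name or attribute, and a
bind (login) check. Added illustration; all names and data are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List


def parse_dn(dn: str) -> List[str]:
    """Split "uid=alice,ou=people,dc=example" into RDNs, leaf first.
    Attribute types are case-insensitive; values are kept as given."""
    rdns = []
    for rdn in dn.split(","):
        typ, _, val = rdn.strip().partition("=")
        if not typ or not val:
            raise ValueError(f"malformed RDN in {dn!r}")
        rdns.append(f"{typ.lower()}={val}")
    return rdns


@dataclass
class Entry:
    rdn: str
    attributes: Dict[str, List[str]] = field(default_factory=dict)
    children: Dict[str, "Entry"] = field(default_factory=dict)

    def has(self, attr: str, value: str) -> bool:
        return value in self.attributes.get(attr.lower(), [])


class DIT:
    def __init__(self, root_dn: str):
        self.root = Entry(parse_dn(root_dn)[0])

    def _node(self, dn: str) -> Entry:
        rdns = parse_dn(dn)
        if rdns[-1] != self.root.rdn:
            raise KeyError(f"{dn} is not held in this DIT")
        node = self.root
        for rdn in reversed(rdns[:-1]):
            node = node.children[rdn]  # KeyError: no such entry
        return node

    def add(self, dn: str, attributes: Dict[str, List[str]]) -> None:
        rdns = parse_dn(dn)
        if len(rdns) == 1:
            raise ValueError("the root entry already exists")
        parent = self._node(",".join(rdns[1:]))  # parent must already exist
        leaf = rdns[0]
        if leaf in parent.children:
            raise ValueError(f"{dn} already exists")
        attrs = {k.lower(): list(v) for k, v in attributes.items()}
        typ, val = leaf.split("=", 1)
        attrs.setdefault(typ, [])
        if val not in attrs[typ]:  # the naming attribute is also an attribute of the entry
            attrs[typ].append(val)
        parent.children[leaf] = Entry(leaf, attrs)

    def search(self, base_dn: str, scope: str, attr: str, value: str) -> List[str]:
        """Equality search. scope: "base" (the base entry only), "one" (its
        immediate children) or "sub" (the whole subtree). Returns DNs."""
        base = self._node(base_dn)
        found: List[str] = []

        def visit(node: Entry, dn: str, depth: int) -> None:
            if (scope == "base" and depth > 0) or (scope == "one" and depth > 1):
                return
            if (scope != "one" or depth == 1) and node.has(attr, value):
                found.append(dn)
            for rdn, child in node.children.items():
                visit(child, f"{rdn},{dn}", depth + 1)

        visit(base, ",".join(parse_dn(base_dn)), 0)
        return found

    def bind(self, dn: str, password: str) -> bool:
        """Login check: compare a digest of the offered password against the
        entry's userPassword values (unsalted SHA-256 here, for brevity)."""
        try:
            entry = self._node(dn)
        except (KeyError, ValueError):
            return False
        digest = hashlib.sha256(password.encode()).hexdigest()
        stored = entry.attributes.get("userpassword", [])
        return any(hmac.compare_digest(digest, s) for s in stored)


def build_sample() -> DIT:
    """Constructed campus-style sample: people and equipment under dc=example."""
    dit = DIT("dc=example")
    dit.add("ou=people,dc=example", {"objectClass": ["organizationalUnit"]})
    dit.add("ou=equipment,dc=example", {"objectClass": ["organizationalUnit"]})
    dit.add("uid=alice,ou=people,dc=example", {
        "objectClass": ["inetOrgPerson"], "cn": ["Alice Example"],
        "mail": ["alice@example.test"],
        "userPassword": [hashlib.sha256(b"correct horse").hexdigest()]})
    dit.add("uid=bob,ou=people,dc=example", {
        "objectClass": ["inetOrgPerson"], "cn": ["Bob Example"],
        "mail": ["bob@example.test"],
        "userPassword": [hashlib.sha256(b"battery staple").hexdigest()]})
    dit.add("cn=printer-1,ou=equipment,dc=example", {
        "objectClass": ["device"], "ipHostNumber": ["192.0.2.10"]})
    return dit


if __name__ == "__main__":
    d = build_sample()
    print(d.search("dc=example", "sub", "mail", "alice@example.test"))
    print(d.bind("uid=alice,ou=people,dc=example", "correct horse"))
```

The workstation login from the paragraph above corresponds to a search for the user's entry by name followed by `bind` against that entry's DN; the three search scopes are the ones LDAP and X.500 define, and the naming attribute of each RDN is stored as an ordinary attribute of the entry, which is why a base-scope search on `uid` finds the entry.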
Although directory systems have been successfully applied to large organizations referred to as ‘Enterprises’ having up to ~50,000 users, today's Internet-based electronic commerce business organisations may need to support much larger numbers (e.g., 30,000-200,000,000) of users. Such an ‘eBusiness’ could use directory systems to represent many aspects of the business organization, its customers, its services, its policies, its products (including catalogues, content systems and libraries) and its infrastructure components (network systems, mail servers) used to deliver services. In terms of information design, this type of directory virtualizes the organization (as much as possible) into directory system objects as identified entities. Such systems may be expected to hold five hundred million objects, with a schema configuration of hundreds of object classes and thousands of attribute types. In addition, such directory systems need to support the organization's respective security regimes (such as Public Key Infrastructure (PKI) and Access Controls as used for authorization) that are applied to protect ownership, provide information sharing rules and validate trusted identities.
The need to provide rapid, profiled and efficient updating, management and access to so many objects for so many users and services is beyond the capabilities of existing directory systems. Existing directories are engineered as distributed object-oriented databases that comply with the X.500 and LDAP standards. These directories incorporate an underlying storage system of their choosing, such as a Relational Database Management System (RDBMS) based on structured query language (SQL), or Object Oriented Databases.
SQL-based database products have significant drawbacks when ultimate performance is the objective. For example:
(i) The relational model tends to lead to complex objects being fragmented over multiple tables, reflecting “many to one” relationships of elements within a directory object class and the instantiations of that class within a named hierarchical structure.
(ii) SQL is an interpreted language, and this has a performance cost. For a conventional lower scale disk-based RDBMS, this cost is acceptable, as it is less than the cost of disk access when tables are cached, and the main optimization goal of conventional RDBMS products is to avoid unnecessary high rates of disk input/output operations.
(iii) SQL performance is determined by the effectiveness of the query optimizer in turning the SQL into an efficient database access route. Mature RDBMS products have extremely effective query optimizers, but their performance is not guaranteed, particularly when the directory may be subject to a wide range of random queries.
(iv) As the number of entries increases in an RDBMS-based directory system, so do the database table lengths (i.e., the number of rows in a table). This constrained way of extending and joining database tables increases information indexing and search times. A central problem is that RDBMS tables cannot be segmented laterally based on arbitrary object name values, naming contexts (what hierarchy the object might be in) or attribute types and values. This causes significant scaling and extensibility problems for very large directory systems.
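Points (i) and (iv) above, as an added example that is not part of the original document: a handful of directory entries stored in a relational layout, using Python's built-in sqlite3 module. The two-table schema (one row per entry, one row per attribute value) and the sample entries are constructed; they show how a single entry with multi-valued attributes is spread across many rows, how the attribute-value table grows with every value rather than with every entry, and that a subtree equality search needs a join to find the matching names plus a further query per hit to reassemble the fragmented entry.

```python
"""Directory entries stored relationally, to show how one entry fragments
across rows and what a subtree search then costs. Added illustration; the
schema and sample data are constructed."""
import sqlite3
from typing import Dict, List, Tuple

SCHEMA = """
CREATE TABLE entries (
    id        INTEGER PRIMARY KEY,
    dn        TEXT NOT NULL UNIQUE,
    parent_id INTEGER REFERENCES entries(id)
);
-- One row per attribute VALUE. Multi-valued attributes and the many-to-one
-- relation between values and their entry spread a single directory object
-- over many rows of this table.
CREATE TABLE attribute_values (
    entry_id INTEGER NOT NULL REFERENCES entries(id),
    attr     TEXT NOT NULL,
    value    TEXT NOT NULL
);
"""

# Constructed sample entries: (dn, parent dn, attributes).
SAMPLE_ENTRIES = [
    ("dc=example", None,
     {"objectClass": ["domain"], "dc": ["example"]}),
    ("ou=people,dc=example", "dc=example",
     {"objectClass": ["organizationalUnit"], "ou": ["people"]}),
    ("uid=alice,ou=people,dc=example", "ou=people,dc=example",
     {"objectClass": ["inetOrgPerson", "person"], "uid": ["alice"],
      "cn": ["Alice Example"],
      "mail": ["alice@example.test", "a.example@example.test"]}),
    ("uid=bob,ou=people,dc=example", "ou=people,dc=example",
     {"objectClass": ["inetOrgPerson", "person"], "uid": ["bob"],
      "cn": ["Bob Example"], "mail": ["bob@example.test"]}),
]


def build_sample_db() -> sqlite3.Connection:
    """Load the sample entries into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    ids: Dict[str, int] = {}
    for dn, parent, attrs in SAMPLE_ENTRIES:
        cur = conn.execute("INSERT INTO entries (dn, parent_id) VALUES (?, ?)",
                           (dn, ids.get(parent)))
        ids[dn] = cur.lastrowid
        # Every attribute value becomes its own row: the entry is fragmented.
        conn.executemany(
            "INSERT INTO attribute_values (entry_id, attr, value) VALUES (?, ?, ?)",
            [(cur.lastrowid, a.lower(), v) for a, vals in attrs.items() for v in vals])
    conn.commit()
    return conn


def row_counts(conn: sqlite3.Connection) -> Tuple[int, int]:
    """(entry rows, attribute-value rows): the second grows with every value."""
    e = conn.execute("SELECT COUNT(*) FROM entries").fetchone()[0]
    a = conn.execute("SELECT COUNT(*) FROM attribute_values").fetchone()[0]
    return e, a


def subtree_search(conn: sqlite3.Connection, base_dn: str, attr: str,
                   value: str) -> Dict[str, Dict[str, List[str]]]:
    """Equality search under base_dn. One join finds the matching DNs; each
    hit then needs another query to reassemble its fragmented attributes."""
    hits = conn.execute(
        """SELECT e.id, e.dn
             FROM entries e JOIN attribute_values av ON av.entry_id = e.id
            WHERE av.attr = ? AND av.value = ? AND (e.dn = ? OR e.dn LIKE ?)
            ORDER BY e.dn""",
        (attr.lower(), value, base_dn, "%," + base_dn)).fetchall()
    results: Dict[str, Dict[str, List[str]]] = {}
    for entry_id, dn in hits:
        attrs: Dict[str, List[str]] = {}
        for a, v in conn.execute(
                "SELECT attr, value FROM attribute_values WHERE entry_id = ? ORDER BY rowid",
                (entry_id,)):
            attrs.setdefault(a, []).append(v)
        results[dn] = attrs
    return results


if __name__ == "__main__":
    db = build_sample_db()
    print(row_counts(db))
    print(subtree_search(db, "ou=people,dc=example", "mail", "a.example@example.test"))
```

Four entries already occupy fifteen attribute-value rows, and the subtree constraint is expressed as a suffix match on the DN string because the table cannot be partitioned by naming context; both effects grow with the directory, which is the scaling problem point (iv) describes.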
Implementing a directory database using an object-based database management system would avoid some of these particular “SQL” problems. However, object databases do not scale well when searching for sparse attributes in complex directory trees or with large entries: object-based directory systems reach their storage, search access and indexing limits very quickly.
To provide high performance in a directory system, the DIT naming information, the attributes held within the directory entries, and the schema and access control information should be accessed as rapidly as possible. Existing directory systems use keys or indexes to access database data, and hash or B-Tree indexing systems are typical. For example, an RDBMS can use keyed columns in its database tables and build hash indexes for them.
One difficulty is that as RDBMS-based directory systems scale, the indexes need to be retuned or rebalanced. Alternatively, if every entry attribute type and value is indexed in the same way and at the same processing level, the system can become saturated with index processing and re-processing.
Moreover, when a new eBusiness user and a corresponding user-to-service relationship is added to a directory service, many directory objects and attributes have to be added in a sequential manner in existing directory systems. This makes the larger scale identity based eBusiness systems quite complex to build and creates a significant risk should the system fail during the user management update process.
Another difficulty facing Internet-based businesses today is the complexity and inefficiency of existing platforms. Internet based service platforms that provide dialup, email, instant messaging (IM) and web based services use a multitude of protocol and network interactions. The shortage of Internet Protocol addresses world wide, network bottlenecks and systems failures all suggest that simpler ways of building systems with fewer “networking” functions are needed.
Similarly, existing directory enabled systems use a considerable number of products and servers, a mixture of information storage paradigms, multiple protocols, and inconsistent data and user identity models to perform even the most basic of tasks in Internet service provisioning. Users require a service environment where they can access one or more on-line applications (e.g., email, IM, web, transactions), using one or more devices (e.g., phones, PCs, PDA, Kiosks and iDTV systems) and one or more authentication and authorization tokens (e.g., passwords, coded cards, biometrics and signatures). Existing systems implement such interactions in a piecemeal fashion using files, databases, directories, and a range of application processes and decision points. Thus installing, deploying and growing such systems is exceedingly complex and constitutes a significant business risk due to poor scaling and reliability vulnerabilities.
It is desired to provide a directory system that alleviates one or more of the above difficulties, or at least provides a useful alternative.