🗂️Idea of Directory Services

What is a Directory Service?

A directory service is a centralized database that stores, organizes, and provides access to information about networked resources (users, devices, applications, etc.). It acts as a "phonebook" for the network, enabling:

  • Authentication (verifying identities).

  • Authorization (granting access rights).

  • Resource discovery (locating printers, servers, and so on).

  • Policy enforcement (password rules, and so on).

"Directory" vs "Service"?

Directory:

A directory in this context is not a file-system folder. It is a specialized, hierarchical database optimized for read-heavy operations, used to store and organize information about users, computers, networks, applications and permissions. Data is stored as objects (for example, a user) with attributes (username=john, email=john@example.com).

Service:

A service is a software component running on a server that performs a specific task; in this case, it is the software that manages the directory and handles requests such as:

  • User authentication.

  • Data queries ("Find all printers in Building A").

  • Updates (e.g., resetting a password).

What is a Directory Service?

A Directory Service is:

  • A centralized database of information about network resources (users, computers, groups, and so on).

  • A server-based service that responds to directory requests (like login validation or permission checks).

  • Typically accessed via the LDAP protocol.

Key Functions:

  • Authentication & Authorization

  • User/group management

  • Computer management

  • Policy enforcement

Types of Directory Services

  • Active Directory (AD): Microsoft’s directory service for Windows domain networks.

  • OpenLDAP: Open-source implementation of LDAP.

  • eDirectory: Novell’s enterprise directory service.

  • Apache Directory: Java-based LDAP server.

  • Red Hat Directory Server: LDAP-based enterprise directory by Red Hat.

Interaction between Directory Client and Directory Server

Client-Server Interaction Flow:

  1. Client (computer or app) wants to:

    • Log in a user

    • Check permissions

    • Find user info

  2. Sends a request to the Directory Server

    • Usually via LDAP (Lightweight Directory Access Protocol)

  3. Directory Server responds

    • Authenticates or rejects

    • Returns data (e.g., user’s department)

  4. Client acts based on response

What is a Directory Client?

A directory client is software that interacts with the directory service. Examples:

  • OS components: Windows logon client, the lsass process, and so on.

  • Applications: Email clients (Outlook), SSO systems, custom scripts.

  • Functions:

    • Sends queries (LDAP searches).

    • Authenticates users (via Kerberos/LDAP binds).

    • Enforces group policies (in Windows).

Protocols Used in Directory Services

  • LDAP (Lightweight Directory Access Protocol): Main protocol for querying and modifying directory information.

  • LDAPS: Secure version of LDAP over SSL/TLS.

  • Kerberos: For secure authentication (used with Active Directory).

  • NTLM: Older Windows authentication protocol.

  • DNS: Used to locate directory servers (especially in AD).

LDAP Operations:

  1. Bind: Authenticate the client to the server

  2. Search: Query the directory for entries

  3. Compare: Check if a value matches

  4. Modify: Update an entry

  5. Add/Delete: Insert or remove entries

Does Active Directory Exist on the Directory Client?

No.

  • Active Directory (Directory Service) runs exclusively on Windows Server machines (Domain Controllers).

  • Clients (like Windows 10/11 PCs) have:

    • Client-side components: like the lsass.exe process, which handles authentication requests to AD servers.

    • Group Policy Client: the Group Policy Client Service (gpsvc) applies policies from AD to the local machine.

    • LDAP/Kerberos libraries: To communicate with AD servers.

Analogy:

Your web browser (client) accesses Google (server). Google doesn’t "exist" on your device; it responds to requests. Similarly, AD resides on servers, while clients use lightweight agents to talk to it.

What Does Exist on the Directory Client: The "AD Client Agents"

Clients (Windows, macOS, Linux) run lightweight software components that act as intermediaries. Think of them as "ambassadors" for the AD server:

Core Components on Windows Clients:

  • LSASS.EXE (Local Security Authority Subsystem): Handles authentication requests. Talks to DCs via Kerberos/LDAP.

  • Group Policy Client (gpsvc): Applies Group Policy Objects (GPOs) from AD. Downloads policies from \\domain\SYSVOL (a share on the DC) and enforces them locally.

  • NetLogon Service: Establishes a secure channel with DCs. Uses the Netlogon protocol over RPC.

  • LDAP/Kerberos Libraries: Protocol implementations for directory queries/auth. Built into Windows APIs (e.g., Secur32.dll, Wldap32.dll).

  • Credential Cache: Stores recent Kerberos tickets/password hashes. Enables offline logins (cached credentials). Stored in secure memory (not disk).

Non-Windows Clients (e.g., Linux/macOS)

  • sssd (System Security Services Daemon): Integrates with AD/LDAP/Kerberos.

  • realmd: Joins Linux clients to AD domains.

  • Samba: Provides SMB/CIFS and NetLogon emulation.

Protocols Used by Client Agents

  • Kerberos: Used by LSASS.EXE for authentication via TGTs/service tickets (port 88 TCP/UDP).

  • LDAP: Used by apps/APIs to query user/group data (port 389, or 636 for LDAPS).

  • SMB: Used by the Group Policy Client to download GPOs from \\domain\SYSVOL (port 445).

  • RPC: Used by the NetLogon Service for secure channel maintenance (dynamic ports).
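
As an added example (not part of the original page), the Python script below applies the port-to-protocol mapping in the list above to a few constructed connection records and summarizes, per client, which of these protocols it used towards the domain controller. The log line format, the IP addresses, the 135/tcp endpoint-mapper entry and the 49152-65535 dynamic RPC range are assumptions made for this example, and the two finding rules are simple heuristics showing how the mapping can drive a check; nothing here comes from a real product's log format.

```python
import re
from collections import defaultdict

# Port -> (protocol, client-side process), following the list above.
# Assumptions for this example: 135 (RPC endpoint mapper) and the 49152-65535 dynamic range.
PORT_TABLE = {
    88: ("Kerberos", "LSASS.EXE"),
    389: ("LDAP", "Apps/APIs"),
    636: ("LDAPS", "Apps/APIs"),
    445: ("SMB", "Group Policy Client"),
    135: ("RPC endpoint mapper", "NetLogon Service"),
}
RPC_DYNAMIC = range(49152, 65536)

# Constructed record format: "<timestamp> <src>:<sport> -> <dst>:<dport>/<tcp|udp>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)/(?P<proto>tcp|udp)$")


def classify_port(dport):
    """Name the protocol and the client process expected to open a connection on this port."""
    if dport in PORT_TABLE:
        return PORT_TABLE[dport]
    if dport in RPC_DYNAMIC:
        return ("RPC (dynamic port)", "NetLogon Service")
    return ("unknown", "unexpected")


def summarize(lines, dc_ips):
    """Count, per client IP, the protocols it used towards the DCs and raise simple findings."""
    per_client = defaultdict(lambda: defaultdict(int))
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            findings.append("unparsed line: %r" % line)
            continue
        if m["dst"] not in dc_ips:
            continue  # only traffic towards a domain controller is of interest here
        protocol, _process = classify_port(int(m["dport"]))
        per_client[m["src"]][protocol] += 1
    for src, counts in per_client.items():
        if counts.get("LDAP") and not counts.get("LDAPS"):
            findings.append("%s: LDAP on 389 only, no LDAPS (636) seen; confirm signing or "
                            "StartTLS is enforced on the server" % src)
        if counts.get("unknown"):
            findings.append("%s: %d connection(s) to a DC on ports outside the expected set"
                            % (src, counts["unknown"]))
    return {src: dict(c) for src, c in per_client.items()}, findings


SAMPLE_LOG = [  # constructed records; 10.0.0.10 plays the domain controller
    "2024-05-01T08:00:01Z 10.0.0.5:51000 -> 10.0.0.10:88/tcp",
    "2024-05-01T08:00:01Z 10.0.0.5:51001 -> 10.0.0.10:389/tcp",
    "2024-05-01T08:00:02Z 10.0.0.5:51002 -> 10.0.0.10:445/tcp",
    "2024-05-01T08:00:02Z 10.0.0.5:51003 -> 10.0.0.10:49670/tcp",
    "2024-05-01T08:00:05Z 10.0.0.7:40000 -> 10.0.0.10:88/udp",
    "2024-05-01T08:00:05Z 10.0.0.7:40001 -> 10.0.0.10:636/tcp",
    "2024-05-01T08:00:09Z 10.0.0.9:33000 -> 10.0.0.10:3389/tcp",
    "2024-05-01T08:00:09Z 10.0.0.9:33001 -> 10.0.0.20:80/tcp",
    "not a connection record",
]
DC_IPS = {"10.0.0.10"}

if __name__ == "__main__":
    summary, notes = summarize(SAMPLE_LOG, DC_IPS)
    for src, counts in summary.items():
        print(src, counts)
    for note in notes:
        print("finding:", note)
```

Run directly, it prints one line per client with its protocol counts followed by the findings; in practice the records would come from a firewall or flow log and DC_IPS from your list of domain controllers. Connections to a DC on ports outside the list are worth a look on a workstation, because the client agents described above only need the Kerberos, LDAP/LDAPS, SMB and RPC ports.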

Understanding Read-Heavy Operations in Directory Services

Directory services act like digital phone books for computer networks, storing information about users, devices, and resources (like usernames, passwords, permissions). "Read-heavy operations" means these systems are designed to handle far more lookup requests (reads) than updates or changes (writes).

Why Directories Are "Read-Heavy"

1. Everyday Use Cases

Most interactions with directory services involve checking information, not changing it. For example:

  • Logging into your work computer: The system reads your username and password from the directory to verify you.

  • Accessing a shared folder: The directory checks if you have permission to view the files.

  • Connecting to Wi-Fi: The network authenticates your device by reading its details from the directory.

These actions happen constantly in organizations, making reads much more frequent than writes (like updating a password or adding a new user).

What is a Lookup Request?

The term "lookup requests" refers to operations where a system searches for and retrieves specific information stored in a directory or database. In the context of directory services (like Active Directory or LDAP), a lookup request means asking the directory to find a particular unique entry, such as a user’s account details, a device name, or a domain name.

Simple Explanation:

  • Imagine a phone book: a lookup request is like looking up a person’s phone number by their name.

  • You provide the directory with a key piece of information (like a username), and it returns the matching entry with all related details (like email, permissions, and so on).

Technical Context:

  • A lookup targets one specific, unique entry in the directory.

  • It is different from a search, which might return multiple entries matching some criteria.

  • Lookup requests are very common in directory services because systems constantly need to verify user identities, permissions, or resource locations by quickly retrieving precise information.
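
To tie together the client/server interaction flow and the LDAP operations listed earlier (Bind, Search, Compare, Modify, Add/Delete) with the lookup-versus-search distinction made here, the following Python code is an added example, not from the original page and not from any real directory product. ToyDirectory is a hypothetical in-memory directory: the DNs, users, passwords and the finance-share group are constructed, the filter is limited to a single equality match, the password storage is a plain SHA-256 stand-in for a real server's scheme, and ambiguousLookup is an invented result name (real LDAP has no lookup operation; a lookup is a search that must return exactly one entry).

```python
import hashlib
import hmac

BASE = "dc=example,dc=com"  # constructed naming context used by every DN below

class LdapError(Exception):
    """Carries an LDAP-style result name (invalidCredentials, noSuchObject, ...)."""

def _pw_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()  # toy format; real servers use salted schemes

class ToyDirectory:
    ADMIN_DN = "cn=admin," + BASE  # hypothetical administrator entry

    def __init__(self):
        self.entries = {}     # dn -> {attribute: [values]}, insertion order kept
        self.bound_as = None  # DN the client authenticated as; None = anonymous

    def _in_scope(self, dn, base, scope):
        parent = dn.split(",", 1)[-1] if dn != base else None
        return {"base": dn == base, "one": parent == base,
                "sub": dn == base or dn.endswith("," + base)}[scope]

    def _require(self, *allowed):
        # anonymous clients may do nothing; writes additionally need one of the listed identities
        if self.bound_as is None or (allowed and self.bound_as not in allowed):
            raise LdapError("insufficientAccessRights")

    def bind(self, dn, password):
        """Bind: prove an identity; every later operation on this connection runs as it."""
        stored = self.entries.get(dn, {}).get("userPassword", [""])[0]
        if not hmac.compare_digest(stored, _pw_hash(password)):  # constant-time, also for unknown DNs
            self.bound_as = None  # a failed bind leaves the connection anonymous
            raise LdapError("invalidCredentials")
        self.bound_as = dn

    def search(self, base, scope, attr, value="*"):
        """Search: base DN + scope + one equality filter (attr=value); value "*" tests presence."""
        self._require()
        return [dn for dn, e in self.entries.items()
                if self._in_scope(dn, base, scope) and attr in e
                and (value == "*" or value.lower() in (v.lower() for v in e[attr]))]

    def lookup(self, base, attr, value):
        """Lookup: a search that must identify exactly one entry (the distinction drawn above)."""
        hits = self.search(base, "sub", attr, value)
        if len(hits) != 1:  # "ambiguousLookup" is an invented name; real LDAP has no lookup operation
            raise LdapError("noSuchObject" if not hits else "ambiguousLookup")
        return hits[0]

    def compare(self, dn, attr, value):
        """Compare: a yes/no answer without returning the attribute's values."""
        self._require()
        return value.lower() in (v.lower() for v in self.entries.get(dn, {}).get(attr, []))

    def modify(self, dn, attr, values):
        """Modify: replace one attribute; only the entry itself (self-service) or the admin may write."""
        self._require(dn, self.ADMIN_DN)
        hashed = [_pw_hash(values[0])] if attr == "userPassword" else list(values)
        self.entries[dn][attr] = hashed  # KeyError for an unknown DN (noSuchObject in real LDAP)

    def add(self, dn, attrs):
        """Add: insert a whole entry (admin only in this toy)."""
        self._require(self.ADMIN_DN)
        if dn in self.entries:
            raise LdapError("entryAlreadyExists")
        self.entries[dn] = {}
        for attr, values in attrs.items():
            self.modify(dn, attr, values)  # reuses the password hashing in modify()

    def delete(self, dn):
        """Delete: remove an entry (admin only in this toy)."""
        self._require(self.ADMIN_DN)
        if self.entries.pop(dn, None) is None:
            raise LdapError("noSuchObject")

def build_sample_directory():
    """Constructed sample data: every DN, name and password here is invented."""
    d, users = ToyDirectory(), "ou=Users," + BASE
    d.bound_as = ToyDirectory.ADMIN_DN  # bootstrap as admin so add() is permitted
    d.add(BASE, {"objectClass": ["domain"]})
    d.add(users, {"objectClass": ["organizationalUnit"]})
    d.add(ToyDirectory.ADMIN_DN, {"objectClass": ["person"], "userPassword": ["admin-pw"]})
    d.add("cn=svc-login," + BASE, {"objectClass": ["person"], "userPassword": ["svc-pw"]})
    for uid in ("jdoe", "asmith"):
        d.add("uid=%s,%s" % (uid, users), {"objectClass": ["person"], "uid": [uid],
                                           "department": ["Finance"], "userPassword": [uid + "-pw"]})
    d.add("cn=finance-share," + BASE, {"objectClass": ["groupOfNames"], "member": ["uid=jdoe," + users]})
    d.bound_as = None
    return d

def login_flow(directory, username, password, group_dn):
    """The four-step client/server exchange: find the user, authenticate, check access, return info."""
    directory.bind("cn=svc-login," + BASE, "svc-pw")  # 1. the application binds with its own account
    try:
        user_dn = directory.lookup(BASE, "uid", username)  # 2. lookup: exactly one matching entry
        directory.bind(user_dn, password)  # 3. the user's own credentials are verified
    except LdapError:  # unknown user and wrong password fail identically: no account enumeration
        raise LdapError("invalidCredentials") from None
    allowed = directory.compare(group_dn, "member", user_dn)  # 4. authorization decision
    return {"dn": user_dn, "allowed": allowed,
            "department": directory.entries[user_dn].get("department", [None])[0]}
```

login_flow walks the four steps from the interaction section: the application binds with its own service account, looks the user up by uid, binds again with the user's password, and asks the directory a Compare question about group membership instead of pulling the whole member list. Two details matter for defenders: an unknown username and a wrong password both surface as invalidCredentials, so the error code cannot be used to enumerate accounts, and a failed bind drops the connection back to anonymous, as a real server would. A search for department=Finance returns two entries, which is why lookup refuses it: a lookup must identify one unique entry.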


References: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/what-is-a-directory-service

