
Directory and Authentication Services – CompTIA A+ 220-1101 – 6.5

Let’s have a look at directory and authentication services.

What are Directory Services?
Directory services are essentially a central database for your organization. They generally contain users, computers, and resources. Directory services are like a giant electronic phone book for your organization. They contain everything from usernames, passwords, and contact information to printers and other resources. They provide a central location for administrators to manage information in one place.

There are a number of different directory services. One of the more popular ones is Active Directory from Microsoft. To look at some of the data in Active Directory, I will open Active Directory Users and Computers. Microsoft provides many different tools to administer data in Active Directory; this is just one of them.

The data is organized into folders called organizational units. Under the organizational unit called “Computers,” there is a list of computer accounts. Active Directory requires a computer account to access resources in a domain. The directory service keeps track of these computer accounts.

Under the organizational unit “NY,” there is a list of users in the New York office. Directory services often allow you to create management structures that match your organizational structure.

I will right-click on the first user and select “Properties.” This will open the properties for that user. There are many attributes you would expect for a user account, like the user account name and user identification information. You will also notice that there is an office phone number and email address. Directory services are also expandable, so it is possible for an organization to add their own attributes if they wish.

The main takeaway is that directory services provide a centralized repository for managing user identities, access control information, and network resources within your organization. The next step is to implement a system to determine who has access and what they have access to.

What are Authentication Services?
Authentication services perform exactly as their name implies: they confirm a user’s identity and determine whether to allow or restrict access. For instance, if a user tries to access a network resource such as a network share, the authentication service checks their identity and their permissions. If the user is authorized, they gain access to the network share; if not, access is denied.

Let’s have a look at how these systems all come together.

Lightweight Directory Access Protocol (LDAP)
One of the protocols that combines directory and authentication services is the Lightweight Directory Access Protocol, or LDAP. LDAP is an open standard for accessing directory services based on the X.500 model. X.500 is an older standard for directory services, but its framework is still used by modern directory services.

To understand how it works, it is best to consider an example. Let’s consider that you have a laptop running Windows 11. The laptop connects to a file share on a Windows Server. The Windows Server needs to know if the user has access to the file share. Thus, the Windows Server uses LDAP to contact Active Directory to verify the identity of the user and that they should have access to the network.

Although Active Directory has the largest market share, it is not the only directory service out there. Let’s consider a user connecting to a network device that provides network sharing. The network device needs to authenticate the user to determine if they have a valid user account. Rather than using Active Directory, it could connect to another directory service using the LDAP protocol.

Having an open protocol like LDAP means that any device that supports it can connect to directory services. For example, our network storage could use Active Directory if needed.

For the A+ exam, the most important point to remember about LDAP is that it uses port 389. Have a basic understanding that the protocol is used to connect to directory services, but you are unlikely to get an in-depth question about it.

Authentication, Authorization, and Accounting (AAA)
If you go on to more advanced networking, you will come across triple A. This stands for Authentication, Authorization, and Accounting. Your software and network devices may state that they support triple A. Triple A devices are designed with these three principles in mind; the label by itself does not mean they support any particular standard.

You are unlikely to get a question about triple A on the A+ exam, but if you go on to study networking, you will need to know it.

Authentication essentially involves usernames, passwords, and any other system used to authenticate. It is important to understand that triple A systems generally don’t hold the user accounts themselves; they connect to other systems to authenticate the user, for example a RADIUS server. RADIUS is often used for authentication for remote access. This makes it well suited to public-facing networking devices like your company’s remote access VPN server.

Authorization involves permissions to access resources. This may be configured locally, but it often involves contacting a directory service to determine if the user is in a particular group.

The last part is accounting, which involves logging access. This may be done locally on the device or the log files may be sent to another device. I will now put everything together that we have learned in this video.

AAA Example
This example is in the official guide. I doubt you will get a question on this in the exam, but it does help you put the topics together that I have covered in this video. On the network is a network switch configured as a RADIUS client. This means that when a device is connected to the network switch, it can be authenticated before being allowed on the network, thus preventing unauthorized devices from connecting to the network.

For the network switch to determine if a device is authorized, it needs to connect to a RADIUS triple A server. The RADIUS server will check if the device is allowed to connect to the network.

For the switch to connect to the RADIUS server, a shared secret will be used on both devices. A shared secret is a piece of data that both parties in the secure communication know. This may be a pre-shared key, username, or password. Regardless of the method used, if both sides have the same information, they will be able to make the connection.

The next step is for the laptop to attempt to connect to the network. In computer networking, a supplicant refers to the software application or hardware device that initiates the authentication process to gain access to a network. It acts as the client-side component requesting permission to connect to a network resource protected by an authentication system.

When the laptop in this example connects to the network switch, the network switch will instruct the laptop that it needs to authenticate to connect to the network. Until the laptop authenticates, the network switch will block all network traffic from the laptop.

The laptop will then send its credentials to the network switch. The network switch does not hold or have access to a database to authenticate the laptop. Thus, it passes the credentials to the RADIUS server.

The RADIUS server validates the credentials. The RADIUS server then sends a message back to the switch that the authentication request was successful. The network switch then opens the port connected to the laptop for regular network traffic.

The laptop is then able to communicate on the network. If you have a network that authenticates devices before they are allowed to communicate on the network, it probably has a setup similar to this one. You are unlikely to get a question like this in the A+ exam, but having some understanding of how it works will help you troubleshoot problems on your network.
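To make the switch-to-RADIUS-server step concrete, here is an added example (not code from the video or the official guide) that models one RADIUS Access-Request and its reply in the on-the-wire format of RFC 2865, showing where the shared secret is used on both sides. The secret, identifier, username and password are constructed values; real 802.1X deployments carry EAP inside RADIUS rather than a plain User-Password attribute, which is used here only to keep the shared-secret mechanics visible.

```python
import hashlib
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865); values are the standard ones
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def attr(atype, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16 bytes, XOR with MD5(secret + Request Authenticator).
    Applying it twice with the same secret recovers the password (one block only)."""
    assert len(password) <= 16, "single-block example"
    mask = hashlib.md5(secret + req_auth).digest()
    return bytes(p ^ m for p, m in zip(password.ljust(16, b"\x00"), mask))

def build_packet(code, ident, authenticator, attrs, secret=None):
    """Header + attributes. With a secret, this is a reply and the authenticator becomes
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), proving the server has the secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if secret is not None:
        authenticator = hashlib.md5(header + authenticator + attrs + secret).digest()
    return header + authenticator + attrs

def switch_builds_request(ident, username, password, secret):
    """The switch (RADIUS client) forwards the supplicant's credentials to the server."""
    req_auth = os.urandom(16)  # Request Authenticator: fresh random bytes per request
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def server_handles_request(packet, secret, user_db):
    """The RADIUS server recovers the password and answers Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, body, fields, pos = packet[4:20], packet[20:length], {}, 0
    while pos < len(body):  # walk the Type-Length-Value attribute list
        atype, alen = body[pos], body[pos + 1]
        fields[atype] = body[pos + 2:pos + alen]
        pos += alen
    password = hide_password(fields[USER_PASSWORD], secret, req_auth).rstrip(b"\x00")
    ok = user_db.get(fields[USER_NAME]) == password
    return build_packet(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, b"", secret)

def switch_verifies_response(response, req_auth, secret):
    """The switch recomputes the Response Authenticator with its own copy of the secret.
    A mismatch means the reply did not come from a server sharing the secret: port stays blocked."""
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return response[4:20] == expected and response[0] == ACCESS_ACCEPT
```

If the secret configured on the switch and the server differ, the server cannot recover the password and the switch cannot validate the reply, so the port stays blocked; this is the usual first thing to check when a RADIUS-backed switch rejects every device.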

End Screen
So why do authentication services make terrible detectives? The only question they ever ask is, “Who are you?” Thanks for watching, and see you in the next video.

References
“The Official CompTIA A+ Core Study Guide (Exam 220-1101)” pages 206 to 207

Credits
Trainer: Austin Mason http://ITFreeTraining.com
Voice Talent: HP Lewis http://hplewis.com
Quality Assurance: Brett Batson http://www.pbb-proofreading.uk
