We were pleased with the installation and integration of DirectorySmart, but this package's Web-based management interface was disappointing compared with those of the others. DirectorySmart's unusual structure also placed a significant performance load on the LDAP server.
We began by installing DirectorySmart's management components on our Windows NT product server. We also installed the API, and used the DirectorySmart Web configuration tool to install the Menu of Services (MOS) and the Web Access Control (WAC). The MOS is used to view resources each user may access; the WAC is OpenNetwork's Web server plug-in. A step-by-step wizard simplified the installation of each service, but having to re-enter the name of the server and port number a dozen or more times for each installation of the plug-in was tedious. We also ran into a DLL (dynamic link library) dependency hang-up with one DirectorySmart file, but OpenNetwork resolved the glitch by sending us an updated system DLL.
Although we found no unique features in DirectorySmart's Web-based management interface, the basic options are well laid out. Using the management menu, we could create, modify, view or delete choices for resources, users and rules. Securant's product is more powerful, but DirectorySmart's interface is straightforward and explicitly offers a long list of DirectorySmart administrative options. However, we didn't like having to take the intermediary step of searching for users, resources or rules.
We tested DirectorySmart by securing the administration pages of our Web site and requesting a protected URL from a Web browser. We chose forms-based authentication for integration with our test Web site. Initial configuration was easy, but we needed to use a custom API to decrypt the current user ID from the DirectorySmart cookie. The plug-in intercepted our request and redirected our browser to the DirectorySmart form login page. Once authenticated, DirectorySmart stored our credentials in an encrypted session cookie (as other products do). No HTTP header variables were used for storing credentials. Before redirecting back to the Web server, DirectorySmart performed an authorization check to verify we had access to the protected resource.
Unlike competing products, DirectorySmart authenticated directly against our LDAP server, rather than sending the request to an intermediary server. Our load generator ran a script that logged us into DirectorySmart, browsed the site and then logged out. When we stopped the test at 2,400 simultaneous connections, our LDAP server was maxed out at 100 percent CPU usage, and the system was handling 300 transactions per second with a response time of 6.4 seconds per Web page. These results indicate that using a plug-in to talk directly to the LDAP server rather than using an intermediary server to cache and balance requests to the LDAP server significantly hurts performance for the entire system. In addition, the Web servers were able to handle the same amount of traffic as the other products, indicating that the repeated calls to the LDAP server triggered the bottleneck and not the overhead caused by the Web server plug-in.
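An added illustration of the bottleneck described above, not code from DirectorySmart or from our test harness: it replays a login-browse-logout session against a counting stand-in for the LDAP server, once directly and once through a caching intermediary. The class names, the 60-second TTL, the sample user and URLs, and the assumption of one directory lookup per page view are all constructed for the example.

```python
import time

class CountingDirectory:
    """Stand-in for the LDAP server: counts every bind and authorization lookup."""
    def __init__(self, users, acl):
        self.users, self.acl, self.ops = users, acl, 0

    def bind(self, user, password):
        self.ops += 1
        return self.users.get(user) == password

    def is_allowed(self, user, url):
        self.ops += 1
        return url in self.acl.get(user, set())

class CachingIntermediary:
    """Hypothetical policy server: caches authorization answers for ttl seconds."""
    def __init__(self, directory, ttl, clock=time.monotonic):
        self.directory, self.ttl, self.clock = directory, ttl, clock
        self.cache = {}  # (user, url) -> (decision, time fetched)

    def bind(self, user, password):
        return self.directory.bind(user, password)  # credential checks are never cached

    def is_allowed(self, user, url):
        now = self.clock()
        hit = self.cache.get((user, url))
        if hit and now - hit[1] < self.ttl:
            return hit[0]  # served from cache, no directory traffic
        allowed = self.directory.is_allowed(user, url)
        self.cache[(user, url)] = (allowed, now)
        return allowed

def run_session(backend, user, password, urls):
    """Log in, then browse; return how many page requests were authorized."""
    if not backend.bind(user, password):
        return 0
    return sum(1 for url in urls if backend.is_allowed(user, url))

def compare(page_views=20):
    """Return (directory ops when direct, directory ops behind the cache)."""
    users = {"alice": "constructed-password"}  # constructed sample data
    acl = {"alice": {"/admin/index.html", "/admin/users.html"}}
    urls = ["/admin/index.html", "/admin/users.html"] * (page_views // 2)
    direct = CountingDirectory(users, acl)
    run_session(direct, "alice", "constructed-password", urls)
    behind = CountingDirectory(users, acl)
    run_session(CachingIntermediary(behind, ttl=60), "alice", "constructed-password", urls)
    return direct.ops, behind.ops
```

The cache trades directory load for revocation latency: a user whose access is removed in the directory keeps any cached permission until the TTL expires, so the TTL should be set with that window in mind.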
DirectorySmart, $10,000 to $850,000, OpenNetwork Technologies. (727) 561-9500, (877) 561-9500; fax (727) 561-0303.
www.opennetwork.com
Michael Ross is a consultant with Internet Consulting Services. Jeffrey H. Rubin is an instructor with the School of Information Studies at Syracuse University and a consultant with Internet Consulting Services. Send your comments on this article to Ross at mross@internetconsult.com or Rubin at jhrubin@internetconsult.com.