Ready For A Directory Enabled World?

Nand Mulchandani

Co-Founder, Oblix, Inc.

[email protected]

March 31, 1999

2

The Digital Persona: Unorganized Elements

[Figure: a scattered cloud of attribute labels. Labels recoverable from the slide: Credit Card Expiration; Frequent Flyer Numbers; Login; Exp Date; Certificate DN; Application Permissions; Securid Number; Challenge Phrase; Location; Floor Number; Monitor Serial Number; Keyboard Serial Number; Title; Organization; Dep’t Number; Department Name; Employee Type; Employee Number; Emp Grade Level; Admin Name; Manager; Direct Reports; Indirect Reports; Line; Phone Number; Fax Number; Mobile Phone; Pager Number; Pager email Address; Name; Initials; Home Address; Home Phone Number; Emergency Contact; Emergency Phone; Social Security Number; College Name; Hometown; Personal URL; Department URL; Directory Photo; Credit Card Number; Airline prefs; Airline Seating Prefs; Budget Authority; Login ID; Password; Password Change Date; Password Expiration Date; Language; Email Address; Email Absence Message; Project Groups; Skills; Project Responsibilities; Personal Groups; Desktop OS Version; MS Office Version; Browser Version; IP Address; Network Drops; Primary Machine; IP Address; Primary Printer; Remote Access?; Remote Access Login ID; Remote Access password; Primary Dial-in Number; Connection Speed; Securid Exp Date; Challenge Phrase Response; Work Address; Mailstop; Building Number; Room Number; Cubicle Number; Mailing Address; Geographic Region; License Plate; Pager Serial Number; Laptop Serial Number; Modem Serial Number; Mouse Serial Number; Cell Phone Serial Number; Badge Photo; Badge Issue date; Badge Exp Date; Building Access Authorizations; Building Badge Number]

3

Overview

• Directory Enabled Applications
• Directory Enabled Infrastructure
• Issues to consider when deploying Directories
  – How do Directory Servers fit into everything
  – Scope and use of the Directory
  – Implementation considerations
• Longer term issues with Directories

4

The Power of the Directory Enabled Network

• The power of a Directory is directly proportional to the number of applications using it
• Directories hold the promise of enabling a new class of applications
  – Rich and comprehensive profiles drive personalization
  – Ubiquity of configuration information drives universal access
  – Infrastructure (like the network) automatically works with the applications
  – Ability to set global policies in a single place
  – Extensive access control to set up and enforce policies
  – User centric vs. Administrator centric focus
• Directory-enable existing applications
  – Can replace parts of the applications to enable Directory use
  – Can synchronize application information into the Directory

5

What does “Directory Enabled” mean?

• Any application that uses or stores information in the Directory
• Basic Information to keep in the Directory
  – User Profile Information
  – Application Configuration Information
  – Business Rules & Policy Information
• Directory Enabled Infrastructure
  – Directory Enabled Networking (DEN)
  – Messaging Servers
  – Single Signon
  – Application Configuration Information
• Directory Enabled Applications
  – Messaging Clients, Address books
  – Project Management
  – Corporate Services Automation (CSA)

6

Directory Enabling Your Applications

• Use Directory authentication
  – Eliminate multiple user authentication databases
• Store application configuration information in the Directory
  – Can run multiple copies of the products without having to deal with configuration information
  – Can manage configuration information through standard admin consoles (e.g. Netscape Mission Control)
• Add per-user configuration information with user object
  – Current trend is to use auxiliary classes to store this information
  – Can distribute change management of this information using applications like Oblix CSA
  – Per-user configuration is not tied down to a particular computer or workstation
  – Information can be used by other applications as well

7

Promise of the Directory Enabled Network

[Diagram labels: User Profile & Needs; Available Resources; Policy; Resource Allocation]

• Combination of factors to allocate resources
• Policy = Business Rules + Specific Rules
  – Can set specific rules based on users, groups

8

Considerations in Directory deployment

• It is important to understand how the Directory fits in with the organization
  – Existing business processes
  – Organizational/Environmental considerations
• Scope and use of the Directory
  – NOS vs. Extranet
  – Authentication only vs. complete profiles
  – Publishing vs. Infrastructure
  – Is the Directory only for use by IT infrastructure?
• Implementation considerations
  – Tree design issues
  – Access Control
  – Data sources and synchronization
  – Directory Management

9

Current Situation

[Diagram labels: Systems; Administrators; Process; Users; Days / Weeks]

10

Desired Architecture

[Diagram labels: Systems; Users; LDAP-Based Directory; Real-Time]

11

The Digital Persona

12

Factors In Creating The Digital Persona

• Ownership and collection of data
  – Security issues
  – Political issues
  – Different databases and systems holding information
• Business Processes
  – No clear definition of information ownership and flow
  – Tying together effects on multiple departments
• Corporate Change
  – Disruption in IS and other departmental systems
  – Frequency and scope of change
• End user involvement
  – How much end-user involvement do you want or need?
  – What information should they own?

13

Key Questions

• Where does the information come from?
  – Department specific databases and applications
• Who owns the data?
  – IS
  – Other departments (HR, Facilities, Telco)
  – Employees and Managers
• Who manages the data?
  – IS wants to manage their own data but not all the data
  – Other departments want to own their own data but don’t have access to it
• How is it all automated?
  – Manual entry by a few people is simply not possible
• Where are the savings?
  – Infrastructure is not enough, need applications and other uses of data

14

Volume and Complexity of Change

• Constant change in the user base affects the Directory
  – Rolling out these new services can place a new load on administrators to keep up with the constant change in the user base
• Integration with the rest of the enterprise
  – With the concept of the integrated network, it is no longer possible to have disconnected business processes
  – The Directory is fundamental and cannot exist in isolation
  – Requires coordination with HR, Facilities, Telco, etc.
• Policies cannot be centrally created and managed by a single group
  – All that IS should do is set policies, and let the different departments take care of what they want to do within those constraints
  – Need to understand organizational/cost structure to set policies

15

Different Directory Deployments

• Directories are being used in a number of different (but related) environments
  – Enterprise
  – Extranet e-commerce applications
  – ISP Service Provisioning

[Diagram labels: Extranet; Internet; ISPs; Large Enterprise Customers]

16

Enterprise Directory Deployment

• Single Directory with all user profiles?
  – Short term, customers are deploying Directories for specific reasons or in conjunction with other systems (like Messaging Servers)
• Cross-Vendor Directory replication is very important
  – If there is more than one Directory, then need to synchronize the various systems
  – Unfortunately, cross-vendor Directory replication does not entirely work
• Transition will happen over time

17

Extranet/ISP Directory Deployment

• Extranet/ISP: Access control based on user profiles
  – Profiles control application use, information, etc.
• Extranet: Internal vs. External users
  – Typically not stored in the same Directory as the internal users
  – Need to roll out self-service to manage support costs
• ISP: Policy management outside the firewall
  – Bandwidth control for customers

18

Directory Tree Design

• How do we create a single Directory structure based on different views of the organization?
• Network Administrators
  – “Everyone in a subnet”
  – “Everyone in a domain”
• HR
  – “Everyone in a division”
  – “Everyone in a cost-accounting group”
• Facilities
  – “Everyone in this building”
• Telecom
  – “Everyone on a particular switch”

19

Example: Directory Enabled Networking

• Each DS uses its own tree structure
  – Some are flexible, and some are not
  – Differs between Active Directory and Netscape Directory Server
• Policies are set up at the tree level
  – Can set up overall policies based on organizational unit (ou), or even for specific users
• Impact of Directory structure
  – Access control and policy creation can be rendered useless with a flat tree structure
  – Can find alternate ways of defining membership (dynamic groups, common attributes)
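
The flat-tree problem and the dynamic-group alternative from the two slides above, as an added example that is not part of the original slides: tree-scoped selection cannot separate users who all sit under one container, while a membership filter over common attributes can express the "everyone in this building" or "everyone in a division" views. The entries, the `o=example` suffix and the attribute names are constructed, and the filter parser covers only equality, `&`, `|` and `!` from the LDAP string filter syntax.

```python
import re
# Constructed flat tree: every user directly under ou=People (attribute names assumed).
ENTRIES = [
    {"dn": "uid=ana,ou=People,o=example", "division": "Sales", "building": "B1"},
    {"dn": "uid=raj,ou=People,o=example", "division": "Sales", "building": "B2"},
    {"dn": "uid=kim,ou=People,o=example", "division": "IT", "building": "B1"},
    {"dn": "uid=lee,ou=People,o=example", "division": "IT", "building": "B2"},
]
ITEM = re.compile(r"([A-Za-z][\w-]*)=([^()*\\]+)")  # equality only, no wildcards

def _parse(s, i):
    # Parse one parenthesised filter starting at s[i]; return (node, next_offset).
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"bad operand count for '{op}'")
        node = (op, kids)
    else:
        m = ITEM.match(s, i)
        if not m:
            raise ValueError(f"unsupported item at offset {i}")
        node, i = ("=", m.group(1).lower(), m.group(2).lower()), m.end()
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] == "=":
        return str(entry.get(node[1], "")).lower() == node[2]
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all(results), "|": any(results), "!": not results[0]}[node[0]]

def dynamic_group(filter_text, entries=ENTRIES):
    """DNs of entries whose attributes satisfy the group's membership filter."""
    node, end = _parse(filter_text, 0)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return [e["dn"] for e in entries if matches(node, e)]

def subtree(base, entries=ENTRIES):
    """Tree-scoped selection: DNs of entries at or below the base DN."""
    suffix = "," + base.lower()
    return [e["dn"] for e in entries if ("," + e["dn"].lower()).endswith(suffix)]
```

A policy attached to `ou=People` reaches all four users, whereas `dynamic_group("(&(division=Sales)(!(building=B1)))")` selects one; unsupported filter items such as wildcards are rejected rather than silently matched.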

20

Longer-term issues with Directory Servers

• Infrastructure Issues
  – Scalability
  – Replication
    • Same vendor server to server
    • Different vendor server to server
  – Inter-operability between different servers
  – “Platform” independence
  – Security and authentication
    • Certificates, etc.
    • Proxy connections and access control
• Application Support Issues
  – Schema design and extension
  – Directory structure and layout
    • Organizational, Network-oriented, Geographic, Flat
  – Access control to support a variety of different uses
  – Transaction support

