Directory Services
DIT Design
Jim Rommel
Perot Systems Corporation
Jim Rommel
Sr. Directory Specialist: Perot Systems Incorporated
4 years experience with X.500/LDAP Directory Services at
   Texas Instruments and Perot Systems
Prior experience with Object Repository Technology
X.500/LDAP Experience includes:
   Schema and DIT Design
   Directory Infrastructure Integration
   Directory Synchronization
   LDAP Development
   Client DUA Development
   X.500/LDAP Vendor evaluations
   Installation and Maintenance of several X.500/LDAP products
DIT Design
What is a DIT?
   Directory Information Tree
   The logical hierarchical structure and categorization of
    directory information
   Different naming attributes within the tree:
    •   c : country
    •   o : organization
    •   ou : organizational unit
    •   l : locality
    •   cn : common name
   DIT structure rules determine which naming attributes
    must precede others in the hierarchy
   Each entry in a Directory must have a unique
    Distinguished Name (DN): its own RDN followed by the RDNs of its
    ancestors up to the root. The DN is also the identity that binds,
    access controls and certificate subjects refer to, which is why the
    rest of this deck cares about DNs being unique and stable.
DIT Design: People By Department

c=US
  o=Acme
    ou=Sales
    ou=R&D
    ou=Engineering
      cn=Mike Smith
    ou=Accounting
    ou=Mfg.
DIT Design: Types of People

c=US
  o=Acme
    ou=Employees
      cn=Mike Smith
    ou=Contractors
    ou=Customers
    ou=Others
DIT Design: By Location

c=US
  o=Acme
    l=Headquarters
    l=New York
    l=Chicago
    l=Dallas
      cn=Mike Smith
    l=Los Angeles
DIT Design: Deep Tree By Department

c=US
  o=Acme
    ou=People
      l=North America
        l=New York
        l=Dallas
          cn=Mike Smith
        l=Los Angeles
      l=Asia
        l=Japan
        l=Singapore
      l=Europe
        l=London
        l=Munich
        l=Paris
DIT Design: Deep Tree

c=US
  o=Acme
    ou=People
      cn=Joe Boss
      l=North America
        cn=Clara Jordan
        ou=Sales
          l=DFW
          l=LA
            cn=Soopy Sales
          l=NYC
        ou=Engineering
          cn=Mike Smith
      l=Asia
        ou=MFG
        ou=Engineering
          cn=Mike Smith
        ou=R&D

(Entries may sit at any depth. The two cn=Mike Smith entries have
distinct DNs because they live in different subtrees.)
DIT Design: Flat Tree

c=US
  o=Acme
    ou=People
      cn=Mike Smith
DIT Design: Flat Tree

c=US
  o=Acme
    ou=People
      cn=Mike Smith #1
      cn=Mike Smith #2

(Two people named Mike Smith directly under ou=People would get the
same DN, so the naming attribute has to carry something unique.)
DIT Design: Perot Systems DIT

c=US
  o=Acme
    ou=People
      cn=SmithET
      cn=AikmanTA
      cn=SandersDJ
      cn=GonzalesJ
      cn=ModanoMW
DIT Design: Perot Systems DIT

c=US
  o=Acme
    ou=People
      cn=SmithET
      cn=AikmanTA
      cn=SandersDJ
      cn=GonzalesJ
      cn=ModanoMW
    ou=Groups
      cn=Directory User
      cn=Mail Admin
      cn=Medical Admin
      cn=Medical User
    ou=Locations
      site=TX-SD
      site=TX-RI
      site=SW-BK
      site=NY-AA
    ou=Apps
      ou=Web Sites
      ou=Medical
      ou=Resumes
    ou=Systems
    ou=Schema
DIT Design: Deep -vs- Flat Trees
Deep Trees:
   Can result in long Distinguished Names (DN)
   May reflect your actual corporate structure
   Can result in administrative problems if your
    organization is constantly changing
   Better chance of having unique names within a
    subtree
   Works well if you want to distribute the data
    across multiple DSAs and do multi-mastering
DIT Design: Deep -vs- Flat Trees
Flat Trees:
   No need to categorize people
   Short Distinguished Names, easy to remember
    and type
   DIT is very stable: not affected by organizational
    changes, and easy to administer
   Higher chance of name collisions
   Not well suited for Browsing
   Can result in longer load times or startup times,
    depending on the Directory Product you use
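Added example (not from the presentation): the trees on the Flat Tree and Deep Tree slides rendered as DNs, with RDN values escaped the way RFC 4514 requires and a collision check that shows why the flat tree needs a unique naming attribute. The builder also handles the multi-valued "cn=...+uid=..." RDN form that a later slide considers. All entries are constructed from the slide diagrams; normalize_dn() is an approximation of DN matching, not a full RFC 4514 matcher.

```python
# Added example (not from the presentation): build DNs for the Acme trees on
# the slides, escape RDN values per RFC 4514, and check a tree for DN
# collisions. All entries are constructed from the slide diagrams.


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in an RDN (RFC 4514 section 2.4).

    Left unescaped, a value such as 'Smith, Mike' is read back as two RDNs
    and 'a+b' as a multi-valued RDN, so an attacker-chosen value could move
    an entry to a different place in the tree than the one intended.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':                  # special anywhere in the value
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # only special when leading
            out.append("\\#")
        elif ch == " " and i in (0, last):    # leading/trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def rdn(*avas):
    """Render an RDN from (type, value) pairs. More than one pair gives a
    multi-valued RDN joined with '+', e.g. cn=Mike Smith+uid=smithMJ."""
    return "+".join(f"{t}={escape_rdn_value(v)}" for t, v in avas)


def dn(*parts):
    """Join RDN strings (or partial DNs) leaf-first into one DN."""
    return ",".join(parts)


def normalize_dn(d: str) -> str:
    """Comparison key for DN equality. Attribute types are case-insensitive
    and the naming attributes used here (cn, uid, ou, o, c, l) match with
    caseIgnoreMatch, so folding case is enough for these trees. Assumption:
    this is not a full RFC 4514 matcher (escape sequences are not folded)."""
    return d.lower()


def find_collisions(dns):
    """Return the normalized DNs that occur more than once in the list."""
    seen, dups = set(), []
    for d in dns:
        key = normalize_dn(d)
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


BASE = dn(rdn(("o", "Acme")), rdn(("c", "US")))      # o=Acme,c=US


def flat_tree_dns():
    """'Flat Tree' slide: every person directly under ou=People."""
    people = dn(rdn(("ou", "People")), BASE)
    return [
        dn(rdn(("cn", "Mike Smith")), people),
        dn(rdn(("cn", "mike smith")), people),      # the second Mike Smith
        dn(rdn(("cn", "Clara Jordan")), people),
    ]


def deep_tree_dns():
    """'Deep Tree' slide: the two Mike Smiths live in different subtrees."""
    people = dn(rdn(("ou", "People")), BASE)
    na_eng = dn(rdn(("ou", "Engineering")), rdn(("l", "North America")), people)
    asia_eng = dn(rdn(("ou", "Engineering")), rdn(("l", "Asia")), people)
    return [
        dn(rdn(("cn", "Mike Smith")), na_eng),
        dn(rdn(("cn", "Mike Smith")), asia_eng),
        dn(rdn(("cn", "Clara Jordan")), rdn(("l", "North America")), people),
    ]


def multi_valued_rdn_dn():
    """The 'cn=...+uid=...' form: the uid half supplies the uniqueness."""
    return dn(rdn(("cn", "Mike Smith"), ("uid", "smithMJ")),
              rdn(("ou", "People")), rdn(("o", "Perot Systems")), rdn(("c", "US")))


if __name__ == "__main__":
    print("flat tree collisions:", find_collisions(flat_tree_dns()))
    print("deep tree collisions:", find_collisions(deep_tree_dns()))
    print(multi_valued_rdn_dn())
    print(dn(rdn(("cn", "Smith, Mike")), rdn(("ou", "People")), BASE))
```

The escaping matters beyond tidiness: a DN is parsed back into RDNs by every server and client that handles it, so an unescaped comma or plus sign in a person's name changes where the entry appears to sit in the tree, and therefore which access-control rules apply to it.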
DIT Design: Selecting a Distinguished Name

cn=Mike Smith, ou=People, o=Perot Systems, c=US

   cn = Mike Smith

   - DN changes if the person's surname changes (e.g. on marriage)
   - DN changes if I change my nickname
   - Name may not be unique
DIT Design: Selecting a Distinguished Name

cn=0175387, ou=People, o=Perot Systems, c=US

   cn = 0175387
   givenName = Michael
   nickname = Mike
   surname = Smith

   + DN guaranteed to be unique
   + DN never changes
   + More robust searching using name components
   - Browser shows useless information
   - Microsoft and Netscape mail clients expected
     a real name in the commonName (cn) field
DIT Design: Selecting a Distinguished Name

uid=0175387, ou=People, o=Perot Systems, c=US

   uid = 0175387
   cn = Mike Smith
   givenName = Michael
   nickname = Mike
   surname = Smith

   + DN guaranteed to be unique
   + DN never changes
   + More robust searching using name components
   + commonName (cn) field contains a real name, so it
     works well with other LDAP applications
   - Browser shows useless information
DIT Design: Selecting a Distinguished Name

uid=smithMJ, ou=People, o=Perot Systems, c=US

   uid = smithMJ
   cn = Mike Smith
   givenName = Michael
   nickname = Mike
   surname = Smith

   + DN guaranteed to be unique
   + More robust searching using name components
   + commonName (cn) field contains a real name
   + Browser shows more useful information
     (although not as ideal as a full name)
   + Directly maps to a user's logon ID (can be used
     for single signon)
   - DN has the potential to change if the name or
     UID changes
   - Entrust product requires the commonName (cn)
     to be part of the DN
DIT Design: Selecting a Distinguished Name

cn=Mike Smith + uid=smithMJ, ou=People, o=Perot Systems, c=US

   cn = Mike Smith + uid = smithMJ   (multi-valued RDN)
   givenName = Michael
   nickname = Mike
   surname = Smith

   + DN guaranteed to be unique
   + More robust searching using name components
   + Directly maps to a user's logon ID (can be used
     for single signon)
   + commonName (cn) field contains a real name
   + commonName (cn) is part of the DN
   - DN has the potential to change
   - Awkward way of achieving uniqueness
   - Complicated DN syntax
   - More complicated Directory logon procedures
   - This syntax may not be accepted as standard in
     the future
DIT Design: Selecting a Distinguished Name

cn=smithMJ, ou=People, o=Perot Systems, c=US

   cn = smithMJ       (the value used in the RDN)
   cn = Mike Smith    (second value of the same attribute)
   givenName = Michael
   nickname = Mike
   surname = Smith
   uid = smithMJ

   + DN guaranteed to be unique
   + More robust searching using name components
   + Directly maps to a user's logon ID (can be used
     for single signon)
   + commonName (cn) field contains a real name
   + commonName (cn) is part of the DN
   - DN has the potential to change
   - Data is duplicated in several areas (uid and cn)
   - Value displayed for commonName may vary
DIT Design: Selecting a Distinguished Name

uid=smithMJ, ou=People, o=Perot Systems, c=US          (the real entry)
cn=smithMJ, ou=Certificates, o=Perot Systems, c=US     (alias pointing at the ou=People entry)

   ou=People entry:
     uid = smithMJ
     cn = Mike Smith
     givenName = Michael
     nickname = Mike
     surname = Smith
   ou=Certificates entry:
     cn = smithMJ   (alias pointer)

   + DN guaranteed to be unique
   + More robust searching using name components
   + Directly maps to a user's logon ID (can be used
     for single signon)
   + commonName (cn) field contains a real name
   + commonName (cn) is part of the DN (via the alias)
   - DN has the potential to change
   - Problems with X.500 aliases:
     - no built-in referential integrity (nothing removes or
       repoints the alias when the target entry moves)
     - will LDAPv3 support them? (LDAPv3 does define alias
       dereferencing in search requests, but product support
       and access-control behaviour for aliases vary)
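Added example (not from the presentation): every option above that moves the real name out of the DN still promises "more robust searching using name components". This shows what that search looks like for a client, and why the values placed in a filter must be escaped per RFC 4515: an unescaped value can rewrite the filter so it matches every entry. The entries are constructed from the uid=0175387 slide (with a second Mike Smith added), and search_equality() is a small in-memory stand-in for a server's equality-filter evaluation, not a real LDAP client. "surname" on the slides is the attribute LDAP names sn.

```python
# Added example (not from the presentation): a client searching by name
# components (givenName, surname, nickname) while the DN carries a stable
# uid, with filter values escaped per RFC 4515. The entries are constructed
# from the 'uid=0175387' slide, and search_equality() is a small in-memory
# stand-in for a server's equality-filter evaluation, not a real LDAP client.
# 'surname' on the slides is the attribute LDAP names sn (surname is its alias).


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: *, (, ), backslash and NUL in an assertion value
    must be written as \\XX hex escapes."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def and_filter(**avas) -> str:
    """Render (&(type=value)...) with every value escaped."""
    parts = "".join(f"({t}={escape_filter_value(v)})" for t, v in avas.items())
    return f"(&{parts})"


def unsafe_and_filter(**avas) -> str:
    """The same filter built by plain concatenation; shown only to
    contrast with and_filter()."""
    parts = "".join(f"({t}={v})" for t, v in avas.items())
    return f"(&{parts})"


# Constructed directory content: DN -> attributes (values are lists, as LDAP
# attributes are multi-valued). Two different people are both 'Mike Smith'.
ENTRIES = {
    "uid=0175387,ou=People,o=Perot Systems,c=US": {
        "uid": ["0175387"], "cn": ["Mike Smith"], "givenName": ["Michael"],
        "nickname": ["Mike"], "sn": ["Smith"],
    },
    "uid=0175388,ou=People,o=Perot Systems,c=US": {
        "uid": ["0175388"], "cn": ["Mike Smith"], "givenName": ["Michael"],
        "nickname": ["Mikey"], "sn": ["Smith"],
    },
    "uid=0175389,ou=People,o=Perot Systems,c=US": {
        "uid": ["0175389"], "cn": ["Jane Doe"], "givenName": ["Jane"],
        "nickname": [], "sn": ["Doe"],
    },
}


def search_equality(entries, **avas):
    """DNs of entries holding every requested value (caseIgnoreMatch, as for
    cn, sn and givenName, so the comparison is case-insensitive)."""
    hits = []
    for d, attrs in entries.items():
        if all(any(v.lower() == want.lower() for v in attrs.get(t, []))
               for t, want in avas.items()):
            hits.append(d)
    return hits


if __name__ == "__main__":
    # Name components alone are ambiguous, which is why the DN needs a uid.
    print(and_filter(givenName="Michael", sn="Smith"))
    print(search_equality(ENTRIES, givenName="Michael", sn="Smith"))
    print(search_equality(ENTRIES, givenName="Michael", sn="Smith", nickname="Mike"))
    # A user-supplied value that is not escaped rewrites the filter so it
    # matches every entry with a uid; escaped, it matches nothing.
    print(unsafe_and_filter(cn="*)(uid=*"))
    print(and_filter(cn="*)(uid=*"))
```

The two Mike Smiths are exactly the case the slides are working around: a search by givenName and surname returns both, and only the uid in the DN tells them apart. Note also that the filter a client sends is a string the server parses, so the "(cn=*)(uid=*)" rewrite produced by unsafe_and_filter is a real injection path, not a cosmetic difference.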
DIT Design: An IETF DIT Naming Proposal
http://www.imc.org/draft-ietf-ids-dirnaming
(the draft was later published as RFC 2247, "Using Domains in
LDAP/X.500 Distinguished Names")

  "The X.500 approach to naming has become an obstacle to the wide
   deployment of directory-enabled applications on the Internet."
DIT Design: An IETF DIT Naming Proposal
http://www.imc.org/draft-ietf-ids-dirnaming

The dc naming attribute stands for domain component.
The idea is to map the upper levels of the tree to registered
DNS names (in this case acme.com):

dc=com
  dc=acme
    dc=Corporate
    dc=Customers

Lower levels of the tree also use the dc naming attribute, and
each user is identified with the uid naming attribute containing
the e-mail address:

dc=com
  dc=acme
    dc=Corporate
      uid = mike.smith@acme.com
      cn = Mike Smith
      givenName = Michael
      surname = Smith
    dc=DalSite
      uid = jane.doe@acme.com
      cn = Jane Doe
      givenName = Jane
      surname = Doe
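Added example (not from the presentation): the dc mapping described above, carried out in code: a registered DNS name becomes the upper dc RDNs, lower-level dc containers are appended by the caller, and the user's RDN is uid=<e-mail address> as on the slide. Domain, container and user names are constructed from the slide; the DNS-label check and the refusal of RDN-special characters are the added checks a practitioner would want before trusting a name that came from DNS or from user input.

```python
# Added example (not from the presentation): map registered DNS names onto
# the dc-based tree of the IETF proposal and build the uid-based user DNs
# shown on the slide. Domain, container and user names are constructed from
# the slide; the lower-level containers (dc=Corporate, dc=DalSite) are passed
# in by the caller.
import re

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen,
# at most 63 characters.
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_dns_name(domain: str) -> bool:
    """True if every label of the domain is a syntactically valid DNS label."""
    labels = domain.strip(".").split(".")
    return all(LABEL.match(lbl) for lbl in labels)


def domain_to_dc(domain: str) -> str:
    """acme.com -> dc=acme,dc=com: each label becomes one dc RDN, most
    specific first, the same right-to-left order DNS itself uses."""
    if not is_dns_name(domain):
        raise ValueError(f"not a DNS name: {domain!r}")
    return ",".join(f"dc={lbl.lower()}" for lbl in domain.strip(".").split("."))


def dc_to_domain(base_dn: str) -> str:
    """Inverse mapping, dc=acme,dc=com -> acme.com; refuses any non-dc RDN so
    a DN from some other part of the tree is not mistaken for a domain."""
    labels = []
    for r in base_dn.split(","):
        t, _, v = r.strip().partition("=")
        if t.lower() != "dc":
            raise ValueError(f"not a dc RDN: {r!r}")
        labels.append(v)
    return ".".join(labels)


def user_dn(email: str, *containers: str) -> str:
    """uid is the e-mail address (as on the slide); optional lower-level dc
    containers go between the entry and the domain's dc tree. Values that
    contain RDN-special characters are refused rather than escaped here."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    for v in (email, *containers):
        if any(ch in v for ch in ',+"\\<>;'):
            raise ValueError(f"RDN value needs escaping: {v!r}")
    rdns = [f"uid={email}"] + [f"dc={c}" for c in containers]
    return ",".join(rdns + [domain_to_dc(domain)])


if __name__ == "__main__":
    print(domain_to_dc("acme.com"))
    print(user_dn("mike.smith@acme.com", "Corporate"))
    print(user_dn("jane.doe@acme.com", "DalSite"))
    print(dc_to_domain("dc=acme,dc=com"))
```

Because the top of the tree is derived from a name the organization already controls in DNS, two organizations cannot collide at the top level the way two "o=Acme" entries could; the checks above make sure only well-formed labels are turned into RDNs.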
DIT Design
Conclusion
 Robust DIT naming and design standards are not in place yet
 There is currently no single “right way” to design your DIT that
  applies to everyone
 Take into consideration your organization
   – the organizational structure
   – the organization’s tendency to change
   – the organization’s current size and potential to grow
 Take into consideration how you want to use the directory
   – what information will be stored in the directory
   – who will own what data and how it will be mastered
   – what other systems in the infrastructure will be
     using/storing the data
   – how and what applications will be accessing the data
 Remember that a DN is also an identity: access-control entries, group
  memberships and certificate subject names (see the Entrust note above)
  refer to it, so a naming attribute that may have to change later costs
  more than administrative effort
Questions???
Jim Rommel
Perot Systems Corporation

email: jim.rommel@ps.net
phone: 972-461-3689
fax:   972-461-3030

				