Maintenance

Understanding and Deploying LDAP Directory Services > 25. Case Study: A Large Multinational Enterprise > Deployment

Deployment

While the directory design was being completed and reviewed, HugeCo formed a directory deployment team. The deployment team included all the people who participated in the design process, plus system administrators responsible for the actual rollout and for running the service on a day-to-day basis. An IS employee who had expertise in network monitoring and escalation procedures was also added to the team.

Product Choice

Before making a final choice of LDAP server software, HugeCo performed an extensive in-house evaluation. After talking to a large number of directory server vendors , HugeCo narrowed its choice to three products: Netscape Directory Server, ISOCOR's Global Directory Server, and OpenDirectory's Dxserver. Evaluation copies of each of the three products were obtained, and each was subjected to a thorough evaluation that involved installing the products, configuring them with HugeCo's custom schema, setting up replication, and conducting performance and scalability testing using custom tools.

In the end, the team selected the Netscape Directory Server product for the following reasons:

• Best performance and scalability, as observed during performance tests

• Support for SSL security, as required by HugeCo's replication and security design

• Flexible, powerful access controls

• Good support for international data

• Comprehensive management tools that provide a Java GUI and a command-line interface

• Customizable HTML-to-LDAP gateway for building phonebook interfaces and directory management applications

HugeCo also evaluated several LDAP software development kits (SDKs), including Netscape's C and Java SDKs, a few LDAP Perl modules they found on the Internet, Microsoft's ADSI, and JavaSoft's JNDI. The team found that all these SDKs were functional but decided to focus on Netscape's SDKs and the PerLDAP Perl module for most of its own development projects. Availability of source code for the SDKs was considered a nice bonus, but the main reason the team recommended the Netscape SDKs was because it felt confident that they would work well with the Netscape server products already selected.

Piloting

A fairly extensive directory service pilot was conducted to prove the directory design, become familiar with the directory software, and determine the level of effort required to roll out and maintain the production service. HugeCo's North America and Asia Pacific regions participated in the pilot, which was conducted over four months. During the pilot, the directory service was deployed in a limited number of physical sites within each region. Figure 25.10 shows the pilot topology.

Figure 25.10 HugeCo's directory pilot topology.

The directory-enabled applications used in the pilot included the following:

• Netscape Messaging Server to provide electronic mail routing and delivery for end users.

• A simple workflow application to allow employees to request vacations and other time off. This was hosted by a Netscape Enterprise (Web) Server and included an interface for employees (used to request time off) and an interface for managers (used to approve time off requests ). The application uses the hcEmployeeRole and manager attributes within employee entries to route time off requests appropriately and verify that a specific manager is allowed to approve or deny an employee's request.

• An employee phonebook to support anonymous directory lookups and employee self-service activities such as setting passwords or changing home telephone numbers . This was built using a customized version of Netscape's HTML-to-LDAP directory gateway.

Apart from testing the directory-enabled applications, an important goal of the pilot project was to obtain feedback on the directory service from end users and system administrators. To collect feedback from end users, the directory phonebook was modified halfway through the pilot to occasionally display a simple survey form before providing access to the phonebook itself. Face-to-face and telephone interviews were conducted to collect feedback from system administrators of directory-enabled applications and the directory service.

The pilot showed that most of HugeCo's directory design choices were sound. One major redesign was done halfway through the pilot after the team experienced the pain of managing a replication topology that included a large number of partitions. (As discussed earlier in this case study, the directory namespace was redesigned to use a simpler structure based on regions instead of DNS subdomains.)

After the pilot project was complete, most of the hardware used was incorporated into the production directory service. A few servers were reserved to form a testbed for future experiments with new applications, new directory server software, and directory design changes. Figure 25.11 shows the testbed topology.

Figure 25.11 The HugeCo directory testbed.

Normally, none of the servers in the testbed are connected to the production directory service, although sometimes they are temporarily incorporated into the production topology to prepare for software upgrades or obtain data for testing purposes.

Analyzing and Reducing Costs

HugeCo tried to minimize the ongoing cost for its directory service by saving money in the following ways:

• All routine directory administrative tasks were automated, including nightly backups , service monitoring, creation of entries for new employees, and deletion of entries for terminated employees.

• Pilot hardware was reused to deploy the production service and form a directory service testbed.

• A relatively small number of larger, more expensive server machines was used instead of many smaller ones. This followed the principle that personnel costs are more significant than hardware costs, and it fit well with HugeCo IS's general approach toward service deployment.

HugeCo has not conducted a thorough analysis of directory costs and has no immediate plans to do so.

Going Production

Because HugeCo's directory deployment involved a large number of sites, servers, and applications, the production rollout was a complex undertaking. The key to success was to roll out the service in four phases:

1. Roll out directory servers and the phonebook application in one region (North America).

2. Roll out directory servers and the phonebook application in the remaining three regions using the same server configuration and enlisting the assistance of IS staff members who deployed the North American service.

3. Deploy directory-enabled email services in each region. This was handled by the regional IS staff, with help from some directory experts in the central IS organization.

4. Deploy other directory-enabled applications, including Web-based workflow applications.

In conjunction with the production rollout, training sessions were conducted within each region for IS system administrators and help desk staff. The IS communication group spread the word about the directory service by publishing a series of how-to articles in the employee newsletter and through a "Do you know where your directory entry is?" poster campaign. Posters were placed in every HugeCo building to encourage employees to try the phonebook application and update their own directory entry. The poster campaign raised awareness of the new service and improved the accuracy and completeness of employee information in the directory.

Index terms contained in this section

2002, O'Reilly & Associates, Inc.