Directory Coexistence Implementation Considerations

   

The design and implementation of any directory coexistence solution inevitably involves sweat, trial and error, and some frustration. As always, we recommend an incremental approach: Tackle your most critical coexistence requirements first, while keeping the other needs in mind. Succeeding usually involves many trade-offs, and it may be difficult to meet all of your requirements on day one. This section describes a variety of implementation considerations, with the goal of helping you make the right trade-offs.

Implementation Options

Depending on your requirements, you may have a lot of flexibility in how you achieve coexistence between each data source and your directory service, or you may not. The techniques presented earlier in this chapter all have their pros and cons. Usually there is a trade-off between complexity of implementation and the functionality achieved.

For example, a one-time migration of data is easy, but it does not provide for future updates to or from the original data source. On the other hand, a two-way synchronization approach with N-way join that is based on commercial metadirectory software can provide a wide range of functionality, including extensive data translation facilities, near real-time synchronization of data, and multiple places where data may be updated. However, there is no free lunch: Such systems are often difficult to design, deploy, and maintain.

As has been our theme throughout this book, we recommend that you choose the simplest technique that adequately meets your needs. Remember, different techniques will be appropriate for different data sources and elements.

Performance Implications

One important area of directory coexistence that is often overlooked is the performance of the systems used to achieve that coexistence and the impact of coexistence on your directory service and other data sources. Some coexistence techniques are by nature more performance intensive than others; for example, two-way synchronization may impose twice as much system load as one-way synchronization. But you can dramatically improve performance by reducing the frequency of synchronization or by using incremental updates instead of completely refreshing the data.

Before you decide which coexistence techniques and tools to use, think about performance and engage in some thought experiments. After you have made a preliminary decision about which techniques to use, evaluate the actual performance by running a directory coexistence pilot. See Chapter 14, Piloting Your Directory Service, for more information on conducting meaningful pilot deployments.

Directory Coexistence Tools

Once you have chosen your preferred coexistence techniques, you need to select a set of tools to implement them. Here are some of the many choices:

  • Application-specific synchronization tools. Some application packages, such as e-mail server software, include synchronization and data translation tools. At the very least, file-based import and export tools are usually provided.

  • Tools that come with your directory server software. Most directory server implementations have the ability to import and export data in a variety of formats. Some also include synchronization software.

  • Metadirectory and virtual directory software. Sophisticated (and expensive) commercial packages are available that include synchronization, join, data translation, and virtual directory capabilities. Some open-source software is also available.

  • Custom tools that you develop yourself. To paraphrase an old saying, "If you want a solution that does just what you need and no more, develop it yourself." Even if you use off-the-shelf software to meet most of your requirements, directory coexistence is an area where some custom software development is usually needed. An example of a simple one-way synchronization tool that is implemented in Perl is presented a little later in the chapter.

The most important issues to consider when selecting coexistence tools are whether a given tool will meet your requirements and how well that tool will work in your environment. Cost, ease of deployment, vendor support, and availability of consulting services are also important factors. Refer to Chapter 13, Evaluating Directory Products, for general information on performing an appropriate evaluation.

Tuning and Troubleshooting

Perhaps the most painful step in achieving directory coexistence is tuning the system until it works well. Why is this painful? As you have probably figured out by now, directory coexistence is an ugly problem. Therefore, challenges unique to your environment will inevitably arise. Most tuning and troubleshooting should be done during a pilot deployment, and the ability to get advice from the following people during the design and pilot phases is extremely valuable:

  • The designers and system administrators of your directory service

  • The designers and system administrators of the data sources included in your coexistence effort

  • The vendor or author of the directory coexistence tools you're using

  • The data security team within your organization, if you have one

  • Consultants and other experts you bring in to assist with the directory coexistence implementation

The last group is worth emphasizing. Many organizations shy away from hiring outside consultants, but directory coexistence is one area where experience counts for a lot. Hiring the right consultant may save a lot of time and frustration. Whatever you do, don't rush a coexistence solution that is not ready into production. See Chapter 16, Putting Your Directory Service into Production, for general information on the optimal process.

Monitoring and Caring for Your Coexistence Solution

Finally, don't expect your directory coexistence solution to take care of itself. As with all other aspects of your directory deployment, it is important to implement automated monitoring of the system. Chapter 19, Monitoring, includes information on how to monitor your directory service; similar techniques should be used to monitor the components of your directory coexistence solution.

The type of monitoring required varies depending on the coexistence techniques you use and the frequency of synchronization. For example, for daily or less frequent synchronization, sending out a nightly e-mail message that indicates whether synchronization was successful may be sufficient. On the other hand, continuous monitoring that includes automated notification of problems is appropriate for a virtual directory system.

You also need to create troubleshooting and problem escalation procedures for the various components of your directory coexistence solution. For busy systems that use incremental synchronization, it is especially important to take action promptly. If the synchronization process gets stuck, the backlog of unapplied updates may quickly grow to an unmanageable amount.
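The stuck-synchronization case described above can be checked automatically. The following sketch is an added example, not code from the book: it classifies a series of observations of an incremental synchronization job. The field names, the change-number counters, and both thresholds are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SyncSample:
    """One observation of an incremental sync job (field names are assumed)."""
    taken_at: datetime
    source_change_no: int   # newest change recorded by the data source
    applied_change_no: int  # newest change applied to the directory

def assess(samples, max_backlog=500, stall_after=timedelta(minutes=15)):
    """Return (level, reason) for a time-ordered list of SyncSample."""
    if not samples:
        return ("CRITICAL", "no samples: the monitor cannot see the sync job")
    latest = samples[-1]
    backlog = latest.source_change_no - latest.applied_change_no
    if backlog < 0:
        return ("CRITICAL", "applied change number is ahead of the source")
    # Walk backwards to find how long the applied counter has not moved.
    stalled_since = latest.taken_at
    for s in reversed(samples):
        if s.applied_change_no != latest.applied_change_no:
            break
        stalled_since = s.taken_at
    stalled_for = latest.taken_at - stalled_since
    # No progress only matters when there is something waiting to be applied.
    if backlog > 0 and stalled_for >= stall_after:
        return ("CRITICAL",
                f"stuck: {backlog} unapplied updates, no progress for {stalled_for}")
    if backlog > max_backlog:
        return ("WARNING", f"backlog of {backlog} exceeds {max_backlog}")
    return ("OK", f"backlog {backlog}")

def series(rows, start=datetime(2002, 1, 1, 2, 0)):
    """Build constructed samples taken 10 minutes apart from (source, applied)."""
    return [SyncSample(start + timedelta(minutes=10 * i), src, app)
            for i, (src, app) in enumerate(rows)]

# Constructed observations for four situations.
HEALTHY = series([(1000, 990), (1200, 1195), (1450, 1448)])
STUCK = series([(1000, 990), (1200, 990), (1450, 990)])
LAGGING = series([(1000, 990), (3000, 1500), (5000, 2100)])
IDLE = series([(1000, 1000), (1000, 1000), (1000, 1000)])

if __name__ == "__main__":
    for name, data in [("healthy", HEALTHY), ("stuck", STUCK),
                       ("lagging", LAGGING), ("idle", IDLE)]:
        print(name, assess(data))
```

The idle series shows why the stall test also requires a non-empty backlog: a quiet data source produces no progress and no problem.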

   


Understanding and Deploying LDAP Directory Services (2nd Edition)
ISBN: 0672323168
EAN: 2147483647
Year: 2002
Pages: 242
