In this section we describe Netscape's directory design and how it was developed. NeedsAs in many businesses, Netscape's directory requirements were largely determined by two needs: the need to support a wide range of applications and the need to deploy them in a manageable and cost-effective manner. As mentioned previously, Netscape's IS department is charged with providing computing support to employees at the main campus and satellite offices. With few exceptions, IS provides all the hardware, software, and network connectivity for every employee. (This arrangement is in contrast to the decentralized support methods that will be described in Chapter 26.) Despite this centralization, minor political problems arose when the directory service was being deployed. Obtaining a synchronization file that contained information on all full-time employees, contractors, temporary employees, and contingent employees proved difficult, and the issue had to be escalated to senior management. After the synchronization file was obtained, IS staff needed to spend a significant amount of time modifying existing IS and HR work processes to tie them into the directory. Connecting everything to the directory required some modifications to existing HR database tables and associated user interfaces, which required cooperation from the HR staff. Another constraint was that the staff involved in the directory design and deployment, although extremely skilled, needed some time to become familiar with directory technology. Fortunately the developers responsible for the directory server software (Netscape Directory Server) were literally next door. The proximity of the two groups provided immense benefits for both IS and the Directory Server software engineering team; questions from IS were handled quickly and accurately, and Engineering obtained valuable information on how the product worked in an actual deployment. In essence, the Netscape internal directory deployment still provides an ongoing directory pilot that continually feeds back useful information to the Netscape Directory Server engineering group , ultimately resulting in a higher-quality , more functional product. One of the primary motivations for the directory deployment was to support Netscape's suite of directory-enabled server products, including Netscape Messaging Server (electronic mail), Netscape Collabra Server (Usenet news and internal discussion groups), Netscape Enterprise Server (internal Web publishing), Netscape Certificate Management System (for public key certificates), and Netscape Calendar Server (for workgroup scheduling). [1] Each of these products is directory-enabled and can utilize the directory for user and group management and access control. In addition, employees have become very dependent on Netscape Phone Book, an internally developed application that allows quick and easy lookup of contact information and location information for people and meeting rooms.
The directory is also used for specific work processes, serving as the focal point for creation or removal of resources when a person joins or leaves Netscape. For example, when an employee is hired , a directory entry is created, triggering processes that create Unix and Microsoft Windows NT domain accounts, assign telephone numbers , add the employee to the security/badging database, allocate a network port, and include the employee on certain companywide , divisionwide, and workgroup-specific mailing lists. Early in the design process, Netscape IS made the assumption that directory users needed to feel confident that the central repository of directory data was secure, stable, valuable, and accurate. These needs led to the conclusions described here:
In addition, the directory itself must be flexible enough to accommodate new applications, and it must scale well so that users always receive adequate performance. DataAs mentioned in the previous section, the primary drivers behind the directory service revolved around the directory-enabled applications slated for deployment. Those applications had well-defined schema requirements, which made identification of the necessary data elements very straightforward. What was less straightforward, however, was identifying the "owner," or authoritative source, of each data element. The Netscape IS organization began by developing a conceptual framework for understanding the directory, external data sources, and external users of the data. Figure 24.1 shows this framework. Figure 24.1. A Conceptual Framework for Data Sources
Data owners are the databases that contain authoritative enterprise data. For example, data stored in the PeopleSoft system is considered authoritative for certain elements, such as a person's name and home postal address. The private branch exchange (PBX) telephone system is considered authoritative for office telephone numbers. In the Maintaining Data section of this chapter, we'll describe the process that synchronizes data between the directory and other data sources. Data is collected from the authoritative data sources and placed into the directory service. In this role, the directory serves as a central repository , a rendezvous point where applications can meet to obtain data about people, groups, and other business- related objects. The directory serves a valuable role by publishing and grouping the data synchronized from the various distinct data sources. The directory service itself is considered authoritative for some data elements, such as e-mail addresses. For these data elements, the directory functions simultaneously as the data owner and the central repository. Data users are the applications, business processes, and people that make use of the directory data stored in the central repository. After the fundamental data model had been developed, the Netscape directory deployment team refined the data plan further by establishing the following basic guidelines for deciding that a given data element should be stored in the directory:
Next a detailed data element inventory was completed. This inventory described each data element, the directory's attribute name for it, the authoritative source, and the consumers that use it. Table 24.1 shows a portion of that inventory. Table 24.1. A Portion of Netscape's Data Element Inventory
Finally, a set of synchronization procedures was developed to propagate changes from external authoritative data sources such as the PeopleSoft and PBX systems into the directory. These synchronization procedures are the core of Netscape's directory coexistence strategy and are designed to capture changed data in the external authoritative data sources and apply updates to the directory. SchemaThe schema used in the central directory is composed of three distinct sets of schema definitions:
Netscape IS staff members added the custom schema definitions only after carefully examining available schema elements and determining that no existing attribute types met Netscape's needs. All schema extensions were implemented as auxiliary, or "mix-in," object classes. To illustrate , consider the definition of the nscpPerson object class shown in Listing 24.1 (note that nscpPerson-oid should be replaced by a real object identifier, or OID). Listing 24.1 The nscpPerson Object Class ( nscpPerson-oid NAME 'nscpPerson' DESC 'Netscape-specific person information' SUP top AUXILIARY MUST uid MAY ( nscpBadgeImage $ nscpPersonExpDate $ nscpCurContactInfo $ nscpBuildingNum $ nscpBuildingLev $ nscpHarold ) This auxiliary object class contains only the Netscape-specific attributes. Entries in the directory that describe people have both the inetOrgPerson and nscpPerson object classes . Thus a person entry may contain any of the attributes allowed by either the inetOrgPerson or the nscpPerson object class. In this way, Netscape extended the schema with business-specific attributes without altering the standard object class definitions. The added attributes were as follows :
NamespaceFigure 24.2 shows Netscape's directory namespace. Netscape decided to use domain component naming for the top or global portion of the namespace ( dc=netscape,dc=com ). The organizational units that define subnamespaces beneath the top level are as follows:
Figure 24.2. Netscape's Directory Namespace
There are several important points to note about this namespace design. To some extent, the portion of the global directory namespace that Netscape uses at this time is unimportant because the internal directory is not available outside Netscape's firewalls. However, if Netscape should want to share this information with external business partners in the future, it will be necessary to choose a portion of the namespace that cannot conflict with namespaces in use by other businesses. With this constraint in mind, Netscape chose to use a naming method that leverages the existing Domain Name System (DNS) infrastructure to provide a unique namespace. The top-level name of dc=netscape,dc=com is derived from Netscape's assigned domain name, netscape.com . The other option would have been to use the X.500 naming method, which is based on a country “locality “organization name hierarchy. Using this scheme, Netscape's tree would have been rooted at o=Netscape Communications Inc.,st=California,c=US , or possibly o=Netscape Communications Inc.,c=US . Netscape chose the DNS-derived names because they are shorter and do not require registration with any standards organization (other than the domain name that was registered in the early days of the commercial Internet). After the directory suffix was chosen , Netscape's IS department needed to decide how the directory information would be structured. The final decision took into consideration the following factors:
A flat namespace beneath ou=People was chosen to avoid the headaches caused when people move between departments. Within the ou=People container, the uid (user ID) attribute was chosen as the naming attribute for entries. This attribute has two desirable properties. First, it must be unique anyway because the employee's electronic mail address is uid@netscape.com . Second, because the namespace is flat, any attempts to create a duplicate uid would be rejected by the directory server (because the new entry would have the same distinguished name [DN] as an existing entry). One trade-off in using a flat namespace under ou=People is that straightforward directory browsing is less interesting; all employees appear in a single, flat list of names. Browsing is more useful when the namespace reflects some organizational hierarchy. Netscape directory deployers realized that multiple hierarchies were present in the directory data. For example, each employee at Netscape is associated with a particular department, and this represents one type of hierarchy present in the data. Each employee also has a manager, and the reporting hierarchy represents a different type of hierarchy. Instead of favoring one type of hierarchy, the deployers opted to make the namespace independent of any particular hierarchy. To construct multiple alternative hierarchies, such as the reporting hierarchy, DN-valued attributes are used. For example, each employee's entry contains a manager attribute that holds the DN of the employee's manager. A directory application can use this information to support several different views of the data. For example, an application might allow a user to jump to an employee's manager or to browse the directory according to employee/manager reporting relationships. TopologyThe topology chosen for the Netscape directory deployment is very simple: The entire directory is contained in a single partition. Two considerations led to this decision:
For these reasons, a single-partition design was chosen. ReplicationThe primary motivator behind Netscape's replication architecture was to provide sufficient directory capacity for its directory-enabled applications, such as messaging and calendaring. Figure 24.3 shows the overall replication architecture. Figure 24.3. Netscape's Replication Architecture
There are several important points to note about the replication architecture:
This particular design leverages the strengths of Netscape Directory Server ”namely, its ability to store many entries while still providing excellent performance. If your directory server software limits you to a small number of entries per partition relative to how many entries you will have, a more complicated replication architecture may be required. On the other hand, the presence of the replication hub is a concession to the single-master nature of Netscape's Directory Server software prior to version 6. Because there is a single updatable server, it is highly desirable to keep the server's load as light as possible ”which is why a replication hub is used. If your directory server software supports multimaster replication, you may be able to eliminate the concept of a replication hub from your architecture. Replication hubs do improve the directory service's ability to distribute data widely and also help accommodate network architectures that limit the ability of applications to access the master directory servers directly. Privacy and SecurityThe security design for Netscape's internal directory service deployment focused on two major issues: controlling access to directory data and protecting against certain types of security attacks. The data contained in Netscape's internal directory is composed primarily of public information that can be viewed by any employee. However, several attributes of person entries are potentially sensitive, such as the employee home address and telephone number. To fully understand the security issues associated with each directory attribute, Netscape's IS department developed a security matrix. For each type of object stored in the directory, the matrix describes the attributes present in that entry and the security restrictions in effect for those attributes. For example, the electronic mail address for a given employee is considered public information; it is essential for other employees to know a given employee's e-mail address. On the other hand, the employee's home address is considered sensitive information and must be protected in order to address employee privacy concerns. During the development of this security matrix, Netscape's Legal department offered advice about which attributes might be considered sensitive information. For each attribute considered sensitive, a policy was developed describing who may view and update it. Table 24.2 shows a portion of the final security matrix. The update policy also allows an individual employee to decide whether certain information should be published in the directory at all. For example, the authoritative source for the employee's home telephone number is the PeopleSoft database. Unlike most of the other directory attributes, the home phone number is not automatically synchronized from PeopleSoft to the directory. Instead, an employee must place his own home phone number in the directory if he wants it there (the same policy is used for home postal address as well). This kind of approach places complete control of sensitive information in the hands of the employee. Another part of Netscape's directory security design involved protecting the directory from several types of security attacks. Because Netscape's internal directory is used only by employees and contractors, certain assumptions make it unnecessary to protect against some types of attacks. Employees are trusted to conform to company policy, so disciplinary action can be levied against an employee who perpetrates a directory attack. Such attacks (of which there have been none to date) include denial-of-service attacks and impersonation attacks. Table 24.2. An Excerpt from the Netscape Security Matrix
Nevertheless, other precautions need to be taken because Netscape sometimes uses leased lines provided by a third party. Netscape does not control the physical security of those lines; therefore, unencrypted data cannot be guaranteed safe from eavesdropping. The following precautions are in place:
In summary, the security architecture for the directory service and the data it contains are tuned to Netscape's particular business requirements and culture. As business requirements change, the security architecture is reviewed and updated as necessary. |