13. Piloting Your Directory Service

Understanding and Deploying LDAP Directory Services > 12. Choosing Directory Products > Evaluation Criteria for Directory Software

Evaluation Criteria for Directory Software

One of the first tasks in choosing directory software is to develop evaluation criteria that takes into account your current and future needs. Whether you have no idea what software you might use or you already have a specific set of products in mind, evaluation criteria are very valuable . A good set of evaluation criteria helps you decide on, justify, and feel comfortable with your product choices.

In this section, we provide some advice for developing evaluation criteria to fit your own situation. We divide the criteria into the following areas:

• Core features

• Management features

• Reliability

• Performance and scalability

• Security

• Standards conformance

• Interoperability

• Cost

• Flexibility and extensibility

• Other considerations

Each area is discussed in the following sections. As you read through these criteria, examine your own directory service needs and design to see which factors are most important to you. Your goal is to create a list of requirements and questions you have about the products. You should assign a priority or weight to each item on the list so you can make intelligent trade-offs later.

Your list of evaluation criteria will serve as a tool for evaluating products and help you ask the right questions of vendors about what they can deliver. Keep in mind that the areas we cover in the following sections are not exhaustive and that there will likely be other factors that you may want to consider as well. Use this information only as a starting point to develop your own set of evaluation criteria. And don't neglect the areas in which you have no immediate needs; be sure to take future needs into account.

Core Features

When looking at the core features of LDAP software products, your main task is to ensure that the product can meet the needs of all the directory-enabled applications you plan to deploy now and in the future. This is not a small task, of course, but the work done in Chapter 5 and throughout Part II should provide all the information you need to create a list of the features that are important to you. Some areas to consider include:

• Support for the hardware and software platforms you use or plan to use in the future.

• Support for all the core LDAP operations and extensions needed by your applications.

• Replication features, including support for all the topologies your design uses, the ability to provide uninterrupted service to client applications even if one or more replicas fail, flexible scheduling policies, and so on. Chapter 10, "Replication Design," includes detailed product criteria for replication.

• Support for distributed directories, if required by your design. This is usually accomplished with LDAP referrals or server-to-server chaining of requests .

• Directory data import, maintenance, and backup features.

• The quality, availability, and extra cost of documentation and support.

Management Features

You will need to manage both the directory service itself and its contents. When examining the management features of software, focus on your most critical needs and look for flexibility to meet future needs. Areas to consider include

• Simplicity and flexibility of installation scripts and procedures.

• Availability of good tools for configuring, monitoring, and maintaining all aspects of the service itself. Look for tools that are easy to use for complicated tasks such as security, access control, and performance tuning. Graphical and command-line tools are both often desirable, depending on your situation and preferences.

• Availability of a variety of LDAP client interfaces that users and administrators can use to find and manipulate directory content such as person entries, group entries, and any other data you plan to store in your directory. The best client interfaces can be customized to target specific needs.

• Scriptable administration and content manipulation tools that can be used to automate frequent tasks.

• The ability to manage user -specific constraints such as password policies, resource usage quotas, and other items.

• Remote administration capabilities.

Reliability

All directory services are expected to be reliable so as not to inconvenience applications and halt business processes. Specific requirements, of course, vary widely. For example, if your directory will primarily serve as an electronic phone book, but everyone has paper copies of the same data available for use if your service is unavailable, reliability is not too critical. However, extranet applications used by customers and business partners to update their contact information require great reliability.

Some reliability issues to consider when creating your evaluation criteria include

• The ability to support 24 —7 (continuous) operation. Features such as the ability to back up and change the server configuration without affecting the running service can be important. Common configuration changes include extending directory schema, adding indexes to improve performance, and temporary changes needed during upgrade and maintenance activities (such as a change in the TCP port a server listens on).

• A robust, transactional server data store that is self-repairing and recovers automatically from temporary failures such as power outages.

• Support for automated failover to minimize downtime in the event of software or hardware failures. With directory server software, this can be accomplished via support for third-party or built-in high availability (HA) solutions, advanced replication features such as multimaster topologies and hot standbys, and client-side support for transparent failover to a standby server.

• Directory service monitoring tools. As discussed in Chapter 18, "Monitoring," monitoring is essential for quickly identifying and correcting problems. Support for Simple Network Management Protocol (SNMP) and the availability of proprietary monitoring tools can both be helpful. Otherwise , you need to write your own monitoring tools. (If you plan to do this, make sure that appropriate hooks and SDKs are provided with the directory products you choose.)

Performance and Scalability

High performance and high scalability are very important in many directory deployments. The directory design process described in Part II of this book should help you expose all your performance and scalability needs. Areas to consider include:

• Latency of directory operations. For example, how fast must the directory service respond to a search or modify request?

• Throughput of directory operations. How many operations can a directory server handle in a given time period? How fast can a client application or SDK send LDAP requests and process the responses? How many search, add, and modify requests can the server process per second? Be sure to take into account the type and mix of operations you expect to have in your environment. For example, server performance for searches is typically much greater than it is for adds and modifies; thus, if your needs imply that there will be a lot of add-and-modify traffic, you should pay special attention to the write performance of the directory server software.

• The ability of the server to handle a large number of simultaneous LDAP connections while providing good performance to all the clients .

• The ability to monitor and tune the performance of the directory server to meet your needs. This is important in determining the characteristics of the hardware you should purchase as well as to optimally meet the needs of your most important directory-enabled applications.

• The ability of server and client software to maintain good performance as scale increases . Dimensions to consider include the number and size of entries, number and size of attribute values, number of access control rules, number of replicas, and number of directory partitions.

• The availability of performance information such as benchmark results and performance-focused documentation. If performance is important to you, but a directory software vendor has little to say about it, you may need to look at other products or conduct your own benchmark tests.

Security

As discussed in Chapter 11, "Privacy and Security Design," security needs vary widely from one directory service deployment to another. Without exception, though, security should be an important part of your product evaluation criteria. Areas to consider include:

• Access control capabilities, including adequate flexibility and granularity to meet your privacy, security, and data management needs.

• The ability to delegate administration of directory content to independent administrators and end users as needed.

• The authentication methods supported by the client and server software (e.g., LDAP basic authentication, various SASL methods , and certificate-based authentication).

• The encryption capabilities for LDAP data streams and directory data stores, including support for secure sockets layer (SSL) and transport layer security (TLS). If you need strong encryption with long key lengths, you may encounter product purchase and deployment obstacles in the form of export restrictions enforced by some governments (most notably the United States).

• The ability to use SSL or TLS to protect replication updates in transit.

• Support in server software for hardware acceleration of cryptographic algorithms. This is very important for servers that must perform a lot of encryption or routinely handle digital certificates.

Standards Conformance

To most people, standards are not interesting for their own sake; it's the products that adhere to standards that are more interesting. Standards-compliant software is important to you because it provides increased flexibility, better interoperability, more customer choice, and a proven, well- understood core feature set.

Standards documents are typically very technical and hard to understand. Although you probably do not need to read and understand all the standards documents, you should be aware of all the emerging and ratified standards so that you can ask software vendors if they comply with them. Because no available product supports all the standards, you need to determine which standards are most critical to you. You can do that by understanding what each standard specifies and how it aligns with your own directory needs.

The most important group that creates standards for LDAP is the Internet Engineering Task Force (IETF), which is the standards-setting body for the Internet. IETF standards are published as a series of documents called requests for comments (RFCs). Note that not all RFCs are destined or even intended to become standards, and that specifications are first published as Internet drafts. (See Chapter 2, "A Brief History of Directories," for more information on the IETF and how it operates.)

Other important standards are produced by industry consortiums, and some de facto standards are developed by the leading directory services vendors. Some of the directory service standards you should consider for your evaluation criteria list include:

• The core LDAP Internet protocol standards, including the complete set of LDAPv2 and LDAPv3 RFCs. The relevant documents are RFCs 1777-1779 and 2251-2256. Because these standards are the building blocks on which all LDAP- related software is built, most products claim to support these RFCs. Be sure to ask your software vendor exactly which aspects of these LDAP standards they do not support, however.

• Related Internet standards that LDAP has adopted, including Simple Authentication and Security Layer (SASL), which is defined in RFC 2222; and the directory services Simple Network Management Protocol Management Information Base (SNMP MIB), which at the time of this writing has not yet been published as an RFC (it is available only as an Internet draft). You can use SASL to integrate with a specific authentication scheme. Support for the SNMP MIB for directory services helps you integrate your servers with off-the-shelf network management systems (NMSs).

• Emerging LDAPv3 extensions, such as those for dynamic entries, server-side sorting of search results, virtual list view, standard access control, and standard replication protocols. At the time of this writing, all these extensions are available only as Internet drafts; they have not yet been published as RFCs. In general, you should examine each extension to see if you need the feature it provides within your own directory deployment.

• The LDAP Data Interchange Format (LDIF), which defines a standard format for representing directory entries and changes to entries. At the time of this writing, LDIF is documented in an Internet draft; it has not yet been published as an RFC.

• LDAP application programming interface (API) standards within SDKs and LDAP clients. Internet standard LDAP APIs for C/C++ and Java are being developed by the IETF. Note that a number of proprietary APIs also exist, such as Microsoft's Active Directory Services Interface (ADSI) and Javasoft's Java Naming and Directory Interface (JNDI). However, support for standard APIs can be very helpful in reducing the time and cost incurred when developing LDAP applications. See Chapters 20, "Developing New Applications," and 21, "Directory-Enabling Existing Applications," for more information on available APIs and SDKs.

• Schema standards, such as those being developed as part of the Directory Enabled Networking (DEN) industry group. Good LDAP products are extensible and can accommodate a wide variety of schemas.

• Security standards, such as X.509 for certificates and the SSL and TLS protocols. Security is an area in which standards are especially important, not just to achieve basic interoperability, but also so you can more easily evaluate the security provided by the products. For example, all SSL version 3.0 implementations support a certain level of security, but for proprietary security schemes you need to trust the software vendor to provide adequate capabilities. Security is an area that is not well understood, but standards reduce the learning curve and allow you to transfer knowledge from one product to another much more easily.

• X.500 directory service standards. Because LDAP depends to some extent on the X.500 standards for its naming, information, and operations models, the X.500 standards are relevant to all LDAP directories. X.500 also specifies standards for access control and replication that have been adopted by some LDAP vendors; however, there are reportedly some interoperability problems with products that implement the more advanced X.500 features. More information on X.500 can be found in Chapter 2.

• Any other standards or certification requirements, such as Y2K compliance, certification by an operating system or hardware vendor, or support for industry-leading third-party products such as HA and backup solutions.

Interoperability

Standards conformance is an important part of any product's interoperability story. However, if you require interoperability with specific products, you should take that into account when developing your evaluation criteria. Areas to consider include:

• Availability and support for directory-enabled applications that you plan to deploy. Some vendors, such as Netscape offer a complete line of LDAP-enabled Web and messaging products designed to work with their own directory service products. When working with products from two or more vendors, you probably should verify interoperability yourself.

• Availability of synchronization tools for data sources that your directory service needs to interoperate with. For example, you may have a requirement to mirror the data held in a cc:Mail address book in your LDAP directory; therefore, you would need to buy or build a cc:Mail-to-LDAP synchronization tool. See Chapter 22, "Directory Coexistence," for more information on integrating your directory service with other data sources.

• Availability of metadirectory solutions to facilitate the joining and synchronization of disparate directories and data stores. See Chapter 22 for more information on metadirectories .

• Proof of interoperability. This can come in the form of results from vendor-to-vendor tests performed in an ad hoc fashion or at an LDAP interoperability testing forum, such as the recent DirConnect events sponsored by the Internet Directory Consortium which is part of the Open Group.

Cost

The most obvious cost is that of the software itself, but you should also consider the total cost of buying, deploying, supporting, and maintaining your directory service and the applications that surround it. Chapter 14 covers cost analysis in depth, but some general areas to examine when creating your list of evaluation criteria include the following:

• Software costs.   Be aware of the different cost structures under which the software may be sold ”per server installation, per CPU, per user, per entry, yearly lease, unlimited use, and so on. Also, don't forget to take into account ongoing upgrade and support costs and the licensing costs associated with operating systems or any other software the directory software depends on. For example, Microsoft Active Directory requires that you upgrade all your servers to Windows NT 5.0 to take advantage of some features.

• Hardware costs.   Different directory service products require different hardware, some of which may be much more expensive than others.

• Deployment costs.   These include the cost of hardware, personnel, software deployment, and so on.

• Maintenance costs.   These include the cost of day-to-day tasks such as performing backups , maintaining the content of the directory servers, monitoring it for failures, and any other ongoing activities. Look for products that allow management tasks to be easily automated.

• Training costs   . These include costs to train administrators of the system, end users, and directory content administrators.

• Support costs.   Products that are easy to learn, use, and manage cost less to support.

Keep in mind that some of your costs will be hard to quantify, especially if you have not yet deployed your directory service. Talk to people within other organizations who have already deployed a similar product to gather more concrete information about costs.

Flexibility and Extensibility

It is unlikely that an existing product can meet all your needs out of the box. For this reason, and because you can't anticipate all your future needs, it is important to choose directory products that are flexible and extensible. Areas to consider include the following

• Configurability.   Look for the ability to selectively enable and disable features, the ability to adapt the product to work well on your available hardware and operating systems, and the ease with which you can make configuration changes. For example, if you have remote offices within your organization, you may want to run some replicated servers in those offices on inexpensive machines that have moderate amounts of memory, CPU, and disk capacity. For your main campus, you may want to run the same directory server software but tune it to take advantage of large machines that have lots of memory, CPU, and disk capacity.

• Flexibility.   To support a variety of directory-enabled applications, you want to be able to easily extend directory schemas, add or remove indexes, and otherwise configure directory servers to provide optimal performance, for an application's queries. For example, if you bring a high-performance, directory-enabled application online in the future, it will probably come with its own schema extensions and may require the tuning of your servers to achieve optimal performance.

• Extensibility.   Some products can be extended by writing scripts or creating software plug-ins that alter the behavior of directory clients and servers. Netscape Directory Server, for example, provides a fairly complete set of well-documented plug-in interfaces. This kind of extensibility can help when you need to support an unusual application or when you want to adapt the directory service to fit your organization's data maintenance policies.

Other Considerations

There are a few additional areas to examine as you construct your evaluation criteria. These issues are primarily related to the future of the product and the vendor that provides it. Consider each of the following topics:

• The future of the product.   Is it evolving and moving in the direction you expect your organization to move? Is the product important enough to the organization that develops it that you can count on continued availability and support?

• Completeness of product line.   A vendor that sells a complete line of directory-enabled applications and has made LDAP a key part of its corporate strategy may be able to meet more of your needs and serve as a good partner for all your directory services efforts. On the other hand, it is unlikely that you will buy all your directory products from only one vendor.

• Industry and developer mindshare .   Look at how much support for the product there is outside the company or organization that develops it. A product that is widely used and supported by many third parties has a better chance of meeting the needs of most people. On the other hand, if your needs are very specialized, this isn't as important.

• General vendor issues.   Make sure the vendor stands behind the products it sells. Determine whether the vendor has a viable business plan so you can be assured that it will be around to support you.

An Evaluation Criteria Example

In this section, we present an example evaluation criteria list for directory server software. The sample criteria were developed for a fictitious company called Airius Airlines that is deploying a directory service for the first time. The focus of the deployment is support of directory-enabled intranet applications. The first two applications that are expected to come online are an electronic phone book and an email delivery service. Airius currently has only 5,000 employees but expects to grow rapidly over the next few years .

The sample criteria are presented as a series of tables that the Airius Airlines directory services planning team created using a spreadsheet program like Microsoft Excel. Each row in the spreadsheet lists a specific characteristic used to evaluate each candidate product. A description and a weight are provided for each item. The weight is a number from 1 (not very important) to 10 (extremely important) that captures the importance of the item. Items that are extremely critical ( must-have features) are marked with an asterisk (*) so that they can be spotted more easily when reviewing the results of the evaluation.

The right side of each table provides room to evaluate two products (Product A and Product B). Each product is given a rating for each characteristic. A score ranging from 0 (poor) to 100 (best) is calculated by multiplying each item's weight by a product's rating. By adding all the scores, an objective number is produced that can be consulted when making a final product choice.

Airius's evaluation criteria for core directory server features are shown in Table 12.2.

Table  12.2. Sample evaluation criteria for core directory server features

To illustrate how the scoring system works, consider the first row in Table 12.2: support for all basic LDAP operations. This feature was given a weight of 7 (out of a possible 10) by Airius because it is fairly important to the company (it plans to eventually make full use of its directory service, including allowing employees to update their own contact information).

Product A received a rating of 8 (out of a possible 10) because it does support all the basic LDAP operations but falls short on complete implementation of some of the added features of LDAPv3. The item score for Product A is calculated by multiplying 7 (the weight) by 8 (the product rating) to arrive at 56. Product B received a rating of 3 because it supports only search operations. Product B's score is 21 (7 times 3).

Because Airius plans to develop its own phone book application and eventually create dozens of directory-enabled applications, flexibility and extensibility of the directory software are very important. Table 12.3 shows Airius's evaluation criteria for this area.

Table  12.3. Sample criteria for flexibility and extensibility

The sample evaluation criteria we have presented for Airius Airlines are, of course, far from complete. When you develop your own evaluation criteria, you should include all the areas we discussed in the previous sections, such as security, interoperability, and cost. The evaluation criteria tables shown here could be improved by adding a column to record specific comments or notes about each product feature.

Index terms contained in this section

2002, O'Reilly & Associates, Inc.