Directory Service Deployment


While the directory design was being completed and reviewed, HugeCo formed a directory deployment team. The team included all the people who participated in the design process, plus system administrators responsible for the actual rollout and for running the service on a day-to-day basis. An IS employee who had expertise in network monitoring and problem escalation procedures was also added to the team.

Product Choice

Before making a final choice of LDAP server software, HugeCo performed an extensive in-house evaluation. After talking to many directory server vendors, HugeCo narrowed its choice to three products: Netscape's Directory Server, Critical Path's CP Directory Server, and Novell's eDirectory. Evaluation copies of each of the three products were obtained, and each was subjected to a thorough hands-on evaluation that involved installing the products, configuring them with HugeCo's schema, setting up replication, and conducting performance and scalability testing.

In the end, the team selected the Netscape Directory Server product for the following reasons:

  • Best performance and scalability, as observed during performance tests

  • Support for TLS, as required by HugeCo's replication and security design

  • Flexible, powerful access controls whose use did not significantly reduce performance

  • Good support for international data

  • Comprehensive management tools that included a Java GUI, command-line scriptable tools, and an HTML-based delegated administration tool

  • Support by all of HugeCo's important directory-enabled applications

HugeCo also evaluated several LDAP software development kits (SDKs), including Netscape's C and Java SDKs, a few LDAP Perl modules found on the Internet, Microsoft's ADSI, and JavaSoft's JNDI. The team found that all these SDKs were functional but decided to focus on Netscape's SDKs and the PerLDAP Perl module for most of its own development projects. The team members recommended the Netscape SDKs primarily because they felt confident that these SDKs would work well with the Netscape and Sun server products already selected. Availability of source code for the SDKs was considered a bonus.

Piloting

An extensive directory service pilot was conducted to prove the directory design, become familiar with the directory software, and determine the level of effort required to roll out and maintain the production service. HugeCo's North America and Asia Pacific regions participated in the pilot, which was conducted over four months. During the pilot, the directory service was deployed in a limited number of physical sites within each region, and only one master and one replicator server were used for each portion of the directory data.

The directory-enabled applications used in the pilot included the following:

  • Sun ONE Messaging Server to provide e-mail routing and delivery for end users.

  • A simple workflow application to allow employees to request vacation time and other time off. This application was hosted by a Netscape Enterprise (Web) Server in conjunction with Netegrity SiteMinder and included an interface for employees (used to request time off) and an interface for managers (used to approve time-off requests). The application uses the hugeCoEmployeeRole and manager attributes within employee entries to route time-off requests appropriately and verifies that a specific manager is allowed to approve or deny an employee's request.

  • An employee phone book to support anonymous directory lookups. This was created by the central IS programmers using PerLDAP.

  • A directory administration application, based on the Netscape Delegated Administrator tool. This application supports directory administration at the global and departmental level, as well as employee self-service activities such as setting passwords or changing home telephone numbers. The directory administration application is accessible from the employee phone book via a hypertext link.
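
The approval check the workflow application performs, written out as an added example (not code from the book or from HugeCo's application). The directory entries are a constructed in-memory stand-in for LDAP search results, the hugeCoEmployeeRole values ("engineer", "manager", "director") and the DNs are assumptions, and the point it makes is that the approver is validated against the manager attribute of the employee's own entry, never against a manager DN supplied with the request:

```python
"""Routing and authorization for a time-off request, driven by the
manager and hugeCoEmployeeRole attributes of employee entries.

Added example; DIRECTORY is a constructed stand-in for search results,
and the role values and DNs below are assumptions, not HugeCo's data."""

from typing import Dict, List, Optional

Entry = Dict[str, List[str]]        # attribute -> values, as LDAP returns them
Directory = Dict[str, Entry]        # DN -> entry

# Roles (assumed values) that entitle an entry to approve time off.
APPROVER_ROLES = {"manager", "director"}

NA = "ou=People,ou=North America,dc=hugeco,dc=com"   # assumed base DN

# Constructed sample entries. ekim's manager attribute points at an engineer,
# which exercises the "listed manager lacks an approver role" case.
DIRECTORY: Directory = {
    f"uid=asmith,{NA}": {"cn": ["Alice Smith"], "hugeCoEmployeeRole": ["engineer"],
                         "manager": [f"uid=bjones,{NA}"]},
    f"uid=bjones,{NA}": {"cn": ["Bob Jones"], "hugeCoEmployeeRole": ["manager"],
                         "manager": [f"uid=cdoe,{NA}"]},
    f"uid=cdoe,{NA}":   {"cn": ["Carol Doe"], "hugeCoEmployeeRole": ["director"],
                         "manager": []},
    f"uid=dlee,{NA}":   {"cn": ["Dan Lee"], "hugeCoEmployeeRole": ["manager"],
                         "manager": [f"uid=cdoe,{NA}"]},
    f"uid=ekim,{NA}":   {"cn": ["Eve Kim"], "hugeCoEmployeeRole": ["engineer"],
                         "manager": [f"uid=asmith,{NA}"]},
}


def normalize_dn(dn: str) -> str:
    """Simplified DN normalisation: attribute types and values are compared
    case-insensitively and whitespace around separators is ignored. Full
    RFC 4517 matching (escaped commas, multi-valued RDNs) is more involved;
    this is enough for the exact comparisons made here."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def lookup(directory: Directory, dn: str) -> Optional[Entry]:
    """Find an entry by DN, tolerating case and spacing differences."""
    target = normalize_dn(dn)
    for entry_dn, entry in directory.items():
        if normalize_dn(entry_dn) == target:
            return entry
    return None


def route_request(directory: Directory, employee_dn: str) -> Optional[str]:
    """Route a request to the first DN in the employee's manager attribute,
    or None when the entry is missing or has no manager."""
    entry = lookup(directory, employee_dn)
    if entry is None:
        return None
    managers = entry.get("manager", [])
    return managers[0] if managers else None


def can_approve(directory: Directory, approver_dn: str, employee_dn: str) -> bool:
    """Approve only if the approver is a manager named in the employee's own
    entry, is not the employee, and holds an approver role. The request's
    own claim about who the manager is plays no part in the decision."""
    if normalize_dn(approver_dn) == normalize_dn(employee_dn):
        return False                                  # no self-approval
    employee = lookup(directory, employee_dn)
    approver = lookup(directory, approver_dn)
    if employee is None or approver is None:
        return False                                  # unknown entry: deny
    listed = {normalize_dn(m) for m in employee.get("manager", [])}
    if normalize_dn(approver_dn) not in listed:
        return False                                  # not this employee's manager
    roles = {r.lower() for r in approver.get("hugeCoEmployeeRole", [])}
    return bool(roles & APPROVER_ROLES)               # stale manager data: deny


if __name__ == "__main__":
    print("route asmith ->", route_request(DIRECTORY, f"uid=asmith,{NA}"))
    print("bjones approves asmith:", can_approve(DIRECTORY, f"uid=bjones,{NA}", f"uid=asmith,{NA}"))
    print("dlee approves asmith:", can_approve(DIRECTORY, f"uid=dlee,{NA}", f"uid=asmith,{NA}"))
```

The check deliberately fails closed: an entry that cannot be found, an employee with no manager attribute, or a manager entry whose role does not permit approval all produce a denial rather than a fallback, which is what you want when the directory data feeding the decision is maintained by many departmental administrators.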

Apart from testing the directory-enabled applications, an important goal of the pilot project was to obtain feedback on the directory service from end users and system administrators. To collect feedback from end users, the directory phone book was modified halfway through the pilot to occasionally display a simple survey form before providing access to the phone book itself. Face-to-face and telephone interviews were conducted to collect feedback from system administrators of directory-enabled applications and the directory service.

The pilot showed that most of HugeCo's directory design choices were sound. One major redesign was done halfway through the pilot after the team experienced the pain of managing a replication topology that included many partitions. As discussed earlier in this case study, the directory namespace was redesigned to use a simpler structure based on regions rather than DNS subdomains.

After the pilot project was complete, most of the hardware used was incorporated into the production directory service. A few servers were reserved to form a test bed for future experiments with new applications, new directory server software, and directory design changes. Figure 25.9 shows the test bed topology.

Figure 25.9. The HugeCo Directory Test Bed

Normally none of the servers in the test bed are connected to the production directory service, although sometimes they are temporarily incorporated into the production topology to prepare for software upgrades or obtain data for testing purposes. One limitation of the HugeCo test bed is that it does not match the replication topology used in the production service. As older machines become available, the HugeCo directory team plans to make them part of the test bed and improve it by adding replicator servers and by pairing up the master servers.

Analyzing and Reducing Costs

HugeCo tried to minimize the ongoing cost of its directory service by saving money in the following ways:

  • All routine directory administrative tasks were automated, including nightly backups, service monitoring, creation of entries for new employees, and deletion of entries for terminated employees.

  • Pilot hardware was reused to deploy the production service and form a directory service test bed.

  • A small number of larger, more expensive server machines were used instead of many smaller machines. This cost-cutting measure followed the principle that personnel costs are more significant than hardware costs, and it fit well with HugeCo IS's general approach toward service deployment.
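
One way to automate the entry creation and deletion listed above is to generate LDIF from an HR feed and apply it with the server's command-line tools. The following is an added example, not the book's or HugeCo's code: the HR records, the base DN, the attribute set and the hugeCoPerson object class name are constructed assumptions (the page does not name the object class that defines hugeCoEmployeeRole), while the encoding rules follow RFC 2849 (LDIF) and RFC 4514 (DN escaping). It also handles the international data the team cared about, since names with non-ASCII characters must be base64-encoded in LDIF rather than written raw:

```python
"""Generate LDIF add/delete records for employee provisioning.

Added example. HR_FEED, BASE_DN and the hugeCoPerson object class are
assumptions; the encoding rules are RFC 2849 / RFC 4514."""

import base64
import re
from typing import Dict, List

LINE_WIDTH = 76   # RFC 2849: lines SHOULD be folded to at most 76 characters
BASE_DN = "ou=People,ou=Europe,dc=hugeco,dc=com"        # assumed

# Constructed sample HR feed; the accented names exercise the base64 path.
HR_FEED: List[Dict[str, str]] = [
    {"uid": "jmueller", "givenName": "Jörg", "sn": "Müller",
     "mail": "jmueller@hugeco.com", "manager_uid": "bjones", "role": "engineer"},
    {"uid": "pobrien", "givenName": "Pat", "sn": "O'Brien",
     "mail": "pobrien@hugeco.com", "manager_uid": "bjones", "role": "engineer"},
]


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value used inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def needs_base64(value: str) -> bool:
    """RFC 2849 SAFE-STRING rules: base64 is required for values starting
    with space, ':' or '<', or containing non-ASCII, CR, LF or NUL. A
    trailing space is also encoded here so it cannot be silently trimmed."""
    if value == "":
        return False
    if value[0] in " :<" or value.endswith(" "):
        return True
    return any(ord(c) > 127 or c in "\r\n\0" for c in value)


def fold(line: str) -> str:
    """Fold a long line; continuation lines begin with a single space."""
    if len(line) <= LINE_WIDTH:
        return line
    pieces, rest = [line[:LINE_WIDTH]], line[LINE_WIDTH:]
    while rest:
        pieces.append(" " + rest[:LINE_WIDTH - 1])
        rest = rest[LINE_WIDTH - 1:]
    return "\n".join(pieces)


def unfold(text: str) -> str:
    """Reverse fold(): join continuation lines back onto their line."""
    return re.sub(r"\r?\n ", "", text)


def ldif_line(name: str, value: str) -> str:
    """One 'name: value' or 'name:: base64' line, folded if needed."""
    if needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return fold(f"{name}:: {encoded}")
    return fold(f"{name}: {value}")


def new_employee_ldif(rec: Dict[str, str], base: str = BASE_DN) -> str:
    """LDIF 'add' record for a new employee from one HR feed record."""
    dn = f"uid={escape_rdn_value(rec['uid'])},{base}"
    manager_dn = f"uid={escape_rdn_value(rec['manager_uid'])},{base}"
    attrs = [("dn", dn), ("changetype", "add"),
             ("objectClass", "top"), ("objectClass", "person"),
             ("objectClass", "organizationalPerson"),
             ("objectClass", "inetOrgPerson"),
             ("objectClass", "hugeCoPerson"),       # assumed auxiliary class
             ("uid", rec["uid"]), ("cn", f"{rec['givenName']} {rec['sn']}"),
             ("sn", rec["sn"]), ("givenName", rec["givenName"]),
             ("mail", rec["mail"]), ("manager", manager_dn),
             ("hugeCoEmployeeRole", rec["role"])]
    return "\n".join(ldif_line(n, v) for n, v in attrs) + "\n"


def terminated_employee_ldif(uid: str, base: str = BASE_DN) -> str:
    """LDIF 'delete' record for a terminated employee."""
    dn = f"uid={escape_rdn_value(uid)},{base}"
    return ldif_line("dn", dn) + "\nchangetype: delete\n"


if __name__ == "__main__":
    print("\n".join(new_employee_ldif(r) for r in HR_FEED))
    print(terminated_employee_ldif("pobrien"))
```

The generated records are separated by blank lines and can be fed to a standard ldapmodify client; keeping the generator and the applying step separate lets the nightly job write the LDIF to a file that is reviewed or archived before it is applied.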

HugeCo has not conducted a thorough analysis of directory costs and has no immediate plans to do so.

Putting the Directory Service into Production

Because HugeCo's directory deployment involved many sites, servers, and applications, the production rollout was a complex undertaking. The key to success was to roll out the service in five phases:

Phase 1: Roll out directory servers and the phone book application in one region (North America).

Phase 2: Roll out directory servers and the phone book application in the remaining three regions using the same server configuration and enlisting the assistance of IS staff members who deployed the North American service.

Phase 3: Deploy the administrative application across the entire service. This phase was handled by the central IS staff, with testing performed by IS staff within each region.

Phase 4: Deploy directory-enabled e-mail services in each region. This phase was handled by the regional IS staff with help from some directory experts in the central IS organization.

Phase 5: Deploy other directory-enabled applications, including the Web-based workflow applications and the Netegrity SiteMinder access control product on which they depend.

In conjunction with the production rollout, training sessions were conducted within each region for IS system administrators and Help Desk staff. The IS communication group spread the word about the directory service by publishing a series of how-to articles in the employee newsletter and through a "Do you know where your directory entry is?" poster campaign. Posters were placed in every HugeCo building to encourage employees to try the phone book application and to use the self-service feature to update their own directory entries. The poster campaign raised awareness of the new service and improved the accuracy and completeness of employee information in the directory.



Understanding and Deploying LDAP Directory Services (2nd Edition)
ISBN: 0672323168
Year: 2002
Pages: 242