Return on investment can be calculated by determining the cost of doing business the current way and the savings obtained by switching to a new process. Some of the savings are easier to quantify than others. For example, if it takes 50 system administrators to manage your current naming service, but only 25 after consolidation, the savings are obvious.
Some savings are harder to quantify, such as:
Identifying Potential Consolidation Problems
Before you can justify the expense of transitioning from your legacy naming service to LDAP, you need to understand what it buys you. The first step is to take a look at the problems encountered by staying with your legacy naming service. The following list highlights some of the pitfalls you might experience by not using a directory service:
Fragmented data can occur in a legacy naming service because there are autonomous organizations maintaining their own data or different applications requiring different data stores. Usually this is a result of how the organization evolved, and not the result of any conscious decision. At best, fragmented data is costly in terms of administrative costs. At worst, a security hole can be created if, for example, user accounts are unintentionally left enabled after the users have left the company.
Duplicate, unsynchronized data is the result of data fragmentation or poor data management. This situation usually occurs when data is not consistently updated across all data sources. For example, if an employee's phone number changes, but the change is not updated everywhere it is stored, you might retrieve the old number depending on which data source answers your request. A more serious problem can arise if user accounts are not synchronized. Users could be denied access to particular applications or resources if a change in the account is not propagated properly.
Loss of administrative control can be the result of decentralized data. If data is managed by disparate groups within an enterprise, it is difficult to enforce a consistent management policy. For example, some organizations may require passwords to be a certain length, while others may not see this as a necessity.
Lack of extensibility is the inability to add data fields to naming service data. This restricts its usefulness, and it makes creating new data stores a requirement for supporting new applications that need those extra fields.
Poor accessibility is the result of incompatibility between the numerous technologies that exist in the enterprise. The number of ways naming service data can be accessed enhances its usefulness. If data can be accessed through a variety of application programming interfaces (APIs) the cost of deploying new applications and tools to manage the data diminishes.
Identifying the Solution
The main reason to invest in a technology change is to either reduce your operation cost or make your company more competitive. Deploying LDAP in your enterprise offers the following benefits which help you meet these criteria:
These benefits are described in the following sections.
Consolidation of Enterprise Data
The most common use of directories is to store information about users of enterprise computing resources. This information can reside in numerous places including:
From a business point of view, maintaining duplicate information in multiple places creates extra overhead, loss of productivity, and possible security breaches. As employees are hired, fired, or leave voluntarily, entries need to be added or deleted in multiple places. Likewise, when personal data such as marital status changes, entries in several locations need to be updated. If applications require passwords, users might have to maintain several passwords, one for each service they access.
Directory consolidation is the most frequently cited reason for moving to a new naming service. Because LDAP-based directories adhere to standards and have established a significant industry presence, this is the technology of choice for many consolidation projects.
Universal access means you can get to your data from a variety of clients in a variety of locations. Maintaining corporate data is useless unless it is easy to get to. Universal access to data reduces programming costs and allows employees access while at work or at home. It also provides a competitive edge because customers and partners can access the same data, or subset that you allow them to view.
Directories based on LDAP technology, such as the Sun ONE Directory Server 5.2 software, provide a variety of ways to access directory data, as follows:
There are many examples available in the Sun ONE Directory Server, Resource Kit (SDRK) software that can be downloaded for free from the http://www.sun.com web site. These examples illustrate how to take advantage of the universal access capabilities. Chapter 6 "Management Tools and Toolkits" provides useful tips on how to customize your own solutions based on these examples.
Ease of Management
Hidden in the cost of deploying new technology is the cost of training employees who must manage the new technology. Once data is consolidated, it is easier to manage. LDAP is a standard, so your investment in training is protected because the concepts are transferable to a wide range of applications and services.
A variety of tools and toolkits are available for managing directory data. Some are available from Sun, some from the public domain, and some are provided by third-party vendors. Chapter 6 "Management Tools and Toolkits" discusses many of these.
Ease of Securing Data
Maintaining user data in one type of data store, rather than several, makes the job of securing it easier because you only have to be concerned with one security mechanism for all your data stores. LDAP directories provide a flexible way of controlling access to data that provides a great deal of granularity. Encrypted data channels can be created to prevent unauthorized snooping.
Technical Benefits of LDAP Directories
This section examines specific technological features that LDAP directories provide, and how these features translate into business case benefits.
By extending the directory schema, you can create customized data entries that are still compatible with existing applications. This is significant because you can create an entry for a person, add company-specific attributes to that entry, and still have existing applications function properly. For example, an entry containing Solaris OE login information will work fine even though additional information about a person, such as a department number, manager name, and work telephone number, has been added to the user entry.
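To make the schema-extension point concrete, here is an added example (not code from the book, and not part of the Sun ONE Directory Server or its resource kit): a small Python LDIF reader that pulls the passwd(5) fields a POSIX login application needs out of a user entry and ignores everything else. The entry, its DN and its attribute values are constructed; posixAccount and inetOrgPerson are standard schema classes, and departmentNumber, manager and telephoneNumber stand in for the company-specific additions the text describes. The application code only reads the attributes it knows, which is why the extra ones do it no harm.

```python
"""Read one LDIF user entry and derive the passwd(5) record a POSIX login
application needs, ignoring company-specific attributes.

Added example; the entry below is constructed and is not from the book."""
import base64

# Constructed sample entry: Solaris login information (posixAccount) plus
# extra attributes that a posixAccount-only application never looks at.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
sn: Doe
uidNumber: 10001
gidNumber: 100
homeDirectory: /home/jdoe
loginShell: /bin/ksh
gecos: Jane Doe
departmentNumber: 4711
manager: uid=mgr,ou=People,dc=example,dc=com
telephoneNumber: +1 555 0100
userPassword:: e2NyeXB0fXh4eHh4eHh4
"""

# Attributes posixAccount marks MUST; loginShell and gecos are optional.
POSIX_REQUIRED = ("uid", "cn", "uidNumber", "gidNumber", "homeDirectory")
POSIX_KNOWN = {a.lower() for a in POSIX_REQUIRED} | {
    "loginshell", "gecos", "userpassword", "objectclass", "sn", "description"}


def parse_ldif_entry(text):
    """Return (dn, {attr: [values]}) for a single LDIF entry.

    Folded continuation lines (leading space) are joined, '::' values are
    base64-decoded, and attribute names are lowercased because LDAP
    attribute names are case-insensitive."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):                   # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError("entry has no dn")
    return dn, attrs


def missing_posix_attributes(attrs):
    """Required posixAccount attributes absent from the entry (original case)."""
    return [a for a in POSIX_REQUIRED if a.lower() not in attrs]


def posix_passwd_line(attrs):
    """Build a passwd(5)-style record from the posixAccount attributes only.

    Extra attributes (departmentNumber, manager, ...) are simply ignored,
    which is why extending the entry does not break an application that
    reads it."""
    missing = missing_posix_attributes(attrs)
    if missing:
        raise ValueError("not a usable posixAccount, missing: " + ", ".join(missing))

    def get(attr, default=""):
        return attrs.get(attr.lower(), [default])[0]

    return ":".join([get("uid"), "x", get("uidNumber"), get("gidNumber"),
                     get("gecos", get("cn")), get("homeDirectory"),
                     get("loginShell", "/bin/sh")])


def extra_attributes(attrs):
    """Attribute names (lowercased) present beyond what posixAccount defines."""
    return sorted(set(attrs) - POSIX_KNOWN)


if __name__ == "__main__":
    dn, attrs = parse_ldif_entry(SAMPLE_LDIF)
    print(dn)
    print(posix_passwd_line(attrs))
    print("company-specific extras:", extra_attributes(attrs))
```

Running the block prints the DN, the line `jdoe:x:10001:100:Jane Doe:/home/jdoe:/bin/ksh`, and the three extra attribute names; a second entry with the company-specific attributes stripped produces the same passwd line, which is the compatibility guarantee the text relies on.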
Applications can scale either vertically or horizontally. Vertical scalability is the ability to take advantage of resources provided on a single large computer. Horizontal scalability is the ability to spread the application load among several smaller computers. The key technology behind horizontal scalability is the ability to distribute directory data across the enterprise. With Sun ONE Directory Server 5.2 software, this is accomplished with data replication and multiple databases.
Data replication was enhanced starting with the directory server 5.0 release by supporting the multi-master replication model. In this model, more than one server can master the same data. This allows updates to be performed on either system. Database distribution allows a large database to be broken up into smaller ones that can be distributed among several servers.
Directory servers generally require lots of RAM, disk, and network bandwidth in relation to CPU speed. Because the amount of RAM a computer can accommodate is finite, and network bandwidth across an enterprise may not be evenly distributed, horizontal scaling is usually more advantageous than vertical scaling.
Data replication in conjunction with load-balancing switches or LDAP proxy servers can provide high availability. Modern switches are capable of detecting the load on multiple LDAP servers and can direct LDAP operations to the least busy server. Alternatively, the LDAP client software can be designed to fail over to alternate servers if the primary server fails.
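The client-side failover just mentioned, as an added Python example (not code from the book or from any Sun product): a client keeps an ordered list of replicas, tries them in turn, and quarantines a server that refused a connection for a while so that every later operation does not pay for a retry against a dead primary first. The server names, the SimulatedDirectory stand-in and the FakeClock are constructed for the demonstration; in a real deployment the connect callable would open an LDAP session with a socket timeout, and the clock would be time.monotonic.

```python
"""Client-side failover across an ordered list of LDAP replicas with a
quarantine period for servers that failed.

Added example; hosts, the simulated directory and the clock are constructed."""
import time


class ServerDown(Exception):
    """Raised by the connect callable when a server cannot be reached."""


class FailoverClient:
    def __init__(self, servers, connect, quarantine=30.0, clock=time.monotonic):
        self.servers = list(servers)        # preferred order, primary first
        self.connect = connect              # callable(host) -> connection
        self.quarantine = quarantine        # seconds to skip a failed host
        self.clock = clock
        self.down_until = {}                # host -> time it may be retried

    def candidates(self):
        """Hosts not currently quarantined, in preferred order. If every
        host is quarantined, try them all rather than give up outright."""
        now = self.clock()
        healthy = [h for h in self.servers if self.down_until.get(h, 0) <= now]
        return healthy or list(self.servers)

    def open(self):
        """Return (host, connection) for the first reachable server."""
        errors = {}
        for host in self.candidates():
            try:
                conn = self.connect(host)
            except ServerDown as exc:
                errors[host] = str(exc)
                self.down_until[host] = self.clock() + self.quarantine
                continue
            self.down_until.pop(host, None)  # a success clears the quarantine
            return host, conn
        raise ServerDown("no LDAP server reachable: %s" % errors)


class SimulatedDirectory:
    """Constructed stand-in for a farm of replicas: hosts in 'down' refuse,
    the rest return a connection token. 'attempts' records the order."""
    def __init__(self, down=()):
        self.down = set(down)
        self.attempts = []

    def connect(self, host):
        self.attempts.append(host)
        if host in self.down:
            raise ServerDown(host + ": connection refused")
        return "conn-to-" + host


class FakeClock:
    """Deterministic clock so the quarantine can be exercised offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


SERVERS = ["ldap1.example.com", "ldap2.example.com", "ldap3.example.com"]   # constructed


def demo():
    """Primary down, then two operations, then the primary comes back after
    the quarantine expires. Returns the host chosen for each operation and
    the full list of connection attempts."""
    farm = SimulatedDirectory(down={"ldap1.example.com"})
    clock = FakeClock()
    client = FailoverClient(SERVERS, farm.connect, quarantine=30.0, clock=clock)
    chosen = [client.open()[0], client.open()[0]]   # second call skips ldap1
    clock.advance(31.0)
    farm.down.clear()                                # ldap1 repaired
    chosen.append(client.open()[0])
    return chosen, farm.attempts


if __name__ == "__main__":
    hosts, attempts = demo()
    print("chosen:", hosts)
    print("attempts:", attempts)
```

The quarantine is the detail worth copying: without it a client with a dead primary would time out on it before every single operation, which is the same outage for the user as having no failover at all.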
Sun Cluster technology can be deployed to provide high availability without using LDAP data replication. Instead, a mirrored disk volume is shared among two or more systems, or nodes. Only one system controls the shared disk volume at any one time. If that system fails, control is transferred to one of the surviving nodes. The LDAP service is associated with a Virtual Internet Protocol (VIP) address that can also be transferred to a surviving node.
Future of NIS and NIS+
When the Solaris 9 OE was released, Sun announced the end of feature (EOF) of NIS+. While Sun will support NIS+ for some time in terms of minor bug fixes, there will be no new enhancements, and support will be dropped in some future Solaris release. It is also likely that a similar EOF announcement of NIS will be made at some time in the future.
To aid in the migration from NIS/NIS+ to LDAP, transition tools began shipping with the Solaris 9 OE. Deployment of these tools is discussed in Chapter 5 "Migrating Legacy Data to LDAP."