Presentation is loading. Please wait.

Presentation is loading. Please wait.

Directory Services DIT Design Jim Rommel Perot Systems Corporation.

Similar presentations


Presentation on theme: "Directory Services DIT Design Jim Rommel Perot Systems Corporation."— Presentation transcript:

1 Directory Services DIT Design Jim Rommel Perot Systems Corporation

2 Jim Rommel Sr. Directory Specialist: Perot Systems Incorporated 4 years experience with X.500/LDAP Directory Services at Texas Instruments and Perot Systems Prior experience with Object Repository Technology X.500/LDAP Experience includes:  Schema and DIT Design  Directory Infrastructure Integration  Directory Synchronization  LDAP Development  Client DUA Development  X.500/LDAP Vendor evaluations  Installation and Maintennance of 4 several X.500/LDAP products

3 DIT Design  Directory Information Tree  The logical hierarchical structure and categorization of directory information  Different naming attributes within the tree: c : country o : organization ou : organizational unit l : locality cn : common name  DIT Structure rules determine which naming attributes must preceed others in the hierarchy  Each entry in a Directory must have a unique Distinguished Name (DN) What is a DIT?

4 c=US o=Acme ou=Sales ou=Accounting ou=R&D ou=Engineering cn=Mike Smith DIT Design: People By Department ou=Mfg.

5 ou=Employees ou=Customers ou=Contractors DIT Design: Types of People ou=Others cn=Mike Smith c=US o=Acme

6 l=Headquarters l=Los Angeles l=Chicago l=Dallas l=New York cn=Mike Smith DIT Design: By Location c=US o=Acme

7 c=US o=Acme l=Los Angeles l=Dallasl=New York l=North America l=Europe l=Asia l=Singapore l=Japan l=Munich l=London l=Paris ou=People cn=Mike Smith DIT Design: Deep Tree By Department

8 l=North America l=Asia ou=People cn=Joe Boss cn=Clara Jordan ou=Engineering ou=R&D ou=MFG ou=Engineering ou=Sales cn=Mike Smith DIT Design: Deep Tree l=DFW l=NYC l=LA cn=Soopy Sales c=US o=Acme

9 DIT Design: Flat Tree ou=People cn=Mike Smith c=US o=Acme

10 DIT Design: Flat Tree ou=People cn=Mike Smith #2 c=US o=Acme cn=Mike Smith #1

11 ou=People cn =SmithET cn =AikmanTA cn =SandersDJ cn = GonzalesJ cn =ModanoMW DIT Design: Perot Systems DIT c=US o=Acme

12 ou=People cn =SmithET cn =AikmanTA cn =SandersDJ cn = GonzalesJ cn =ModanoMW cn=Directory User cn=Mail Admin cn=Medical Admin cn=Medical User site=TX-SD site=TX-RI site=SW-BK site=NY-AA ou=Medical ou=Web Sites ou=Resumes DIT Design: Perot Systems DIT c=US o=Acme ou=Groups ou=Locations ou=Apps ou=Systems ou=Schema

13 DIT Design: Deep -vs- Flat Trees  Can result in long Distinguished Names (DN)  May reflect your actual corporate structure  Can result in administrative problems if your organization is constantly changing  Better chance of having unique names within a subtree  Works well if you want to distribute the data across multiple DSAs and do multi-mastering Deep Trees:

14 DIT Design: Deep -vs- Flat Trees  No need to categorize people  Short Distinguished Names, easy to remember and type  DIT is very stable: not affected by organizational changes, and easy to administer  Higher chance of name collisions  Not well suited for Browsing  Can result in longer load times or startup times, depending on the Directory Product you use Flat Trees:

15 DIT Design: Selecting a Distinguished Name - DN Changes if a female marries - DN Changes if I change my nickname - Name may not be unique. cn=Mike Smith, ou=People, o=Perot Systems, c=US c=US o=Perot Systems ou=People cn = Mike Smith

16 DIT Design: Selecting a Distinguished Name + DN Guaranteed to be unique + DN Never Changes + More robust searching using name components cn= , ou=People, o=Perot Systems, c=US c=US o=Perot Systems ou=People cn = givenName = Michael nickname = Mike surname = Smith - Browser shows useless information - Microsoft and Netscape mail clients expected a real name in the commonName (cn) field.

17 DIT Design: Selecting a Distinguished Name + DN Guaranteed to be unique + DN Never Changes + More robust searching using name components - Browser shows useless information uid= , ou=People, o=Perot Systems, c=US c=US o=Perot Systems ou=People uid = cn = Mike Smith givenName = Michael nickname = Mike surname = Smith + commonName (cn) field contains a real name to work well with other LDAP applications.

18 DIT Design: Selecting a Distinguished Name uid=smithMJ, ou=People, o=Perot Systems, c=US c=US o=Perot Systems ou=People uid = smithMJ cn = Mike Smith givenName = Michael nickname = Mike surname = Smith + DN Guaranteed to be unique + More robust searching using name components + commonName (cn) field contains a real name + Browser shows more useful information (although not as ideal as a full name) + Directly maps to a user’s logon ID (can be used for single signon) - DN has the potential to change if the name or UID changes - Entrust product requires the commonName (cn) to be part of the DN.

19 DIT Design: Selecting a Distinguished Name cn=Mike Smith + uid=smithMJ, ou=People, o=Perot Systems, c=US c=US o=Perot Systems ou=People cn = Mike Smith + uid = smithMJ givenName = Michael nickname = Mike surname = Smith + DN Guaranteed to be unique + More robust searching using name components + Directly maps to a user’s logon ID (can be used for single signon) + commonName (cn) field contains a real name + commonName (cn) is part of the DN - DN has the potential to change - Very hokey way of achieving uniqueness - Complicated DN syntax - More complicated Directory Logon procedures - This syntax may not be accepted as standard in the future.

20 DIT Design: Selecting a Distinguished Name + DN Guaranteed to be unique + More robust searching using name components + Directly maps to a user’s logon ID (can be used for single signon) + commonName (cn) field contains a real name + commonName (cn) is part of the DN - DN has the potential to change cn=smithMJ, ou=People, o=Perot Systems, c=US c=US o=Perot Systems ou=People cn = smithMJ cn = Mike Smith givenName = Michael nickname = Mike surname = Smith uid = smithMJ - Data is duplicated in several areas (uid and cn) - Value displayed for commonName may vary.

21 DIT Design: Selecting a Distinguished Name c=US o=Perot Systems ou=People ou=Certificates uid=smithMJ, ou=Certificates, o=Perot Systems, c=US uid = smithMJ cn = Mike Smith givenName = Michael nickname = Mike surname = Smith cn = smithMJ ALIAS POINTER cn=smithMJ, ou=People, o=Perot Systems, c=US + DN Guaranteed to be unique + More robust searching using name components + Directly maps to a user’s logon ID (can be used for single signon) + commonName (cn) field contains a real name + commonName (cn) is part of the DN - DN has the potential to change - Problems with X.500 aliases: - no built-in referential integrity - will LDAPv3 support them?

22 “The X.500 approach to naming has become an obstacle to the wide deployment of directory-enabled applications on the Internet.” DIT Design: An IETF DIT Naming Proposal

23 dc=com dc=acme DIT Design: An IETF DIT Naming Proposal  The dc named attribute stands for domain component  The idea is to map the upper levels of the tree with registered DNS Names (in this case acme.com)

24 dc=com dc=acme dc=Corporate dc=Customers DIT Design: An IETF DIT Naming Proposal  The dc named attribute stands for domain component  The idea is to map the upper levels of the tree with registered DNS Names (in this case acme.com)  Lower levels of the tree will also use the dc named attribute

25 dc=com dc=acme dc=Corporate dc=DalSite uid = cn = Mike Smith givenName = Michael surname = Smith uid = cn = Jane Doe givenName = Jane surname = Doe DIT Design: An IETF DIT Naming Proposal  The dc named attribute stands for domain component  The idea is to map the upper levels of the tree with registered DNS Names (in this case acme.com)  Lower levels of the tree will also use the dc named attribute  Each user is identified with the uid named attribute containing the address.

26  Robust DIT Naming and design standards are not in place yet  There is currently no single “right way” to design your DIT that applies to everyone  Take into consideration your organization –the organizational structure –the organization’s tendency to change –the organization’s current size and potential to grow  Take into consideration the how you want to use the directory –what information will be stored in the directory –who will own what data and how will be be mastered –what what other systems in the infrastructure will be using/storing the data –how and what applications will be accessing the data DIT Design Conclusion

27 Questions??? Jim Rommel Perot Systems Corporation phone: fax:


Download ppt "Directory Services DIT Design Jim Rommel Perot Systems Corporation."

Similar presentations


Ads by Google