Directory Services DIT Design Jim Rommel Perot Systems Corporation.


1 Directory Services DIT Design, Jim Rommel, Perot Systems Corporation

2 Jim Rommel, Sr. Directory Specialist, Perot Systems Incorporated
- 4 years experience with X.500/LDAP Directory Services at Texas Instruments and Perot Systems
- Prior experience with Object Repository Technology
- X.500/LDAP experience includes:
  - Schema and DIT design
  - Directory infrastructure integration
  - Directory synchronization
  - LDAP development
  - Client DUA development
  - X.500/LDAP vendor evaluations
  - Installation and maintenance of several X.500/LDAP products

3 DIT Design: What is a DIT?
- Directory Information Tree: the logical hierarchical structure and categorization of directory information
- Different naming attributes are used within the tree:
  c: country
  o: organization
  ou: organizational unit
  l: locality
  cn: common name
- DIT structure rules determine which naming attributes must precede others in the hierarchy
- Each entry in a directory must have a unique Distinguished Name (DN)

4 DIT Design: People By Department
(tree diagram: c=US > o=Acme > ou=Sales | ou=Accounting | ou=R&D | ou=Engineering | ou=Mfg.; cn=Mike Smith sits under one of the department entries)

5 DIT Design: Types of People
(tree diagram: c=US > o=Acme > ou=Employees | ou=Customers | ou=Contractors | ou=Others; cn=Mike Smith sits under one of these entries)

6 DIT Design: By Location
(tree diagram: c=US > o=Acme > l=Headquarters | l=Los Angeles | l=Chicago | l=Dallas | l=New York; cn=Mike Smith sits under one of the locality entries)

7 DIT Design: Deep Tree By Department
(tree diagram: c=US > o=Acme > l=North America | l=Europe | l=Asia; l=North America > l=Los Angeles | l=Dallas | l=New York; l=Europe > l=Munich | l=London | l=Paris; l=Asia > l=Singapore | l=Japan; a site locality > ou=People > cn=Mike Smith)

8 DIT Design: Deep Tree
(tree diagram: c=US > o=Acme > l=North America | l=Asia; l=North America > l=DFW | l=NYC | l=LA; organizational units below the sites: ou=People, ou=Engineering, ou=R&D, ou=MFG, ou=Sales; leaf entries shown: cn=Joe Boss, cn=Clara Jordan, cn=Mike Smith, cn=Soopy Sales; the exact branch of each leaf is not preserved in the transcript)

9 DIT Design: Flat Tree
(tree diagram: c=US > o=Acme > ou=People > cn=Mike Smith)

10 DIT Design: Flat Tree
(tree diagram: c=US > o=Acme > ou=People > cn=Mike Smith #1, cn=Mike Smith #2; two entries for the same name in one container)

11 DIT Design: Perot Systems DIT
(tree diagram: c=US > o=Acme > ou=People > cn=SmithET, cn=AikmanTA, cn=SandersDJ, cn=GonzalesJ, cn=ModanoMW)

12 DIT Design: Perot Systems DIT
(tree diagram: c=US > o=Acme with top-level branches ou=People, ou=Groups, ou=Locations, ou=Apps, ou=Systems, ou=Schema; ou=People holds cn=SmithET, cn=AikmanTA, cn=SandersDJ, cn=GonzalesJ, cn=ModanoMW; other entries shown: cn=Directory User, cn=Mail Admin, cn=Medical Admin, cn=Medical User; site=TX-SD, site=TX-RI, site=SW-BK, site=NY-AA; ou=Medical, ou=Web Sites, ou=Resumes)

13 DIT Design: Deep -vs- Flat Trees
Deep trees:
- Can result in long Distinguished Names (DNs)
- May reflect your actual corporate structure
- Can result in administrative problems if your organization is constantly changing
- Better chance of having unique names within a subtree
- Work well if you want to distribute the data across multiple DSAs and do multi-mastering

14 DIT Design: Deep -vs- Flat Trees
Flat trees:
- No need to categorize people
- Short Distinguished Names, easy to remember and type
- DIT is very stable: not affected by organizational changes, and easy to administer
- Higher chance of name collisions
- Not well suited for browsing
- Can result in longer load times or startup times, depending on the directory product you use

15 DIT Design: Selecting a Distinguished Name
Candidate: cn=Mike Smith, ou=People, o=Perot Systems, c=US
(tree: c=US > o=Perot Systems > ou=People > cn=Mike Smith)
- DN changes if a female employee marries
- DN changes if I change my nickname
- Name may not be unique

16 DIT Design: Selecting a Distinguished Name
Candidate: cn=0175387, ou=People, o=Perot Systems, c=US
Entry attributes: cn=0175387, givenName=Michael, nickname=Mike, surname=Smith
+ DN guaranteed to be unique
+ DN never changes
+ More robust searching using name components
- Browser shows useless information
- Microsoft and Netscape mail clients expected a real name in the commonName (cn) field

17 DIT Design: Selecting a Distinguished Name
Candidate: uid=0175387, ou=People, o=Perot Systems, c=US
Entry attributes: uid=0175387, cn=Mike Smith, givenName=Michael, nickname=Mike, surname=Smith
+ DN guaranteed to be unique
+ DN never changes
+ More robust searching using name components
+ commonName (cn) field contains a real name, so it works well with other LDAP applications
- Browser shows useless information

18 DIT Design: Selecting a Distinguished Name
Candidate: uid=smithMJ, ou=People, o=Perot Systems, c=US
Entry attributes: uid=smithMJ, cn=Mike Smith, givenName=Michael, nickname=Mike, surname=Smith
+ DN guaranteed to be unique
+ More robust searching using name components
+ commonName (cn) field contains a real name
+ Browser shows more useful information (although not as ideal as a full name)
+ Directly maps to a user's logon ID (can be used for single sign-on)
- DN has the potential to change if the name or UID changes
- Entrust product requires the commonName (cn) to be part of the DN

19 DIT Design: Selecting a Distinguished Name
Candidate (multi-valued RDN): cn=Mike Smith+uid=smithMJ, ou=People, o=Perot Systems, c=US
Entry attributes: cn=Mike Smith, uid=smithMJ, givenName=Michael, nickname=Mike, surname=Smith
+ DN guaranteed to be unique
+ More robust searching using name components
+ Directly maps to a user's logon ID (can be used for single sign-on)
+ commonName (cn) field contains a real name
+ commonName (cn) is part of the DN
- DN has the potential to change
- Very hokey way of achieving uniqueness
- Complicated DN syntax
- More complicated directory logon procedures
- This syntax may not be accepted as standard in the future

20 DIT Design: Selecting a Distinguished Name
Candidate: cn=smithMJ, ou=People, o=Perot Systems, c=US
Entry attributes: cn=smithMJ, cn=Mike Smith (cn is multi-valued), givenName=Michael, nickname=Mike, surname=Smith, uid=smithMJ
+ DN guaranteed to be unique
+ More robust searching using name components
+ Directly maps to a user's logon ID (can be used for single sign-on)
+ commonName (cn) field contains a real name
+ commonName (cn) is part of the DN
- DN has the potential to change
- Data is duplicated in several places (uid and cn)
- Value displayed for commonName may vary

21 DIT Design: Selecting a Distinguished Name
Candidate: cn=smithMJ, ou=People, o=Perot Systems, c=US, with an alias entry uid=smithMJ, ou=Certificates, o=Perot Systems, c=US pointing at it
(tree: c=US > o=Perot Systems > ou=People | ou=Certificates; the ou=Certificates entry is an X.500 alias pointer to the ou=People entry)
Entry attributes: cn=smithMJ, cn=Mike Smith, uid=smithMJ, givenName=Michael, nickname=Mike, surname=Smith
+ DN guaranteed to be unique
+ More robust searching using name components
+ Directly maps to a user's logon ID (can be used for single sign-on)
+ commonName (cn) field contains a real name
+ commonName (cn) is part of the DN
- DN has the potential to change
- Problems with X.500 aliases: no built-in referential integrity; will LDAPv3 support them?
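A way to try the naming choices from slides 9, 10 and 15 to 21 against a sample population before committing to one. This is an added example, not code from the presentation or from Perot Systems: the three people with their uids and employee numbers are constructed, employeeNumber is assumed as the attribute holding the employee id that slides 16 and 17 place in cn or uid, and ou=People,o=Perot Systems,c=US is the base DN from the slides. Value escaping follows the RFC 4514 string representation of DNs.

```python
"""Compose LDAP DNs and check whether a naming choice stays unique.

Added example, not from the presentation. Sample people are constructed;
"employeeNumber" is an assumed attribute for the employee id.
"""

_SPECIAL = set(',+"\\<>;')
BASE = "ou=People,o=Perot Systems,c=US"  # base DN used on the slides


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns, base=BASE):
    """Build a DN from a list of RDNs, leaf first.

    Each RDN is a dict of attribute type -> value. A dict with several
    entries becomes a multi-valued RDN such as cn=Mike Smith+uid=smithMJ
    (slide 19); its AVAs are sorted so the output is canonical.
    """
    parts = []
    for rdn in rdns:
        if not rdn:
            raise ValueError("empty RDN")
        avas = sorted(rdn.items(), key=lambda kv: kv[0].lower())
        parts.append("+".join(f"{attr}={escape_rdn_value(val)}" for attr, val in avas))
    return ",".join(parts + [base]) if base else ",".join(parts)


def normalize_dn(dn: str) -> str:
    """Approximate caseIgnoreMatch: lower-case and collapse runs of whitespace.

    cn, uid and the naming attributes used here compare case-insensitively
    (RFC 4519), so DNs differing only in case or spacing name the same entry.
    Uniqueness has to be checked under that rule, not by byte equality.
    """
    return " ".join(dn.lower().split())


# Constructed sample population: two people share the display name.
PEOPLE = [
    {"cn": "Mike Smith", "uid": "smithMJ", "employeeNumber": "0175387"},
    {"cn": "mike  smith", "uid": "smithMA", "employeeNumber": "0175388"},
    {"cn": "Jane Doe", "uid": "doeJ", "employeeNumber": "0175389"},
]


def naming_collisions(people, rdn_attrs, base=BASE):
    """Return {normalized DN: [employeeNumber, ...]} for every DN that more
    than one person would claim when the RDN is built from rdn_attrs."""
    claimed = {}
    for person in people:
        dn = build_dn([{attr: person[attr] for attr in rdn_attrs}], base)
        claimed.setdefault(normalize_dn(dn), []).append(person["employeeNumber"])
    return {dn: owners for dn, owners in claimed.items() if len(owners) > 1}


if __name__ == "__main__":
    for attrs in (("cn",), ("employeeNumber",), ("uid",), ("cn", "uid")):
        print(attrs, naming_collisions(PEOPLE, attrs) or "no collisions")
```

The collision check compares DNs the way the directory does (cn and uid use caseIgnoreMatch), which is why "Mike Smith" and "mike  smith" count as the same entry; a byte-for-byte comparison would miss that pair. Naming by uid, by employee number, or by the multi-valued cn+uid RDN produces no collision on this population, which matches the trade-offs listed on slides 16 to 19.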

22 DIT Design: An IETF DIT Naming Proposal
“The X.500 approach to naming has become an obstacle to the wide deployment of directory-enabled applications on the Internet.”
http://www.imc.org/draft-ietf-ids-dirnaming

23-25 DIT Design: An IETF DIT Naming Proposal (http://www.imc.org/draft-ietf-ids-dirnaming)
(tree diagram, built up over three slides: dc=com > dc=acme > dc=Corporate | dc=Customers; dc=Corporate > dc=DalSite > two person entries)
- The dc naming attribute stands for domain component
- The idea is to map the upper levels of the tree to registered DNS names (in this case acme.com)
- Lower levels of the tree also use the dc naming attribute
- Each user is identified with the uid naming attribute containing the e-mail address
Sample entries under dc=DalSite:
  uid=mike.smith@acme.com, cn=Mike Smith, givenName=Michael, surname=Smith
  uid=jane.doe@acme.com, cn=Jane Doe, givenName=Jane, surname=Doe
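The mapping the proposal describes, carried through in code: a registered DNS name becomes the top of the tree, further dc components sit below it, and a person is named by e-mail address. This is an added example, not code from the presentation, from the IETF draft or from Perot Systems; acme.com, the DalSite and Corporate components and the two addresses are the slides' sample values, the label rule is the usual hostname restriction (letters, digits and hyphens, 63 characters per label), and the restriction on the local part of the address is an assumption made here so that no RFC 4514 special character can reach the RDN unescaped.

```python
"""Map DNS names to dc-based DIT names (draft-ietf-ids-dirnaming style).

Added example, not from the presentation. The DNS label rule and the
allowed local-part characters are assumptions made for this example.
"""
import re

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Conservative local part: none of , + " \ < > ; can appear, so no RDN escaping is needed.
_LOCAL = re.compile(r"^[A-Za-z0-9._-]+$")


def is_valid_domain(domain: str) -> bool:
    """True if every label of the (possibly fully qualified) name is a valid DNS label."""
    labels = domain.strip().rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels) and len(".".join(labels)) <= 253


def domain_to_dc(domain: str) -> str:
    """acme.com -> dc=acme,dc=com. Most-specific component first, which is
    already the order the labels have in the DNS name."""
    if not is_valid_domain(domain):
        raise ValueError(f"not a valid DNS name: {domain!r}")
    labels = domain.strip().rstrip(".").split(".")
    return ",".join(f"dc={label}" for label in labels)


def dc_to_domain(dn: str) -> str:
    """Inverse mapping: dc=DalSite,dc=Corporate,dc=acme,dc=com -> DalSite.Corporate.acme.com.
    Any RDN that is not a plain dc component is rejected."""
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or attr.strip().lower() != "dc" or not _LABEL.match(value.strip()):
            raise ValueError(f"not a dc RDN: {rdn!r}")
        labels.append(value.strip())
    return ".".join(labels)


def user_dn(email: str, sub_components, domain: str) -> str:
    """DN for a person named by e-mail address under dc components below the
    registered domain (slide 25). sub_components is listed leaf first, e.g.
    ("DalSite", "Corporate"). The address must belong to the registered
    domain, so an entry cannot be named by an address from somewhere else."""
    local, at, mail_domain = email.partition("@")
    if not at or not _LOCAL.match(local) or mail_domain.lower() != domain.lower().rstrip("."):
        raise ValueError(f"address {email!r} is not usable as a name in {domain!r}")
    for label in sub_components:
        if not _LABEL.match(label):
            raise ValueError(f"invalid dc value: {label!r}")
    prefix = ",".join(f"dc={label}" for label in sub_components)
    suffix = domain_to_dc(domain)
    return f"uid={email},{prefix},{suffix}" if prefix else f"uid={email},{suffix}"


if __name__ == "__main__":
    print(domain_to_dc("acme.com"))
    print(user_dn("mike.smith@acme.com", ("DalSite", "Corporate"), "acme.com"))
    print(user_dn("jane.doe@acme.com", ("DalSite", "Corporate"), "acme.com"))
```

Validating labels in both directions keeps the dc tree a faithful image of the DNS name space, which is the whole point of the proposal: a dc value that is not a legal DNS label could never be registered, so it should not be accepted as a naming component either.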

26 DIT Design Conclusion
- Robust DIT naming and design standards are not in place yet
- There is currently no single “right way” to design your DIT that applies to everyone
- Take into consideration your organization:
  - the organizational structure
  - the organization's tendency to change
  - the organization's current size and potential to grow
- Take into consideration how you want to use the directory:
  - what information will be stored in the directory
  - who will own what data and how it will be mastered
  - what other systems in the infrastructure will be using/storing the data
  - how and what applications will be accessing the data

27 Questions???
Jim Rommel, Perot Systems Corporation
email: jim.rommel@ps.net
phone: 972-461-3689
fax: 972-461-3030

