1. Ready For A Directory Enabled World? Nand Mulchandani Co-Founder, Oblix, Inc. nand@oblix.com March 31, 1999

2. 2 The Digital Persona: Unorganized Elements Credit Card Expiration Frequent Flyer Numbers Login Exp Date Certificate DN Application Permissions Securid Number Challenge Phrase Location Floor Number Monitor Serial Number Keyboard Serial Number Title Organization Dep’t Number Department Name Employee Type Employee Number Emp Grade Level Admin Name Manager Direct Reports Indirect Reports Line Phone Number Fax Number Mobile Phone Pager Number Pager email Address Name Initials Home Address Home Phone Number Emergency Contact Emergency Phone Social Security Number College Name Hometown Personal URL Department URL Directory Photo Credit Card Number Airline prefs Airline Seating Prefs Budget Authority Login ID Password Password Change Date Password Expiration Date Language Email Address Email Absence Message Project Groups Skills Project Responsibilities Personal Groups Desktop OS Version MS Office Version Browser Version IP Address Network Drops Primary Machine IP Address Primary Printer Remote Access? Remote Access Login ID Remote Access password Primary Dial-in Number Connection Speed Securid Exp Date Challenge Phrase Response Work Address Mailstop Building Number Room Number Cubicle Number Mailing Address Geographic Region License Plate Pager Serial Number Laptop Serial Number Modem Serial Number Mouse Serial Number Cell Phone Serial Number Badge Photo Badge Issue date Badge Exp Date Building Access Authorizations Building Badge Number

3. 3 Overview Directory Enabled Applications Directory Enabled Infrastructure Issues to consider when deploying Directories –How do Directory Servers fit into everything –Scope and use of the Directory –Implementation considerations Longer term issues with Directories

4. 4 The Power of the Directory Enabled Network The power of a Directory is directly proportional to the number of applications using it Directories hold the promise of enabling a new class of applications –Rich and comprehensive profiles drive personalization –Ubiquity of configuration information drives universal access –Infrastructure (like the network) automatically work with the applications –Ability to set global policies in a single place –Extensive access control to setup and enforce policies –User centric vs. Administrator centric focus Directory-enable existing applications –Can replace parts of the applications to enable Directory use –Can synchronize application information into the Directory

5. 5 What does “Directory Enabled” mean? Any application that uses or stores information in the Directory Basic Information to keep in the Directory –User Profile Information –Application Configuration Information –Business Rules & Policy Information Directory Enabled Infrastructure –Directory Enabled Networking (DEN) –Messaging Servers –Single Signon –Application Configuration Information Directory Enabled Applications –Messaging Clients, Address books –Project Management –Corporate Services Automation (CSA)

6. 6 Directory Enabling Your Applications Use Directory authentication –Eliminate multiple user authentication databases Store application configuration information in the Directory –Can run multiple copies of the products without having to deal with configuration information –Can manage configuration information through standard admin consoles (e.g. Netscape Mission Control) Add per-user configuration information with user object –Current trend is to use auxiliary classes to store this information –Can distribute change management of this information using applications like Oblix CSA –Per-user configuration is not tied down to a particular computer or workstation –Information can be used by other applications as well

7. 7 Promise of the Directory Enabled Network User Profile & NeedsAvailable Resources Policy Resource Allocation Combination of factors to allocate resources Policy = Business Rules + Specific Rules –Can set specific rules based on users, groups

8. 8 Considerations in Directory deployment It is important to understand how the Directory fits in with the organization –Existing business processes –Organizational/Environmental considerations Scope and use of the Directory –NOS vs. Extranet –Authentication only vs. complete profiles –Publishing vs. Infrastructure –Is the Directory only for use by IT infrastructure? Implementation considerations –Tree design issues –Access Control –Data sources and synchronization –Directory Management

9. 9 SystemsAdministrators Current Situation ProcessUsers Days / Weeks

10. 10 Desired Architecture SystemsUsers LDAP-Based Directory Real-Time

11. 11 The Digital Persona

12. 12 Factors In Creating The Digital Persona Ownership and collection of data –Security issues –Political issues –Different databases and systems holding information Business Processes –No clear definition of information ownership and flow –Tying together effects on multiple departments Corporate Change –Disruption in IS and other departmental systems –Frequency and scope of change End user involvement –How much end-user involvement do you want or need ? –What information should they own ?

13. 13 Key Questions Where does the information come from ? –Department specific databases and applications Who owns the data ? –IS –Other departments (HR, Facilities, Telco) –Employees and Managers Who manages the data ? –IS wants to manage their own data but not all the data –Other departments want to own their own data but don’t have access to it How is it all automated ? –Manual entry by a few people is simply not possible Where are the savings ? –Infrastructure is not enough, need applications and other uses of data

14. 14 Volume and Complexity of Change Constant change in the user base affects the Directory –Rolling out these new services can place a new load on administrators to keep up with the constant change in the user base Integration with the rest of the enterprise –With the concept of the integrated network, it is no longer possible to have disconnected business processes –The Directory is fundamental and cannot exist in isolation –Requires coordination with HR, Facilities, Telco, etc. Policies cannot be centrally created and managed by a single group –All that IS should do is set policies, and let the different departments take care of what they want to do within those constraints –Need to understand organizational/cost structure to set policies

15. 15 Different Directory Deployments Directories are being used in a number of different (but related) environments –Enterprise –Extranet e-commerce applications –ISP Service Provisioning Extranet Internet ISPs Large Enterprise Customers

16. 16 Enterprise Directory Deployment Single Directory with all user profiles? –Short term, customers are deploying Directories for specific reasons or in conjunction with other systems (like Messaging Servers) Cross-Vendor Directory replication is very important –If there is more than one Directory, then need to synchronize the various systems –Unfortunately, cross-vendor Directory replication does not entirely work Transition will happen over time

17. 17 Extranet/ISP Directory Deployment Extranet/ISP: Access control based on user profiles –Profiles control application use, information, etc. Extranet: Internal vs. External users –Typically not stored in the same Directory as the internal users –Need to rollout self-service to manage support costs ISP: Policy management outside the firewall –Bandwidth control for customers

18. 18 Directory Tree Design How do we create a single Directory structure based on different views of the organization? Network Administrators –“Everyone in a subnet” –“Everyone in a domain” HR –“Everyone in a division” –“Everyone in a cost-accounting group” Facilities –“Everyone in this building” Telecom –“Everyone on a particular switch”

19. 19 Example: Directory Enabled Networking Each DS uses its own tree structure –Some are flexible, and some are not –Different between Active Directory and Netscape Directory Server Policies are setup at the tree level –Can setup overall policies based on organizational unit (ou), or even for specific users Impact of Directory structure –Access control and policy creation can be rendered useless with a flat tree structure –Can find alternate ways of defining membership (dynamic groups, common attributes)

20. 20 Longer-term issues with Directory Servers Infrastructure Issues –Scalability –Replication Same vendor server to server Different vendor server to server –Inter-operability between different servers –“Platform” independence –Security and authentication Certificates, etc. Proxy connections and access control Application Support Issues –Schema design and extension –Directory structure and layout Organizational, Network-oriented, Geographic, Flat –Access control to support a variety of different uses –Transaction support