
e-Directories
Enterprise Software, Solutions, and Services
Daniel House, Timothy Hahn, Louis E. Mauget, Richard Daugherty
Summary
The authors share their insights and give a detailed description of the nuts and bolts of directory services structure and function. In addition, the book presents case studies that illustrate how directory services provide solutions to enterprise challenges. Extensive appendices provide comprehensive references to leading APIs and protocols.
The resource-packed CD-ROM includes the book online; example programs with source code; complete working versions of the IBM SecureWay® LDAP Directory Server for Windows®; LDAP SDKs for Windows, Solaris™, and AIX; and a multi-platform JNDI client SDK. The CD-ROM also contains complete versions of useful Redbooks from IBM Engineers and live URLs that can take you to the latest technical information.
Clear explanations, practical techniques, and a valuable CD-ROM make this book your ultimate resource on Directory Services and how they relate to enterprise class software.
Table of Contents
Preface xxi
Acknowledgments xxvii
About the Authors xxix
Introduction xxxi
Part 1 You Are Here 1
Chapter 1 Introduction to the Problem 3
A User-Oriented View 3
Over and Over 4
Data Sharing and Manipulation 5
A System View 5
Location, Location, Location 5
Administering to the Masses 6
A Unifying Force 7
Identity 8
Enterprise Characteristics 8
Bringing the Views Together with LDAP 9
Lightweight Directory Access Protocol 9
What, Exactly, Is a Directory? 10
Where to Find Code 11
Summary 11
Chapter 2 What Directories Are and Are Not 13
Directory Gestalt 13
Server and Service 13
The Importance of RASSS 14
What Directories Do 15
Functional Characteristics of a Directory Service 16
What a Directory Is Not 16
Remember ACID? 16
Not Quite Nirvana 17
Loose Consistency 17
A Definition Can't Be Wrong--by Definition 18
Good, Bad, and Ugly Data 18
A Brief Code Example 20
Summary 21
Chapter 3 Directories Are Everywhere 23
Directory Forms 23
System Directories 23
Phone Book Directories 24
Application Directories 26
User-Oriented Directories 27
Personal and Mail Systems 27
Operating Systems 29
Networks 31
Generic Directories 32
Corporate Directories 33
Human Resources Information 33
Future Demands 34
Distributed Administration 34
Policy-Based Administration 34
Consistent User Interface 34
Skills Portability 35
Summary 35
Chapter 4 Directories: Bone Yard to Nursery 37
Early Standardization 37
SNA Host Names and Logical Units 37
Domain Name Service 37
Distributed Computing Environment Cell Directory Services 40
LAN Managers 41
X.500 42
Standards Today 43
X.500 44
Domain Name Service 44
Lightweight Directory Access Protocol 46
Summary 48
Part 2 Enterprise Software with Directories 51
Chapter 5 Man-Rated, Enterprise-Rated, Good-Enough, and Don't-Care 53
Four Classes of Usage 53
How Much Software Is Written and at What Cost? 54
Examples of the Four Usage Classes 55
Cost 56
Directory Exploitation 58
A One-Line Quiz 59
Example Program 61
Summary 65
Chapter 6 The Operating System and the Directory 67
The Role of the Operating System 67
Usage Ratings 68
Usage Rating of the Operating System 68
Usage Rating of the Directory Service 68
Directory Service Users 69
Compensating for Low Usage Rating 70
Fault Tolerance, Redundancy, and Graceful Fail-Over with Takeover 70
Summary 73
Chapter 7 Directory Users 75
People 75
White Pages and Yellow Pages Lookups 75
Operating Systems 77
Users and Groups 77
Hardware Configuration 78
Networks 80
Applications 81
Configuration 82
Location 82
Users and Groups 83
Summary 84
Chapter 8 The Evolution of Application Models 85
Enterprise Application Models 85
Monolithic Applications 85
Client-Server Applications 86
Thick Client Applications 86
Thin Client Applications 87
Tiered Applications 88
Client-Server Glue Technologies 90
Transactions 90
Message-Oriented Middleware 90
Boss-Worker Thread Model 91
Managed Components 92
Applications on Symmetric Multiple Processors 93
Clustering 93
Workload Balancing 93
Fail-Over Clusters 93
Summary 94
Chapter 9 Availability 95
24 × 7 and 24 × 365 95
Servers and Services 96
High Availability 97
Robust Server Code 97
Redundant Servers 99
Low Availability 100
Improving Application Availability 102
Advertising and Finding Services 103
Beyond Location Information 105
Summary 106
Chapter 10 Scaling 107
Scalability 107
Planning Ahead 109
Approaches to Scaling 110
Single-System Scaling 110
Multiple-System Scaling 114
Directories and Scalability 115
Summary 115
Chapter 11 Performance 117
Performance and Performance Measurement 117
Gating Factors 118
Processor Usage 118
Input/Output Usage and Constraints 120
Network Bandwidth, Latency, and Timing Fluctuations 121
Poor Performance 122
Summary 123
Chapter 12 Security 125
Policy and Risks 125
Application Development and Maintenance as a Source of Ongoing Risk 127
Controlling Access Based on Organization Responsibilities 128
The Audit 131
Summary 132
Chapter 13 Life Cycle Control 133
Serviceability and Maintainability 133
Controlling Downtime 134
Real-Time Event Logging with First Failure Data Capture 134
Failing a Request Versus Failing the Server Application 136
Directory Redundancy 139
Periodic Maintenance 140
Backups and Directories 140
Planning for the Next Release 141
Carrying Out an Upgrade 141
Installing a New Server in Place 142
Streaming Data to a File 143
Applying the Life Cycle Lessons 143
Client and Server Changes 144
Availability 145
Summary 145
Chapter 14 Directories Grow Up 147
Predicting the Future 148
Integration with the Operating System 148
Transactional "Flavors" 148
Storing Large Objects 150
Dynamic and Easy Partitioning 150
Hot Spot Management Through Dynamic Replica Creation 151
Better Multivendor Interoperability 151
XML and DSML 152
Improved Administration 153
Monitoring Tools 153
Identity Store 154
Device Management 154
ACID RASSS Everywhere 155
Summary 155
Part 3 Directory Infrastructure 157
Chapter 15 Fundamental Enterprise Directory Services Management 159
The Political Dimension 159
Managing Directories 160
Enterprise Data Storage 161
Organizing Directory Data for Performance 161
Structuring the Directory Data 162
Who Puts Data in the Directory Versus Who Gets Data Out? 163
Categorizing Directory Data 163
Enterprise Data Retrieval 163
White Pages Retrieval--If It's That Easy, There Must be a Catch 164
Yellow Pages Retrieval--An Even Bigger Catch 166
Is LDAP Deficient? 168
Enterprise Data Operations and Management 168
The Enterprise Locator Service 169
Directory Management as Part of the Bigger Picture 170
Summary 171
Chapter 16 Schema 173
The Aspects of Directory Service 173
The Function of Schema 174
What Things Are 174
Where Things Reside 175
What Is Mandatory and What Is Optional 176
The Role of Schema 177
Performance 177
Usability 178
Extensibility 179
Administration 179
Schema in LDAP 180
X.500 180
Syntaxes 181
Matching Rules 183
Attribute Types 184
Object Classes 186
Schema Check 187
Object Class Hierarchy 188
Directory Information Tree 189
Schema in LDAP 190
Other Characteristics 192
DIT Structure Rules 192
Naming Constraints 192
Name Space Layout 193
ASN.1 (X.208) and X.501 194
Summary 195
Chapter 17 Building a Schema 197
Custom Schemas 197
Why There Are So Many Schemas 197
Custom Schema 198
Designing Custom Schema 198
Defining the Data Model 199
Exploiting the Hierarchical Name Space 200
Defining a Package 202
Defining Object Classes 204
Defining Attribute Types 206
Creating DN-Pointers 209
Defining Functional Characteristics 209
Business Issues Impacting Structure 210
Using the Base Schema 211
Installing a Custom Schema 211
Updating a Schema Using LDAP Version 3 212
Updating a Schema Using LDIF Format 212
Other Schema Definition Formats 215
Summary 215
Chapter 18 Directory Security 217
User Identification and Authentication 217
Controlling Access to Directory Entries 220
Data Confidentiality and Data Integrity 222
Security Management and Administration 223
Summary 223
Chapter 19 Replication and Partitioning 225
Replication 226
How Replication Works 226
Application-Level Problems Caused by Replication 228
Replication Versus Caching 228
Dealing with Temporal Consistency 229
Partitioning 233
Partitioning for Performance 234
Partitioning for Management 235
Application-Level Problems Caused by Partitioning 235
Referrals 236
Drawbacks of Referrals 237
Chaining 238
Putting Replication and Partitioning Together 238
Business Issues Drive Replication and Partitioning 239
Summary 239
Chapter 20 Synchronization and Metadirectories 241
Replication 241
Synchronization 243
Access Control Problems 246
Schema Mapping Problems 246
Replication Problems 247
Metadirectories 249
Summary 250
Chapter 21 APIs and Protocols 253
Differences between APIs and Protocols 253
Protocol 254
Programming Interface 255
Origins of Directory Protocols and Programming Interfaces 257
Novell Directory Service (NDS) and Network Core Protocols (NCPs) 257
Distributed Computing Environment (DCE) and Cell Directory Services (CDS) 258
X.500 and Directory Access Protocol (DAP) 259
Popular Directory Protocols 259
LDAP 260
Domain Name Service (DNS) 260
Novell Directory Access Protocol 260
COSNaming over IIOP 260
Popular Directory Programming Interfaces 261
LDAP C 261
JDAP 262
PerLDAP 263
Novell Development Kit (NDK) 263
COSNaming 265
JNDI 265
Active Directory Service Interface (ADSI) 266
Summary 267
Chapter 22 Directory Implementations 269
Commercial Implementations 269
IBM SecureWay Directory 269
Novell Directory Services (NDS) 269
Netscape Directory Server 270
Microsoft Active Directory 270
Lotus Domino Name and Address Book 271
Banyan Vines 271
An Open Source Implementation 271
Specialized Implementations 272
Domain Name Service (DNS) 272
Service Location Protocol (SLP) 273
Summary 273
Part 4 Internet and Intranet Case Studies 275
Chapter 23 Roaming Users with LDAP 277
How Directories Enable Roaming 277
Description of the Roaming Problem 278
The Sales Application (TSA) 280
Schema 281
TSA Schema Class Objects 281
TSA Schema Attributes 282
The Directory Information Table 283
Updating the Schema 285
Directory Vendor Differences 285
Other Schema Issues 286
Directory Structure 286
How TSA Works 287
Write Activity 289
Write Collisions 289
What TSA Looks Like 290
Warning! 290
Critique of the Example 291
Summary 292
Chapter 24 Corporate Employee Directory 293
The Purpose of a Corporate Employee Directory 293
Use Cases for the Corporate Directory 294
Data Model 295
Object Classes 295
Attribute Types 296
Name Space Layout 297
Accessing the Corporate Directory 299
Looking Up People 299
Looking Up a Chain of Command 300
Adding a Distribution List 301
Modifying a Distribution List 302
Deleting a Distribution List 302
Managing Information in the Corporate Directory 303
Adding Employee Information 304
Modifying Employee Information 304
Deleting Employee Information 304
Handling Employee Transfers 305
Handling Company Reorganization 308
Sample Code 308
Using the Corporate Directory from E-Mail Systems 309
Critique of the Solution 309
Summary 310
Chapter 25 Personalization of the Internet 311
The Customer Access and Update 311
The Web Self-Help (WSH) Site 312
Schema 312
Directory Infrastructure 313
How the Web Self-Help Application Works 315
Critique of the Solution 318
Summary 319
Chapter 26 Application Management 321
The Application Management Problem 321
The Purpose of the Application Management 322
The Directory 323
Directory-Enabling the Server 324
Directory-Enabling the Client 326
Schema 327
Critique of the Solution 328
Reliability 330
Availability 330
Serviceability 331
Scalability 331
Security 331
Summary 332
Chapter 27 Internet and Intranet Single-Sign 333
Internet and Intranet Users 333
The Single Sign-On Solution 335
The Directory Solution 336
Summary 337
Chapter 28 Configuration Management of a Web Farm 339
The Web Farm Problem 339
Web Farm Design 340
Adding Servers 343
Managing the Web Farm 344
Implementing the Web Farm 344
Management Objectives 347
Centralized Control of the Constituent Servers 348
Transparent Replication of Content Updates 349
Web Service Advertising: Mapping of DNS to Correct IP Addresses 349
Performance Monitoring 349
Crisis Notifications 350
Hot-Plugging and Removing Servers 350
Backup and Restoration of Backing Store Without Service Interruption 350
Migrating Individual Boxes 351
Schema 351
The Directory Infrastructure 351
Directory Configuration 352
Critique of the Solution 353
Reliability 353
Availability 353
Serviceability 354
Scalability 354
Security 354
Limitations 354
Summary 355
Chapter 29 Metadirectory 357
The PMW Metadirectory Problem 357
The Move to E-Business 357
Round 1--The Answer Is the Web. What's the question? 358
Round 2--The Answer Is Directory Architecture. What's the Question? 360
Round 3--Maybe I Should Understand the Question First 363
Round 4--Metadirectory 364
Summary 367
Part 5 Appendices, Annotated Bibliography, and Glossary 369
Appendix A LDAP C API 371
LDAP 371
The Directory Data Model 372
The LDAP C API 374
LDAP Initialization and Termination 374
Getting an LDAP Handle 375
LDAP Results 376
LDAP Bind 377
LDAP Search and Compare 377
LDAP Add, Modify, and Delete 379
LDAP Modify Name 381
The LDAPConnection C++ Class 381
Summary 382
Appendix B JNDI API 383
Using JNDI to Access LDAP Directories 383
JNDI Initialization and Termination 384
Getting an LDAP DirContext 385
JNDI Results 385
JNDI Bind 386
JNDI Search and Compare 387
JNDI Add, Modify, and Delete 389
JNDI Modify Name 390
Summary 391
Appendix C ADSI 393
Using ADSI 395
ADSI and C/C++ 395
For More Information and Samples 396
Appendix D Web APIs and Protocols 397
Projecting Static Brochures to Clients 397
Web Protocols 399
Web Client APIs 400
Client-Side Scripting 400
Java Applets 401
ActiveX Controls 402
Dynamic HTML with Cascading Style Sheets 403
Web Server APIs 404
Common Gateway Interface 404
Improving CGI 405
Session State 406
Transactions 408
Server-Side Components 408
Security 411
Appendix E Generic Security Services (GSS-API) and System Security Provider Interfaces (SSPI) 413
General Helper Functions 414
Mechanism/Package Management 414
Buffer Management 414
Name Management Functions 415
Object Identifier Helper Functions 415
Other Functions 416
Credential Management Functions 416
Context Management Functions 417
Message Protection Functions 420
Appendix F Access Control Summaries 421
IBM SecureWay Directory Access Control 421
Users and Groups in Access Control Lists 421
Structure of an Access Control List 422
Evaluation Algorithm for an Access Check 423
Creating a New Object 423
Common Problems and Solutions 423
Microsoft Active Directory Access Control 424
Users and Groups in Access Control Lists 424
Structure of an Access Control List 424
Evaluation Algorithm for an Access Check 426
Creating a New Object 426
Common Problems and Solutions 426
Netscape Directory Access Control 427
Users and Groups in Access Control Lists 427
Structure of an Access Control List 427
Evaluation Algorithm for an Access Check 429
Common Problems and Solutions 429
Appendix G IBM Standard Schema 431
Standard Directory Information Tree (DIT) 431
Standard Objects 431
Attributes 432
Syntaxes 432
Appendix H Directory Standards and Other References 435
IETF RFCs 435
IETF Drafts 440
Other IETF Documents 443
Other Standards 444
Vendor Information 444
Appendix I Useful Attribute Types and Object Classes 447
Appendix J Using the CD 461
CD Contents 461
Using the CD 462
Startup.exe 463
Browser Versions, Executable Programs, and File Formats 463
Executable Programs and Your Operating System 463
Sample Programs 464
Requirements for Running the Samples 464
Program Environment 464
Glossary 467
Annotated Bibliography 477
Index 483
About the author - Daniel House
Daniel House is a Senior Technical Staff Member at IBM in Research Triangle Park, NC. He has worked for IBM in such diverse areas as large systems hardware and software, distributed computing, transaction processing, application development tools, operating system design, and Microsoft Windows 2000 technologies. He holds seven U.S. patents and is a member of ACM and IEEE.
About the author - Timothy Hahn
Timothy Hahn is a Senior Technical Staff Member at IBM responsible for strategy, architecture, design, and development of Directory Services on OS/390. He has worked on many projects within IBM, including Distributed Computing Environment (DCE) services, security services, and most recently, Directory Services and LDAP.
About the author - Louis E. Mauget
Louis E. Mauget is a Senior Consultant mentoring clients in designing server-based Java solutions and creating J2EE development courses. He has authored two other books and numerous articles on software development.
About the author - Richard Daugherty
Richard Daugherty is a Senior Software Engineer at IBM. He has worked as a developer, architect, and security specialist in various product groups within IBM, including large system operating systems, networking architecture, and the Windows NT/2000 system manager group. Rich also spent two years in the IBM Security Consulting Practice, leading security projects ranging from Enterprise Internet Policy to Intrusion Testing.
Technical specifications
PAPER | |
Publisher(s) | Addison Wesley |
Author(s) | Daniel House, Timothy Hahn, Louis E. Mauget, Richard Daugherty |
Publication date | 01/08/2000 |
Number of pages | 502 |
Format | 18,5 x 23,5 |
Cover | Paperback |
Weight | 842g |
Interior | Black and white |
EAN13 | 9780201700398 |