Directory Services Best Practices

Ed Reed, TechnologistNovell, Inc.

ereed@novell.com

Why Best Practices?

Synchronization

Scalability

Synergy

Security

General

Make effective use of NDS replication for your applications. Don’t try to make it do things it doesn’t do.

Make effective use of namespace design to ensure flexibility and scalability of your applications.

Make your application look like it belongs! Leverage your customer’s investment in training, education, and experience to bring them back for more.

Avoiding surprises for our customers requires planning in our design. Preserving and empowering customer choice will gain us customers in today’s world.

We’re in business to make money, and so are our customers. Our commitment to help customers manage their business is what pays our bills.

Synchronization Suggestions

Velocity of Change< 4 changes / hour per value (approx)store configuration, not state

Capacity for Changeavoid lots of regular changescapacity planning includes

configuration, topology, replica placement, number of copies, bandwidth, cpu, …

the more change expected, the fewer replicas you should expect

Object name changes - they happen!Moves, reorganizations, mergers

Change notification to subordinate resource managers

Consistency of DataTight consistency implies Single

MasterLoose consistency provides better

availability of manageability and data

Directories are designed for fairly static dataStable status information may be ok, if it’s subject to

“flutter”Use SNMP or other protocols to query for real-time status

directly, rather than via directory

Use Transitive Synch in NDS5.0

To tailor the replication topologyAlso, limit the number of replicas of each partitionReplication is just one method to reduce the cost of

availability of data. Use it wisely.

See Data Design / Reuse in Synergy, followingdon’t hard-code names in your applications

Read and cache configuration at startupdon’t poll for changes, register for change notification

Do what makes sense for your applicationdon’t force fit everything to use loose consistencydon’t expect robust, failure resistant systems with single

master - that’s what SFT-III and TPMs are foruse High Confidence bit to force single master behavior

Scalability Enablers

Let the customer define the namespace, if possible

Avoid flat namespacesAvoid huge #s of objects per containerUse Catalog Services to provide flat

viewsUse hierarchy to enable partitioning,

right-sizing local storage, and delegation of authority

Assume a global namespaceDon’t assume anything about what is

in [ROOT]Assume many organizations and

authorities share the same namespace

Place policy near, but below, the organization or organizational unit to which it applies

Naming is more political than scientificDon’t impose your bias on your customer

NDS is tuned for fast lookup and read operationsNewDB will dramatically increase this limitCatalogs server as centralized indexes for search

Failure to plan ahead is guaranteed to hurt you laterLDAP effectively gives us federated namespacesSee the note on Naming, above

Synergy Across Products

Data / Design Re-use:defined schema elements, where

possibledefined relationships, where possible

Create new schema whennew data elements/attributes are

needednew semantics are neededuse auxiliary classes, when available

Use DN syntax to create relationshipsUse Groups & Roles to grant rights

Meansless development time for GUI, Installation, Testmore synergy with existing customer dataless duplicated effort by administratorsless complexity for administratorsfewer things for administrators to rememberfewer errors by administrators

Applications can customize the directory as needed

NDS will maintain relationships between objects, groups, and roles, even if object names change

this is one of the biggest values of NDS over competitors

Security Principles

First, do no harmship secure productslet the customer relax security if they

like

Let the customer decidehow much interoperability with other

vendors they wanthow much trust they have in various

authentication & security tools

Let the customer managewho they trust to do whatdifferentiate policy based on who and

what they trust not all tools are created equal - don’t

make customers treat them as if they were

Let the customer understandsecurity policy information must be

inspect-able & understandableservices behavior must be audit-able

Novell can’t say it’s sorry fast enough if we screw upor empower our customers to be screwed up without

their help

It’s a heterogeneous world out theremany choices brings complexity and chaos

We can help customers manage that complexity

And provide them reason to continue buying from us

General Advice

Design solutions that work out-of-the-box

Easy to installEasy to manageEasy to use

Help the customer develop an intuitionConsistency breeds loyaltyLook-and-feel is an important part of

brand identity and recognition

Use the directory to provide persistent storage and default policy information for services throughout the service instance life-cycle

installationconfigurationstartupin-serviceshutdownde-installation

Technology doesn’t sell, Products sell

Data design, object reuse, relationship reuse, common install, common GUI metaphor, consistent APIs, etc. define Novell in our customer’s eyes

It’s not a transactional database. Don’t try to make it one.There are lots of applications that traditional databases

can’t support. Use the directory for many of them.