Directory Design & Operations at Princeton University

Common Solutions Group, Directory Service/Schema Design Workshop, May 12, 1999. Michael R. Gettes, Collaboration Services Group (CSG), Enterprise Services Directorate, CIT. 15 slides.

Transcript of Directory Design & Operations at Princeton University

Page 1: Directory Design & Operations at Princeton University

May 12, 1999 Common Solutions Group, DS Workshop

Directory Design & Operations at Princeton University

Michael R. Gettes
Collaboration Services Group (CSG)
Enterprise Services Directorate, CIT

Common Solutions Group
Directory Service/Schema Design Workshop
May, 1999

Page 2: Problems to solve

- Multiple Name Spaces
- Operational Data vs. Phonebook
- Modern Apps Directory Enabled
- Schema Design and Data Mapping
- Proper Schema Usage vs. Reality
- Operations: Replication, Access, Application Reqs, Performance, Etc.

Page 3: Multiple Name Spaces

- Unix, Novell, NT, VM/MVS, E-Mail/Lists
- Need to unify the name space before really being able to leverage a central directory
- Unified 3/99; took 4 months to do
  - Includes 2100 ListProc list addresses
- LDAP went "production" 3/98, installed 6/97
- Now looking at central userid mgmt with LDAP instead of homegrown glue.

Page 4: Operational vs. View Only

- Operational
  - E-mail access & routing, Web auth, proxy svcs, certificates - a wee bit
- View Only
  - CSO before, CSO2LDAP now
- View Only - NOT
  - No rules, no control
  - Fight the Future?

Page 5: Schema Design @ Princeton

- Keep CSO attributes alive, how far?
- Use what popular apps expect
  - Netscape, IE/Outlook
- Make LDAP-enabled apps work
  - Netscape Messaging Server only, at the time
- NIS & NT user management? These schemas are not well defined. Sun v. padl
- How did we do? Quite well, of course!

Page 6: Schema Design @ Princeton

- Proper Schema vs. Reality
  - E-mail routing (Sendmail) vs. NSMS
    - attribute function overload
  - objectclass: puPerson (superior is inetorgperson)
  - like, can you relate?
    - universityid/ref to solve multi-ids
  - Tracking: Why a DN exists, who did last

Page 7: Schema Design @ Princeton

- Princeton attributes defined to Netscape Directory Server
- Netscape Search and Sample LDIF
- What's in a DN?
  - cn=name (addr),o=,c=
    - no OU! But ou defined. Multiple locations?
- DN's are just that, not to be parsed.
  - Wouldn't that be nice?
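As an added example (not from the slides), a minimal RFC 2253 RDN splitter showing what "parsing" a DN of the form above actually requires once names contain commas or parentheses; the sample DN in the docstring is constructed.

```python
"""Splitting a Distinguished Name into RDNs per RFC 2253.

Added example, not part of the original slides. A DN like
"cn=Gettes\\, Michael (mrg),o=Princeton University,c=US" (constructed)
cannot be split on ',' naively: the escaped comma in the cn value is data.
Multi-valued RDNs ('+') are not handled; the slides' DNs do not use them.
"""

SPECIALS = ',=+<>#;"\\ '          # characters RFC 2253 allows as "\x"
HEX = "0123456789abcdefABCDEF"


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Return [(attribute, value), ...] left-to-right, with escapes decoded."""
    pairs: list[tuple[str, str]] = []
    attr, value, in_value, i = "", bytearray(), False, 0

    def flush() -> None:
        nonlocal attr, value, in_value
        if not in_value:
            raise ValueError(f"RDN without '=': {attr!r}")
        pairs.append((attr.strip().lower(), value.decode("utf-8")))
        attr, value, in_value = "", bytearray(), False

    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and in_value and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in SPECIALS:            # "\," is a literal comma, not a separator
                value += nxt.encode()
                i += 2
                continue
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):  # "\2C" style byte
                value.append(int(pair, 16))
                i += 3
                continue
        if ch == ",":                      # unescaped comma ends the RDN
            flush()
        elif ch == "=" and not in_value:   # first '=' separates type from value
            in_value = True
        elif in_value:
            value += ch.encode("utf-8")
        else:
            attr += ch
        i += 1
    flush()
    return pairs
```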

Page 8: Resources

- Michael Gettes and Lee Varian
  - little if any interaction with others given data control sensitivities; most issues worked out previously because Lee generated the printed campus phonebook, permission not needed.
- no $$, no formal plan, no new policy
  - Almost invisible, therefore successful

Page 9: Operations

- Mainframe (VM/CMS) bulk mgmt
- 1 supplier + 3 consumers
- Last user-visible failure - CSG 1/99
- Netscape DS 3.12 Solaris
- PerLDAP scripting very powerful
  - All ops on-line, NO DOWNTIME!!!
- Web interface to LDAP https://directory.Princeton.EDU

FOR MORE INFO...

Page 10: Operations: NSMS & Sendmail

- E-Mail Replica
  - pbind to single cpu, nice to high priority
  - 4000 ops per minute - NSMS inefficient
  - 100MB memory cache for 9000 users
  - Failover works for online repairs
  - Replica Monitoring and Notification
- NSDIRSECUG Mailing List: [email protected]

FOR MORE INFO...

Page 11: Operations: General

- 28,000 DNs - 80MB DB, 22MB ldif
- Communicator configured for multiple servers
- Backups - On-line LDIF dumps 1/hr
  - no good solution for backing up LDAP
- Few Directory Managers (5)
- Help Desk has some privs for quick support to users - access lists

Page 12: Operations: General

- Access Lists
  - What can users change?
  - What do Dir Mgrs change?
  - Audit
- Limits
  - 500 max entries returned (not dumper)
  - near 0 look-through limit (values that have '*' in them cause problems).
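An added example, not from the slides: escaping filter assertion values per RFC 4515 so that a literal '*' in a stored value is matched as an equality rather than turned into a substring scan that trips a tight look-through limit (the same escaping is what stops LDAP filter injection from user-supplied input). The list name is a constructed sample.

```python
"""Escaping LDAP search-filter assertion values (RFC 4515).

Added example, not part of the original slides. An unescaped '*' inside a
value makes the server treat (cn=cs-*-announce) as a substring filter, which
must look through many candidate entries and is exactly what a near-zero
look-through limit rejects; it is also the classic LDAP-injection vector.
"""

# RFC 4515 section 3: these characters must be hex-escaped inside a value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so every character is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attr: str, value: str) -> str:
    """Build (attr=value) from untrusted input; it can never become a substring
    filter or gain extra clauses, because '*', '(' and ')' are escaped."""
    return f"({attr}={escape_filter_value(value)})"


def has_unescaped_wildcard(filter_str: str) -> bool:
    """True if the filter contains a '*' the server will treat as a wildcard.
    In a correctly escaped filter a raw backslash never appears, so any '*'
    not immediately preceded by '\\' is a real wildcard."""
    prev = ""
    for ch in filter_str:
        if ch == "*" and prev != "\\":
            return True
        prev = ch
    return False


if __name__ == "__main__":
    list_name = "cs-*-announce"            # constructed value with a literal '*'
    naive = f"(cn={list_name})"            # substring match: look-through heavy
    safe = equality_filter("cn", list_name)  # indexed equality match
    print(naive, has_unescaped_wildcard(naive))
    print(safe, has_unescaped_wildcard(safe))
```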

Page 13: Operations: Mailing Lists

- 2100 Listproc lists defined to LDAP for sendmail routing, automatically
- Sendmail routes using a DN which can see the lists
- Would like to have Listproc keep list subscribers or obtain lists from group definitions in LDAP (merged groups).

Page 14: Operations: Sendmail 8.9.3/8.10

- Based on work by Stanford
- Princeton extended support for looking up multiple attrs and returning multiple addresses.
- Princeton changes available in 8.10
- May 4, 1999: Moved all .forward files into LDAP, implementation by
  - Curt Hillegas <[email protected]>

Page 15: Online Demo: IF Possible

- Https://directory.Princeton.EDU
- Manage Mail Account
- Replica Monitoring
- Kerberos Backend Authentication
  - let the firestorm begin!