Seminar "Making use of Directories": Network World, Washington DC
Why: find out about LDAP, MS Active Directory, NDS, etc.
What we found: Everyone is deploying some sort of
enterprise-wide (or wider) directory
What does this mean for NRAO?
Summary
Directory Basics
Three-tier: external, meta- (glue), and special-purpose (NIS, etc.).
X.500 past, LDAP present and future
The problem: 187 separate directories for user info, e.g.:
Computer Account pmurphy (three: Unix, NT, AS400)
Personnel: RAO #2102 etc.
Mail aliases: pmurphy@orangutan
Fiscal: Purchasing, Payroll, etc.
Phonebook!
Library info
(Snail) mailing lists, etc.
Synchronization, distributed entry, and related entries are problems.
Meta-directory can "glue" things together; short-term solution,
migration tool to more unified environment.
Directories and the Network
Eliminate "stovepipes"; custom, de facto "duct tape" between things
(e.g., mail aliases table, list of web pages,
auto-generated mailing lists...)
Concentric circles: data on inside, intranet, extranet, internet
Directories should help facilitate:
Single or near-single sign-on;
Manageable PKI (Public Key Infrastructure, if used);
Easier to deploy secure and sensitive applications; give
control to the person who has the authority.
"Enterprise" directories, Network OS facilities (NIS/YP) are merging.
Quality of Service: high priority to, e.g. remote observing; low or
zero to less important services; routers will be directory-enabled.
Future Possibilities for a Directory Service:
Proposal submission and management
Observer management (!!)
Data Products (e.g., proprietary/public periods for VLA obs.)
Allow external users to modify their information without
manual intervention by us. Think guests, observers, other
NRAO "customers".
Meta-Directories
Merges info from other, existing directories (NIS, Phonebook, HR,
Fiscal)
The "glue" that binds things together; provides Uniform
NameSpace
Legacy "directories" ultimately retired as meta-directory subsumes
their roles.
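
A sketch of the meta-directory "glue" step, added here as an example (not code from the seminar or from NRAO): it joins records from three legacy sources on the login name, reports attributes the sources disagree on, and lists accounts with no personnel record. The base DN, the source order of authority, the phone extension, the name spellings and the guest01 account are constructed assumptions; only pmurphy, 2102 and pmurphy@orangutan come from the slides.

```python
from collections import defaultdict

BASE_DN = "ou=People,dc=example,dc=org"  # constructed namespace

# Constructed exports of three legacy sources, already mapped to LDAP attribute names.
SOURCES = {
    "nis": [{"uid": "pmurphy", "cn": "P. Murphy", "sn": "Murphy"},
            {"uid": "guest01", "cn": "Guest Observer", "sn": "Observer"}],
    "phonebook": [{"uid": "pmurphy", "cn": "Murphy, P.",
                   "mail": "pmurphy@orangutan", "telephoneNumber": "x0000"}],
    "hr": [{"uid": "pmurphy", "employeeNumber": "2102"}],
}
PRIORITY = ["hr", "phonebook", "nis"]  # assumed order of authority


def merge(sources, priority=PRIORITY):
    """Join records on uid; return (entries, conflicts, orphans)."""
    seen = defaultdict(lambda: defaultdict(dict))  # uid -> attr -> {source: value}
    for name, records in sources.items():
        for rec in records:
            for attr, value in rec.items():
                seen[rec["uid"]][attr][name] = value
    entries, conflicts, orphans = {}, [], []
    for uid, attrs in sorted(seen.items()):
        entry = {}
        for attr, by_source in attrs.items():
            if len(set(by_source.values())) > 1:  # sources disagree
                conflicts.append((uid, attr, dict(by_source)))
            winner = next(s for s in priority if s in by_source)
            entry[attr] = by_source[winner]
        entries[uid] = entry
        if "employeeNumber" not in entry:  # login exists, no personnel record
            orphans.append(uid)
    return entries, conflicts, orphans


def to_ldif(entries):
    """Render merged entries under one uniform namespace as LDIF."""
    out = []
    for uid, entry in entries.items():
        out.append(f"dn: uid={uid},{BASE_DN}")
        out.append("objectClass: inetOrgPerson")
        out.extend(f"{a}: {v}" for a, v in sorted(entry.items()))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    merged, disagreements, no_hr = merge(SOURCES)
    print(to_ldif(merged), disagreements, no_hr, sep="\n")
```

Accounts in the third list are the ones to review first: a login that no personnel record vouches for is exactly the synchronization gap described above.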
Proposed Testbed Deployment: Phone Book
We're already using a poor man's "directory": the Phonebook is used
to generate mailing lists, web page links, dialin modem
authentication, and web server redirects automatically, right now.
In principle, this info could be used for mail aliases, then
(later) login records for Unix and NT.
Existing Phone Directory (flat text plus Fortran programs) is not
strong enough; need a real LDAP directory/server.
Long term goal: Personnel, Fiscal, Payroll, Purchasing?
Ideal: one directory. Realistic: fewer than we have now!
AVOID TURF WARS! Any group that plans a directory deployment HAS to
have top-level buy-in from ALL groups in the Observatory, and enough
funding to do the job.
Conclusions
LDAP-based directory can provide more functions and future expansion
than what we have now, at lower cost (in people's time)
We're headed that way, but not with the right tools yet
If NRAO wants to provide better services to our "Customers"
(Observers, Taxpayers), we need to start planning NOW.