Directories & LDAP: The NRAO Connection
Seminar "Making use of Directories": Network World, Washington DC
Why: find out about LDAP, MS Active Directory, NDS,
What we found:
is deploying some sort of enterprise-wide (or wider) directory
What can NRAO gain from this technology?
Three-tier: external, meta- (glue), and special purpose (NIS etc).
X.500 past, LDAP present and future
The problem: 187 separate directories for user info, e.g.:
(three: Unix, NT, AS400)
Personnel: RAO #2102 etc.
Fiscal: Purchasing, Payroll, etc.
The Phonebook Database
(Snail) mailing lists, etc.
Synchronization, distributed entry, and related entries are problems.
Meta-directory can "glue" things together; short-term solution, migration tool to more unified environment.
Directories and the Network
Eliminate "stovepipes"; custom, de facto "duct tape" between things (
, mail aliases table, list of web pages, auto-generated mailing lists...)
Concentric circles: data on inside, intranet, extranet, internet
A directory should help facilitate:
Single or near-single sign on;
Manageable PKI (Public Key Infrastructure, if used);
Easy deployment of secure/sensitive applications; give control to the person who has the authority.
"Enterprise" directories, Network OS facilities (NIS/YP) are merging.
Quality of Service: high priority to, e.g. remote observing; low or zero to less important services; routers will be directory-enabled.
Future Possibilities for a Directory Service:
Proposal submission and management
Observer management (!!)
Data Products (e.g., proprietary/public periods for observations)
Allow external users to modify their information without manual intervention by us. Think guests, observers, other NRAO "customers".
Merges info from other, existing directories (NIS, Phonebook, HR, Fiscal)
The "glue" that binds things together; provides
Legacy "directories" ultimately retired as meta-directory subsumes their roles.
Proposed Testbed Deployment: Phone Book
We're already using a poor man's "directory":
is used to generate web page links, dialin modem authentication (800 and CV), and web server redirects automatically, right now.
In principle, this info could be used for mail aliases, then (later) login records for Unix and NT.
Existing Phone Directory flat-text-and-Fortran-programs not strong enough; need a real LDAP directory/server.
Long term goal: Personnel, Fiscal, Payroll, Purchasing?
Ideal: one directory. Realistic: fewer than we have now!
AVOID TURF WARS! Any group that plans a directory deployment HAS to have top-level buy-in from all affected groups in the Observatory, and enough funding to do the job.
LDAP-based directory can provide more functions and future expansion than what we have now, at lower cost (in people's time)
We're headed that way, but
with the right tools yet
If NRAO Computing wants to provide better services to our "Customers" (Observers, Taxpayers, Staff), we need to start planning
An LDAP-based replacement for the phone book database is a good place to start. Think big, but test small.