Directory Synchronization Two
"John D. Burgher" <jburgh@primenet.com> Wed, 07 June 1995 20:59 UTC
Message-Id: <199506071446.HAA21513@mailhost.primenet.com>
Date: Wed, 07 Jun 1995 07:46:01 -0700
To: osi-ds@cs.ucl.ac.uk
From: "John D. Burgher" <jburgh@primenet.com>
Subject: Directory Synchronization Two
Hey Folks:

Greetings from Southern Arizona; Again! Thanks to everyone who responded to my recent request for information. I obtained some interesting tidbits and pointers towards other sources.

The purpose of this message is two-fold; To post a synopsis of the information I've obtained; and To request feedback regarding these issues and my logic surrounding them.

I've uncovered five issues relating to Directory Synchronization:

(1) Organizational Unit (OU) Hierarchy;
(2) User Identity Evolution;
(3) User Multiple Identity Cross-Leveling;
(4) Directory and Administrative Directory User Agent (DUA / ADUA) Utilization Procedures; and
(5) Certificate Revocation List / Compromised Key List (CRL / CKL) Procedures.

1. The OU Hierarchy Issue involves Organizational Department (OR) leveling and X.400/X.500 Naming Convention Standard development. This is a policy related problem. I've got to make sure that the OR's System Administrators utilize appropriate standards when they develop Distinguished Names (DN) for the users. As I synchronize the diverse system directories, I'll probably have to "Re-Do" some of the DNs to make sure that they comply with X.400/SMTP-based E-Mail address formats.

2. The Identity Evolution Issue involves standardization of DN X.400/SMTP-based E-Mail addresses throughout the ORs. This is a policy related problem and it requires close coordination with the Human Relation folks in my organization. Employee turnover will require "daily" attention. The System Administrators must keep up with the personnel changes. Employees and Supervisors are involved in this problem too.

3. The User Multiple Identity Cross-Leveling Issue involves making sure that "Dual Hat" employees, requiring different rights and privileges based on their particular roles, get those rights and privileges accordingly. This involves technical and policy related problems. The System Administrators must make sure that the "Dual Hats" obtain specific Login Scripts with "unique" characteristics for each role. I've got to make sure that the "Dual Hats" understand and follow standard procedures, without abusing their access. The DUA might be able to handle this problem for me.

4. The ADUA Utilization Procedures Issue involves standardizing DN creation, modification and deletion procedures. This involves technical and policy related problems too. Everyone must do everything right the first time. The System Administrators must completely understand ADUA functionality and employees must understand their E-Mail responsibilities. I guess I'll be developing standard operating procedures for "New" and "Terminated" employees. I'll probably make the supervisors responsible for ensuring that their employees coordinate with the System Administrators.

5. The CRL/CKL Procedures Issue involves guaranteeing confidentiality of "sensitive" information. Some of my Users deal with "proprietary" information. We use asynchronous (public/private) key cryptography. We're gonna incorporate X.509 Authentication Framework Certificates to manage our Public Key Ring. The System Administrators must issue CRL/CKLs whenever employees with access leave the organization or lose control of their Private Key. Employees and Supervisors are also in this loop and the distributed directory needs to be updated readily as employee access changes.

I'd really appreciate critiques of these five issues, suggestions towards other issues and pointers towards case studies or insightful analysis regarding "real-world" directory synchronization efforts. I'll try to keep you folks posted as to my findings in regards to this critical problem.

Sincerely;
John
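The "New"/"Terminated" employee procedure from issue 4 and the CRL trigger from issue 5 can be reduced to one reconciliation step: diff the HR roster against the directory, delete entries HR no longer knows, and queue the certificate serials of the deleted entries for revocation. The following is an added example, not code from the original post; the organisation name, the DN naming convention (cn=<given>.<surname>,ou=<dept>,o=<org>) and the sample records are all constructed assumptions.

```python
# Added example: reconcile an HR roster against a directory and derive
# the entries to add, the entries to delete, and the certificate serials
# that must go on the CRL. All data below is constructed, not real.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ORG = "o=ExampleOrg"  # assumed organisation RDN, not from the post


@dataclass(frozen=True)
class Employee:
    given: str
    surname: str
    dept: str                            # the Organizational Unit (OU)
    cert_serial: Optional[str] = None    # X.509 serial, if a cert was issued


def distinguished_name(e: Employee) -> str:
    """Build the DN under one fixed (assumed) naming convention."""
    cn = f"{e.given}.{e.surname}".lower()
    return f"cn={cn},ou={e.dept.lower()},{ORG}"


def reconcile(hr_roster: List[Employee],
              directory: List[Employee]) -> Tuple[List[str], List[str], List[str]]:
    """Return (dns_to_add, dns_to_delete, cert_serials_to_revoke).

    A DN present in HR but not in the directory is a 'New' employee.
    A DN present in the directory but not in HR is 'Terminated': the
    entry is deleted and any certificate it holds is queued for the CRL,
    so access and trust are withdrawn in the same step.
    """
    hr = {distinguished_name(e): e for e in hr_roster}
    dirmap = {distinguished_name(e): e for e in directory}
    to_add = sorted(set(hr) - set(dirmap))
    to_delete = sorted(set(dirmap) - set(hr))
    to_revoke = sorted(dirmap[dn].cert_serial for dn in to_delete
                       if dirmap[dn].cert_serial)
    return to_add, to_delete, to_revoke


# Constructed sample data: Bob is new, Carl has left the organisation.
HR_ROSTER = [Employee("Ann", "Lee", "Finance"), Employee("Bob", "Ruiz", "Ops")]
DIRECTORY = [Employee("Ann", "Lee", "Finance", cert_serial="0x1A"),
             Employee("Carl", "Ng", "Ops", cert_serial="0x2B")]

if __name__ == "__main__":
    add, delete, revoke = reconcile(HR_ROSTER, DIRECTORY)
    print("add:", add, "delete:", delete, "revoke:", revoke)
```

Note that a "Dual Hat" employee from issue 3 would collapse to a single DN under this convention, so role-specific entries need a further RDN component or attribute before this diff is safe for them.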