Directory Synchronization Two

"John D. Burgher" <jburgh@primenet.com> Wed, 07 June 1995 20:59 UTC

Message-Id: <199506071446.HAA21513@mailhost.primenet.com>
Date: Wed, 07 Jun 1995 07:46:01 -0700
To: osi-ds@cs.ucl.ac.uk
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: "John D. Burgher" <jburgh@primenet.com>
Subject: Directory Synchronization Two

-----BEGIN PGP SIGNED MESSAGE-----

Hey Folks:

	Greetings from Southern Arizona, again!  Thanks to everyone who responded
to my recent request for information.  I obtained some interesting tidbits
and pointers towards other sources.  The purpose of this message is
two-fold: to post a synopsis of the information I've obtained, and to
request feedback regarding these issues and my logic surrounding them.

	I've uncovered five issues relating to Directory Synchronization:  (1)
Organizational Unit (OU) Hierarchy;  (2) User Identity Evolution;  (3) User
Multiple Identity Cross-Leveling;  (4) Directory and Administrative
Directory User Agent (DUA / ADUA) Utilization Procedures; and (5)
Certificate Revocation List / Compromised Key List (CRL / CKL) Procedures.

	1.  The OU Hierarchy Issue involves Organizational Department (OR) leveling
and X.400/X.500 Naming Convention Standard development.  This is a policy
related problem.  I've got to make sure that the OR's System Administrators
utilize appropriate standards when they develop Distinguished Names (DN) for
the users.  As I synchronize the diverse system directories, I'll probably
have to "Re-Do" some of the DNs to make sure that they comply with
X.400/SMTP-based E-Mail address formats.

	2.  The Identity Evolution Issue involves standardization of DN
X.400/SMTP-based E-Mail addresses throughout the ORs.  This is a policy
related problem and it requires close coordination with the Human Relations
folks in my organization.  Employee turnover will require "daily" attention.
The System Administrators must keep up with the personnel changes.
Employees and Supervisors are involved in this problem too.

	3.  The User Multiple Identity Cross-Leveling Issue involves making sure
that "Dual Hat" employees, requiring different rights and privileges based
on their particular roles, get those rights and privileges accordingly.
This involves technical and policy related problems.  The System
Administrators must make sure that the "Dual Hats" obtain specific Login
Scripts with "unique" characteristics for each role.  I've got to make sure
that the "Dual Hats" understand and follow standard procedures, without
abusing their access.  The DUA might be able to handle this problem for me.

	4.  The ADUA Utilization Procedures Issue involves standardizing DN
creation, modification and deletion procedures. This involves technical and
policy related problems too.  Everyone must do everything right the first
time.  The System Administrators must completely understand ADUA
functionality and employees must understand their E-Mail responsibilities.
I guess I'll be developing standard operating procedures for "New" and
"Terminated" employees.  I'll probably make the supervisors responsible for
ensuring that their employees coordinate with the System Administrators.

	5.  The CRL/CKL Procedures Issue involves guaranteeing confidentiality of
"sensitive" information.  Some of my Users deal with "proprietary"
information.  We use asynchronous (public/private) key cryptography.  We're
gonna incorporate X.509 Authentication Framework Certificates to manage our
Public Key Ring.  The System Administrators must issue CRL/CKLs whenever
employees with access leave the organization or lose control of their
Private Key.  Employees and Supervisors are also in this loop and the
distributed directory needs to be updated readily as employee access changes.

	I'd really appreciate critiques of these five issues, suggestions towards
other issues and pointers towards case studies or insightful analysis
regarding "real-world" directory synchronization efforts.  I'll try to keep
you folks posted as to my findings in regards to this critical problem.

Sincerely,

John

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBL9PndjOUYu1NDHppAQE3NgL/aJaL87tuMNDBDiQHuZ9APaQ+lNkmEBYI
nd7HXWv3eT0lHDX47MqK2GFBuzscTOp28IZ4HfOOk98Rn4mVSwmjk5sk4A1YP6Z3
lcLGOqbBHLkZE/9RJpTCu5WgOQ8Uq6da
=Vt9v
-----END PGP SIGNATURE-----
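The reconciliation step behind items 2, 4 and 5 above (Identity Evolution, ADUA create/modify/delete procedures, and CRL issuance on departure), as an added example that is not part of the original post. It treats the HR roster as the source of truth, derives one DN per role so that "Dual Hat" employees hold several, and queues the certificate serials of every DN it deletes for the next CRL; the organization name, DN convention, and all roster and directory data are constructed for illustration.

```python
# Added example, not from the original post. Constructed data throughout.
ORG = "Example Org"  # assumed organization name for the DN convention


def build_dn(cn, ou):
    """Build a DN under one fixed naming convention: one OU per role."""
    return f"cn={cn}, ou={ou}, o={ORG}, c=US"


def reconcile(roster, directory):
    """Return (dns_to_add, dns_to_delete, serials_to_revoke).

    roster:    {cn: [ou, ...]}     current employees and the roles they hold
    directory: {dn: [serial, ...]} DNs currently in the directory with the
               serial numbers of the certificates bound to each DN
    """
    wanted = {build_dn(cn, ou) for cn, ous in roster.items() for ou in ous}
    present = set(directory)
    to_add = sorted(wanted - present)
    to_delete = sorted(present - wanted)
    # A certificate binds a key to a DN, so a DN that disappears (departure
    # or department move) takes every certificate issued to it onto the CRL.
    to_revoke = sorted(s for dn in to_delete for s in directory[dn])
    return to_add, to_delete, to_revoke


# Constructed sample: Baker moved from Sales to Legal, Chen left, Dale was
# hired, and Adams is a "Dual Hat" in both Research and Security.
SAMPLE_ROSTER = {
    "Adams": ["Research", "Security"],
    "Baker": ["Legal"],
    "Dale": ["Sales"],
}
SAMPLE_DIRECTORY = {
    build_dn("Adams", "Research"): ["1001"],
    build_dn("Adams", "Security"): ["1002"],
    build_dn("Baker", "Sales"): ["1003"],
    build_dn("Chen", "Legal"): ["1004", "1005"],
}

if __name__ == "__main__":
    add, delete, revoke = reconcile(SAMPLE_ROSTER, SAMPLE_DIRECTORY)
    print("add:", add)
    print("delete:", delete)
    print("revoke (next CRL):", revoke)
```

Running the reconciliation on the sample adds Baker's new Legal DN and Dale's DN, deletes Baker's old Sales DN and Chen's DN, and queues serials 1003, 1004 and 1005 for the next CRL.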