Deployment Guide
Netscape Directory Server


Contents


About This Guide

Purpose of This Guide

Directory Server Overview

Conventions Used in This Guide

Related Information

Chapter 1   Introduction to Directory Server

What is a Directory Service?

About Global Directory Services

About LDAP

Introduction to Directory Server

Overview of Directory Server Architecture

Overview of the Server Front-End

Server Plug-ins Overview

Overview of the Basic Directory Tree

Directory Server Data Storage

About Directory Entries

Distributing Directory Data

Directory Design Overview

Design Process Outline

Deploying Your Directory

Piloting Your Directory

Putting Your Directory Into Production

Other General Directory Resources

Chapter 2   How to Plan Your Directory Data

Introduction to Directory Data

What Your Directory Might Include

What Your Directory Should Not Include

Defining Your Directory Needs

Performing a Site Survey

Identifying the Applications that Use Your Directory

Identifying Data Sources

Characterizing Your Directory Data

Determining Level of Service

Considering a Data Master

Data Mastering for Replication

Data Mastering Across Multiple Applications

Determining Data Ownership

Determining Data Access

Documenting Your Site Survey

Repeating the Site Survey

Chapter 3   How to Design the Schema

Schema Design Process Overview

Netscape Standard Schema

Schema Format

Standard Attributes

Standard Object Classes

Mapping Your Data to the Default Schema

Viewing the Default Directory Schema

Matching Data to Schema Elements

Customizing the Schema

When to Extend Your Schema

Getting and Assigning Object Identifiers

Naming Attribute and Object Classes

Strategies for Defining New Object Classes

Strategies for Defining New Attributes

Deleting Schema Elements

Creating Custom Schema Files

Custom Schema Best Practices

Maintaining Consistent Schema

Schema Checking

Selecting Consistent Data Formats

Maintaining Consistency in Replicated Schema

Other Schema Resources

Chapter 4   Designing the Directory Tree

Introduction to the Directory Tree

Designing Your Directory Tree

Choosing a Suffix

Suffix Naming Conventions

Naming Multiple Suffixes

Creating Your Directory Tree Structure

Branching Your Directory

Identifying Branch Points

Replication Considerations

Access Control Considerations

Naming Entries

Naming Person Entries

Naming Group Entries

Naming Organization Entries

Naming Other Kinds of Entries

Grouping Directory Entries

About Roles

Deciding Between Roles and Groups

About Class of Service

Directory Tree Design Examples

Directory Tree for an International Enterprise

Directory Tree for an ISP

Virtual Directory Information Tree Views

Overview

Introduction to Virtual DIT Views

Advantages of Using Virtual DIT Views

Example of Virtual DIT Views

Views and Other Directory Features

Effects of Virtual Views On Performance

Compatibility With Existing Applications

Other Directory Tree Resources

Chapter 5   Designing the Directory Topology

Topology Overview

Distributing Your Data

About Using Multiple Databases

About Suffixes

About Knowledge References

Using Referrals

The Structure of an LDAP Referral

About Default Referrals

Smart Referrals

Tips for Designing Smart Referrals

Using Chaining

Deciding Between Referrals and Chaining

Usage Differences

Evaluating Access Controls

Using Indexes to Improve Database Performance

Overview of Directory Index Types

Evaluating the Costs of Indexing

Chapter 6   Designing the Replication Process

Introduction to Replication

Replication Concepts

Unit of Replication

Read-Write Replica/Read-Only Replica

Supplier/Consumer

Change Log

Replication Agreement

Data Consistency

Common Replication Scenarios

Single-Master Replication

Multi-Master Replication

Cascading Replication

Mixed Environments

Defining a Replication Strategy

Replication Survey

Replication Resource Requirements

Using Replication for High Availability

Using Replication for Local Availability

Using Replication for Load Balancing

Example of Network Load Balancing

Example of Load Balancing for Improved Performance

Example Replication Strategy for a Small Site

Example Replication Strategy for a Large Site

Using Replication with other Directory Features

Replication and Access Control

Replication and Directory Server Plug-ins

Replication and Database Links

Schema Replication

Chapter 7   Designing a Secure Directory

About Security Threats

Unauthorized Access

Unauthorized Tampering

Denial of Service

Analyzing Your Security Needs

Determining Access Rights

Ensuring Data Privacy and Integrity

Conducting Regular Audits

Example Security Needs Analysis

Overview of Security Methods

Selecting Appropriate Authentication Methods

Anonymous Access

Simple Password

Certificate-Based Authentication

Simple Password Over TLS

Proxy Authentication

Preventing Authentication by Account Inactivation

Designing a Password Policy

Password Policy Attributes

Password Change After Reset

User-Defined Passwords

Password Expiration

Expiration Warning

Password Syntax Checking

Password Length

Password Minimum Age

Password History

Password Storage Scheme

Designing a Password Policy in a Replicated Environment

Designing an Account Lockout Policy

Designing Access Control

About the ACI Format

Targets

Permissions

Bind Rules

Setting Permissions

The Precedence Rule

Allowing or Denying Access

When to Deny Access

Where to Place Access Control Rules

Using Filtered Access Control Rules

Using ACIs: Some Hints and Tricks

Securing Connections With SSL

Other Security Resources

Chapter 8   Directory Design Examples

An Enterprise

Data Design

Schema Design

Directory Tree Design

Topology Design

Database Topology

Server Topology

Replication Design

Supplier Architecture

Supplier Consumer Architecture

Security Design

Tuning and Optimizations

Operations Decisions

A Multinational Enterprise and its Extranet

Data Design

Schema Design

Directory Tree Design

Topology Design

Database Topology

Server Topology

Replication Design

Supplier Architecture

Security Design

Glossary

Index




© 2001 Sun Microsystems, Inc. Portions copyright 1999, 2002 Netscape Communications Corporation. All rights reserved.


Last Updated August 16, 2002