Sun ONE Directory Server 5.2 Deployment Guide



Contents

Purpose of This Guide
Prerequisites
Typographical Conventions
Default Paths and Filenames
Downloading Directory Server Tools
Suggested Reading

Part 1 Directory Server Design



Chapter 1 Directory Server Design and Deployment Overview
Directory Design Overview
Design Process Outline
Directory Deployment Overview


Chapter 2 Planning and Accessing Directory Data
Introduction to Directory Data
What Your Directory Might Include
What Your Directory Should Not Include
Defining Your Directory Needs
Accessing Your Directory Data with DSML over HTTP/SOAP
DSMLv2 Over HTTP/SOAP Deployment
Performing a Site Survey
Identifying the Applications That Use Your Directory
Identify How Applications Will Access Your Directory
Identifying Data Sources
Characterizing Your Directory Data
Determining Directory Availability Requirements
Considering a Data Master Server
Determining Data Ownership
Determining Data Access
Documenting Your Site Survey
Repeating the Site Survey


Chapter 3 Designing the Schema
Sun ONE Directory Server Schema
Schema Design Process Overview
Mapping Your Data to the Default Schema
Viewing the Default Directory Schema
Matching Data to Schema Elements
Customizing the Schema
When to Extend Your Schema
Getting and Assigning Object Identifiers
Naming Attributes and Object Classes
Strategies for Defining New Object Classes
Strategies for Defining New Attributes
Deleting Schema Elements
Creating Custom Schema Files - Best Practices and Pitfalls
Maintaining Data Consistency
Schema Checking
Selecting Consistent Data Formats
Maintaining Consistency in Replicated Schema
Other Schema Resources


Chapter 4 Designing the Directory Tree
Introduction to the Directory Tree
Designing Your Directory Tree
Choosing a Suffix
Creating Your Directory Tree Structure
Naming Entries
Grouping Directory Entries and Managing Attributes
Static and Dynamic Groups
Managed, Filtered, and Nested Roles
Role Enumeration and Role Membership Enumeration
Role Scope
Role Limitations
Deciding Between Groups and Roles
Managing Attributes with Class of Service (CoS)
About CoS
CoS Definition Entries and CoS Template Entries
CoS Priorities
Pointer CoS, Indirect CoS, and Classic CoS
CoS Limitations
Directory Tree Design Examples
Directory Tree for an International Enterprise
Directory Tree for an ISP
Other Directory Tree Resources


Chapter 5 Designing the Directory Topology
Topology Overview
Distributing Your Data
Using Multiple Databases
About Suffixes
About Referrals and Chaining
Using Referrals
Using Chaining
Deciding Between Referrals and Chaining


Chapter 6 Designing the Replication Process
Introduction to Replication
Replication Concepts
Common Replication Scenarios
Single-Master Replication
Multi-Master Replication
Cascading Replication
Mixed Environments
Fractional Replication
Defining a Replication Strategy
Replication Backward Compatibility
Replication Survey
Replication Resource Requirements
Using Replication for High Availability
Using Replication for Local Availability
Using Replication for Load Balancing
Example Replication Strategy for a Small Site
Example Replication Strategy for a Large Site
Replication Strategy for a Large, International Enterprise
Using Replication with Other Directory Features
Replication and Access Control
Replication and Directory Server Plug-Ins
Replication and Chained Suffixes
Schema Replication
Replication and Multiple Password Policies
Replication Monitoring


Chapter 7 Designing a Secure Directory
About Security Threats
Unauthorized Access
Unauthorized Tampering
Denial of Service
Analyzing Your Security Needs
Determining Access Rights
Ensuring Data Privacy and Integrity
Conducting Regular Audits
Example Security Needs Analysis
Overview of Security Methods
Selecting Appropriate Authentication Methods
Anonymous Access
Simple Password
Proxy Authorization
Simple Password Over a Secure Connection
Certificate-Based Client Authentication
SASL-Based Client Authentication
Preventing Authentication by Account Inactivation
Designing Your Password Policies
Password Policy Features
Configuring Your Password Policies
Designing an Account Lockout Policy
Designing Password Policies in a Replicated Environment
Designing Access Control
About the ACI Format
Default ACIs
Deciding How to Set Permissions
Requesting Effective Rights Information
Tips on Using ACIs
ACI Limitations
Securing Connections With SSL
Encrypting Attributes
What is Attribute Encryption?
Attribute Encryption Implementation
Attribute Encryption and Performance
Attribute Encryption Usage Considerations
Grouping Entries Securely
Using Roles Securely
Using CoS Securely
Securing Configuration Information
Other Security Resources


Chapter 8 Monitoring Your Directory
Defining a Monitoring and Event Management Strategy
Directory Server Monitoring Tools
Directory Server Monitoring
Monitoring Directory Server Activity
Monitoring Database Activity
Monitoring Disk Status
Monitoring Replication Activity
Monitoring Indexing Efficiency
Monitoring Security
SNMP Monitoring
About SNMP
SNMP Monitoring in Sun ONE Directory Server

Part 2 Directory Server Deployment Scenario and Reference Architectures



Chapter 9 Banking Deployment Scenario
Business Challenge
Deployment Context and Replication Topology
Deployment Context
Replication Topology
Performance Requirements
User Demands
Hardware Guidelines
Schema, Data, and Directory Information Tree Design
Schema
Data
Directory Information Tree
Security Considerations
Implementation


Chapter 10 Architectural Strategies
Addressing Failure and Recovery
Planning a Backup Strategy
Choosing a Backup Method
Choosing a Restoration Method
Sample Replication Topologies
Single Data Center
Two Data Centers
Three Data Centers
Five Data Centers
Single Data Center Using the Retro Change Log Plug-In


Appendix A Accessing Data Using DSMLv2 Over HTTP/SOAP
An Empty Anonymous DSML "Ping" Request
A DSML Request Issuing a User Binding
A DSML Search Request

Copyright 2003 Sun Microsystems, Inc. All rights reserved.