Take these steps to achieve an enterprise directory
By Gary Rowe and Daniel Blum

Thanks to broad vendor support for Lightweight Directory Access Protocol (LDAP), it's become a lot easier to create enterprise directories. But it's still not that easy - building an enterprise directory isn't as simple as deploying LDAP-compliant applications and choosing a single directory for them to access. Be prepared for an evolutionary - not revolutionary - process during which you support legacy applications and existing business processes.

Directories of the future will serve as matchmakers between users, machines, applications and the network. The same directory will hold IP addresses issued by Dynamic Host Configuration Protocol servers, user names/passwords and other resources. Directories will know no boundaries and be able to extend outside of the enterprise. For example, Chevron Corp., Exxon Corp. and Texaco are discussing establishing cross-company directories to support inter-oil-company commerce initiatives.

All this sounds good, but how do you go about implementing an enterprise directory? Detailed planning is a must. Start by establishing a cross-functional team including IS, human resources and end users to set your project objectives. Scrupulously inventory your existing directory environment. Your environment and goals will determine whether you should choose Microsoft Corp.'s Active Directory Services (ADS), Novell, Inc.'s Novell Directory Services (NDS) or a third-party metadirectory or network management tool.

Once you've decided on an approach, the work begins. The next steps are defining your enterprise naming tree structure and creating a data model that specifies the attributes for user and resource entries, as well as the authoritative source (the information owner performing updates) for each one. Try to make the core naming structure as simple and stable as possible because the LDAP/X.500 names will soon show up on everything from business cards to network queries to public-key certificates. You don't want the names to be complicated or to need frequent changes.

Settle on a distributed or centralized management strategy for administering the directory based on your corporate culture. If your company is functionally organized with a strong IS department, have IS own the servers and be the authoritative source for logon IDs, e-mail addresses and other network information, but consider giving HR control over user names, telephone numbers, titles and other organizational information. If your company is geographically distributed with autonomous operating units, consider letting each region own its servers and control the updates - as long as everyone stays within the guidelines of an overall enterprise naming strategy and data model.

Finally, integrate the directory design into your enterprise security policy and define access privileges (if any) to the directory for external partners. Make a list of the organizational units (groups of entries) and attributes external partners should be allowed to see, and configure the appropriate access controls into your chosen product. For added security, you may want to locate directory servers that provide external access on a firewall and provide read-only replicas of public information.

The implementation process is complex. Depending on the size and complexity of your environment, as well as the resources you put into planning, it may take anywhere from a few weeks to a year. You may want to get some help. Consider working with your primary network operating system or metadirectory vendor, third-party vendors, systems integrators or consultants.
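
The external-access step described above (list the organizational units and attributes partners may see, then publish a read-only replica of public information) can be sketched as a default-deny export filter. This is an added example, not code from the article or from any directory product; the DNs, attribute names and the `partner_view` helper are constructed for illustration, and DN parsing is simplified (no escaped commas).

```python
# Added example: default-deny export of a public, read-only directory view.
# All names, DNs and values below are constructed for illustration.
PARTNER_VISIBLE_OUS = ["ou=Sales,o=Example Corp", "ou=Support,o=Example Corp"]
PARTNER_VISIBLE_ATTRS = {"cn", "mail", "telephonenumber", "title"}

# Constructed sample entries, as an export of the internal directory might yield them.
ENTRIES = [
    {"dn": "cn=Ann Lee,ou=Sales,o=Example Corp",
     "cn": ["Ann Lee"], "mail": ["ann@example.com"],
     "uid": ["alee"], "userPassword": ["{SSHA}constructed"]},
    {"dn": "cn=Bob Ray,ou=PreSales,o=Example Corp",
     "cn": ["Bob Ray"], "mail": ["bob@example.com"]},
    {"dn": "cn=Cy Wu,ou=Tier2,OU=support,O=Example Corp",
     "cn": ["Cy Wu"], "telephoneNumber": ["+1 555 0100"], "ipHostNumber": ["10.0.0.7"]},
]


def rdns(dn):
    """Split a DN into case-normalized RDNs (simplified: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def under_subtree(dn, base):
    """True if dn is at or below base, compared RDN by RDN (not by substring)."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b


def partner_view(entries, visible_ous, visible_attrs):
    """Return only allowlisted attributes of entries in allowlisted subtrees."""
    view = []
    for entry in entries:
        if not any(under_subtree(entry["dn"], ou) for ou in visible_ous):
            continue  # default deny: subtree is not on the partner list
        public = {"dn": entry["dn"]}
        for attr, values in entry.items():
            if attr.lower() in visible_attrs:  # anything unlisted is dropped
                public[attr] = list(values)
        view.append(public)
    return view


if __name__ == "__main__":
    for e in partner_view(ENTRIES, PARTNER_VISIBLE_OUS, PARTNER_VISIBLE_ATTRS):
        print(e)
```

Because both lists are allowlists, an attribute or organizational unit added to the internal directory later stays out of the external replica until someone explicitly approves it.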