Directory Service and Synchronization Techniques

Stephen L. Arnold, Ph.D.

President, Arnold Consulting, Inc.

Presented 3 November 1997 at the DECUS U.S. Chapter Symposium in Anaheim, as Session MM005.

Abstract

Most mail systems have some kind of directory services. If we only had one mail system in an organization, we wouldn't need this session. Problem is, we're all struggling trying to maintain what we have now while either piloting or migrating to something new. The only way to achieve continuity in service in this state of flux is by developing a central naming standard and using directory services. This session describes one such naming standard and how that standard was implemented using Innosoft's PMDF product.

Unless we get all of our mail systems to use the same directory service, we are faced with maintenance of multiple directories with similar information. This session reviews the techniques used to synchronize DDS, PMDF, and MS Exchange directories in one particular company's environment.

[Title and abstract by Donald Borsay, Allendale Mutual Insurance Company]

Speaker

Dr. Stephen L. Arnold is an independent consultant with over 14 years of networking experience on OpenVMS, UNIX, and IBM mainframe and midrange systems. Steve specializes in internetworking, electronic mail, and directory services.

Marching Orders!

Management has tasked you to develop organization-wide mail directory services with these characteristics:

• Works for all client platforms
• Uses natural names for people
• High performance
• Transparent to users and applications
• Supports your connection to the Internet

Note: Since you are connected to the Internet, you can't use the seductive but impractical "same software for every user" strategy.

Native Electronic Mail Addresses

Used for addressing mail within a message handling system

Example: My DECUServe mailbox:

• VMSmail: EISNER::ARNOLD
• MAILbus: ARNOLD@ AM @ EISNER
• Internet: Arnold@Eisner.DECUS.Org
• (Hypothetical) X.400: Country=US; ADMD=MCI; PRMD=DIGITAL; ORG=DECUS; Surname=Arnold; Givenname=Stephen; Initial=L
• (Hypothetical) cc:Mail:
  Stephen L Arnold at DECUServe

Used for addressing mail between messaging handling systems

These depend on both the gateway and the user agent!

• Internet in MAILbus:
  Stephen.L.Arnold@ Arnold.Com @ PMDF @ TOPAZ
• Internet in cc:Mail:
  Arnold@Eisner.DECUS.Org at Internet
• Internet in VMSmail:
  IN%"Arnold@Eisner.DECUS.Org"
• X.400 in Internet:
  /C=US/A=MCI/P=DIGITAL/O=DECUS /S=Arnold/G=Stephen/@MCIMail.Com
• X.400 in Internet in VMSmail!
  IN%"/C=US/A=MCI/P=DIGITAL/O=DECUS /S=Arnold/G=Stephen/@MCIMail.Com"

Directory synchronization is frequently used to hide gateway addresses from mail users.

Canonical (Internet) Addresses

There is no universally-used directory for the Internet! Instead, we use names for mailboxes.

For my work mailbox:

Stephen.L.Arnold@Arnold.Com

• Supports mail systems with no directories, for example Internet, VMSmail
• Format is conformant with RFC 1327
• Mapping rules determine corresponding X.400 address
• Conversion between SMTP and X.400 forms is automatic at RFC 1327 gateways, e.g., Country=US; ADMD=MCI; PRMD=ARNOLD; Surname=Arnold; Givenname=Stephen; Initial=L
• Supports apostrophe (S=O'Brian) and hyphen (S=Hardcastle-Kille)

When this convention is implemented across organizational units or mail platforms, it is often called central naming. Names and the corresponding Internet native or gateway mail addresses must be gathered on a mail hub (or backbone), which is responsible for routing mail.

Example Directory Environment

Using ALL-IN-1 and Digital's Distributed Directory Service (DDS), Microsoft Exchange, and an Internet connection; we would like to meet objectives with directory synchronization, maintaining:

• Exchange users in the DDS
• ALL-IN-1 users in the Exchange directory
• Internet alias and reverse entries for Exchange users
• Internet alias and reverse entries for ALL-IN-1 users

Three mail communities could require six directory exchanges. We have four, because all Internet users cannot be loaded into our directories!

Each "directory exchange" has three steps:

1. Dump source to export format
2. Clean up and massage to destination import format
3. Load destination from import format

How many exchanges are needed if we add Lotus Notes?

Directory Synchronization Tactics

For each directory source:

1. Dump the new source data to an interchange format.
2. Perform any needed cleanup or transformation.
3. For each other directory destination, either:
   • Dump the old source data from the destination directory to interchange format.
   • Compute the deltas to get from old data to the new data.
   • Apply the deltas to the destination directory.
   
   Or:
   • Delete the old source data from the destination directory.
   • Load the new source data into the destination directory.

   Note: Steps 1-3 represent an outer loop. Step 3 is an inner loop. This problem gets bigger geometrically as we add mail systems!

   PMDF Directory Tools

   PMDF includes directory tools to manipulate the X.500 Directory (via LDAP), entry description files, and foreign directories:

   • $ PMDF DIRECTORY /LOAD
   • $ PMDF DIRECTORY /DUMP
   • $ PMDF DIRECTORY /IMPORT
   • $ PMDF DIRECTORY /EXPORT
   • $ PMDF DIRECTORY /DIFF
   • $ PMDF DIRECTORY /GENDB

   Directories supported include:

   • Digital ALL-IN-1 user and network profiles
   • Digital Distributed Directory Service
   • Lotus cc:Mail
   • Microsoft Exchange
   • Microsoft Mail
   • Novell GroupWise/WordPerfect Office

   Sample Directory Import

   To import ALL-IN-1 profile entries to an EDF file for exporting to another directory or loading into the X.500 Directory, enter, for example:

   $ pmdf directory /import /a1 /rooting - /domain="Chicago.Acme.Com" /country=US - /org="Acme Corporation"

   A sample entry description from ALL-IN-1:

   RootedAt=o=Acme Corporation cn=Kelly B Forker mail=Kelly.B.Forker@Chi.Acme.Com postalAddress=Acme Corporation $ P.O. Box 1234 $ \ Chicago, IL 60001-1234 userClass=a1 uid=KFORKER sn=Forker l=Chicago roomNumber=14th Floor ms 52 phone=+1 312 814 2289 objectClass= top & quipuObject objectClass=organizationalPerson objectClass=organizationalUnit objectClass=person objectClass=newPilotPerson

   The userClass attribute is automatically set up by the directory tools. We use it to keep track of the authoritative sources of entries.

   Directory Strategies

   Terminology for this session:

   • Directory synchronization copies all entries to every directory
   • Distributed directories store entries on central servers for wide-area network access
   • Directory replication copies entire directories within a homogeneous environment

   An Alternative Solution

   Using ALL-IN-1 and DDS, Microsoft Exchange, and an Internet connection; we might instead meet objectives with a distributed (X.500) directory:

   • Maintain Exchange users in the X.500 directory
   • Maintain ALL-IN-1 users in the X.500 directory
   • Generate reverse entries from the X.500 directory
   • Route mail using X.500 directory lookups

   Three mail communities could require three X.500 loads. We only have two, because all Internet users cannot be loaded into our X.500 directory!

   Each X.500 load has the same three steps required by a directory exchange.

   Additional benefits from the X.500 approach:

   • The X.500 directory may be browsed by humans.
   • Our servers can query other Internet White Pages servers.
   • Other X.500 users on the Internet can see the data we make public.

   Exercise: How many exchanges if we add Lotus Notes?

   Distributed Directory Tactics

   For each directory source:

   1. Dump the new source data to an interchange format.
   2. Perform any needed cleanup or transformation.
   3. Dump the old source data from the master directory to interchange format.
   4. Compute the deltas to get from old data to the new data.
   5. Apply the deltas to the master directory.

   Note: Steps 1-5 represent the only loop. There is no inner loop. This problem gets bigger linearly as we add mail systems.

   OSI Identifier Registration

   To participate in X.500, obtain these identifiers from ANSI:

   • Numeric organization: 49236
   • Alphanumeric organization: Arnold Consulting, Inc.
   • MHS management domain (for X.400): ARNOLD

   Total cost: $3000. Waiting time: 90-120 days.

   Don't worry about challenges. There have never been any!

   Smaller organizations may register in the Internet White Pages under their corporation name at no charge.

   (The examples are hypothetical. Arnold Consulting, Inc. is a "smaller" organization, and not registered with ANSI. Its entry in the Internet white pages is under Wisconsin, its state of incorporation.)

   Recommendations

   For medium and large organizations:

   • Educate IS management about these issues.
   • Register an Internet domain with the InterNIC.
   • Register OSI identifiers with ANSI.
   • Build central, replicated X.500 servers.
   • Maintain your directory data in X.500. If synchronization is required, use X.500 as the hub.
   • Support canonical addresses for VMSmail and
     Internet users.
   • Provide LDAP based clients for all mail users.
   • Press vendors for products supporting X.500 and LDAP.
   • Join the Internet White Pages and contribute your public data.
   • Stop loading foreign data into local directories.
   • Avoid LDAP-only server products.

   Thank you!

   Stephen L. Arnold, Ph.D., President

   Arnold Consulting, Inc.
   2530 Targhee Street, Madison, Wisconsin 53711-5491
   Telephone: +1 608 278 7700
   Facsimile: +1 608 278 7701

   Stephen.L.Arnold@Arnold.Com
   http://WWW.Arnold.Com

   Back to the Arnold Consulting Welcome Page

   This page was last updated 14 November 1997, and has been visited 8,447 times.

   ---

   Copyright © Arnold Consulting, Inc., 1995, 1996, 1997. All rights reserved, except you may download this page to view it, and you may print a single copy for personal use. Some of the names here are trademarks of others.
   SLA