NIH Enterprise Directory

Initial Prioritized Requirements

Prepared by

The Burton Group

September 30, 1998

DRAFT

Base-Line Requirements

(A product lacking any one of these would not be considered)

  1. Flexible, user friendly LDAP V3 access support
  2. Flexible, user friendly Web-based end user access to directory (i.e., access via HTTP/HTML)
  3. Support for secure, standardized authenticated access to the directory (SSL, Kerberos, …)
  4. Access controlled updates
  5. Flexibility to integrate complex directories (off the shelf meta directory functionality)
  6. Integration with PKI products (Entrust, Verisign, …)
  7. Schema easily extended to support NIH schema and naming standards (includes Rich DIT views of some sort) and other changing schema requirements
  8. Customizable bulk directory load/extract from existing data sources
  9. Real time connectivity with Oracle (ODBC/SQL)
  10. Server operates on Solaris/SPARC or NT/Intel
  11. Continuous uptime/Availability
  12. Minimize schedule risk
High Priority Items

  1. Minimize ongoing cost, including per-user software licensing
  2. Implementation services
  3. Multi-valued attribute support
  4. Browse directory hierarchy (paged search, support deep+flat)
  5. Audit trails/logs identify who changed what and when they did it
  6. Graphical administration interface, ease of administration
  7. Known, respected vendor (recognized track record)
  8. Response time performance and scalability
  9. Integration with specific NIH data sources: UID Database (Oracle), Parking Database (Oracle), Telecommunications (FOXPRO/LDAP), PH/CSO, Data Warehouse (DB2 on MVS)

Backup Requirements

The following is a more comprehensive list of requirements that will be used to help evaluate the baseline and high priority capabilities from vendors. They will generally not be called out separately on the "report card", but will be factored in where they apply.

End User Access Requirements

  1. Support for Windows 32-bit clients (includes IE)
  2. Netscape Communicator support
  3. Notes client support
  4. Outlook client support
  5. Flexible, user friendly query/search functionality **
  6. Browse directory hierarchy (paged search, support deep+flat) (HIGH PRIORITY)
  7. Access from Microsoft Office suite (e.g., ADSI-enabled Visual Basic macros)
  8. LDAP client support**
  9. Web-based user access to the directory**

** Element of baseline requirements

Information Requirements

  1. Flexibility of field lengths—e.g., phone extensions change.
  2. Support NIH schema and naming standards**
  3. Schema extensibility**
  4. Rich DIT views (flat, organizational, geographical)
  5. Support for storage of "Green Pages" organizational roles
  6. Multi-valued attribute support (HIGH PRIORITY)

Protocol Support

This section considers the core protocols supported.

  1. Backward compatibility with LDAP V2
  2. LDAP V3**
  3. LDAP authentication (SASL/SSL) **
  4. LDAP referral
  5. LDAP replication (future)
  6. LDAP interoperability testing
  7. Backward compatibility with ’88 DAP/DSP (optional)
  8. ’93 DAP/DSP (optional)
  9. ’93 DOP/DISP (nice to have)

Security Requirements

  1. Certificate support—X.509 support**
  2. Strong authentication of administrators**
  3. Integration with PKI packages (Entrust, Verisign, Netscape Certificate Server, Microsoft Certificate Server)**
  4. Consistently administered authenticated attribute-level and group-level access control for NIH employees and business partners that can be delegated/distributed to the IC level
  5. Audit trails/logs identify who changed what and when they did it (HIGH PRIORITY)

Operations, Administration, Management Requirements

This section will consider requirements driven by the administration of the next generation directory service. Requirements covered here include tools to better administer the enterprise directory, to improve the overall service quality and support for standards-based management.

  1. 7x24 read access without bringing the service down for maintenance**
  2. Customizable bulk directory load/extract from existing data sources **
  3. Schema easily extensible by administrator**
  4. Global changes on the schema
  5. Easy to perform tree operations
  6. Graphical administration interface, ease of administration (HIGH PRIORITY)
  7. Directory able to support over 200,000 entries
  8. Performance monitoring/directory optimization tools
  9. Schema management tools—support for schema changes with minimal Administrator/user impact
  10. Integrate with platform (NT, UNIX, etc.) system services (e.g., performance monitoring, security)
  11. Ability to administer directory group memberships in a decentralized manner
  12. Must be able to replicate relatively easily (near real-time)—robust, fast, scheduled and event triggered
  13. ACLs and interfaces for end user self-service updates (phone, …)
  14. Template for controlling user access
  15. Web-based administration interface for standard functions (e.g., adds, deletes, changes)
  16. Minimal impact on existing directories
  17. Online, incremental backup (HIGH PRIORITY)
  18. Transactional updates with recovery/rollback

Directory Server Requirements

  1. Server operates on Solaris/SPARC or NT/Intel **
  2. Operate on clusters

Quality of Service Expectations

Specific requirements in this area include:

  1. Directory availability of 99.95% not counting scheduled maintenance
  2. No scheduled down time for routine maintenance tasks including database compaction, address changes, etc.
  3. Architectural provisions to ensure data integrity
  4. Reliability features (e.g., fault tolerance, logging, database rebuild, on-line back-up, transaction rollback)
  5. Reporting tools/statistics (e.g., average load, peak load)
  6. Known, respected vendor (recognized track record) (HIGH PRIORITY)
  7. Mature product
  8. Response time performance and scalability (HIGH PRIORITY)

Meta Directory Functionality

Meta directory functionality combines traditional directory synchronization with the management of relationships, access privileges, information propagation, chaining and a variety of other ways of consolidating directory information across heterogeneous directory environments. Key requirements include:

  1. Flexibility to import and integrate information from complex directories (basic meta directory functionality)**
  2. Accept input from UID database as the master of entry existence/non-existence
  3. Create entries/attributes in other systems (propagate information mastered in the meta-directory)
  4. Reflect entries/attributes (synchronize information mastered elsewhere between multiple systems)
  5. Chain queries to entries mastered elsewhere
  6. Administration views/control of connected directories
  7. Chain queries to attributes mastered elsewhere
  8. Schedule replication, synchronization, propagation
  9. Capabilities or special software to manage group or distribution list objects across connected directories
  10. Microsoft Exchange synchronization
  11. Microsoft Exchange propagation
  12. Other email synchronization
  13. Other email propagation (Notes, GroupWise, SuiteSpot, cc:Mail, MS Mail…)
  14. NT synchronization
  15. NT propagation
  16. NDS synchronization
  17. NDS propagation
  18. LDAP/LDIF synchronization
  19. LDAP/LDIF propagation
  20. Flat file import/export
  21. Name structure mapping
  22. Entry inclusion/exclusion rules
  23. Attribute inclusion/exclusion rules
  24. Bi-directional sync
  25. Exception handling (duplicate names, apparent duplicates, etc.)
  26. Callout/exits (to allow customer, 3rd party to customize code)
  27. Ability to easily restructure the DIT
  28. Generation of ad-hoc group member lists based on directory queries
  29. Event driven capabilities
  30. Synchronize/integrate Oracle databases
  31. Synchronize/integrate ODBC databases
  32. Multi-mastered attributes
  33. Overlapping directory content
  34. Rich DIT support
  35. Web server forms based apps…
  36. Specific NIH databases
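Several of the items above (customizable bulk load/extract, LDAP/LDIF synchronization and propagation, name structure mapping, entry and attribute inclusion/exclusion rules) describe one pipeline: rows from a source system are filtered, mapped and emitted as LDIF for the directory, and read back the same way. The following is an added illustration, not part of the requirements document or of any vendor's product. The source rows, the ou=People,dc=nih,dc=gov naming context and the nihUID attribute are constructed stand-ins for the UID database and the NIH schema; the code shows the RFC 2849 details a hand-rolled loader usually gets wrong (base64 for non-ASCII or leading-space values, line folding) and why the DN should hang off the immutable UID rather than the person's name.

```python
"""Bulk directory load/extract via LDIF (RFC 2849), with the mapping and
inclusion rules a meta directory applies when feeding entries from a
source database into the LDAP directory.

Added illustration, not part of the requirements document or any vendor
product. The source rows, the attribute mapping, the naming context
ou=People,dc=nih,dc=gov and the nihUID attribute are constructed examples
standing in for the UID database and the NIH schema.
"""
import base64
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for rows pulled from the UID database (Oracle/ODBC).
SOURCE_ROWS = [
    {"uid": "1001", "sn": "Smith", "given": "Ann", "mail": "ann.smith@nih.gov",
     "phone": "301-555-0101", "status": "A", "ssn": "000-00-0001"},
    {"uid": "1002", "sn": "Zoë", "given": "Émile", "mail": "emile.zoe@nih.gov",
     "phone": "301-555-0102", "status": "A", "ssn": "000-00-0002"},
    {"uid": "1003", "sn": "Gone", "given": "Bob", "mail": "",
     "phone": "", "status": "T", "ssn": "000-00-0003"},
]

# Attribute inclusion rule: source column -> directory attribute.
# Columns not listed here (e.g. 'ssn') are never exported to the directory.
ATTRIBUTE_MAP = {"uid": "nihUID", "sn": "sn", "given": "givenName",
                 "mail": "mail", "phone": "telephoneNumber"}

BASE_DN = "ou=People,dc=nih,dc=gov"


def include_entry(row: Dict[str, str]) -> bool:
    """Entry inclusion rule: only active (status 'A') people are loaded."""
    return row.get("status") == "A"


def needs_base64(value: str) -> bool:
    """RFC 2849 SAFE-STRING: ASCII only, no NUL/LF/CR, not starting with
    space, ':' or '<'. Anything else must be base64-encoded ('attr:: ...')."""
    if not value:
        return False
    if value[0] in " :<":
        return True
    return any(ord(c) > 127 or c in "\x00\n\r" for c in value)


def fold(line: str, width: int = 76) -> str:
    """Fold a long LDIF line; continuation lines start with one space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def attr_line(name: str, value: str) -> str:
    if needs_base64(value):
        return fold(f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}")
    return fold(f"{name}: {value}")


def row_to_entry(row: Dict[str, str]) -> Tuple[str, List[Tuple[str, str]]]:
    """Name structure mapping: the DN is built from the immutable UID, not the
    person's name, so a rename changes an attribute instead of moving the
    entry. Empty source columns are dropped rather than loaded as blanks."""
    dn = f"nihUID={row['uid']},{BASE_DN}"
    attrs = [("objectClass", "inetOrgPerson"),
             ("cn", f"{row['given']} {row['sn']}")]
    for column, attr in ATTRIBUTE_MAP.items():
        if row.get(column):
            attrs.append((attr, row[column]))
    return dn, attrs


def to_ldif(rows: Iterable[Dict[str, str]]) -> str:
    """The 'load' direction: filtered, mapped rows as LDIF content records."""
    records = []
    for row in rows:
        if not include_entry(row):
            continue
        dn, attrs = row_to_entry(row)
        lines = [attr_line("dn", dn)] + [attr_line(a, v) for a, v in attrs]
        records.append("\n".join(lines))
    return "version: 1\n" + "\n\n".join(records) + "\n"


def parse_ldif(text: str) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """The 'extract' direction: unfold continuation lines, decode '::'
    base64 values, skip the version line, return (dn, attributes) pairs."""
    entries = []
    for block in text.strip().split("\n\n"):
        unfolded = block.replace("\n ", "")
        attrs = []
        for line in unfolded.split("\n"):
            if line.startswith("version:"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            attrs.append((name, value))
        entries.append((attrs[0][1], attrs[1:]))   # first line of a record is the dn
    return entries


if __name__ == "__main__":
    print(to_ldif(SOURCE_ROWS))
```

Running it emits two records (the terminated account is excluded by the inclusion rule) with the non-ASCII surname and given name base64-encoded, and no trace of the ssn column; parse_ldif reads the same text back, which is the round trip a synchronization job relies on. The nihUID attribute used as the RDN is exactly the kind of local schema extension the baseline requirement calls for, and the directory must define it before this LDIF will load.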