Secure Identity Management Overview Course
March 2003
DeveloperNet University Course

eDirectory 8.7

eDirectory 8.7 is the current (as of 2003) release of the NDS technology, branded eDirectory. This course focuses only on the main enhancements introduced by eDirectory 8.7. For a good introduction to eDirectory, see the DNU course: http://developer.novell.com/education/tutorials/edirectory/edirecto.htm.

Partitions

When you partition NDS, you allow parts of the database, called partitions, to exist on several servers. With this capability, you can optimize network use by distributing NDS data processing and storage over multiple servers. Typically, you would partition and replicate the NDS database for three reasons:

  1. NDS fault tolerance.

  2. Efficient access to NDS information.

  3. Access to NDS from Bindery Services.

Replicas can be filtered to reduce synchronization traffic to the server by reducing the amount of data that must be replicated from other servers. Filtering also reduces the size of the directory database: by creating a filtered replica that contains only specific classes (instead of creating a full replica), you can reduce the size of your local database. Finally, filtering reduces the number of events that DirXML must filter.

Subordinate Reference Replicas

Subordinate References aid connectivity and navigation by ensuring that servers containing parent partitions always know where their child partitions are, and that child partitions know where the parent is.

Referential Integrity

The following kinds of references help keep NDS trees connected and synchronized:

  • External References

  • Back Links

  • Distributed Reference Links

Synchronization Improvements

The following are eDirectory 8.7 synchronization improvements:

  • Multi-Threaded Outbound -- The outbounding eDirectory agent can update more than one agent for more than one partition at a time.

  • Transitive Synchronization Enhancement to Reduce Chattiness -- Communication of the Transitive Vector between replicas is no longer delayed until each replica's outbound synchronization cycle - the destination replica's Transitive Vectors are exchanged with the source replica at the end of a replication cycle.

  • Synchronization Points or Incremental Replication of Changes -- All changes for the entire state difference between replicas of a given partition are still required, but a progress marker ("synchronization point") is kept so that work is not lost and redone in the event of an error (usually communication) during a synchronization cycle. Per-replica attribute time stamps no longer cause needless extra synchronization attempts.

iMonitor Health Check

The principles of the health check are the same as in previous versions of NDS, but the method has improved. A Basic Health Check now includes:

  • Agent Health

  • NDS Versions

  • Time Synchronization

  • Partition Continuity

A Complete Health Check includes:

  • Background Processes such as Synchronization, Limber, Schema, and Obituary.

Predicate Statistics

Predicate Statistics are a server-specific history of commonly accessed information. They are described as:

  • Very expensive to server resources

  • Not meant to run all the time

  • Turned on temporarily to determine which attributes are accessed the most

  • Used to aid in defining indexes appropriately

  • Data is stored in an ndsPredicateStatistics object

  • Referenced by the eDirectory server object

  • Keeps counts on the number of accesses

Server Indexes

eDirectory servers now have indexes, which allow specific attributes to be accessed faster. Indexes increase performance, but take up memory. Keep the following in mind when using indexes:

  • Scale your server to support indexes

  • Memory requirements will vary with each index, and the number of attributes in the index

  • Over-indexing can cause high server utilization and delay writes to eDirectory

Predicate data can be used to decide which indexes to define, as eDirectory will always use the index for an attribute if one exists. Indexes can also be taken online and offline for testing purposes.

Identity Vaults

An Identity Vault is a central repository that holds all identity-related information, such as usernames, passwords, demographic information, policies, roles, and access controls. Services can also leverage identity information for content personalization, authentication, authorization, policy enforcement, and so on. Lastly, DirXML uses identity to route data between connected applications.
