Directory assistance

A developing tool makes it easier for agencies to meld information into one directory

As great as e-mail has been for government agencies, there is a downside to it: maintenance.

Agencies constantly have to prune their lists of e-mail users. The process can be onerous and time-consuming, especially for agencies with multiple e-mail systems.

This problem has been disappearing as vendors adopt standards that allow e-mail systems to share information. In fact, vendors are extending these benefits beyond e-mail systems to other products, such as desktop applications, security systems and even network routers.

"Government agencies have been forced to support distinct directories for each new device or application installed," said Steven Moran, a technology specialist manager in Microsoft Corp.'s state and local government group. "They want to simplify management by having all of their products work with a common directory, and that is becoming quite possible."

Directories act as computer and network traffic cops. They store lists with the names and addresses of every end user and computer resource, which could be an application as well as a printer, together with the attributes that describe each entry, such as a user's group memberships, password or certificate. Before a connection is made or access to a resource is granted, applications check the directory to verify who the user is and whether that user is entitled to the resource.

Traditionally, vendors designed their own directories with each of their products. Consequently, agencies found themselves with a wide — and ever-growing — set of directories. One might provide access to a local-area network operating system, a second might open an e-mail application and a third might work with a security application.

Keeping directories updated has been difficult. Employees come and go, new applications are installed and servers are replaced. Typically, network administrators manually enter such changes. With the broadening number of applications and variety of devices connected to agency networks, the task is a full-time job.

"We have two employees responsible for maintaining our directories," said Bruce Henson, a senior programmer and analyst with San Bernardino County, Calif., which has 14,000 users.

There are a couple of ways to solve the problem. In 1999, Baltimore County, Md., had 3,000 users working with a range of computer systems: IBM Corp. mainframes, Unix servers, IBM mid-range systems and PC servers. County officials wanted to get away from a multi-vendor environment, said Ron Deibert, the county's network and systems manager.

The county decided to standardize with products from Novell Inc., which has been at the forefront of using one directory, its Novell Directory Services, for multiple purposes. The county selected the firm's GroupWise system as its enterprise mail system and also bought calendar, network management, fax and workflow software that use NDS.

Last fall, officials began migrating the county's other systems to NDS. They are about two-thirds of the way through. Once the transition is complete, Deibert expects that the agency's programmers will spend less time entering directory data and more time enhancing new electronic government applications.

Not all agencies are in a position to mandate deployment of an enterprisewide standard. "In many cases, various departments are comfortable with certain products and will continue to work with them," said John Barco, director of product marketing at iPlanet E-Commerce Solutions, a directory software supplier.

Unfortunately, because directories are autonomous entities, they often cannot share information. So when an employee leaves, an administrator has to delete his or her privileges from each directory — a process that is tedious and prone to error.

Agencies yearn to integrate directories so that when an administrator makes a change in one, it will automatically be relayed to all associated directories. Standards are needed for this to take place; the Lightweight Directory Access Protocol (LDAP) has emerged as the most likely solution. LDAP standardizes how an application reads and updates a directory, not how one vendor's directory replicates to another's, so relaying a change still takes a synchronization tool that speaks LDAP to each directory involved.

Its roots go back to the X.500 directory specification, developed in 1988 by the International Organization for Standardization (ISO) and the CCITT (now the ITU-T). Though functional, the specification was large and complex, and its Directory Access Protocol assumed the full OSI protocol stack. With companies pushing more e-mail functions to end users, agencies needed something simple: software that could run on desktop systems. In the early 1990s, the University of Michigan stripped down the X.500 access protocol so it could run over TCP/IP on ordinary PCs. Enter LDAP.

The emergence of the World Wide Web gave the standard a big boost. "Many companies selected LDAP for their new Web applications because it was functional and easy to implement," said Dan Blum, a senior vice president at The Burton Group Corp., a market research firm that specializes in networking issues.

Increasingly, state agencies are looking to LDAP to weave together their directories. In 1998, New Jersey wanted to improve communications among government workers. "We had a number of departments working with different e-mail applications and wanted to put an infrastructure in place so they could exchange information," said Joyce Arcioni, manager of public-key infrastructure and directory services for the state.

The state began a multi-step project to make that possible. First, the New Jersey government selected Web browsers as its universal user interface. Next, it searched for a way to let employees find information (e.g., names, telephone numbers) about workers in other departments. The state selected iPlanet's Directory Server as the foundation for a central directory because the LDAP-based system could exchange information with other directories. The product stores personnel names, locations, telephone system data and e-mail addresses for about 80,000 state employees.

Security was a major concern with the new system because the Department of Labor and the judiciary planned to transmit worker compensation information using the network. "We needed to tie our directory into our security system," Arcioni said.

The iPlanet system supports public-key encryption, in which a sender encrypts a document with the recipient's public key and only the matching private key, held by the recipient, can open it; the directory is where those public keys can be published, as certificates, alongside a user's other contact details. New Jersey is adding that feature. Eventually, the state expects to open its directory — the myNewJersey portal — to citizens and businesses that need to contact state workers.

Although LDAP can help connect different directories, it is not simple to deploy. "Whenever a customer decides to buy an LDAP directory from us, [that customer] also signs up for systems integration services," iPlanet's Barco said. "Directories are not simple, plug-and-play software."

Problems can arise from the need to integrate the new services with existing applications.

"Legacy directories were not designed to share information, so opening them up to work with other products can be difficult," said Keith Sims, a brand manager for Tivoli SecureWay, IBM's directory services product.

The Department of Administration for Kansas can attest to the hardship. In 1999, the agency, with 600 employees in multiple locations, examined using LDAP to integrate department directories, including Lotus Development Corp.'s Domino, Novell's GroupWise, Microsoft's Exchange and a few free shareware packages.

"We determined that the ways vendors identify directory data differ widely, and that can make it difficult to consolidate information in a central location," said Jerry Merryman, a department director in the division of information technology and communications. Aware of such concerns, a group of vendors, including Cisco Systems Inc., IBM, Novell, Microsoft and SAP America Inc., formed the Directory Interoperability Forum in July 2000. The group is developing conformance-testing suites to help ensure that LDAP products interoperate.
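The two chores described above, removing a departed employee from every directory that still knows about him or her and reconciling attribute names that differ from vendor to vendor, are what a directory reconciliation job has to do before any consolidation can happen. The Python below is an added example written for this page, not code from any agency or product named in the article. It parses LDIF, the text export format LDAP directories share (RFC 2849), maps each directory's attribute names onto a common schema, joins entries on an employee number, and reports accounts to deprovision, attribute values that disagree, and employees with no account yet. The two exports, the schema maps and the vendor attribute names (empId, rfc822Mailbox) are all constructed for the example; a real job would substitute the names each product actually uses.

```python
"""Added example: reconcile a satellite directory's LDIF export against an
authoritative one. All data and vendor attribute names are constructed."""
import base64

# HR is assumed authoritative for who is employed; the e-mail directory uses
# its own (assumed) attribute names and DN layout. Employee number is the join key.
HR_LDIF = """\
dn: employeeNumber=1001,ou=people,o=county
employeeNumber: 1001
mail: aortiz@example.gov

dn: employeeNumber=1002,ou=people,o=county
employeeNumber: 1002
mail: blee@example.gov
"""

MAIL_LDIF = """\
dn: uid=aortiz,ou=mailusers,dc=mail
empId: 1001
rfc822Mailbox: ana.ortiz@example.gov

dn: uid=blee,ou=mailusers,dc=mail
empId: 1002
rfc822Mailbox: blee@example.gov

dn: uid=cwu,ou=mailusers,dc=mail
empId: 1003
rfc822Mailbox: cwu@example.gov
"""

# Per-directory map from the vendor's attribute names to the common schema.
SCHEMAS = {
    "hr": {"employeeNumber": "employeeNumber", "mail": "mail"},
    "mail": {"empId": "employeeNumber", "rfc822Mailbox": "mail"},
}

def parse_ldif(text):
    """Minimal LDIF content parser: one dict per entry, every attribute a list
    of values. Handles folded lines and base64 ("::") values; not change records."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
        elif not line.startswith("#"):
            attr, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed LDIF line: {line!r}")
            value = (base64.b64decode(value[1:]).decode("utf-8")
                     if value.startswith(":") else value.strip())
            current = current if current is not None else {}
            current.setdefault(attr, []).append(value)
    return entries

def normalize(entries, attr_map):
    """Rename one directory's attributes to the common schema. Unmapped
    attributes are dropped; the DN is kept so the entry can be acted on."""
    out = []
    for e in entries:
        n = {"dn": e["dn"][0]}
        for attr, values in e.items():
            if attr in attr_map:
                n[attr_map[attr]] = values
        out.append(n)
    return out

def reconcile(authority, satellite, key="employeeNumber", compare=("mail",)):
    """Return (orphans, conflicts, missing): satellite DNs whose key the authority
    does not know (departed staff, or entries with no key); (key, attr, authority
    values, satellite values) that disagree; authority keys the satellite lacks."""
    by_key = {e[key][0]: e for e in authority}
    if len(by_key) != len(authority):
        raise ValueError("duplicate join key in authoritative directory")
    orphans, conflicts, seen = [], [], set()
    for e in satellite:
        k = e.get(key, [None])[0]
        if k not in by_key:
            orphans.append(e["dn"])
            continue
        seen.add(k)
        for attr in compare:
            a, s = by_key[k].get(attr, []), e.get(attr, [])
            if sorted(a) != sorted(s):
                conflicts.append((k, attr, a, s))
    return orphans, conflicts, sorted(set(by_key) - seen)

def reconcile_ldif(auth_ldif, auth_schema, sat_ldif, sat_schema):
    return reconcile(normalize(parse_ldif(auth_ldif), auth_schema),
                     normalize(parse_ldif(sat_ldif), sat_schema))

if __name__ == "__main__":
    print(reconcile_ldif(HR_LDIF, SCHEMAS["hr"], MAIL_LDIF, SCHEMAS["mail"]))
```

Orphans are reported rather than deleted: a job that acted on them automatically should first check that the authoritative export is complete, since an empty or truncated HR file would otherwise mark every account in the satellite for deletion. The conflict list is the problem the Kansas department ran into, the same person described with different values under different attribute names, and it has to be settled by deciding which directory is authoritative for each attribute before the data is consolidated.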

Yet, their work may not clear a department's biggest roadblock to directory integration. "The real challenges in deploying a uniform, enterprise-wide directory stem from managerial issues, not technology limitations," said The Burton Group's Blum.

"Various departments now control directory data, and many are unwilling to give it up," Deibert said. Baltimore County experienced such resistance first-hand. "We had to start slowly and demonstrate the benefits that a central directory offered before some departments were willing to work with us," he said.

Making the case to doubters may soon become easier because network equipment suppliers have also joined the integrated directory parade. Led by Cisco and Microsoft, the Distributed Management Task Force Inc. — a Portland, Ore., vendor consortium — crafted a standard dubbed Directory Enabled Networks (DEN). The consortium's goal was to make it simpler to map network and system device management data to LDAP directories. The specification was completed in June 2000, and compliant products have begun to arrive.

Korzeniowski is a freelance writer in Sudbury, Mass., who specializes in networking issues. He can be reached at paulkorzen@aol.com.
