- By Paul Korzeniowski
- Mar 04, 2001
As great as e-mail has been for government agencies, there is a downside
to it: maintenance.
Agencies constantly have to prune their lists of e-mail users. The process
can be onerous and time-consuming, especially for agencies with multiple
This problem has been disappearing as vendors adopt standards that allow
e-mail systems to share information. In fact, vendors are extending these
benefits beyond e-mail systems to other products, such as desktop applications,
security systems and even network routers.
"Government agencies have been forced to support distinct directories
for each new device or application installed," said Steven Moran, a technology
specialist manager in Microsoft Corp.'s state and local government group.
"They want to simplify management by having all of their products work with
a common directory, and that is becoming quite possible."
Directories act as computer and network traffic cops. They store lists
with the names and addresses of every end user and computer resource, which
could be an application as well as a printer. Before a connection is made
or access to a resource is granted, applications check directories to ensure
that users have the proper credentials.
Traditionally, vendors designed their own directories with each of their
products. Consequently, agencies found themselves with a wide — and ever-growing
— set of directories. One might provide access to a local-area network operating
system, a second might open an e-mail application and a third might work
with a security application.
Keeping directories updated has been difficult. Employees come and go,
new applications are installed and servers are replaced. Typically, network
administrators manually enter such changes. With the broadening number of
applications and variety of devices connected to agency networks, the task
is a full-time job.
"We have two employees responsible for maintaining our directories,"
said Bruce Henson, a senior programmer and analyst with San Bernardino County,
Calif., which has 14,000 users.
There are a couple of ways to solve the problem. In 1999, Baltimore
County, Md., had 3,000 users working with a range of computer systems: IBM
Corp. mainframes, Unix servers, IBM mid-range systems and PC servers. They
wanted to get away from a multi-vendor environment, said Ron Deibert, the
county's network and systems manager.
The county decided to standardize with products from Novell Inc., which
has been at the forefront of using one directory, its Novell Directory Services,
for multiple purposes. The county selected the firm's GroupWise system as
its enterprise mail system and also bought calendar, network management,
fax and workflow software that use NDS.
Last fall, officials began migrating the county's other systems to NDS.
They are about two-thirds of the way through. Once the transition is complete,
Deibert expects that the agency's programmers will spend less time entering
directory data and more time enhancing new electronic government applications.
Not all agencies are in a position to mandate deployment of an enterprisewide
standard. "In many cases, various departments are comfortable with certain
products and will continue to work with them," said John Barco, director
of product marketing at iPlanet E-Commerce Solutions, a directory software
Unfortunately, because directories are autonomous entities, they often
cannot share information. So when an employee leaves, an administrator has
to delete his or her privileges from each directory — a process that is
tedious and prone to error.
Agencies yearn to integrate directories so that when an administrator
makes a change in one, it will automatically be relayed to all associated
directories. Standards are needed for this to take place; the Lightweight
Directory Access Protocol (LDAP) has emerged as the most likely solution.
Its roots go back to the International Standard Organization's X.500
specification, developed in 1988. Though functional, the specification was
large and complex. With companies pushing more e-mail functions to end users,
agencies needed something simple — software that could run on desktop systems.
In the early 1990s, the University of Michigan stripped down the ISO standard
so it could operate better on PCs. Enter LDAP.
The emergence of the World Wide Web gave the standard a big boost. "Many
companies selected LDAP for their new Web applications because it was functional
and easy to implement," said Dan Blum, a senior vice president at The Burton
Group Corp., a market research firm that specializes in networking issues.
Increasingly, state agencies are looking to LDAP to weave together their
directories. In 1998, New Jersey wanted to improve communications among
government workers. "We had a number of departments working with different
e-mail applications and wanted to put an infrastructure in place so they
could exchange information," said Joyce Arcioni, manager of public-key infrastructure
and directory services for the state.
The state began a multi-step project to make that possible. First,
the New Jersey government selected Web browsers as its universal user interface.
Next, it searched for a way to let employees find information (e.g., names,
telephone numbers) about workers in other departments. The state selected
iPlanet's Directory Server as the foundation for a central directory because
the LDAP-based system could exchange information with other directories.
The product stores personnel names, locations, telephone system data and
e-mail addresses for about 80,000 state employees.
Security was a major concern with the new system because the Department
of Labor and the judiciary planned to transmit worker compensation information
using the network. "We needed to tie our directory into our security system,"
The iPlanet system supports public-key encryption, where the sender
and receiver have software that opens and closes sensitive documents; New
Jersey is adding that feature. Eventually, the state expects to open its
directory — the myNewJersey portal — to citizens and businesses that need
to contact state workers.
Although LDAP can help connect different directories, it is not simple
to deploy. "Whenever a customer decides to buy an LDAP directory from us,
[that customer] also signs up for systems integration services," iPlanet's
Barco said. "Directories are not simple, plug-and-play software."
Problems can arise from the need to integrate the new services with
"Legacy directories were not designed to share information, so opening
them up to work with other products can be difficult," said Keith Sims,
a brand manager for Tivoli SecureWay, IBM's directory services product.
The Department of Administration for Kansas can attest to the hardship.
In 1999, the agency, with 600 em-ployees in multiple locations, examined
using LDAP to integrate department directories, including Lotus Development
Corp.'s Domino, Novell's GroupWise, Microsoft's Exchange and a few free
"We determined that the ways vendors identify directory data differ
widely, and that can make it difficult to consolidate information in a central
location," said Jerry Merryman, a department director in the division of
information technology and communications. Aware of such concerns, a group
of vendors, including Cisco Systems Inc., IBM, Novell, Microsoft and SAP
America Inc., formed the Directory Interoperability Forum in July 2000.
The group is developing conformance-testing suites to help ensure that LDAP
Yet, their work may not clear a department's biggest roadblock to directory
integration. "The real challenges in deploying a uniform, enterprise-wide
directory stem from managerial issues, not technology limitations," said
The Burton Group's Blum.
"Various departments now control directory data, and many are unwilling
to give it up," Deibert said. Baltimore County experienced such resistance
first-hand. "We had to start slowly and demonstrate the benefits that a
central directory offered before some departments were willing to work with
us," he said.
Making the case to doubters may soon become easier because network equipment
suppliers have also joined the integrated directory parade. Led by Cisco
and Microsoft, the Distributed Management Task Force Inc. — a Portland,
Ore., vendor consortium — crafted a standard dubbed Directory Enabled Network.
The consortium's goal was to make it simpler to map network and system device
management data to LDAP directories. The specification was completed in
June 2000, and compliant products have begun to arrive.
Korzeniowski is a freelance writer in Sudbury, Mass., who specializes in
networking issues. He can be reached at [email protected]