Netscape DIRECTORY SERVER 6.01 - DEPLOYMENT Deployment Manual page 36

Performing a Site Survey

Can the data be read anonymously?

The LDAP protocol supports anonymous access, and allows easy lookups for
common information such as office sites, email addresses, and business
telephone numbers. However, anonymous access lets anyone who can reach the
directory read that common information. Consequently, you should use
anonymous access sparingly.

Can the data be read widely across your enterprise?

You can set up access control so that the client must log in to (or bind to) the
directory to read specific information. Unlike anonymous access, this form of
access control ensures that only members of your organization can view
directory information. It also allows you to capture login information in the
directory's access log, so you have a record of who accessed the information.

For more information about access controls, refer to "Designing Access
Control," on page 134.

Can you identify a group of people or applications that need to read the data?

Anyone who has write privileges to the data generally also needs read access
(with the exception of write access to passwords). You may also have data
specific to a particular organization or project group. Identifying these access
needs helps you determine what groups, roles, and access controls your
directory needs.

For information about groups and roles, see Chapter 4, "Designing the
Directory Tree" on page 57. For information about access controls, see Chapter
7, "Designing a Secure Directory," on page 119.

As you make these decisions for each piece of directory data, you define a security
policy for your directory. Your decisions depend upon the nature of your site and
the kinds of security already available at your site. For example, if your site has a
firewall or no direct access to the Internet, you may feel freer to support
anonymous access than if you are placing your directory directly on the Internet.

In many countries, data protection laws govern how enterprises must maintain
personal information, and restrict who has access to the personal information. For
example, the laws may prohibit anonymous access to addresses and phone
numbers, or may require that users have the ability to view and correct information
in entries that represent them. Be sure to check with your organization's legal
department to ensure that your directory deployment follows all necessary laws
for the countries in which your enterprise operates.

The creation of a security policy and the way you implement it are described in
detail in Chapter 7, "Designing a Secure Directory," on page 119.
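
The survey answers above eventually become access control instructions (ACIs). The following added example, which is not from the Netscape manual, is a Python sketch that reads a few constructed ACIs in the ACI syntax this server family uses and reports attributes that can be read without a bind but were not cleared for it. The suffix dc=example,dc=com, the HR group, the attribute choices and the ANON_OK allow-list are assumptions, and only simple allow ACIs with one bind rule are parsed.

```python
import re
# Constructed sample ACIs; suffix dc=example,dc=com and the HR group are assumed.
SAMPLE_ACIS = [
    '(targetattr = "cn || mail || telephoneNumber || homePhone")'
    '(version 3.0; acl "Anonymous lookup"; allow (read, search, compare) '
    'userdn = "ldap:///anyone";)',
    '(targetattr = "postalAddress || manager")'
    '(version 3.0; acl "Employees read"; allow (read, search, compare) '
    'userdn = "ldap:///all";)',
    '(targetattr = "userPassword")'
    '(version 3.0; acl "Self password change"; allow (write) '
    'userdn = "ldap:///self";)',
    '(targetattr = "employeeNumber")'
    '(version 3.0; acl "HR read"; allow (read, search) '
    'groupdn = "ldap:///cn=HR,ou=Groups,dc=example,dc=com";)',
]
ANON_OK = {"cn", "mail", "telephonenumber"}  # assumed survey outcome

ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]+)"\)\s*'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]+)";\s*'
    r'allow\s*\((?P<rights>[^)]+)\)\s*'
    r'(?P<kind>userdn|groupdn)\s*=\s*"(?P<subject>[^"]+)";\)')

def audience(kind, subject):
    """Map a bind rule to an audience class from the site survey."""
    if kind == "groupdn":
        return "group"
    return {"ldap:///anyone": "anonymous", "ldap:///all": "authenticated",
            "ldap:///self": "self"}.get(subject, "specific-user")

def read_audiences(acis):
    """Return {attribute: audiences granted read} from simple allow ACIs."""
    result = {}
    for aci in acis:
        m = ACI_RE.fullmatch(aci.strip())
        if m is None:  # refuse to guess at forms this sketch does not parse
            raise ValueError(f"unsupported ACI form: {aci!r}")
        if "read" not in {r.strip().lower() for r in m["rights"].split(",")}:
            continue  # e.g. write-only access to userPassword
        for attr in m["attrs"].split("||"):
            result.setdefault(attr.strip().lower(), set()).add(
                audience(m["kind"], m["subject"]))
    return result

def anonymous_violations(acis, allowed=ANON_OK):
    """Attributes readable without a bind that the survey did not clear."""
    return sorted(a for a, who in read_audiences(acis).items()
                  if "anonymous" in who and a not in allowed)
```

With the sample rules, `anonymous_violations(SAMPLE_ACIS)` flags `homephone`. The sketch does not model deny rules or where each ACI sits in the directory tree.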
Netscape Directory Server Deployment Guide • January 2002
