Head in a blender

Striking a balance between best practice and a client’s desires

Andy Pedisich  April 7 2008 01:33:01 PM
A client wants to use a replica of the server-based address book as the secondary address book on laptops instead of a directory catalog.  I have pointed out that it exposes risky bits like security policy information and whopping hints about the infrastructure.

The response: create a way that users see only users and groups in the address book, both on servers and on laptops.  If users see the rest it would only cause needless help desk calls.

This is a new Notes installation migrating from Exchange.

I have a few ideas on how I might do this, but it's not something that I would normally recommend.  And I am not really recommending it this time either.  I'm just trying to keep everyone happy.

I am wondering if anyone else has seen a requirement like this one.

- Andy
Comments

1. Curt Carlson  4/7/2008 2:38:09 PM  Striking a balance between best practice and a client’s desires

Did they say why they don't think a Condensed Directory Catalog will meet their needs? I would say that if you were hell bent on going this route you could do something with replication formulas or even readers fields but I would hesitate to modify the design of the names.nsf if at all possible. In other words, I would try to convince them to use the CDC....that is what it is for. Good luck!

2. Andy Pedisich  4/7/2008 3:16:02 PM  Striking a balance between best practice and a client’s desires

They seem to be very much aware of both extended and condensed dircat. They say they only want to worry about one address book. I know it's odd. That's why I am trying to find out if anyone else has experienced it. They are telling me that "lots of places do this." But this is the first I have heard of such a thing.

- Andy

3. Tim E. Brown  4/7/2008 3:57:01 PM  Striking a balance between best practice and a client’s desires

Andy,

The MDC (mobile directory catalog) is the best way to go for a "light address book". This would also only give them one address book.

HTH,

Tim E. Brown

4. Ed  4/7/2008 4:25:32 PM  Striking a balance between best practice and a client’s desires

Isn't that a picture of Bob Gessner on your blog?

5. Steve McDonagh  4/7/2008 5:32:30 PM  Striking a balance between best practice and a client’s desires

@Andy,

Another possibility at least for the local replica is to reduce the documents replicated to PERSON, GROUP and MAIL IN DBs using a policy-ed locked "space saver" replication setting. This would mean that in the local replica only those docs were present and none of the "interesting" ones.

Not totally perfect but it worked "back in the day"

Hiding chunks of the PAB on the server from users.... ooo I would not be so keen on that but you could do it ... it is an admin nightmare that can lead to all sorts of problems with adminp and RnR.

If you want to take this further drop me a line

6. Keith Cullen  4/8/2008 3:35:26 AM  Striking a balance between best practice and a client’s desires

Maybe Extended ACL might be something you could look at.

Not used them myself but from what I have read, I think they could work for.

It does require an enforced ACL but that is probably what you would be using anyhow.

If only we didn't have users, things would be so much easier :-)

KC

7. Jake White  4/8/2008 9:39:19 AM  Striking a balance between best practice and a client’s desires

Agreed with others about "just use directory catalog", but I guess clients is as clients does.

I don't have a specific recollection, but is there maybe something in the ASP server functionality that would help? I never set up a server that way, but what I do recall was that hosted service providers could share a server among organizations, with the right organization's materials being secured from other organizations. Maybe there's a way to bend that around to do the job?

Sorry for the non-specific suggestion.

8. Ted Hardenburgh  4/8/2008 12:18:42 PM  Striking a balance between best practice and a client’s desires

My 2c:

1 - It's still just one place where data is maintained, and you're optimizing the data the users need

2 - the size of replication (and the time to replicate) will be greatly reduced by using the MDC. Depending on directory size, of course.

3 - As Steve says, and you know, this is "old school" and we got away from it once MDC came out, for the reasons you stated. I think the "extra work" needed to make this secure, and the possible side effects to adminp, etc, and the relative ease of maintenance of the MDC make replicating the Dom Directory a helpdesk call waiting to happen.

9. Rupert Clayton  4/9/2008 1:25:21 AM  Striking a balance between best practice and a client’s desires

A selective replication formula for the local replica of the directory was how we used to do this before the condensed directory catalog came along, but that was about 9 years ago.

I imagine that your client can't see a practical difference between the two approaches. The four key ones I'd see are:

* The condensed directory catalog is designed for precisely this purpose -- why not use it?

* Directory catalogs are intended to be easily rolled out via policies, selective replicas aren't.

* Any later change to directory catalog requirements (Corporate hierarchy fields, Internet certificates, etc.) can be easily deployed to some or all users through a quick reconfig of the directory catalog and a policy settings update. Try rolling out changes to client-side replication settings.

* The directory catalog will always be way smaller than a "comparable" selective replica.

Your description of the client's position rings alarm bells that sound like "misunderstanding" and "cart before the horse" to me.
