| ||||||
Search Microsoft.com for: |
Hosting Multiple User Communities with a Membership DirectoryAugust 1999 Microsoft Corporation On This Page
IntroductionThis document has been updated to reflect the release of Microsoft SQL Server™ version 7.0. It differs only from the original document of the same name in that it reflects changes in software and service pack versions. This document covers strategies and techniques for hosting Internet service providers (ISPs) who want to support multiple customers, each with a separate community of users. In particular, this document discusses a mechanism for hosting multiple separate communities of users in a single shared Membership Directory. Although the Microsoft® Site Server 3.0, Commerce Edition documentation does not include a discussion of these topics, you can host multiple separate communities using the released version of Site Server Personalization & Membership (P&M). Some typical scenarios for hosting with P&M include:
This document focuses on the last scenario, and discusses in detail the main issues of configuration. Each configuration topic describes the advantages and disadvantages of that configuration, providing you with enough information to make an educated decision for your own situation. It is assumed that you have a basic familiarity with Site Server, P&M, and the Membership Directory. For more information, see the "Personalization & Membership (P&M)" section of the Site Server 3,0, Commerce Edition documentation. To open the documentation, on the Start menu, point to Programs, point to Microsoft Site Server, and then click Documentation. Configuration IssuesTo decide which configuration will suit your needs, answer the following questions:
The topics that follow address these issues in detail, and describe how some choices you make will dictate other choices. 1. Separate or Shared HardwareOne way to host multiple customers is to add a new hardware system for each new customer. As shown in Figure 1, this approach isolates each customer's Web site, Membership Directory, and other services. The shaded boxes in the diagram indicate components that reside within a single Membership Server. Figure 1: Isolated Hardware System This approach, however, can quickly become impractical. Normally, it is a good idea to share at least some of your hardware components between customers. For example, if you use a shared Membership Directory, you will automatically be using some common hardware, such as a computer running Microsoft® SQL Server™. Separate Hardware The advantages of using separate hardware systems include:
The disadvantages of using separate hardware systems include:
Note: If you use separate hardware for each customer, you cannot share software components such as SQL Server, Membership Servers, or Web sites. Shared Hardware You can reduce your implementation and maintenance costs by sharing some or all of your hardware components among your customers. However, you must set configuration standards for all of your customers in order to avoid conflicts. 2. Separate or Shared Web SitesYou can use a common Web site for some or all of your customers. Figure 2 shows the software components needed to support a single Web site system. Figure 2: Components Necessary for a Single Web Site System Internet Information Server (IIS) can host more than one virtual Web site on one computer, as shown in Figure 3, whether or not those sites use a single Membership Server and Membership Directory. Figure 3: A Multiple Web Site System You must use separate Web sites if you are using:
Separate Web Sites The advantages of using separate Web sites include:
However, each hosted customer requires a separate Internet Protocol (IP) address or at least a separate host header name. If you are using Secure Sockets Layer (SSL) encrypted channels and certificates, each customer must have a separate IP address. Note: You can use separate Web sites whether or not you share hardware or other system components. Shared Web Site If you use a shared Web site, you must also use:
The advantages of using shared Web sites include:
The disadvantages of using shared Web sites include:
3. Separate or Shared Membership DirectoriesTo completely isolate your customers, you can house each customer in a separate Membership Directory, as shown in Figure 1. However, you can house more than one customer in a single Membership Directory and still maintain separate Web sites and support services for each customer, as illustrated in Figure 4. Figure 4: A Single Membership Directory with Separate Web Sites and Support Services You must use separate Membership Directories if:
Separate Membership Directories The advantages of using separate Membership Directories include:
However, if you use separate Membership Directories, you must create and maintain separate databases for each customer. Important: If you use separate Membership Directories, you must use separate LDAP Services, Web sites, and AUO/Authentication Services for each customer. Shared Membership Directory The advantages of using shared Membership Directories include:
However, administration is more complex if you use shared Membership Directories, especially if you plan to delegate administration of each customer's users. There are many additional decisions to make when you use a shared Membership Directory. See "Special Considerations for a Shared Membership Directory" later in this document for information about:
4. Separate or Shared LDAP Services for One Membership DirectoryA Membership Directory requires at least one Membership Server that contains an LDAP Service. You can use more than one LDAP Service Membership Server for one Membership Directory, as shown in Figure 4. However, for best results, place only one LDAP Service on a single computer. If you are adding another LDAP Service (and Membership Server), create it on a separate computer. However, separate LDAP Services are usually unnecessary if you are using a shared Membership Directory. Figure 5: Recommended Configuration when Sharing a Membership Directory Separate LDAP Services Separate LDAP Services are practical if you are going to host a large, dedicated customer who will cover the costs of the additional overhead and who will require a separate Membership Directory based on size or security. If you use multiple LDAP Services, you can create separate LDAP Service configurations, such as dynamic data, for different customers. However, server overhead cost will increase significantly. Important: When you use separate LDAP Services, each customer must have a separate Web site and a separate Active User Object (AUO) and Authentication Service. Shared LDAP Service You can reduce server overhead by using a shared LDAP Service, although all customers will then share the same LDAP configuration. Important: If you use only one LDAP Service, you can have only one Membership Directory. 5. Separate or Shared AUO and Authentication ServicesIn the simplest configuration, all of the Web sites that share a single Membership Directory use a single Membership Server. That Membership Server contains an LDAP Service, an Authentication Service, and an AUO, as in Figure 3. If you move the LDAP Service to a separate computer and create the appropriate Membership Server on that computer, the Web sites will still use a single Membership Server that contains an Authentication Service and AUO. For more flexibility, connect each Web site to a separate Membership Server. If you are using a single, shared LDAP Service, that LDAP Service can reside within one of these Membership Servers or in a separate Membership Server on another computer. Each Authentication Service and AUO connects to the common LDAP Service, as shown in Figure 5. You must use separate AUO/Authentication Service combinations if you are using:
You must use a shared AUO/Authentication Service if you are using a shared Web site. Separate AUO/Authentication Services The advantages of using separate AUO/Authentication Service combinations include:
However, such configurations increase the complexity of your system. Important: In order to use separate AUO/Authentication Service combinations, you must use separate Web sites for each customer. Shared AUO/Authentication Service A single, shared AUO/Authentication Service combination is a basic configuration and is easy to maintain. The disadvantages of using a shared AUO/Authentication Service combination include:
Important: If you use a shared AUO/Authentication Service combination, you must also use a shared LDAP Service and a shared Membership Directory. Special Considerations for a Shared Membership DirectoryA Membership Directory has one container for user accounts (ou=Members) and one container for group information (ou=Groups). If multiple customers are going to share a Membership Directory, consider whether it is appropriate for all of the users to reside in a single container, or whether you want to keep each customer's users separate. Figure 6: Membership Directory with Separated Members and Groups You should also consider whether to allow your customers to customize attributes in the Membership Directory. In addition, you should give some thought to managing the automatic creation of Microsoft Windows NT® groups that correspond to groups in the Membership Directory. Segregating CustomersYou can separate the customers in the Membership Directory by creating subcontainers in the ou=Members and ou=Groups containers. Each subcontainer stores the information for one customer. Note: If you expect that you will need a lot of storage capacity, you can partition the Membership Directory so that each subcontainer under the ou=Members container is stored in a separate database. This process is beyond the scope of this document. See Creating a New Partitionin the Membership Directory in the "Personalization & Membership (P&M)" section of the Site Server 3.0, Commerce Edition documentation. Segregating the Membership Directory Namespace When you use a common Membership Directory namespace, the model is simple and requires less custom configuration. Users from multiple customers can authenticate to the same Web sites without requiring a prefix for user names. This approach might be appropriate, for example, for a cybermall where a user signs up for an account and expects it to be usable at a number of sites. However, to prevent name collision, names must be unique across the entire Membership Directory, not just within a particular customer's set of users. You can create subcontainers in the Membership Directory namespace so that each customer's users are in a separate container. Figure 7: Membership Directory with Separated Customer Containers When you segregate the Membership Directory namespace, there is no name collision between separate customers' users. Each customer can have discrete access control lists (ACLs) to allow delegated Membership Directory administration. However, each user must log on with a user name prefix, unless the Membership Directory uses segregated namespace authentication. For more information, see "Using Segregated Namespace Divisions for Authentication" later in this document. Using Segregated Namespace Divisions for Authentication When all users are housed in an unsegregated namespace, less custom configuration is required and users from multiple customers can authenticate to a single Web site to access common content. However, users must add the customer's container name as a prefix to their user names when they log on (similar to the Windows NT domain name). In some cases, you can script or hide this in your authentication interface. If you subdivide the Membership Directory to use separate containers for each customer, users will be required to use the customer prefix to log on to the site. To eliminate this requirement, in addition to subdividing the Membership Directory namespace (discussed earlier in this document), you can use segregated namespace authentication. In this configuration, the Authentication Service looks in a specific customer's container to authenticate users. However, you do not have to protect all of your content in this way. You can use segregated namespace authentication on separate Web sites for each customer, but, for content that is accessible to multiple customers, you can also have another Web site use common namespace authentication against the same Membership Directory. You can enhance the user's experience by using HTML Forms Authentication. Using this authentication method, you can provide the user with a list of customers from which to choose and the appropriate container name will automatically be added to the user name that is entered. When you segregate the namespace for authentication, the subcontainers of the ou=Members container are invisible to customers. A prefix is not required for authentication when a user logs on. In addition, users from one customer cannot authenticate to another customer's site. However, segregated namespace authentication requires you to set up a separate Web site and AUO/Authentication Service combination for each customer. This configuration is more complex to set up and administer than common namespace authentication. Configuring Member ObjectsYou can let your customers use customized attributes in the Membership Directory. However, you might want to avoid letting each customer add their own attributes to the Member object class, which could lead to an unmanageable number of attributes on Member objects for all customers. And you must also avoid allowing one customer to remove the attributes used by another customer. Following are possible solutions to the problems that can occur when you host a shared Membership Directory. Restricting Customers to a Fixed Set of Attributes You can define a fixed set of Member object attributes for your customers that will be the same for all customers. This solution has the advantage of simplicity, at the cost of flexibility. You can use this solution whether or not your customers are segregated within the Membership Directory. Defining a Fixed Set of Custom Attributes If your customers are segregated within the Membership Directory, you can define a common set of attributes that will be used by all customers, such as name and e-mail address. The minimum required attributes for the Members object are cn, GUID, user-password, and account-status. In addition, you can allow a fixed number of customizable attributes (such as String1, String2, Integer1, or Custom1). Each customer can use these attributes in different ways. Because the customers are segregated, multiple customers can use these attributes without conflict. Allowing Custom Attributes on a Custom Class Object If your customers are segregated within the Membership Directory, you can define a new object class for each customer and allow each customer to add attributes to this custom class. Because each customer's class object is separate, objects for various customers do not affect one another. Customers can select from a set of predefined attributes or can create new attributes for this class. Create instances of custom classes in a separate area of the Membership Directory, rather than in the ou=Members container. You can create an ou=CustomObjects container at the same level as the ou=Members and ou=Groups containers in the directory information tree (DIT), with customer containers underneath as in the ou=Members container. In order for Active Server Pages (ASP) scripts to use these custom objects and their attributes, each customer must have a custom Active User Object (AUO) configuration. For information about AUO, see "5. Separate or Shared AUO and Authentication Services," earlier in this document. Each AUO must have a secondary AUO provider that accesses the custom object, configured with an Active Directory Services (ADS) path to the customer's container under the ou=CustomObjects container. To impose and enforce limitations on such modifications to the Membership Directory schema, you may want to set appropriate ACLs on the cn=Schema object (pointed at designated attributes) and handle such changes through ASP page scripting or a customized Web administration interface. Controlling Automatic Group CreationOne potential disadvantage of hosting multiple customers in a single Membership Directory is that with Windows NT group autocreation turned on (which is the default), the Authentication Service will automatically create corresponding Windows NT groups for all groups in the Membership Directory, except those in the ou=NTGroups container. If there are many customers, each with many groups, the number of groups can become quite large and create an inconveniently large number of groups on the Web site computer. If all Web sites are on the same computer, this proliferation is not an issue because the groups for all customers are presumably needed. However, you can limit the number of groups created on a given Web site computer in two ways:
Setting up a Shared Membership Directory SystemIdentifying a ConfigurationTable 1 summarizes the possible configurations for a shared Membership Directory and the effects of the choices you make. For example, the table shows that if you use separate hardware systems for each customer, your options are limited. Restriction 1 (from the list that follows the table) applies, meaning you must isolate customer information about separate hardware systems. In addition, you cannot use any of Available Options 3-6. On the other hand, using separate Web sites for each customer (with some or all hardware and other components shared among customers) provides the greatest configuration flexibility. Available Option 6 applies, meaning that you can use distinct customer domains, authentication methods, and content access control lists (ACLs). Table 1 Configurations for a Shared Membership Directory
Restrictions (numbers appear in Table 1)
Available Options (numbers appear in Table 1)
Implementing a Shared DirectoryOnce you have identified a Membership Directory configuration that suits your needs, you can begin implementing it. To implement a shared Membership Directory with segregated customers Create the Membership Servers
Set Up the Web Sites After you have created all of the Membership Servers needed for your customers, you are ready to set up the Web sites.
Create and Configure the Containers After creating all of the Web sites necessary for your customers, you must create and configure the customer containers in the Membership Directory.
Set Up the Security After establishing the customer containers in the Membership Directory, you must configure the security by setting permissions and implementing authentication.
|