It has become a commonplace perception that the UK is rather unenlightened when it comes to open-source software.
According to Alfresco's Open Source Barometer, Britain is behind the US, France, Germany, Spain and Italy when it comes to adopting community-developed software, and, whatever its procurement rhetoric, central government seems content to continue entering into IT framework agreements with the likes of Microsoft and Oracle.
Mike Banahan, chief technology officer of OpenForum Europe, once described the UK as a "third-world country" compared with the rest of Europe when it comes to public- and private-sector interest in open-source software.
But some UK companies provide evidence that tells a different side of the story, and one of these is Specsavers Optical Group with its recent deployment of the open-source tools OpenLDAP, Samba and Gosa to handle directory services for its worldwide chain of optician stores.
Anyone looking for real-world, large-scale, business-critical enterprise uses of open source need look no further. Specsavers is one of Britain's fastest-growing retailers and is the largest privately owned chain of optician stores in the world, with more than 1,000 outlets across the UK and Europe, a figure that has doubled over the past four years. Turnover for 2007 exceeded £1bn and the company is still growing fast, with 100 stores about to open in Australia.
The expanding Specsavers has an official corporate policy to use open-source software and open standards by default.
While the Guernsey-headquartered company relies on Windows desktops, it uses open-source software elsewhere in the business, including Scalix, an enterprise email and groupware server that runs on Linux. In-store terminals use an in-house application, Socrates, that runs on embedded Linux, and Specsavers operates Red Hat Enterprise Linux servers alongside Windows and proprietary Unix.
Specsavers group IT director Michel Khan has no fears about the ability of open-source software to handle large-scale, quick-growing corporate systems — quite the reverse, in fact. The low upfront cost of open-source software and lack of licensing complications were important to the directory services deployment, he said.
"The scale of this deployment has been a real challenge in terms of the economics of the investment," Khan said. "Pursuing an 'open source, open standards' strategy has allowed us to meet that challenge."
The process began in June 2006, when Specsavers asked Sirius — a UK-based, open-source services group — to create a centralised model of access control for their UK Windows workstations and network services.
The company was initially using a proprietary LDAP (lightweight directory access protocol) implementation, but Sirius suggested using OpenLDAP instead and Specsavers quickly saw the advantages of going with the open-source alternative.
One of these advantages was scalability: Specsavers had decided to expand the project from the UK to its worldwide business, which was growing rapidly, partly as a result of a number of acquisitions in Europe — a factor that can often present IT integration headaches.
OpenLDAP was initially implemented with Samba networking software and the Gosa graphical management interface running on Red Hat servers, to authenticate Windows PCs and other network services in Guernsey and the mainland UK.
The deployment was then expanded internationally, with the global OpenLDAP master running in Guernsey, and delegated and replicating OpenLDAP masters in the UK, Finland, Hong Kong and Australia. This modular architecture allows users within one country domain to access network services in other countries using inter-domain trusts.
The global system was up and running at the end of 2007. "The back was broken in the last quarter of last year. It was effectively a three-month project," said Sirius chief executive Mark Taylor.
OpenLDAP, Samba and Gosa
LDAP was originally developed as a way of accessing X.500 directory services over TCP/IP, which is more "lightweight" than the open systems interconnection (OSI) protocol stack required by the X.500 directory access protocol (DAP).
LDAP made its debut in the early 1990s, put together by developers from the University of Michigan, Isode and Performance Systems International, with more recent development handled by the Internet Engineering Task Force (IETF).
It is a firmly established standard, defined in IETF requests for comments (RFCs), and has been implemented in a wide variety of more or less proprietary systems, one of the best known being Microsoft's Active Directory.
OpenLDAP was initiated in 1998 by Kurt Zeilenga, and started as a clone of the reference source code from the University of Michigan. It is released under its own OpenLDAP Public License and is included in several widely used Linux distributions. Implementations exist for BSD variants, proprietary Unix distributions, Mac OS X and even Windows.
"We introduced [Specsavers] to OpenLDAP, and they liked that," said Taylor. "They migrated everything out of their proprietary directory service into OpenLDAP and now run all of their user-management functions from that."
Samba, an open-source re-implementation of the SMB/CIFS networking protocol, is standard on nearly all distributions of Linux and effectively allows integration with Windows Server and Active Directory domains. The software was important to the project, given Specsavers' heterogeneous IT environment, and particularly its Windows workstations.
"One of the reasons for making the fully open-source server environment closely resemble a Windows environment is the presentation to the Windows desktop. It was important that the presentation of the servers didn't touch that," said Taylor. "The other reason was that many of Specsavers' engineers are familiar with Windows-style networks on the server side."
Fortunately, configuring Samba to imitate Windows environments is "perfectly straightforward", according to Taylor.
The third piece of the puzzle was the graphical interface for the front end. Specsavers selected Gosa, a PHP-based graphical administration tool, developed as part of the city of Munich's comprehensive deployment of open-source software, to help manage the deployment.
Gosa uses a security model along the lines of access-control lists (ACLs) and allows administrators to install, reinstall and manage computers and users on a large-scale network.
Gosa can also be accessed by users to manage their own passwords or other information. The tool allowed Specsavers to decentralise role-based access control, giving application or business-process owners the ability to create, manage and delegate groups on their own.
Taylor said he believes it's significant that Gosa has emerged out of one open-source project (Munich) and is now being reused by other large organisations.
"Ten or 15 years ago, you had the basic open-source elements, but now they are being used in the real world, in real businesses, and that is throwing up new requirements. You need the tools to manage this stuff," Taylor said. "The remarkable thing is: those tools are being developed. Munich has shown this process in action."
The project's biggest challenge was presented by the wide geographical dispersion involved, covering multiple time zones, said Taylor.
"This brought in a lot of design challenges. For instance, what's the best way of replicating data?" Taylor said. "Specsavers is no longer a single-country business. In the past two or three years, they've bought substantial chains in northern Europe. They're the biggest opticians in Sweden now. This meant collecting data from different parts of the organisation and centralising them."
In the final system, all the different parts of the global business are centralised into a single directory tree, while the data is replicated to each country.
The open nature of the software used has led to improvements in compatibility, which has allowed some significant simplifications in Specsavers' network.
Previously, the company needed to maintain several different sources of authentication, one for proprietary Unix machines and others for Windows systems or boxed appliances, such as proxy servers or firewalls.
"Centralising meant that each of those has been integrated to use the same source of authentication," said Taylor. "It's cross-platform [and] cross-device. If a staff member is hired, they now don't need to be added in three or four different places — just one."
"You can get this kind of centralisation if it's purely a Windows domain, for instance, but, once you bring Unix in, it's no longer simple. With open source, it's equally comfortable with Windows, Solaris or whatever," Taylor said.
IT director Khan had balked at the prospect of the licensing complications that would have arisen from expanding rapidly with a proprietary infrastructure. Open-source software eliminated that problem.
"If you want to throw a few more thousand machines in there, you can just do it," said Taylor. "There is a whole layer of bureaucracy that it takes out. You don't need to worry about compliance or licence tracking for these deployments."
Specsavers is approaching open-source software as a strategic investment that will give it control over the future direction of the company's infrastructure. Open source means that Specsavers can choose when to upgrade and can take its choice of software packages, because they're all interoperable. "They're not locked into any one platform choice. They can choose what's the best file server, the best email server or whatever," Taylor said.
While this is the biggest deployment of its kind in the UK to date, according to Taylor, more UK companies are beginning to show a serious interest in open source. The only thing holding them back is "inertia", Taylor said. Other UK companies with a board-level interest in open source include Malmaison and Unilever.
"The beauty of Specsavers is: we're finally seeing companies drive this from the top down. It was a strategic choice, not via the back door, not a few techies in the IT department installing Apache," Taylor said.