目錄服務和身份管理系統(tǒng)在電力企業(yè)中的設計與應用畢業(yè)設計論文.doc

畢畢 業(yè)業(yè) 設設 計計( 論論 文文) 目錄服務和身份管理系統(tǒng)在電力企業(yè)中的設計與應用目錄服務和身份管理系統(tǒng)在電力企業(yè)中的設計與應用 論論文作者姓名：文作者姓名： 申申請請學位學位專業(yè)專業(yè)： ： 申申請請學位學位類別類別： ： 指指導導教教師師姓姓名名（ （職職稱稱） ）： ： 論論文提交日期：文提交日期： 目錄服務和身份管理系統(tǒng)在電力企業(yè)中的設計與應用目錄服務和身份管理系統(tǒng)在電力企業(yè)中的設計與應用 摘摘 要要 21 世紀初，人類社會繼工業(yè)文明之后進入新經濟時代。在這個時代里，如何降低用戶 管理及其對應用系統(tǒng)訪問的復雜性和成本，防止擅自使用企業(yè)信息，如何提高靈動性，以 便系統(tǒng)能響應不斷變化的業(yè)務需求已經成為限制企業(yè)發(fā)展的重要因素。 國家電網公司在十一五期間啟動了“sg186”工程。本文以此工程為背景，通過對現(xiàn)有 電力企業(yè)內系統(tǒng)的調查，提出一套以身份目錄、企業(yè)資源目錄和認證目錄為核心的目錄服 務來集中統(tǒng)一的存儲、管理和展現(xiàn)用戶身份信息。并在此基礎上使用身份管理產品對現(xiàn)有 和即將投入運營的系統(tǒng)進行整合，以此實現(xiàn)整個電力企業(yè)系統(tǒng)中高效且無需手工維護的用 戶生命周期管理。同時為了保證系統(tǒng)穩(wěn)定高效的運行，在本文中還對影響整個系統(tǒng)效率的 關鍵要點進行了性能測試和分析并獲得預期結果。 關鍵詞：關鍵詞：目錄服務；身份管理；用戶生命周期 the design and application of directory services and identification management system in electric power enterprise abstract at the beginning of the 21st century, human society entered a new economic era following the industrial civilization. nowadays, there are several problems we have to face, for instance, the way to reduce the cost and complexity of user management and the access to application system; the method to protect the information of the company; how to improve the flexibility of the system in order to respond the business requirements. the “sg186“ project that state grid corp. started in the 11th five-year plan period is the background of this thesis. with the research of the system in electric power enterprise, a set of identity directory, enterprise resource directory and authentication directory has been proposed which provides a core directory services. and then it is used to store, manage and display user identity information. base on that, in order to achieve efficient and automatic lifecycle management of the electric power enterprise system, the existing and upcoming operational systems with identity management products has been commix. meanwhile, in order to ensure that the system is stable and efficient, the key features which affect the efficiency of the system were tested and analyzed and the expected results were obtained in this thesis. key words：directory service; identity management; user lifecycle 目目 錄錄 論文總頁數(shù)：33 頁 1引言1 1.1設計的目的和意義 1 1.2技術背景 1 1.2.1技術簡介1 1.2.2目錄服務與數(shù)據庫系統(tǒng)的差異2 1.2.3應用歷史及現(xiàn)狀3 1.3項目背景 4 1.4設計方法 5 1.5全文結構 5 1.6術語定義 5 2總體框架設計.6 2.1目錄服務 6 2.1.1目錄服務組成6 2.1.2總部目錄6 2.1.3網省公司目錄7 2.2身份管理 7 2.2.1身份信息的集中管理7 2.2.2身份同步8 3邏輯設計8 3.1目錄服務 8 3.1.1邏輯架構8 3.1.2目錄樹結構設計9 3.1.3目錄 schema 設計11 3.1.4目錄命名編碼設計13 3.1.5目錄同步設計14 3.2身份管理 16 3.2.1邏輯架構16 3.2.2身份生命周期管理16 3.2.3身份同步19 4物理設計21 4.1物理架構 21 4.2高可用性設計 22 4.2.1目錄服務22 4.2.2身份管理22 4.3系統(tǒng)監(jiān)控設計 23 4.3.1目錄服務24 4.3.2身份管理24 4.4備份和恢復設計 23 4.4.1目錄服務24 4.4.2身份管理24 4.5安全性設計 24 4.5.1目錄服務25 4.5.2身份管理25 4.6目錄的分級授權 25 4.6.1目錄的分級授權機制26 4.6.2目錄的授權要素26 4.6.3目錄的授權方式26 4.7操作系統(tǒng)調優(yōu) 27 4.7.1關閉后臺進程27 4.7.2關閉 gui.27 4.7.3處理器子系統(tǒng)調優(yōu)27 4.7.4內存子系統(tǒng)調優(yōu)27 4.7.5文件系統(tǒng)調優(yōu)28 4.7.6網絡子系統(tǒng)調優(yōu)28 5性能測試28 5.1目錄系統(tǒng)測試 28 5.1.1數(shù)據初始化28 5.1.2查詢效率28 5.1.3負載均衡28 5.2身份管理系統(tǒng)測試 29 5.2.1用戶身份同步29 5.2.2高可用性29 結 論29 參考文獻29 致 謝31 聲 明32 第 1 頁 共 33 頁 1 1引言引言 1.11.1設計的目的和意義設計的目的和意義 我們知道每一個公司都需要保護其 it 基礎設施，從而防止信息失竊，遵守法規(guī)并確保 客戶、合作伙伴和員工信息的秘密。這就需要以經濟的方法確保和保護公司資產的安全， 同時還不能錯失新的業(yè)務機會或降低工作效率。但事實并不總如人意，讓我們考慮以下幾 種情況。 情景一：在當今的大多數(shù)企業(yè)中，每個公司幾乎都在眾多的 it 系統(tǒng)中擁有多個身份信 息存儲庫，例如：人力資源系統(tǒng)、電子郵件系統(tǒng)和財務系統(tǒng)。如果需要更改系統(tǒng)中某個人 員相關的信息，it 工作人員只能以人工的方式更新每個系統(tǒng)中的信息，這是一項既昂貴又 耗時的工作，而且還容易出現(xiàn)錯誤，使系統(tǒng)容易遭受攻擊。例如：當一個員工到企業(yè)報道 之后，卻因為需要手工更新應用系統(tǒng)賬號的原因而遲遲不能獲得與其工作相關的應用系統(tǒng) 賬號，導致該員工無法進行正常的工作，這將會大大降低員工工作的積極性，同時對于企 業(yè)來說這也是一種資源的浪費。因此，需要一種集中化的方式來管理用戶和訪問，以確保 安全和實時性。 情景二：據美國聯(lián)邦密情局和計算機應急相應組（cert）的聯(lián)合報告顯示，在所有 針對公司網絡的非法訪問中，有一半以上都是帶有不滿情緒的離職員工所為。為用戶配置 資源訪問權限這一過程非常乏味且耗時，對于大多數(shù)公司而言，該人工流程會顯著降低工 作效率。此外，當員工離職后，取消他們的訪問權限的手工流程成為最大的安全隱患。因 此，需要一種流程化的自動賬號配置，在企業(yè)中強制實施一致的安全策略。 情景三：如果一個企業(yè)中，員工必須記住大量的密碼才能訪問日常應用程序和服務， 這種情況可能會危及數(shù)據安全并降低工作效率。同樣，如果依靠 it 部門人工重置每個忘記 的密碼，一個公司將無法高效運作。因此，需要讓員工負責管理自身的密碼并通過單點登 陸取代多個密碼的使用。 針對以上情況，我們需要一套完整而合理的方案來解決企業(yè)信息化發(fā)展中所遇到的問 題，而目錄服務和身份管理系統(tǒng)正是為了解決這些問題而誕生的。通過對目錄服務和身份 管理系統(tǒng)的應用設計，我們將會得到一套完整的解決方案以降低企業(yè)中管理用戶及其對系 統(tǒng)訪問的復雜性和成本、防止擅自使用企業(yè)信息和使系統(tǒng)適應不斷變化的業(yè)務需求。 1.21.2技術背景技術背景 1.2.11.2.1技術簡介技術簡介 目錄服務是統(tǒng)一身份管理系統(tǒng)所依賴的主要支撐技術，提供跨平臺身份信息存儲管理 和認證支持功能。具體的說，目錄服務是指以一定的格式記錄了大量企業(yè)資源信息，并將 各種資源信息集中管理起來，以對象的方式予以記錄，明確設定每個對象的“身份”和“位置” 。在某種程度上講它就是符合國際標準協(xié)議的一種基于對象的數(shù)據庫，支持的對象種類較 第 2 頁 共 33 頁 多，在各種平臺都能夠比較好的結合，在大量數(shù)據情況下，讀取信息的速度快。對象在目 錄的倒置樹型數(shù)據結構中分層存儲，便于建立一個與企業(yè)組織結構一致的結構和層次。目 錄服務提供認證和授權機制，管理員只需設定管理策略和規(guī)則，使得特定用戶只能訪問特 定的或者授權的應用系統(tǒng)。從功能上來說，目錄服務通過復制技術，保持數(shù)據信息的一致 性。 身份管理利用集中式數(shù)據儲存在應用程序、數(shù)據庫和目錄之間同步、轉換和分發(fā)信息。 當一個系統(tǒng)中的數(shù)據發(fā)生更改時，同步機制引擎將會根據定義的業(yè)務規(guī)則檢測這些更改， 并將這些更改同步到其它已連接系統(tǒng)中，達到數(shù)據共享的目的。身份管理內容主要有用戶 身份的生命周期的管理和實現(xiàn)跨地區(qū)的信息同步和用戶認證，定制不同安全級別的訪問控 制和數(shù)據加密等。通過對用戶身份的生命周期的管理，實現(xiàn)了用戶賬號信息的創(chuàng)建、變更、 注銷整個周期過程的控制。利用身份同步，可以實現(xiàn)連接系統(tǒng)的數(shù)據信息的自動同步，確 保數(shù)據信息的安全、性能和容錯。根據應用系統(tǒng)的情況，指定權威數(shù)據源，通過身份同步 機制，形成了全網范圍內最完整、準確的中央身份庫。 1.2.21.2.2目錄服務與數(shù)據庫系統(tǒng)的差異目錄服務與數(shù)據庫系統(tǒng)的差異 就像 sybase、oracle、informix 或 microsoft 的數(shù)據庫管理系統(tǒng)（dbms）是用于處理 查詢和更新關系型數(shù)據庫那樣，目錄服務也是用來處理查詢和更新目錄樹的。換句話來說 目錄也是一種類型的數(shù)據庫，但是不是關系型數(shù)據庫。下面從幾個不同的方面來比較目錄 服務與數(shù)據庫的差異性。 （1）協(xié)議的標準性）協(xié)議的標準性 目錄服務所基于的 ldap 協(xié)議是跨平臺的和標準的協(xié)議，因此應用程序就不用為目錄 服務放在什么樣的服務器上操心了。實際上，目錄服務得到了業(yè)界的廣泛認可，因為它是 internet 的標準。產商都很愿意在產品中加入對 ldap 的支持，因為他們根本不用考慮另一 端（客戶端或服務端）是怎么樣的。目錄服務可以是任何一個開發(fā)源代碼或商用的目錄服 務，可以用同樣的協(xié)議、客戶端連接軟件包或查詢命令與目錄服務進行交互。 與目錄服務不同的是，如果軟件產商想在軟件產品中集成對 dbms 的支持，那么通常 都要對每一個數(shù)據庫服務器單獨定制。 不像很多商用的關系型數(shù)據庫，你不必為目錄服務的每一個客戶端連接或許可協(xié)議付 費。 （2）分布性）分布性 目錄服務可以用“推“或“拉“的方法復制部分或全部數(shù)據，例如：可以把數(shù)據“推“到遠程 的辦公室，以增加數(shù)據的安全性。復制技術是內置在目錄服務中的而且很容易配置。如果 要在 dbms 中使用相同的復制功能，數(shù)據庫產商就會要你支付額外的費用，而且也很難管 理。 （3）高讀寫比）高讀寫比 第 3 頁 共 33 頁 大多數(shù)的目錄服務都為讀密集型的操作進行專門的優(yōu)化。因此，當從目錄服務中讀取 數(shù)據的時候會比從專門為 oltp 優(yōu)化的關系型數(shù)據庫中讀取數(shù)據快一個數(shù)量級。也是因為 專門為讀的性能進行優(yōu)化，大多數(shù)的目錄服務并不適合存儲需要經常改變的數(shù)據。 （4）層次化的數(shù)據）層次化的數(shù)據 目錄以樹狀的層次結構來存儲數(shù)據。如果對自頂向下的 dns 樹或 unix 文件的目錄樹 比較熟悉，也就很容易掌握目錄樹這個概念了。就像 dns 的主機名那樣，目錄記錄的標 識名（distinguished name，簡稱 dn）是用來讀取單個記錄，以及回溯到樹的頂部。 （5）靜態(tài)數(shù)據）靜態(tài)數(shù)據 目錄中所存放的數(shù)據為半規(guī)則數(shù)據，即元數(shù)據，允許有不規(guī)則的層次化的數(shù)據存在。 而數(shù)據庫中存放的數(shù)據為規(guī)則數(shù)據，即交易數(shù)據。 （6）固定的可擴展的）固定的可擴展的 schema 在目錄中，不僅通過 schema 定義目錄中所存儲的信息對象的類型，而且通過 schema 定義信息對象之間的關系，從而形成目錄的完整的結構定義。換句話說，目錄中一個對象 的結構是從它的上級中繼承下來的。 不像數(shù)據庫，一旦表結構定義后想要對其中的 schema 進行擴展是件很麻煩得事情， 而且數(shù)據庫中的 schema 擴展只能針對表來進行。然而在目錄服務中，可以很容易的根據 需要對單獨的對象的屬性進行擴展。 （7）安全和訪問控制）安全和訪問控制 目錄服務根據需要提供復雜的不同層次的訪問控制或 acl（訪問控制列表）來控制對 數(shù)據讀和寫的權限。例如，設備管理員可以有權改變員工的工作地點和辦公室號碼，但是 不允許改變記錄中其它的域。acl 可以根據誰訪問數(shù)據、訪問什么數(shù)據、數(shù)據存在什么地 方以及其它對數(shù)據進行訪問控制。因為這些都是由目錄服務器完成的，所以不用擔心在客 戶端的應用程序上是否要進行安全檢查。 1.2.31.2.3應用歷史及現(xiàn)狀應用歷史及現(xiàn)狀 隨著信息化產業(yè)的發(fā)展和實際應用的需求，一個名為 x.500 的目錄訪問協(xié)議誕生了， 該協(xié)議由 iso 組織(international standards organization)定義，它提供了一種方法，開發(fā)一個 組織中的成員電子目錄，使得世界各地具有因特網訪問權限的任何人都可以訪問作為全球 目錄一部分的該目錄。但不幸的是，x.500 協(xié)議相當復雜，這使得要遵循它來開發(fā)服務程 序和客戶端具有了很大的難度。 隨后，為了彌補 x.500 協(xié)議的不足，美國密歇根州立大學開發(fā)了一個名為 ldap(lightweight directory access protocol，輕量級目錄訪問協(xié)議)的協(xié)議，它基于 x.500 標準，但去除了其中一些難以實現(xiàn)且實用意義不大的部分。ldap 協(xié)議的最新版本 為 v3，如今，ldap 協(xié)議已經成為目錄訪問的標準，其核心規(guī)范在 rfc 中都有定義。 目錄服務與身份管理應用在國外的應用已有近 20 年的歷史，其中有很多著名的產品， 第 4 頁 共 33 頁 包括：netscape directory service(后被 redhat 收購，現(xiàn)名為 redhat directory service)、 sunone(sun java system directory server)、novell edirectory if i pursue you i will not catch you, and if i catch you-through your own slowness and clumsiness-i will not kill you, and if i kill you i will not eat you.“ nicholas had begun to back away, and at the last; words, realizing that they were a signal, he turned and began to run, splashing through the shallow water. ignacio ran after him, much helped by his longer legs, his hair flying behind his dark young face, his square teeth-each white as a bone and as big as nicholass thumbnail-showing like spectators who lined the railings of his lips. “dont run, nicholas,“ dr. island said with the voice of a wave. “it only makes him angry that you run.“ nicholas did not answer, but cut to his left, up the beach and among the trunks of the palms, sprinting all the way because he had no way of knowing ignacio was not right behind him, about to grab him by the neck. when he stopped it was in the thick jungle, among the boles of the hardwoods, where he leaned,.; out of breath, the thumping of his own heart the only . sound in an atmosphere silent and unwaked as earths long, prehuman day. for a time he listened for any sound ignacio might make searching for him; there was none. he drew a deep breath then and said, “well, thats over,“ expecting dr. island to answer from somewhere; there was only the green hush. the light was still bright and strong and nearly, shadowless, but some interior sense told him the day, was nearly over, and he noticed that such faint shades as he could see stretched long, horizontal distortions of their objects. he felt no hunger, but he had fasted be- fore and knew on which side of hunger he stood; he was not as strong as he had been only a day past, and by this time next day he would probably be unable to outrun ignacio. he should, he now realized, have eaten the monkey he had killed; but his stomach revolted at the thought of the raw flesh, and he did not know how he might build a fire, although ignacio seemed to have done so the night before. raw fish, even if he were able to catch a fish, would be as bad, or worse, than raw monkey; he remembered his effort to open a coconut-he had failed, but it was surely not impossible. his mind was hazy as to what a coconut might contain, but there had to be an edible core, because they were eaten in books. he decided to make a wide sweep through the jungle that would bring him back to the beach well away from ignacio; he had several times seen coconuts lying in the sand under the trees. he moved quietly, still a little afraid, trying to think of ways to open the coconut when he found it. he imagined himself standing before a large and raggedly faceted stone, holding the coconut in both hands. he raised it and smashed it down, but when it struck it was no longer a coconut but mayas head; he heard her nose cartilage break with a distinct, rubbery snap. her eyes, as blue as the sky above madhya pradesh, the sparkling blue sky of the egg, looked up at him, but he could no longer look into them, they retreated from his own, and it came to him quite suddenly that lucifer, in falling, must have fallen up, into the fires and the coldness of space, never again to see the warm blues and browns and greens of earth: 1 was watching satan fall as lightning from heaven. he had heard that on tape somewhere, but he could not remember where. he had read that on earth lightning did not come down from the clouds, but leaped up from the planetary surface toward them, never to return. “nicholas.“ he listened, but did not hear his name again. faintly water was babbling; had dr. island used that sound to speak to him? he walked toward it and found a little rill that threaded a way among the trees, and followed it. in a hundred steps it grew broader, slowed, and ended in a long blind pool under a dome of leaves. . diane was sitting on moss on the side opposite him; she looked up as she saw him, and smiled. “hello,“ he said. “hello, nicholas. i thought i heard you. i wasnt mistaken after all, was i?“ “i didnt think i said anything.“ he tested the dark water with his foot and found that it was very cold. 第 33 頁 共 33 頁 “you gave a little gasp, i fancy. i heard it, and i said to myself, thats nicholas, and i called you. then i thought i might be wrong, or that it might be ignacio.“ “ignacio was chasing me. maybe he still is, but h think hes probably given up by now.“ the girl nodded, looking into the dark waters of they pool, but did not seem to have heard him. he began to work his way around to her, climbing across the snakelike roots of the crowding trees. “why does ignacio want to kill me, diane?“ “sometimes he wants to kill me, too,“ the girl said. “but why?“ “i think hes a bit frightened of us. have you ever talked to him, nicholas?“ “today i did a little. he told me a story about a pet fish he used to have.“ “ignacio grew up all alone; did he tell you that? on= earth. on a plantation in brazil, way up the amazon -dr. island told me.“ “i thought it was crowded on earth.“ “the cities are crowded, and the countryside closes to the cities. but there are places where its emptie than it used to be. where ignacio was, there would have been red indian hunters two or three hundred years ago; when he was there, there wasnt anyone, just the machines. now he doesnt want to be looked at, doesnt want anyone around him.“ nicholas said slowly, “dr. island said lots of people wouldnt be sick if only there werent other people around all the time. remember that?“ a “only there. are other people around all the time; thats how the world is.“ “not in brazil, maybe,“ nicholas said. he was trying to remember something about brazil, but the only thing he could think of was a parrot singing in a straw hat from the comview cartoons; and then a turtle and a hedgehog that turned into armadillos for the love of god, montressor. he said, “why didnt he stay there?“ “did i tell you about the bird, nicholas?“ she had been not listening again. “what bird?“ “i have a bird. inside.“ she patted the flat stomach below her small breasts, and for a moment, nicholas thought she had really found food. “she sits in here. she has tangled a nest in my entrails, where she sits and tears at my breath with her beak. i look healthy to you, dont i? but inside im hollow and rotten and turning brown, dirt and old feathers, oozing away. her beak will break through soon.“ “okay.“ nicholas turned to go. “ive been drinking water here, trying to drown her. i think ive swallowed so much i couldnt stand up now if i tried, but she isnt even wet, and do you know something, nicholas? ive found out im not really me, im her.“ turning back nicholas asked, “when was the last time you had anything to eat?“ “i dont know. two, three days ago. ignacio gave me something.“ “im going to try to open a coconut. if i can ill bring you back some.“ when he reached the beach, nicholas turned and walked slowly back in the direction of the dead fire, this time along the rim of dampened sand between the sea and the palms. he was thinking about machines. there were hundreds of thousands, perhaps millions, of machines out beyond the belt, but few or none of the sophisticated servant robots of earth-those were luxuries. would ignacio, in brazil (whatever that was like), have had such luxuries? nicholas thought not; those robots were almost like people, and living with them would be like living with people. nicholas wished that he could speak brazilian. there had been the therapy robots at st. johns; nicholas had not liked them, and he did not think ignacio would have liked them either. if he had liked his therapy robot he probably would not have 第 34 頁 共 33 頁 had to be sent here. he thought of the chipped and rusted old machine that had cleaned the corridors-maya had called it corradora, but no one else ever called it any- f thing but hey! it could not (or at least did not) speak, 1 and nicholas doubted that it had emotions, except possibly a sort of love of cleanness that did not extend to its own person. “you will understand,“ someone was saying inside his head, “that motives of all sorts can be divided into two sorts.“ a doctor? a therapy robot? it did not matter. “extrinsic and intrinsic. an extrinsic motive has always some further end in view, and that end we call an intrinsic motive. thus when we have reduced motivation to intrinsic motivation we have reduced it to its simplest parts. take that machine over there.“ what machine? “freud would have said that it was fixated at the latter anal stage, perhaps due to the care its builders exercised in seeing that the dirt it collects is not released again. because of its fixation it is, as you see, obsessed with cleanliness and order; compulsive sweeping and scrubbing palliate its anxieties. it is a strength of freuds theory, and not a weakness, that it serves to explain many of the activities of machines as well as the acts of persons.“ hello there, corradora. and hello, ignacio. my head, moving from side to side, must remind you of a radar scanner. my steps are measured, slow, and precise. 1 emit a scarcely audible humming as 1 walk, and my eyes are fixed, as 1 swing my head, not on you, ignacio, but on the waves at the edge of sight, where they curve up into the sky. 1 stop ten meters short of you, and 1 stand. you go 1 follow, ten meters behind. what do 1 want? nothing. yes, 1 will pick up the sticks, and 1 will follow-five meters behind. “break them, and put them on the fire. not all of them, just a few.“ yes. “ignacio keeps the fire here burning all the time. sometimes he takes the coals of fire from it to start others, but here, under the big palm log, he has a fire always. the rain does not strike it here. always the fire. do you know how he made it the first time? reply to him!“ “ “ no. “no, patrdo!“ “ no, patrao.“ “ignacio stole it from the gods, from poseidon. now poseidon is dead, lying at the bottom of the water. which is the top. would you like to see him?“ “if you wish it, patrdo.“ “it will soon be dark, and that is the time to fish; do you have a spear?“ “no, patrdo.“ “then ignacio will get you one.“ ignacio took a handful of the sticks and thrust the ends into the fire, blowing on them. after a moment nicholas leaned over and blew, too, until all the sticks were blazing. 第 35 頁 共 33 頁 “now we must find you some bamboo, and there is some back here. follow me.“ the light, still nearly shadowless, was dimming now, so that it seemed to nicholas that they walked on insubstantial soil, though he could feel it beneath his feet. ignacio stalked ahead, holding up the burning sticks until the fire seemed about to die, then pointing the ends down, allowing it to lick upward toward his hand and come to life again. there was a gentle wind blowing out toward the sea, carrying away the sound of the surf and bringing a damp coolness; and when they had been walking for several minutes, nicholas heard in it a faint, dry, almost rhythmic rattle. ignacio looked back at him and said, “the music. the big stems talking; hear it?“ they found a cane a little thinner than nicholass wrist and piled the burning sticks around its base, then added more. when it fell, ignacio burned through the upper end, too, making a pole about as long as nicholas was tall, and with the edge of a seashell scraped the larger end to a point. “now you are a fisherman,“ he said. nicholas said, “yes, pardo,“ still careful not to meet his eyes. “you are h