目錄服務(wù)和身份管理系統(tǒng)在電力企業(yè)中的設(shè)計(jì)與應(yīng)用畢業(yè)設(shè)計(jì)論文.doc

畢畢 業(yè)業(yè) 設(shè)設(shè) 計(jì)計(jì)( 論論 文文) 目錄服務(wù)和身份管理系統(tǒng)在電力企業(yè)中的設(shè)計(jì)與應(yīng)用目錄服務(wù)和身份管理系統(tǒng)在電力企業(yè)中的設(shè)計(jì)與應(yīng)用 論論文作者姓名：文作者姓名： 申申請(qǐng)請(qǐng)學(xué)位學(xué)位專業(yè)專業(yè)： ： 申申請(qǐng)請(qǐng)學(xué)位學(xué)位類別類別： ： 指指導(dǎo)導(dǎo)教教師師姓姓名名（ （職職稱稱） ）： ： 論論文提交日期：文提交日期： 目錄服務(wù)和身份管理系統(tǒng)在電力企業(yè)中的設(shè)計(jì)與應(yīng)用目錄服務(wù)和身份管理系統(tǒng)在電力企業(yè)中的設(shè)計(jì)與應(yīng)用 摘摘 要要 21 世紀(jì)初，人類社會(huì)繼工業(yè)文明之后進(jìn)入新經(jīng)濟(jì)時(shí)代。在這個(gè)時(shí)代里，如何降低用戶 管理及其對(duì)應(yīng)用系統(tǒng)訪問(wèn)的復(fù)雜性和成本，防止擅自使用企業(yè)信息，如何提高靈動(dòng)性，以 便系統(tǒng)能響應(yīng)不斷變化的業(yè)務(wù)需求已經(jīng)成為限制企業(yè)發(fā)展的重要因素。 國(guó)家電網(wǎng)公司在十一五期間啟動(dòng)了“sg186”工程。本文以此工程為背景，通過(guò)對(duì)現(xiàn)有 電力企業(yè)內(nèi)系統(tǒng)的調(diào)查，提出一套以身份目錄、企業(yè)資源目錄和認(rèn)證目錄為核心的目錄服 務(wù)來(lái)集中統(tǒng)一的存儲(chǔ)、管理和展現(xiàn)用戶身份信息。并在此基礎(chǔ)上使用身份管理產(chǎn)品對(duì)現(xiàn)有 和即將投入運(yùn)營(yíng)的系統(tǒng)進(jìn)行整合，以此實(shí)現(xiàn)整個(gè)電力企業(yè)系統(tǒng)中高效且無(wú)需手工維護(hù)的用 戶生命周期管理。同時(shí)為了保證系統(tǒng)穩(wěn)定高效的運(yùn)行，在本文中還對(duì)影響整個(gè)系統(tǒng)效率的 關(guān)鍵要點(diǎn)進(jìn)行了性能測(cè)試和分析并獲得預(yù)期結(jié)果。 關(guān)鍵詞：關(guān)鍵詞：目錄服務(wù)；身份管理；用戶生命周期 the design and application of directory services and identification management system in electric power enterprise abstract at the beginning of the 21st century, human society entered a new economic era following the industrial civilization. nowadays, there are several problems we have to face, for instance, the way to reduce the cost and complexity of user management and the access to application system; the method to protect the information of the company; how to improve the flexibility of the system in order to respond the business requirements. the “sg186“ project that state grid corp. started in the 11th five-year plan period is the background of this thesis. with the research of the system in electric power enterprise, a set of identity directory, enterprise resource directory and authentication directory has been proposed which provides a core directory services. and then it is used to store, manage and display user identity information. base on that, in order to achieve efficient and automatic lifecycle management of the electric power enterprise system, the existing and upcoming operational systems with identity management products has been commix. meanwhile, in order to ensure that the system is stable and efficient, the key features which affect the efficiency of the system were tested and analyzed and the expected results were obtained in this thesis. key words：directory service; identity management; user lifecycle 目目 錄錄 論文總頁(yè)數(shù)：33 頁(yè) 1引言1 1.1設(shè)計(jì)的目的和意義 1 1.2技術(shù)背景 1 1.2.1技術(shù)簡(jiǎn)介1 1.2.2目錄服務(wù)與數(shù)據(jù)庫(kù)系統(tǒng)的差異2 1.2.3應(yīng)用歷史及現(xiàn)狀3 1.3項(xiàng)目背景 4 1.4設(shè)計(jì)方法 5 1.5全文結(jié)構(gòu) 5 1.6術(shù)語(yǔ)定義 5 2總體框架設(shè)計(jì).6 2.1目錄服務(wù) 6 2.1.1目錄服務(wù)組成6 2.1.2總部目錄6 2.1.3網(wǎng)省公司目錄7 2.2身份管理 7 2.2.1身份信息的集中管理7 2.2.2身份同步8 3邏輯設(shè)計(jì)8 3.1目錄服務(wù) 8 3.1.1邏輯架構(gòu)8 3.1.2目錄樹結(jié)構(gòu)設(shè)計(jì)9 3.1.3目錄 schema 設(shè)計(jì)11 3.1.4目錄命名編碼設(shè)計(jì)13 3.1.5目錄同步設(shè)計(jì)14 3.2身份管理 16 3.2.1邏輯架構(gòu)16 3.2.2身份生命周期管理16 3.2.3身份同步19 4物理設(shè)計(jì)21 4.1物理架構(gòu) 21 4.2高可用性設(shè)計(jì) 22 4.2.1目錄服務(wù)22 4.2.2身份管理22 4.3系統(tǒng)監(jiān)控設(shè)計(jì) 23 4.3.1目錄服務(wù)24 4.3.2身份管理24 4.4備份和恢復(fù)設(shè)計(jì) 23 4.4.1目錄服務(wù)24 4.4.2身份管理24 4.5安全性設(shè)計(jì) 24 4.5.1目錄服務(wù)25 4.5.2身份管理25 4.6目錄的分級(jí)授權(quán) 25 4.6.1目錄的分級(jí)授權(quán)機(jī)制26 4.6.2目錄的授權(quán)要素26 4.6.3目錄的授權(quán)方式26 4.7操作系統(tǒng)調(diào)優(yōu) 27 4.7.1關(guān)閉后臺(tái)進(jìn)程27 4.7.2關(guān)閉 gui.27 4.7.3處理器子系統(tǒng)調(diào)優(yōu)27 4.7.4內(nèi)存子系統(tǒng)調(diào)優(yōu)27 4.7.5文件系統(tǒng)調(diào)優(yōu)28 4.7.6網(wǎng)絡(luò)子系統(tǒng)調(diào)優(yōu)28 5性能測(cè)試28 5.1目錄系統(tǒng)測(cè)試 28 5.1.1數(shù)據(jù)初始化28 5.1.2查詢效率28 5.1.3負(fù)載均衡28 5.2身份管理系統(tǒng)測(cè)試 29 5.2.1用戶身份同步29 5.2.2高可用性29 結(jié) 論29 參考文獻(xiàn)29 致 謝31 聲 明32 第 1 頁(yè) 共 33 頁(yè) 1 1引言引言 1.11.1設(shè)計(jì)的目的和意義設(shè)計(jì)的目的和意義 我們知道每一個(gè)公司都需要保護(hù)其 it 基礎(chǔ)設(shè)施，從而防止信息失竊，遵守法規(guī)并確保 客戶、合作伙伴和員工信息的秘密。這就需要以經(jīng)濟(jì)的方法確保和保護(hù)公司資產(chǎn)的安全， 同時(shí)還不能錯(cuò)失新的業(yè)務(wù)機(jī)會(huì)或降低工作效率。但事實(shí)并不總?cè)缛艘?，讓我們考慮以下幾 種情況。 情景一：在當(dāng)今的大多數(shù)企業(yè)中，每個(gè)公司幾乎都在眾多的 it 系統(tǒng)中擁有多個(gè)身份信 息存儲(chǔ)庫(kù)，例如：人力資源系統(tǒng)、電子郵件系統(tǒng)和財(cái)務(wù)系統(tǒng)。如果需要更改系統(tǒng)中某個(gè)人 員相關(guān)的信息，it 工作人員只能以人工的方式更新每個(gè)系統(tǒng)中的信息，這是一項(xiàng)既昂貴又 耗時(shí)的工作，而且還容易出現(xiàn)錯(cuò)誤，使系統(tǒng)容易遭受攻擊。例如：當(dāng)一個(gè)員工到企業(yè)報(bào)道 之后，卻因?yàn)樾枰止じ聭?yīng)用系統(tǒng)賬號(hào)的原因而遲遲不能獲得與其工作相關(guān)的應(yīng)用系統(tǒng) 賬號(hào)，導(dǎo)致該員工無(wú)法進(jìn)行正常的工作，這將會(huì)大大降低員工工作的積極性，同時(shí)對(duì)于企 業(yè)來(lái)說(shuō)這也是一種資源的浪費(fèi)。因此，需要一種集中化的方式來(lái)管理用戶和訪問(wèn)，以確保 安全和實(shí)時(shí)性。 情景二：據(jù)美國(guó)聯(lián)邦密情局和計(jì)算機(jī)應(yīng)急相應(yīng)組（cert）的聯(lián)合報(bào)告顯示，在所有 針對(duì)公司網(wǎng)絡(luò)的非法訪問(wèn)中，有一半以上都是帶有不滿情緒的離職員工所為。為用戶配置 資源訪問(wèn)權(quán)限這一過(guò)程非常乏味且耗時(shí)，對(duì)于大多數(shù)公司而言，該人工流程會(huì)顯著降低工 作效率。此外，當(dāng)員工離職后，取消他們的訪問(wèn)權(quán)限的手工流程成為最大的安全隱患。因 此，需要一種流程化的自動(dòng)賬號(hào)配置，在企業(yè)中強(qiáng)制實(shí)施一致的安全策略。 情景三：如果一個(gè)企業(yè)中，員工必須記住大量的密碼才能訪問(wèn)日常應(yīng)用程序和服務(wù)， 這種情況可能會(huì)危及數(shù)據(jù)安全并降低工作效率。同樣，如果依靠 it 部門人工重置每個(gè)忘記 的密碼，一個(gè)公司將無(wú)法高效運(yùn)作。因此，需要讓員工負(fù)責(zé)管理自身的密碼并通過(guò)單點(diǎn)登 陸取代多個(gè)密碼的使用。 針對(duì)以上情況，我們需要一套完整而合理的方案來(lái)解決企業(yè)信息化發(fā)展中所遇到的問(wèn) 題，而目錄服務(wù)和身份管理系統(tǒng)正是為了解決這些問(wèn)題而誕生的。通過(guò)對(duì)目錄服務(wù)和身份 管理系統(tǒng)的應(yīng)用設(shè)計(jì)，我們將會(huì)得到一套完整的解決方案以降低企業(yè)中管理用戶及其對(duì)系 統(tǒng)訪問(wèn)的復(fù)雜性和成本、防止擅自使用企業(yè)信息和使系統(tǒng)適應(yīng)不斷變化的業(yè)務(wù)需求。 1.21.2技術(shù)背景技術(shù)背景 1.2.11.2.1技術(shù)簡(jiǎn)介技術(shù)簡(jiǎn)介 目錄服務(wù)是統(tǒng)一身份管理系統(tǒng)所依賴的主要支撐技術(shù)，提供跨平臺(tái)身份信息存儲(chǔ)管理 和認(rèn)證支持功能。具體的說(shuō)，目錄服務(wù)是指以一定的格式記錄了大量企業(yè)資源信息，并將 各種資源信息集中管理起來(lái)，以對(duì)象的方式予以記錄，明確設(shè)定每個(gè)對(duì)象的“身份”和“位置” 。在某種程度上講它就是符合國(guó)際標(biāo)準(zhǔn)協(xié)議的一種基于對(duì)象的數(shù)據(jù)庫(kù)，支持的對(duì)象種類較 第 2 頁(yè) 共 33 頁(yè) 多，在各種平臺(tái)都能夠比較好的結(jié)合，在大量數(shù)據(jù)情況下，讀取信息的速度快。對(duì)象在目 錄的倒置樹型數(shù)據(jù)結(jié)構(gòu)中分層存儲(chǔ)，便于建立一個(gè)與企業(yè)組織結(jié)構(gòu)一致的結(jié)構(gòu)和層次。目 錄服務(wù)提供認(rèn)證和授權(quán)機(jī)制，管理員只需設(shè)定管理策略和規(guī)則，使得特定用戶只能訪問(wèn)特 定的或者授權(quán)的應(yīng)用系統(tǒng)。從功能上來(lái)說(shuō)，目錄服務(wù)通過(guò)復(fù)制技術(shù)，保持?jǐn)?shù)據(jù)信息的一致 性。 身份管理利用集中式數(shù)據(jù)儲(chǔ)存在應(yīng)用程序、數(shù)據(jù)庫(kù)和目錄之間同步、轉(zhuǎn)換和分發(fā)信息。 當(dāng)一個(gè)系統(tǒng)中的數(shù)據(jù)發(fā)生更改時(shí)，同步機(jī)制引擎將會(huì)根據(jù)定義的業(yè)務(wù)規(guī)則檢測(cè)這些更改， 并將這些更改同步到其它已連接系統(tǒng)中，達(dá)到數(shù)據(jù)共享的目的。身份管理內(nèi)容主要有用戶 身份的生命周期的管理和實(shí)現(xiàn)跨地區(qū)的信息同步和用戶認(rèn)證，定制不同安全級(jí)別的訪問(wèn)控 制和數(shù)據(jù)加密等。通過(guò)對(duì)用戶身份的生命周期的管理，實(shí)現(xiàn)了用戶賬號(hào)信息的創(chuàng)建、變更、 注銷整個(gè)周期過(guò)程的控制。利用身份同步，可以實(shí)現(xiàn)連接系統(tǒng)的數(shù)據(jù)信息的自動(dòng)同步，確 保數(shù)據(jù)信息的安全、性能和容錯(cuò)。根據(jù)應(yīng)用系統(tǒng)的情況，指定權(quán)威數(shù)據(jù)源，通過(guò)身份同步 機(jī)制，形成了全網(wǎng)范圍內(nèi)最完整、準(zhǔn)確的中央身份庫(kù)。 1.2.21.2.2目錄服務(wù)與數(shù)據(jù)庫(kù)系統(tǒng)的差異目錄服務(wù)與數(shù)據(jù)庫(kù)系統(tǒng)的差異 就像 sybase、oracle、informix 或 microsoft 的數(shù)據(jù)庫(kù)管理系統(tǒng)（dbms）是用于處理 查詢和更新關(guān)系型數(shù)據(jù)庫(kù)那樣，目錄服務(wù)也是用來(lái)處理查詢和更新目錄樹的。換句話來(lái)說(shuō) 目錄也是一種類型的數(shù)據(jù)庫(kù)，但是不是關(guān)系型數(shù)據(jù)庫(kù)。下面從幾個(gè)不同的方面來(lái)比較目錄 服務(wù)與數(shù)據(jù)庫(kù)的差異性。 （1）協(xié)議的標(biāo)準(zhǔn)性）協(xié)議的標(biāo)準(zhǔn)性 目錄服務(wù)所基于的 ldap 協(xié)議是跨平臺(tái)的和標(biāo)準(zhǔn)的協(xié)議，因此應(yīng)用程序就不用為目錄 服務(wù)放在什么樣的服務(wù)器上操心了。實(shí)際上，目錄服務(wù)得到了業(yè)界的廣泛認(rèn)可，因?yàn)樗?internet 的標(biāo)準(zhǔn)。產(chǎn)商都很愿意在產(chǎn)品中加入對(duì) ldap 的支持，因?yàn)樗麄兏静挥每紤]另一 端（客戶端或服務(wù)端）是怎么樣的。目錄服務(wù)可以是任何一個(gè)開發(fā)源代碼或商用的目錄服 務(wù)，可以用同樣的協(xié)議、客戶端連接軟件包或查詢命令與目錄服務(wù)進(jìn)行交互。 與目錄服務(wù)不同的是，如果軟件產(chǎn)商想在軟件產(chǎn)品中集成對(duì) dbms 的支持，那么通常 都要對(duì)每一個(gè)數(shù)據(jù)庫(kù)服務(wù)器單獨(dú)定制。 不像很多商用的關(guān)系型數(shù)據(jù)庫(kù)，你不必為目錄服務(wù)的每一個(gè)客戶端連接或許可協(xié)議付 費(fèi)。 （2）分布性）分布性 目錄服務(wù)可以用“推“或“拉“的方法復(fù)制部分或全部數(shù)據(jù)，例如：可以把數(shù)據(jù)“推“到遠(yuǎn)程 的辦公室，以增加數(shù)據(jù)的安全性。復(fù)制技術(shù)是內(nèi)置在目錄服務(wù)中的而且很容易配置。如果 要在 dbms 中使用相同的復(fù)制功能，數(shù)據(jù)庫(kù)產(chǎn)商就會(huì)要你支付額外的費(fèi)用，而且也很難管 理。 （3）高讀寫比）高讀寫比 第 3 頁(yè) 共 33 頁(yè) 大多數(shù)的目錄服務(wù)都為讀密集型的操作進(jìn)行專門的優(yōu)化。因此，當(dāng)從目錄服務(wù)中讀取 數(shù)據(jù)的時(shí)候會(huì)比從專門為 oltp 優(yōu)化的關(guān)系型數(shù)據(jù)庫(kù)中讀取數(shù)據(jù)快一個(gè)數(shù)量級(jí)。也是因?yàn)?專門為讀的性能進(jìn)行優(yōu)化，大多數(shù)的目錄服務(wù)并不適合存儲(chǔ)需要經(jīng)常改變的數(shù)據(jù)。 （4）層次化的數(shù)據(jù)）層次化的數(shù)據(jù) 目錄以樹狀的層次結(jié)構(gòu)來(lái)存儲(chǔ)數(shù)據(jù)。如果對(duì)自頂向下的 dns 樹或 unix 文件的目錄樹 比較熟悉，也就很容易掌握目錄樹這個(gè)概念了。就像 dns 的主機(jī)名那樣，目錄記錄的標(biāo) 識(shí)名（distinguished name，簡(jiǎn)稱 dn）是用來(lái)讀取單個(gè)記錄，以及回溯到樹的頂部。 （5）靜態(tài)數(shù)據(jù)）靜態(tài)數(shù)據(jù) 目錄中所存放的數(shù)據(jù)為半規(guī)則數(shù)據(jù)，即元數(shù)據(jù)，允許有不規(guī)則的層次化的數(shù)據(jù)存在。 而數(shù)據(jù)庫(kù)中存放的數(shù)據(jù)為規(guī)則數(shù)據(jù)，即交易數(shù)據(jù)。 （6）固定的可擴(kuò)展的）固定的可擴(kuò)展的 schema 在目錄中，不僅通過(guò) schema 定義目錄中所存儲(chǔ)的信息對(duì)象的類型，而且通過(guò) schema 定義信息對(duì)象之間的關(guān)系，從而形成目錄的完整的結(jié)構(gòu)定義。換句話說(shuō)，目錄中一個(gè)對(duì)象 的結(jié)構(gòu)是從它的上級(jí)中繼承下來(lái)的。 不像數(shù)據(jù)庫(kù)，一旦表結(jié)構(gòu)定義后想要對(duì)其中的 schema 進(jìn)行擴(kuò)展是件很麻煩得事情， 而且數(shù)據(jù)庫(kù)中的 schema 擴(kuò)展只能針對(duì)表來(lái)進(jìn)行。然而在目錄服務(wù)中，可以很容易的根據(jù) 需要對(duì)單獨(dú)的對(duì)象的屬性進(jìn)行擴(kuò)展。 （7）安全和訪問(wèn)控制）安全和訪問(wèn)控制 目錄服務(wù)根據(jù)需要提供復(fù)雜的不同層次的訪問(wèn)控制或 acl（訪問(wèn)控制列表）來(lái)控制對(duì) 數(shù)據(jù)讀和寫的權(quán)限。例如，設(shè)備管理員可以有權(quán)改變員工的工作地點(diǎn)和辦公室號(hào)碼，但是 不允許改變記錄中其它的域。acl 可以根據(jù)誰(shuí)訪問(wèn)數(shù)據(jù)、訪問(wèn)什么數(shù)據(jù)、數(shù)據(jù)存在什么地 方以及其它對(duì)數(shù)據(jù)進(jìn)行訪問(wèn)控制。因?yàn)檫@些都是由目錄服務(wù)器完成的，所以不用擔(dān)心在客 戶端的應(yīng)用程序上是否要進(jìn)行安全檢查。 1.2.31.2.3應(yīng)用歷史及現(xiàn)狀應(yīng)用歷史及現(xiàn)狀 隨著信息化產(chǎn)業(yè)的發(fā)展和實(shí)際應(yīng)用的需求，一個(gè)名為 x.500 的目錄訪問(wèn)協(xié)議誕生了， 該協(xié)議由 iso 組織(international standards organization)定義，它提供了一種方法，開發(fā)一個(gè) 組織中的成員電子目錄，使得世界各地具有因特網(wǎng)訪問(wèn)權(quán)限的任何人都可以訪問(wèn)作為全球 目錄一部分的該目錄。但不幸的是，x.500 協(xié)議相當(dāng)復(fù)雜，這使得要遵循它來(lái)開發(fā)服務(wù)程 序和客戶端具有了很大的難度。 隨后，為了彌補(bǔ) x.500 協(xié)議的不足，美國(guó)密歇根州立大學(xué)開發(fā)了一個(gè)名為 ldap(lightweight directory access protocol，輕量級(jí)目錄訪問(wèn)協(xié)議)的協(xié)議，它基于 x.500 標(biāo)準(zhǔn)，但去除了其中一些難以實(shí)現(xiàn)且實(shí)用意義不大的部分。ldap 協(xié)議的最新版本 為 v3，如今，ldap 協(xié)議已經(jīng)成為目錄訪問(wèn)的標(biāo)準(zhǔn)，其核心規(guī)范在 rfc 中都有定義。 目錄服務(wù)與身份管理應(yīng)用在國(guó)外的應(yīng)用已有近 20 年的歷史，其中有很多著名的產(chǎn)品， 第 4 頁(yè) 共 33 頁(yè) 包括：netscape directory service(后被 redhat 收購(gòu)，現(xiàn)名為 redhat directory service)、 sunone(sun java system directory server)、novell edirectory if i pursue you i will not catch you, and if i catch you-through your own slowness and clumsiness-i will not kill you, and if i kill you i will not eat you.“ nicholas had begun to back away, and at the last; words, realizing that they were a signal, he turned and began to run, splashing through the shallow water. ignacio ran after him, much helped by his longer legs, his hair flying behind his dark young face, his square teeth-each white as a bone and as big as nicholass thumbnail-showing like spectators who lined the railings of his lips. “dont run, nicholas,“ dr. island said with the voice of a wave. “it only makes him angry that you run.“ nicholas did not answer, but cut to his left, up the beach and among the trunks of the palms, sprinting all the way because he had no way of knowing ignacio was not right behind him, about to grab him by the neck. when he stopped it was in the thick jungle, among the boles of the hardwoods, where he leaned,.; out of breath, the thumping of his own heart the only . sound in an atmosphere silent and unwaked as earths long, prehuman day. for a time he listened for any sound ignacio might make searching for him; there was none. he drew a deep breath then and said, “well, thats over,“ expecting dr. island to answer from somewhere; there was only the green hush. the light was still bright and strong and nearly, shadowless, but some interior sense told him the day, was nearly over, and he noticed that such faint shades as he could see stretched long, horizontal distortions of their objects. he felt no hunger, but he had fasted be- fore and knew on which side of hunger he stood; he was not as strong as he had been only a day past, and by this time next day he would probably be unable to outrun ignacio. he should, he now realized, have eaten the monkey he had killed; but his stomach revolted at the thought of the raw flesh, and he did not know how he might build a fire, although ignacio seemed to have done so the night before. raw fish, even if he were able to catch a fish, would be as bad, or worse, than raw monkey; he remembered his effort to open a coconut-he had failed, but it was surely not impossible. his mind was hazy as to what a coconut might contain, but there had to be an edible core, because they were eaten in books. he decided to make a wide sweep through the jungle that would bring him back to the beach well away from ignacio; he had several times seen coconuts lying in the sand under the trees. he moved quietly, still a little afraid, trying to think of ways to open the coconut when he found it. he imagined himself standing before a large and raggedly faceted stone, holding the coconut in both hands. he raised it and smashed it down, but when it struck it was no longer a coconut but mayas head; he heard her nose cartilage break with a distinct, rubbery snap. her eyes, as blue as the sky above madhya pradesh, the sparkling blue sky of the egg, looked up at him, but he could no longer look into them, they retreated from his own, and it came to him quite suddenly that lucifer, in falling, must have fallen up, into the fires and the coldness of space, never again to see the warm blues and browns and greens of earth: 1 was watching satan fall as lightning from heaven. he had heard that on tape somewhere, but he could not remember where. he had read that on earth lightning did not come down from the clouds, but leaped up from the planetary surface toward them, never to return. “nicholas.“ he listened, but did not hear his name again. faintly water was babbling; had dr. island used that sound to speak to him? he walked toward it and found a little rill that threaded a way among the trees, and followed it. in a hundred steps it grew broader, slowed, and ended in a long blind pool under a dome of leaves. . diane was sitting on moss on the side opposite him; she looked up as she saw him, and smiled. “hello,“ he said. “hello, nicholas. i thought i heard you. i wasnt mistaken after all, was i?“ “i didnt think i said anything.“ he tested the dark water with his foot and found that it was very cold. 第 33 頁(yè) 共 33 頁(yè) “you gave a little gasp, i fancy. i heard it, and i said to myself, thats nicholas, and i called you. then i thought i might be wrong, or that it might be ignacio.“ “ignacio was chasing me. maybe he still is, but h think hes probably given up by now.“ the girl nodded, looking into the dark waters of they pool, but did not seem to have heard him. he began to work his way around to her, climbing across the snakelike roots of the crowding trees. “why does ignacio want to kill me, diane?“ “sometimes he wants to kill me, too,“ the girl said. “but why?“ “i think hes a bit frightened of us. have you ever talked to him, nicholas?“ “today i did a little. he told me a story about a pet fish he used to have.“ “ignacio grew up all alone; did he tell you that? on= earth. on a plantation in brazil, way up the amazon -dr. island told me.“ “i thought it was crowded on earth.“ “the cities are crowded, and the countryside closes to the cities. but there are places where its emptie than it used to be. where ignacio was, there would have been red indian hunters two or three hundred years ago; when he was there, there wasnt anyone, just the machines. now he doesnt want to be looked at, doesnt want anyone around him.“ nicholas said slowly, “dr. island said lots of people wouldnt be sick if only there werent other people around all the time. remember that?“ a “only there. are other people around all the time; thats how the world is.“ “not in brazil, maybe,“ nicholas said. he was trying to remember something about brazil, but the only thing he could think of was a parrot singing in a straw hat from the comview cartoons; and then a turtle and a hedgehog that turned into armadillos for the love of god, montressor. he said, “why didnt he stay there?“ “did i tell you about the bird, nicholas?“ she had been not listening again. “what bird?“ “i have a bird. inside.“ she patted the flat stomach below her small breasts, and for a moment, nicholas thought she had really found food. “she sits in here. she has tangled a nest in my entrails, where she sits and tears at my breath with her beak. i look healthy to you, dont i? but inside im hollow and rotten and turning brown, dirt and old feathers, oozing away. her beak will break through soon.“ “okay.“ nicholas turned to go. “ive been drinking water here, trying to drown her. i think ive swallowed so much i couldnt stand up now if i tried, but she isnt even wet, and do you know something, nicholas? ive found out im not really me, im her.“ turning back nicholas asked, “when was the last time you had anything to eat?“ “i dont know. two, three days ago. ignacio gave me something.“ “im going to try to open a coconut. if i can ill bring you back some.“ when he reached the beach, nicholas turned and walked slowly back in the direction of the dead fire, this time along the rim of dampened sand between the sea and the palms. he was thinking about machines. there were hundreds of thousands, perhaps millions, of machines out beyond the belt, but few or none of the sophisticated servant robots of earth-those were luxuries. would ignacio, in brazil (whatever that was like), have had such luxuries? nicholas thought not; those robots were almost like people, and living with them would be like living with people. nicholas wished that he could speak brazilian. there had been the therapy robots at st. johns; nicholas had not liked them, and he did not think ignacio would have liked them either. if he had liked his therapy robot he probably would not have 第 34 頁(yè) 共 33 頁(yè) had to be sent here. he thought of the chipped and rusted old machine that had cleaned the corridors-maya had called it corradora, but no one else ever called it any- f thing but hey! it could not (or at least did not) speak, 1 and nicholas doubted that it had emotions, except possibly a sort of love of cleanness that did not extend to its own person. “you will understand,“ someone was saying inside his head, “that motives of all sorts can be divided into two sorts.“ a doctor? a therapy robot? it did not matter. “extrinsic and intrinsic. an extrinsic motive has always some further end in view, and that end we call an intrinsic motive. thus when we have reduced motivation to intrinsic motivation we have reduced it to its simplest parts. take that machine over there.“ what machine? “freud would have said that it was fixated at the latter anal stage, perhaps due to the care its builders exercised in seeing that the dirt it collects is not released again. because of its fixation it is, as you see, obsessed with cleanliness and order; compulsive sweeping and scrubbing palliate its anxieties. it is a strength of freuds theory, and not a weakness, that it serves to explain many of the activities of machines as well as the acts of persons.“ hello there, corradora. and hello, ignacio. my head, moving from side to side, must remind you of a radar scanner. my steps are measured, slow, and precise. 1 emit a scarcely audible humming as 1 walk, and my eyes are fixed, as 1 swing my head, not on you, ignacio, but on the waves at the edge of sight, where they curve up into the sky. 1 stop ten meters short of you, and 1 stand. you go 1 follow, ten meters behind. what do 1 want? nothing. yes, 1 will pick up the sticks, and 1 will follow-five meters behind. “break them, and put them on the fire. not all of them, just a few.“ yes. “ignacio keeps the fire here burning all the time. sometimes he takes the coals of fire from it to start others, but here, under the big palm log, he has a fire always. the rain does not strike it here. always the fire. do you know how he made it the first time? reply to him!“ “ “ no. “no, patrdo!“ “ no, patrao.“ “ignacio stole it from the gods, from poseidon. now poseidon is dead, lying at the bottom of the water. which is the top. would you like to see him?“ “if you wish it, patrdo.“ “it will soon be dark, and that is the time to fish; do you have a spear?“ “no, patrdo.“ “then ignacio will get you one.“ ignacio took a handful of the sticks and thrust the ends into the fire, blowing on them. after a moment nicholas leaned over and blew, too, until all the sticks were blazing. 第 35 頁(yè) 共 33 頁(yè) “now we must find you some bamboo, and there is some back here. follow me.“ the light, still nearly shadowless, was dimming now, so that it seemed to nicholas that they walked on insubstantial soil, though he could feel it beneath his feet. ignacio stalked ahead, holding up the burning sticks until the fire seemed about to die, then pointing the ends down, allowing it to lick upward toward his hand and come to life again. there was a gentle wind blowing out toward the sea, carrying away the sound of the surf and bringing a damp coolness; and when they had been walking for several minutes, nicholas heard in it a faint, dry, almost rhythmic rattle. ignacio looked back at him and said, “the music. the big stems talking; hear it?“ they found a cane a little thinner than nicholass wrist and piled the burning sticks around its base, then added more. when it fell, ignacio burned through the upper end, too, making a pole about as long as nicholas was tall, and with the edge of a seashell scraped the larger end to a point. “now you are a fisherman,“ he said. nicholas said, “yes, pardo,“ still careful not to meet his eyes. “you are h