directory workshop parallel sessions n.
Skip this Video
Loading SlideShow in 5 Seconds..
Directory Workshop Parallel Sessions PowerPoint Presentation
Download Presentation
Directory Workshop Parallel Sessions

Loading in 2 Seconds...

play fullscreen
1 / 22

Directory Workshop Parallel Sessions - PowerPoint PPT Presentation

  • Uploaded on

Directory Workshop Parallel Sessions. Rob Banz, Univ. of Maryland, Baltimore County Tom Barton, University of Memphis Keith Hazelton, University of Wisconsin, Madison Richard Jones, University of Colorado, Boulder 02 February 2002. Overview.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

Directory Workshop Parallel Sessions

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
directory workshop parallel sessions

Directory Workshop Parallel Sessions

Rob Banz, Univ. of Maryland, Baltimore County

Tom Barton, University of Memphis

Keith Hazelton, University of Wisconsin, Madison

Richard Jones, University of Colorado, Boulder

02 February 2002


Interactive tour of directory design & implementation issues:

  • Data flow from source systems through enterprise directory to applications
  • Infrastructure services provided to applications & service platforms
  • Directory enabled applications
  • Groups
  • Metadirectories & affiliated directories


generic institutional middleware architecture
Generic Institutional Middleware Architecture

Core Business Systems

Enterprise directory

authN service


Applications & service platforms

Business logic

Business logic

Object registry

Async sources

attribute & group service


source s of identity
Source(s) of Identity

What is the system of record for identity data? (trick question)

  • Several. Some of HRS, SIS, Academic Personnel, Med School, Law School, Telecommunications Management System, Alumni System, Library, … are sources, and others must be reconciled.
  • All core business systems obtain identity data from the object registry.

Answer B may prove to be fundamental to having substantial online services & programs…


managed objects
Managed Objects
  • Objects that describe:
    • People
    • Groups
    • Aliases, Roles, Affiliations
    • Network devices
  • Security policies
  • Network services
  • Org structure
  • Application specific objects

The object classes and source data to populate them are determined by the applications to be directory enabled, with institutional policy folded in.


continuous deployment cycle
Continuous deployment cycle

Object definitions

Data sources

Business logic

Application requirements

Metadirectory processes

Staging of new objects in directory


authentication service models
Authentication Service Models
  • Several authentication services may need to be provided “on the front end”: RADIUS, LDAP, Kerberos, WebISO, basic auth,… .
  • Best practice to work towards is to base them all on a strong system such as Kerberos or PKI, implementing backend callouts from other authN services where possible.
  • (and of course ensure basic auth is only done over encrypted channels in the meanwhile!)


attribute group services facilitate
Attribute & group services facilitate…
  • Customization – application UI tailored to user’s affiliation with the organization.
  • Personalization – application UI tailored to user’s preferences.
  • General authorization (but especially affiliation based authZ).
  • Group messaging.
  • Naming services (for unix at least).


application examples 1
Application Examples 1
  • White & blue pages: find contact info for persons and departments
  • SMTP routing
  • Mailbox access & personalization
  • Group messaging
  • Calendar authN, customization (calendar roles), personalization.


application examples 2
Application Examples 2
  • Web basic authN, authZ: “require user”, “require group”, and “require filter”.
  • Course management system: authN, customization, personalization.
  • Portal: ditto
  • Generic application server (egs, EJB, J2EE): ditto + authZ.
  • Specialized application server (egs, Brio, Cognos, RightNow, ARS, …): authN, authZ.


application examples 3
Application Examples 3
  • Account self-maintenance (password, PIN, email, personal URL, pager, …)
  • E-provisioning – automated account management. Basic life cycle for accounts and access privileges.
  • Unix naming services


application examples 4
Application examples 4
  • NAS authN, authZ, customization.
  • Proxy access
  • Network auto-registration
  • Computer lab (& desktop) authN, authZ, customization, personalization.
  • Integration of LAN specific directory…


active directory
Active Directory
  • As application specific directory (for LAN management), needs accounts to be synchronized from institutional directory service. A metadirectory problem?
  • Want groups too (for LAN management)??
  • AD as enterprise directory?


types of groups how sourced
Types of groups: howsourced
  • Institutional
    • Automated
    • Manual
    • Delegated
  • Personal
  • Joinable


types of groups content
Types of groups: content
  • Enterprise (e.g. all faculty, staff & students; all non-exempt employees)
  • Departmental (e.g. History Dept staff; all dept heads and above in College of Education)
  • Academic (e.g. students in PHYS101 section 001 Spring 2002; all seniors in MIS)
  • Application specific (e.g. persons permitted to run special Brio queries; answerers for questions about the Law program)
  • Activity specific (e.g. Chess Club; Helpdesk Team)


types of groups representations
Types of groups: representations
  • Static: uniqueMember=<DN>
  • Dynamic


  • Forward reference

isMemberOf: <group_A_handle>

isMemberOf: <group_B_handle>

  • Spatial: children of



groups techniques issues
Groups: techniques & issues
  • Naming & location
  • Group math
  • Referential integrity
  • Privacy
  • Aging
  • Delegated management
  • Forward referencing


groups choosing a representation
Groups: choosing a representation
  • how the group information is to be maintained
  • how it is to be most commonly accessed (e.g., is X a member of, list all members,…)
  • interactions between the type of representation, the nature of the group (such as size and privacy requirements), and capabilities of the particular directory service agent (DSA) being used.


metadirectories why
Metadirectories: why?
  • Replication solves some problems but not all
  • You will need directories with
    • special ACLs
    • special objects or attributes
    • handling multicampus issues
    • etc
  • You WILL end up running multiple (different) directories. How? ...


metadirectory what it is isn t
Metadirectory: what it is & isn’t
  • An overworked term
    • Not just a meta-database (not necessarily a directory!)
  • Data transformation among data sources and directories including identity management, organizational policy, and e-provisioning.


metadirectory tools
Metadirectory tools
  • MetaMerge--a metatool (use free to higher ed) to solve metadirectory problems.
  • Examples:
    • Move data from a person registry to the enterprise directory
    • Transform data from enterprise directory to special application directory
    • DoDHE


affiliated directories
Affiliated directories
  • Trying to characterize the problem is itself a problem! E.g.s:
    • currency of information in a personal address book
    • Maintaining integrity of PI contact information at granting agencies
  • Verification/currency of data outside of the bounds of a unified enterprise directory.
  • The things that flow out to target repositories are data + metadata bundles