
Directory Workshop Parallel Sessions

Rob Banz, Univ. of Maryland, Baltimore County

Tom Barton, University of Memphis

Keith Hazelton, University of Wisconsin, Madison

Richard Jones, University of Colorado, Boulder

02 February 2002

Overview

Interactive tour of directory design & implementation issues:

  • Data flow from source systems through enterprise directory to applications
  • Infrastructure services provided to applications & service platforms
  • Directory enabled applications
  • Groups
  • Metadirectories & affiliated directories

I2 CAMP

Generic Institutional Middleware Architecture

Diagram components (arrows not recoverable from the transcript): Core Business Systems, Async sources, Object registry, Business logic, Metadirectory, Enterprise directory, authN service, attribute & group service, Applications & service platforms.

Source(s) of Identity

What is the system of record for identity data? (trick question)

  • A. Several. Some of HRS, SIS, Academic Personnel, Med School, Law School, Telecommunications Management System, Alumni System, Library, … are sources, and others must be reconciled.
  • B. All core business systems obtain identity data from the object registry.

Answer B may prove to be fundamental to having substantial online services & programs…

Managed Objects
  • Objects that describe:
    • People
    • Groups
    • Aliases, Roles, Affiliations
    • Network devices
  • Security policies
  • Network services
  • Org structure
  • Application specific objects

The object classes and source data to populate them are determined by the applications to be directory enabled, with institutional policy folded in.

Continuous deployment cycle

Cycle stages (diagram): Object definitions, Data sources, Business logic, Application requirements, Metadirectory processes, Staging of new objects in directory.

Authentication Service Models
  • Several authentication services may need to be provided “on the front end”: RADIUS, LDAP, Kerberos, WebISO, basic auth, …
  • Best practice to work towards is to base them all on a strong system such as Kerberos or PKI, implementing backend callouts from other authN services where possible.
  • (and of course ensure basic auth is only done over encrypted channels in the meanwhile!)

Attribute & group services facilitate…
  • Customization – application UI tailored to user’s affiliation with the organization.
  • Personalization – application UI tailored to user’s preferences.
  • General authorization (but especially affiliation based authZ).
  • Group messaging.
  • Naming services (for Unix at least).

Application Examples 1
  • White & blue pages: find contact info for persons and departments
  • SMTP routing
  • Mailbox access & personalization
  • Group messaging
  • Calendar authN, customization (calendar roles), personalization.

Application Examples 2
  • Web basic authN, authZ: “require user”, “require group”, and “require filter”.
  • Course management system: authN, customization, personalization.
  • Portal: ditto
  • Generic application server (e.g., EJB, J2EE): ditto + authZ.
  • Specialized application server (e.g., Brio, Cognos, RightNow, ARS, …): authN, authZ.

Application Examples 3
  • Account self-maintenance (password, PIN, email, personal URL, pager, …)
  • E-provisioning – automated account management. Basic life cycle for accounts and access privileges.
  • Unix naming services

Application examples 4
  • NAS authN, authZ, customization.
  • Proxy access
  • Network auto-registration
  • Computer lab (& desktop) authN, authZ, customization, personalization.
  • Integration of LAN specific directory…

Active Directory
  • As application specific directory (for LAN management), needs accounts to be synchronized from institutional directory service. A metadirectory problem?
  • Want groups too (for LAN management)??
  • AD as enterprise directory?

Types of groups: how sourced
  • Institutional
    • Automated
    • Manual
    • Delegated
  • Personal
  • Joinable

Types of groups: content
  • Enterprise (e.g. all faculty, staff & students; all non-exempt employees)
  • Departmental (e.g. History Dept staff; all dept heads and above in College of Education)
  • Academic (e.g. students in PHYS101 section 001 Spring 2002; all seniors in MIS)
  • Application specific (e.g. persons permitted to run special Brio queries; answerers for questions about the Law program)
  • Activity specific (e.g. Chess Club; Helpdesk Team)

Types of groups: representations
  • Static: uniqueMember=<DN>
  • Dynamic

(&(acadcourse=PHYS101001)(|(state=active)(state=grace)))

  • Forward reference

isMemberOf: <group_A_handle>

isMemberOf: <group_B_handle>

  • Spatial: children of

ou=EE,ou=CollegeOfEngineering,ou=Org,…

Groups: techniques & issues
  • Naming & location
  • Group math
  • Referential integrity
  • Privacy
  • Aging
  • Delegated management
  • Forward referencing

Groups: choosing a representation
  • how the group information is to be maintained
  • how it is to be most commonly accessed (e.g., is X a member of, list all members,…)
  • interactions between the type of representation, the nature of the group (such as size and privacy requirements), and capabilities of the particular directory service agent (DSA) being used.
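The four representations from the “Types of groups: representations” slide, evaluated against a constructed sample directory for the two access patterns this slide names (“is X a member of”, “list all members”); this is an added example, not material from the workshop. The DNs, entries, the group handle cn=phys101-001 and all function names are assumptions, and the filter parser covers only the RFC 4515 subset that the slide's own filter uses.

```python
# Added example, not from the slides: the four group representations, each answering
# "is X a member?" and "list all members". Entries, DNs and the group handle are
# constructed; the filter parser covers an RFC 4515 subset (&, |, attr=value, attr=*).
BASE = "dc=example,dc=edu"
PEOPLE, EE = "ou=People," + BASE, "ou=EE,ou=CollegeOfEngineering,ou=Org," + BASE
PHYS = "cn=phys101-001,ou=Groups," + BASE            # forward-reference group handle
PHYS_FILTER = "(&(acadcourse=PHYS101001)(|(state=active)(state=grace)))"  # from the slide
DIRECTORY = {  # DN -> multi-valued attributes (constructed sample data)
    f"uid=alice,{PEOPLE}": {"acadcourse": ["PHYS101001"], "state": ["active"], "isMemberOf": [PHYS]},
    f"uid=bob,{PEOPLE}": {"acadcourse": ["PHYS101001"], "state": ["grace"]},
    f"uid=carol,{PEOPLE}": {"acadcourse": ["PHYS101001"], "state": ["expired"], "isMemberOf": [PHYS]},
    f"uid=dave,{EE}": {"state": ["active"]},
    f"cn=helpdesk,ou=Groups,{BASE}": {"uniqueMember": [f"uid=alice,{PEOPLE}", f"uid=dave,{EE}"]},
}

def parse_filter(s):
    """Parse (&...), (|...), (attr=value) and (attr=*) into nested tuples."""
    def parse(i):
        if s[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        if s[i + 1] in "&|":
            op, kids, i = s[i + 1], [], i + 2
            while s[i] == "(":
                kid, i = parse(i)
                kids.append(kid)
            return (op, kids), i + 1               # s[i] is the closing ')'
        j = s.index(")", i)
        attr, _, value = s[i + 1:j].partition("=")
        return ("=", attr, value), j + 1
    return parse(0)[0]

def matches(entry, node):
    """Evaluate a parsed filter against one entry (values compared case-insensitively)."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(entry, k) for k in node[1])
    values = [v.lower() for v in entry.get(node[1], [])]
    return bool(values) if node[2] == "*" else node[2].lower() in values

def static_group(group_dn):      # read one group entry; membership test is a lookup
    return set(DIRECTORY[group_dn].get("uniqueMember", []))
def dynamic_group(filter_str):   # listing is a search; membership test needs only X's entry
    node = parse_filter(filter_str)
    return {dn for dn, e in DIRECTORY.items() if matches(e, node)}
def forward_ref_group(handle):   # membership test reads X; listing searches on isMemberOf
    return {dn for dn, e in DIRECTORY.items() if handle in e.get("isMemberOf", [])}
def spatial_group(container_dn): # members are the entries below the container (subtree search)
    return {dn for dn in DIRECTORY if dn.lower().endswith("," + container_dn.lower())}
def stale_forward_refs(handle, filter_str):  # entries claiming membership the filter no longer grants
    return forward_ref_group(handle) - dynamic_group(filter_str)
```

The last function illustrates the referential-integrity and aging issues from the “techniques & issues” slide: carol still carries isMemberOf for the course group although her state no longer satisfies the dynamic filter.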

Metadirectories: why?
  • Replication solves some problems but not all
  • You will need directories with
    • special ACLs
    • special objects or attributes
    • handling multicampus issues
    • etc
  • You WILL end up running multiple (different) directories. How? ...

Metadirectory: what it is & isn’t
  • An overworked term
    • Not just a meta-database (not necessarily a directory!)
  • Data transformation among data sources and directories including identity management, organizational policy, and e-provisioning.

Metadirectory tools
  • MetaMerge: a metatool (free for higher-ed use) for solving metadirectory problems.
  • Examples:
    • Move data from a person registry to the enterprise directory
    • Transform data from enterprise directory to special application directory
    • DoDHE

Affiliated directories
  • Trying to characterize the problem is itself a problem! Examples:
    • currency of information in a personal address book
    • Maintaining integrity of PI contact information at granting agencies
  • Verification/currency of data outside of the bounds of a unified enterprise directory.
  • The things that flow out to target repositories are data + metadata bundles
