6 Nov 2003 A. Vandenberg © Teach A Man to Fish Educause 2003 Anaheim, CA 1 Enterprise Directory...

6 Nov 2003A. Vandenberg ©

Teach A Man to FishEducause 2003 Anaheim, CA

1

Enterprise DirectoryImplementation Roadmap –

Directions Provided

Art VandenbergDirector, Advanced Campus Services

Georgia State University

[email protected]

“Copyright Art Vandenberg 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate

otherwise or to republish requires written permission from the author.”

mailto:[email protected]



2

Roadmap – Introduction

http://www.nmi-edit.org/roadmap/directories.html



3

Roadmap’s Layered Detail

• Roadmap Intro & main sections (5 pp.)– Project Planning, Prep & Requirements– Architecture Design, Policy Development– Data Flow, Business Process– Implementation & Deployment

• Next level, outline of topics (24 pp.)• Detail level articles, documents, links (~340 pp.)• Dual tracks: Technical & Policy

• Technology/architecture & policy/management activity work together• GOAL: directory-enable applications• Directories reflect (variety of) institutional goals and environments




4

Roadmap – Project Planning

http://www.nmi-edit.org/roadmap/plan/plan-set.html

• Develop business case, secure support (educate, assemble drivers, business case)

• Develop project plan• Decide on implementation strategy, timing, and organizational approach• Develop communications and PR plan• Discuss with stakeholders when appropriate• Develop project specifics

• Assemble resources (funding, structure, communication plan)

• Articles, documents, templates, links – READY TO USE!

http://www.nmi-edit.org/roadmap/plan/plan-set.html



5

Roadmap – Architecture & Policy

http://www.nmi-edit.org/roadmap/design/design-set.html

• Campus identifier strategy– Guidelines, templates, examples– Do you know where your identifiers are?

• Directory Services Architecture– Models, recipe, schemas for higher education

• Education and communication• Policy and process development

http://www.nmi-edit.org/roadmap/design/design-set.html



6

Identifiers, Authentication& Directories

• Directory components (1,000 words)



7

Directories & Details!

• Best Practice Design for LDAP Directory• Schema

– Flat as possible - minimizes update overhead– UID unique across tree– Create “campus person” (CampusEduPerson)– Use dc naming: dc=yourschool, dc=edu– ... and more

• Naming– Choose distinguishedName (DN) carefully– UID rather than commonName (Jim Smit, Jim Smit?)

• You have a rich Roadmap to guide you



8

LDAP Recipe

• Recommendations to lead to common directory schema and deployments

• Started 2000, living doc, now 30 pp.

• Good source of information – USE THIS!

• Directory Information Tree (DIT)– Dc naming (leverage Domain Name System)

– Ou=people, dc=yourschool, dc=edu

– uid=avandenberg, ou=people, dc=gsu, dc=edu



9

Non-flat, non unique uid, no dc-naming

o=Georgia State University

ou=Information Systems

ou=ACS ou=UCCS

cn=Art Vann

cn=Jan Smit

cn=Sue West

cn=Mae Jones

cn=Jan Smit

Cn=Jan Smit, ou=ACS, ou=Information Systems, o=Georgia State University



10

Flat, unique uid, dc-naming

dc=edu

dc=gsu

ou=people ou=unit

uid=avann

uid=jsmit

uid=jsmit2

ou=acs

ou=uccs

uid=jsmit2, ou=people, dc=gsu, dc=edu



11

eduPerson object Class• LDIF (LDAP Data Interchange Format)...dn: cn=schemachangetype: modify...add: attributetypesattributetypes: ( 1.3.6.1.4.1.5923.1.1.1.1 NAME 'eduPersonAffiliation' DESC 'eduPerson per Internet2 and EDUCAUSE' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )...add: objectclassesobjectclasses: ( 1.3.6.1.4.1.5923.1.1.2 NAME 'eduPerson' AUXILIARY MAY ( eduPersonAffiliation $ eduPersonNickname $ eduPersonOrgDN $ eduPersonOrgUnitDN $ eduPersonPrimaryAffiliation $ eduPersonPrincipalName $ eduPersonEntitlement $ eduPersonPrimaryOrgUnitDN $ ))

Directory Architectures -cont’d



13

Working with Stakeholders

• Who are the stakeholders?– Technical, functional, management, users...

– What are key application drivers? Get that buy-in!

• Ad hoc or formal committees?

• Stewardship (preferred) vs. ownership– Data administration – how’s it done?

• Identifying policy gaps is important

• Establish same enterprise focus as for ERP systems



14

Roadmap – Data Flow &Business Process

http://www.nmi-edit.org/roadmap/data/data-set.html

• Integrated provisioning architecture:– data sources/providers

– data flow & meta-processes

– Application targets/consumer

• Chicken & egg: business flow & technical– You have to solve it together (functional & technical)

• Keeping that in mind… let’s look at overall concept






15

Directory Business Flowconsolidation, intelligence, provisioning



16

Select Meta-Directory Model

• Enterprise directory / metadirectory

• Physical or virtual “person registry”

• Data load requirements

• Provisioning model for consumer apps

• ETL (extract, transform, load) tools

• Integration/synchronization services



17

UMBC Meta-Directory

• Source systems: HR and SIS with data in Oracle RDBMS• Database triggers create change logs• Updates applied to iPlanet LDAP• Perl scripts query iPlanet change logs

– update Active Directory– Update Remedy trouble ticket

• Perl scripts = intelligence• iPlanet directory = registry



18

BC Meta-Directory

• Source is the registry (corporate DB, VSAM files)

• Single entry point/identifier create (even Peoplesoft)

• Identity reconciliation moot

• Student & HR “activate” user, marking for feed

• Fed to iPlanet, email, voicemail, Radius, etc.

• Transactions real-time or batch (ftp & update scripts)

• Initial user entry/activation/script triggers = intelligence



19

Business Process Design/Impact

• Policies & procedures of existing systems of record– Human Resources, Student, Financial, Alumni, ancilliary…

• Can you leverage an existing initiative?

• What are directory update or service targets?

• Directory use policy (users & applications)

• Is there a Data Stewardship Policy?

• Do users know how their data is used?

• New identifier issues (new identifiers, new issues both)



20

Roadmap – Enterprise Directory &Applications Implementation

http://www.nmi-edit.org/roadmap/app/app-set.html

• Requirements & Analysis complete...– Business processes, data flows complete– Meta directory architecture complete

• Design– system & network, schema (eduPerson), metadirectory flow

• Implement– LDAP server, eduPerson data load, access controls, applications

• Deploy– testing, verification, transition & release to ops






21

The Communication Plan

• Who knows what and when?

• Content and context for the plan

• Words to live by:– No surprises! Manage expectations. “Under promise, over-

deliver.”

• Phased approach with multiple communication modes

• Optimal result:– Deliver what they want, which just happens to be what you are

offering...



22

Repeat as needed…



23

Contact

Enterprise Directory Implementation Roadmaphttp://www.nmi-edit.org/roadmap/directories.html

Art [email protected]

Thank you


http://middleware.internet2.edu/




6 Nov 2003 A. Vandenberg © Teach A Man to Fish Educause 2003 Anaheim, CA 1 Enterprise Directory...

Documents

Transcript of 6 Nov 2003 A. Vandenberg © Teach A Man to Fish Educause 2003 Anaheim, CA 1 Enterprise Directory...