Topics in Directories: Metadirectories
Practices in Higher Education
Brendan Bellina, University of Notre Dame
I2 Base CAMP June 2002, Boulder, CO
I2 Base CAMP - June 25, 2002 Middleware: Directories 2
Presentation Overview - Visual
Introduction, Body, Summation, Questions
Presentation Outline
Metadirectory Definition & Role
Metadirectory Processes
• The “Join”
• “Intelligence” & The Registry
• Consumer Provisioning
Questions
What is meant by “Metadirectory”?
A technology or class of functionality required to build an enterprise directory infrastructure.
Any directory capable of consolidating information found in both standards-based and proprietary directories, and then exposing it through standard interfaces… A system capable of heterogeneous, multi-master, attribute-level replication.
- “Enterprise Directory Infrastructure: Meta-directory Concepts and Functions”, Jamie Lewis, The Burton Group, July, 1998
Role of the Metadirectory
Provides the infrastructure capable of maintaining consistency and data integrity between the chosen enterprise directory and the other local and system- or application-specific directories that will always be present in the organization.
- “Enterprise Directory Infrastructure: Meta-directory Concepts and Functions”, Jamie Lewis, The Burton Group, July, 1998
Role of the Metadirectory
The glue that binds directories together
The directory umbrella which covers all directories
The duct tape of your directory infrastructure
Metadirectory Processes - Overview
The “Join”
- Using identity matching to produce a registry of constituents with links (aliases or alternate keys) back to source systems.
“Intelligence”
- Managing how data is inserted, modified, and deleted from the registry based upon the business rules of the institution.
Consumer Provisioning
- Notifying/populating the directory consumers appropriately.
Metadirectory Processes – The “Join”
The process by which disparate identifiers for multiple source systems are extracted and examined, producing a single master record of identifiers for each individual entity which can be used as a link back to the source system records.
Directory Sources – You want sources? We got sources!
Faculty
Students
Donors
Alumni
Email accounts
Windows 2000
Windows NT
etc/passwd
Novell
etc/aliases
Oracle
Trustees
Vendors
Athletic Fans
Portal users
Applicants
Staff
Affiliates
Retirees
And more!!!
Source Issues
- Quantity of diverse sources
- Platform differences
- Differences in quality of data entered
- People with multiple simultaneous roles
- Data ownership issues – politics
- Varying availability of data sources
- Sometimes too much data – 34 address types?!?
Identity Matching
Haven’t I seen you somewhere before?
Students who are also part-time staff
Staff or faculty who take classes
People who arrive, and leave, and return, and…
Identity Matching
Generally forced to use infrequently changing attributes to attempt to determine when two records describe the same person:
- U.S. Social Security Number or other government assigned unique single lifetime pseudo-meaningless short easy-to-memorize alpha-numeric identifier
- Formal name (at birth or initial contact)
- Date of birth
- Gender (at birth or initial contact)
- Permanent home address
… Quality of the data really matters!
Building the Registry - Choice of ETL Tools
Choose an ETL (extract-transform-load) tool:
- Perl scripts – most common approach at this time, fairly easy to write, can be difficult to maintain
- Metamerge – free license for higher ed, many connectors, scripting capability
- Java applications
- Other
Building the Registry - Choice of Storage
Choose a storage platform:
- Relational database - recommended
- LDAP Directory – not recommended due to limitations in data typing, lack of standard referential integrity controls.
- Indexed files
- Other
Building the Registry - Choice of Model
Choose a model: “fat” or “thin”
“thin”: registry will contain only the information required to provide linkages back to systems of record. Requires systems of record to be both highly available and readily accessible.
“fat”: registry will contain and serve, in addition to linkage information, information about an entry to consuming applications, reducing the dependency on the systems of record. Fat registries are more common than thin registries.
Metadirectory Processes – “Intelligence”
“Intelligence”
The application of an institution’s business rules and policies within the metadirectory. This involves the creation of a unique identifier (guid), rules regarding the creation and removal of registry entries and the population of attributes, and providing for operational reporting and auditing requirements.
Unique Identifiers
“There can be only one!!!”
One entry per person, that is.
Establish a globally unique identifier (guid) for each person in the registry.
- Unchanging and persistent
- Non-recyclable
- Unique
- Meaningless
- Hidden
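A minimal sketch of the join, identity matching and guid assignment described in the preceding slides, added here as an example and not taken from the presentation. The matching rule (SSN plus date of birth links automatically, any weaker agreement goes to a review queue), the field names and the sample records are assumptions constructed for illustration.

```python
import uuid

# Constructed sample records from three source systems (all values are made up).
SAMPLE = [
    {"source": "student", "key": "S1001", "ssn": "000-00-0001",
     "name": "Doe, Jane", "dob": "1980-02-14"},
    {"source": "hr", "key": "E77", "ssn": "000000001",
     "name": "Jane Doe", "dob": "1980-02-14"},
    {"source": "alumni", "key": "A5", "ssn": "",
     "name": "Jane Doe", "dob": "1980-02-14"},
    {"source": "hr", "key": "E78", "ssn": "000-00-0002",
     "name": "John Roe", "dob": "1975-07-01"},
]

def normalise(rec):
    """Reduce the matching attributes to a comparable form."""
    ssn = "".join(ch for ch in rec.get("ssn", "") if ch.isdigit())
    # Sort name tokens so "Doe, Jane" and "Jane Doe" compare equal.
    name = " ".join(sorted(rec.get("name", "").lower().replace(",", " ").split()))
    return ssn, name, rec.get("dob", "").strip()

def join(records):
    """Return (registry, review): one entry per person, plus held records."""
    registry, review = [], []
    for rec in records:
        ssn, name, dob = normalise(rec)
        link = (rec["source"], rec["key"])      # alternate key back to the source
        strong = [e for e in registry
                  if ssn and e["ssn"] == ssn and e["dob"] == dob]
        weak = [e for e in registry
                if (ssn and e["ssn"] == ssn)
                or (e["name"] == name and e["dob"] == dob)]
        if len(strong) == 1:
            strong[0]["links"].add(link)        # same person: add the link only
        elif weak:
            # Partial agreement: hold for a human rather than merge or duplicate.
            review.append((link, [e["guid"] for e in weak]))
        else:
            # New person: the guid is random, so it carries no meaning.
            registry.append({"guid": uuid.uuid4().hex, "ssn": ssn, "name": name,
                             "dob": dob, "links": {link}})
    return registry, review

if __name__ == "__main__":
    registry, review = join(SAMPLE)
    for entry in registry:
        print(entry["guid"], sorted(entry["links"]))
    print("held for review:", review)
```

The alumni record is held instead of merged because, under the rule assumed here, a name and birth date alone are not treated as proof that two records describe the same person.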
Addressing Institutional Policies
- Reformatting data to meet standards (telephone)
- Breaking up data into discrete parts (addresses, names)
- Consolidating/summarizing data (statuses)
- Population of default attributes
- Population of groups
- Default authorizations
- Resolving partial or missing data from sources
Operational Design Requirements
- Data flow requirements – batch or real-time?
- Recovery planning – thresholds, roll-back, grace periods, logging
- Problem resolution tools for the helpdesk and administrators
- Audit reporting
Metadirectory Processes – Consumer Provisioning
Consumers are the applications which make use of information presented in the enterprise directory infrastructure. The metadirectory provisioning process ensures that data is made available to the consumer interfaces. Often modern consumers can interface via the LDAP protocol, but often multiple LDAP directories are required to meet consumer needs.
Multiple Consumers
Application-specific or “embedded” directories will be needed for several reasons:
- Performance needs, particularly for updates
- Application-specific data
- Special access
- Security requirements
- Because vendors seem to want it that way
Integrating Multiple Directories
Methods:
- LDIF
- Metamerge
- Log processing
Probably unavoidable
Resource Provisioning
Automated handling of the tasks associated with the establishment, modification, and deletion of resources and entitlements provided to people as they join or leave an organization or undergo changes in affiliation or status.
Wouldn’t it be nice!
Resource Provisioning
What to do?
- Identify existing automated processes
- Identify existing manual processes
- Directory-enable processes where possible
How to do it?
- Perl
- Metamerge
Why Are There More Questions Than Answers?
- Confusion over terminology, created in part by metadirectory vendors
- Merging of directory and metadirectory vendors (where have all the vendors gone?)
- Tools and standards are still maturing
- Getting early success is fairly easy; going beyond white pages can prove difficult. For institutions that are riddled with exceptions, centralized authorization and provisioning can be very complex
- Enterprise work can be an uphill battle in the educational environment – CIO can help
Links
Internet 2 - MACE-Dir Metadirectories page
<http://middleware.internet2.edu/dir/metadirectories/>
RPR 1.0 Metadirectories Practices document
<http://middleware.internet2.edu/dir/metadirectories/rpr-nmi-edit-mace_dir-metadirectories_practices-1.0.html>