Schema: eduPerson views
Michael R Gettes, Duke University
EuroCAMP, November 2005
Whence we came
• Phoenix, Arizona Airport, February 2000
• Hazelton/Gettes set ground rules for development of the eduPerson objectclass with an eye towards DoDHE, "Shibboleth to be" and other inter-institutional applications.
• Low-hanging fruit and controlled vocabularies.
• Learn why schools will want more instead of flexibility
• A better definition than the "standard OCs" (like CN)
• Assist local directory implementations -- not be the answer!
• DomainComponent naming (eduPerson, dukeEduPerson)
• First version July 2000: 0.6 (or something like that)
• eduPerson 1.0 released Jan. 2001
Where are we now?
• Schema (LDAP) for US Higher Education
• Low-hanging fruit, interoperable data
• Easy stuff that we can all agree is true
• eduPerson + LDAP-Recipe go together
• Auxiliary OC extending person, organizationalPerson, inetOrgPerson
• localEduPerson: local attributes are a local problem (clear enough?)
• eduOrg (and other edu* schemas being developed)
• usPerson / govPerson? (work just beginning)
• http://middleware.internet2.edu
Where are we going?
• Use the past as a predictor of the future
• Not much change in perspective; the current view is serving well
• We are considering some new attributes
• We are NOT expanding our vocabularies as much as we thought
• Continuing struggle: local vs. non-local
• Has been difficult getting international involvement; this has been improving over the last 18 months
• UML for general schema; LDAP is one expression
eduPerson 200312
• eduPerson attributes: OrgDN, OrgUnitDN, NickName, PrincipalName*, PrimaryAffiliation*, Affiliation*, Entitlement*, ScopedAffiliation*
• eduPerson{Primary}Affiliation values: faculty, student, staff, alumni, employee, member, affiliate
• Considering: parent, prospect
eduPersonPrincipalName
• What is a Principal? (think security)
• This is NOT a Kerberos principal, and it is not a mail address
• Examples: gettes@duke.edu, pbh@mit.edu
• An inter-institutional identifier
• SINGLE-VALUE definition
• Used by Shibboleth -- this was the intent from the beginning
• But used in ACLs by other tools as well
eduPersonScopedAffiliation
• Driven by Shibboleth needs
• Syntax like eduPersonPrincipalName: student@brown.edu, alumni@duke.edu, subscriber@nytimes.com (!?!)
• Raises problems about who is authorized to assert what
• An "inter-realm metadirectory function"
• A field full of ratholes and land mines...
eduPersonEntitlement
• Original problem: how to change schema without changing schema. Needed by GRIDs.
• Values are URIs (URL or URN)
• urn:mace: accepted by IETF and registered with IANA
• Gives us a way to make values unique in the entitlement namespace without an elaborate registry mechanism
• Examples: urn:mace:wisc.edu:bucky-bundle, urn:mace:oclc:org:autho:NNNN, urn:mace:duke.edu:library:oclc:contract-NNN
• Namespace registry by MACE
eduPersonTargetedID
• Not likely to be found in directories
• Form: id (no context, a problem??)
• Persistent, non-reassigned, privacy preserving. At some definition of persistent.
• Further discussion in the Shibboleth and federation talks at EuroCAMP.
eduOrg 200210
• Higher Ed organization object class
• Basic organizational info attributes from X.520: telecomm, postal, locale
• eduOrgHomePageURI
• eduOrgIdentityAuthNPolicyURI
• eduOrgLegalName
• eduOrgSuperiorURI
• eduOrgWhitePagesURI
LDAP Analyzer (part of NMI)
• Todd Piket, Michigan Tech
• Web-based tool to empirically analyze a directory
• eduPerson compliance
• Indexing and naming
• LDAP-Recipe guidance (good practice)
• H.350 compliance
• eduOrg compliance
• http://middleware.internet2.edu/dir/
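The checks the eduPerson slides spell out (eduPersonPrincipalName is single-valued and scoped, the affiliation vocabulary is closed, a scoped affiliation may only be asserted for a scope the directory owns, entitlement values are URIs) are exactly what an analyzer like the one above would run over a directory. The following Python is an added example in that spirit; it is not the LDAP Analyzer, not Internet2 code, and the two LDIF entries, the rule set and the `asserting_scopes` parameter are constructed assumptions drawn from the slide text.

```python
"""Minimal eduPerson compliance checker over LDIF text (added example, not Internet2 code)."""
import re
from typing import Dict, List, Set

# Controlled vocabulary for eduPerson{Primary}Affiliation as listed on the slides.
AFFILIATIONS = {"faculty", "student", "staff", "alumni", "employee", "member", "affiliate"}

# Scoped syntax shared by eduPersonPrincipalName and eduPersonScopedAffiliation:
# local part, "@", DNS-style scope. Deliberately not an e-mail address check.
SCOPED_RE = re.compile(r"^([^@\s]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")

# eduPersonEntitlement values are URIs (URN or URL): a scheme, a colon, no whitespace.
URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:\S+$")


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry (RFC 2849 subset: 'attr: value', folded lines, comments).
    Base64 ('::') and URL ('<') values are out of scope for this example."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # folded continuation of the previous line
            logical[-1] += raw[1:]
        elif raw and not raw.startswith("#"):    # skip blanks and comments
            logical.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in logical:
        name, _, value = line.partition(":")    # split on the FIRST colon only; URNs keep theirs
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def check_eduperson(entry: Dict[str, List[str]], asserting_scopes: Set[str]) -> List[str]:
    """Return the list of rule violations; asserting_scopes (assumed parameter) is the set of
    DNS scopes this directory is authorized to assert, e.g. {"duke.edu"}."""
    problems: List[str] = []
    scopes = {s.lower() for s in asserting_scopes}

    if "eduperson" not in {v.lower() for v in entry.get("objectclass", [])}:
        problems.append("objectClass eduPerson is missing")

    eppn = entry.get("edupersonprincipalname", [])
    if len(eppn) > 1:
        problems.append("eduPersonPrincipalName is SINGLE-VALUE; %d values found" % len(eppn))
    for value in eppn:
        m = SCOPED_RE.match(value)
        if not m:
            problems.append(f"eduPersonPrincipalName {value!r} is not of the form user@scope")
        elif m.group(2).lower() not in scopes:
            problems.append(f"eduPersonPrincipalName {value!r} uses a scope this directory does not own")

    primary = entry.get("edupersonprimaryaffiliation", [])
    if len(primary) > 1:
        problems.append("eduPersonPrimaryAffiliation is single-valued; %d values found" % len(primary))
    for attr in ("edupersonprimaryaffiliation", "edupersonaffiliation"):
        for value in entry.get(attr, []):
            if value.lower() not in AFFILIATIONS:
                problems.append(f"{attr} value {value!r} is outside the controlled vocabulary")

    for value in entry.get("edupersonscopedaffiliation", []):
        m = SCOPED_RE.match(value)
        if not m:
            problems.append(f"eduPersonScopedAffiliation {value!r} is not of the form affiliation@scope")
            continue
        affiliation, scope = m.groups()
        if affiliation.lower() not in AFFILIATIONS:
            problems.append(f"eduPersonScopedAffiliation {value!r}: affiliation outside the vocabulary")
        if scope.lower() not in scopes:   # the "who is authorized to assert what" problem
            problems.append(f"eduPersonScopedAffiliation {value!r}: not authorized to assert scope {scope!r}")

    for value in entry.get("edupersonentitlement", []):
        if not URI_RE.match(value):
            problems.append(f"eduPersonEntitlement {value!r} is not a URI")
    return problems


# Constructed sample entries (not real directory data); values mirror the slides.
GOOD_LDIF = """\
dn: uid=gettes,ou=People,dc=duke,dc=edu
objectClass: inetOrgPerson
objectClass: eduPerson
uid: gettes
cn: Michael R Gettes
eduPersonPrincipalName: gettes@duke.edu
eduPersonPrimaryAffiliation: staff
eduPersonAffiliation: staff
eduPersonAffiliation: member
eduPersonScopedAffiliation: staff@duke.edu
eduPersonEntitlement: urn:mace:duke.edu:library:oclc:contract-NNN
"""

BAD_LDIF = """\
# Constructed entry that breaks several of the rules on the slides
dn: uid=badentry,ou=People,dc=duke,dc=edu
objectClass: inetOrgPerson
uid: badentry
eduPersonPrincipalName: badentry@duke.edu
eduPersonPrincipalName: badentry@mail.duke.edu
eduPersonAffiliation: subscriber
eduPersonScopedAffiliation: subscriber@nytimes.com
eduPersonEntitlement: library-contract
"""

if __name__ == "__main__":
    for label, ldif in (("good", GOOD_LDIF), ("bad", BAD_LDIF)):
        for problem in check_eduperson(parse_ldif_entry(ldif), {"duke.edu"}) or ["compliant"]:
            print(f"{label}: {problem}")
```

The second entry reproduces the slide's subscriber@nytimes.com case: it fails twice, once because "subscriber" is outside the vocabulary and once because a duke.edu directory is not the party authorized to assert anything about nytimes.com.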
Other related work
• eduCourse (200506)
• eduCourse Data Model (200505)
• Globally unique identifiers for course offerings (200505)
• LDAP representations of eduCourse attributes and an auxiliary object class (200505)
• H.350: effort associated with the Internet2 Vid-Mid working group. VidMid + MACE-Dir co-developed.
• Pushed through ITU by Tyler Johnson, UNC
LDIF Management
• See http://www.educause.edu/eduperson
• LDIF used to describe schema and also manage schema. Provides history and technical details in one place.
• File