
University of Maryland LDAP Directory

University of Maryland LDAP Directory. David Henry Office of Information Technology University of Maryland College Park david_henry@umail.umd.edu. University of Maryland Stats. Land Grant University 13 Colleges, 1 Campus ~35,000 Undergrad ~15,000 Grad ~8,500 Faculty ~5,200 Staff.





Presentation Transcript


  1. University of Maryland LDAP Directory
     David Henry
     Office of Information Technology
     University of Maryland College Park
     david_henry@umail.umd.edu
     David Henry, CSG - May, 2000

  2. University of Maryland Stats
     • Land Grant University
     • 13 Colleges, 1 Campus
     • ~35,000 Undergrad
     • ~15,000 Grad
     • ~8,500 Faculty
     • ~5,200 Staff

  3. U of MD History
     • 1988 – Rollout of email system with integrated directory for faculty and staff (aka umail)
       • Faculty/Staff only
       • Finger, whois servers
       • Email forwarding service
     • 1993 – CSO name server
       • Faculty/staff only
       • Used by Web directory page
     • 1997 – installed Esys/Simeon X.500/LDAP server (based on ISODE/Quipu)
       • Decommissioned in Feb 2000
     • 1999 – installed IBM Secureway LDAP directory
       • Faculty/Staff + Students + Affiliates
       • ~60,000 DNs

  4. How we got where we are
     • Extemporize…
     • Reorg
     • LDAP committee
     • Data feeds
     • Savings argument

  5. The DN
     • DN
       • Employeenumber=<uid>,dc=people,dc=umd.edu
       • Sample <uid>: 103660231
     • Qualities of uid
       • NOT SSN
       • Can be public
       • Never will change
       • Contains a check digit
       • Everyone gets one (even unadmitted student applicants)

  6. Some of our local attributes
     • Major, department, etc.
     • umID (aka SSN, not public)
     • umIDhash
       • sha1 hash of umID
       • Read/search for authenticated access
     • Set of Booleans
       • umFaculty, umStaff, umEmployee, umStudent, umAffiliate, umAlumni, umBuckleyflag
     • Also umPINhash and UMParentPINhash
       • sha1 hash of student and parent PINs
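Slides 5 and 6 describe the entry DN and the umIDhash attribute (SHA-1 of the SSN-valued umID, searchable by authenticated clients). The Python below is an added illustration, not code from the talk or from UMD: it builds the DN and the umIDhash search filter as described and, as a caveat, adds a keyed HMAC variant, because a nine-digit input space makes an unsalted SHA-1 cheap to enumerate for anyone holding search access. The digit-only normalization, the key handling and the keyed variant are assumptions of this example.

```python
import hashlib
import hmac
import re
from typing import Optional

# Base of the people subtree, as given on slide 5 of the talk.
PEOPLE_BASE = "dc=people,dc=umd.edu"


def person_dn(uid: str) -> str:
    """Entry DN in the form the slide gives: Employeenumber=<uid>,dc=people,dc=umd.edu."""
    if not uid.isdigit():
        raise ValueError("uid must be the numeric university id")
    return f"Employeenumber={uid},{PEOPLE_BASE}"


def normalize_um_id(um_id: str) -> str:
    """Keep digits only (assumption) so '123-45-6789' and '123456789' hash identically."""
    digits = re.sub(r"\D", "", um_id)
    if len(digits) != 9:
        raise ValueError("umID is expected to be nine digits")
    return digits


def um_id_hash(um_id: str) -> str:
    """umIDhash as slide 6 defines it: plain, unsalted SHA-1 of the umID, hex-encoded."""
    return hashlib.sha1(normalize_um_id(um_id).encode("ascii")).hexdigest()


def keyed_um_id_hash(um_id: str, key: bytes) -> str:
    """Keyed variant (HMAC-SHA1), an assumption not in the talk: without the key a
    directory reader cannot recover umIDs by hashing all 10^9 candidates."""
    return hmac.new(key, normalize_um_id(um_id).encode("ascii"), hashlib.sha1).hexdigest()


def lookup_filter(um_id: str, key: Optional[bytes] = None) -> str:
    """Search filter an authenticated client would use to find the entry for a umID.
    The digest is hex, so no RFC 4515 filter escaping is needed."""
    digest = keyed_um_id_hash(um_id, key) if key is not None else um_id_hash(um_id)
    return f"(umIDhash={digest})"


if __name__ == "__main__":
    # Constructed sample values; the uid is the one shown on slide 5.
    print(person_dn("103660231"))
    print(lookup_filter("123-45-6789"))
    print(lookup_filter("123-45-6789", key=b"example-secret-key"))
```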

  7. IBM Secureway LDAP Issues
     • ACL Support
       • Object Level Only
       • Each attribute within an object is assigned to an access level (normal, sensitive, critical)
       • We want to fully populate all attributes and control access by ACL
       • IBM says ACL support is fixed in next release (GA July)
         • Attribute level ACL support consistent with proposed standard
         • LDIF syntax for ACL NOT consistent with proposed standard

  8. IBM Secureway LDAP Issues
     • Bulkload – disaster recovery
       • 60,000 entries takes ~24 hours to load
       • ACL processing (23.75 hours)
       • IBM is looking at problem – no solution
     • Kerberos Support
       • K5 authentication supported in the next release
       • No support for K4… maybe through Transarc
     • Next release GA July 2000
       • We received early release yesterday

  9. Anticipated Uses of Directory
     • Authentication/authorization for modem pool, central mail drop, student records, etc.
     • Lost card digit
     • Place holder for students who are “admitted, letter sent”
     • Dynamic email lists (major, course, student status)
     • Door swipe access
     • Library patron authorization
     • Userid reserve list
     • Tie in to NDS? W2K?

  10. Current Uses of Directory
     • Email forwarding service @umd.edu
     • Email client searches
     • Web directory searches
     • Authentication services for web pages
     • Corporatetime

  11. Corporatetime vs. LDAP
     • CT only supports Netscape DS and Control Data Systems Global DS
     • Schema/ACL syntax fixes for IBM LDAP
     • ACL Issues – separate server for CT until attribute level ACL support
     • No support for multivalue attributes
     • It is not possible to create CT user w/o being in LDAP
     • Meeting related data is stored on CT server not in LDAP server

  12. Corporatetime vs. LDAP
     • Defined ctCalUser, ctCalAdmin, ctCalResource object classes
     • Attributes specific to CT stored in CT specific part of the tree
       • cn=ctserv,dc=ct
     • Example attributes
       • ctCalAccess, ctCalFlags, ctCalHost

  13. Some Policy Issues
     • Student information is accessible only after authenticated to LDAP
     • Who gets to be added?
       • Students, Faculty, Staff, Affiliates
       • Admitted students, letter sent
         • Removed after they decline
       • Affiliates
         • Volunteers, collaborating faculty, business partners
       • Alumni? (not so far at UMD)
     • Who gets the rights to add affiliates?
       • Currently, one year duration.

  14. That’s it!
     David Henry
     Office of Information Technology
     University of Maryland College Park
     David_henry@umail.umd.edu
