Transcript Presentation title on one or two lines. It is Times Roman, 33pt, white.

Middleware Early Adopters Report:
Technical Implementations
31 October 2000
Panelists
• Tom Barton, University of Memphis
• Louise Miller-Finn, Johns Hopkins University
• Jack Suess and Rob Banz,
University of Maryland, Baltimore County
• Moderator:
Ken Klingenstein, Internet2 /University of Colorado
Internet2 Fall 2000 Meeting: Early Adopters Report
2
Early Adopters Middleware Reports
Technical Implementation
The University of Memphis
Dr. Tom Barton
Initial Middleware Architecture
BuildUser
cardswipe
WebPh
SMTP
routing
HTTP
authen
Dialup
HTTP
author
2
rsh utils
Ph
DS
Address
books
qiSynch
IMAP
email
1
HRS
Ph Rebuild
& AMP
3
UMDI
NDSv5
HTTP
email
SIS
Calendar
Labs &
Desktops
UUIDs
Internet2 Fall 2000 Meeting: Early Adopters Report
4
Project Scope
• Replace or reengineer Ph applications
• Enhance existing data feeds from
administrative systems
• New metadirectory solution and registry
process
• Group messaging & group authorization
facilities
• New account maintenance facilities & practices
• Prepare for next stage: PKI and Roles
Internet2 Fall 2000 Meeting: Early Adopters Report
5
Final Middleware Architecture
Acct Maint
Web Site
Other
Actions
Labs &
Desktops
AD
HRS
DSGW
2
FRS
NDSv8
Change
Dispatcher
SIS
HTTP
authen
HTTP
author
1
Registry &
AMP
DS
Address
books
UUIDs
Misc Ph
Clients
RADIUS
Ph<->DS
Shim
Group
messaging
IMAP/HTTP
email
PAM/
NSS
SMTP
AUTH
SMTP
routing
Calendar
CMS/
Portal
Internet2 Fall 2000 Meeting: Early Adopters Report
6
LDAP SMTP Routing
• Two phases: Identification & Routing
• Routing issue: when to rewrite envelope recipient
• One solution: “LDAP routing domain” concept
Definition: all MTAs that use the same set of LDAP
searches against the same directory for the same set of
SMTP domains to make email handling decisions.
Guideline: Entries whose mailbox resides on a mailbox
host inside the LDAP email routing domain should only
have mailHost populated. Other entries should only have
mailRoutingAddress populated. With this guideline, it is
unnecessary to ever have both attributes populated.
Internet2 Fall 2000 Meeting: Early Adopters Report
7
LDAP SMTP Routing (cont’d)
Attribute
mail
mailAlternateAddress
mailHost
mailRoutingAddress
Idx
eq
eq
Description
Displayed email address.
Additional addresses by which
this entry is known. Multi-valued.
none Mailbox hostname (if within the
same LDAP routing domain).
none rfc822mailbox, provided that the
mailbox host lies outside of the
LDAP routing domain.
Internet2 Fall 2000 Meeting: Early Adopters Report
8
LDAP SMTP Routing (cont’d)
That complicated real world legacy:
• Old “Ph aliases” still had to be deliverable.
• Fallback routing methods embodied in custom
extensions to phquery
• Aliases files on mailbox hosts being retired
• “Vanity” email domain addressing
Put legacy addresses in mailAlternateAddress
Analyze mail logs proactively to catch legacies
Leave “passthru mode” enabled for a good while
Internet2 Fall 2000 Meeting: Early Adopters Report
9
Group Messaging & Authorization
Populate LDAP group objects to support authorized
access to email distribution lists & web resources.
• Top-down; majors; class; section; org related
• LDAP backed SMTP AUTH over TLS used to
identify poster’s uid. LDAP (uid=) search to find
poster’s DN, which is compared to a list of
permitted DNs for each mail group.
• Uses Netscape Messaging Server’s mailGroup
objectclass for its “allowedBroadcaster”
attribute.
Internet2 Fall 2000 Meeting: Early Adopters Report
10
Representing Organizational
Structure
Labelled organizational hierarchy tree structure from:
• FRS responsibility rollup
• FRS DBD
• Ad hoc rules to prune or identify certain nodes and
to create realistic labels (the hardest part)
Payroll data is then used to assign each employee to
one or more nodes in the tree.
FRS security file indirectly identifies dept heads at each
node.
Tree is mapped to ou=orgUM branch of DIT and orgrelated attributes of people objects.
Internet2 Fall 2000 Meeting: Early Adopters Report
11
Representing Organizational
Structure (cont’d)
ou=Anthropology, ou=College of Arts & Sciences, ou=Provost, …
umOrgDeptHead: <DN> single-valued
umOrgBudgetHead: <DN> multi-valued
umOrgMemberGroupDN: <DN of groupOfUniqueNames>
umOrgRollupMemberGroupDN: ditto
umOrgRollupDeptHeadsGroupDN: ditto
umOrgRollupBudgetHeadsGroupDN: ditto
Or labeledURI
in searchGuide?
People attributes:
ou: <list of ouRDNs>
umRollupID, umSuperiorRollupID: <FRS rollup IDs> single-valued
Internet2 Fall 2000 Meeting: Early Adopters Report
12
Representing Roles & Sets of
Correlated Information
Example: jdoe is faculty in Law & staff in Econ. Don’t want jdoe when
searching for faculty in Econ.
role: {-affiliation:faculty-dept:law, -affiliation:staff-dept:Econ}
roleDN: {DN of role1, DN of role2}
cn=role1, ou=Roles, …
roleDept: Law
roleAffiliation: Faculty
…
cn=role2, ou=umRoles, …
roleDept: Econ
roleAffiliation: Staff
Internet2 Fall 2000 Meeting: Early Adopters Report
13
Early Adopters Middleware Reports
Technical Implementation
Johns Hopkins University
Louise Miller-Finn
Johns Hopkins
Directory Data Flows
•Establish methodology for populating
the directory
•Select vendor products and tools
•Establish standards
•Staff the team
•Use iterative development cycle
Internet2 Fall 2000 Meeting: Early Adopters Report
15
Johns Hopkins Insititutions
October 2000
Stage 1
JHU
Payroll
Stage 2
Stage 3
Stage 4
Stage 5
Stage 6
Database Load
Back End
Business Rules
and Processing
Prepare and
export data for
directory
Load Enterprise
Directory
Directory Status
View
Registry
(Oracle)
Directory Files
JHU USIS
Enterprise
Directory
(iPlanet)
__________
Stage 7
Define and
implement
business rules for
the T&E
application;
ID Badging
__________
Ingenium
Database
Define the
attributes needed
for the T&E front
end;
Identify Data sources
needed for front end
authentication;
Directory
UpdateHolding
Area
Web Enabled T&E
Front End
Authentication
Provide front end
business rules
and user
requirements to
present and
capture data;
Define the
database
requirements
here and map to
the ESG Oracle
Gold Source -ESG Directory;
Directory Update
Log to Data
Sources
Stage 8
Johns Hopkins
Stage 1 – Analyze Data Sources
•Identify Data Sources
• Where do the data feeds originate; what data
fields are required;
• Provide Standard Data Collection Model
• What is the frequency of the data feed; require
fixed length fields and records;
•Define database load procedure
•Produce audit log
Internet2 Fall 2000 Meeting: Early Adopters Report
17
Johns Hopkins Insititutions
October 2000
Stage 1
Stage 2
Stage 3
Stage 4
JHU Payroll
Database
Load
Back End
Business Rules
and Processing
Prepare and
export data for
directory
Registry
(Oracle)
Directory Files
Stage 5
Stage 6
Directory Status
View
Load Enterprise
Directory
JHU USIS
Enterprise
Directory
__________
Stage 7
Define and
implement
business rules for
the T&E
application;
ID Badging
__________
Define the
attributes needed
for the T&E front
end;
Identify Data
sources needed
for front end
authentication;
Directory
UpdateHolding
Area
Web Enabled T&E
Front End
Authentication
Ingenium
Database
Provide front end
business rules
and user
requirements to
present and
capture data;
Define the
database
requirements
here and map to
the ESG Oracle
Gold Source -ESG Directory;
Directory Update
Log to Data
Sources
Stage 8
Johns Hopkins
Stage 2 – Database Requirements
•Define the input tables to represent the
clients’ data; define key fields to tie tables
together;
•Provide data model using an Entity
Relationship tool (e.g. ERWin);
•Document and store common database
procedures;
•Provide standard database templates for
reuse;
•Provide audit log
Internet2 Fall 2000 Meeting: Early Adopters Report
19
Johns Hopkins Insititutions
October 2000
Stage 1
JHU Payroll
Stage 2
Stage 3
Stage 4
Stage 5
Stage 6
Database Load
Back End
Business Rules
and Processing
Prepare and
export data for
directory
Load Enterrpise
Directory
Directory Status
View
Registry
(Oracle)
Directory Files
JHU USIS
Enterprise
Directory
(iPlanet)
__________
Stage 7
Define and
implement
business
rules
ID Badging
__________
Ingenium
Database
Define the
attributes needed
for the T&E front
end;
Identify Data
sources needed
for front end
authentication;
Directory
UpdateHolding
Area
Web Enabled T&E
Front End
Authentication
Provide front end
business rules
and user
requirements to
present and
capture data;
Define the
database
requirements
here and map to
the ESG Oracle
Gold Source -ESG Directory;
Directory Update
Log to Data
Sources
Stage 8
Johns Hopkins
Stage 3 – Back End Processing
•Develop procedures (PLSQL) to process
high level business rules;
•Implement ER diagrams that define table
fields;
•Create intermediate tables with directory
records;
•Store common procedure templates for
reuse;
•Provide audit log
Internet2 Fall 2000 Meeting: Early Adopters Report
21
Johns Hopkins Insititutions
October 2000
Stage 1
JHU Payroll
Stage 2
Stage 3
Stage 4
Stage 5
Stage 6
Database Load
Back End
Business Rules
and Processing
Prepare and
export data
for directory
Load Enterprise
Directory
Directory Status
View
Registry
(Oracle)
Directory
Files
JHU USIS
Enterprise
Directory
(iPlanet)
__________
Stage 7
Define and
implement
business rules for
the T&E
application;
ID Badging
Ingenium
Database
Define the
attributes
needed for
the front
end;
__________
Identify Data
sources needed
for front end
authentication;
Directory
UpdateHolding
Area
Web Enabled T&E
Front End
Authentication
Provide front end
business rules
and user
requirements to
present and
capture data;
Define the
database
requirements
here and map to
the ESG Oracle
Gold Source -ESG Directory;
Directory Update
Log to Data
Sources
Stage 8
Johns Hopkins
Stage 4 – Database Export
•Create export file in fixed field, fixed record
format;
•Develop status field processing using eye
catcher (e.g. ‘ADD’, ‘DELETE’, ‘UPDATE’,
‘NOCHANGE’)
•Document export procedure and standard
field values;
•Create and store common export procedure
template;
•Produce activity log
Internet2 Fall 2000 Meeting: Early Adopters Report
23
Johns Hopkins Insititutions
October 2000
Stage 1
JHU Payroll
Stage 2
Stage 3
Stage 4
Stage 5
Stage 6
Database Load
Back End
Business Rules
and Processing
Prepare and
export data for
directory
Load
Directory
Directory Status
View
Registry
(Oracle)
Directory Files
JHU USIS
Enterprise
Directory
__________
Stage 7
Define and
implement
business rules for
the T&E
application;
ID Badging
__________
Ingenium
Database
Define the
attributes needed
for the T&E front
end;
Identify Data
sources needed
for front end
authentication;
Directory
UpdateHolding
Area
Web Enabled T&E
Front End
Authentication
Provide front end
business rules
and user
requirements to
present and
capture data;
Define the
database
requirements
here and map to
the ESG Oracle
Gold Source -ESG Directory;
Directory Update
Log to Data
Sources
Stage 8
Johns Hopkins
Stage 5 – Directory Import
•Process export files using generic (PERL)
script to import/update enterprise directory;
• Keep code free of business rules;
•Create and store common script template
for reuse;
•Provide web based report interface to track
activity and status;
•Provide audit log
Internet2 Fall 2000 Meeting: Early Adopters Report
25
Directory Structure
Source
System Data
Feeds
Registry
Directory
Updates
Web Enabled
Front End
Application
Enterprise
Directory
For example:
user provides
last name to
search, and a
barcode/PIN to
authenticate to
the patron
library
directory
branch;
The directory
update uses
the unique
identifier as
the key link for
all entries in
the various
branches of
the directory;
Source data is
loaded into the
staging area and
assigned a
unique identifier;
Authentication
Branch
(holds unique identifier (UID) for
person)
______
(keyed by
UID)
admin branch
(keyed by
UID)
library patron
(keyed by
UID)
jh_userid
(keyed by
UID)
jh_person
(keyed by UID)
The UID is
derived from
the Oracle
Repository as a
primary key;
uses a JH ISO
number
scheme;
Johns Hopkins Insititutions
October 2000
Stage 1
JHU Payroll
Stage 2
Stage 3
Stage 4
Stage 5
Stage 6
Database Load
Back End
Business Rules
and Processing
Prepare and
export data for
directory
Load Directory
Directory
Status View
Registry
(Oracle)
Directory Files
JHU USIS
Enterprise
Directory
__________
Stage 7
Define and
implement
business rules for
the application;
ID Badging
__________
Ingenium
Database
Define the
attributes needed
for the front end;
Identify Data
sources needed
for front end
authentication;
Directory
UpdateHolding
Area
Web Enabled
Front End
Authentication
Provide front end
business rules
and user
requirements to
present and
capture data;
Define the
database
requirements
here and map to
the Registry -Enterprise
Directory;
Directory Update
Log to Data
Sources
Stage 8
Johns Hopkins
Stage 6 – Directory Status
•Provide complete audit log of directory
activity;
• Create and store common report template;
• Generate standard web based activity report;
•Provide backup/recovery procedure;
•Provide replication service
Internet2 Fall 2000 Meeting: Early Adopters Report
28
Johns Hopkins Insititutions
October 2000
Stage 1
JHU Payroll
Stage 2
Stage 3
Stage 4
Stage 5
Stage 6
Database Load
Back End
Business Rules
and Processing
Prepare and
export data for
directory
Load Directory
Directory Status
View
Registry
(Oracle)
Directory Files
JHU USIS
Enterprise
Directory
__________
Stage 7
Define and
implement
business rules for
the T&E
application;
ID Badging
__________
Ingenium
Database
Define the
attributes needed
for the T&E front
end;
Identify Data
sources needed
for front end
authentication;
Directory
UpdateHolding
Area
Web Enabled
T&E Front End
Authentication
Provide front
end business
rules and
user
requirements
to present
and capture
data;
Define the
database
requirements
here and
map to the
Registry -Enterprise
Directory;
Directory Update
Log to Data
Sources
Stage 8
Johns Hopkins
Stage 7 – Front End Processing
•Define and deploy access control (ACL);
• Define JHI policy for the global user, the person, and
the administrator;
• Develop and document scope and visibility to the
directory attributes;
•Develop and deploy common web enabled
directory access (a common ‘look and feel’ to
the front end);
• Use a common set of development tools (e.g.
ColdFusion);
•Apply front end application level business
rules (more specific rules than the back end
process);
Internet2 Fall 2000 Meeting: Early Adopters Report
30
Johns Hopkins Insititutions
October 2000
Stage 1
Stage 2
Stage 3
Stage 4
Stage 5
Stage 6
JHU Payroll
Database Load
Back End
Business Rules
and Processing
Prepare and
export data for
directory
Load Directory
Directory Status
View
Registry
(Oracle)
Directory Files
JHU USIS
Enterprise
Directory
__________
Stage 7
Define and
implement
business rules for
the T&E
application;
ID Badging
__________
Ingenium
Database
Define the
attributes needed
for the T&E front
end;
Identify Data
sources needed
for front end
authentication;
Directory
Update
Holding Area
Web Enabled
Front End
Authentication
Provide front
end business
rules and
user
requirements
to present
and capture
data;
Define the
database
requirements
here and map to
the Registry -Enterprise
Directory;
Directory
Update Log to
Data Sources
Stage 8
Johns Hopkins
Stage 8 – Directory Updates
•Provide a log dataset of directory activity
(updates, deletes, etc.);
•Provide standard procedure for data owners
to pull the activity log;
•Design and implement a standard record
layout using a status field and an audit trailer
record;
Internet2 Fall 2000 Meeting: Early Adopters Report
32
Johns Hopkins
Iterative Development Cycle
•Provide complete data-to-directory path;
•Push the data through one cycle to kickoff
development process;
•Each iteration flushes more detail to the
requirements in a rapid application
development process adding data, business
rules and/or policy changes;
•Each iteration provides intense unit testing
followed by QC test cycle;
Internet2 Fall 2000 Meeting: Early Adopters Report
33
Early Adopters Middleware Reports
Technical Implementation
University of Maryland
Baltimore County
Robert Banz
UMBC – Present Architecture
Internet2 Fall 2000 Meeting: Early Adopters Report
35
UMBC – Hardware & Software
•Hardware
• 1 Sun Enterprise 220 (2x CPU, 2G RAM) –
Primary Directory Server
• 2 Sun NetraT1 – Slave Directory Servers
•Software
• iPlanet (Netscape) Directory Server
• Loads and loads of Perl
Internet2 Fall 2000 Meeting: Early Adopters Report
36
UMBC – Person Directory
•
Contains over 275,000 Entries from:
•
•
•
•
•
Human Resources -- in Oracle
SIS – Resides on an HP MPE machine, data
is mirrored “almost real time” into Oracle
PH/CSO Database Contents (retired)
“Other” entities not contained in either of
these data sources
Not (yet) the System of Record
Internet2 Fall 2000 Meeting: Early Adopters Report
37
UMBC – Directory Schema
•
“Flat” person directory
•
Uses “umbcPerson” objectclass
•
•
•
Derived from InetOrgPerson
Proposed “eduPerson” attribute names &
definitions used when possible.
Account management data stored in
RFC2307 (NIS Objects in LDAP) compliant
schema.
Internet2 Fall 2000 Meeting: Early Adopters Report
38
UMBC – Data Synchronization
•
Currently “One-Way”
(changes must still be made through
legacy applications and myUMBC web
portal)
•
Changes to HR & SIS data are written to
a log table via PL/SQL triggers
•
Perl daemon constantly checks the log
table and takes appropriate action
Internet2 Fall 2000 Meeting: Early Adopters Report
39
UMBC – Directory Enabled
Applications
•WebAdmin
• UNIX Account Management (self service and
administrative access)
• Person Directory Management
• Email Namespace Management
•MyUMBC
• Uses directory to resolve “people” from “usernames”
•@umbc.edu EMail Addresses
• Destination addresses of all @umbc.edu are resolved
via a LDAP map in Sendmail.
• Replaced PH/CSO “phquery”
Internet2 Fall 2000 Meeting: Early Adopters Report
40
UMBC – Future Applications
•@umbc.edu Email Addresses for Alumni
•Tighter integration of On-Line course tools
(WebCT, Blackboard), including:
• Automagic enrollment of students in registered
courses
•“Single Sign On” to campus Web services
•Integration with PeopleSoft
• Most likely will become the “Registry of Record”
Internet2 Fall 2000 Meeting: Early Adopters Report
41
For More Information
• www.internet2.edu/middleware/earlyadopters/
• University of Memphis
– Tom Barton
[email protected]
• Johns Hopkins University
– Louise Miller-Finn [email protected]
• University of Maryland, Baltimore County
– Jack Suess
[email protected]
Internet2 Fall 2000 Meeting: Early Adopters Report
42