Directories at the University of Florida
Mike Conlon
Director of Data Infrastructure
University of Florida

Desired State
One person, one identity
Identity management across UF systems – desktop, web-based, enterprise
Support multiple modalities for directory services – LAN-based, web-based, enterprise
Provide public and private identifiers, not SSN
Authoritative source for identity and directory information
Move toward single sign-on

Some History
Registry since 1988
Kerberos since 1997
LDAP since 1998
Directory Strategy process 6/00-8/01. White paper. http://www.it.ufl.edu/projects/directory/planteam.htm
Directory Project 9/01-January 21, 2003. Largest UF IT Project. http://www.it.ufl.edu/projects/directory

Strategy Process
Fourteen months 6/00-8/01
Visit by Ken Klingenstein 4/01
Student ID Process 2/01-8/01
ID recommendation: UFID for entire community. Follow I2 guidelines. Integrate with directory project
Strategy white paper for directory services at UF – why, what, how, who, when (18 months)

Directory Project Timeline
IT Review complete 3/01
Directory white paper 8/01
Project launch 10/01
Original target date 4/03
Actual go-live January 21, 2003
Seven FTE on core team
Over 150 participants from across UF

Directory Project Charge
Use of models and standards developed by the Internet2 Initiative, including the eduPerson schema.
Update to database schema in DB2 and LDAP.
Provide a support mechanism for unit-level extensions as desired.
Improve infrastructure of LDAP facility.
Develop processes and policies to ensure maintenance of accurate directory data.
Develop standard interfaces to reduce the need for duplicate databases and enhance accessibility of directory data.
Develop a middleware connection in support of a new UF identifier strategy.
Develop effective data flows to and from existing data systems such as the Registrar and Personnel.
Provide a data model, LDAP schema and set of APIs to support functional expansion and growth of new ideas.

UF Directory Project
Overhaul Registry
Overhaul LDAP. eduPerson, eduPersonAffiliation
Introduce UFID. Publicly visible identifier (nnnnnnnn) used in place of SSN for business transactions. http://ufid.ufl.edu
Introduce UUID. Private identifier used as key in core systems
SSN as attribute
GatorLink as attribute
Over 1,500 legacy apps modified
All SSN-based processes refactored
Self-service directory access http://phonebook.ufl.edu
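The identifier design on this slide (a private UUID as the key, a public UFID for business transactions, and the SSN demoted to an ordinary, access-restricted attribute) can be illustrated with a small registry model. The code below is an added example written for this page, not UF's registry code; the `Registry` and `Person` names, the `ssn-reader` role and the in-memory storage are assumptions made for illustration. It shows the property the slide relies on: a UFID is generated at random, so it carries no information about the SSN, and the public directory view never exposes either the SSN or the private key.

```python
"""Toy identity registry illustrating a public/private identifier split.

Hypothetical example code, not the UF registry. Assumed names: Registry,
Person, and the 'ssn-reader' role that gates access to the SSN attribute.
"""
import secrets
import uuid
from dataclasses import dataclass, field


@dataclass
class Person:
    uuid: str                         # private key used to join core systems
    ufid: str                         # public 8-digit identifier, replaces SSN
    gatorlink: str                    # network id / email alias, an attribute
    ssn: str = field(repr=False)      # legacy attribute, never a key, kept out of repr/logs
    affiliations: list = field(default_factory=list)  # eduPersonAffiliation values


class Registry:
    """Authoritative source keyed by UUID, with a UFID index for public lookups."""

    def __init__(self):
        self._by_uuid = {}      # uuid -> Person
        self._ufid_index = {}   # ufid -> uuid
        self._used_ufids = set()

    def _new_ufid(self):
        # A UFID is drawn at random, so it cannot be derived from, or mapped
        # back to, the SSN; the loop only guards against a rare collision.
        while True:
            ufid = f"{secrets.randbelow(10**8):08d}"
            if ufid not in self._used_ufids:
                self._used_ufids.add(ufid)
                return ufid

    def register(self, gatorlink, ssn, affiliations):
        """Create a person: private UUID key, public UFID, SSN as attribute."""
        person = Person(
            uuid=str(uuid.uuid4()),
            ufid=self._new_ufid(),
            gatorlink=gatorlink,
            ssn=ssn,
            affiliations=list(affiliations),
        )
        self._by_uuid[person.uuid] = person
        self._ufid_index[person.ufid] = person.uuid
        return person

    def public_view(self, ufid):
        """Directory (phonebook-style) view keyed by UFID: no SSN, no UUID."""
        key = self._ufid_index.get(ufid)
        if key is None:
            return None
        p = self._by_uuid[key]
        return {
            "ufid": p.ufid,
            "gatorlink": p.gatorlink,
            "eduPersonAffiliation": list(p.affiliations),
        }

    def restricted_ssn(self, key, caller_roles):
        """Release the SSN only to an authorised role, and only via the private key."""
        if "ssn-reader" not in caller_roles:
            raise PermissionError("SSN attribute is restricted")
        return self._by_uuid[key].ssn


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    reg = Registry()
    alice = reg.register("agator", "123-45-6789", ["student"])
    print(reg.public_view(alice.ufid))       # no ssn, no uuid in the output
    print(alice)                             # repr also omits the SSN
```

A real deployment would hold the records in the registry database and LDAP rather than in memory, and the SSN attribute would sit behind the directory's own access controls; the shape of the design, though, is the same: business systems carry the UFID, core systems join on the UUID, and the SSN is just one protected attribute among many.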

Consequences
1,272,228 objects in UF LDAP
People, Organizations, Groups, Relationships
Better data through new processes
Old: Local admin + reconciliation
New: Central, self-service + replication
Positioned for new services
PeopleSoft, Active Directory, Single Sign On

Current State
Five production middleware data systems – LDAP, UF Registry, Kerberos, Netware Directory Services (NDS), PeopleSoft Portal
Active Directory (AD) to be added
Existing integration between PeopleSoft, LDAP, Kerberos and UF Registry
Ad hoc integration with Kerberos and NDS
UF Registry provides authoritative source
GatorLink (email, netid), UFID (publicly visible), UUID (private) identifiers

Why Six Systems?
LDAP is the open standard for web-based applications
Active Directory is the standard for desktop users
NDS is the legacy system for desktop users
PeopleSoft is the future enterprise system
Kerberos is the open standard for authentication
UF Registry is the current authoritative source with a known data model and service provider for legacy systems

Middleware Roadmap
Use LDAP and Kerberos to authenticate PeopleSoft (in place today)
Provide standards-based authentication mechanism for free-standing web apps (in place today via GL Auth)
Implement AD based on Kerberos identity – provide a foundation for future desktop integration. Spring 2003 through 2005
Consider the future of NDS
Migrate UF Registry to PeopleSoft Campus Community. Analysis complete, design in progress, go-live 7/04
7/04: Integrated enterprise middleware systems – AD, LDAP, PeopleSoft, Kerberos