UFL Case Study

Directories at the University of Florida
Mike Conlon
Director of Data Infrastructure
University of Florida
Desired State
- One person, one identity
- Identity management across UF systems – desktop, web-based, enterprise
- Support multiple modalities for directory services – LAN-based, web-based, enterprise
- Provide public and private identifiers, not SSN
- Authoritative source for identity and directory information
- Move toward single sign-on

Some History
- Registry since 1988
- Kerberos since 1997
- LDAP since 1998
- Directory Strategy process 6/00-8/01. White paper. http://www.it.ufl.edu/projects/directory/planteam.htm
- Directory Project 9/01-January 21, 2003. Largest UF IT Project. http://www.it.ufl.edu/projects/directory

Strategy Process
- Fourteen months, 6/00-8/01
- Visit by Ken Klingenstein 4/01
- Student ID Process 2/01-8/01
- ID recommendation: UFID for entire community. Follow I2 guidelines. Integrate with directory project
- Strategy white paper for directory services at UF – why, what, how, who, when (18 months)

Directory Project Timeline
- IT Review complete 3/01
- Directory white paper 8/01
- Project launch 10/01
- Original target date 4/03
- Actual go-live January 21, 2003
- Seven FTE on core team
- Over 150 participants from across UF

Directory Project Charge
- Use of models and standards developed by the Internet2 Initiative, including the eduPerson schema.
- Update to database schema in DB2 and LDAP.
- Provide a support mechanism for unit-level extensions as desired.
- Improve infrastructure of LDAP facility.
- Develop processes and policies to ensure maintenance of accurate directory data.
- Develop standard interfaces to reduce the need for duplicate databases and enhance accessibility of directory data.
- Develop a middleware connection in support of a new UF identifier strategy.
- Develop effective data flows to and from existing data systems such as the Registrar and Personnel.
- Provide a data model, LDAP schema and set of APIs to support functional expansion and growth of new ideas.

UF Directory Project
- Overhaul Registry
- Overhaul LDAP: eduPerson, eduPersonAffiliation
- Introduce UFID. Publicly visible identifier (nnnnnnnn) used in place of SSN for business transactions. http://ufid.ufl.edu
- Introduce UUID. Private identifier used as key in core systems
- SSN as attribute
- GatorLink as attribute
- Over 1,500 legacy apps modified
- All SSN-based processes refactored
- Self-service directory access: http://phonebook.ufl.edu
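As an added example (not UF's code or schema), here is how one person entry under this identifier model can be built, projected for the self-service phonebook and serialized as LDIF: UFID and GatorLink are releasable, while the UUID key and the SSN are held back as private attributes. The `uf`-prefixed attribute names, the DN layout and all sample values (including the SSN placeholder) are constructed assumptions.

```python
import re
import uuid

# Added example, not UF's code: one directory entry modeled as the deck describes
# (eduPerson schema, public UFID, private UUID key, SSN and GatorLink as attributes).
# The "uf"-prefixed attribute names and the DN layout are illustrative assumptions.

UFID_PATTERN = re.compile(r"\d{8}")  # deck shows UFID as nnnnnnnn
# eduPersonAffiliation controlled vocabulary (Internet2 eduPerson schema)
EDUPERSON_AFFILIATIONS = {"faculty", "student", "staff", "alum", "member",
                          "affiliate", "employee", "library-walk-in"}
# Attributes a phonebook-style public view may release; UUID and SSN stay private
PUBLIC_ATTRIBUTES = {"dn", "uid", "cn", "sn", "givenName", "mail",
                     "eduPersonAffiliation", "ufid"}

def valid_ufid(value):
    return UFID_PATTERN.fullmatch(value) is not None

def build_entry(ufid, gatorlink, ssn, given, sn, affiliations, private_uuid=None):
    """Build an entry dict; reject identifiers or values that break the model."""
    if not valid_ufid(ufid):
        raise ValueError("UFID must be exactly 8 digits")
    bad = set(affiliations) - EDUPERSON_AFFILIATIONS
    if bad:
        raise ValueError(f"unknown eduPersonAffiliation values: {sorted(bad)}")
    return {
        "dn": f"uid={gatorlink},ou=People,dc=ufl,dc=edu",
        "objectClass": ["inetOrgPerson", "eduPerson"],
        "uid": gatorlink,                              # GatorLink as attribute
        "cn": f"{given} {sn}", "sn": sn, "givenName": given,
        "mail": f"{gatorlink}@ufl.edu",
        "eduPersonPrincipalName": f"{gatorlink}@ufl.edu",
        "eduPersonAffiliation": sorted(affiliations),
        "ufid": ufid,                                  # public identifier
        "ufuuid": str(private_uuid or uuid.uuid4()),   # private key for core systems
        "ufssn": ssn,                                  # SSN as attribute, never released
    }

def public_view(entry):
    """Attribute-level release: what a self-service phonebook would publish."""
    return {k: v for k, v in entry.items() if k in PUBLIC_ATTRIBUTES}

def to_ldif(entry):
    """Serialize the entry as LDIF, one attribute value per line."""
    lines = [f"dn: {entry['dn']}"]
    for attr, value in entry.items():
        if attr != "dn":
            for v in (value if isinstance(value, list) else [value]):
                lines.append(f"{attr}: {v}")
    return "\n".join(lines)
```

Feeding a business application `public_view(entry)` rather than the full entry is the code-level form of "SSN as attribute, UFID in place of SSN": the transaction keys on the public identifier and never sees the SSN or the core-system UUID.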
Consequences
- 1,272,228 objects in UF LDAP
  - People, Organizations, Groups, Relationships
- Better data through new processes
  - Old: local admin + reconciliation
  - New: central, self-service + replication
- Positioned for new services
  - PeopleSoft, Active Directory, Single Sign-On

Current State
- Five production middleware data systems – LDAP, UF Registry, Kerberos, Netware Directory Services (NDS), PeopleSoft Portal
- Active Directory (AD) to be added
- Existing integration between PeopleSoft, LDAP, Kerberos and UF Registry
- Ad hoc integration with Kerberos and NDS
- UF Registry provides authoritative source
- GatorLink (email, netid), UFID (publicly visible), UUID (private) identifiers

Why Six Systems?
- LDAP is the open standard for web-based applications
- Active Directory is the standard for desktop users
- NDS is the legacy system for desktop users
- PeopleSoft is the future enterprise system
- Kerberos is the open standard for authentication
- UF Registry is the current authoritative source with a known data model and service provider for legacy systems

Middleware Roadmap
- Use LDAP and Kerberos to authenticate PeopleSoft (in place today)
- Provide standards-based authentication mechanism for free-standing web apps (in place today via GL Auth)
- Implement AD based on Kerberos identity – provide a foundation for future desktop integration. Spring 2003 through 2005
- Consider the future of NDS
- Migrate UF Registry to PeopleSoft Campus Community. Analysis complete, design in progress, go-live 7/04
- 7/04: Integrated enterprise middleware systems – AD, LDAP, PeopleSoft, Kerberos