]> http://groups.apu.edu/awg/taxonomy/term/56/0 Directory Services en http://groups.apu.edu/awg/node/166 <p>When APU was to deploy our first LDAP directory service, we were looking at running both OpenLDAP and Netscape/iPlanet Directory Server. The sole reason we were going to purchase the iPlanet directory server was because it had a password synchronization mechanism with NT 4. It was a major goal to have a single username and password for all major services running on windows and unix. However, when implementation time came around, we had moved to Windows 2000, which the iPlanet directory did not yet support sychronization with.</p> <p>Much time has passed... Thu, 22 Sep 2005 15:26:03 -0700 http://groups.apu.edu/awg/node/71 <ul> <li><a href="http://middleware.internet2.edu/internet2-mi-best-practices-00.html">Identifiers, Authentication, and Directories: Best Practices for Higher Education</a></li> <li><a href="http://www.duke.edu/~gettes/giia/ldap-recipe/">A Recipe for Configuring and Operating LDAP Directories</a></li> <li><a href="http://www.educause.edu/eduperson/">eduPerson Object Class</a></li> <li><a href="http://middleware.internet2.edu/dir/">MACE-Dir</a> - the directories working group of the Middleware Architecture Committee for Education (MACE)</li> <li><a href="http://middleware.internet2.edu/">Internet2 Middleware Initiative</a></li> <li><a href="http://www.apu.edu/imt/awg/book/view/51">IMT Architecture Working Group's Identity Management Initiative</a></li> </ul> Fri, 14 May 2004 15:16:51 -0700 http://groups.apu.edu/awg/node/70 <p>Part of the reason for choosing NetID is to clear up some confusion around the UID identifier which has two meanings.</p> <p>On Posix systems such as Unix/Linux, UID refers to <i>User ID</i>. OpenLDAP currently uses the UID attribute for the "Udeupa Username". This will continue to be true even after this "APU NetID" name change.</p> <p>UID also stands for <i>Unique Identifier</i>. This value appears as the first field in the <i>Distinguished Name (DN)</i> in LDAP. The DN represents the <em>location</em> of a record in the heirarchical Directory Information Tree (DIT). APU is using the same value for both the DN and the attribute. For example:</p> <pre> dn: uid=joestudent,ou=Students,ou=People,dc=apu,dc=edu uid: joestudent </pre> <p>According to <a href="http://middleware.internet2.edu/internet2-mi-best-practices-00.html">Identifiers, Best Practices for Higher Education</a>, the UID should be distinctly different than the NetID.</p> <blockquote cite="http://middleware.internet2.edu/internet2-mi-best-practices-00.html"> This ID is centrally provided, perhaps with distributed online clients. It is assigned to all current active users of campus electronic resources. The UID should be non-revokable and non-reassignable; hence it needs a large capacity (32 bits minimum). All other identifiers should be either directly or indirectly linked to the UID. </blockquote> <p>The identifier most closely associated with these qualities is our "APU ID Number", not the NetID. The reasons for using a value in the DN that won't change, is because changing the DN is not efficient. It requires, in most cases, removing a persons entire entry and re-adding it. It also requires changing all group memberships for that user, which are associated by DN. The fundamental concept is that an active APU person's DN should never need to be changed. As long as they are affiliated with APU their "LDAP Address" should not change. This is also the reason why the <a href="http://middleware.internet2.edu/dir/">Internet2 Directories Working Group</a> is promoting the use of a "flat" ou=People tree, not desiring to represent affiliation via the person's location in the DIT. A person is rather referenced in groups by their "permanent DN" throughout the directory.</p> Fri, 14 May 2004 15:01:33 -0700