Research Directory Services Architectures
Technology / Architecture
Understand the components and how they interact
An enterprise directory is generally not a stand-alone service. Rather, it is a means of publishing institutional data in an easily accessible manner. As such, one or more systems of record will provide data for import into the directory. There may also be data that only exists in the directory. There will certainly be a number of users of the directory.
Below is a diagram of the core middleware in an integrated architecture. As noted in the picture, an enterprise directory comprises a number of services and processes and is typically more than one physical system.
Data enters from the left, passes through a "join" process to merge the information under the correct identifiers, and is written to the person registry, which is a database whose primary functions are identity management, reconciliation ("Is this person the same as that person?"), and cross-indexing ("Given this person's ID on system X, find their ID on system Y.") The person registry can also serve as a reference identifier for other systems. Other types of registries, such as organization registries or group registries, may also exist; registries in general are also referred to as metadirectories. Both directory and metadirectory products often come with person registries.
Finally, not all institutions have a physical person registry. Some smaller schools, or those with simpler data feeds, may not need to address identifier reconciliation, or can do it within the metadirectory intelligence before loading into the directory. Disadvantages to this approach include:
For more information about person registries, see the Early Harvest Best Practices for Higher Education.
The data are then loaded into the physical directories used for authentication and attribute and group services (represented in green) and served out to the applications. The other consumers could be application or NOS-specific directories.
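The join, registry and load steps described above, as an added example that is not part of the original page: two constructed feeds (an HR system and a student system; field names, match rules, the example.edu base DN and the system-to-affiliation mapping are all assumptions) are reconciled onto one registry identifier, cross-indexed by source ID, and emitted as LDIF with eduPerson attributes for loading into the directory.

```python
# Constructed feeds from two systems of record; field names are assumptions.
HR_FEED = [{"emplid": "E100", "idhash": "h1", "mail": "Alice@example.edu", "sn": "Adams"},
           {"emplid": "E200", "idhash": "h2", "mail": "bob@example.edu", "sn": "Baker"}]
SIS_FEED = [{"studentid": "S900", "idhash": "h1", "mail": "alice@example.edu", "sn": "Adams"},
            {"studentid": "S901", "idhash": "h3", "mail": "carol@example.edu", "sn": "Cruz"}]
AFFILIATION = {"hr": "employee", "sis": "student"}   # system -> eduPersonAffiliation (assumed)


class PersonRegistry:
    def __init__(self):
        self.people = {}   # registry id -> merged attributes
        self.index = {}    # (match type, value) -> registry id
        self.xref = {}     # registry id -> {system: source id}

    def join(self, system, id_field, rec):
        # Reconciliation: match on the hashed identifier first, then on mail.
        keys = [("idhash", rec["idhash"]), ("mail", rec["mail"].lower())]
        rid = next((self.index[k] for k in keys if k in self.index), None)
        if rid is None:                # not the same as any known person
            rid = f"P{len(self.people) + 1:04d}"
            self.people[rid] = {}
        for k in keys:
            self.index[k] = rid
        for attr in ("sn", "mail"):    # first system of record seen wins
            self.people[rid].setdefault(attr, rec[attr])
        self.xref.setdefault(rid, {})[system] = rec[id_field]
        return rid

    def cross_index(self, system, source_id, other):
        # "Given this person's ID on system X, find their ID on system Y."
        for ids in self.xref.values():
            if ids.get(system) == source_id:
                return ids.get(other)
        return None

    def to_ldif(self, rid, base="ou=people,dc=example,dc=edu"):
        # Load step: one merged entry per person, with eduPerson attributes.
        a = self.people[rid]
        lines = [f"dn: uid={rid},{base}", "objectClass: inetOrgPerson",
                 "objectClass: eduPerson", f"uid: {rid}", f"sn: {a['sn']}",
                 f"cn: {a['sn']}", f"mail: {a['mail']}"]
        lines += [f"eduPersonAffiliation: {AFFILIATION[s]}" for s in sorted(self.xref[rid])]
        return "\n".join(lines)


def build_registry():
    reg = PersonRegistry()
    for system, id_field, feed in (("hr", "emplid", HR_FEED), ("sis", "studentid", SIS_FEED)):
        for rec in feed:
            reg.join(system, id_field, rec)
    return reg
```

Alice appears in both feeds under different source IDs and is merged into one entry with both affiliations; Bob and Carol each get their own registry identifier.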
There are a number of questions to be considered, and they include:
For more information on this and schema design, see A Recipe for Configuring and Operating LDAP Directories.
The nearly universal acceptance of LDAP v.3 means that many of the major email and address book clients will communicate with any compliant directory product. However, there may be older clients that want to use the ph protocol, or finger, to read information from the directory. There are products available to translate these older protocols to LDAP, but they must be included in the overall project specification.
Research current higher-ed practices
Look for other campuses with a similar size population and funding model that have already implemented a directory or are in the process of doing so. Networking with others on some of the tough problems often helps. The vendors of the chosen product(s) should be able to provide references. There are campus affiliations by location (such as state organization) and by commonality of purpose. Consult the national organizations - the user groups for various vendor products, efforts such as Internet2 and EDUCAUSE, both of which have middleware resources.
Research security issues and models
Tools and Resources
A Recipe for Configuring and Operating LDAP Directories outlines specific practices for directory design in the higher education sector.
Practices in Directory Groups offers ideas and methodologies for managing groups in directories, which for many campuses is entry-level authorization.
eduMember offers a way to express groups in an LDAP directory.
eduPerson Object Class and accompanying LDIF files offers a directory person schema that, once installed, can be leveraged to serve inter-campus applications.
eduOrg Object Class and accompanying LDIF files offers a directory organization schema that, once installed, can be leveraged to serve inter-campus applications.
LocalDomainPerson Object Class Study highlights common attributes added to local directories across higher education.