Schema: eduPerson views
Michael R Gettes
Duke University
EuroCAMP, March 2005
Whence we came
Phoenix, Arizona Airport, February 2000
Hazelton/Gettes set ground rules for development of the eduPerson objectclass with an eye towards DoDHE, “Shibboleth to be” and other inter-institutional applications.
• Low-hanging fruit and controlled vocabularies
• Learn why schools will want more instead of flexibility
• A better definition than the “standard OCs” (like CN)
• Assist local directory implementations -- not be the answer!
• DomainComponent Naming (eduPerson, dukeEduPerson)
eduPerson 1.0 released Jan. 2001
• First version July 2000, 0.6 (or something like that)
Where we are now?
Schema (LDAP) for US Higher Education
Low-hanging fruit, interoperable data
• Easy stuff that we can all agree is true
eduPerson + LDAP-Recipe go together
• Auxiliary OC extending Person, orgPerson, inetOrgPerson
localEduPerson
• local attributes are a local problem (clear enough?)
eduOrg (and edu* schemas being developed)
usPerson / govPerson? (work just beginning)
http://middleware.internet2.edu
Where are we going?
Use the past as a predictor of the future
Not much change in perspective
Current view is serving well
We are considering some new attributes
We are NOT expanding our vocabularies as much as we thought
Continuing struggle: local vs. non-local
Has been difficult getting Int’l involvement
• This has been improving over the last 18 months
UML for general schema; LDAP is one expression
eduPerson 200312
eduPerson
• OrgDN, OrgUnitDN, NickName, PrincipalName*, PrimaryAffiliation*, Affiliation*, Entitlement*, ScopedAffiliation*
eduPerson{Primary}Affiliation
• Values: faculty, student, staff, alum, employee, member, affiliate
• Considering: parent, prospect
eduPersonPrincipalName
What is a Principal? (think security)
This is NOT a Kerberos Principal
And it is not a Mail Address
• [email protected], [email protected]
An inter-institutional identifier
SINGLE-VALUE definition
Used by Shibboleth -- this was the intent from the beginning
But, used in ACLs by other tools as well
eduPersonScopedAffiliation
Driven by Shibboleth needs
Syntax like eduPersonPrincipalName
• [email protected]
• [email protected]
• [email protected] (!?!)
Raises problems about who is authorized to assert what
• An “inter-realm metadirectory function”
• A field full of ratholes and land mines…
eduPersonEntitlement
Original problem: how to change schema without changing schema. Needed by GRIDs
Values are URIs (URL or URN)
urn:mace: accepted by IETF and registered with IANA
Gives us a way to make values unique in the entitlement namespace without an elaborate registry mechanism
• urn:mace:wisc.edu:bucky-bundle
• urn:mace:oclc:org:autho:NNNN
• urn:mace:duke.edu:library:oclc:contract-NNN
Namespace registry maintained by MACE
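The three slides above (eduPersonPrincipalName, eduPersonScopedAffiliation, eduPersonEntitlement) each state a rule that an identity provider should enforce before it releases attributes: ePPN is single-valued and of the form user@scope, affiliations come from the controlled vocabulary, a scope may only be asserted by the party authorized for it (the “who is authorized to assert what” problem), and entitlement values are URIs. The following is an added example, not code from the slides or from the eduPerson/MACE project: a small LDIF reader plus a checker that applies those rules to one entry. The two LDIF entries, the example.edu scope in AUTHORIZED_SCOPES and the entitlement URIs are constructed for the example; the affiliation vocabulary uses the specification spelling “alum”.

```python
"""Check the eduPerson attributes of one LDIF entry against the rules on the
slides: single-valued scoped ePPN, controlled affiliation vocabulary,
authorized scopes only, URI-valued entitlements.  Added example; the entries,
the example.edu scope and the entitlement URIs are constructed."""
import base64
import re

# Controlled vocabulary from the eduPerson spec (spelled "alum", not "alumni").
AFFILIATIONS = {"faculty", "student", "staff", "alum", "employee", "member", "affiliate"}
# Scopes this directory's IdP may assert (constructed; in Shibboleth this list
# is what the SP reads from the IdP's metadata <shibmd:Scope> elements).
AUTHORIZED_SCOPES = {"example.edu"}
SCOPED_RE = re.compile(r"^([^@\s]+)@([A-Za-z0-9.-]+)$")
URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:[^\s]+$")  # scheme ":" rest


def parse_ldif_entry(text: str) -> dict:
    """Minimal LDIF reader for a single entry: handles folded continuation
    lines (leading space) and '::' base64 values.  Attribute names are
    case-insensitive in LDAP, so keys are lower-cased."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def split_scoped(value: str):
    """Return (left, scope) for an 'x@scope' value, or None if malformed."""
    m = SCOPED_RE.match(value)
    return (m.group(1), m.group(2).lower()) if m else None


def check_entry(entry: dict, authorized=AUTHORIZED_SCOPES) -> list:
    """Return a list of problem strings; an empty list means the entry passes."""
    problems = []
    eppn = entry.get("edupersonprincipalname", [])
    if len(eppn) != 1:                      # slide: SINGLE-VALUE definition
        problems.append(f"eduPersonPrincipalName must have exactly one value, got {len(eppn)}")
    for v in eppn:
        parts = split_scoped(v)
        if parts is None:
            problems.append(f"eduPersonPrincipalName {v!r} is not user@scope")
        elif parts[1] not in authorized:
            problems.append(f"eduPersonPrincipalName scope {parts[1]!r} not authorized")
    for attr in ("edupersonaffiliation", "edupersonprimaryaffiliation"):
        for v in entry.get(attr, []):
            if v.lower() not in AFFILIATIONS:
                problems.append(f"{attr} value {v!r} not in controlled vocabulary")
    if len(entry.get("edupersonprimaryaffiliation", [])) > 1:
        problems.append("eduPersonPrimaryAffiliation is single-valued")
    for v in entry.get("edupersonscopedaffiliation", []):
        parts = split_scoped(v)
        if parts is None:
            problems.append(f"eduPersonScopedAffiliation {v!r} is not affiliation@scope")
            continue
        if parts[0].lower() not in AFFILIATIONS:
            problems.append(f"eduPersonScopedAffiliation {v!r}: unknown affiliation")
        if parts[1] not in authorized:   # the "who may assert what" check
            problems.append(f"eduPersonScopedAffiliation {v!r}: scope not authorized")
    for v in entry.get("edupersonentitlement", []):
        if not URI_RE.match(v):
            problems.append(f"eduPersonEntitlement {v!r} is not a URI")
    return problems


# Constructed entries.  GOOD_ENTRY also exercises LDIF line folding.
GOOD_ENTRY = """dn: uid=jdoe,ou=People,dc=example,dc=edu
objectClass: inetOrgPerson
objectClass: eduPerson
uid: jdoe
eduPersonPrincipalName: jdoe@example.edu
eduPersonAffiliation: staff
eduPersonAffiliation: member
eduPersonPrimaryAffiliation: staff
eduPersonScopedAffiliation: staff@example.edu
eduPersonScopedAffiliation: member@example.edu
eduPersonEntitlement: urn:mace:example.edu:library:ejournals
eduPersonEntitlement: https://example.edu/entitlements/
 wiki-editor
"""

BAD_ENTRY = """dn: uid=mallory,ou=People,dc=example,dc=edu
objectClass: inetOrgPerson
objectClass: eduPerson
uid: mallory
eduPersonPrincipalName: mallory@example.edu
eduPersonPrincipalName: mallory@other.edu
eduPersonAffiliation: alumni
eduPersonScopedAffiliation: student@other.edu
eduPersonScopedAffiliation: parent@example.edu
eduPersonEntitlement: library-access
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        for p in check_entry(parse_ldif_entry(text)) or ["ok"]:
            print(f"{label}: {p}")
```

Run as-is the good entry reports “ok” and the bad entry reports six problems: a second ePPN value, an ePPN and a scoped affiliation carrying a scope the IdP is not authorized for, the non-vocabulary values “alumni” and “parent”, and a bare “library-access” that is not a URI. The scope check is the security-relevant one: in a federation the consuming SP repeats it against the IdP's registered scopes, so an IdP that lets unauthorized scopes through its directory simply has its assertions dropped (or, on a misconfigured SP, trusted).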
eduOrg 200210
Higher Ed Organization object class
• Basic organizational info attributes from X.520
  – Telecomm, postal, locale
• eduOrgHomePageURI
• eduOrgIdentityAuthNPolicyURI
• eduOrgLegalName
• eduOrgSuperiorURI
• eduOrgWhitePagesURI
LDAP Analyzer (part of NMI)
Todd Piket, Michigan Tech
Web-based tool to empirically analyze a directory
• eduPerson compliance
• Indexing and naming
• LDAP-Recipe guidance (good practice)
• H.350 compliance
• eduOrg compliance
http://middleware.internet2.edu/dir/
Other related work
eduCourse
• Separate Working Group
• Current Status: ????
H.350
• Effort associated with the Internet2 Vid-Mid working group; VidMid + MACE-Dir co-developed.
• Pushed through ITU by Tyler Johnson, UNC
LDIF Management
See http://www.educause.edu/eduperson
LDIF used to describe schema and also manage schema. Provides history and technical details in one place.
Other Questions???