Schema: eduPerson views
Michael R Gettes, Duke University
EuroCAMP, March 2005



Whence we came

Phoenix, Arizona Airport, February 2000
Hazelton/Gettes set ground rules for development of the eduPerson objectclass with an eye towards DoDHE (Directory of Directories for Higher Education), “Shibboleth to be” and other inter-institutional applications.

• Low-hanging fruit and controlled vocabularies
• Learn why schools will want more, instead of (just) flexibility
• A better definition than the “standard OCs” (like CN)
• Assist local directory implementations -- not be the answer!
• DomainComponent naming (eduPerson, dukeEduPerson)

eduPerson 1.0 released Jan. 2001
• First version July 2000, 0.6 (or something like that)


Where we are now?

Schema (LDAP) for US Higher Education
Low hanging fruit, interoperable data

• Easy stuff that we can all agree is true

eduPerson + LDAP-Recipe go together
• Auxiliary object class extending person, organizationalPerson, inetOrgPerson

localEduPerson
• local attributes are a local problem (clear enough?)

eduOrg (and edu* schemas being developed)
usPerson / govPerson? (work just beginning)
http://middleware.internet2.edu


Where are we going?

Use the past as a predictor of the future
• Not much change in perspective
• Current view is serving well
• We are considering some new attributes
• We are NOT expanding our vocabularies as much as we thought

Continuing struggle: local vs. non-local
Has been difficult getting international involvement

• This has been improving over the last 18 months

UML for general schema; LDAP is one expression


eduPerson 200312

eduPerson attributes
• eduPersonOrgDN, eduPersonOrgUnitDN, eduPersonNickname, eduPersonPrincipalName*, eduPersonPrimaryAffiliation*, eduPersonAffiliation*, eduPersonEntitlement*, eduPersonScopedAffiliation*

eduPerson{Primary}Affiliation
• Values (controlled vocabulary): faculty, student, staff, alum, employee, member, affiliate

•Considering: parent, prospect


eduPersonPrincipalName

What is a Principal? (think security)

This is NOT a Kerberos Principal

And it is not a mail address, even though it looks like one
• [email protected], [email protected]

An inter-institutional identifier

Single-valued by definition

Used by Shibboleth -- this was the intent from the beginning

But, used in ACLs by other tools as well


eduPersonScopedAffiliation

Driven by Shibboleth needs

Syntax like eduPersonPrincipalName: affiliation@scope
• [email protected]
• [email protected]
• [email protected] (!?!)

Raises problems about who is authorized to assert what

• An “inter-realm metadirectory function”
• A field full of ratholes and land mines…
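The two slides above describe what a relying party has to enforce on scoped values: eduPersonPrincipalName carries exactly one value, and both it and eduPersonScopedAffiliation must only be accepted for scopes the asserting identity provider is actually authorized for. The following is an added example of that accept-or-reject logic, written for this page; it is not code from the slides or from Shibboleth. The IdP-to-scope registry, the IdP entity IDs and every attribute value in it are constructed for illustration (in a real deployment the scope registry comes from signed federation metadata).

```python
"""Accept-or-reject logic for scoped eduPerson attributes as a Shibboleth-
style service provider would apply it.  Added example, not code from the
slides or from Shibboleth; the IdP-to-scope registry and all attribute
values below are constructed for illustration."""

from dataclasses import dataclass, field

# Constructed registry of which DNS scopes each identity provider may assert.
# In a real deployment this comes from signed federation metadata, not code.
IDP_SCOPES = {
    "https://idp.duke.edu/shibboleth": {"duke.edu"},
    "https://idp.example.edu/shibboleth": {"example.edu", "alum.example.edu"},
}

# eduPersonAffiliation controlled vocabulary (eduPerson 200312).
AFFILIATIONS = {"faculty", "student", "staff", "alum", "employee", "member", "affiliate"}

SCOPED_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}


@dataclass
class FilterResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # (value, reason) pairs


def split_scoped(value: str) -> tuple:
    """Split 'local@scope'.  Exactly one '@' is required; the local part is an
    opaque identifier or affiliation token, never interpreted as a mailbox."""
    if value.count("@") != 1:
        raise ValueError(f"not a scoped value: {value!r}")
    local, scope = value.split("@")
    if not local or not scope:
        raise ValueError(f"empty local part or scope: {value!r}")
    return local, scope.lower()  # DNS names compare case-insensitively


def filter_scoped_attribute(idp: str, attr: str, values: list,
                            registry: dict = IDP_SCOPES) -> FilterResult:
    """Decide which asserted values of a scoped attribute to keep.

    Rules applied, in order:
      1. eduPersonPrincipalName is single-valued; an assertion with more than
         one value is rejected as a whole rather than having one value picked.
      2. A value's scope must be one the asserting IdP is registered for; this
         is the 'who is authorized to assert what' check from the slide.
      3. For eduPersonScopedAffiliation the local part must be a vocabulary
         token.
    An IdP missing from the registry can assert nothing.
    """
    if attr not in SCOPED_ATTRIBUTES:
        raise ValueError(f"{attr} is not a scoped attribute")
    result = FilterResult()
    if attr == "eduPersonPrincipalName" and len(values) != 1:
        for v in values:
            result.rejected.append((v, "eduPersonPrincipalName must have exactly one value"))
        return result
    allowed = registry.get(idp, set())
    for v in values:
        try:
            local, scope = split_scoped(v)
        except ValueError as err:
            result.rejected.append((v, str(err)))
            continue
        if scope not in allowed:
            result.rejected.append((v, f"{idp} is not authorized to assert scope {scope}"))
            continue
        if attr == "eduPersonScopedAffiliation" and local not in AFFILIATIONS:
            result.rejected.append((v, f"{local!r} is not an eduPersonAffiliation value"))
            continue
        result.accepted.append(v)
    return result


if __name__ == "__main__":
    duke = "https://idp.duke.edu/shibboleth"
    print(filter_scoped_attribute(duke, "eduPersonScopedAffiliation",
                                  ["staff@duke.edu", "student@mit.edu", "root@duke.edu"]))
    print(filter_scoped_attribute(duke, "eduPersonPrincipalName",
                                  ["jdoe@duke.edu", "jdoe@example.edu"]))
```

Note the design choice for rule 1: a multi-valued eduPersonPrincipalName is thrown away entirely rather than "fixed" by taking the first value, because once the identifier is used in ACLs a relying party must never let the IdP choose which of several identities a session gets.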


eduPersonEntitlement

Original problem: how to change schema without changing schema. Needed by GRIDs

Values are URIs (URL or URN)
The urn:mace: namespace was accepted by the IETF and registered with IANA (RFC 3613)

Gives us a way to make values unique in the entitlement namespace without elaborate registry mechanism

• urn:mace:wisc.edu:bucky-bundle
• urn:mace:oclc:org:autho:NNNN
• urn:mace:duke.edu:library:oclc:contract-NNN

The urn:mace: namespace registry is maintained by MACE
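The uniqueness the urn:mace: namespace gives an entitlement value only helps if the relying party compares the whole value. The following is an added example of an entitlement check for this page (not code from the slides, Shibboleth or MACE): it applies RFC 2141 lexical equivalence (the leading "urn:" and the namespace identifier are case-insensitive, %-escapes compare case-insensitively, the rest is compared byte for byte) and refuses any prefix or substring matching. The ACL and the entitlement values other than those quoted on the slide are constructed; "contract-42" stands in for the slide's contract-NNN.

```python
"""Exact-match authorization on eduPersonEntitlement URIs.  Added example,
not code from the slides or from any Shibboleth or MACE component; the
entitlement values beyond those quoted on the slide are constructed."""

import re

_URN = re.compile(r"urn:([a-z0-9][a-z0-9-]{0,31}):(.+)", re.IGNORECASE)
_PCT = re.compile(r"%[0-9a-fA-F]{2}")


def normalize_urn(value: str) -> str:
    """Apply RFC 2141 lexical equivalence: the leading 'urn:' and the NID are
    case-insensitive and %-escapes compare case-insensitively, while the rest
    of the namespace-specific string is compared byte for byte.  Non-URN
    values (an http URL, say) are returned unchanged and compared exactly."""
    m = _URN.fullmatch(value)
    if not m:
        return value
    nid, nss = m.groups()
    nss = _PCT.sub(lambda esc: esc.group(0).upper(), nss)
    return f"urn:{nid.lower()}:{nss}"


def is_entitled(user_entitlements, required: str) -> bool:
    """True only if some value the user carries is lexically equivalent to the
    required URI.  Deliberately no prefix, substring or glob matching: the
    uniqueness the urn:mace: namespace gives a value is only worth something
    if the comparison uses the whole value."""
    want = normalize_urn(required)
    return any(normalize_urn(v) == want for v in user_entitlements)


def authorized_resources(user_entitlements, acl: dict) -> list:
    """acl maps a resource name to the single entitlement URI it requires."""
    return [name for name, req in acl.items() if is_entitled(user_entitlements, req)]


# Constructed ACL; 'contract-42' stands in for the slide's contract-NNN.  The
# neighbouring 'contract-420' entry is there to show prefix matching would be wrong.
ACL = {
    "bucky-bundle": "urn:mace:wisc.edu:bucky-bundle",
    "oclc-contract-42": "urn:mace:duke.edu:library:oclc:contract-42",
    "oclc-contract-420": "urn:mace:duke.edu:library:oclc:contract-420",
}

if __name__ == "__main__":
    user = ["URN:MACE:wisc.edu:bucky-bundle", "urn:mace:duke.edu:library:oclc:contract-42"]
    print(authorized_resources(user, ACL))  # ['bucky-bundle', 'oclc-contract-42']
```

If a deployment would rather not reason about RFC 2141 at all, comparing the raw strings byte for byte is an acceptable stricter choice; the one thing never to do is loosen the comparison to a prefix or pattern, since that silently merges distinct entitlements.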


eduOrg 200210

Higher Ed Organization object class
• Basic organizational info attributes from X.520: telecom, postal, locale

• eduOrgHomePageURI
• eduOrgIdentityAuthNPolicyURI
• eduOrgLegalName
• eduOrgSuperiorURI
• eduOrgWhitePagesURI


LDAP Analyzer (part of NMI)

Todd Piket, Michigan Tech
Web based tool to empirically analyze a directory

• eduPerson compliance
• Indexing and naming
• LDAP-Recipe guidance (good practice)
• H.350 compliance
• eduOrg compliance

http://middleware.internet2.edu/dir/
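A cut-down version of the eduPerson compliance part of such an analysis, as an added example written for this page (it is not the NMI tool's code): parse one LDIF record and check it against the rules the slides state, namely that the entry carries the eduPerson object class, that single-valued attributes have one value, that affiliation values come from the controlled vocabulary, that eduPersonPrincipalName is of the form user@scope and that entitlement values are URIs. The LDIF record is constructed and contains two deliberate defects.

```python
"""Minimal eduPerson compliance check over an LDIF record, in the spirit of
the LDAP Analyzer slide.  Added example, not the NMI tool's code; the LDIF
record below is constructed."""

import base64
import re
from collections import defaultdict

AFFILIATIONS = {"faculty", "student", "staff", "alum", "employee", "member", "affiliate"}
# eduPerson attributes defined as single-valued.
SINGLE_VALUED = ("eduPersonPrincipalName", "eduPersonPrimaryAffiliation", "eduPersonOrgDN")
KNOWN = ("objectClass", "eduPersonAffiliation", "eduPersonPrimaryAffiliation",
         "eduPersonPrincipalName", "eduPersonEntitlement", "eduPersonOrgDN")
_CANON = {n.lower(): n for n in KNOWN}  # LDAP attribute names are case-insensitive
_URI_SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*:.+")


def parse_ldif_entry(text: str) -> dict:
    """Parse one LDIF record into {attribute: [values]}: folded lines (a
    continuation begins with one space) are joined, '::' values are base64
    decoded, comments are skipped and attribute names are canonicalized."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = defaultdict(list)
    for line in lines:
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip()
        entry[_CANON.get(name.lower(), name)].append(value)
    return dict(entry)


def check_eduperson(entry: dict) -> list:
    """Return compliance findings; an empty list means the entry passes."""
    findings = []
    if "eduperson" not in {c.lower() for c in entry.get("objectClass", [])}:
        findings.append("objectClass eduPerson is missing")
    for attr in SINGLE_VALUED:
        n = len(entry.get(attr, []))
        if n > 1:
            findings.append(f"{attr} has {n} values but is single-valued")
    for attr in ("eduPersonAffiliation", "eduPersonPrimaryAffiliation"):
        for v in entry.get(attr, []):
            if v not in AFFILIATIONS:
                findings.append(f"{attr} value {v!r} is not in the controlled vocabulary")
    for v in entry.get("eduPersonPrincipalName", []):
        if v.count("@") != 1:
            findings.append(f"eduPersonPrincipalName {v!r} is not of the form user@scope")
    for v in entry.get("eduPersonEntitlement", []):
        if not _URI_SCHEME.fullmatch(v):
            findings.append(f"eduPersonEntitlement {v!r} is not a URI")
    return findings


# Constructed record with two deliberate defects: an affiliation outside the
# vocabulary ('alumni' instead of 'alum') and an entitlement that is a bare
# string rather than a URI.  The folded entitlement line exercises the parser.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=edu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: eduPerson
uid: jdoe
cn:: SmFuZSBEb2U=
sn: Doe
eduPersonPrincipalName: jdoe@example.edu
eduPersonAffiliation: staff
eduPersonAffiliation: alumni
eduPersonPrimaryAffiliation: staff
eduPersonEntitlement: urn:mace:example.edu:library:oclc:
 contract-42
eduPersonEntitlement: ejournals
"""

if __name__ == "__main__":
    for finding in check_eduperson(parse_ldif_entry(SAMPLE_LDIF)):
        print(finding)
```

The same checks run unchanged over an LDIF export of a whole subtree by splitting the file on blank lines and feeding each record to parse_ldif_entry; findings that fire on many entries usually point at the provisioning code rather than at individual records.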


Other related work

eduCourse
• Separate Working Group
• Current Status: ????

H.350
• Effort associated with the Internet2 VidMid working group; VidMid and MACE-Dir co-developed it.

• Pushed through ITU by Tyler Johnson, UNC


LDIF Management

See http://www.educause.edu/eduperson

LDIF is used both to describe the schema and to manage it, which keeps the history and the technical details in one place.



Other Questions???