									Enterprise Directory                                                                                                                     3/29/11 4:14 PM

                                                                                                                            Tuesday, March 29, 2011

     Enterprise Directory: Policies

          Table of Contents

                       Purpose of this Policy
                       Enterprise Directory
                       Schema & Data Visibility
                       Data Update
                       Root Backup & Disaster Recovery Solution
                       Enterprise Directory Administrator Responsibilities
                       AuthDN Owner Responsibilities
                       Joining/Leaving/Change of Role(s) within Enterprise Directory
                       Access Request Process

                       Purpose of this policy

                       The purpose of this policy is to provide requirements and specific recommendations for the successful operation of the
                       UMD Enterprise Directory.



                       This policy applies to all computer support personnel making use of UMD's Enterprise Directory. It covers information
                       regarding the design of the Enterprise Directory, responsibilities for computer support personnel and compliance


                       Directory Information Tree (DIT)

                       The Enterprise Directory contains a single DIT which is subdivided into six branches:

                               people (active users)
                               application (application specific sub-branches)
                               entity (non-person objects such as listservs)
                               extended-service (former students)
                               guest (wireless access)
                               ldap (internal service objects)

                       People objects are created for all employees, students and affiliates (as defined in PHR) of UMCP as well as employees
                       of UMBI, UMCES, UMES, and USMO.

                       The servers and services (hardware/software) which run and support the Enterprise Directory are monitored by OIT
                       administrators on a 24x7 basis.


                       Schema & Data Visibility

                       The schema is a definition of all object classes and their attributes contained within the directory. An annotated attribute
                       schema can be found at The schema may be dynamically
                       extended through the approval of OIT and the Directory administrators. Schema testing in a staged environment will
                       occur before and during the request for modifications. Changes will only be implemented after two weeks of successful
                       testing with no major issues identified.

                       Data visibility is controlled by issuing applications binding credentials (a DN and password), referred to as an
                       "authDN". Each authDN is associated with one or more Access Control Lists (ACLs), which control the objects, and the
                       attributes of those objects, that the application can access.

                       All authenticated binds must be done over a secure connection (SSL/TLS).
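                       As an added illustration (not part of this policy), the two rules above, authDN-to-ACL attribute control and
                       TLS-only authenticated binds, map onto OpenLDAP slapd.conf directives as follows; the policy does not name its
                       server software, so OpenLDAP, the suffix dc=example,dc=edu, the certificate paths and the application authDN
                       cn=phonebook-app are all assumptions.

```conf
# Added example, not the policy's own configuration. Assumes OpenLDAP slapd.conf
# syntax; suffix, certificate paths and the application authDN are constructed.

# "All authenticated binds must be done over a secure connection (SSL/TLS)":
# refuse any simple bind (dn + password) unless the session already has a
# security strength factor of at least 128 (ldaps:// or StartTLS).
# Anonymous binds are unaffected, matching the policy's "anonymous binds" baseline.
security simple_bind=128
# Placeholder paths for the server certificate and key.
TLSCertificateFile    /etc/openldap/certs/ldap.example.edu.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.example.edu.key

# ACL clauses are evaluated first-match, so the most sensitive attribute goes first:
# nobody may read a password hash; the attribute may only be used to authenticate.
access to dn.subtree="ou=people,dc=example,dc=edu" attrs=userPassword
        by self write
        by anonymous auth
        by * none

# The authDN is granted read on exactly the attributes approved for it (here
# mail and telephoneNumber). The ssf=128 condition ties the grant to a TLS
# session, so the data never leaves the server in clear even on a misconfigured client.
access to dn.subtree="ou=people,dc=example,dc=edu" attrs=mail,telephoneNumber
        by dn.exact="cn=phonebook-app,ou=ldap,dc=example,dc=edu" ssf=128 read
        by * none

# The "entry" pseudo-attribute must be readable for a search to return anything.
# The authDN sees it plus the naming attribute; anonymous binds get the same minimal view.
access to dn.subtree="ou=people,dc=example,dc=edu" attrs=entry,cn
        by dn.exact="cn=phonebook-app,ou=ldap,dc=example,dc=edu" ssf=128 read
        by anonymous read
        by * none

# Everything not matched above is denied.
access to *
        by * none

# Weak form, shown for contrast and left commented out: a blanket grant with no
# ssf condition and simple_bind left at 0 would let the authDN password and all
# person data cross the wire in clear over plain ldap://.
# security simple_bind=0
# access to dn.subtree="ou=people,dc=example,dc=edu"
#         by dn.exact="cn=phonebook-app,ou=ldap,dc=example,dc=edu" read
```

                       The `security simple_bind=128` line enforces the bind rule server-side, so an application that is misconfigured
                       to use ldap:// fails to bind rather than silently leaking its authDN password.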


                       Data Update

                       The Enterprise Directory is updated daily with data drawn from PHR and SIS representing people who have active
                       relationships with UMCP, UMBI, UMCES, UMES, or USMO. Students are added to the Enterprise Directory when
                       they are "admitted with letter sent" and remain active until the next occurrence of the last semester for which they were
                       registered. Employees, in general, will remain active for thirty days past the separation date of their last appointment.
                       Persons needing accounts who are neither students nor employees must be entered into PHR as an affiliate by their
                       sponsoring department.



                       Communication will occur via the appropriate mailing lists.


                       Root Backup & Disaster Recovery Solution

                       The Enterprise Directory is currently on a nightly full backup schedule with hourly incremental database snapshots.



                       Applications needing only to authenticate users should consider using the UM Single-Signon Service (CAS). EIS also
                       provides the UMCP Shibboleth Identity Provider (IdP) and is a member of the InCommon federation.


                       Enterprise Directory Administrator Responsibilities

                       The Enterprise Directory infrastructure is composed of many different computing, administrative and consulting
                       services. This section provides a brief description of these services and specific contact information for each. OIT
                       installs and maintains the servers and support machines which run the Enterprise Directory. Staff within the Enterprise
                       Internet Services (EIS) group configure and maintain the Enterprise Directory servers for the campus Enterprise
                       Directory. Urgent problems related to directory servers or LDAP services should be reported by calling the OIT
                       Help Desk at 301.405.1500. For general discussion, this group can be contacted via e-mail at directory-


                       The responsibilities of the Enterprise Directory Administrators are:
                               Configure and maintain the Enterprise Directory servers.
                               Manage the flow of information to and from the Enterprise Directory. EIS also manages the replication of
                               directory information within the Enterprise Directory, and makes any enterprise-level changes to the directory,
                               such as schema modifications.
                               Diagnose all reported directory problems.
                               Provide backups for disaster recovery purposes.
                               Maintain the security of the directory.
                               Maintain test and development environments for internal and campus testing. OIT-TSS provides a test
                               environment that mimics the production environment so that services can be tested and questions answered
                               before introducing them into the production environment. Any department can participate in the test
                               environment in a manner appropriate to the way that they will participate in the production environment. Testing
                               may also be required before new services or applications are introduced into the production forest.
                               Communicate all enterprise-wide changes to the directory via listserv ( and other
                               technical team reflectors.
                               Support staff are required to have working knowledge of the Enterprise Directory.
                               Maintain a well-documented infrastructure diagram of their respective environments, including descriptions of
                               all services provided by directory servers.
                               Maintain the appropriate level of security and patch revisions on the directory servers as specified by OIT-TSS.
                               All changes to the directory will be approved by OIT's Change Management Committee.
                               Directory servers will be monitored 24x7 to ensure high availability.
                               Must have directory servers strategically located in multiple locations to provide redundancy in case of a
                               Servers must be physically secured.
                               Servers should have a current hardware agreement with the vendor.
                               On-call staff will monitor and resolve all issues pertaining to the servers.
                               Must have onsite support to resolve issues during business hours.
                               Must have a disaster recovery and backup/recovery solution for the Enterprise Directory.
                               Communicate and coordinate all scheduled and unscheduled outages or major upgrades to authDN
                               Must coordinate any maintenance that may affect the directory (e.g. replication, adding services, etc.).
                               Follow all OU administrator responsibilities below.

                       AuthDN Owner Responsibilities

                               Agree to the policies and guidelines for authDN owners.
                               Work closely with the EIS directory support team.
                               Ensure security and privacy of all data accessed.
                               Apply for a new authDN for every application server which will utilize Enterprise Directory for authentication.

                       Leaving/Change of Role(s) within Enterprise Directory

                       If at any time a department decides that it no longer requires an authDN, the department head or authDN owner will
                       need to provide a written statement (email or memo) to the directory administrators indicating this. If an authDN
                       owner changes (resignation, new job responsibilities, etc.), then the department head must notify the directory
                       administrators immediately of the new owner.



                       All College/Department/Unit heads and designated administrators will have to sign a Memorandum of Understanding
                       and the Enterprise Directory Policy in order to make use of the campus Enterprise Directory. It is the responsibility of
                       each authDN owner/administrator to comply with the above specifications and guidelines. Department heads will be
                       notified upon repeated violations by an authDN owner/administrator and told of the impact these have on the entire
                       directory infrastructure. In cases of gross negligence or refusal to adhere to the agreed policy, OIT will immediately
                       suspend the authDN credentials.


                       Access Request Process

                       Applications wishing greater access than anonymous binds to the Directory can request a Directory authDN. To initiate
                       the process, requestors must complete the Directory Data Request Questionnaire and e-mail the completed questionnaire

                       When the Directory administration staff receives the completed questionnaire they will review and work with the
                       requestor for clarification if necessary. Then an authDN data access request will be sent via email to the Unit Head and
                       campus data stewards for approvals of the specific user populations and data attributes for the application.

                       Once all approvals are received, OIT will send the requestor an e-mail with a customized Memorandum of
                       Understanding (MOU) for their application containing approved population and data attributes. The requestor is then
                       responsible for printing and signing the MOU, obtaining the Unit Head's signature and returning the MOU back to OIT
                       for review. After OIT receives the signed MOU, the authDN is created and the requestor notified via email with their
                       new authDN information.


          View the Memorandum of Understanding (MOU) (html/pdf)
          View the Enterprise Directory Best Practices (html/pdf)
