
Page 1: Recent Developments in Directories

Recent Developments in Directories

Tom Barton, University of Chicago

Keith Hazelton, University of Wisconsin

Page 2

14 October 2003 Internet2 Fall Member Meeting 2

Outline

Major themes
• Naming & structure for courses
• Group management toolset
• Non-eduPerson persons!

Roundup of other active threads

Prospective: Authorization

Pipe up with questions or comments at any time!!

Page 3

MACE-CourseID Working Group
Launched July 2003

http://middleware.internet2.edu/courseID/

Major project goals
1. Propose a standard data element syntax to describe courses and hierarchical components of courses.
2. Propose a schema describing courses and course components…

Page 4

MACE-CourseID Working Group

2. Propose a schema describing courses and course components that:

• conforms to IMS standards or requirements for course description

• maps readily from existing applications that utilize course descriptions, such as administrative data systems, instructional management systems, etc.

• Is Shibboleth compliant, to further leverage Shibboleth developments to enable authorization based on course enrollment

• Is valid for inter-institutional as well as international collaborations

Page 5

Course Object Structure (DRAFT), Tom Barton et al.

A Course is Offered in a given Session by means of one or more Sections that have specified Meetings.

Four ways to represent Cross Listings.

Sections have Roles (ala IMS).

Metadata about courses, sessions, meetings is unspecified … and therefore general enough!

Page 6

Single, globally unique identifier for course offering at section level (DRAFT), G. Agnew, K. Hazelton

The CourseID WG would name some agent to register as a namespace authority under the MACE URN, requesting that they be assigned the URN namespace urn:mace:courseid

Institutions would be encouraged to identify courses under their DNS name, e.g. urn:mace:courseid:uchicago.edu…

Page 7

Single, globally unique identifier for course offering at section level (DRAFT), G. Agnew, K. Hazelton (continued)

Local course offering identifiers could be formed by combining whatever the institution uses as the short name in the timetable of course offerings with some indicator of the particular session in question as well as the primary section, e.g. urn:mace:courseid:uchicago.edu:Physics-101:fall-2004:section-01

Page 8

Single, globally unique identifier for course offering at section level (DRAFT), G. Agnew, K. Hazelton (continued)

Choices ahead on formation of course-offering-section identifiers

• More prescriptive, standardized vs. more local autonomy, local preferences
  – Stipulate ISO start-end dates rather than idiomatic “fall-04”

• More opaque vs. more suggestive components
  – :uchicago.edu:35433:A2334:3002-1 vs. earlier example

• More self-contained vs. more reliant on associated metadata
  – :uchicago.edu:IPEDS-Physics-sequence-for-majors:first-semester-….section-lead:j-spencer01
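The three slides above describe the draft identifier but not what a relying party should check when one arrives in an attribute assertion. The following is an added example, not code from the MACE-CourseID working group: it parses the seven-component form shown on the slides (urn:mace:courseid:institution:course:session:section), enforces RFC 2141 character rules per component, recognises the "prescriptive" ISO session form (assumed here to be two ISO dates joined by "_", one way to realise the "ISO start-end dates" option), and checks that the institution named in the identifier is one the asserting party is entitled to speak for. The function names, the ISO session layout and the sample identifiers are this example's assumptions.

```python
"""Parse and check MACE CourseID section identifiers of the form
    urn:mace:courseid:<institution DNS name>:<course>:<session>:<section>

Added example for the naming slides above; it is not code from the
MACE-CourseID working group. The seven-component layout follows the slide's
urn:mace:courseid:uchicago.edu:Physics-101:fall-2004:section-01 example; the
ISO session form ("YYYY-MM-DD_YYYY-MM-DD"), the character rules and the
issuer check are this example's assumptions.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional, Tuple

NAMESPACE = "urn:mace:courseid"

# RFC 2141 allows these characters unescaped in a URN's namespace-specific
# string; ':' is left out because it separates components here. Anything else
# (spaces, '/', '%', non-ASCII) is rejected rather than silently accepted.
_COMPONENT = re.compile(r"^[A-Za-z0-9()+,\-.=@;$_!*']+$")
_DNS_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Assumed prescriptive session form: ISO start and end dates joined by '_'.
_ISO_SESSION = re.compile(r"^(\d{4}-\d{2}-\d{2})_(\d{4}-\d{2}-\d{2})$")


@dataclass(frozen=True)
class CourseSectionId:
    institution: str   # DNS name of the institution that issued the identifier
    course: str        # local short name or opaque code
    session: str       # idiomatic ("fall-2004") or ISO date range
    section: str       # primary section

    def __str__(self) -> str:
        return ":".join((NAMESPACE, self.institution, self.course, self.session, self.section))


def parse_courseid(urn: str) -> CourseSectionId:
    """Split and validate one identifier; raise ValueError on anything malformed."""
    parts = urn.split(":")
    # "urn", the NID and the MACE-delegated namespace are case-insensitive
    # (RFC 2141); the institution is a DNS name, so it is folded too. The
    # remaining components are compared byte-for-byte.
    if len(parts) != 7 or [p.lower() for p in parts[:3]] != ["urn", "mace", "courseid"]:
        raise ValueError(f"not a {NAMESPACE} section identifier: {urn!r}")
    institution, course, session, section = parts[3:]
    labels = institution.lower().split(".")
    if len(labels) < 2 or not all(_DNS_LABEL.match(label) for label in labels):
        raise ValueError(f"institution component is not a DNS name: {institution!r}")
    for name, value in (("course", course), ("session", session), ("section", section)):
        if not _COMPONENT.match(value):
            raise ValueError(f"{name} component needs URN escaping: {value!r}")
    return CourseSectionId(".".join(labels), course, session, section)


def session_dates(cid: CourseSectionId) -> Optional[Tuple[date, date]]:
    """(start, end) for the prescriptive ISO session form; None for an
    idiomatic session such as "fall-2004", which only local metadata can resolve."""
    m = _ISO_SESSION.match(cid.session)
    if m is None:
        return None
    start, end = (date.fromisoformat(s) for s in m.groups())
    if end < start:
        raise ValueError(f"session ends before it starts: {cid.session!r}")
    return start, end


def issued_by(cid: CourseSectionId, asserting_scopes: Iterable[str]) -> bool:
    """An enrollment in this section may only be trusted from a party that
    speaks for the institution in the identifier (assumption: the relying
    party keeps a per-asserter list of DNS scopes, as Shibboleth does for
    scoped attributes). Exact match only: "evil.uchicago.edu" and
    "uchicago.edu.example" are different institutions."""
    return cid.institution in {s.lower() for s in asserting_scopes}
```

The split between `parse_courseid` and `issued_by` mirrors the slide's goal of "authorization based on course enrollment": a syntactically valid identifier says nothing about who may assert enrollment in it, so the issuer check is a separate step the relying party must perform against its own trust configuration.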

Page 9

Discussion items

Scope of CourseID work
• What to work on
• What to work on first, second, …
• What NOT to tackle (leave for others)
• Scenarios offer guidance on scope question
• Tug between mind sets of WG participants
  – requirements to support individual Shib pilots
  – requirements to support general IMS models

Related initiatives

Inter-group coordination

Page 10

Group toolset: a brief history

• February 2002: “Practices in Directory Groups” completed

• Operational issues attending deployments of groups:
  – Automated update from source systems
  – Ad hoc maintenance delegated to individuals or processes
  – Maintaining referential integrity
  – Provisioning of group information in multiple locations
  – Orderly removal of stale groups (aging)
  – Partial orderings of groups (e.g., subgroups)
  – Direct vs. indirect membership
  – Group math: referring to set theoretic combinations of groups
  – Meeting security, privacy, & visibility requirements

Page 11

Group toolset: a brief history

• June 2002: Initial discussion of RIbot, Grouper, GASP

• July 2002: “SAGE” replaces “GASP”, then discussion thread GASPs…

• November 2002: initial “SAGE Scenarios” draft

• February 2003: restart MACE-Dir-Groups conference calls to develop SAGE Scenarios doc

Page 12

Group toolset: a brief history

• “SAGE Scenarios” released with NMI R3 in April 2003.

• High level requirements
  – Don’t build a metadirectory
  – Automatic processing for enterprise groups
  – Manual processing for ad hoc groups
  – Multiple representations (in LDAP)
  – Multiple group types (security, courses, roles, …)
  – Group math
  – Web service

Page 13

Group toolset: a brief history

• May 2003: design oriented discussions begin

• June 2003: We discover that “SAGE” name is taken

• July 2003: Inception of “export Stanford’s Authority Manager” idea

• August-September 2003:
  – “Grouper” replaces “SAGE”
  – Begin consideration of relationship between Stanford’s work and MACE-Dir-Groups (ergo, “Group Toolset”)

• October 2003: Straw Man architecture

Page 14

(diagram slide; no text in the transcript)

Page 15

Group Toolset architecture elements

http://middleware.internet2.edu/dir/groups/docs/draft-barton-grouptools-arch-01.html

Stream Loader – automated
• Processes streams of records according to a set of rules to add/remove members from groups
• Must already have an identity management system – distinct member identifiers in source streams must refer to distinct real world objects

Groups Manager Applications – ad hoc
• Delegate aspects of group management to humans
• One per “type” of group being managed

Page 16

Group Toolset architecture elements

Groups Registry
• Relational database containing membership & other group metadata
• Supports multiple (locally defined) group types
  – Basic
  – Course (ala courseID work, perhaps)
  – Department
  – Role
  – Your type here
• Supports multiple “membership attributes”
  – Members, owners, enrollees, instructors, TAs, permissions, obligations, …
• Supports subgroups

Page 17

Group Toolset architecture elements

API
• Integrates all access to the Groups Registry by elements of this architecture
• Serializes updates
• Determines & enumerates atomic changes

Provisioning Connectors
• Pulls all changes since last change number
• Responsible for all aspects of group presentation in connected consumer
• LDAP, AD, flat files, xml docs, …
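The three architecture slides above fit together as one data path: a stream loader applies rules to source records, every update is serialized through one API into a registry of typed groups with several membership attributes and subgroups, each update is logged as an atomic change with an increasing change number, and a connector pulls whatever it has not yet seen and decides how that looks in its consumer. The following is an added example of that path in miniature; it is not code from Grouper, Stanford's Authority Manager or the MACE-Dir-Groups straw man. The class names, the record and rule shapes the loader consumes, the LDAP layout (ou=groups and ou=people under a made-up base DN, the registry's "members" attribute rendered as LDAP `member`, plus an `isMemberOf` back-reference on the person entry) and the sample records are this example's assumptions.

```python
"""Toy Groups Registry: serialized updates, an atomic change log, a stream
loader and a pull-style LDIF provisioning connector. Added example for the
Group Toolset architecture slides; not code from Grouper, Stanford's Authority
Manager or MACE-Dir-Groups. Class names, the record/rule shape fed to the
loader, the LDAP layout and the sample records are this example's assumptions."""
import itertools
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

SUBGROUP = "group:"   # subject prefix marking a subgroup rather than a person


@dataclass(frozen=True)
class Change:
    number: int    # strictly increasing; a connector remembers the last one it consumed
    op: str        # "add" or "remove"
    group: str
    attr: str      # membership attribute: members, instructors, tas, owners, ...
    subject: str   # person identifier, or SUBGROUP + group name


class GroupsRegistry:
    """(group, membership attribute) -> direct subjects, plus the change log."""

    def __init__(self) -> None:
        self._types: Dict[str, str] = {}                   # group -> local group type
        self._direct: Dict[Tuple[str, str], Set[str]] = {}
        self._log: List[Change] = []
        self._seq = itertools.count(1)

    def create(self, group: str, gtype: str = "basic") -> None:
        self._types[group] = gtype

    def apply(self, op: str, group: str, attr: str, subject: str) -> Optional[Change]:
        """Serialize one update; None means no-op (already present/absent), so
        replaying a source stream is safe. Unknown groups are refused."""
        if op not in ("add", "remove"):
            raise ValueError(f"unknown op {op!r}")
        if group not in self._types:
            raise KeyError(f"unknown group {group!r}")
        if subject.startswith(SUBGROUP) and subject[len(SUBGROUP):] not in self._types:
            raise KeyError(f"unknown subgroup {subject!r}")
        current = self._direct.setdefault((group, attr), set())
        if (subject in current) == (op == "add"):
            return None
        (current.add if op == "add" else current.discard)(subject)
        self._log.append(Change(next(self._seq), op, group, attr, subject))
        return self._log[-1]

    def effective(self, group: str, attr: str = "members") -> Set[str]:
        """Group math: direct subjects of (group, attr) plus, transitively, the
        members of each subgroup listed there; `seen` makes subgroup cycles harmless."""
        people, seen, stack = set(), set(), [(group, attr)]
        while stack:
            key = stack.pop()
            if key in seen:
                continue
            seen.add(key)
            for s in self._direct.get(key, ()):
                if s.startswith(SUBGROUP):
                    stack.append((s[len(SUBGROUP):], "members"))
                else:
                    people.add(s)
        return people

    def changes_since(self, number: int) -> List[Change]:
        return [c for c in self._log if c.number > number]


def load_stream(registry: GroupsRegistry, records: Iterable[dict], rules) -> List[Change]:
    """Stream Loader: offer each source record to every rule; a rule returns
    (group, attr, subject) or None. Assumes the identifiers already come from
    an identity management system, so equal ids denote the same person."""
    applied = []
    for rec in records:
        for target in (rule(rec) for rule in rules):
            change = registry.apply(rec["op"], *target) if target is not None else None
            if change is not None:
                applied.append(change)
    return applied


class LdifConnector:
    """Provisioning connector: pulls everything after the last change number it
    consumed and owns the LDAP presentation (group value + isMemberOf back-reference)."""
    LDAP_ATTR = {"members": "member"}   # registry attribute -> LDAP attribute name

    def __init__(self, base: str = "dc=example,dc=edu") -> None:
        self.base, self.last_seen = base, 0

    def pull(self, registry: GroupsRegistry) -> List[str]:
        out = []
        for c in registry.changes_since(self.last_seen):
            mod = "add" if c.op == "add" else "delete"
            attr = self.LDAP_ATTR.get(c.attr, c.attr)
            out.append(f"dn: cn={c.group},ou=groups,{self.base}\nchangetype: modify\n"
                       f"{mod}: {attr}\n{attr}: {c.subject}\n")
            if c.attr == "members" and not c.subject.startswith(SUBGROUP):
                out.append(f"dn: uid={c.subject},ou=people,{self.base}\nchangetype: modify\n"
                           f"{mod}: isMemberOf\nisMemberOf: {c.group}\n")
            self.last_seen = c.number
        return out
```

Two of the "thorny issues" on the next slide show up directly: a subgroup is stored as a reference, so `effective()` has to expand it (and must tolerate a cycle), and the change log is the only thing a connector ever reads, so a consumer that is down for a week catches up by asking for everything after its last change number rather than by a full re-export.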

Page 18

Group Toolset: next steps

Refine the architecture into finer level of detail

Resolve several thorny issues
• Nature of rules to process streams
• Representation of compound groups
• Representation of changes

Decide which subset of the result should be built, initially

Page 19

otherPerson schema efforts

localPerson schema survey by MACE-Dir

Int’l coordination of person schema efforts

Page 20

localPerson schema survey by MACE-Dir

http://middleware.internet2.edu/dir/

http://middleware.internet2.edu/dir/localsurvey.html

Page 21

localPerson schema survey by MACE-Dir

• Institution-level need for attributes not provided in existing object classes
• Describe the attributes you’ve added & why
• Have you created a container object class for them?
  – Auxiliary, structural?

Page 22

localPerson schema survey by MACE-Dir

Are there emergent common or best practices?

Are there some attributes that could be promoted to eduPerson?

Other actions suggested by survey results?

Thanks to Brendan Bellina (Notre Dame) and Ann West (Mich. Tech. U) for driving this!

Page 23

Int’l Collaboration on Schema Work

Person schema activities are flourishing

http://domen.uninett.no/~im/schema/ (Ingrid Melve, Uninett)
• norEduPerson
• funetEduPerson
• swissEduPerson
• NLEduPerson
• DEEP survey questions on schema needs
• & further afield, WALAP activity in Australia

Page 24

Collaboration on Schema Work

What to work toward?

(In order of increasing difficulty and decreasing probability of success)
• Agreement on a list of interesting attributes
• Common syntax and semantics across schema for given attribute type
  – A kind of inter-federation diplomatic activity
• Agreement on inclusion in a standard schema
  – eduPerson?
  – Next release of X.520?
  – Other candidates?

• Processes for ongoing schema coordination

Even common syntax & semantics would boost interoperability in attribute mapping

Page 25

Collaboration on Schema Work

How will we do the work?

Internet2 is scheduling a concentrated series of conference calls
• Europe & US (one set of calls)
• …and Pacific – US (a second, parallel set of calls)

Charter is to tackle the identified work items
• Time permitting, move on to organizational object schema

Page 26

Roundup of other activity

eduPersonScopedAffiliation attribute
• Driven by Shibboleth needs
• Syntax like eduPersonPrincipalName, e.g. [email protected]
• Raises problems about who is authorized to assert what
  – An “inter-realm metadirectory function”
  – A field full of ratholes and land mines…

eduPersonAffiliation value vocabulary growth
• Prospect, parent
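The "who is authorized to assert what" problem has a concrete shape on the relying-party side: a value such as faculty@some.edu is only meaningful if the identity provider that sent it is entitled to speak for that scope, and an unrecognised affiliation token (for instance one from a not-yet-adopted vocabulary extension) should not silently grant anything. The following is an added example of that check, not Shibboleth code. The affiliation vocabulary is assumed to be the eduPerson vocabulary of the time, with the proposed "prospect" and "parent" values deliberately left out; the IdP-to-scope table, the entity IDs and the sample values are constructed for the example.

```python
"""Accept eduPersonScopedAffiliation values only from a party entitled to
assert them. Added example for the "who is authorized to assert what" point;
not Shibboleth code. The affiliation vocabulary is assumed (eduPerson of the
time, without the proposed "prospect"/"parent" values); the IdP-to-scope
table and sample values are constructed for the example."""
import re
from typing import Dict, Iterable, List, Set, Tuple

AFFILIATIONS: Set[str] = {"faculty", "student", "staff", "employee", "member", "affiliate", "alum"}

# Assumption: the scopes each identity provider may speak for, as the relying
# party's federation metadata would record them.
IDP_SCOPES: Dict[str, Set[str]] = {
    "https://idp.uchicago.edu/shibboleth": {"uchicago.edu"},
    "https://idp.wisc.edu/shibboleth": {"wisc.edu"},
}

# affiliation@scope, like eduPersonPrincipalName: one '@', scope is a DNS name.
_SCOPED = re.compile(r"^([A-Za-z]+)@([A-Za-z0-9][A-Za-z0-9.-]*)$")


def accept_scoped_affiliations(idp: str, values: Iterable[str],
                               scopes: Dict[str, Set[str]] = IDP_SCOPES) -> List[Tuple[str, str]]:
    """Return the (affiliation, scope) pairs the relying party may rely on.
    Dropped: malformed values, affiliations outside the vocabulary, and any scope
    the asserting IdP is not authorized for. Scope comparison is an exact,
    case-folded match: "wisc.edu.attacker.example" is not wisc.edu."""
    allowed = {s.lower() for s in scopes.get(idp, set())}
    kept = []
    for value in values:
        m = _SCOPED.match(value.strip())
        if m is None:
            continue
        affiliation, scope = m.group(1).lower(), m.group(2).lower()
        if affiliation in AFFILIATIONS and scope in allowed:
            kept.append((affiliation, scope))
    return kept


def permits(idp: str, values: Iterable[str], required: Set[str], scope: str) -> bool:
    """Authorization decision: does the IdP's assertion establish one of the
    required affiliations at exactly the expected scope?"""
    return any(a in required and s == scope.lower()
               for a, s in accept_scoped_affiliations(idp, values))
```

The filter runs before any authorization logic sees the attribute, which is the point of calling this an "inter-realm" function: the IdP decides what it asserts, but the relying party decides which asserter may say it about which realm, and an IdP not present in the scope table gets nothing accepted at all.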

Page 27

Roundup of other activity

eduPerson implementation files
• .ldif, .schema, programmatic loader

eduOrg
• Should it support Shibboleth based Federations?

H.350 & video middleware cookbook
• http://metric.it.uab.edu/vnet/cookbook

LDAP Analyzer
• Will rev to track changes to eduPerson, eduOrg, & H.350.

Page 28

Roundup of other activity

isMemberOf
• What: attribute in member objects that lists references to groups to which that object belongs
• Status: Related work in IETF being reviewed, prior to submitting a proposal to ITU study group 16 to include in X.520.

Page 29

Authorization Perspective on MACE-Dir Work Areas

Support for authZ: metadir, registry, directory
• Coming to fore in Group toolset work with Grouper, Stanford
• Info model to support authZ requirements:
  – Non-person objects (courses, services, resources, ...)
  – Relationally structured authZ info: "instructors in physics”
  – Identifiers for each and every one of these info objects (principles on naming)

Page 30

MACE-Dir BoF

Where: Lincoln room

When: 5:45 – 7:15 tonight (i.e., now)

What:
• Discussion of future work
• Food & drink