Purpose of policy

The purpose of this policy is to provide requirements and specific recommendations for the successful operation of the UMD Enterprise Directory.

Top

Scope

This policy applies to all computer support personnel making use of UMD's Enterprise Directory. It covers information regarding the design of the Enterprise Directory, responsibilities for computer support personnel and compliance guidelines.

Top

Access request process

Applications that need Single Sign-On (SSO authentication) and information retrieval integration services should see the UMD Enterprise Directory: Requesting SSO & Integration Services article.

Top

Enterprise Directory

Document Information Tree (DIT)

The Enterprise Directory contains a single DIT which is subdivided into six branches:

• people (active users)
• application (application specific sub-branches)
• entity (non-person objects such as listservs)
• extended-service (former students)
• associate (wireless access)
• ldap (internal service objects)
  
  

People objects are created for all employees, students and affiliates (as defined in PHR) of UMCP as well as employees of UMBI, UMCES, UMES, and USMO.

The servers and services (hardware/software) which run and support the Enterprise Directory are monitored by DIT administrators on a 24x7 basis.

Top

Schema & data visibility

The schema is a definition of all object classes and their attributes contained within the directory. An annotated attribute schema can be found at UMD Directory Services: Schema. The schema may be dynamically extended through the approval of DIT and the Directory administrators. Schema testing in a staged environment will occur before and during the request for modifications. Changes will only be implemented after two weeks of successful testing with no major issues identified.

Data visibility is controlled by registering an application and associating it with various Access Control Lists (ACLs) which control the objects and the attributes of those objects that can be accessed.  Issuing applications LDAP binding credentials (dn & password) is referred to as an "authDN", however, other binding methods/protocol are supported (e.g. CAS & SAML). 

All authenticated binds must be done over a secure connection (SSL/TLS).

Top

Data update

The Enterprise Directory is updated daily with data drawn from PHR and SIS representing people who have active relationships with UMCP, UMBI, UMCES, UMES, or USMO. Students are added to the Enterprise Directory when they are "admitted with letter sent" and remain active until the next occurrence of the last semester for which they were registered. Employees, in general, will remain active for thirty days past the separation date of their last appointment. Persons needing accounts who are neither students nor employees must be entered into PHR as an affiliate by their sponsoring department.

Top

Communication

Communication will occur via the appropriate mailing lists.

Top

Root backup & disaster recovery solution

The Enterprise Directory is currently on a nightly full backup schedule.

Top

Authentication

Application needing to merely authenticate users should consider using the UM Single-Signon Service (CAS). The SAML protocol is also supported via the UMCP Shibboleth Identity Provider (IdP), a member of the InCommon federation.

Top

Enterprise Directory administrator responsibilities

The Enterprise Directory Infrastructure is composed of many different computing, administrative and consulting services. This section provides a brief description of these services and specific contact information for each. DIT installs and maintains the servers and support machines which run Enterprise Directory. Staff within the Identity and Access Management (IAM) group configure and maintain the Enterprise Directory servers for the campus Enterprise Directory. Urgent problems related to directory servers or LDAP services should be reported by calling the DIT Help Desk Desk at 301.405.1500. For general discussion, this group can be contacted via e-mail at directory-administrator@umd.edu.

The responsibilities of the Enterprise Directory Administrators are:

• Configure and maintain the Enterprise Directory servers.
• Manage the flow of information to and from the Enterprise Directory. IAM also manages the replication of directory information within the Enterprise Directory, and makes any enterprise level changes to the directory, such as schema modifications.
• Diagnose all reported directory problems.
• Provide backups for disaster recovery purposes
• Responsible for maintaining security of the directory.
• Maintain test and development environments for internal and campus testing. DIT-TSS provides a test environment that mimics the production environment so that services can be tested and questions answered before introducing them into the production environment. Any department can participate in the test environment in a manner appropriate to the way that they will participate in the production environment. Testing may also be required before new services or applications are introduced into the production forest.
• Communicate all enterprise-wide changes to the directory via listserv and other technical team Google groups.
• Support staff required to have working knowledge of the Enterprise Directory.
• Maintain a well documented infrastructure diagram of their respective environments, including descriptions of all services provided by directory servers.
• Maintain the appropriate level of security and patch revisions on the directory servers as specified by DIT-TSS.
• All changes to the directory will be approved by DIT's Change Management Committee
• Directory servers will be monitor 24x7 to ensure high availability.
• Must have directory servers strategically located in multiple locations to provide redundancy in case of a disaster.
• Servers must be physically secured.
• Servers should have a current hardware agreement with vendor.
• On-call staff will monitor and resolve all issues pertaining to the servers
• Must have onsite support to resolve issues during business hours
• Must have disaster recovery & backup/recovery solution for the Enterprise Directory.
• Communicate and coordinate all scheduled and unscheduled outages or major upgrades to integrated application owners/administrators.
• Must coordinate any maintenance that may affect the directory (i.e. replication, adding services, etc.)
• Follow all OU administrator responsibilities below.

Top

AuthDN owner responsibilities

• Agree to the policies and guidelines for integrated application owners.
• Work closely with the IAM directory support team.
• Ensure security and privacy of all data accessed.
• Apply for a new integration for every application server which will utilize Enterprise Directory for authentication.

Top

Joining/leaving/change of role (s) within Enterprise Directory

If at any time a department decides that it no long requires an Enterprise Directory integration, the department head or application owner will need to provide a written statement (email or memo) to the director administrators indicating this. If an application owner changes (resignation, new job responsibilities, etc.), then department head must notify the directory administrators immediately of the new owner.

Top

Compliance

All Colleges/Departments/Units heads and designated administrators will have to sign a Memorandum of Understanding and the Enterprise Directory Policy in order to make use of the campus Enterprise Directory. It is the responsibility of each application owner/administrator to comply with the above specifications and guidelines. Department heads will be notified upon repeated violations by an application owner/administrator and explained the impact it has on the entire directory infrastructure. In cases of gross negligence or refusal to adhere to the agreed policy, DIT will immediately suspend the application credentials.

Top