The purpose of this policy is to provide requirements and specific recommendations for the successful operation of the UMD Enterprise Directory.
This policy applies to all computer support personnel making use of UMD's Enterprise Directory. It covers information regarding the design of the Enterprise Directory, responsibilities for computer support personnel and compliance guidelines.
Applications that need Single Sign-On (SSO authentication) and information retrieval integration services should see the UMD Enterprise Directory: Requesting SSO & Integration Services article.
The Enterprise Directory contains a single directory information tree (DIT) which is subdivided into six branches:
People objects are created for all employees, students and affiliates (as defined in PHR) of UMCP as well as employees of UMBI, UMCES, UMES, and USMO.
The servers and services (hardware/software) which run and support the Enterprise Directory are monitored by DIT administrators on a 24x7 basis.
The schema is a definition of all object classes and their attributes contained within the directory. An annotated attribute schema can be found at UMD Directory Services: Schema. The schema may be dynamically extended through the approval of DIT and the Directory administrators. Schema testing in a staged environment will occur before and during the request for modifications. Changes will only be implemented after two weeks of successful testing with no major issues identified.
Data visibility is controlled by registering an application and associating it with various Access Control Lists (ACLs), which control the objects, and the attributes of those objects, that can be accessed. The LDAP binding credentials (a DN and password) issued to an application are referred to as an "authDN"; other binding methods/protocols (e.g. CAS and SAML) are also supported.
All authenticated binds must be done over a secure connection (SSL/TLS).
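As an added illustration of the two rules above (not code from the UMD policy or from DIT), the following stand-alone Python check evaluates an application's LDAP bind settings: an authDN bind is only compliant when the session is encrypted, either via ldaps:// or via STARTTLS on ldap://, and the TLS context it builds verifies the server certificate. All hostnames, ports and DNs are constructed placeholders, not real UMD values.

```python
"""Added example, not part of the UMD Enterprise Directory policy: check that an
application's LDAP bind configuration satisfies the requirement that every
authenticated bind (authDN + password) is made over SSL/TLS.  The server
names, ports and DNs used here are constructed placeholders."""
import ssl
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class BindConfig:
    url: str                    # LDAP URL the application connects to
    auth_dn: Optional[str]      # the application's authDN; None means an anonymous bind
    starttls: bool = False      # client upgrades a plain ldap:// session with STARTTLS


def connection_is_secure(cfg: BindConfig) -> bool:
    """True when the session is encrypted: ldaps://, or ldap:// followed by STARTTLS."""
    scheme = urlparse(cfg.url).scheme.lower()
    if scheme == "ldaps":
        return True
    if scheme == "ldap":
        return cfg.starttls
    return False  # unknown scheme: treat as not secure


def check_bind_policy(cfg: BindConfig) -> List[str]:
    """Return policy findings for one bind configuration; an empty list means compliant."""
    findings: List[str] = []
    if cfg.auth_dn is not None and not connection_is_secure(cfg):
        findings.append("authenticated bind would send the authDN password in the clear")
    return findings


def client_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Build a client-side TLS context that verifies the directory server's
    certificate and hostname and refuses TLS versions older than 1.2.
    ca_file: optional PEM bundle for the CA that issued the server certificate
    (assumed to be supplied by the deployment; defaults to the system trust store)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    # Constructed sample configurations: one non-compliant, two compliant.
    app_dn = "cn=sampleapp,ou=applications,dc=example,dc=invalid"
    samples = {
        "plaintext ldap": BindConfig("ldap://ldap.example.invalid:389", app_dn),
        "ldaps": BindConfig("ldaps://ldap.example.invalid:636", app_dn),
        "ldap + starttls": BindConfig("ldap://ldap.example.invalid:389", app_dn, starttls=True),
    }
    for name, cfg in samples.items():
        print(f"{name:16s}: {check_bind_policy(cfg) or 'compliant'}")
```

The check deliberately treats any scheme other than `ldap` or `ldaps` as insecure, so a typo in a configuration file fails closed rather than passing silently.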
The Enterprise Directory is updated daily with data drawn from PHR and SIS representing people who have active relationships with UMCP, UMBI, UMCES, UMES, or USMO. Students are added to the Enterprise Directory when they are "admitted with letter sent" and remain active until the next occurrence of the last semester for which they were registered. Employees, in general, will remain active for thirty days past the separation date of their last appointment. Persons needing accounts who are neither students nor employees must be entered into PHR as an affiliate by their sponsoring department.
Communication will occur via the appropriate mailing lists.
The Enterprise Directory is currently on a nightly full backup schedule.
Applications that only need to authenticate users should consider using the UM Single-Signon Service (CAS). The SAML protocol is also supported via the UMCP Shibboleth Identity Provider (IdP), a member of the InCommon federation.
The Enterprise Directory Infrastructure is composed of many different computing, administrative and consulting services. This section provides a brief description of these services and specific contact information for each. DIT installs and maintains the servers and support machines which run the Enterprise Directory. Staff within the Identity and Access Management (IAM) group configure and maintain the Enterprise Directory servers for the campus Enterprise Directory. Urgent problems related to directory servers or LDAP services should be reported by calling the DIT Help Desk at 301.405.1500. For general discussion, this group can be contacted via e-mail at firstname.lastname@example.org.
The responsibilities of the Enterprise Directory Administrators are:
If at any time a department decides that it no longer requires an Enterprise Directory integration, the department head or application owner will need to provide a written statement (email or memo) to the directory administrators indicating this. If an application owner changes (resignation, new job responsibilities, etc.), then the department head must notify the directory administrators immediately of the new owner.
All College/Department/Unit heads and designated administrators will have to sign a Memorandum of Understanding and the Enterprise Directory Policy in order to make use of the campus Enterprise Directory. It is the responsibility of each application owner/administrator to comply with the above specifications and guidelines. Department heads will be notified upon repeated violations by an application owner/administrator and told the impact these have on the entire directory infrastructure. In cases of gross negligence or refusal to adhere to the agreed policy, DIT will immediately suspend the application credentials.