
Enterprise Directory

The Enterprise Directory (ED) is the current generation of the Virginia Tech LDAP Directory (VTLDAP). EduPerson 1.0 compliant, ED works with a wide range of applications developed for educational institutions. The VTLDAP lets programs make finer-grained authorization decisions, gives people greater control over their information, and protects their privacy more effectively. Below, you will find information on the Enterprise Directory components and general documentation about ED.



Enterprise Directory Components

ED-Lite

ED-Lite is a public, anonymously accessible directory used for white-pages queries. It can be accessed in several ways:

  • You use it when you look up Virginia Tech faculty, staff, and students using the PeopleSearch (http://webapp.middleware.iad.vt.edu/PeopleSearch/howto.jsp) Web tool.
  • You can configure your e-mail client to use ED-Lite to look up people's names and e-mail addresses.
  • Application developers can use XMLPeopleSearch, which is a middleware layer for integrating ED-Lite with applications.

Using PeopleSearch

Depending upon your affiliation with the university, public display of directory data is governed by various laws and university policies, such as the Family Educational Rights and Privacy Act (FERPA) (http://www.registrar.vt.edu/students/ferpa.html), the Virginia Freedom of Information Act (FOIA) (http://www.policies.vt.edu/FOIAa.php), plus internal university and IT policies and procedures. Affiliates with an exceptional need for privacy may elect to mark themselves as confidential, which means that most or all of their contact information will not appear in ED-Lite, but be aware that this significantly hinders the ability of others to contact you for legitimate university business. For more information, refer to Confidentiality Options (http://www.computing.vt.edu/accounts_and_access/confidentiality.html). For instructions on changing your confidentiality settings in PeopleSearch, see Suppressing or Unsuppressing Your Personal Information (http://answers.vt.edu/kb/entry/221/).

Configuring Your E-mail Client

To find instructions for configuring your e-mail client to use ED-Lite, go to www.answers.vt.edu (http://answers.vt.edu/) and enter directory.vt.edu in the Search text box. There you will find instructions for many of the most popular e-mail clients, including Entourage, Eudora, Evolution, Netscape, OS X Mail, Outlook, and Outlook Express.

Using XMLPeopleSearch

For more information, refer to the XML People Search (http://webapp-dev.middleware.iad.vt.edu/peoplesearch/howto.jsp) page.


ED-Auth

ED-Auth is a secure authentication and lightweight authorization service targeted at application developers. The idea behind ED-Auth is simple: for each online service provided by the university, a subset of people affiliated with Virginia Tech who have or are eligible for a PID should be able to use that PID to log in to that service. To do this, the application should securely accept the PID and password, confirm that the person has provided the appropriate credentials (authentication), and then determine whether this authenticated person should be allowed to access the system by inspecting attributes associated with that person (authorization). ED-Auth supports PID/password verification and basic authorization services: applications can inspect affiliations associated with the authenticated person. For more information, see Person Affiliations Explained (http://www.computing.vt.edu/infrastructure_services/enterprise_directory/person_affiliations.pdf) (PDF).

Using ED-Auth

Developers may use ED-Auth to integrate PID-password authentication with open source, locally written, and some commercial applications. To use this service, you must read and agree to abide by Identity Management Services' (IMS) ED-Auth Usage Requirements (PDF) (http://computing.vt.edu/infrastructure_services/enterprise_directory/ed_usage_requirements.pdf). Middleware provides an ED LDAP Library (http://www.middleware.vt.edu/tools/ed-ldap.html) which is written in Java and developed by Middleware Services. Middleware Services provides ED-Auth Connection Instructions (http://www.middleware.vt.edu/pubs/ed_auth_connection_instructions.pdf) for integrating applications written in other languages, including C, Perl, and PHP.
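
The authenticate-then-authorize flow described above, as an added Python example that is not taken from the ED LDAP Library or the ED-Auth Connection Instructions. The `uid` attribute name, the `bind` callable (a stand-in for the real search and bind over TLS), and the sample people are assumptions made for illustration; only `eduPersonAffiliation` comes from this page.

```python
from typing import Callable, Mapping, Optional, Sequence, Set

Entry = Mapping[str, Sequence[str]]
# Stand-in for "find the entry, then bind as it over TLS"; returns the entry's
# attributes on success and None on failure. Hypothetical interface.
Binder = Callable[[str, str], Optional[Entry]]

# RFC 4515: characters that must be escaped inside a search-filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def pid_filter(pid: str, pid_attr: str = "uid") -> str:
    # pid_attr is a placeholder; the real attribute name is not given on this page.
    return f"({pid_attr}={escape_filter_value(pid)})"

def login(pid: str, password: str, bind: Binder, allowed: Set[str]) -> str:
    # An empty password turns an LDAP simple bind into an unauthenticated
    # bind (RFC 4513 section 5.1.2), which a server may accept; refuse it here.
    if not pid or not password:
        return "denied: missing credentials"
    entry = bind(pid_filter(pid), password)          # step 1: authenticate
    if entry is None:
        return "denied: authentication failed"
    held = {a.lower() for a in entry.get("eduPersonAffiliation", ())}
    if held.isdisjoint(allowed):                     # step 2: authorize
        return "denied: not authorized"
    return "granted"

# Constructed sample data: an in-memory directory keyed by the exact filter.
_PEOPLE = {
    "(uid=jdoe)": ("s3cret", {"eduPersonAffiliation": ["staff", "member"]}),
    "(uid=asmith)": ("hunter2", {"eduPersonAffiliation": ["alum"]}),
}

def fake_bind(ldap_filter: str, password: str) -> Optional[Entry]:
    record = _PEOPLE.get(ldap_filter)
    if record and record[0] == password:
        return record[1]
    return None

if __name__ == "__main__":
    cases = [("jdoe", "s3cret"), ("jdoe", ""), ("asmith", "hunter2"), ("*", "s3cret")]
    for pid, pw in cases:
        print(pid, "->", login(pid, pw, fake_bind, {"staff", "faculty"}))
```

In a real integration, replace `fake_bind` with the bind procedure from the ED-Auth Connection Instructions and take the allowed affiliation values from Person Affiliations Explained.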


ED-ID

ED-ID is a restricted directory used for authorization based on fine-grained attributes and groups. It contains all the white-pages and authentication/authorization data contained in ED-Lite and ED-Auth plus additional authorization data. Access is based on service accounts that determine how much of the data in ED-ID can be viewed. ED-ID requires a client certificate signed by the VT Middleware CA in order to bind using the SASL EXTERNAL mechanism. SSL/TLS plus client certificates are required for access.

Using ED-ID

Developers can use ED-ID for integrating advanced authorization functionality with their applications. ED-ID can provide a variety of information about a user and their current relationship with the university, as well as personal demographic information. The ED-ID: Schema (http://www.middleware.vt.edu/pubs/ed_id_schema.pdf) describes the information it stores. Because much of this data is sensitive and its use is governed by university policy, as well as state and federal laws, the process for requesting access is more complex, as are the security requirements. You are responsible for using this data carefully and not exposing it to people who should not see it. The best thing to do is request access to as few attributes as possible, and make sure you honor suppression attributes if appropriate for the type of application you are developing. Staff from IMS or Middleware Services can provide advice, tips, and suggestions regarding data elements and appropriate use. The Middleware-Announce listserv (middleware-announce@listserv.vt.edu) is also a resource for getting help, as well as for staying current with system changes and enhancements. For instructions on joining a listserv, refer to Subscribing to a LISTSERV List.

Detailed information regarding how to integrate applications written in Java, C, and Perl with ED-ID is provided in the document entitled ED-ID Connection Instructions (http://www.middleware.vt.edu/pubs/ed_id_connection_instructions.pdf). To request access to ED-ID, refer to Requesting ED-ID Service (http://answers.vt.edu/kb/entry/2707/). Since ED-ID requires a client certificate for authentication, several steps involve requesting a client certificate from the VT Middleware CA Client Certificate Authority. These certificates are different from commercial SSL certificates or VTCA server certificates. More information about the Middleware CA service is available at Public Key Infrastructure's (PKI) Virginia Tech Certificate Authority (http://www.pki.vt.edu/) site.


General Documentation

  • The ED Usage Requirements (PDF) document outlines the rules a service must follow when interacting with ED-Auth and ED-ID.
  • The Persons Affiliations Explained (PDF) document describes the two different affiliation attributes, "eduPersonPrimaryAffiliation" and "eduPersonAffiliation", and explains:
    • what the attributes are
    • what their possible values are
    • what the values mean
    • how the attributes should be used
  • The ED FAQs (PDF) is a draft of a collection of questions and their answers gathered from Enterprise Directory information sessions and may provide some details not covered on computing.vt.edu.
Note: PDF documents require Adobe Reader in order to view them. Please refer to the Adobe Reader Web site to download it.

Last updated on May 1, 2009