 | directory_services_recommendations.pdf | 240 KB |
Enterprise Architecture recommendations and opinions are intended to provide middle to long term guidance in key technology areas. They must be considered in terms of:
Within Harvard University, multiple directories have been deployed, many of which now have overlapping services and data, inconsistent provisioning, and varying levels of support. Most are on- premises while other IT directory resources are moving to the Cloud. This work proposes a strategy to rationalize the current state.
Directory services are a well-established, standardized way of providing authentication and authorization tools as well as person and resource attribute information. These services are accessed using the LDAP protocol, as implemented by several UNIX-like LDAP server solutions as well as Microsoft's Active Directory solution. Some of the traditional uses for LDAP based directory services are being superseded by more modern and manageable services. This document outlines a mid-term future-state vision, strategy and design approach for directory services across the University.
The FY18 HUIT Top 30 Strategic Goals1 document recognized the need to define a strategy, service approach and architecture for LDAP directories. Although this goal was subsequently put on hold, the FY18 University IT Strategic Plan2 identified a need for directory strategies to support the CIO Council Collaboration initiative, enabling this work to continue. Other key drivers for this effort include:
A number of directories that are candidates for rationalization exist within HUIT. These include:
An effort is underway to provide Active Directory as a Service in order to increase security, streamline user experience and reduce the administrative burden required to operate the large number of AD instances currently used across the University. Although increased resiliency to attack and fewer AD related security incidents is a primary goal of the effort, the project includes the explicit objective of building a single University Active Directory for all schools and centers. Within the Enterprise service a School/Center will retain autonomy to manage Groups, Computers, Application access, and Group Policy for their organizational units on a delegated basis.
The primary enterprise UNIX LDAP directory, HarvardLDAP, holds HarvardKey credentials and attributes for people (HUID holders). HarvardLDAP is one component of Harvard’s Enterprise Identity and Access Management (IAM) solution. This directory has been migrated to the Cloud.
PublicLDAP holds person attributes that are accessible to public and Harvard applications.
FASLDAP supports a wide variety of directory functions for the Faculty of Arts and Sciences. A number of efforts to analyze the type and volume of FASLDAP usage have been undertaken in the past. Attempts to consolidate the data into other directories and retire FASLDAP have been stymied by lack of documentation and multiple ownership of the internal resources.
In addition to HUIT managed directories, organizations such as HBS, Research Computing and HMS all maintain their own LDAP directory instances with person, group and technical attributes necessary to support local needs. The content of these directories may be candidates for promotion to the Enterprise or managed directories. HUIT should work with the owners of these directories to identify current requirements. Adding local organization data to the Enterprise or managed directories may be sufficient to support retirement of the local directory.
Directory services have been traditionally used to:
Harvard continues to use LDAP3 protocol-based services but is also introducing new services that in some cases replace LDAP functionality, and in others supplement or hide LDAP implementations.
At Harvard, authentication has been abstracted into higher level service, HarvardKey. HarvardKey supports a “single identify for life” that can be used to access a variety of University applications and services. In addition, HarvardKey provides improved security features including two-factor authentication and single sign-on to over 400 applications. The implementation of HarvardKey includes an LDAP server, HarvardLDAP. This implementation is a candidate for migration to the AD-based UNIVAD directory service. This will improve security, reduce duplication of data, and simplify the infrastructure by reducing the number of supported instances.
Groups and group membership information is now provided by the Identity and Access Management4 team through the use of Group Services. Group Services is fully integrated with HarvardKey and automatically updated based on changes to a user’s status and role. It also supports the use of local groups and an associated delegation of group administration. Some group information may be provisioned to LDAP services, but on a selective basis.
The combination of HarvardKey and Group Services can be used to manage permissions to applications and websites. Individual applications may also provide this functionality directly. In general, new applications and existing application planned for significant upgrades should utilize newer tools and services such as HarvardKey and Group Services. These new capabilities, along with operational and cost considerations, are defining a new architecture for directory services.
Until they are retired or upgraded, legacy applications that only support the LDAP protocol will require the continued use of LDAP directories.
A key goal of HUIT’s Data Management Services5 (DMS) organization is a reduction in the cost, time, and effort required to share information by simplifying the way schools and central units exchange data. One of the most commonly exchanged data sets is information about people; information traditionally housed in LDAP servers.
The Common API Platform Program (CAPP) has designed and implemented a ‘Person’ API that can be used to retrieve common attribute data about Harvard people. This service follows a well-defined governance process and is the preferred method to use when applications need person related information.
Identity as a Service are SaaS-based service offerings that allow organizations to use single sign-on authentation and access controls to provide secure access to their growing number of applications. Trends in the industry point to this approach as the long-term solution. Much of this proposed Directory Strategy prepares the ground for leveraging this capability.
Continue to provision from one enterprise dataset for person data - The enterprise dataset is derived from the IAM Identity registry and holds the essential person information that is used by the enterprise.
At a basic level, master data management methods seek to ensure that an organization does not use multiple, potentially inconsistent versions of the same data in different parts of its operations. Master data is the consistent and uniform set of identifiers and extended attributes that describes the core entities of an enterprise. A single master dataset is necessary to provide accurate and timely information on Harvard people and resources. Coherence in the data stored across all directories must be established, maintained and synchronized through automated means.
Continue to use one UNIX-based LDAP and one Microsoft AD, which is necessary to meet the current set of enterprise directory requirements. Over time, consolidate to one AD implementation for enterprise directory services, including HarvardKey.
The current design of two enterprise-level directory implementations, one UNIX-based and one MS- AD-based, should be consolidated over time to reduce duplication of data and simplify the infrastructure by reducing the number of supported instances. A progressive approach is recommended, starting with migrating the UNIX authentication services to AD, followed by migration of person attribute information and then the remaining non-person data. At that point HarvardLDAP should be retired.
HUIT should create a directory management service to allow schools and centers with existing UNIX-like directories the option of delegating the administration and operation of such directories to a central team with the level of technical expertise and resources required.
The decentralized nature of Harvard often results in high levels of duplication and complexity. The shared-services approach can combine the advantages of centralization and decentralization, achieving economies of scale and scope while remaining responsive to user needs. A directory service offering would allow some parts of the organization to reduce their operational level of support for LDAP directories while meeting existing local needs.
Local, non-managed directories should be limited to those that provide application-specific or locally valuable directory services. These typically provide directory information in narrowly-scoped environments such as individual or small sets of applications.
The need for local directories that support specific applications and/or contain locally valuable person/resource data will continue to exist. Local data should be limited to those objects and attributes not contained in master or managed directories.
When differences exist in the business meaning of a particular attribute or set of attributes, local directories should extend the schema used in the master directory and avoid using the same attribute name(s) for locally different definitions, enabling synchronization with authoritative data at the higher level.
To the greatest extent possible, all directories should be automatically provisioned/deprovisioned using a top-down approach beginning with the IAM program databases and systems.
Consistent and timely provisioning and de-provisioning of information in directories is required for reasons that range from supporting a high-quality user experience for new employee on-boarding to rapid and secure removal/archiving of accounts for terminated employees.
Achieving this across multiple directories is almost impossible absent automated tools and standard processes. Provisioning of person information must be accomplished through a business service that automatically adds people to the directory. Manual addition of people should not be allowed. De- provisioning should be accomplished through the same business service. Provisioning and de- provisioning of technical resources should be accomplished through a similar business service.
Consolidation of LDAP skills into one organization for critical mass and coverage.
Directory design, management and administration, for both Active Directory and UNIX-like LDAP directories servers, requires a unique set of skills. The University would benefit from an effort to identify and consolidate, formally or informally, staff with this experience in order to reduce duplication of effort and provide quality, sustainable services.
This document does not address the operational and cost considerations related to the proposed design and strategy. These would need to addressed prior to implementation of these recommendations.
Directory services should be aligned with the University’s Enterprise Architecture principles, particularly the infrastructure and security principles.
| Change Area | Expected Outcome | Change from Current State |
|---|---|---|
| Fewer directories across the enterprise |
|
|
| Simpler and more secure deployment pattern for AD |
|
|
| Better support for managed directories |
|
|
| Improved physical and logical data model |
|
|
| Better synchronization between different directories using provisioning services |
|
|
| Consolidate LDAP skills into one organization for critical mass and coverage |
|
|
FY18 Top 30 Goals - https://huit.harvard.edu/files/huit/files/fy18_top30_goals-handout-v2.pdf
University Information Technology Strategic Plan, 2018 https://huit.harvard.edu/files/huit/files/final_2018_itstrategicplan.pdf
Lightweight Directory Access Protocol - https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
HUIT Identity and Access Management – https://iam.harvard.edu/
HUIT Data management Services - https://huit.harvard.edu/data-management-services
