LDAP User Management with PeopleSoft Campus Directory Interface
LDAP User Management with PeopleSoft Campus Directory Interface. Session #10562, March 23, 2005, HEUG 2005 Conference, Las Vegas, Nevada. Today’s Presenters: Jim Gallamo, Director; Carol Schaffer, Associate Director; Suman Rustagi, Senior Developer.
LDAP User Management with PeopleSoft Campus Directory Interface
Session #10562, March 23, 2005
HEUG 2005 Conference, Las Vegas, Nevada
Jim Gallamo, Director
Carol Schaffer, Associate Director
Suman Rustagi, Senior Developer
Today’s Presenters
Catholic University is changing their current user account management practices and implementing PeopleSoft’s Campus Directory Interface (CDI) to support this initiative.
This presentation highlights our plans and experience with CDI.
Overview
• CUA and PeopleSoft
• Account management processes
• Desired goals
• Campus Directory Interface
• Wrap-up
Agenda
• Located in Washington, DC
• Founded in 1887
• 5800 students
• 1500 faculty and staff
• 18,000 + user accounts
• Windows and Solaris systems
Catholic University of America
• Financials v8.4
• Enterprise Performance Management v8.8
• Enterprise Portal v8.8
• Student Administration v8.0
• Human Resource Management Systems v8.0
Catholic University and PeopleSoft
Current Account Management
[Diagram. Labels: PeopleSoft Student Administration System (SAS); Account Management System; Active Directory; Microsoft Exchange; Campus Network; Student Data; Faculty/Staff Data; Manual Process; Manual/Automated Processes]
Future Account Management
[Diagram. Labels: PeopleSoft SA/HRMS; Campus Directory Interface; Active Directory; Microsoft Exchange; Campus Network; Student/Staff/Faculty Data; Automated Process; Manual/Automated Processes]
• Replace legacy account management system
• Improve account generation turnaround
• Facilitate data movement between systems
• Introduce OPRIDs as primary identifier
• Expand information in Active Directory (AD)
Phase I Goals
• Minimize manual processes
• Create standard account structure
• Provide increased audit functionality
Phase I Goals (cont’d)
• Automatically populate all AD-based services
• Restructure account naming conventions
• Introduce real-time synchronization
• Add custom graphical user interface to supplement AD
Phase II Goals
• Sold separately from SA/HRMS system
• Cloned from existing HRMS PDI
• Integrates PeopleSoft security with AD
• Shares SA/HRMS data with AD
• Supports MS ADS, Novell eDirectory and iPlanet Directory Server
PeopleSoft Campus Directory Interface
• A distributed hierarchical database
• Comprised of the Directory Information Tree (DIT) and the Schema
• Each Entry in the DIT is keyed by its Distinguished Name (DN)
• A DN is a string of attributes which uniquely identifies an entry in the AD
What is Active Directory?
• A Schema is a set of rules that defines DIT attributes
• Microsoft provides a Lightweight Directory Access Protocol (LDAP) interface to AD
What is Active Directory? (cont’d)
Active Directory Structure
Campus Directory Interface Set-up
CDI Directory Setup
CDI Directory Setup (cont’d)
CDI Directory Setup (cont’d)
• Load AD schema to PeopleSoft cache
• Active Directory schema enables selection of data elements by CDI
• Required for directory map creation
Defining AD within PeopleSoft
CDI Directory Schema Cache
CDI Mapping Setup
CDI DN Details
CDI Attribute Mapping
CDI Attribute Mapping (cont’d)
Transform the Value
Transform the Value
Sample Function for Transformation
• Based on PERSONAL_DATA, CX_SEC_TBL, and PERS_INST_REL tables
• CX_SEC_TBL, custom table, includes OPRIDs for all the students
• View selects record where STUDENT_CUR is marked as ‘Y’
Criteria for Selecting Students
Run File Load Process
• LDIF File option creates a data file
• File gets created in folder PS_HOME\appsrvr\Database Name\Files
• File gets loaded into Active Directory
• Run Option updates the Active Directory
File Load Process (cont’d)
dn: cn=Griffintest\, Carter H. GRIF0046,cn=users,dc=cua,dc=edu
changetype: add
objectClass: top
objectClass: user
accountExpires: 0
cn: Griffintest, Carter H. GRIF0046
company: CUA
displayName: Griffintest, Carter H. GRIF0046
givenName: Carter
mail: [email protected]: Griffintest, Carter H. GRIF0046
sAMAccountName: GRIF0046
scriptPath: Login.bat
sn: Griffintest
title: Student
Resulting Output File
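Added example (not part of the presentation, and not PeopleSoft or CDI code): a Python sketch of how a provisioning job can emit an add record shaped like the one above, escaping the comma in the CN per RFC 4514 and base64-encoding any value RFC 2849 does not allow in plain form, so that a name or title containing a line break cannot add or alter LDIF lines. The input field names, the OPRID pattern and the function names are assumptions; the mail attribute is left out because the address is not legible in the slide text.

```python
import base64
import re

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_DN_SPECIAL = ',+"\\<>;'
# Assumed local policy for OPRID-based logon names (not from the presentation).
_OPRID_RE = re.compile(r"[A-Za-z0-9]{1,20}")

def escape_rdn_value(value: str) -> str:
    """Escape a value so it is safe as one RDN component of a DN."""
    out = []
    for i, ch in enumerate(value):
        # Leading space or '#', and trailing space, also need escaping.
        edge = (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " ")
        if ch == "\0":
            out.append("\\00")
        elif ch in _DN_SPECIAL or edge:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def ldif_line(attr: str, value: str) -> str:
    """Emit 'attr: value', or base64 ('attr:: ...') when RFC 2849 requires it."""
    safe = (value.isascii()
            and not any(c in value for c in "\0\r\n")
            and not value.startswith((" ", ":", "<"))
            and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def build_add_record(p: dict, base_dn: str = "cn=users,dc=cua,dc=edu") -> str:
    """Build one 'changetype: add' record shaped like the slide's output."""
    if not _OPRID_RE.fullmatch(p["oprid"]):
        raise ValueError("OPRID fails logon-name policy")
    cn = f"{p['last']}, {p['first']} {p['middle']} {p['oprid']}"
    pairs = [("dn", f"cn={escape_rdn_value(cn)},{base_dn}"),
             ("changetype", "add"), ("objectClass", "top"),
             ("objectClass", "user"), ("cn", cn), ("displayName", cn),
             ("givenName", p["first"]), ("sAMAccountName", p["oprid"]),
             ("sn", p["last"]), ("title", p["title"])]
    return "\n".join(ldif_line(a, v) for a, v in pairs) + "\n"

# Constructed sample row using the test values shown on the slide.
SAMPLE = {"last": "Griffintest", "first": "Carter", "middle": "H.",
          "oprid": "GRIF0046", "title": "Student"}

if __name__ == "__main__":
    print(build_add_record(SAMPLE), end="")
```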
• Set up complete CDI/AD test environment
• Generated LDIF with correct data
• Loaded file in AD with new accounts
Progress to Date
• Update Directory in Real-time
• Automate AD changes and deletes
• Build consensus on new naming conventions
• Automatically populate other services (e.g., Exchange)
Next Steps
Directory Search Tools
AD search using CDI
CDI Search Results
• LDAP command line executable
• ldapsearch.exe
• Provided outside of system
• Useful in understanding AD structure
AD Search using LDAP Search Utility
ldap_open( 192.168.0.1, 389 )
filter pattern: cn=Tucktest, Karlton E.
returning: ALL
filter is: (cn=Tucktest, Karlton E.)
CN=Tucktest\, Karlton E.,CN=Users,DC=cua,DC=edu
cn=Tucktest, Karlton E.
company=CUA
department=Housing & Residential Life
description=STAFF
displayName=Tucktest, Karlton [email protected]=Karlton
distinguishedName=CN=Tucktest\, Karlton E.,CN=Users,DC=cua,DC=edu
LDAP Search Utility Result
• Separate network environment to test
• No additional hardware requirements
• Requires coordination between developers and network staff
• Create sample directory mappings using delivered script - DIRMAPIN.DMS
Considerations
• Limited knowledge in Global Support
• Not many end users of product
• Learned through trial and error
Considerations (cont’d)
QUESTIONS?
Jim Gallamo [email protected]
Carol Schaffer [email protected]
Suman [email protected]
CONTACTS