Friday, June 28, 2019

Sunsetting my Work at Notre Dame

I worked in the Office of Information Technologies at the University of Notre Dame from 1999 to December 2004. As an Information Engineer, one of the primary systems I was responsible for designing, implementing, and supporting was the Enterprise Directory Service, which we named "EDS". The EDS was essentially an LDAP directory with a schema intentionally designed to support multiple applications for authentication, authorization, and attribute release, as well as providing enhanced user lookup for email clients and directory search web pages. Perl scripts were used to transform and import data from a variety of sources into the EDS, and other scripts were used to provide group management and data exports for downstream services.

I've learned that while much of my EDS work has remained available and functioning since implementation almost 20 years ago, the system in its entirety will be replaced by a vendor product this fall. This blog post describes some of that work. For the moment it is still accessible at https://eds.nd.edu.

The EDS home page from 2004 to 2019

In addition to leveraging my own background in data modeling, my LDAP schema design was influenced by the "LDAP Recipe" of Michael Gettes, white papers on identity written by Bob Morgan, the early eduPerson object class work being done by the MACE-Dir working group (which I joined in 2000), "Understanding and Deploying LDAP Directory Services" by T. Howes, M. Smith, and G. Good, and assorted other texts. I was fortunate to have a good working partner in Jeremy McCarty and together we were able to stand up a robust, capable, and reliable service in early 2001 after several months of study, analysis, experimentation, and testing.

Initially, the schema attributes that were populated were designed to provide a replacement for Notre Dame email address lookup for the campus and peer institutions. Indexing decisions and ACLs (Access Control Lists) were designed carefully to provide just the right information to just the right people or applications, in just the right way. It is fair to say that my design pushed the ACL flexibility of the iPlanet Directory Server to the edge. It would not have been possible with any other product. Later, in 2002, attributes were added to support fine-grained authorization using groups, and then in 2003 enhancements were made to support integrations with the campus Microsoft Active Directory Service and SendMail. The final update to the schema documentation was published August 6, 2004, though subsequent schema modifications were made after I left in December of 2004.

From the very beginning, though, during early design in 2000, it was necessary to be able to query the EDS, show the data, and validate not only that the data was populated correctly for entries but also that the ACLs and indices were properly configured to search and release the correct entries and attributes. To that end I spent time creating a web site at eds.nd.edu to house first a search application and later online documentation, self-service privacy controls, and email preferences.

At the time OIT had a team that used Dreamweaver to generate HTML sites, and they wanted all OIT departments to utilize their templates so that there would be a common look and feel across our services. I embraced that idea and developed templates that included embedded functions that the Perl CGI program nd_ldap_search.pl would execute when rendering the pages. In this way I could readily leverage the common templates while still providing the customizable interface I wanted, without having to constantly rewrite the Perl CGI code that generated the pages. The Perl code could be focused on the functions and the Dreamweaver template could handle the static web page content. All of this required a lot of HTML, JavaScript, and Perl work, and making sure that each layer was doing its part.

The EDS Search page

The best example of this collaborative architecture is the EDS advanced search page. Most searches performed at the time were based on simple common attributes such as name, affiliation, department, and the unique University NetID, which was an AFS ID. Notre Dame has always allowed people to have multiple email addresses, so searching by email address was also frequently needed. The simple search page allowed these searches to be done on the web. The attributes specified for searching in the HTML form would be passed to the nd_ldap_search.pl Perl script, which would construct the necessary LDAP search filter, execute the search against the EDS directory, and then construct a response page that could display one or many entries. Simple searches required only simple LDAP filters to be constructed, but the LDAP protocol allows for very complicated filters, and so an Advanced Search page was also provided that could take full advantage of LDAP filter potential.
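As an added example (not code from the original post or from nd_ldap_search.pl), the following Python shows how simple-search form fields like those described above can be turned into an LDAP filter while escaping the user-supplied values per RFC 4515, so that characters such as parentheses or asterisks typed into a form field cannot change the filter's structure. The attribute names mapped from the form fields are assumptions; the EDS schema's real attribute names are not given in the post.

```python
"""Build RFC 4515 LDAP search filters from web-form input (added example)."""

# Assumed mapping from form field to directory attribute; the real EDS
# schema names are not given in the post.
FIELD_TO_ATTR = {
    "name": "cn",
    "affiliation": "eduPersonAffiliation",
    "department": "ou",
    "netid": "uid",
    "email": "mail",
}

# RFC 4515 section 3: these characters must be written as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value so it is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_simple_filter(form: dict) -> str:
    """AND together one assertion per populated form field.

    A trailing '*' typed into the name field is kept as a wildcard (the usual
    "starts with" lookup); every other value is escaped and matched literally.
    Raises ValueError when no field is populated, so the CGI script never
    issues an unbounded search by accident.
    """
    clauses = []
    for field, attr in FIELD_TO_ATTR.items():
        raw = (form.get(field) or "").strip()
        if not raw:
            continue
        if field == "name" and raw.endswith("*"):
            clauses.append(f"({attr}={escape_filter_value(raw[:-1])}*)")
        else:
            clauses.append(f"({attr}={escape_filter_value(raw)})")
    if not clauses:
        raise ValueError("at least one search field is required")
    if len(clauses) == 1:
        return clauses[0]
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    # Constructed sample form submission, as the CGI script would receive it.
    print(build_simple_filter({"name": "Smi*", "department": "OIT"}))
```

Because the `mail` attribute is multi-valued in the directory, `(mail=...)` already matches any of a person's addresses without extra OR clauses.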

With the Advanced Search page extremely complicated search filters could be created to select entries and a large number of attributes could be returned.

When only a single entry was returned the results page was constructed to resemble a page that would be returned by a standard iPlanet search when using their UI tools.  This was done to minimize user impact if we ever decided to utilize the vendor tools rather than our own (we never did).

Clicking on the "Display Complete List of Attributes" link at the bottom would cause the search to be rerun but return the results as a list.  There were a number of other formats to return the attributes as well, including as raw LDIF. Of course any entries or attributes that were restricted in any way would not be returned. Entries and attributes could be set to public, private, or restricted to the ND network. This was very important in order to ensure compliance with FERPA.

If multiple entries were returned by the search then they would be displayed in a list with minimal attributes displayed in columns and then clicking on an entry in the list would in turn display the single entry in detail as shown above.  This same ability to display entries collectively was extended to support searches against multiple directories so that it was possible to initiate a single search for a person across as many public LDAP directories as desired. This would have been a convenient way to find colleagues at other institutions.

Full documentation was included on the site to aid in accessing the EDS and utilizing its capabilities, including how to create department specific templates and search pages, though this capability was, as far as I know, never used.

There was also a series of pages available only to authenticated users that allowed authenticated searches and email preferences to be specified for spam routing, white listing, black listing, and other capabilities supported by Sendmail using sieve. There were also group management pages created so that authorization could be controlled by groups. Unfortunately, all of these pages are no longer accessible to me and I do not know which of those functions continue to be used. A search through my presentations from those years includes information about those capabilities at that time.

When I first interviewed with Notre Dame in 1999 I told the hiring manager, Gary Dobbins, that I wanted to build something that would last. While it is sad to learn that these pages and scripts will finally be retired later this year, I am proud that my work lasted in production nearly 20 years and I doubt that its replacement, no matter how expensive, will fare as well.

Wednesday, June 26, 2019

Recap: November 2017 - June 2019

Supervising Enterprise IT Architecture

From November 2017 to June 2019 I supervised the Enterprise IT Architecture team within UCLA IT Services.  I had participated in team meetings for a year before applying for the supervisor position and I was excited about accepting responsibility for developing a unit again, especially one that had the potential to assist in many IT areas within IT Services and across the campus. As supervisor of IT Architecture I also continued to organize and convene the IT Architecture Steering Committee meetings.

Diagram of the role of the IT Architecture team

To set up shop I established our website at https://spaces.ais.ucla.edu/display/itsvcea/Enterprise+IT+Architecture+Unit and began consolidating and organizing our online content and materials. I encouraged the team to participate with campus workgroups and architecture interest groups such as ITANA while increasing my own involvement in campus groups and programs.  I also attended the Gartner EA Summit in June.

As mentioned in my previous post, a wave of departures began in January 2018 and this directly impacted the EA program. The CIO had been our primary champion and he was the first to leave. Within a span of months we lost several other directors, including my own. By July 2018 the organization was reeling and the departures that had occurred began to affect decision making. At the same time the IT governance in place at UCLA was also being reconsidered. We had been hit by the perfect trifecta of uncertainty - brain drain, restructuring, and governance changes. We continued to operate but some decisions were put on hold waiting for a CIO or permanent CISO to be hired.

By summer one of my team had also chosen to leave, and I took on the additional role of the UCLA representative for the UC ITAC - IT Architecture Committee. This systemwide group of IT architects focused on the development and review of artifacts to improve the quality of systemwide services.

Logo and catchphrase of the UCLA Green IT Taskforce - GrITT

As the fall of 2018 began I became further engaged in campus-wide activities. I volunteered to participate in the rebirth of the UCLA Green IT Taskforce, a formal task force of the UCLA Sustainability Committee, and was then asked to lead the effort. I was nominated for the campus Management Enrichment Program and completed the UC Professional Skills for Supervisors certification program.  To further the cause of Green IT I co-sponsored a campus Professional Development Project (PDP) team with the goal of polling and interviewing the campus IT leaders regarding Green IT issues. In October I ran an EA birds-of-a-feather session at the Internet2 TechEx conference and in December I presented on EA metrics on the monthly ITANA conference call. I also ran a second birds-of-a-feather EA session at the March Internet2 Global Summit.

Through the period from June 2018 to June 2019 I focused the Architecture team on developing an application inventory process that could be used to support the selection of applications to be migrated to AWS over the next year. We also leveraged the inventory for use with the campus Business Continuity program.

The Enterprise Architecture presentations and activities I led with wider audiences than UCLA during this time period included:

One of the campus activities I decided to participate in to increase my awareness of campus departments was a series of open houses sponsored by various administrative departments held in the spring of 2019.  One of these was held in the Campus Emergency Operations Center and afterwards I decided to pursue a role in the Planning Section for the EOC. This requires FEMA training as well as ongoing participation in campus exercises and EOC activations but it also offers a unique look into various departments of the campus.

As the end of the 2018-2019 fiscal year approaches many of the activities I have been engaged in these last nine months are drawing to a close. In the newly announced organizational structure my role will be focused on AWS migration and I will no longer be supervising EA. The UC ITLC has decided to shut down ITAC and the June Architecture Steering Committee meeting was the last. The PDP team completed its work and I have completed the MEP program. Going forward I will continue to chair the Green IT Taskforce and be engaged in Sustainability activities and CEOG activities. We should have a new CISO and a new CIO later this calendar year and I will have a new supervisor and be reporting to a new director.

It has been an exciting time and more excitement awaits.