Both the University of Alaska Anchorage (UAA) and the University of Alaska Southeast (UAS) use an industry-standard directory service, Microsoft Active Directory (AD). AD is Microsoft's set of services for managing Windows server domains and directory-based identity services; it authenticates and authorizes every computer and user in a Windows domain network.
The University of Alaska (UA) System and the University of Alaska Fairbanks (UAF) also use AD to manage Windows server domains and computer identities, but they manage user identity services in a separate directory, the Enterprise Directory (EDir). EDir is a nearly 20-year-old, custom-built system based on Oracle iPlanet. It includes web-based administrative, directory-search and self-service tools, plus legacy batch-processed scripts that extract data from Banner and import it into two repositories: the EDir Person Registry and the EDir LDAP.
The extracts and imports are configured and scheduled by hand at the start of each semester. A configuration mistake may go unnoticed until users are affected. Because user updates are applied only during the overnight batch run, new and changed users wait up to a day for access to critical services; by the same token, terminated users keep their access until the batch completes, a deprovisioning gap that is a security exposure in its own right.
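The deprovisioning gap described above is something an operations team can measure rather than merely note. The script below is an added illustration, not UA's code or any part of EDir: it reconciles a source-of-record extract against a directory export and reports terminated users whose directory account is still enabled, together with how long each would keep access until the next batch run. The CSV layouts, the user records and the 02:00 UTC batch time are all constructed assumptions for the example.

```python
"""Deprovisioning-gap check: find users the source-of-record has terminated
that the directory still shows as enabled, and how long they stay exposed
until the next scheduled batch run.

Added example; not UA code. The CSV layouts, records and batch time below
are constructed assumptions, not real UA data or formats.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample extract from the HR/student system (not real records).
HR_EXTRACT = """\
username,status,effective_at
jdoe,active,2018-01-10T09:00:00+00:00
asmith,terminated,2018-01-15T17:30:00+00:00
bjones,terminated,2018-01-14T12:00:00+00:00
ckim,active,2018-01-02T08:00:00+00:00
"""

# Constructed sample export from the directory (not real records).
DIRECTORY_EXPORT = """\
username,enabled
jdoe,true
asmith,true
bjones,false
ckim,true
"""

# Assumption for the example: the overnight batch runs at 02:00 UTC daily.
BATCH_HOUR_UTC = 2


def parse_csv(text):
    """Parse a CSV document with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def next_batch_after(ts):
    """Return the first scheduled batch run strictly after timestamp ts."""
    candidate = ts.replace(hour=BATCH_HOUR_UTC, minute=0, second=0, microsecond=0)
    if candidate <= ts:
        candidate += timedelta(days=1)
    return candidate


def find_gap(hr_rows, dir_rows):
    """Return (username, hours_until_next_batch) for every user the
    source-of-record marks terminated but the directory still has enabled.
    Users already disabled in the directory are not reported."""
    enabled = {r["username"] for r in dir_rows if r["enabled"].strip().lower() == "true"}
    findings = []
    for r in hr_rows:
        if r["status"] != "terminated" or r["username"] not in enabled:
            continue
        terminated_at = datetime.fromisoformat(r["effective_at"])
        exposure = next_batch_after(terminated_at) - terminated_at
        findings.append((r["username"], round(exposure.total_seconds() / 3600, 1)))
    return sorted(findings)


if __name__ == "__main__":
    for user, hours in find_gap(parse_csv(HR_EXTRACT), parse_csv(DIRECTORY_EXPORT)):
        print(f"{user}: still enabled in directory, {hours} h until next batch run")
```

Run against the constructed data, the check reports only asmith (terminated in the afternoon, still enabled, 8.5 hours until the 02:00 run); bjones is terminated but already disabled, so there is nothing to report. In a real deployment the same comparison would run against the live HR extract and a directory export, and any non-empty result is the queue of accounts to disable immediately rather than wait for the batch.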
Beyond AD being the industry standard for directory-based identity services, UA and UAF have other reasons to expand their use of AD.
- The EDir web-based tools run on virtual machines that are past end-of-life and will eventually be unsupportable: Solaris 8 virtual machines hosted on physical Solaris 10 servers.
- UA's Office of Information Technology (OIT) has a Windows Server Administration (WSA) department but no longer has Solaris administrators to support Solaris servers.
- Should the hardware fail, UA OIT has no replacement Solaris hardware.
- The Solaris 8 virtual machines' Secure Sockets Layer (SSL) certificates were last updated in 2004 and expire in February 2018.
- Renewing the certificates is not an option, because the Solaris 8 SSL stack cannot handle the certificates that certificate authorities issue today.
- Replacing EDir's web-based administrative, directory-search and self-service tools with equivalent AD-based tools would let UA OIT retire four Solaris 10 servers, the physical hosts of five Solaris 8 virtual machines.
- Removing the EDir LDAP would let UA OIT remove another eight physical servers running Oracle iPlanet.
UA will therefore retire EDir and unify the directory-based identity services of UA, UAA, UAF and UAS. Unifying the directories standardizes how user identity information is provisioned, updated and stored, and removes ten Solaris servers from UA's network. Pointing Shibboleth, a service that currently depends on EDir, solely at AD will also make it possible to combine it with the Central Authentication Service (CAS), a single sign-on protocol for the web; combining the two services will allow the retirement of another three servers.