Universities of Glasgow and York

Right People, Right Stuff, Right Pain?

John Byrne, James Currall, Colin Farrow

Version 1.0

June 2002


In common with many others, we have identified authentication and authorisation as crucial to the delivery of a viable intranet and see directory services as important to those processes, possibly the key component. Directories can provide the 'glue' which links other components together.

There is a clear need to separate identifying who people are from what those people are allowed to see. In addition what people are allowed to see is often as a result of the role that they occupy rather than as a result of who they are. Directory services can easily deal with these three categories of information: people, roles and groups, but only if careful work is carried out to design a suitable schema for the directory.


  1. To Link People Up with Relevant Information
             People <==> Information

    which leads to:-

        authentication -> People     Information
    | |
    | |
    V V
    Roles + rights = authorisation
  2. Flexible access control to web resources
  3. Infrastructure to support future web-based intranet/extranet services

Role-based access control

Components - a simple model

web pages, web applications
Register of users
for authentication
Register of Groups
to represent user roles
Rule sets
to associate resources and groups
Access control agents
software components to apply the rules



  1. Management and ownership
  2. Critical systems
  3. Open standards
  4. scale of operation - single/multi/national/international institution working
  5. metadirectories
  6. implications for searching
  7. Buy or build?

Experience to Date

1) York


YorkWeb hosting service

Specifying access control

Processing end-user requests for protected resources

2) Glasgow

The Glasgow University Permissions Database utilises OpenLDAP directory service to store details of:

Access to restricted web pages is based on Apache with custom mod_perl extensions for:

A web based management tool provides document providers with:



"Implementing LDAP"
Mark Cox; WROX pressFairly good introduction to the subject. A search of Amazon will reveal others.

Introductory LDAP Resources

An Introduction to LDAP
An LDAP Roadmap & FAQ
LDAP Resources
Glasgow permissions database demo

Directory Services

http://www.openldap.org/Open source implementation of the Lightweight Directory Access Protocol, short introduction in Admin Guide
iPlanet directory server
http://docs.iplanet.com/docs/manuals/directory.htmlParticularly the administrator's guide, deployment guide and schema reference
LDAP Recipe
http://www.georgetown.edu/giia/internet2/ldap-recipe/A Recipe for Configuring and Operating LDAP Directories. Recommendations and discussions which will hopefully lead us all in the direction of common directory schema and deployments.


LDAP and Group Information
http://middleware.internet2.edu/dir/groups/ The groups subgroup of MACE-Dir will establish best practices in the use of core middleware to meet the authorization and messaging needs of applications. The group's initial foci are 1) the conduct of a survey of several organizations' practices in this area and 2) investigations into meaningful definitions of, and productive ways of representing and operating on, "groups", "affiliations", "roles", and "correlations".
Middleware Architecture Committee for Education (MACE)
http://middleware.internet2.edu/MACE/MACE-Dir is the directories working group of Internet2

Inter-institutional working

http://www.educause.edu/eduperson/The eduperson object class draws on the existing standards work in higher education to select items that are of broad utility, and define a common LDAP representation for each of them, to assist in building general-purpose institutional directories.
http://middleware.internet2.edu/shibboleth/Shibboleth, a joint project of Internet2/MACE, is developing architectures, policy structures, practical technologies, and an open source implementation to support inter-institutional sharing of web resources subject to access controls. In addition, Shibboleth will develop a policy framework that will allow inter-operation within the higher education community. Key concepts within Shibboleth include: DoDHE (see below).
http://middleware.internet2.edu/dodhe/Directory of Directories for Higher Education, DoDHE, a project of MACE, is investigating technology to support inter-institutional directory searching.
http://www.rediris.es/app/papi/index.en.htmlPAPI is a system for providing access control to restricted information resources across the Internet. It intends to keep authentication as an issue local to the organisation the user belongs to, while leaving the information providers full control over the resources they offer. The authentication mechanisms are designed to be as flexible as possible, allowing each organisation to use its own authentication schema, keeping user privacy, and offering information providers data enough for statistics. Moreover, access control mechanisms are transparent to the user and compatible with the most commonly employed Web browsers, i.e., Netscape/MSIE/Lynx, and any operating system.
http://www.jisc.ac.uk/pub00/sparta_disc.htmlProposal for the Second-Generation Access Management System for UK Further and Higher Education to replace Athens (http://www.athensams.net/)


http://www.internet-standard.com/LDAPrfc.htmlThe full horror – a list of LDAP RFCs for those who have trouble getting to sleep at night.

Web-based Access Control

http://www.netegrity.com/ One of several developers of web-based access-control systems. Their SiteMinder product is a good example of a general system which can be plugged into existing infrastructure.


  1. The authoritative sources of data need to be identified (or if they do not exist, created)
  2. The people who are responsible for the maintenance of specific parts of the authoritative sources need to be identified and they have to ensure that changes in roles and membership of groups are updated in a timely fashion, so that these data may be relied upon in institutional processes.
  3. A complete database of people who are entitled to access information resources is essential. This information must be fed expeditiously from such sources as the Registry and Human Resources Systems, so that people are added to appropriate roles and groups when they join the institution and their privileges are withdrawn as soon as they leave. The security of an institution's information resources depends on this.
  4. The design of the LDAP directory needs careful thought so that it will meet all reasonable foreseeable needs, including the fact that the institution will undergo periodic reorganisation.

Then you can start to think about getting to grips with the technology!