CalNetAD Directory Integration: Using IBM Directory Integrator and ADSI

Updated: 2004-11-05

Integration objectives

We have implemented a phased integration of the data in our campus LDAPv3-based CalNet Directory with the CalNet Active Directory (CalNetAD). The design and code allow basic user account information to be synchronized between the two directories, as detailed in the table of data elements below. Our implementation is based on the IBM Directory Integrator engine and custom ADSI scripting written primarily in JScript. The technical design is documented in a separate article.

The synchronization process continuously monitors the changelog of the CalNet Directory and publishes events of interest as messages to a FioranoMQ JMS Topic maintained by the CalNet Messaging system. As a result, any CalNet account change, including a CalNet ID change, is automatically synchronized and available in the CalNetAD within about a minute. To catch CalNetAD changes made to user accounts through normal administrative activities, a nightly comparison of the user data in the two directories is also performed. Any differences from the authoritative data in the CalNet Directory are fed into the same synchronization process and corrected in the CalNetAD.

Data elements

The following data elements are being synchronized between the CalNet Directory and the CalNetAD:

User attribute         GUI label                      Unique within   Initial values (CNID = CalNetID)
altSecurityIdentities  Kerberos Principal Name        Forest          Kerberos:CNID@BERKELEY.EDU
cn                     Full name                      OU              CNID (when first created)
displayName            Display name                   [not unique]    "displayname" from CalNet directory (CNID for students)
mail                   E-mail                         [not unique]    "mail" from CalNet directory
sAMAccountName         User logon name (pre-Win2K)    Domain          CNID
userPrincipalName      User logon name                Forest          CNID@BERKELEY.EDU
uid                    [none]                         Forest          "uid" from CalNet directory

Policies

The following policies relating to data conversions and security and privacy of data elements have been implemented:

  • All employee (faculty and staff) and affiliate user accounts are created by default within the OU=Users,OU=FSA container
  • All student accounts are created by default within the OU=Users,OU=Students container, using the CalNetID as the "displayName" attribute
  • The "cn" attribute is not modified automatically after initial creation unless the account being changed still resides within the FSA OU or any Students OU
  • Student accounts are created with access control entries (ACEs) that deny general users access to the "uid" attribute
  • Until a mechanism is developed to secure this attribute for student accounts in compliance with FERPA requirements, the "mail" attribute is synchronized only for faculty, staff, and affiliates
  • If a modification moves an account into a Students OU, the ACEs mentioned above are added; if an account is moved out of a Students OU, the ACEs are removed
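The following block is an added example and is not the CalNet project's own IDI/ADSI code. It collects the mapping rules from the data-elements table and the placement, "cn", "mail" and ACE policies above into JScript-compatible JavaScript of the kind an ADSI script would run before issuing its LDAP:// writes, and it shows the nightly comparison as a function that returns the corrections for one account. Everything about the input shapes is an assumption: the CalNet entry is taken to carry calnetId, uid, displayname, mail and an isStudent flag (the page does not name the CalNet attribute that marks a student), a CalNetAD account is {dn, attrs}, the uid-protecting ACEs are represented by two opaque operations, and accounts are assumed to be moved between the two default containers only while they still sit in one of them. The sample records are constructed for the example.

```javascript
// Added example (JScript-compatible JavaScript), not the CalNet project's own
// IDI/ADSI code. Assumed, not taken from the page: the CalNet entry is
// {calnetId, uid, displayname, mail, isStudent}; a CalNetAD account is
// {dn, attrs}; the uid-protecting ACEs are represented by two opaque ops.

var KERBEROS_REALM = "BERKELEY.EDU";
var FSA_OU = "OU=Users,OU=FSA";
var STUDENTS_OU = "OU=Users,OU=Students";

// Data-elements table: target attributes derived from the CalNet entry.
function mapToCalNetAD(entry) {
  var cnid = entry.calnetId;
  var student = entry.isStudent === true;
  var attrs = {
    altSecurityIdentities: "Kerberos:" + cnid + "@" + KERBEROS_REALM,
    sAMAccountName: cnid,
    userPrincipalName: cnid + "@" + KERBEROS_REALM,
    uid: entry.uid,
    displayName: student ? cnid : entry.displayname // students get the CalNetID
  };
  // FERPA policy: "mail" is synchronized only for faculty, staff and affiliates.
  if (!student && entry.mail) { attrs.mail = entry.mail; }
  return { container: student ? STUDENTS_OU : FSA_OU, attrs: attrs };
}

// New account: cn is the CalNetID at creation; student accounts get the
// ACEs that hide "uid" from general users.
function newAccount(entry, domainDn) {
  var m = mapToCalNetAD(entry);
  m.attrs.cn = entry.calnetId;
  return {
    dn: "CN=" + entry.calnetId + "," + m.container + "," + domainDn,
    attrs: m.attrs,
    ops: m.container === STUDENTS_OU ? [{ op: "addUidDenyAce" }] : []
  };
}

// True when the account's parent path lies in (or under) the given container.
function inContainer(dn, ou) {
  var parent = dn.substring(dn.indexOf(",") + 1).toUpperCase();
  return ("," + parent + ",").indexOf("," + ou.toUpperCase() + ",") !== -1;
}

// Nightly comparison: corrections for one existing account; [] when in sync.
function reconcile(entry, account) {
  var m = mapToCalNetAD(entry);
  var ops = [], set = {}, dirty = false;
  for (var name in m.attrs) {
    if (account.attrs[name] !== m.attrs[name]) { set[name] = m.attrs[name]; dirty = true; }
  }
  var inFSA = inContainer(account.dn, FSA_OU);
  var inStudents = inContainer(account.dn, STUDENTS_OU);
  // cn tracks the CalNetID only while the account is still in FSA or a
  // Students OU; an admin-chosen cn elsewhere is left alone.
  if ((inFSA || inStudents) && account.attrs.cn !== entry.calnetId) {
    set.cn = entry.calnetId; dirty = true;
  }
  if (dirty) { ops.push({ op: "set", attrs: set }); }
  // Assumption: accounts are only moved between the two default containers
  // while they still sit in one of them; the uid ACEs follow the Students OU.
  var toStudents = m.container === STUDENTS_OU;
  if ((inFSA || inStudents) && !inContainer(account.dn, m.container)) {
    ops.push({ op: "move", to: m.container });
    if (toStudents && !inStudents) { ops.push({ op: "addUidDenyAce" }); }
    if (!toStudents && inStudents) { ops.push({ op: "removeUidDenyAce" }); }
  }
  return ops;
}

// Constructed sample data (not real CalNet records).
var DOMAIN_DN = "DC=calnetad,DC=berkeley,DC=edu";
var JSMITH_STUDENT = { calnetId: "jsmith", uid: "1234567", displayname: "Jane Smith",
                       mail: "jsmith@berkeley.edu", isStudent: true };
var JSMITH_STAFF = { calnetId: "jsmith", uid: "1234567", displayname: "Jane Smith",
                     mail: "jsmith@berkeley.edu", isStudent: false };
// The AD account as the student path created it (before Jane became staff).
var JSMITH_AD = {
  dn: "CN=jsmith,OU=Users,OU=Students," + DOMAIN_DN,
  attrs: newAccount(JSMITH_STUDENT, DOMAIN_DN).attrs
};
// An account an administrator moved out of FSA and renamed: cn must be left alone.
var RJONES_ENTRY = { calnetId: "rjones", uid: "7654321", displayname: "Robert Jones",
                     mail: "rjones@berkeley.edu", isStudent: false };
var RJONES_AD = {
  dn: "CN=Robert Jones,OU=Users,OU=IST," + DOMAIN_DN,
  attrs: (function () { var a = mapToCalNetAD(RJONES_ENTRY).attrs; a.cn = "Robert Jones"; return a; })()
};

if (typeof console !== "undefined") {
  console.log(JSON.stringify(reconcile(JSMITH_STAFF, JSMITH_AD)));
  console.log(JSON.stringify(reconcile(RJONES_ENTRY, RJONES_AD)));
}
```

For the student-turned-staff record, reconcile returns a "set" of displayName and mail (mail is now permitted because the account is no longer a student), a move to the FSA container, and removal of the uid-denying ACEs; for the renamed account outside FSA it returns nothing, because cn is left to the administrator once the account has left the managed containers. The comparison is pure data in, operations out, so the same function can sit behind both the changelog-driven path and the nightly pass, with only the ADSI write layer differing.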