What is Directory Services?

Directory services is a shared information infrastructure that provides a comprehensive picture of an individual's relationship with the university by merging identification and role information from all systems of record on campus.

The directory services infrastructure is central to campus identity management, authentication and authorization. Numerous services and processes are involved as well as more than one physical system.

Directory services architecture has three components: the registry, enterprise directory, and metadirectory.

Image from Enterprise Directory Roadmap

Registry

The registry is the system in which resource identity is resolved. While directory services requires a person registry, it can also house registries for organizations and groups. The primary functions of the registry are identity management, reconciliation (is this person/organization the same as that person/organization?), and cross-indexing (given this person's ID on system X, find their ID on system Y).

Enterprise Directory

The enterprise directory is the interface to consumer applications, i.e., the mechanisms used by consumer applications to access data. The enterprise directory is a core middleware architecture that provides common authentication, authorization, and attribute services to electronic services offered by the institution.

Metadirectory

The metadirectory is the infrastructure that controls the flow of information between systems of records, the enterprise directory components, and consumer applications (resource provisioning). The metadirectory consists of three processes:

• The join process copies data from institutional information sources, creates a resolved entry for individuals, and moves it into a registry to fulfill application requests.
• The intelligence processes are concerned with architecture and the operation of the registry itself. The business rules and policies are implemented in the intelligence processes (formatting of entries, which data source is authoritative for what information, etc.)
• The consumer processes support all applications and systems using the directory. One facet of this component of the metadirectory concerns the permissions an application/system has to read data from the registry/directory (RDBMS view-edit settings/LDAP ACLs). Another facet of resource provisioning addresses resources tied to an account status.

More Info

For more information on directory services, please read:

• Enterprise Directory Roadmap
• Identifiers, Authentication, and Directories: Best Practices for Higher Education
• Metadirectory Practices for Enterprise Directories in Higher Education