* Lowry, Francis <[log in to unmask]> [2009-05-06 10:55]:
> Following on from Mike's response, there are additional options for
> sourcing the different attributes. We use a combination of Active
> Directory for the eduPrincipalName, a salt for the eduPersonTargetID,
> and a JDBC lookup to a SQL Server database for the affiliations and
> entitlements.
>
> This allows us to separate the management of entitlements which is a
> library function in our organisation from the AD management, on the basis
> that it is easier for us to maintain contents of database tables rather
> than add extra processing to maintain AD.
Just remember that depending on many data sources makes it harder to
achieve high(er) availability, if the need comes up. Syncing the data
to a single source (if management in one data source is not possible)
might provide for better resilience (at other costs, of course).
E.g. in case you also use Shibboleth as your campus WebSSO system you
probably want to reduce the possibility of large parts of the campus
web becoming unavailable (for new sessions) because of an IdP-related
problem. Since Shib always talks to all data sources configured, that
extends the need for higher availability to all storage engines
(databases, directories, etc.) upon which the IdP depends for its
operation. Each of which usually is both expensive and difficult to
get to a redundant, clustered mode of operation with reliable
fail-over and recovery, etc.
Cheers,
-peter
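The three-source split Francis describes (AD for the principal name, a salted computed value for the targeted ID, a JDBC lookup for affiliations and entitlements), written out as an added Shibboleth IdP 2.x attribute-resolver.xml fragment that is not from either poster. Hostnames, DNs, credentials, the salt, the table name and the column names are placeholders; the FailoverDataConnector on the database connector is one way to act on Peter's availability point, degrading to a least-privilege static result instead of failing every new WebSSO login when SQL Server is unreachable.

```xml
<!-- Added example (not from the thread): IdP 2.x attribute-resolver.xml; all hosts, DNs, credentials and the salt are placeholders -->
<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <!-- 1. eduPersonPrincipalName comes from Active Directory -->
  <resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Scoped"
      scope="example.edu" sourceAttributeID="sAMAccountName">
    <resolver:Dependency ref="campusAD"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName"/>
  </resolver:AttributeDefinition>
  <resolver:DataConnector id="campusAD" xsi:type="dc:LDAPDirectory" ldapURL="ldaps://ad.example.edu"
      baseDN="DC=example,DC=edu" principal="CN=idp-reader,OU=Service,DC=example,DC=edu"
      principalCredential="PLACEHOLDER">
    <dc:FilterTemplate><![CDATA[(sAMAccountName=$requestContext.principalName)]]></dc:FilterTemplate>
  </resolver:DataConnector>
  <!-- 2. eduPersonTargetedID: salted hash of a stable, non-reassigned AD attribute, so the raw identifier never leaves the IdP -->
  <resolver:AttributeDefinition id="eduPersonTargetedID" xsi:type="ad:SAML2NameID"
      nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" sourceAttributeID="computedID">
    <resolver:Dependency ref="computedID"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2XMLObject"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID"/>
  </resolver:AttributeDefinition>
  <resolver:DataConnector id="computedID" xsi:type="dc:ComputedId" generatedAttributeID="computedID"
      sourceAttributeID="employeeNumber" salt="PLACEHOLDER-long-random-salt-kept-out-of-version-control">
    <resolver:Dependency ref="campusAD"/>
  </resolver:DataConnector>
  <!-- 3. Affiliation and entitlements from SQL Server via JDBC. If the database is unreachable the
       FailoverDataConnector substitutes a static, least-privilege result so WebSSO logins still succeed.
       (A matching ad:Simple definition for eduPersonAffiliation is omitted here for brevity.) -->
  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple" sourceAttributeID="eduPersonEntitlement">
    <resolver:Dependency ref="entitlementDB"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement"/>
  </resolver:AttributeDefinition>
  <resolver:DataConnector id="entitlementDB" xsi:type="dc:RelationalDatabase">
    <resolver:FailoverDataConnector ref="noEntitlements"/>
    <dc:ApplicationManagedConnection jdbcDriver="net.sourceforge.jtds.jdbc.Driver"
        jdbcURL="jdbc:jtds:sqlserver://db.example.edu/idp" jdbcUserName="idp_reader" jdbcPassword="PLACEHOLDER"/>
    <!-- principalName is the already-authenticated user, not free request input; the DB account should still be read-only -->
    <dc:QueryTemplate><![CDATA[SELECT affiliation, entitlement FROM idp_entitlements WHERE username = '$requestContext.principalName']]></dc:QueryTemplate>
    <dc:Column columnName="affiliation" attributeID="eduPersonAffiliation"/>
    <dc:Column columnName="entitlement" attributeID="eduPersonEntitlement"/>
  </resolver:DataConnector>
  <!-- Fallback when the database is down: no entitlements at all, only the weakest affiliation value -->
  <resolver:DataConnector id="noEntitlements" xsi:type="dc:Static">
    <dc:Attribute id="eduPersonAffiliation"><dc:Value>affiliate</dc:Value></dc:Attribute>
  </resolver:DataConnector>
</resolver:AttributeResolver>
```

With this layout an AD outage still stops all logins (every definition depends on it), which is exactly the "syncing to a single source" trade-off Peter raises: the failover only removes the database from the set of components that must be highly available.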