[LTER-im] LTER LDAP to EDI LDAP transition plan...

Mark Servilla mark.servilla at gmail.com
Mon Aug 31 12:17:06 PDT 2020


Dear IM,

EDI has recently been notified by the LTER Network Office that the LTER
LDAP server will be decommissioned early this Fall. The EDI data repository
relies, in part, on the user id component of the LTER LDAP to authenticate
LTER users in the course of uploading and working within the EDI Data
Portal and PASTA+ environment. The authentication and access control system
built into our repository is directly dependent on the LDAP distinguished
name (e.g., uid=mservilla,o=LTER,dc=ecoinformatics,dc=org) used to uniquely
identify you in the LTER LDAP. This distinguished name is used in two
components of our system: 1) as the submitter of a data package, the
distinguished name is recorded as the authoritative owner of the data
package version you submit and 2) the distinguished name of one or more
users (including the LTER site user - e.g., HFR) is often recorded in the
“access” element of the EML metadata you submit for upload. This latter use
of the distinguished name is recorded in a separate access control table
within our repository.

With this upcoming change to the LTER LDAP in mind, I am proposing a plan
that will allow you to continue your interactions with the EDI Data Portal
and PASTA+ with as little disruption as possible. In short, we
will migrate any LTER LDAP user account that we identify within our system
to that of the EDI LDAP. The end result will be that you will have a new
EDI LDAP account using the same username found in the LTER LDAP; the full
distinguished name will change from the LTER sub-components to those of the
EDI LDAP (for example, “uid=mservilla,o=LTER,dc=ecoinformatics,dc=org” will
change to “uid=mservilla,o=EDI,dc=edirepository,dc=org”). Encrypted
passwords for these accounts would also be migrated. At present, we have
identified less than one hundred users that this transition would affect.
The second part of this plan will be to update all user distinguished names
found within the two components of our system so that they reflect the new
EDI LDAP accounts: this will preserve current access to all existing data
packages and services that rely on authentication and access control and
WILL NOT require updates or modifications to any existing EML document
(your new or revised EML documents associated with uploads, however, should
reflect the new EDI LDAP distinguished name in any “access” element
“principal” field). LTER LDAP usernames that are in conflict with an
existing EDI LDAP username will be addressed on a case-by-case basis (we
believe this will be a rare, if not non-existent, case). Of course, anyone not
currently identified in our system is very welcome to also be registered in
the EDI LDAP as a new user.

We ask that you consider this plan and provide any feedback or ask
questions at your earliest convenience since this change is just around the
corner. Our goal is to make this transition simple and effective. If there
are no concerns or better alternatives suggested, I would like to implement
this plan by late September. Thank you.

Sincerely,
Mark

---
Mark Servilla
mark.servilla at gmail.com
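The DN rewrite the plan describes, as an added example that is not part of the original message or of EDI's own migration code: it maps an LTER LDAP user DN to the EDI LDAP form, reports usernames that already exist in the EDI LDAP as conflicts for case-by-case handling, and applies the same mapping to the "principal" fields of an EML "access" element. The sample access element, the `jdoe` user and the authSystem value are constructed for the example.

```python
import xml.etree.ElementTree as ET

LTER_SUFFIX = "o=LTER,dc=ecoinformatics,dc=org"  # from the email
EDI_SUFFIX = "o=EDI,dc=edirepository,dc=org"     # from the email

def split_dn(dn):
    """Split a DN into (attr, value) pairs; no escaped commas or multi-valued RDNs."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed DN component: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns

def migrate_dn(dn, existing_edi_uids):
    """Map an LTER LDAP user DN to its EDI LDAP DN. Returns (dn, status) where
    status is 'migrated', 'conflict' (uid already exists in the EDI LDAP, left
    untouched for case-by-case handling) or 'unchanged' (not an LTER user DN)."""
    try:
        rdns = split_dn(dn)
    except ValueError:          # e.g. the special principal "public"
        return dn, "unchanged"
    suffix = [(a, v.lower()) for a, v in split_dn(LTER_SUFFIX)]
    if rdns[0][0] != "uid" or [(a, v.lower()) for a, v in rdns[1:]] != suffix:
        return dn, "unchanged"
    uid = rdns[0][1]
    if uid.lower() in {u.lower() for u in existing_edi_uids}:
        return dn, "conflict"
    return f"uid={uid},{EDI_SUFFIX}", "migrated"

def rewrite_eml_access(access_xml, existing_edi_uids):
    """Rewrite each <principal> of an EML <access> element. Returns the new XML
    and a {old_principal: status} report so conflicts can be reviewed by hand."""
    root = ET.fromstring(access_xml)
    report = {}
    for principal in root.iter("principal"):
        old = principal.text.strip()
        principal.text, report[old] = migrate_dn(old, existing_edi_uids)
    return ET.tostring(root, encoding="unicode"), report

# Constructed sample <access> element; the authSystem value is a placeholder.
SAMPLE_ACCESS = """<access authSystem="example" order="allowFirst" scope="document">
 <allow><principal>uid=mservilla,o=LTER,dc=ecoinformatics,dc=org</principal><permission>all</permission></allow>
 <allow><principal>uid=HFR,o=LTER,dc=ecoinformatics,dc=org</principal><permission>write</permission></allow>
 <allow><principal>uid=jdoe,o=LTER,dc=ecoinformatics,dc=org</principal><permission>write</permission></allow>
 <allow><principal>public</principal><permission>read</permission></allow>
</access>"""

NEW_XML, REPORT = rewrite_eml_access(SAMPLE_ACCESS, existing_edi_uids={"jdoe"})
```

Running the block leaves `uid=jdoe` on its LTER DN with a "conflict" entry in `REPORT`, keeps `public` as is, and rewrites the other principals to the EDI suffix.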