Enterprise Directory Changelog

Author Daniel Fisher

May 2013

Deployment Changes

  • GIT now used for source repository

Mail Updates

  • Replication to the new mail LDAP
  • Updated max aliases from 3 to 5

DAT Updates

  • Improved the display of account types for mail creation
  • Added external datasources to person display: EDLdap, AD, Mail, Google

Google Updates

  • Support for replicating ED Groups to Google Groups

PeopleSearch Updates

  • Improved search algorithm for firstname/lastname matching
  • Departments now included in the search algorithm

LDAP Updates

  • Added networkPassword attribute
  • Added vt-research affiliations

Web Service Updates

  • Support for network password
  • Support for ED Google Groups

November 2012

Deployment Changes

  • AIDE now used for filesystem checkpointing


  • Web applications removed
  • Replication code removed
  • Management code removed

Mail Updates

  • Added support for routing mail directly to EXCHANGE and HUME center
  • Fixed 4Help phone number on account recovery email
  • Google force provisioning
    • Moved VE accounts to GE accounts
    • Moved VAE accounts to GAE accounts

DAT Updates

  • Added mail routing data to the person information page

June 2012

Deployment Changes

  • Sensitive data now stored in a Truecrypt volume
  • Externalized all passwords
  • Farming process now uses scp with RSA keys rather than JBoss deployment farming

PidGen Updates

  • #generatePid() no longer creates VE account
  • #generatePid() now supports (2) passwords; creates PID and google account in same transaction

Google Updates

  • Replication sets forwards matching @*; removes forward from the Registry
  • Email Locking:
    • Disable google forward
    • Set random password
  • Aliases from VE account merged if GE account exists
  • WS API added #setGooglePrimary(uid)

Mail Updates

  • VE accounts can no longer be created (group exists for override)
  • Welcome email is no longer sent
  • Expiration email is no longer sent for VE accounts if person has a GE account; existing expiration email used for GE accounts

Ldap Updates

  • mail related attributes on the person now convert from to; GE is the primary mail account
  • entitlement attribute now stores the form 'uusid:data' instead of 'uusid:data:person_uid:sponsor_uid'
  • All email account creation removed from this process

DAT Updates

  • GE accounts support changing of preferred address
  • Many VE options removed for persons who have transitioned to google
    • aliases changes
    • forward changes
    • junk mail
    • transition back to active
  • PID shelve dates can no longer be set in the past
  • Added support for entitling services
  • Searching for an address uses @* to include the Google domain

Guest Updates

  • Missing method on GuestManager#inviteGuest has been added
  • Emails sent from dev and pprd systems must be formatted as '.*\' to avoid being logged

PKI Updates

  • new PKI role added for TAS service for invocation of
    • setCertificate()
    • removeCertificate()
    • addSuppressedAttribute() (only allowed to suppress certificate attributes)
    • removeSuppressedAttribute() (only allowed to unsuppress certificate attributes)

Auditing Updates

  • Auditing payload changed from XML to JSON

Web Service Updates

  • Services must now be entitled to invoke web services
  • Roles now include:
    • PORTAL
    • PKI
    • ADMIN

December 2011

PidGen Updates

  • e-mail and PID suppressed for anyone with VT-STUDENT

Replication Updates

  • Health check monitoring
  • Updated version of Hornetq

Password Updates

  • A bug allowed Unicode passwords; the permitted character set is now restricted

DAT Updates

  • Account recovery options shown on person view

Guest Updates

  • Web service API change for setting ticket context

Group Updates

  • Expiration dates can now be set up to 14 months in the future

June 2011

Directory Changes

  • new affiliation VT-AFFILIATE-LCI

Self-Service Password Reset

  • store password recovery maintenance date in VTUSERIDS, rather than computing it from available recovery methods
  • allow for password recovery notification


  • provision e-mail accounts for VT-AFFILIATE-LCI

April 2011

Directory Changes

  • accountRecoveryMaintenanceDate added for CAS as part of SSPR
  • passwordState exposed as part of PC.
    • passwordState = (accountState==LOCKED && transitionType==passwordExpired) ? 'EXPIRED' : 'ACTIVE'
  • confidentialFlag added to complement suppressDisplay

Password Updates

  • password expiration always set for password changes, either 1 year or 1 day
  • new password rules:
    • must be between 8 and 64 characters long
    • cannot contain whitespace
    • must meet all 4 of the following characteristics
      • contain 1 digit
      • contain 1 non-alphanumeric
      • contain 1 uppercase character
      • contain 1 lowercase character
    • must not contain a dictionary word
    • must not contain a 5 character alphabetical sequence
    • must not contain a 5 character numerical sequence
    • must not contain a 5 character QWERTY keyboard sequence
    • must not contain a 5 character repeat sequence
    • must not contain the userid, forwards or backwards, case insensitive
    • must not be any of the last 5 passwords
    • must not be the active password on any e-mail account
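A reference implementation of the rule set above, added here as an example and not the Enterprise Directory's own code. The small dictionary, the QWERTY rows, and the reading of "repeat sequence" as one character repeated five times are assumptions; the history and mail-account checks compare plaintext for brevity, where a real system would compare stored hashes.

```python
import re
from typing import List

# Constructed sample dictionary; a deployment would load a full word list.
DICTIONARY = {"password", "hokie", "welcome", "dragon"}
# Assumed keyboard rows used for the QWERTY-sequence rule.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
ALPHA = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
SEQ_LEN = 5  # every sequence rule on the page is about 5 characters


def _has_run(pw: str, alphabet: str) -> bool:
    """True if pw contains SEQ_LEN characters that appear consecutively,
    forwards or backwards, in the given alphabet (e.g. 'abcde', '54321')."""
    low = pw.lower()
    for i in range(len(low) - SEQ_LEN + 1):
        chunk = low[i:i + SEQ_LEN]
        if chunk in alphabet or chunk[::-1] in alphabet:
            return True
    return False


def password_violations(pw: str, userid: str,
                        history: List[str], mail_passwords: List[str]) -> List[str]:
    """Return the names of every rule the candidate password breaks.
    An empty list means the password is acceptable under the policy."""
    v = []
    low = pw.lower()
    if not 8 <= len(pw) <= 64:
        v.append("length")
    if re.search(r"\s", pw):
        v.append("whitespace")
    classes = (any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw),
               any(c.isupper() for c in pw), any(c.islower() for c in pw))
    if not all(classes):
        v.append("character classes")  # all four classes are required
    if any(word in low for word in DICTIONARY):
        v.append("dictionary word")
    if _has_run(pw, ALPHA):
        v.append("alphabetical sequence")
    if _has_run(pw, DIGITS):
        v.append("numerical sequence")
    if any(_has_run(pw, row) for row in QWERTY_ROWS):
        v.append("qwerty sequence")
    if re.search(r"(.)\1{4}", pw):  # assumption: same character five times
        v.append("repeat sequence")
    if userid.lower() in low or userid.lower()[::-1] in low:
        v.append("userid")
    if pw in history[-5:]:  # only the last 5 passwords are checked
        v.append("history")
    if pw in mail_passwords:
        v.append("mail password")
    return v
```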

DAT Updates

  • password changes respect password recovery option to disallow 4Help resets
  • management interface for password recovery options
  • management interface for group member expiration
  • exposed for person record view:
    • password state
    • password source
    • e-mail account state, transition

GAMS Updates

  • text changes to e-mail invitation

Group Updates

  • group relation expiration support added

Web Service Updates

  • exposed schema for group member expiration
  • exposed schema for password recovery options
  • exposed schema for password change without the existing password
  • exposed email account state data in person detail

Registry Updates


June 2010

Deployment Changes

  • Unified build deployed on 4 machines (apps-[1-4])
    • two VIPs, apps and webapps routed to these 4 machines
  • Unified build deployed on msg machine
  • Code updated to use local JVM invocations

Software Upgrades

  • Debian Etch → Ubuntu 8.04
  • JDK 1.5 → JDK 1.6
  • JBoss 4.2.3 → JBoss 5.1.0
  • JBossMQ → HornetQ
  • JBoss Scheduler → Quartz

Replication Updates

  • Backslash characters '\' cause problems due to stricter address syntax checking in OpenLDAP 2.4, now escaped
  • Prevalidated guests filtered out
  • GE accounts are back in the mail* attributes

New Directory Attributes

  • mailExternalAddress attribute added to contain external address data

DAT Updates

  • Password fields now accept up to 16 characters
  • Google password reset now respects both input fields
  • Comment length increased from 256 to 1024 characters
  • PID management defaults radio buttons
  • Regex for service DNs now denies problematic characters

Google Updates

  • Google aliases are copied when VE account is re-provisioned

Scheduler Updates

  • Scheduler refactored to use Quartz
  • Fixes for jobs that delete large number of rows

Registry Updates

  • All tables and sequences now have synonyms
  • Many new constraints added?

October 2009

DAT Updates

  • Google e-mail information added to person details
  • E-mail management interfaces updated to support google accounts
  • Web service invocations now show in the audit interface
  • Password data is now obfuscated in the audit interface
  • Removed VCOM and Guest external e-mail address types in external e-mail address management
  • Entitlement info now displays the service manager
  • Google namespace can be searched from the name arbiter interface
  • Pid generation for sponsored people now correctly expires the password

Replication Updates


  • Replication client developed


  • Client updated to send correct account (VE or GE) depending on the state of the VE account
  • E-mail is now sent when a VE account is created to welcome the new user


  • People who are eligible for Google e-mail and are not VT-STUDENT-RECENT have their VE accounts automatically deprovisioned
  • People eligible for VT e-mail with GE accounts have their VE accounts automatically re-provisioned
  • Person names have been refactored to include:
    • Banner Name
    • Preferred Name
    • Alumni Name
  • UDCIdentifier is now replicating from Banner and is stored in the Registry

Groups Updates

  • Uugids minimum length changed from 3 characters to 1

Guest Updates

  • Guest invitations no longer require a sponsor
  • PersonQuery web service has been exposed to services; only guests can be searched
  • GuestManager.guestIdExists() now lowercases input
  • Entitlement creation dates are now exposed to services

New Directory Attributes

  • virginiaTechAffiliation is now a proxy attribute for eduPersonAffiliation
  • bannerName has been added and legalName has been kept as an alias for bannerName


  • EJBCA required us to change the format in which we store DNs on the Registry

March 2009

DAT Updates

  • PID/GuestID label is now used wherever a guestId is accepted
  • Added Registry audit section
  • Added Authentication audit section
  • Query changes
    • Affiliation is now included as a search attribute in person query
    • Search pagination and controls added to all query interfaces
    • Reordered side menu links to place Query at the top
  • Person Management
    • Person Comments section added, number of comments shown on the person info tile
    • Gender management controls added for sponsored people
    • PID accounts can now be moved between people (VE email accounts are moved with the PID)
    • SSN have been entirely removed from the Registry
  • New Directory Data Management section includes the following controls
    • Display email address (no longer in email management)
    • Labeled URI
    • Instant Messaging ID
    • Certificates
    • External Email Addresses
    • Attribute suppression
  • Email Management
    • Email creation now defaults selection to VE account if VE is allowed, otherwise defaults to FE
    • Accounts can now be moved between people (includes FE and AE only)
  • Group Management
    • Services can now be members of groups
    • Added Labeled URI controls

LDAP Directory Updates

  • Dynuupid overlay added; returns the uupid to ED-Auth consumers for the following use-case:
    1. the uupid is suppressed
    2. the search is anonymous and is using TLS/SSL
    3. the exact uupid was searched for
    This is a fix for vendor clients who expect to get the uupid returned and have no recourse.

  • New Attributes
    • employeeOffCampus: whether this employee resides off campus (true|false)
    • gender: male|female|unreported
  • Person Addresses are now deleted properly (previously addresses were orphaned)

New AD Attributes

  • AD is now receiving the following ED attributes via replication:
    • objectclass
    • accountCreationDate
    • accountExpirationDate
    • accountShelveDate
    • accountState
    • eduPersonAffiliation
    • eduPersonPrimaryAffiliation
    • expirationDate
    • passwordState
    • personType
    • responsiblePerson
    • suppressDisplay
    • suppressedAttribute
    • uid

Scheduler Updates

  • Emails generated by the schedulers no longer reference emailing 4Help. A link to the 4Help website is provided where necessary.
  • Updated the language in the email deletion email.
  • Fixed a misspelling in the guest-did-not-active email.

July 2008

DAT Updates

  • interface for guest invitation
  • management interface for entitlements
  • info display on main person page now includes entitlements
  • addresses can now be deleted from sponsored people
  • email address input forms no longer have the form <field>@<field>
  • CAS session timeouts redirect the user to the home URL rather than displaying an error
  • people can now be deleted from the registry (see archiving)

New Directory Attributes

  • guestId and authId
    • guestId is the credential for guests
    • authId contains any and all credentials for a given person
      currently this attribute will contain either the value of the uupid or the guestId
    • Data available in ED-ID and ED-AUTH, not ED-LITE
  • LDAP schema updated to include ou=entitlements branch
  • serviceDN
    • contains a service's certificate, used for looking up services
  • suppressEmployeeDisplay
    • whether an employee has their confidential flag set


  • GAMS interface for guest validation, password resets, password changes, and attribute management


  • person deletion now archives the person record in DSML format

Group Updates

  • UUGIDs can now be 128 characters long
  • multiple contacts are now supported
  • group members can now be suppressed in ed-auth in the ou=groups branch
  • services can now be group admins
  • joinability and leaveability concepts have been removed
  • manager concept added; people and services can be managers
  • uugids are no longer in the PID namespace

Services Updates

  • multiple contacts are now supported
  • multiple certificates are now supported
  • certificate revocation now supported by removing expired cert in the DAT
  • service authorization is now done by searching for serviceDN

March 2008

Code base refactored to leverage EJB 3.0 specification

E-mail Management

  • Database schema modified to improve email entity representation
  • Email accounts now support multiple forwards
  • Email accounts now support both forwarding and local delivery

DAT Updates

  • Person create no longer accepts address data; it can be modified after creation
  • Added NameArbiter interface for the searching and creation of arbitrated names
  • Added replication interface for people, groups, and services


  • Using EJB-QL now rather than JBoss-QL (artifact of the EJB 3.0 upgrade)
  • Both trigger based replication and bean based replication now flow through a single JMS topic
  • Implemented caching layer in registry-change to eliminate the processing of duplicate records

June 2007

E-mail Management

  • Junk Mail Management now being tracked by ED
  • Mail replication updated to send junk mail management attributes
  • Mail replication updated to not check UID when updating accounts (for changing account ownership)
  • Group Email type renamed to Forward-Only


  • Exposed PidGen session bean methods as web services
  • Refactored namearbiter to allow stateless communication and improve reservation performance

DAT Updates

  • Added CAS integration
  • Added documentation links to the wiki
  • Added group membership to person query details
  • Added junk mail management data to person query details
  • Added PID transition state to person query details
  • Added responsible pid to person create confirmation page

E-mail Updates

  • Modified e-mail management forms to append '' on fields that require that domain
  • Modified e-mail creation:
    • modified forms to append ''
    • uupid automatically set for VE accounts
    • VE creation option removed if person already has an active VE account
  • All form field lengths correspond to my.vt field lengths
  • Accounts in the deleted state cannot be modified; they must be placed in the active state first

March 2007

New Directory Attributes

  • accountCreationDate, accountExpirationDate, accountShelveDate
  • Data will not be shown in MyVT’s ‘My Profile’
  • Data available in ED-ID, not ED-LITE or ED-AUTH

Replication Changes

  • JBoss service now processes XML payload from Banner
  • Previous PL/SQL retired
  • Business logic now leveraged in replication stream

ED-Lite suppression flag

  • Data now in the Registry
  • Will not be used until use case is better understood and tools available for setting

PID Transitions

  • A transition type is now required whenever a PID changes state

Available transitions

  • Former Employee
  • Password Expired
  • Password Reset
  • Do Not Know
  • Userid Assigned
  • Userid Generated
  • Shelve Date Arrived
  • To Be Released Date Arrived
  • Active Former Employee
  • Deceased
  • Shelve Requested
  • Duplicate Record

DAT Updates

  • DAT now uses ED Groups for authz
  • DAT now uses the struts framework
  • Updates no longer redirect back to the info page
  • Layout of some pages has changed
  • More sanity checking has been added
  • Service attribute management refactored

May 2006

New Directory Attributes

  • Cell, Fax, and Pager replicated from Banner
  • Data can be set in Hokie Spa
  • Data will not be shown in MyVT’s ‘My Profile’
  • Data available in ED-ID, not ED-LITE
  • Employee related data will be available in AD

E-mail Expiration

  • Accounts can be put directly into the ‘Deleted State’ via the DAT (PID renames)
  • 2nd notification email sent 14 days before account enters ‘Deleted State’

Authentication Statistics

  • The following statistics are now displayed in the DAT
    • Last Authentication From: <host>:<port>
    • Last Successful Authentication: <date>
    • Last Failed Authentication: <date>
    • Failed Authentication Attempts: <number>

Password Expiration

  • Password resets performed in the DAT will only be valid for 24 hours

Social Security Numbers

  • SSNs no longer shown in the DAT
  • SSNs can be searched on

Person Creation

  • ‘Revokable’ people can now be created via the DAT
  • Exists for people who need to exist in the Registry, but not Banner

January 2006

New E-mail Account Types

  • Two new account types are available: Group and Admin
  • A person can have any number of Group or Admin e-mail accounts
  • Group accounts are always locked; we expect them to be forwarded to Exchange accounts (impossible hash)
  • Admin accounts do not replicate with a password; we expect the password to be set on the mail system by the account owner
  • A person does not need to have a PID in order to have a Group or Admin e-mail account

E-mail Expiration

  • Delete function no longer exists in the DAT, replaced with expiration function

Expiration Timeline

  1. E-mail account expiration date set to 66 days in the future
  2. Account owner notified they have 30 days to retrieve mail
  3. After 30 days account enters the deleted state
  4. After 62 days account is removed from the e-mail server
  5. After 66 days account is removed from the registry
  • E-mail account can be renewed at any time during the expiration period
  • A person can have any number of VT accounts, but only one can be active at any given time (PID renames)
  • Only active VT accounts will be shown in ED-Lite

PID Account States

  • Locked
    • PID cannot authenticate
    • VT e-mail account cannot pop mail (impossible hash)
    • Forwards on VT e-mail accounts are removed
    • Expired VT e-mail accounts cannot be renewed
  • Shelved
    • PID cannot authenticate
    • VT e-mail account automatically expired
    • Expired VT e-mail accounts cannot be renewed
  • To Be Released
    • PID cannot authenticate
    • PID cannot enter this state if VT e-mail account exists
    • PID expiration date set to 7 days in the future

DAT Changes

  • All relevant data available in the ‘Account Information’ section
  • Max Aliases can be used to control the number of aliases an e-mail account is allowed to have
  • Display E-mail can be used to override a person’s preferred address in ED-Lite
  • Preferred E-mail and Display E-mail not available to Admin and Group e-mail accounts or VT e-mail accounts in the deleted state

Portal Behavior

  • Honors the max alias setting
  • Display e-mail is reflected in ‘Personal Profile’; it is not reflected in ‘Mail Settings’
  • If VT e-mail account is in the deleted state, then the ‘Edit’ link is not available
