Slurpee: GDS Group Synchronization
Slurpee
The Groups Directory Service (GDS) is designed to be an institutional
repository for groups that are re-usable across multiple technologies. As such,
it's desirable for UWWI to be closely integrated with it, and this is the goal
of Slurpee.
GDS currently supports 4 types of groups:
- standard groups
- privacy groups
- course groups
- affiliation groups
Support for these groups required custom schema modifications, implementation
of the eduPerson schema, and configuration changes to support private
membership.
Standard and Privacy Groups
Standard groups are basic groups, sometimes with a few fancy things on them,
but usually they are very straightforward.
Privacy groups are standard groups with an option to keep the membership
private. There are very few of these types of groups.
Only standard groups can become mail-enabled, creating email-enabled security
groups within UWWI that are usable as Exchange distribution groups or for
authorization purposes on Exchange resources; privacy groups cannot become
mail-enabled. The mail-enable mechanism is currently limited to Exchange
support staff.
Course Groups
Course groups correspond to courses that students enroll in. Their membership
is private because FERPA applies to them. Course groups carry a number of
attributes, including: displayName (the course title), uwYear (the year
offered), uwQuarter (quarter offered: SUM|SPR|WIN|AUT), uwSln (the decimal
number in the catalog for this course), uwCurric (the departmental discipline),
uwCrsNo (the course level number), uwSectID (the section), uwInstructor (the
instructor(s)), and of course the members.
Within UWWI, the members include the enrolled students AND the instructor(s).
In contrast, within GDS, students and instructors are kept separate, and there
is no "member" attribute; instead, the enrolled students are held on a student
attribute.
An example name of a course group (as represented in UWWI) is:
course_2005sum-psych101a. In contrast, within GDS, there is no unique
human-readable name on course groups; instead a uwregid, a long hex string, is
used for uniqueness.
There are a large number of course groups in UWWI: more than 100,000 course
groups exist.
Course group membership is kept private by a mechanism described in detail
here. At a high level, it's important to know that the 'Pre-Windows 2000
Compatible Access' group is empty, and that by default, no one has access to
the memberOf attribute on user objects. Some applications and services assume
otherwise on these two points, and that causes them problems. The number of
applications and services that make such an assumption is believed to be very
small, but it is something to keep in mind.
Affiliation Groups
Affiliation groups are groups that represent the eduPersonAffiliation values
associated with each person. There is a known number of affiliations that
correspond to affiliation groups that is unlikely to increase very rapidly. The
affiliation groups are:
- uw_affiliate
- uw_alum
- uw_employee
- uw_faculty
- uw_member
- uw_staff
- uw_student
These groups have a large number of members, and have obvious use in terms of
authorization.
It should be carefully noted that for the purposes of affiliations, Slurpee
also modifies user objects. The eduPersonAffiliation attribute on user objects
is kept in sync with the UW enterprise data. The affiliation groups are likely
more useful, but the attributes may have some use. Slurpee is the only process
which synchronizes the eduPersonAffiliation user attributes in UWWI.
GDS Group Support
All groups created by Slurpee are created as universal groups to maximize
their usefulness. In the future, additional AD group types might be supported by
GDS, but at this time, that functionality is not present.
GDS supports several member types, including:
- UW NetID
- Named certificate
- Group, i.e. support for nested groups
- Federated IDs
It's possible that in the future, GDS will support the greater diversity of
member types allowed by Active Directory, including: computers, Exchange public
folders, Exchange distribution lists, and contacts.
When Slurpee encounters a member which it does not recognize, that member is
discarded. This can happen in several cases:
- A UW NetID which has been abandoned, has become a prior NetID (i.e. a UW
NetID rename has happened), or for which no Kerberos service is active.
- All named certificates are dropped, as they don't map to any security
principal object in Active Directory.
- All federated IDs are dropped, as they don't map to any security
principal in Active Directory.
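As an added illustration (not Slurpee's own code), the following turns one GDS course group record into the member set that would be written to UWWI, merging students and instructors and discarding members that have no Active Directory security principal. The record layout, the member-kind names, the NetID lookup tables and the way the course name is derived from the course attributes are assumptions made for this example.

```python
# Added example, not Slurpee's own code. The record layout, member-kind
# names and the NetID lookup tables below are assumptions for illustration.
from dataclasses import dataclass

# Constructed stand-ins for the identity registry: NetIDs with an active
# Kerberos service, and NetIDs that became "prior" NetIDs after a rename.
ACTIVE_NETIDS = {"jdoe", "asmith", "prof1", "jsmith"}
PRIOR_NETIDS = {"jsmith"}

@dataclass(frozen=True)
class Member:
    kind: str    # assumed kinds: "netid", "group", "certificate", "federated"
    value: str

def course_group_cn(attrs):
    """UWWI name for a GDS course group, e.g. course_2005sum-psych101a.
    Assumption: built from uwYear, uwQuarter, uwCurric, uwCrsNo and uwSectID,
    since GDS itself identifies the course only by its uwregid."""
    return "course_{}{}-{}{}{}".format(
        attrs["uwYear"], attrs["uwQuarter"].lower(), attrs["uwCurric"].lower(),
        attrs["uwCrsNo"], attrs["uwSectID"].lower())

def resolve_members(members):
    """Split GDS members into (kept, dropped). Only UW NetIDs and nested
    groups map to an AD security principal; named certificates and federated
    IDs never do, and abandoned or renamed NetIDs are discarded as well."""
    kept, dropped = [], []
    for m in members:
        if m.kind == "group":
            kept.append(m.value)
        elif m.kind == "netid" and m.value in ACTIVE_NETIDS and m.value not in PRIOR_NETIDS:
            kept.append(m.value)
        else:
            dropped.append(m)
    return kept, dropped

def sync_course_group(attrs, students, instructors):
    """UWWI keeps a single member list, so GDS students and instructors are
    merged; an instructor who is also enrolled appears once."""
    kept, dropped = resolve_members(list(students) + list(instructors))
    return {"cn": course_group_cn(attrs), "displayName": attrs["displayName"],
            "members": sorted(set(kept)), "dropped": dropped}

# Constructed sample course record and membership.
SAMPLE_COURSE = {"displayName": "Introduction to Psychology", "uwYear": "2005",
                 "uwQuarter": "SUM", "uwCurric": "PSYCH", "uwCrsNo": "101",
                 "uwSectID": "A"}
SAMPLE_STUDENTS = [Member("netid", "jdoe"), Member("netid", "asmith"),
                   Member("netid", "jsmith"), Member("certificate", "CN=lab-cert"),
                   Member("federated", "user@example.edu")]
SAMPLE_INSTRUCTORS = [Member("netid", "prof1")]
```

The `dropped` list is worth logging in a real sync: a sudden rise in discarded NetIDs is the quickest sign that the registry lookup, not the group, is broken.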
GDS Feature Support
The Groups Service supports several features, including:
- Display Name. An additional name other than the "group ID" (the cn
attribute) can be asserted.
- Email-enabled group. Various features which allow services like Exchange
to use the group.
- Access control. Restrict who can view the membership and other
attributes.
Slurpee supports all of these features.
Exchange email-enabled group functionality does depend upon the Exchange
service.
Access controls can cause problems for applications that expect to have access
to the information. If Slurpee encounters a problem applying access controls,
it stops processing that group in order to limit information disclosure.
Slurpee Operational Details
Slurpee is a command line .NET application which polls GDS for groups which
have been created or modified in the past 14 days, processes the GDS data,
transforming it appropriately, and writes any needed updates to UWWI.
[Diagram: client, GWS, GDS, Slurpee and UWWI data flow, steps 1 to 6]
In the diagram above, a client interacts with the Groups Web Service (GWS),
creating or modifying a group [1]. GWS interacts with GDS, making the
appropriate changes [2]. Slurpee initiates a request for which GDS groups have
changed [3]. GDS sends back an LDAP response with all the pertinent info [4].
Finally, Slurpee transforms this GDS data and writes the appropriate info to
UWWI in the form of groups (and eduPersonAffiliations) [5]. The client can then
see this group information in UWWI [6].
Slurpee runs in four configurations:
- Cherry Flavor: Once a day, at 4am, it processes all affiliations.
- Grape Flavor: Once a day, at 10am, it processes all course groups which
have been created or modified in the past 14 days.
- Raspberry Lemonade Flavor: Once a day, at 4pm, it processes all standard
and privacy groups with greater than 1000 members, i.e. all large groups,
that have been created or modified in the past 7 days.
- Blue Raspberry Flavor: 24 times a day, every hour on the hour, it
processes all standard and privacy groups with less than 1000 members, i.e.
all small groups, that have been created or modified in the past 7 days.
Course groups and affiliations are only updated daily, so more frequent
processing would not be useful.
Reprocessing groups throughout the lookback window is a redundant failsafe
built into the design to help ensure that the quality of synchronization is
high.
Large groups are very costly to synchronize, and so are only attempted once a
day.
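The four flavors above determine how long a GDS change takes to reach UWWI. As an added example (not part of Slurpee), the function below picks the flavor for a group, computes the first run that will pick the change up, and the point at which the lookback window closes and reprocessing stops. It assumes the runs start exactly on the hour, that a group with exactly 1000 members counts as large, and that affiliation runs have no lookback window.

```python
# Added example, not Slurpee's own code. Assumptions: runs start on the hour,
# exactly 1000 members counts as "large", affiliations have no lookback window.
from datetime import datetime, timedelta

# Start hours (24h clock) of each flavor's runs.
SCHEDULE = {
    "Cherry": [4],                        # all affiliations, daily
    "Grape": [10],                        # course groups, daily
    "Raspberry Lemonade": [16],           # large standard/privacy groups, daily
    "Blue Raspberry": list(range(24)),    # small standard/privacy groups, hourly
}
# Days after creation/modification during which a group keeps being reprocessed.
WINDOW_DAYS = {"Cherry": None, "Grape": 14, "Raspberry Lemonade": 7, "Blue Raspberry": 7}
LARGE_GROUP = 1000

def flavor_for(group_type, member_count):
    """Map a GDS group type and its size to the Slurpee flavor that handles it."""
    if group_type == "affiliation":
        return "Cherry"
    if group_type == "course":
        return "Grape"
    if group_type in ("standard", "privacy"):
        return "Raspberry Lemonade" if member_count >= LARGE_GROUP else "Blue Raspberry"
    raise ValueError(f"unknown GDS group type: {group_type}")

def next_run(flavor, after):
    """First scheduled start of `flavor` strictly after `after`; every flavor
    runs at least daily, so looking two days ahead always finds one."""
    midnight = after.replace(hour=0, minute=0, second=0, microsecond=0)
    for day in range(2):
        for hour in SCHEDULE[flavor]:
            start = midnight + timedelta(days=day, hours=hour)
            if start > after:
                return start
    raise RuntimeError("no run scheduled")  # unreachable with the table above

def plan_sync(group_type, member_count, modified_at):
    """Return (flavor, first run picking up the change, end of reprocessing)
    for a change made at `modified_at` ('YYYY-MM-DD HH:MM')."""
    changed = datetime.fromisoformat(modified_at)
    flavor = flavor_for(group_type, member_count)
    first = next_run(flavor, changed).strftime("%Y-%m-%d %H:%M")
    window = WINDOW_DAYS[flavor]
    until = "every run" if window is None else \
        (changed + timedelta(days=window)).strftime("%Y-%m-%d %H:%M")
    return flavor, first, until
```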
The full details of how Slurpee maps GDS data to UWWI are here.