Remedy: Take the Cure -- What is an EUID?


Enterprise-Wide User-Id (EUID):

What is it?

A completely unique electronic identity for each individual affiliated with the University of North Texas, for each role that they have at the University (one for a staff or faculty role, and another one for a student role). It is typically three letters taken from their initials, followed by four numbers. For students, it is normally the SAME as their Eagle@Mail login name.

Why do I have one?

To provide a single login and electronic identity for as many of the University's electronic resources as possible, within the limits of existing system security structures.

Why isn't it the same as my network login (for Faculty and Staff)?

NetWare (NDS) network logins are neither unique across the campus, nor are they correlated to your University identity in any way (as defined on the mainframe databases, HRMIS and SIMS, where you are paid as an employee or register for your classes). A more detailed explanation of this problem appears below.

Introduction

Everyone directly associated with the University of North Texas has at least one EUID (Login Name) assigned to them in the Enterprise-Wide User-ID system operated by Academic Computing. Originally described in the Enterprise-Wide User-ID Specification Working Document (1997) formulated for the Information Resources Council (IRC), this system for assigning unique electronic identities to people was implemented in fall of 1999 to make the campus-wide student email system (Eagle@Mail) possible. It parallels and expands upon the existing UNIX login name system (originally called Jove and/or Sol accounts), which constituted the largest set of unique login names of any existing system on campus. As a general rule, it has no correlation to NetWare or Windows network accounts, or any other similar system, for a variety of reasons explained below.

Background

As currently implemented, the Enterprise-Wide User-ID Specification (EUID) system meets many of the original system design goals:

  • To provide a single point of contact on campus for managing computer User-ID values; to include functionality that supports the elimination and prevention of duplicate User-ID values associated with different individuals, and the tracking of system access assigned to a User-ID value.
  • To support the use of an automated on-line User-ID assignment and activation request system which will involve no or minimal paperwork processing by system users and administrative staff and which will support the use of a single User-ID value per person when possible and appropriate.

The EUID system assigns a completely unique three-letter, four-number identity to every person identified in the mainframe Human Resources (HRMIS) and Student (SIMS) databases. The letters are drawn from the initials of the person's name, and the numbers are sequential. Well over 50,000 identities have already been assigned to everyone with an entry in the two mainframe databases, and new additions are assigned as soon as they appear in these databases. Individuals who are both students and student employees will have two separate, unique, electronic identities; one as a student, and one as a staff member. Others are assigned to people affiliated with the University who do NOT appear in the mainframe databases, upon certification of their eligibility to use University Computing Resources. These identities are actually stored twice in each record, once as a permanent UID, and again as an EUID which it is possible to change later (for faculty and staff only).

These identities are stored on a large Lightweight Directory Access Protocol (LDAP) server, which will eventually become integrated into many other information resources as a campus-wide directory service.  This system currently stores the individual's nine-digit UNT ID number as the password, and this password becomes blocked as people leave the University for one reason or another. Note that UNT ID was NOT usable as a unique key because (a) it is not unique in LDAP, since there are both student and faculty/staff records for the same person, and (b) the use of Social Security Numbers for UNT IDs places the use of that data under a variety of Federal Laws and restrictions.

Application

The EUID identities stored on our LDAP server are used as Login Names (and the associated UNT IDs for passwords) for WebCT accounts, access to the Library CD-ROMs, and for the Remedy Action Request System. The logins (not the passwords) are normally the same as those on all Internet (UNIX and IMAP mail) accounts. They are the ONLY logins that are unique across campus. By keying everything to the central LDAP server we are trying to get MOST of our campus-wide electronic resource systems onto one login and password system.

For the vast majority of University of North Texas customers, the Remedy Action Request System uses a Login Name drawn from the Enterprise-Wide User-ID (EUID) system. Remedy uses the same EUID data as LDAP, but uses different Login Names for Computer Support Staff to TRY to make things easier for the heaviest system users. Computing Center staff accounts and Remedy Computer Support staff accounts have been changed to match NetWare account names wherever possible. Everyone else can look up their EUID for Remedy (or any other purpose) on the What's My EUID? lookup page.

Why there is no correlation to NetWare or GroupWise

The first question many faculty and staff have about the EUID system is why it is not the same as their NetWare or GroupWise account. In fact, the EUID identities bear no relationship to NetWare/GroupWise because that system (NDS) exists in complete isolation from all other campus databases: it shares no common key that we could have used to look up the NetWare names, and the form of name used is almost never the same as it is in HRMIS. Further explanation is necessary.

Historically, NetWare and GroupWise accounts were created locally on each server by departmental network managers and their staff, usually without any attempt to ensure their uniqueness on the campus. When the campus migrated to a university-wide NetWare Directory Service (NDS) several years ago, this problem was not cleaned up since Novell object names only had to be unique within their own container. As a result, there are a large number of Login Names and GroupWise mail accounts in NDS that are actually duplicates of each other without the addition of a context (container) name. As they exist today, they are unusable in any campus-wide, unique-keyed directory like the Enterprise-Wide User-ID system. In fact, they cannot even be correlated to one.

Compounding the problem, there is no way to correlate any of the records in NDS to the mainframe databases (HRMIS and SIMS), since NDS contains no key field that allows them to be matched to the people in the mainframe databases or in the EUID system (LDAP). They cannot be correlated on name, either, since the mainframe and LDAP EUID databases use the "official" form of the person's name, and NDS usually contains some common-use form of the name that is quite different.

EUID Convergence - the Elusive Goal of a "Single Login"

Ideally, the electronic identities in the EUID system, as stored in LDAP, will be changed for faculty and staff members to match the local area network (NDS) login names. This will NOT be done for the much more numerous student accounts. Several things have to happen first.

  1. Network managers for each department, college, or organization must hand-post the non-changeable UID identities to NDS. This was recently agreed to in the Distributed Computing Support Management Team (DCSMT), and a target set for this Spring to complete the work. It will take a long time to hand post every one of over 14,000 entries in NDS with the unique UID keys.
  2. Network managers will have to resolve all duplicate names between their individual containers in NDS, and with named EUIDs that already exist in the Enterprise-Wide User-ID system. As a result, some faculty and staff will of necessity have to be assigned new Login Names for NDS, or at a minimum, a second unique one for their EUID.
  3. When the NDS names have been keyed to UIDs and are universally unique, it will be possible to update the Enterprise-Wide User-ID system EUID field with those names. It will also be possible (finally) to correlate people in the LDAP database to GroupWise accounts, which is currently not the case.

Obviously this process will take time, especially the resolution of duplicate names. In the process of changing Remedy Login Names to match NDS names for the Computing Support staff alone (fewer than 300 accounts, which will be posted as EUID changes later), over a dozen duplicate names were found and had to be avoided.
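The duplicate resolution in steps 2 and 3 can be expressed as code. This is an added example, not part of the original article or of any University tooling; the record layout, container names and sample accounts are constructed, and comparing names case-insensitively is an assumption.

```python
from collections import defaultdict

# Constructed sample data, not real accounts: (container, NDS login, posted UID).
NDS_ENTRIES = [
    ("ou=cas",  "jsmith",  "jqs0001"),
    ("ou=coba", "JSmith",  "jrs0002"),  # same login name, different person
    ("ou=cc",   "mlopez",  "mal0003"),
    ("ou=cas",  "abc0004", "tkw0005"),  # name is already someone else's EUID
    ("ou=coe",  "rjones",  None),       # UID not hand-posted yet (step 1)
    ("ou=cc",   "pchen",   "pyc0006"),
    ("ou=lib",  "pchen",   "pyc0006"),  # one person present in two containers
]
# Faculty/staff LDAP records: permanent UID -> current, changeable EUID.
LDAP_EUIDS = {u: u for u in
              ("jqs0001", "jrs0002", "mal0003", "abc0004", "tkw0005", "pyc0006")}


def plan_convergence(nds_entries, ldap_euids):
    """Return (updates, conflicts): EUID changes that are safe to apply,
    and NDS names that need a network manager's decision first."""
    uids_by_name = defaultdict(set)
    names_by_uid = defaultdict(set)
    conflicts = {}
    for _container, login, uid in nds_entries:
        name = login.lower()        # assumption: names compare case-insensitively
        if uid not in ldap_euids:   # covers a missing UID and an unknown one
            conflicts[name] = "no UID key posted"
            continue
        uids_by_name[name].add(uid)
        names_by_uid[uid].add(name)
    euid_owner = {euid.lower(): uid for uid, euid in ldap_euids.items()}
    updates = {}
    for name, uids in sorted(uids_by_name.items()):
        uid = next(iter(uids))
        if name in conflicts:
            continue                # an unkeyed entry elsewhere shares this name
        if len(uids) > 1:
            conflicts[name] = "duplicate across containers"
        elif euid_owner.get(name, uid) != uid:
            conflicts[name] = "taken by another EUID"
        elif len(names_by_uid[uid]) > 1:
            conflicts[name] = "person has several NDS names"
        else:
            updates[uid] = name     # step 3: EUID field can take the NDS name
    return updates, conflicts


if __name__ == "__main__":
    print(plan_convergence(NDS_ENTRIES, LDAP_EUIDS))
```

Only names that map to exactly one keyed person and do not collide with another person's EUID reach the update list; everything else is held back with a reason.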

Summary

The requirement to deploy campus-wide student email and bulk emailing capabilities before the Spring 2000 semester drove the creation of the current Enterprise-Wide User-ID (EUID) system. This article may have helped you to understand why we had to programmatically generate new EUIDs for most of the campus, building on the UNIX names which have always been enforced as unique, in order to bring up a complete LDAP server for global authentication to WebCT, the Library Electronic Resources, and Remedy. The use of this system will expand even more in the future, so the concept and use of EUIDs will be with us for quite a while. Find out what yours is (or are) today.

