Presentation is loading. Please wait.

Presentation is loading. Please wait.

LDAP/Active Directory Integration Making Active Directory a slave to your enterprise environment. Robert Banz Copyright Robert Banz,

Published byAdam Compton Modified over 9 years ago

Similar presentations

Presentation on theme: "LDAP/Active Directory Integration Making Active Directory a slave to your enterprise environment. Robert Banz Copyright Robert Banz,"— Presentation transcript:

1 LDAP/Active Directory Integration Making Active Directory a slave to your enterprise environment. Robert Banz Robert.banz@umbc.edu Copyright Robert Banz, 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 2 Background UMBC’s Stats: 11,700 Students 1200 Faculty “Centralized” computing environment

3 3 Deep Background Pre-Enterprise Directory environment MIT K5 for Authentication PH/CSO for account management AFS for enterprise file service

4 4 Foreground Enterprise Directory: August 2000 Included… Identity management system. Account management system. Web SSO (initially for mgmt. apps & Blackboard) Email Routing (no more sendmail alias files!)

5 5 UMBC’s Enterprise Directory

6 6 Demystifying Active Directory Microsoft Active Directory is: –A “NOS” specific directory –LDAP based –Relies on MIT Kerberos 5 for authentication –DNS service records for resource discovery Commentary: It’s a “good thing tm ”

7 7 What is Kerberos? Kerberos is: “…a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.” -http://web.mit.edu/kerberos/www “Embraced and Extended” by Microsoft …but not as much as the Anti-MS crowd would have you think.

8 8 Directory Services Architecture

9 9 Integration Goals One password between the Windows & UNIX environment Little “manual” administration of the Windows environment Access to AFS file space from UNIX

10 10 Password Integration Options Use Microsoft’s KDC Pros: –Easy integration with MS –MIT K5 applications will integrate cleanly –MIT K4 applications (such as AFS) *are* integrateable ( see OpenAFS mailing list) Cons: –Uses the Microsoft KDC (not only a religious issue) –Need to “re-register” all users’ passwords, a logistical nightmare

11 11 Password Integration Options Use existing KDC Pros: –No need to “re-register” user passwords –Easy Kerberos 4 compatibility for old applications Cons: –Need to configure Win2k/XP workstations for “cross realm” authentication –Problems with “downlevel” applications and clients.

12 12 Administration Options Use Microsoft AD as the enterprise directory Pros: –Easy integration. –AD has very good access control & schema management capabilities Cons: –Schema is not 100% “standards” compliant –Need to migrate existing enterprise –Reliance on “vendor specific” extensions could follow…

13 13 Administration Options “Pull” data from enterprise directory Pros: –Managing AD from the Windows platform is well documented. –ADSI tools can control every aspect, even remotely, of the AD tree. Cons: –We’re UNIX geeks, and all other directory connectors exist on UNIX.

14 14 Administration Options “Push” data from enterprise directory Pros: –We’re UNIX geeks, and it can run with our existing connector infrastructure. –Most of AD can be managed directly via standard LDAP calls Cons: –Some security/access control features are “opaque” from the LDAP perspective. –Undocumented, unsupported, etc. (but since when has that stopped us?)

15 15 Our Choices Use our existing MIT KDC –Involves “cross-realm” authentication Managed AD via LDAP from UNIX –“just another perl connector”

16 16 WHAT is this “cross realm” thing? From the Kerberos FAQ: Any Kerberos principal can authenticate to other principals within the same Kerberos realm. However, it is also possible to configure a Kerberos realm so principals in one realm can authenticate to principals in another realm. This is called cross-realm authentication. The way this is implemented is the KDCs in the two realms share a special cross-realm secret, and this secret is used to prove the identity of principals when crossing the boundary between realms.

17 17 What’s Missing? ntSecurityDescriptor is an “opaque” field. Is a binary structure, “only usable” via the ADSI libraries. –…but someone may have decoded this by now.

18 18 Basically… Everything else works: Users authenticate via Kerberos They can get to their files via AFS Their profiles are stored there …it’s all good.

19 19 Step By Step: Kerberos Integration Setting up Cross-Realm Kerberos http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp –Configure the workstations with your non-AD Kerberos realm Ksetup /addkdc UMBC.EDU kerberos.umbc.edu –Create cross-realm tickets on the MIT KDC –Configure the AD server to accept cross-realm tickets …via the Domain Tree Management tool

20 20 Step By Step: Kerberos Integration Configure user accounts to accept “foreign” security credentials –Enable “Advanced Features” in “Active Directory Users and Computers” –Right click on the appropriate user, and pick “Name Mappings” –Add the appropriate kerberos identity to the list…

21 21 On To LDAP 1.Create a “working” cross realm account 2.Look at the resulting account via LDAP 3.…lather, rinse… Try to repeat.

22 22 …and a little LDAP dn: CN=banz,CN=Users,DC=sysad,DC=umbc,DC=edu memberOf: CN=Users,CN=Builtin,DC=sysad,DC=umbc,DC=edu memberOf: CN=Administrators,CN=Builtin,DC=sysad,DC=umbc,DC=edu accountExpires: 0 adminCount: 1 altSecurityIdentities: Kerberos:banz@UMBC.EDU badPasswordTime: 0 badPwdCount: 0 codePage: 0 cn: banz countryCode: 0 displayName: Robert Banz instanceType: 4 lastLogoff: 0 lastLogon: 126810736570214704 logonCount: 1 logonHours:: //////////////////////////// distinguishedName: CN=banz,CN=Users,DC=sysad,DC=umbc,DC=edu …

23 23 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=sysad,DC=umbc,DC=edu objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user objectGUID:: ia22S8MoEEWpMBCsP0U6aw== objectSid:: AQUAAAAAAAUVAAAAFSWvRxHDX3Pb6wxQ7gMAAA== primaryGroupID: 513 pwdLastSet: 126810732088463792 name: banz sAMAccountName: banz sAMAccountType: 805306368 userAccountControl: 66048 uSNChanged: 2726 uSNCreated: 1415 whenChanged: 20021111212224.0Z whenCreated: 20021111205605.0Z

24 24 LDAP Oddities Password changes (userPassword) have special rules: –It’s actually unicodePwd –…and it’s a double-wide character string (grr…) –…and it can only be set over SSL, either at object creation, or in a single operation Some attributes don’t show up… –ntSecurityDescriptor is not returned unless asked for.

25 25 Tips & Tricks Creating Accounts Via LDAP Only a small subset of the attributes in the account object need to be provided – the rest are generated by the directory. We set: (items in bold are required in our environment) –distinguishedName – The DN of the object in Active Directory –wwwHomepage – The user’s homepage location (informational) –mail – The user’s advertised mail address (informational) –altSecurityIdentities – The user’s foreign KDC principal. –displayName – The “full name” of the person. –givenName – The person’s first name. –Sn – The person’s last name. –homeDirectory – Location of their home directory.

26 26 Tips & Tricks Creating Accounts Via LDAP We set – continued (items in bold are required in our environment) –profilePath – Location of their roaming profile. –name – Name (user ID) of the account –samAccountName – The account name, again –userAccountControl – Bit field of certain account properties (by default, an account is in a “locked” state) –userPrincipalName – The princpal of the AD account (user@AD.REALM.COM) –ntSecurityDescriptor – Security settings for this object. –cn – The “common name” of the account (==name)

27 27 The Goods. Our iPlanet 4.x -> AD connector is freely available (as well as other useful middleware stuffs) http://www.umbc.edu/oit/syssw –lbridged – processes the iPlanet 4.x LDAP changelog –perl-ldap – contains perl modules which make up the actual translation/connection logic

28 28 For More Information Microsoft’s Website http://www.microsoft.com (yes, in this case, it is helpful) http://www.microsoft.com MIT’s Project Pismere (now WinAthena) http://web.mit.edu/pismere/ http://web.mit.edu/pismere/

29 29 This page intentionally left blank.

Download ppt "LDAP/Active Directory Integration Making Active Directory a slave to your enterprise environment. Robert Banz Copyright Robert Banz,"

Similar presentations

11/2/2013 2:02:38 AM 5864_ER_FED 1 Importing Certificates into Lotus Notes R6.

11/2/2013 2:02:38 AM 5864_ER_FED 1 Importing Certificates into Lotus Notes R6.
1 IDX. 2 What you will learn: What IDX is Why its important How to use it Tips and tricks Introduction Q & A.

1 IDX. 2 What you will learn: What IDX is Why its important How to use it Tips and tricks Introduction Q & A.
Follow the instruction to install the PC Suite from the SD card: 1.Go to the settings -> SD Card & phone storage -> Enable the mass storage only mode 2.Connect.

Follow the instruction to install the PC Suite from the SD card: 1.Go to the settings -> SD Card & phone storage -> Enable the mass storage only mode 2.Connect.
Copyright line. Configuring Server Roles in Windows 2008 Exam Objectives New Roles in 2008 New Roles in 2008 Read-Only Domain Controllers (RODCs) Read-Only.

Copyright line. Configuring Server Roles in Windows 2008 Exam Objectives New Roles in 2008 New Roles in 2008 Read-Only Domain Controllers (RODCs) Read-Only.
UNIVERSITY OF EDUCATION BY H.M.ISHTIAQ RAFIQUE. Domain Name Structure.

UNIVERSITY OF EDUCATION BY H.M.ISHTIAQ RAFIQUE. Domain Name Structure.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
1 Copyright © 2002 Pearson Education, Inc.. 2 Chapter 2 Getting Started.

1 Copyright © 2002 Pearson Education, Inc.. 2 Chapter 2 Getting Started.
What's a Proxy Printer Provider? PWG WIMS-CIM Working Group Rick Landau Dell, CTO Office 2008/08/08 v0.2.

What's a Proxy Printer Provider? PWG WIMS-CIM Working Group Rick Landau Dell, CTO Office 2008/08/08 v0.2.
17 Copyright © 2005, Oracle. All rights reserved. Deploying Applications by Using Java Web Start.

17 Copyright © 2005, Oracle. All rights reserved. Deploying Applications by Using Java Web Start.
Click to edit Master title style Page - 1 OneSky Teams Step-by-Step Online Corporate Communication Support 2006.

Click to edit Master title style Page - 1 OneSky Teams Step-by-Step Online Corporate Communication Support 2006.
Tutorial 9 – Creating On-Screen Forms Using Advanced Table Techniques

Tutorial 9 – Creating On-Screen Forms Using Advanced Table Techniques
XP New Perspectives on Microsoft Office Word 2003 Tutorial 6 1 Microsoft Office Word 2003 Tutorial 6 – Creating Form Letters and Mailing Labels.

XP New Perspectives on Microsoft Office Word 2003 Tutorial 6 1 Microsoft Office Word 2003 Tutorial 6 – Creating Form Letters and Mailing Labels.
XP New Perspectives on Microsoft Office Word 2003 Tutorial 2 1 Microsoft Office Word 2003 Tutorial 2 – Editing and Formatting a Document.

XP New Perspectives on Microsoft Office Word 2003 Tutorial 2 1 Microsoft Office Word 2003 Tutorial 2 – Editing and Formatting a Document.
Title Subtitle.

Title Subtitle.
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Microsoft Office 2010 Basics and the Internet

Microsoft Office 2010 Basics and the Internet
INTERNET PROTOCOLS Class 9 CSCI 6433 David C. Roberts Entire contents copyright 2011, David C. Roberts, all rights reserved.

INTERNET PROTOCOLS Class 9 CSCI 6433 David C. Roberts Entire contents copyright 2011, David C. Roberts, all rights reserved.
How To Use Google Forms to Create A Test Quick Easy Self-Graded!! Instant Reports.

How To Use Google Forms to Create A Test Quick Easy Self-Graded!! Instant Reports.
Page 1 of 30 To the Create Assignment Request Online Training Course An assignment request is created by an assignor to initiate the electronic assignment.

Page 1 of 30 To the Create Assignment Request Online Training Course An assignment request is created by an assignor to initiate the electronic assignment.
Campaign Overview Mailers Mailing Lists

Campaign Overview Mailers Mailing Lists

Similar presentations

Ads by Google