LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011.


1 LDAP user database Marina Vermezović Academic Network of Serbia Skopje

2 What is it all about? Services/resources: access to the network – wireless, VPN; web services – e-learning, e-library, student portal. Authentication – who are you? Authorization – what can you do? An authentication and authorization infrastructure (AAI) makes access to protected services easier. Akademska mreža Srbije

3 Without AAI (diagram): Faculty A's service providers (wireless, videoconference, e-learning, student services) and Library B's service providers (wireless, e-books) each perform their own authentication and authorization.

4 With AAI (diagram): Faculty A runs identity management and an identity provider; the identity provider performs authentication for the service providers of Faculty A (wireless, videoconference, e-learning, student services) and of the Library (wireless, e-books), while authorization stays with each service provider.

5 High level AAI diagram: the IdP consists of the user database fronted by RADIUS and SAML; network SPs (RADIUS NAS: eduroam, VPN) and web SPs (SAML: web resources, wiki pages) together with the IdP form a circle of trust, the federation. This is the basis for the development of all services that need local and inter-institutional AuthN and AuthZ.

6 What is a digital user identity? A set of data (attributes) about a user:
  Personal user data: name, surname; date of birth; national identification number; contact information (mail, address, phone)
  Data regarding affiliation to the institution: name of institution; affiliation (student, employee, guest); designation (for employees); type of studies (for students); local identification number; contact information (mail, address, phone)
  Credentials used for authentication: username/password; certificate
  Data that uniquely identifies a person
  User roles and privileges
  (The slide also marks attributes as person identifying or non person identifying.)

7 LDAP user database

8 Which database to use for storing user IDs? Basically you can choose any. Relational: MySQL, Oracle, PostgreSQL. Hierarchical: OpenLDAP, Active Directory. But there are some advantages to directories.

9-14 Directories – made for storing user IDs? Relational Databases vs Directories (the table is built up one row per slide over slides 9 to 14; slide 12 carries the title "User database – why LDAP?"):
  Schema: relational databases have no standard schema for tables and data fields; directories follow international standards for describing persons and organizations.
  Organization: in a relational database one logical entity can be stored in multiple tables; in a directory one logical entity = one entry in the DIT.
  Multivalue data: a relational database mandates a new table, or a fixed number of multiple data fields; directories have native support for multivalued attributes.
  Flexibility: changes in data fields can require big effort in a relational database; a directory schema is modified granularly and attributes are easy to add.
  Access: no standard protocol for access via the network; directories define a protocol for access via the network - LDAP.
  Optimization: directories are optimised for reading.

15 LDAP dictionary

16 LDAP dictionary revealed. DIT (Directory Information Tree): the term for the structure the data is organized in; it is hierarchical (tree-like).

17 LDAP dictionary revealed. Entry: a single item in the directory tree which describes one object, e.g. an organization, a person, an organizational unit.

18 LDAP dictionary revealed. Attribute: an attribute name – attribute value pair contained in the entry; it can be single-valued or multivalued.

19 LDAP dictionary revealed. objectClass: a logical group of attributes; an entry has one or more objectClasses assigned and must have exactly one structural one; the attributes can be optional or mandatory.

20 LDAP dictionary revealed. RDN – Relative Distinguished Name: the value by which entries are distinguished within one branch; it is constructed from some attributes of the entry, something like a folder name, or a primary key in relational databases.

21 LDAP dictionary revealed. DN – Distinguished Name: the “path” to the entry, which uniquely identifies it; it consists of all RDNs found on the path to the entry, separated by commas.

22 LDAP dictionary revealed. Base DN: the DN of the DIT root.

23 LDAP schema mystery? A schema consists of one or more objectClass definitions; each objectClass lists its attributes, and each attribute has its own definition (diagram: schema -> objectClassX -> attributeX -> attribute definition).
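Putting the terms from slides 16 to 23 together in code: this is an added example, not material from the presentation, that parses a constructed LDIF entry, splits its DN into RDNs, checks that it sits under the base DN, and validates it against a constructed, flattened toy schema (inetOrgPerson as the structural class, eduPerson as an auxiliary one). The schema, the base DN dc=example,dc=rs and the person are all made up.

```python
import re

# Constructed, flattened toy schema: a small subset of the classes named on these slides
# (inetOrgPerson from the standard LDAP schema, eduPerson from Internet2); not a real schema file.
SCHEMA = {  # objectClass -> (kind, MUST attributes, MAY attributes)
    "inetOrgPerson": ("structural", {"cn", "sn"}, {"uid", "mail", "givenName", "userPassword"}),
    "eduPerson": ("auxiliary", set(), {"eduPersonAffiliation", "eduPersonPrincipalName"}),
}
BASE_DN = "dc=example,dc=rs"  # DN of the DIT root (constructed)

# Constructed sample entry in LDIF; the person and the DN are made up.
SAMPLE_LDIF = """\
dn: uid=pperic,ou=People,dc=example,dc=rs
objectClass: inetOrgPerson
objectClass: eduPerson
uid: pperic
cn: Petar Peric
sn: Peric
eduPersonAffiliation: student
eduPersonAffiliation: member
"""

def parse_ldif(text):
    """One LDIF entry -> (dn, {attribute: [values]}); a repeated name is a multivalued attribute."""
    attrs = {}
    for name, _, value in (line.partition(":") for line in text.splitlines() if line.strip()):
        attrs.setdefault(name, []).append(value.strip())
    return attrs.pop("dn")[0], attrs

def split_dn(dn):
    """DN -> list of RDNs, the entry's own RDN first; RDNs are separated by unescaped commas."""
    return [r.strip() for r in re.split(r"(?<!\\),", dn)]

def check_entry(dn, attrs, base_dn=BASE_DN):
    """Return a list of problems; an empty list means the entry fits the DIT and the toy schema."""
    problems, rdns, base = [], split_dn(dn), split_dn(base_dn)
    if rdns[-len(base):] != base:
        problems.append("DN is not under the base DN")
    ocs = [o for o in attrs.get("objectClass", []) if o in SCHEMA]
    if sum(SCHEMA[o][0] == "structural" for o in ocs) != 1:
        problems.append("entry needs exactly one structural objectClass")
    must = {a for o in ocs for a in SCHEMA[o][1]}
    allowed = must | {a for o in ocs for a in SCHEMA[o][2]} | {"objectClass"}
    problems += [f"missing mandatory attribute {a}" for a in sorted(must - set(attrs))]
    problems += [f"attribute {a} not allowed by the objectClasses" for a in sorted(set(attrs) - allowed)]
    rdn_attr, _, rdn_val = rdns[0].partition("=")  # e.g. uid=pperic
    if rdn_val not in attrs.get(rdn_attr, []):
        problems.append("RDN value is not an attribute value of the entry")
    return problems
```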

24 Which schema should I use? One can define a proprietary schema for use within an organization. But if inter-institutional AuthN and AuthZ is used, as in an NREN AAI, using the same schema becomes important. Institutions involved in an NREN AAI should use the same schema because it unifies attributes, their use and semantics, so service providers know what to expect during AuthN and AuthZ.

25 Standard LDAP schemas designed for campus directories: eduPerson (eduPerson200604), Internet2 MACE group, attributes depict a person in higher education. eduOrg (eduOrg200210), Internet2 MACE group, attributes depict an organization in higher education. eduMember (eduMember200507), Internet2 MACE-Dir WG, deals with the problem of assigning rights and privileges to users. SCHAC (SCHema for ACademia), TERENA TF-Middleware, TF-EMC2, complements eduOrg and eduPerson with attributes specific to the European education system.

26 How to approach? A schema for the national AAI should be defined. Examples: rsEdu (https://bpd.amres.ac.rs/doku.php?id=amres_aai_wiki:pregled_atributa), hrEdu, norEdu (nts/norEdu_spec.pdf). More at https://refeds.terena.org/index.php/FederationSchema

27 How to design a national schema? Use the standard schemas: eduPerson, eduOrganization (eduOrg), SCHAC. If an attribute specific to the national education system doesn't exist, define it in the national schema. Keep in mind that you want to describe NREN students, researchers, teachers... This enables compatibility between national AAIs - a confederation.

28 How to implement an LDAP directory? LDAP is the protocol for accessing the directory. The current version is LDAPv3, described in RFC 4510. It uses TCP, port 389. Client-server model; some operations: StartTLS, Bind, Search, Compare, Add a new entry, Delete an entry, Modify an entry.
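To make the client-server model of slide 28 concrete, here is an added example (not from the presentation) that hand-encodes a simple Bind request in BER the way an LDAPv3 client sends it and parses two constructed Bind responses; it also shows why a simple Bind on TCP/389 must be preceded by StartTLS. The bind DN, the password and the response bytes are constructed.

```python
# What a simple Bind puts on the wire. Hand-encoded LDAPv3 (RFC 4511) BER with only the
# standard library; the DN, password and the sample responses below are constructed.

def ber_len(n):
    """BER definite length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(value):
    """INTEGER (tag 0x02): minimal two's-complement body, so 128 becomes 00 80, not 80."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = tlv(0x60, ber_int(3)                          # [APPLICATION 0], constructed
               + tlv(0x04, bind_dn.encode())             # name: OCTET STRING holding the DN
               + tlv(0x80, password.encode()))           # authentication: simple, context tag [0]
    return tlv(0x30, ber_int(message_id) + bind)         # LDAPMessage is a SEQUENCE

def password_visible(message, password):
    """The simple-bind password travels as plain bytes: on TCP/389 it must be preceded by
    StartTLS (or LDAPS must be used), otherwise anyone on the path can read it."""
    return password.encode() in message

def read_tlv(buf, pos=0):
    """Read one BER element with a short-form length -> (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_bind_response(msg):
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode ENUMERATED, ... } }
    -> (messageID, resultCode); 0 = success, 49 = invalidCredentials."""
    tag, body, _ = read_tlv(msg)
    _, mid, pos = read_tlv(body)                         # messageID
    rtag, resp, _ = read_tlv(body, pos)
    if tag != 0x30 or rtag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, _ = read_tlv(resp)                          # resultCode ENUMERATED (tag 0x0a)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big")

# Constructed server replies to message 1: success, and invalidCredentials (resultCode 49).
BIND_OK = bytes.fromhex("300c020101" "6107" "0a0100" "0400" "0400")
BIND_INVALID = bytes.fromhex("300c020101" "6107" "0a0131" "0400" "0400")
```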

29 Which LDAP server software to use? Quite a long list: 389 Directory Server, Active Directory, Apache Directory Server, Apple Open Directory, FreeIPA, IBM Tivoli Directory Server, Mandriva Directory Server, Novell eDirectory, OpenDJ, OpenDS, OpenLDAP, Optimal IdM, Oracle Internet Directory, Radiant Logic VDS, Sun Java System Directory Server.

30 How to manage LDAP data? Manually, with the ldap command-line tools. LDAP browsers: Apache Directory Studio, phpLDAPadmin... Make your own application. Bulk import/synchronization from other source systems - Student Information System, Employee Registry...

31 Identity Management

32 The lifecycle of a user's digital identity - IdM. A set of procedures and rules which define: 1. Who has the right to own a digital identity 2. When a digital identity is assigned to a person 3. How a digital identity is maintained 4. How the digital identity is used 5. How the digital identity is terminated. Every institution should have its own IdM policy. It must comply with the national personal data protection law and the EU Data Protection Directive.

33 1. Who has the right to own a digital identity? Pupils; students; teaching staff; other employees; other persons affiliated to the institution – members, guests?

34 2. When is a digital identity assigned to a person?
  When should the digital identity be created? Student: when applying for admission; when enrolling at the faculty; on the first day of studies; when he/she needs it. Employee: on the first working day; when he/she needs it.
  Which information should it contain? Mandatory or optional; single-valued or multivalued; syntax; predefined values; rules for usernames and passwords.
  Where do you get the information from? Automatically from another source; manually from a filled-in form; manually, verbally. Multiple sources – sync problem.
  What is the quality of the information? How and when are identities checked? Other systems rely on that data, so it should be accurate.

35 3. How is the digital identity maintained? Digital identity data should be accurate and up to date.
  Who is responsible for reporting a change of data, and which data? The user: personal data. The institution's administration: data regarding study/employment.
  How do you make the changes? The user, by using a self-service portal. The institution's administration: automatically from another source; manually from a filled-in form; manually, verbally.
  When are the changes made? ASAP!

36 4. How is the digital identity used?
  Which systems can access the information? The ones which need AuthN, AuthZ and/or user data. They can access the directory directly, using the LDAP protocol, or through a mediator authentication server: RADIUS, SAML...
  Which data should be accessible? Access should be limited to the reasonable info: mail, birthday.
  How are user rights and privileges defined? Use existing user attributes; add an attribute that describes the user role.

37 5. How is the digital identity terminated?
  When is the digital identity terminated? When the person is no longer affiliated with the institution: student – when he/she graduates; employee – when he/she stops working; guest – ? The time between the person no longer being affiliated to the institution and the termination of the identity should be minimal.
  Who reports that it should be terminated? The user; the student administration service; the employee administration service; for guests – ?
  How is it terminated? The administration service: automatically from another source; manually from a filled-in form; manually, verbally.
  Is it deleted permanently? Should you reassign once-used usernames?

38 Thank you for your attention. Questions?

