EDUCAUSE Nov, 2003. Directory-Enabling Applications: Techniques from the Trenches. Brendan Bellina, Senior Systems Engineer, University of Notre Dame. Presentation transcript:

1 EDUCAUSE Nov, 2003
Directory-Enabling Applications: Techniques from the Trenches
Brendan Bellina, Senior Systems Engineer, University of Notre Dame
This presentation is available for download or online viewing at: http://www.nd.edu/~bbellina
Copyright © Brendan Bellina, 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 EDUCAUSE Nov, 2003
About Notre Dame
- 33,000 enterprise accounts
- Single campus
- Affiliation with other CSC Higher-Ed institutions
- No medical school
- Systems of Record are "integrated"
- Pre-existing White Pages directory (qi/CSO Nameserver)
- No WebISO implementation

3 EDUCAUSE Nov, 2003
Strategic Direction
"Wherever practical, applications use central authentication/authorization services rather than maintaining their own password/credential stores."
EDS Architecture Layer, ND Strategic Technology Draft, 2002

4 EDUCAUSE Nov, 2003
Directory Service Architectural Principles
- Updates proxied by applications
- Primary keys based on non-personal information
- Students able to specify privacy settings in real time
- Primary identifiers are not reused or changeable
- Enterprise account credentials stored in Kerberos, not LDAP
- "Fat" directory
- Single organizational unit for all people

5 EDUCAUSE Nov, 2003
Directory Service Architectural Principles (continued)
- One directory entry per person/account
- Cradle-to-grave (womb-to-tomb) service
- Anticipate both vertical and horizontal expansion
- Limit dependency on DSA-specific features
- Higher-Ed Best Practices implementation

6 EDUCAUSE Nov, 2003
"Enterprise directory services are wherever possible implemented according to industry-standard guidelines and in coordination with the Internet2 Middleware Architecture Committee for Education. Representatives from the Core Middleware team are active participants in industry standards bodies to ensure that the needs of Notre Dame are reflected in developing standards and communicated to application vendors."
EDS Architecture Layer, ND Strategic Technology Draft, 2002

7 EDUCAUSE Nov, 2003

8 EDUCAUSE Nov, 2003
Practical Implementation Decisions
- Leverage existing administrator experience with the Solaris platform
- Leverage existing HP PERSON and qi/CSO Nameserver data sources
- Where network design allows and performance requires, do not require secure (SSL) binds
- Minimal number of machines
- Use the LDAP directory as the registry rather than a relational database

9 EDUCAUSE Nov, 2003
Authentication Flow (diagram; participants: Application, Directory Service, Kerberos v5, Application AuthN database)
(1) User ID and password submitted to the Application
(2) Application searches the Directory Service by User ID
(3) Directory returns dn or fail
(4) Application binds with dn and password
(5) Directory passes the credentials to Kerberos v5
(6) Kerberos returns success or fail
(7) Directory returns success or fail to the Application
(8) Fallback to the Application AuthN database
(9) Success or fail

10 EDUCAUSE Nov, 2003
Application Authentication Techniques
- LDAP protocol using Service dn bind over SSL (should search rather than assume dn)
- Fallback to local user database (primarily to support "guest" and administrative/vendor accounts)
- AuthN credentials can be in the directory or in an external store such as Kerberos v5
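The search-then-bind flow of slide 9 together with the fallback rule of slide 10, as an added example that is not code from the presentation or from Notre Dame. The LDAP server, the Kerberos v5 KDC and the application's own account database are replaced by in-memory stand-ins so it runs offline; the service dn, entries and passwords are constructed, and fallback is assumed to apply only to ids that are absent from the directory (the guest/vendor case the slide names).

```python
import hashlib
import hmac
import os

SERVICE_DN = "cn=webapp-svc,ou=Services,dc=example,dc=edu"   # hypothetical service dn

class FakeDirectory:
    """Stand-in for the EDS LDAP server: entries keyed by dn, with bind checks
    delegated to a dict that plays the Kerberos v5 KDC (slide 9, steps 5-6)."""
    def __init__(self, entries, kdc):
        self.entries, self.kdc = entries, kdc

    def search_by_uid(self, bind_dn, uid):
        """Steps 2-3: look the user's dn up under the service dn; never assume it."""
        if bind_dn != SERVICE_DN:
            raise PermissionError("search requires the service dn")
        return [dn for dn, attrs in self.entries.items() if attrs["uid"] == uid]

    def bind(self, dn, password):
        """Steps 4-6: simple bind with the found dn; the KDC makes the decision."""
        entry = self.entries.get(dn)
        expected = self.kdc.get(entry["uid"]) if entry else None
        return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

def local_record(password, salt=None):
    """Salted PBKDF2 record for the application's own (fallback) user database."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def authenticate(user_id, password, directory, local_db):
    """Return (success, source). Only ids unknown to the directory reach the
    local database; a wrong directory password never falls back (step 8)."""
    if not password:                 # an empty simple bind is an anonymous bind on many DSAs
        return False, "empty-password"
    dns = directory.search_by_uid(SERVICE_DN, user_id)
    if len(dns) > 1:                 # ambiguous search result: refuse rather than guess
        return False, "ambiguous"
    if dns:
        return directory.bind(dns[0], password), "directory"
    rec = local_db.get(user_id)
    if rec is None:
        return False, "unknown"
    salt, digest = rec
    return hmac.compare_digest(digest, local_record(password, salt)[1]), "local"

def sample_environment():
    """Constructed data: one directory user and one local vendor/guest account."""
    entries = {"ndPVid=1001,ou=People,dc=example,dc=edu": {"uid": "bbellina"}}
    kdc = {"bbellina": "s3cret!"}    # plaintext only because this dict stands in for the KDC
    local_db = {"vendor-guest": local_record("letmein")}
    return FakeDirectory(entries, kdc), local_db
```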

11 EDUCAUSE Nov, 2003
Application Authorization Techniques
- LDAP protocol using Service dn bind over SSL; limit the visible user space by directory ACI
- Mapping to LDAP groups
- Mapping to Microsoft Active Directory groups

12 EDUCAUSE Nov, 2003
Attribute Retrieval Techniques
- Retrieval of attributes via LDAP protocol
- Provisioning via batch feed (LDIF) or real-time (XML)

13 EDUCAUSE Nov, 2003
Integrating with Vendor Applications: IBM Websphere
- Binds to EDS using Service dn at the environment level, not per application
- Support for application roles
  – Current: Websphere admin creates Websphere groups to store dn's of members
  – Soon: Create LDAP groups with membership maintenance delegated to application administrators, and map them to Websphere groups
- Application-level authorization maintained by the apps, not directory-based
- No attribute retrieval or provisioning required

14 EDUCAUSE Nov, 2003
Integrating with Vendor Applications: WebCT (not current version)
- Searching bind to EDS using Service dn
- No directory-based authorization
- Support for external affiliates via EDS special account creation process, delegated to the WebCT admin via a web application
- Nightly batch feed from EDS published to allow provisioning and attribute usage
- Currently evaluating future direction

15 EDUCAUSE Nov, 2003
Integrating with Vendor Applications: Luminis Portal (in dev/test only)
- Searching bind to EDS using Service dn
- While the product supports a fallback option, a financial decision was made to support test/admin accounts via the EDS special account creation process instead
- Authorization roles (developer, tester, production user) maintained in an EDS user attribute using a delegated web application
- Nightly batch feed from EDS published to allow provisioning to the PDS directory and attribute usage

16 EDUCAUSE Nov, 2003
Integrating with Vendor Applications: Campus Webmail (IMP)
- Searching bind to EDS using Service dn
- No directory-based authorization
- Email address lookup searches EDS
- No attribute retrieval or provisioning required

17 EDUCAUSE Nov, 2003
Integrating with Vendor Applications: Clarify Web Client
- Searching bind to EDS using Service dn
- No directory-based authorization
- No attribute retrieval or provisioning required

18 EDUCAUSE Nov, 2003
Integrating with Vendor Applications: Sendmail, Inc.
- Authenticates directly against Kerberos
- No directory-based authorization
- Nightly retrieval of email quota attributes from EDS
- Real-time retrieval and processing of the sieve filter to control user forwarding, auto-reply and spam filtering
- Real-time retrieval of email aliases for routing
- All email aliases defined in the directory, which allows rejection of 20K+ bad emails per day
- Email options maintained in real time by account holders via the EDS website
- Soon: ability for end users to create their own email aliases in real time

19 EDUCAUSE Nov, 2003
Integrating with Vendor Applications: Clarify Client
- Uses its own id/password store
- No directory-based authorization
- Attributes retrieved nightly from EDS to limit access to Clarify cases by department and affiliation
- Currently evaluating future direction

20 EDUCAUSE Nov, 2003
Integrating with Vendor Applications: Cisco VPN Client
- AuthN/AuthZ via mapping of Cisco groups to Microsoft Active Directory groups
- Current: AD groups maintained by the VPN administrator
- Soon: EDS groups automatically maintained, with allowance for exceptions maintained by the appropriate admins via a web app, synchronized nightly with ADS

21 EDUCAUSE Nov, 2003
Integrating with ASP Applications: eProcurement (Higher Markets)
- Searching bind to EDS using Service dn
- Authorization managed by a directory attribute maintained by the department admin using a web app
- Account provisioning managed manually by the Higher Markets admin

22 EDUCAUSE Nov, 2003
Integrating with ASP Applications: iPerform Learning Management System
- Searching bind to EDS using Service dn
- Attributes retrieved in real time at user login
- Fallback to local user database used to provide service to external affiliates, managed by the iPerform administrator

23 EDUCAUSE Nov, 2003
Integrating with ASP Applications: OPAC website
- Searching bind to EDS using Service dn
- Rule-based authorization using directory ACI
- Exception authorization managed by a directory attribute maintained by the department admin using a web app
- No provisioning or attribute retrieval required

24 EDUCAUSE Nov, 2003
Integrating with Internally Developed Applications
- myLibrary (Perl)
- Rector application (Websphere, Java)
- Career Center Services website (PHP)
- Campus White Pages (Cold Fusion)
- MCOB Faculty Work Application (CF)
- Web Services (attribute usage via batch)
- EDS Website: self-service personal information editing, email options, privacy settings (Perl cgi)

25 EDUCAUSE Nov, 2003
Integrating with Operating Systems: Microsoft Active Directory
- Windows 2000 Domain (circa 2000)
  – Accounts synched nightly via LDIF
  – Accounts use uid & affiliation in dn
  – No group synchronization
- Active Directory Service 2003 (ADS)
  – Accounts synched nightly via metadirectory processing
  – Accounts use dn based on ndPVid, as does EDS
  – sAMAccountName mapped to EDS uid
  – cn (MS canonical name) mapped to EDS ndPVid
  – Enterprise groups automatically synched with EDS, with dn based on cn which maps to EDS cn (soon!)

26 EDUCAUSE Nov, 2003
Integrating with Operating Systems: Mac OS X 10.2 "Jaguar"
- 140 machines spread over 8 clusters
- Link to AFS home directory retrieved from EDS at login using Service dn
- Local accounts for administrator only
- Directory Access utility
  – Service dn and password
  – Custom mappings to posixAccount object class in EDS
- Home directory generated from template
- /etc/ttys modifications for LoginHook and LogoutHook (based on Penn State University)
- Kerberos ticket retrieved using /etc/authorization

27 EDUCAUSE Nov, 2003
Non-directory-enabled products/services: Trends at Notre Dame
- CorporateTime: could be directory-enabled, but may replace
- Meeting Maker: may replace
- Clarify: may replace
- LiveLink: could be directory-enabled, but may replace
- Oracle: may integrate into EDS via OID
- SCT Banner: may integrate into EDS via OID
- OIT Handscanner: ???
- Business Objects: may integrate into EDS via OID
- SafeWord: may integrate with EDS via internally developed authN directory plug-in

28 EDUCAUSE Nov, 2003
Aids for Developers
- EDS Developers' Guide: http://eds.nd.edu/docs/edsdevguide.shtml
- Internet2 Middleware standards: http://middleware.internet2.edu
- EDS Service DN Request Form: http://eds.nd.edu/docs/eds_dnrequest.shtml
- EDS Schema documentation: http://eds.nd.edu/docs/current_schema/EDS_ModelDoc.htm

29 EDUCAUSE Nov, 2003
Links
- ND Enterprise Directory Service: http://www.nd.edu/~eds
- ND EDS Documentation: http://www.nd.edu/~eds/docs
- ND EDS Schema Documentation: http://eds.nd.edu/docs/current_schema/EDS_ModelDoc.htm
- ND EDS Search: http://www.nd.edu/~eds/search

30 EDUCAUSE Nov, 2003
Contact Information
Brendan Bellina
Office of Information Technologies
University of Notre Dame du Lac
Email: Brendan_Bellina@nd.edu
Website: http://www.nd.edu/~bbellina
Directory Entry: http://www3.nd.edu/~eds/cgi-bin/nd_ldap_search.pl?ldapfilter=uid=bbellina
vCard: http://www3.nd.edu/~eds/cgi-bin/ldapvcard.pl?uid=bbellina

