Presentation is loading. Please wait.

Presentation is loading. Please wait.

EDUCAUSE Nov, 2003 Directory-Enabling Applications: Techniques from the Trenches Brendan Bellina Senior Systems Engineer University of Notre Dame This.

Similar presentations


Presentation on theme: "EDUCAUSE Nov, 2003 Directory-Enabling Applications: Techniques from the Trenches Brendan Bellina Senior Systems Engineer University of Notre Dame This."— Presentation transcript:

1 EDUCAUSE Nov, 2003 Directory-Enabling Applications: Techniques from the Trenches Brendan Bellina Senior Systems Engineer University of Notre Dame This presentation is available for download or online viewing at: Copyright © Brendan Bellina, This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 EDUCAUSE Nov, 2003 About Notre Dame 33,000 enterprise accounts Single campus Affiliation with other CSC Higher-Ed Institutions No medical school Systems of Record are “integrated” Pre-existing White Pages directory (qi/CSO Nameserver) No WebISO implementation

3 EDUCAUSE Nov, 2003 Strategic Direction: Wherever practical applications use central authentication/authorization services, rather than maintaining their own password/credential stores. EDS Architecture Layer, ND Strategic Technology Draft, 2002

4 EDUCAUSE Nov, 2003 Directory Service Architectural Principles Updates proxied by applications Primary keys based on non-personal information Students able to specify privacy settings real-time Primary identifiers are not reused or changeable Enterprise account credentials stored in Kerberos, not LDAP “Fat” directory Single organizational unit for all people

5 EDUCAUSE Nov, 2003 Directory Service Architectural Principles One directory entry per person/account Cradle-to-grave (womb-to-tomb) service Anticipate both vertical and horizontal expansion Limit dependency on DSA specific features Higher-Ed Best Practices implementation

6 EDUCAUSE Nov, 2003 Enterprise directory services are wherever possible implemented according to industry-standard guidelines and in coordination with the Internet2 Middleware Architecture Committee for Education. Representatives from the Core Middleware team are active participants in industry standards bodies to ensure that the needs of Notre Dame are reflected in developing standards and communicated to application vendors. EDS Architecture Layer, ND Strategic Technology Draft, 2002

7 EDUCAUSE Nov, 2003

8 Practical Implementation Decisions Leverage existing administrator experience with the Solaris platform Leverage existing HP PERSON and qi/CSO Nameserver data sources Where network design allows and performance requires, do not require secure (SSL) binds Minimal number of machines Use LDAP directory as registry rather than a relational database

9 EDUCAUSE Nov, 2003 (1) Application Directory Service User ID Password (7) Return success or fail (2) Search by User ID (3) Return dn or fail (4) Bind with dn & psswrd Application AuthN database (9) Success or Fail (8) Fallback To Appl DB Kerberos v5 (5) Pass To Kerberos (6) Success or Fail Authentication Flow

10 EDUCAUSE Nov, 2003 Application Authentication Techniques LDAP protocol using Service dn bind over SSL (should search rather than assume dn) Fallback to local user database (primarily to support “guest” and administrative/vendor accounts) AuthN credentials can be in directory or external store such as Kerberos v5

11 EDUCAUSE Nov, 2003 Application Authorization Techniques LDAP protocol using Service dn bind over SSL – limit user space by directory ACI Mapping to LDAP groups Mapping to Microsoft Active Directory groups

12 EDUCAUSE Nov, 2003 Attribute Retrieval Techniques Retrieval of attributes via LDAP protocol Provisioning via batch feed (LDIF) or real-time (XML)

13 EDUCAUSE Nov, 2003 Integrating with Vendor Applications: IBM Websphere Binds to EDS using Service dn at the environmental level not per application  Support for application roles –Current: Websphere admin creates Websphere groups to store dn’s of members  –Soon: Create LDAP groups with membership maintenance delegated to application administrators and map to Websphere groups Application-level authorization maintained by the apps, not directory-based  No attribute retrieval or provisioning required

14 EDUCAUSE Nov, 2003 Integrating with Vendor Applications: WebCT (not current version) Searching Bind to EDS using Service dn No directory-based authorization  Support for external affiliates via EDS special account creation process delegated to WebCT admin via web application  Nightly batch feed from EDS published to allow provisioning and attribute usage Currently evaluating future direction

15 EDUCAUSE Nov, 2003 Integrating with Vendor Applications: Luminus Portal (in dev/test only) Searching Bind to EDS using Service dn While product supports Fallback option, financial decision to support test/admin accounts via EDS special account creation process  Authorization Roles – developer, tester, production user – maintained in EDS user attribute using delegated web application Nightly batch feed from EDS published to allow provisioning to PDS directory and attribute usage

16 EDUCAUSE Nov, 2003 Integrating with Vendor Applications: Campus Webmail (IMP) Searching Bind to EDS using Service dn No directory-based authorization  address lookup searches EDS No attribute retrieval or provisioning required

17 EDUCAUSE Nov, 2003 Integrating with Vendor Applications: Clarify Web Client Searching Bind to EDS using Service dn No directory-based authorization  No attribute retrieval or provisioning required

18 EDUCAUSE Nov, 2003 Integrating with Vendor Applications: Sendmail, Inc. Authenticates directly against Kerberos  No directory-based authorization  Nightly retrieval of quota attributes from EDS Real-time retrieval and and processing of sieve filter to control user forwarding, auto-reply, spam filtering Real-time retrieval of aliases for routing All aliases defined in the directory, allows rejection of 20K+ bad s per day options maintained real-time by account holders via EDS Website Soon – ability for end users to create their own aliases real-time

19 EDUCAUSE Nov, 2003 Integrating with Vendor Applications: Clarify Client Uses its own id/password store  No directory-based authorization  Attributes retrieved nightly from EDS to limit access to Clarify cases by department and affiliation Currently evaluating future direction

20 EDUCAUSE Nov, 2003 Integrating with Vendor Applications: Cisco VPN Client AuthN/AuthZ via mapping of Cisco groups to Microsoft Active Directory groups  Current: AD groups maintained by VPN administrator  Soon: EDS groups automatically maintained with allowance for exceptions maintained by appropriate admins via a web app, synchronized nightly with ADS

21 EDUCAUSE Nov, 2003 Integrating with ASP Applications: eProcurement – Higher Markets Searching Bind to EDS using Service dn Authorization managed by directory attribute maintained by department admin using a web app Account provisioning managed manually by Higher Markets admin 

22 EDUCAUSE Nov, 2003 Integrating with ASP Applications: iPerform Learning Management System Searching Bind to EDS using Service dn Attributes retrieved real-time at user login Fallback to local user database used to provide service to external affiliates, managed by iPerform administrator

23 EDUCAUSE Nov, 2003 Integrating with ASP Applications: OPAC website Searching Bind to EDS using Service dn Rule-based authorization using directory ACI. Exception authorization managed by directory attribute maintained by department admin using a web app No provisioning or attribute retrieval required.

24 EDUCAUSE Nov, 2003 Integrating with Internally Developed Applications myLibrary (Perl) Rector application (Websphere, Java) Career Center Services website (PHP) Campus White Pages (Cold Fusion) MCOB Faculty Work Application (CF) Web Services (attribute usage via batch) EDS Website – self-service personal information editing, options, privacy settings (Perl cgi)

25 EDUCAUSE Nov, 2003 Integrating with Operating Systems: Microsoft Active Directory Windows 2000 Domain (circa 2000) –Accounts synched nightly via LDIF –Accounts use uid & affiliation in dn –No group synchronization Active Directory Service 2003 (ADS) –Accounts synched nightly via metadirectory processing –Accounts use dn based on ndPVid as does EDS –SAmAccountName mapped to EDS uid –cn (MS canonical name) mapped to EDS ndPVid –Enterprise groups automatically synched with EDS with dn based on cn which maps to EDS cn (soon!)

26 EDUCAUSE Nov, 2003 Integrating with Operating Systems: Mac OS X 10.2 “Jaguar” 140 machines spread over 8 clusters Link to AFS home directory retrieved from EDS at login using Service dn Local accounts for administrator only Directory Access utility –Service dn and password –Custom mappings to posixAccount object class in EDS Home directory generated from template /etc/ttys modifications for LoginHook and LogoutHook (based on Penn State University) Kerberos ticket retrieved using /etc/authorization

27 EDUCAUSE Nov, 2003 Non-directory-enabled products/services: Trends at Notre Dame CorporateTime – could be directory-enabled but may replace Meeting Maker – may replace Clarify – may replace LiveLink – could be directory-enabled, but may replace Oracle – may integrate into EDS via OID SCT Banner – may integrate into EDS via OID OIT Handscanner - ??? Business Objects – may integrate into EDS via OID SafeWord – may integrate with EDS via internally developed authN directory plug-in

28 EDUCAUSE Nov, 2003 Aids for Developers EDS Developers’ Guide: Internet2 Middleware standards: EDS Service DN Request Form EDS Schema documentation

29 EDUCAUSE Nov, 2003 Links ND Enterprise Directory Service, ND EDS Documentation, ND EDS Schema Documentation, ND EDS Search,

30 EDUCAUSE Nov, 2003 Contact Information Brendan Bellina Office of Information Technologies University of Notre Dame du Lac Website: Directory Entry: vCard:


Download ppt "EDUCAUSE Nov, 2003 Directory-Enabling Applications: Techniques from the Trenches Brendan Bellina Senior Systems Engineer University of Notre Dame This."

Similar presentations


Ads by Google