
From Chad to LDAP Twenty Years of Authorization, Authentication, and Directory Services at UAB Landy Manderson User Services UAB Telecommunications University.


1 From Chad to LDAP Twenty Years of Authorization, Authentication, and Directory Services at UAB Landy Manderson User Services UAB Telecommunications University of Alabama at Birmingham Copyright © Landy Manderson 2003 This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 First, Some Numbers
26,000+ employees (four different orgs)
56,000+ students (15,500 enrolled)
54,000+ alumni
115,000+ persons in directory
1,500 entities (schools, departments, services, offices, centers, etc.)

3 1983-84 Implement ACF2 security software on administrative mainframe. Create database of eligible users by combining info from employee and student databases. This same process is still in operation today, basically untouched!

4 1985 First new edition of printed Campus Directory in a number of years. Office automation and data merging experience were called upon to get it done quickly. Beginning of never-ending relationship with directory issues.

5 1985-95
Time flies when you’re having fun. Or not. Insert graphic of calendar pages flipping by.
Well, a few things did happen ….
–Connected to BITNET, 1985
–Founding member of SURAnet, 1986-87
–BITNET/Internet connected mailhost, 1990
Used same IDs as admin mainframe

6 1995-96
UIUC/CCSO qi directory brought online
Handles @uab.edu e-mail forwarding
“alias” registered through web page
Information provided from merge of employee and student databases; users can update some personal info through web
Borrowed from ACF2 merges
New e-mail server accounts sync’d with qi

7 1997-98
LDAP mirror of qi brought online
New web interface
“Organizational listings”/non-person entries added
Online input for printed Campus Directory by departments
Admin mainframe begins using @uab.edu addresses to send out reports/alerts

8 1999
Phonebook alias used for web sign-in to authenticate SMTP relay (mail sent from outside UAB to non-UAB addresses) – anti-spamming measure
Dr. Clair Goldsmith hired as CIO / VP for Information Technology
PKI “push” = need to get LDAP act together

9 2000
Dr. Goldsmith involved in eduPerson and LDAP Recipe activities
LDAP committees formed
Recipe 1.0 and eduPerson drafts published
Windows 2000 Task Force created
VPN implemented with qi authentication
Library’s Virtual Desktop interfaced to qi

10 2001
“Mail-only” aliases function added
eduPerson 1.0 released
Alias => BlazerID
ResNet online using qi authentication
LDAP committee and Win2K Task Force work continues

11 Pre-August 2002
Recommendations from LDAP committees
New programming to populate based on proposed data and eligibility requirements
Incorporate eduPerson/Recipe into schema
New web screens for sync/security

12 UAB LDAP, pre-8/02
Wanted something online for e-mail clients only supporting LDAP query
“Magazine” pressure
Little guidance on schema/population
Read-only – no passwords. No “unlisted” users.
Only updated from qi once a day

13 UAB LDAP Committees
Separate employee and student committees
Propose useful attributes
Define “continuums of association” and when we want people to be in directory
PKI focused

14 Continuums of association
Employees               Students
Job applicant           Admissions applicant
Job offer extended      Accepted for enrollment
Hired                   Enrolled
On leave                Not taking classes
Terminated              Dropped out
Retired                 Graduated

15 How NMI Helped
Existing UAB schema was arbitrary, terribly out-of-date
Really too much flexibility in LDAP
Standard schema lacking important attributes useful to educational institutions
Opportunity to bring over additional data to support new apps

16 August 2002 Milestone
New schema put into production
Passwords sync’d in real-time between qi and LDAP
Follows eduPerson and Recipe 1.0, committee suggestions
Local attributes herded under uabPerson based on eduPerson
Non-person (entity) look-up
New base root per Recipe, but old still works
Passwords, “unlisted” users included – allows use by WebCT, other apps
Useful attributes such as “courses taken”, “courses taught”
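Slides 14 and 16 together describe the design: the continuum states decide who belongs in the directory, and eduPerson attributes express that in the schema. The Python below is an added example, not code from the presentation or from UAB; the state-to-affiliation policy, the ou=people branch and the uid naming are assumptions, while the base root dc=uab,dc=edu is the one given on the links slide.

```python
# Added example (not from the presentation): map the employee/student
# "continuums of association" to eduPerson affiliation values and build the
# attributes of a directory entry. The policy below is an assumption for
# illustration, not UAB's actual eligibility rules.

EMPLOYEE_STATES = ("job applicant", "job offer extended", "hired",
                   "on leave", "terminated", "retired")
STUDENT_STATES = ("admissions applicant", "accepted for enrollment",
                  "enrolled", "not taking classes", "dropped out", "graduated")

# Assumed policy: only "inside" states carry an affiliation; applicants,
# offers and severed relationships (terminated, dropped out) carry none.
EMPLOYEE_AFFILIATION = {
    "hired": {"employee", "staff", "member"},
    "on leave": {"employee", "member"},
    "retired": {"affiliate"},
}
STUDENT_AFFILIATION = {
    "enrolled": {"student", "member"},
    "not taking classes": {"student"},
    "graduated": {"alum"},
}
# eduPersonPrimaryAffiliation is single-valued; assumed precedence order.
PRIMARY_PRECEDENCE = ("staff", "employee", "student", "alum", "affiliate", "member")


def affiliations(person):
    """Union of affiliations from every continuum the person is on: one
    person can be on both, since employee and student records are merged."""
    emp = person.get("employee_state")
    stu = person.get("student_state")
    if emp is not None and emp not in EMPLOYEE_STATES:
        raise ValueError(f"unknown employee state: {emp}")
    if stu is not None and stu not in STUDENT_STATES:
        raise ValueError(f"unknown student state: {stu}")
    return EMPLOYEE_AFFILIATION.get(emp, set()) | STUDENT_AFFILIATION.get(stu, set())


def directory_entry(person):
    """Attributes for the person's LDAP entry, or None when no continuum
    grants an affiliation. "Unlisted" people still get an entry (apps such
    as WebCT must authenticate them) but are flagged so the public phonebook
    can hide them. ou=people and uid=<BlazerID> naming are assumptions."""
    aff = affiliations(person)
    if not aff:
        return None
    return {
        "dn": f"uid={person['blazerid']},ou=people,dc=uab,dc=edu",
        "eduPersonAffiliation": sorted(aff),
        "eduPersonPrimaryAffiliation": next(v for v in PRIMARY_PRECEDENCE if v in aff),
        "listed": not person.get("unlisted", False),
    }
```

Run it over a constructed record such as {"blazerid": "jdoe", "employee_state": "hired", "student_state": "enrolled"} to see a person who is both staff and student get all four affiliation values with "staff" as primary.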

17 Post-August 2002
Synchronize with enterprise Active Directory – enable departmental conversion
Central Exchange 2000 mail service
“BlazerID Central”
New web screens sync BlazerID and password between qi, LDAP, AD, Novell. All authentication done through secure services. Strong passwords enforced.
*ix authentication (PAM)
More apps!

18 UAB LDAP, late 2002 forward
CampusCards
Link with Novell eDirectory for Student Center computer lab
Wireless
Class e-mail distribution; general bulk/broadcast e-mail coming soon
Lots more apps! Including HR/Finance administrative system replacement.

19 Obligatory Confusing Diagram
[Diagram, labels only: qi at the center; “official sources” (Employees: HURS, HSF, EFH, VIVA; Students; Organizational Hierarchy; Oracle HR/STEPS); “user-input” (Alias/BlazerID/password, personal info update, ‘unofficial’ entities, org listings/“bluepages”); connected systems: www.uab.edu/phonebook, @uab.edu forwarding, VPN, ResNet, SMTP relay, LDAP, AD, admin apps, student portals, Wi-Fi, Call Center, Libraries, PAM, dirXML, WebCT, e-mail clients, NMI, CEDS, Exchange, computer labs, DFS, Desktop, PEBBLES, course info (stu/instr), printed Phonebook. “For people and entities alike!”]

20 Okay, why qi?
Thing to use when we started
Still most efficient for @uab.edu mail
Still friendliest for basic queries
Very simple text-based protocol
Current efforts just now addressing LDAP issues/weaknesses/lack of standardization
MacGyver rules!

21 What Can BlazerIDs Do?
For everyone at UAB:
· @uab.edu e-mail addresses
· free UAB e-mail and Web site (WWW) accounts
· Lister Hill Library (LHL) Virtual Desktop
· download of certain UAB site-licensed software
· access to the UAB Virtual Private Network (VPN)
For employees:
· e-mail alerts from various online administrative applications (e.g., purchase order queue notifications)
· update of departmental information in the UAB Electronic Phonebook
· login access to some departmental networks and services (with more on the way)
· to receive important information e-mailed from your department, school and designated UAB support areas (some of this is already being done, with more applications being discussed)
· inter- and intracampus videoconferencing access (under development)
· numerous other online administrative and employee portal applications (e.g., Data Warehouse, STEPS) which are currently being deployed, tested, procured, or developed
For students:
· access to the ResNet residence hall network
· some departmental computer labs (with more on the way)
· WebCT online courses
· DARS Degree Audit system (when it comes online)
· class mailing lists, and to receive important information e-mailed from your department, school, and designated UAB support areas
· other student online portals which are currently in testing or under development
For faculty/researchers, in addition to the employee services listed above:
· WebCT online course shell management (tentatively for Fall semester)
· automatically generated/managed class mailing lists
· grant information/submission (under development)
· online grade posting (under development)
· DARS Degree Audit system (when it comes online)
(This info taken from link off BlazerID Central… more apps are coming online daily.)

22 UAB LDAP, going forward
Incorporate eduPerson 1.5 and Recipe 2.0; voice concerns to NMI.
NMI: Groups, SAGE, eduOrg, commObject, etc.
Even more apps!
Determine if the proposed specs and suggestions really enable cross-institution access/authentication.

23 What’s Next In General?
Continue bringing new apps, resources on board
CampusCards, BlazerID education
New HR/Finance systems coming online
NMI R2 eval finished, starting R3
–Push for more continuum, student, entity attributes in eduPerson
–Middleware roadmap, validation tools
–Do some inter-institutional stuff!
“LDAP Committees” still need to fully address continuum, privacy granularity, workflow
What about PKI?

24 Closing Thoughts
Really helps to have a couple of decades of experience with identity management and resource security! Hopefully these presentations help shorten that.
Right place, right time
At any given time, any given technology has a bleeding, leading and very long trailing edge
–This is true for feeder systems, Internet protocols, server software, user interfaces
–Middleware can help

25 More Closing Thoughts
Great to finally have some guidelines for attribute schema and population
But … more work needs to be done
That said, technical considerations are just the tip of the iceberg:
–Privacy
–Ongoing management, education
–Who owns the data?
–Continuums of association
–Who can vouch for X?
–Beware the L-word when committees involved!

26 Links
UAB Electronic Phonebook: http://www.uab.edu/phonebook
ldap://ldap.uab.edu (port 389, root “dc=uab,dc=edu”)
BlazerID Resources:
http://www.uab.edu/blazerid (BlazerID Central)
http://www.dpo.uab.edu/BlazerID.htm (FAQ)
Author’s e-mail: landy@uab.edu

