LDAP Management at Stony Brook Making Active Directory and PeopleSoft Work Together SUNY Technology Conference Rochester, New York Monday June 12, 2006.


2 LDAP Management at Stony Brook
- Background: Project Team, Project Mandates, Problems to Solve, Realizations, Decisions
- Active Directory: how it’s designed; what is the NetID?
- ADAM (Active Directory Application Mode): what is it? How it integrates with Active Directory
- LDAP Schema (stonybrookEduPerson): what is it? How it’s incorporated into ADAM
- NetID Process Management: how NetIDs are provisioned/de-provisioned; how AD, ADAM and PeopleSoft are synchronized
- Authentication/Authorization using AD/ADAM: applications/systems which currently utilize AD/ADAM
- PeopleSoft’s Role: how PeopleSoft is used in the LDAP management process
- Future Plans…

3 LDAP Management at Stony Brook: About Stony Brook
- Situated on 1,000 wooded acres on the north shore of Long Island
- Undergraduate students: 14,287
- Total students: 22,011
- More than 1,900 faculty
- More than 12,000 total employees

4 LDAP Management at Stony Brook: Project Team
- Comprised of members from each of the DoIT departments: Client Support, Computer Operations, Information Systems, Instructional Computing, Systems Support, Telecommunication and Networking, other technical areas
- Lots of expertise
- Many problems to solve
- Many opinions

5 LDAP Management at Stony Brook: Project Mandates
- Develop a mechanism for determining individuals’ eligibility for campus services
- Conform to I2/Educause standards
- Use the eduPerson model for LDAP

6 LDAP Management at Stony Brook: Problems to solve
- Individuals have different user IDs in different systems
- Too many passwords to remember
- Different methods for resetting forgotten passwords
- Redundant efforts by system administrators
- Delays in provisioning/de-provisioning accounts
- How to handle guest accounts
- How to handle club accounts
- Need to extend access for users who are no longer “active”
- Difficulty troubleshooting users’ problems

7 LDAP Management at Stony Brook: Realizations
- LDAP itself doesn’t solve problems
- No magic bullet solution (can’t solve every problem or handle every single exception with technology)
- If we try to do everything, we’ll end up doing nothing

8 LDAP Management at Stony Brook: Decisions
- Break up project into discrete tasks
- Phased-in approach
- Look at things that are working and keep them or improve them:
  - Computer Accounts Database: manages user accounts; most user IDs are standard across systems; set of rules for provisioning/de-provisioning
  - Existing Microsoft Network: upgrade to Windows 2003 / Active Directory; leverage existing infrastructure and expertise
  - PeopleSoft: authoritative source for person data; single identifier (Stony Brook ID) for all students, faculty, staff and alumni; existing method for tracking affiliates; Self-Service system (SOLAR) provides secure, personalized, customizable web content

9 LDAP Management at Stony Brook: Active Directory
Active Directory Design
- A simple Windows 2003 AD (Native Mode)
- AD forest consists of two domains:
  - Empty root domain (sbroot.stonybrook.edu), hosts DDNS servers
  - Primary domain (campus.stonybrook.edu), contains all user accounts, known as NetIDs
- All objects, including accounts, are maintained in OUs whose management can be delegated
- External trusts to other ADs

10 LDAP Management at Stony Brook: Active Directory

11 What is the NetID?
- User accounts in AD
- NetIDs provisioned for all students, staff, faculty, affiliates, etc.
- Intended to be the single source of authentication for multiple systems and applications (not just for Windows PCs)
- Licensing costs per NetID (Microsoft Campus Agreement)

12 LDAP Management at Stony Brook: ADAM
ADAM (Active Directory Application Mode)
- It is an LDAP directory service
- Consider it Active Directory Lite, without the overhead of a full AD implementation
- Runs as a service on Windows Server 2003 R2 or Windows XP Pro SP2
- Can be run on a stand-alone server or a member of a domain (Windows 2000, 2003 AD or NT 4.0 domain)
- Multiple instances of ADAM can be run on the same server
- It’s free!!!

13 LDAP Management at Stony Brook: ADAM
Integrates with Active Directory
- Supports SASL (Windows) for authentication: can use AD credentials for authentication
- Supports simple bind for authentication: bind redirection is used to create security principals (userProxy accounts) in ADAM which redirect authentication to AD
- NetIDs synchronized between AD and ADAM: the ADAMSYNC.EXE tool is used to synchronize from AD to ADAM; NetIDs are replicated to ADAM as userProxy accounts
- Schema changes can be implemented in ADAM without affecting the AD schema: since ADAM synchronizes with AD, this effectively allows us to extend the AD schema without ever having touched it

14 LDAP Management at Stony Brook: LDAP Schema (stonybrookEduPerson)
stonybrookEduPerson
- A schema definition based upon eduPerson
- Extends eduPerson to provide specific attributes required at Stony Brook
- This schema was defined in the ADAM instance that is synchronized with AD

15 LDAP Management at Stony Brook: NetID Process Management
NetID Provisioning
- Person information/status entered into PeopleSoft
- Computer Accounts Database reads in new information and assigns a NetID
- Scripts read in updates from Computer Accounts Database, create the new NetID in AD and update the associated person information in PeopleSoft with NetID information
- NetID creations synchronized from AD to ADAM

16 LDAP Management at Stony Brook: NetID Process Management
NetID De-provisioning
- Person status changes in PeopleSoft (terminated, graduated, etc.)
- Computer Accounts Database reads in new information and disables the associated NetID
- Computer Accounts deletes NetIDs if they remain disabled for a predetermined amount of time
- Scripts read in updates from Computer Accounts, disable/delete accounts in AD and update associated person information in PeopleSoft with NetID information
- NetID deletions synchronized from AD to ADAM. No need to synchronize disabled NetIDs, as AD remains the single source of authentication through use of bind redirection
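The provisioning and de-provisioning rules of slides 15 and 16 reduce to a reconciliation between the PeopleSoft feed and the current AD account state. The following is an added example, not Stony Brook's scripts: the 90-day grace period, the record layouts, the action names and the sample feed are assumptions constructed for illustration, and the orphan check at the end reflects the "reconcile discrepancies" item of slide 26.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

GRACE_DAYS = 90  # assumed stand-in for the "predetermined amount of time" a NetID stays disabled

@dataclass
class Person:
    """A person row as PeopleSoft hands it to the Computer Accounts Database."""
    sbid: str              # Stony Brook ID, the single authoritative identifier
    status: str            # "active", "terminated" or "graduated"
    netid: Optional[str]   # None until a NetID has been assigned and written back

@dataclass
class Account:
    """Current state of a NetID as read from AD (disabled NetIDs are never synced to ADAM)."""
    netid: str
    enabled: bool
    disabled_on: Optional[date]

def reconcile(people: List[Person], accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return the (action, key) list the AD update script would apply, in feed order."""
    by_netid = {a.netid: a for a in accounts}
    claimed = set()
    actions = []
    for p in people:
        if p.netid is None:
            if p.status == "active":
                # The NetID string is chosen by the Computer Accounts Database (rule not on the
                # slides), so the SBID is used as the key of the create request here.
                actions.append(("create", p.sbid))
            continue
        claimed.add(p.netid)
        acct = by_netid.get(p.netid)
        if acct is None:
            actions.append(("missing-in-ad", p.netid))    # PeopleSoft knows it, AD does not
        elif p.status != "active" and acct.enabled:
            actions.append(("disable", p.netid))
        elif p.status != "active" and acct.disabled_on is not None \
                and today - acct.disabled_on > timedelta(days=GRACE_DAYS):
            actions.append(("delete", p.netid))           # deletion then reaches ADAM via ADAMSYNC
    # Discrepancy check: an AD account with no PeopleSoft owner is reported, never silently kept
    for netid in sorted(set(by_netid) - claimed):
        actions.append(("orphan-in-ad", netid))
    return actions

def sample_reconciliation() -> List[Tuple[str, str]]:
    """Constructed sample feed and AD snapshot, evaluated as of the conference date."""
    people = [Person("100000001", "active", None), Person("100000002", "active", "jdoe"),
              Person("100000003", "terminated", "asmith"), Person("100000004", "graduated", "bjones")]
    accounts = [Account("jdoe", True, None), Account("asmith", True, None),
                Account("bjones", False, date(2006, 1, 1)), Account("ghost", True, None)]
    return reconcile(people, accounts, date(2006, 6, 12))
```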

17 LDAP Management at Stony Brook: NetID Process Management
Attribute/Group Synchronization
- Specific attributes as defined in “stonybrookEduPerson” are stored and maintained in PeopleSoft for each person who has a NetID
- Group membership is also stored and maintained in PeopleSoft for each person who has a NetID: StudentActive, StudentEnrolled, EmployeeActive, etc.
- Scripts read in this information and update the associated attributes or group memberships for each NetID in ADAM
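The attribute/group update step on slide 17 is a diff between what PeopleSoft says a NetID should carry and what ADAM currently holds, expressed as LDAP modify operations. This added example (not Stony Brook's code) computes that diff and emits it as LDIF; the ADAM naming context, the use of the standard eduPersonAffiliation attribute as the synchronized attribute, and the sample records are assumptions.

```python
from typing import Dict, List, Set

BASE = "DC=adam,DC=example"   # assumed ADAM application partition, not a real naming context

def user_dn(netid: str) -> str:
    return f"CN={netid},OU=Users,{BASE}"

def group_dn(name: str) -> str:
    return f"CN={name},OU=Groups,{BASE}"

def ldif_modify(dn: str, ops) -> str:
    """ops: list of (op, attribute, values) -> one LDIF change record for the entry at dn."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in ops:
        lines.append(f"{op}: {attr}")
        lines += [f"{attr}: {v}" for v in values]
        lines.append("-")
    return "\n".join(lines) + "\n"

def sync_changes(desired: Dict[str, Dict[str, Set[str]]],
                 current: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """desired = PeopleSoft view, current = ADAM view; both {netid: {"affiliation": set, "groups": set}}.
    Only NetIDs present on both sides are touched: creation and deletion of the userProxy
    objects themselves arrive through ADAMSYNC, not through this script."""
    records = []
    for netid in sorted(desired.keys() & current.keys()):
        want, have = desired[netid], current[netid]
        if want["affiliation"] != have["affiliation"]:
            records.append(ldif_modify(user_dn(netid),
                [("replace", "eduPersonAffiliation", sorted(want["affiliation"]))]))
        for g in sorted(want["groups"] - have["groups"]):      # memberships PeopleSoft grants
            records.append(ldif_modify(group_dn(g), [("add", "member", [user_dn(netid)])]))
        for g in sorted(have["groups"] - want["groups"]):      # memberships PeopleSoft revoked
            records.append(ldif_modify(group_dn(g), [("delete", "member", [user_dn(netid)])]))
    return records

def sample_sync() -> List[str]:
    """Constructed sample: jdoe moved from student-employee to student only; ghost has no ADAM entry."""
    desired = {"jdoe": {"affiliation": {"student"}, "groups": {"StudentActive", "StudentEnrolled"}},
               "ghost": {"affiliation": {"staff"}, "groups": {"EmployeeActive"}}}
    current = {"jdoe": {"affiliation": {"student", "employee"}, "groups": {"StudentActive", "EmployeeActive"}}}
    return sync_changes(desired, current)
```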

18 LDAP Management at Stony Brook: NetID Process Management
User Self-Service
- A web interface is provided through PeopleSoft which allows users to reset their NetID password
- Web interface utilizes a separate authentication based upon Stony Brook ID#
- Security questions must also be answered before a password reset can occur
- Scripts read in these password resets and update AD with the new passwords. No need to synchronize password resets for NetIDs, as AD remains the single source of authentication through use of bind redirection

19 LDAP Management at Stony Brook: NetID Process Management

20 LDAP Management at Stony Brook: Authentication/Authorization using AD/ADAM
- Applications/systems that choose to authenticate using LDAP can do so against AD or ADAM, using SASL or simple bind over SSL
- Applications/systems which require specific attributes or group memberships for authorization purposes utilize ADAM
- Applications/systems which are currently using AD/ADAM for authentication/authorization:
  - Remote Access (VPN, dial-up, wireless) via RADIUS
  - Student PC Registration
  - Blackboard (Online Courses)
  - Ex Libris - Aleph (Library System)

21 LDAP Management at Stony Brook: PeopleSoft’s Role Provide general information about NetID and services

22 LDAP Management at Stony Brook: PeopleSoft’s Role Give users their NetID

23 LDAP Management at Stony Brook: PeopleSoft’s Role NetID password change

24 LDAP Management at Stony Brook: PeopleSoft’s Role Test NetID Password from SOLAR

25 LDAP Management at Stony Brook: PeopleSoft’s Role Help desk view of AD accounts

26 LDAP Management at Stony Brook: PeopleSoft’s Role
- Group maintenance
- Send attributes to AD/ADAM
- Reconcile discrepancies between PS and directory
- Allow system administrators to disable accounts using service indicators

27 LDAP Management at Stony Brook: Future Plans…
- Migrate functionality of Computer Accounts Database into PeopleSoft: all NetID provisioning/de-provisioning will occur directly in PeopleSoft
- Add functionality to update LDAP directly from PeopleSoft, eliminating the need for, and the delay inherent in, scheduled scripts
- Continue adding applications and systems that utilize AD/ADAM for authentication and authorization:
  - ezProxy
  - SoftWeb (allows authorized persons to download software)
  - UNIX logons
  - And more….

28 LDAP Management at Stony Brook: Contact us
- Andrew Kirsch, andrew.kirsch@stonybrook.edu, (631) 632-8722
- Brian Heller, brian.heller@stonybrook.edu, (631) 632-9254
