LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011.


What is it all about? Users need access to services and resources: network access (wireless, VPN) and web services (e-learning, e-library, student portal). Every such service has to answer two questions: who are you? (authentication, AuthN) and what are you allowed to do? (authorization, AuthZ). An authentication and authorization infrastructure (AAI) answers both questions in one place and so makes access to protected services easier. Akademska mreža Srbije (Academic Network of Serbia)

Without AAI: each service provider authenticates and authorizes users on its own. Faculty A's service providers (wireless, videoconference, e-learning, student services) and Library B's service providers (wireless, e-books) each keep their own credentials and their own AuthN and AuthZ logic, so a user ends up with a separate account at every service.

With AAI: Faculty A runs an identity management process and a single identity provider (IdP). Its service providers (wireless, videoconference, e-learning, student services) and the Library's service providers (wireless, e-books) delegate authentication to the IdP and keep only the authorization decision, which they make on the attributes the IdP asserts about the user.

High-level AAI diagram: the IdP consists of the user database with two front ends, a RADIUS server and a SAML IdP. Network service providers (RADIUS NAS: eduroam, VPN) talk to the RADIUS front end; web service providers (SAML SP: web resource, wiki pages) talk to the SAML front end. This is the basis for developing every service that needs local and inter-institutional AuthN and AuthZ; institutions that trust each other's IdPs form a circle of trust, the federation.

What is a digital user identity? A set of data (attributes) about a user:
- Personal data: name, surname, date of birth, national identification number, contact information (mail, address, phone).
- Data regarding affiliation to the institution: name of the institution, affiliation (student, employee, guest), designation (for employees), type of studies (for students), local identification number, contact information (mail, address, phone).
- Credentials used for authentication: username/password, certificate.
- Data that uniquely identifies the person: person-identifying identifiers (which reveal who the person is) and non-person-identifying ones (opaque identifiers).
- User roles and privileges.

LDAP user database

Which database to use for storing user identities? Basically you can choose any: relational (MySQL, Oracle, PostgreSQL) or hierarchical (OpenLDAP, Active Directory). But there are some advantages to directories.

Directories – made for storing user IDs? (User database – why LDAP?) Relational databases vs directories:

Criterion        | Relational databases                                      | Directories
Schema           | No standard schema for tables and data fields            | International standard schemas describe persons and organizations
Organization     | One logical entity can be spread over several tables     | One logical entity = one entry in the DIT
Multivalue data  | Needs a new table, or a fixed number of extra fields     | Native support for multivalued attributes
Flexibility      | Changing data fields can require big effort              | Granular schema modification; easy to add attributes
Access           | No standard protocol for access over the network         | A standard network access protocol: LDAP
Optimization     | –                                                        | Optimized for reading

LDAP dictionary

LDAP dictionary revealed
DIT – Directory Information Tree: the structure the data is organized in; hierarchical (tree-like).
Entry – a single node of the directory tree describing one object, e.g. an organization, an organizational unit or a person.
Attribute – an attribute-name/attribute-value pair contained in the entry; can be single-valued or multivalued.
objectClass – a logical group of attributes. An entry is assigned one or more objectClasses and must have exactly one structural objectClass chain (the others are auxiliary); each objectClass declares which of its attributes are mandatory (MUST) and which optional (MAY).
RDN – Relative Distinguished Name: the value that distinguishes an entry from its siblings in one branch; constructed from one (or more) attributes of the entry itself; something like a folder name, or a primary key in a relational database.
DN – Distinguished Name: the "path" to the entry, which uniquely identifies it; consists of all RDNs on the path from the entry up to the root, separated by commas, with the entry's own RDN first. Characters that have meaning in a DN (comma, plus, quote, backslash, angle brackets, semicolon) must be escaped when they occur inside a value.
Base DN – the DN of the DIT root, i.e. the suffix the server holds.
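As an added worked example (not part of the presentation) of how RDNs compose into a DN and why values inside a DN need escaping: the functions below build a DN from a list of (attribute, value) pairs following RFC 4514, split a DN back into its RDNs, and show what goes wrong when a user-supplied value is pasted into a DN unescaped. The base DN dc=example,dc=rs and the user values are assumptions for illustration.

```python
"""Compose and split LDAP distinguished names (RFC 4514).

Added example, not code from the presentation. The base DN
dc=example,dc=rs and the user values are made up for illustration.
"""
import string

# Characters that need a backslash in front of them inside a DN value.
_DN_SPECIALS = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")                 # NUL is only allowed as a hex pair
        elif ch == "#" and i == 0:
            out.append("\\#")                  # a leading '#' would mean "hex-encoded value"
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                  # leading/trailing spaces are otherwise ignored
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """Join (attribute, value) pairs, entry first and base DN last, into a DN."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def naive_dn(rdns):
    """What plain string concatenation without escaping produces (for comparison)."""
    return ",".join(f"{attr}={val}" for attr, val in rdns)


def _rdn(buf: bytearray):
    attr, _, val = buf.decode("utf-8").partition("=")
    return attr.strip(), val


def split_dn(dn: str):
    """Split a DN on unescaped commas and undo the escaping in each value.

    Handles '\\,'-style escapes and '\\2C'-style hex pairs (multi-byte UTF-8
    hex pairs included). Multi-valued RDNs joined with '+' are not split.
    """
    rdns, buf, i = [], bytearray(), 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append(int(pair, 16))                 # hex pair -> one raw byte
                i += 3
            else:
                buf += dn[i + 1:i + 2].encode("utf-8")    # escaped single character
                i += 2
        elif ch == ",":
            rdns.append(_rdn(buf))
            buf.clear()
            i += 1
        else:
            buf += ch.encode("utf-8")
            i += 1
    rdns.append(_rdn(buf))
    return rdns


if __name__ == "__main__":
    base = [("ou", "People"), ("dc", "example"), ("dc", "rs")]
    # A username containing a comma, e.g. copied straight from a web form.
    hostile = [("uid", "marina,ou=Admins")] + base
    print(naive_dn(hostile))   # five RDNs: the entry lands under ou=Admins
    print(build_dn(hostile))   # four RDNs: one uid whose value contains a comma
    print(split_dn(build_dn(hostile)))
```

The point of `naive_dn` is the failure mode: a comma in an unescaped value is read as an RDN separator, so the entry (or the bind target) moves to a different branch of the tree. Build DNs from escaped components, and split them with a parser that understands escapes rather than with `str.split(",")`.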

LDAP schema mystery? A schema consists of one or more objectClass definitions. Each objectClass (objectClassX) lists the attribute types it may or must contain (attributeX), and each attribute type has its own definition (attributeX definition: syntax, matching rules, single- or multi-valued).

Which schema should I use? One can define a proprietary schema for use within the organization. But if inter-institutional AuthN and AuthZ is used, as in an NREN AAI, using the same schema becomes important. Institutions involved in the NREN AAI should use the same schema because it unifies the attributes, their use and their semantics, so service providers know what to expect during AuthN and AuthZ.

Standard LDAP schemas designed for campus directories:
- eduPerson (eduPerson200604), Internet2 MACE group: attributes describing a person in higher education.
- eduOrg (eduOrg200210), Internet2 MACE group: attributes describing an organization in higher education.
- eduMember (eduMember200507), Internet2 MACE-Dir WG: deals with the problem of assigning rights and privileges to users (group membership).
- SCHAC (SCHema for ACademia), TERENA task force for middleware, TF-EMC2: complements eduOrg and eduPerson with attributes specific to the European education system.

How to approach it? A schema for the national AAI should be defined. Examples: rsEdu, hrEdu, norEdu (nts/norEdu_spec.pdf).

How to design a national schema? Use the standard schemas: eduPerson, eduOrg, SCHAC. If an attribute specific to the national education system doesn't exist there, define it in the national schema. Keep in mind that you want to describe the NREN's students, researchers, teachers... Building on the standard schemas enables compatibility between national AAIs (confederation).

How to implement an LDAP directory? LDAP is the protocol for accessing the directory. The current version is LDAPv3, described in RFC 4510 (and the RFCs it lists). It uses TCP, port 389 (LDAP over TLS, LDAPS, uses port 636; StartTLS upgrades a port-389 connection). Client-server model; some of the operations: StartTLS, Bind, Search, Compare, Add a new entry, Delete an entry, Modify an entry (also Modify DN, Unbind, Abandon, Extended). A simple Bind sends the password in cleartext, so it must only be done inside TLS.
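Search and Bind are the two operations a login flow uses, and the value that goes into the Search filter is the usual injection point. Below is an added example (not from the presentation) in Python: RFC 4515 escaping for filter values, the search-then-bind login flow, and an in-memory stand-in for the directory (it understands only a single (attr=value) filter, with '*' as presence match) so the effect of an unescaped value can be seen without a server. The entries, DNs and passwords are constructed sample data.

```python
"""Safe LDAP search filters (RFC 4515) and the search-then-bind login flow.

Added example, not from the presentation. The directory contents, DNs and
passwords are constructed sample data; a real deployment would use an LDAP
client library against a TLS-protected server instead of FakeDirectory.
"""
import re

_FILTER_SPECIALS = "\\*()\x00"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: each special character becomes \\ plus two hex digits.

    Everything else, non-ASCII UTF-8 included, is allowed as it is.
    """
    return "".join("\\%02x" % ord(ch) if ch in _FILTER_SPECIALS else ch for ch in value)


def naive_login_filter(uid: str) -> str:
    """The vulnerable way: interpolate user input straight into the filter."""
    return f"(uid={uid})"


def login_filter(uid: str) -> str:
    """The safe way: the value can only ever match a uid equal to it."""
    return f"(uid={escape_filter_value(uid)})"


def _unescape(value: str) -> str:
    # Decode \xx pairs back to characters (ASCII pairs only, which is all we emit).
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class FakeDirectory:
    """In-memory stand-in: entries = {dn: {attribute: [values]}}.

    Only a single equality filter '(attr=value)' is understood, with a lone
    '*' meaning 'attribute present', which is enough to show the injection.
    Passwords are kept in clear only because this is a test double.
    """

    def __init__(self, entries):
        self.entries = entries

    def search(self, ldap_filter: str):
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if not m:
            raise ValueError("unsupported filter: " + ldap_filter)
        attr, raw = m.group(1), m.group(2)
        if raw == "*":
            return [dn for dn, e in self.entries.items() if attr in e]
        wanted = _unescape(raw)
        return [dn for dn, e in self.entries.items() if wanted in e.get(attr, [])]

    def bind(self, dn: str, password: str) -> bool:
        e = self.entries.get(dn)
        return bool(e) and password in e.get("userPassword", [])


def find_user_dn(directory, uid: str):
    """Map a login name to exactly one DN; zero or several matches are a refusal."""
    matches = directory.search(login_filter(uid))
    return matches[0] if len(matches) == 1 else None


def authenticate(directory, uid: str, password: str) -> bool:
    """Search-then-bind: find the DN, then let the directory check the
    password with a Bind instead of reading userPassword ourselves."""
    dn = find_user_dn(directory, uid)
    return dn is not None and directory.bind(dn, password)


SAMPLE = {  # constructed sample data
    "uid=marina,ou=People,dc=example,dc=rs": {"uid": ["marina"], "userPassword": ["s3cret"]},
    "uid=petar,ou=People,dc=example,dc=rs": {"uid": ["petar"], "userPassword": ["hunter2"]},
}

if __name__ == "__main__":
    d = FakeDirectory(SAMPLE)
    print(naive_login_filter("*"), d.search(naive_login_filter("*")))  # every DN leaks
    print(login_filter("*"), d.search(login_filter("*")))              # nothing matches
    print(authenticate(d, "marina", "s3cret"), authenticate(d, "*", "s3cret"))
```

Two design choices matter here: the application never reads `userPassword` and compares it itself (the directory verifies it through Bind, whatever hash scheme it stores), and a lookup that matches zero or more than one entry is refused rather than taking the first hit.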

Which LDAP server software to use? Quite a long list: Active Directory, Apache Directory Server, Apple Open Directory, FreeIPA, IBM Tivoli Directory Server, Mandriva Directory Server, Novell eDirectory, OpenDJ, OpenDS, OpenLDAP, Optimal IdM, Oracle Internet Directory, Radiant Logic VDS, Sun Java System Directory Server.

How to manage LDAP data? Manually, with the LDAP command-line tools (ldapadd, ldapmodify, ldapsearch); with LDAP browsers such as Apache Directory Studio or phpLDAPadmin; with your own application; or by bulk import/synchronization from other source systems (student information system, employee registry, ...).
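As an added example (not part of the presentation, and not any institution's actual import tool) of the bulk-import route: the code below turns a record from a source system into an LDIF entry that ldapadd can load, using eduPerson attributes, base64-encoding values LDIF cannot carry verbatim (the 'ć' in a Serbian surname, for instance), folding long lines, and storing the password as a salted {SSHA} hash rather than cleartext. The base DN ou=People,dc=example,dc=rs, the realm example.rs, the objectClass list and the {SSHA} scheme are assumptions; use the scheme your server is configured for, and a stronger one where the server offers it.

```python
"""Create an LDIF entry for a new user (RFC 2849) with an {SSHA} password.

Added example, not from the presentation. The base DN, the realm example.rs,
the objectClass list and the {SSHA} scheme are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import os

LDIF_WIDTH = 76  # LDIF folds longer lines; continuation lines begin with one space


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Salted SHA-1 in the {SSHA} form that OpenLDAP and others understand."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a password against an {SSHA} value (constant-time comparison)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def _fold(line: str) -> str:
    pieces, rest = [line[:LDIF_WIDTH]], line[LDIF_WIDTH:]
    while rest:
        pieces.append(" " + rest[:LDIF_WIDTH - 1])
        rest = rest[LDIF_WIDTH - 1:]
    return "\n".join(pieces)


def ldif_line(attr: str, value: str) -> str:
    """One 'attr: value' line, or 'attr:: base64' when the value is not LDIF-safe."""
    data = value.encode("utf-8")
    safe = (data.isascii()
            and not any(b in data for b in b"\r\n\x00")
            and data[:1] not in (b" ", b":", b"<"))
    if safe:
        return _fold(f"{attr}: {value}")
    return _fold(f"{attr}:: {base64.b64encode(data).decode('ascii')}")


def ldif_entry(dn: str, attrs: dict) -> str:
    """Serialize one entry; list values become repeated lines (multivalued attributes)."""
    lines = [ldif_line("dn", dn)]
    for attr, values in attrs.items():
        for v in (values if isinstance(values, list) else [values]):
            lines.append(ldif_line(attr, v))
    return "\n".join(lines) + "\n"


def new_student(uid, given_name, sn, mail, password,
                base_dn="ou=People,dc=example,dc=rs", realm="example.rs"):
    """LDIF for a student record from the student information system.

    uid is assumed to be a plain token already validated by the caller.
    """
    return ldif_entry(f"uid={uid},{base_dn}", {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson", "eduPerson"],
        "uid": uid,
        "givenName": given_name,
        "sn": sn,
        "cn": f"{given_name} {sn}",
        "mail": mail,
        "eduPersonPrincipalName": f"{uid}@{realm}",
        "eduPersonAffiliation": ["student", "member"],   # multivalued attribute
        "userPassword": ssha_hash(password),            # never the cleartext
    })


if __name__ == "__main__":
    print(new_student("mvermezovic", "Marina", "Vermezović", "marina@example.rs", "s3cret"))
```

Pipe the output into `ldapadd` (over TLS, with a bind identity that may only write under the People branch). Generating LDIF from the authoritative source this way is also what keeps the directory in step with the student and employee registries that the identity management section below relies on.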

Identity Management

The lifecycle of a user's digital identity – IdM: a set of procedures and rules which define: 1. who has the right to own a digital identity; 2. when a digital identity is assigned to a person; 3. how the digital identity is maintained; 4. how the digital identity is used; 5. how the digital identity is terminated. Every institution should have its own IdM policy. It must comply with the national personal data protection law and the EU Data Protection Directive.

1. Who has the right to own a digital identity? Pupils, students, teaching staff, other employees, and other persons affiliated to the institution (members, guests?).

2. When is a digital identity assigned to a person?
When should the digital identity be created? For a student: when applying for admission, when enrolling at the faculty, on the first day of studies, or when he/she first needs it. For an employee: on the first working day, or when he/she first needs it.
Which information should it contain? For each attribute: mandatory or optional, single-valued or multivalued, syntax, predefined values; plus rules for usernames and passwords.
Where do you get the information from? Automatically from another source system, manually from a filled-in form, or manually by word of mouth. Multiple sources bring a synchronization problem.
What is the quality of the information? How and when is the identity checked? Other systems rely on that data, so it should be accurate.

3. How is the digital identity maintained? Digital identity data should be accurate and up to date.
Who is responsible for reporting a change, and of which data? The user: personal data. The institution's administration: data regarding study or employment.
How do you make the changes? The user through a self-service portal; the institution's administration automatically from another source, manually from a filled-in form, or manually by word of mouth.
When are the changes made? As soon as possible!

4. How is the digital identity used?
Which systems can access the information? Those that need AuthN, AuthZ and/or user data. They can access the directory directly, using the LDAP protocol, or through a mediating authentication server (RADIUS, SAML, ...).
Which data should be accessible? Access should be limited to what the service reasonably needs (the slide's examples: mail, birthday), not the whole entry.
How are user rights and privileges defined? Use existing user attributes, or add an attribute that describes the user's role.

5. How is the digital identity terminated?
When is it terminated? When the person is no longer affiliated with the institution: a student when he/she graduates, an employee when he/she stops working, a guest: ? The time between the end of the affiliation and the termination of the identity should be minimal.
Who reports that it should be terminated? The user; the student administration service; the employee administration service; for guests: ?
How is it terminated? By the administration service: automatically from another source, manually from a filled-in form, or manually by word of mouth.
Is it deleted permanently? Should you reassign once-used usernames?

Thank you for your attention. Questions?