Directory-Enabling Applications: Techniques from the Trenches Brendan Bellina Senior Systems Engineer University of Notre Dame This presentation is available.

Presentation transcript:

Directory-Enabling Applications: Techniques from the Trenches
Brendan Bellina, Senior Systems Engineer, University of Notre Dame
This presentation is available for download or online viewing at:
Copyright © Brendan Bellina. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

About Notre Dame
- 33,000 active enterprise accounts
- Single campus
- Affiliation with other CSC higher-ed institutions
- No medical school
- Systems of Record “integrated” into a Person Database
- No WebISO implementation
- No PKI implementation

AuthN/AuthZ Models
- Application-level
- Application-specific Directory
- Enterprise Directory

Application-level AuthN/AuthZ
Diagram elements: System of Record, User Info, Decision Maker, Application AuthN+Z DB, Application, App Administrator, Filter, with an “In-Bounds” path and an “Out-of-Bounds” path.
- “In-Bounds” path: based on policy and/or data in the System of Record
- “Out-of-Bounds” path: discretionary; used to address limitations of policy and/or data in the System of Record
Some of the many problems:
- Proprietary interface
- Hard to know who is allowed to do what across the institution
- High overhead costs
- Not a scalable architecture
- Can be slow to revoke access

Application-specific Directory AuthN/AuthZ
Diagram elements: System of Record, Groups, LDAP Directory, Application AuthN+Z, Application, Directory Administrator or App Administrator, Filter; the application reaches the directory over the LDAP protocol or a proprietary interface, and the directory is fed from the System of Record through an internally developed or proprietary interface.
- Less proprietary and therefore more compatible with delegated administration, which can reduce administrative overhead and “out-of-bounds” requests
- Without delegated administration there is little to no benefit over the application-level model
- When vendors say “LDAP-enabled” this is often what they mean... but they rarely provide tools for delegated administration

Enterprise Directory AuthN/AuthZ
Diagram elements: System of Record, Groups, Enterprise LDAP Directory, Application, Directory Administrator, Filter; the application uses the LDAP protocol, and the directory is maintained through an internally developed web interface using LDAP.
- Because the Enterprise Directory contains all people who use all applications, filtering must be done between the application and the directory
- Directory access controls are an effective means of doing this and are external to the applications
- Easier to delegate, but proprietary interfaces may not be usable

Strategic Direction: “Wherever practical, applications use central authentication/authorization services rather than maintaining their own password/credential stores.” (EDS Architecture Layer, ND Strategic Technology Draft, 2002)

ND Enterprise Directory Service
Diagram elements: System of Record, Groups, Enterprise LDAP Directory, My EDS Groups, Microsoft Active Directory (accounts and groups), Application, Directory Administrator, internally developed web apps using LDAP, with “In-Bounds” and “Out-of-Bounds” paths.
LDAP-enabled applications:
- AuthN/AuthZ via bind to LDAP
- AuthZ via LDAP groups
- Attribute retrieval
Active Directory applications:
- AuthN via AD
- AuthZ via AD groups inherited from the LDAP directory

Groups, Rules, and Exceptions
Diagram elements: System of Record, User Info, EDS Accounts, Rule-based Groups (Decision Maker), EDS Groups, My EDS Groups, Exception Groups, Enterprise Groups.

Authentication Flow
Participants: Application, Directory Service, Kerberos v5, Application AuthN database.
(1) User ID and password are presented to the Application
(2) Application searches the Directory Service by User ID
(3) Directory returns the dn, or fail
(4) Application binds with the dn and password
(5) Directory passes the credential to Kerberos
(6) Kerberos returns success or fail
(7) Directory returns success or fail to the Application
(8) Fallback to the Application AuthN database
(9) Success or fail

Application Authentication Techniques
- LDAP protocol using a Service dn bind over SSL (search for the dn rather than constructing it)
- Fallback to a local account database (primarily for isolated accounts)
- AuthN credentials can be in the directory or in an external store such as Kerberos
- Authentication to the enterprise Microsoft Active Directory is possible due to password synchronization
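The nine-step flow from the Authentication Flow slide, worked through as an added example; this is not code from the talk or from Notre Dame's EDS, and the service DN, people container, account names and passwords are constructed placeholders. A small in-memory stand-in plays the directory so the example runs offline; a real deployment would wrap an LDAP client library over LDAPS. Two checks the flow depends on but the slides do not spell out are made explicit: the user id is escaped before it goes into the search filter, and an empty password is refused before the bind, because LDAP treats an empty-password bind as an anonymous bind and reports success.

```python
"""Search-then-bind LDAP authentication with fallback to a local account store."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed service account and people container; the names are not from the talk.
SERVICE_DN = "cn=app-service,ou=Services,dc=example,dc=edu"
SERVICE_PASSWORD = "service-secret"
PEOPLE_BASE = "ou=People,dc=example,dc=edu"

# RFC 4515 escapes for user-supplied text placed inside a search filter, so an
# id such as "*" is matched literally instead of being read as filter syntax.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _unescape_filter_value(value: str) -> str:
    for ch, esc in reversed(list(_FILTER_ESCAPES.items())):  # backslash last
        value = value.replace(esc, ch)
    return value


class FakeDirectory:
    """In-memory stand-in for an LDAP server (constructed for this example).
    Mimics two real behaviours: a search needs a bound connection, and a bind
    with an empty password succeeds as an anonymous bind (RFC 4513)."""

    def __init__(self, entries: dict, passwords: dict):
        self.entries = entries      # dn -> {attribute: value}
        self.passwords = passwords  # dn -> password (test data only)
        self.bound_as = None

    def bind(self, dn: str, password: str) -> bool:
        if password == "":
            self.bound_as = "anonymous"
            return True
        stored = self.passwords.get(dn, "")
        ok = hmac.compare_digest(stored.encode(), password.encode())
        self.bound_as = dn if ok else None
        return ok

    def search(self, base: str, filt: str) -> list:
        if self.bound_as is None:
            raise PermissionError("search requires a bound connection")
        assert filt.startswith("(uid=") and filt.endswith(")")  # only shape used here
        wanted = _unescape_filter_value(filt[5:-1])
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(base) and attrs.get("uid") == wanted]


def make_local_record(password: str, salt=None) -> dict:
    """Salted PBKDF2 record for an isolated account kept in the application DB."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)}


def check_local(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    return hmac.compare_digest(digest, record["hash"])


@dataclass
class AuthResult:
    ok: bool
    source: str  # "directory", "local" or "none"
    detail: str


def authenticate(directory, local_db: dict, user_id: str, password: str) -> AuthResult:
    if password == "":  # would turn step (4) into an anonymous bind that "succeeds"
        return AuthResult(False, "none", "empty password rejected")
    # (1)-(3): bind as the service account and look the user's dn up by uid.
    if not directory.bind(SERVICE_DN, SERVICE_PASSWORD):
        return AuthResult(False, "none", "service bind failed")
    matches = directory.search(PEOPLE_BASE, f"(uid={escape_filter_value(user_id)})")
    if len(matches) > 1:
        return AuthResult(False, "none", "ambiguous user id")
    if len(matches) == 1:
        # (4)-(7): bind with the returned dn; the directory checks the credential
        # itself or hands it to Kerberos. A wrong password stops here.
        if directory.bind(matches[0], password):
            return AuthResult(True, "directory", matches[0])
        return AuthResult(False, "directory", "bad password")
    # (8)-(9): not in the directory at all, so consult the application's own
    # store for isolated accounts.
    record = local_db.get(user_id)
    if record is not None and check_local(record, password):
        return AuthResult(True, "local", user_id)
    return AuthResult(False, "none", "unknown user")


# Constructed sample data: one directory user and one isolated local account.
USER_DN = f"ndPVid=100001,{PEOPLE_BASE}"
DIRECTORY = FakeDirectory(
    entries={USER_DN: {"uid": "jdoe"}, SERVICE_DN: {"cn": "app-service"}},
    passwords={USER_DN: "correct-horse", SERVICE_DN: SERVICE_PASSWORD},
)
LOCAL_DB = {"vendor-support": make_local_record("isolated-pw", salt=b"fixed-salt-for-demo")}
```

One design choice to notice: the local database is consulted only when the directory has no entry for the user. Letting a failed directory bind fall through to the local store would let a stale local copy of a directory user override a password change or a revocation made in the directory.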

Application Authorization Techniques
- LDAP protocol using a Service dn bind over SSL; limit the user space by directory ACI
- Mapping to LDAP groups
- Mapping to Microsoft Active Directory groups
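The rule-plus-exception model from the Groups, Rules, and Exceptions slide together with the group mapping on this slide, as an added example; it is not Notre Dame's EDS code, the group names, role names and sample people are constructed, and eduPersonAffiliation is assumed as the affiliation attribute. Enterprise groups are recomputed from System-of-Record data on every run, exception groups add or remove individual members, and the application maps its roles onto group names instead of keeping its own list of privileged users.

```python
"""Rule-based groups, exception groups, and group-to-role authorization."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

Entry = Dict[str, object]


@dataclass
class RuleGroup:
    """Membership computed from System-of-Record data: the "in-bounds" path."""
    name: str
    rule: Callable[[Entry], bool]


@dataclass
class ExceptionGroup:
    """Discretionary adds and removes kept by a delegated administrator: the
    "out-of-bounds" path. Includes are unioned in; excludes win over everything."""
    name: str
    include: Set[str] = field(default_factory=set)
    exclude: Set[str] = field(default_factory=set)


def evaluate_groups(people: Dict[str, Entry], rule_groups: List[RuleGroup],
                    exceptions: Dict[str, ExceptionGroup]) -> Dict[str, Set[str]]:
    """Recompute every enterprise group from scratch: (rule hits | include) - exclude.
    A name that has an exception group but no rule is a pure exception group."""
    rules = {g.name: g.rule for g in rule_groups}
    membership: Dict[str, Set[str]] = {}
    for name in set(rules) | set(exceptions):
        rule = rules.get(name)
        base = {uid for uid, entry in people.items() if rule is not None and rule(entry)}
        exc = exceptions.get(name, ExceptionGroup(name))
        membership[name] = (base | exc.include) - exc.exclude
    return membership


# Application-side mapping of its roles onto enterprise group names (assumed names).
ROLE_GROUPS = {
    "grade-editor": {"nd-faculty"},
    "app-admin": {"gradeapp-admins"},
}


def roles_for(uid: str, membership: Dict[str, Set[str]], role_groups=ROLE_GROUPS) -> Set[str]:
    return {role for role, groups in role_groups.items()
            if any(uid in membership.get(g, set()) for g in groups)}


def is_authorized(uid: str, role: str, membership, role_groups=ROLE_GROUPS) -> bool:
    return role in roles_for(uid, membership, role_groups)


# Constructed sample: directory entries keyed by uid, carrying the eduPerson
# affiliation attribute (assumed) and a department.
PEOPLE: Dict[str, Entry] = {
    "jdoe":   {"eduPersonAffiliation": ["faculty", "employee"], "ou": "Physics"},
    "mleave": {"eduPersonAffiliation": ["faculty", "employee"], "ou": "History"},
    "vschol": {"eduPersonAffiliation": ["affiliate"], "ou": "Physics"},
    "astud":  {"eduPersonAffiliation": ["student"], "ou": "Physics"},
}
RULE_GROUPS = [
    RuleGroup("nd-faculty", lambda e: "faculty" in e["eduPersonAffiliation"]),
    RuleGroup("physics-members", lambda e: e["ou"] == "Physics"),
]
EXCEPTIONS = {
    # a visiting scholar with no faculty record in the SoR; a faculty member on leave
    "nd-faculty": ExceptionGroup("nd-faculty", include={"vschol"}, exclude={"mleave"}),
    # a pure exception group: application administrators are named by hand
    "gradeapp-admins": ExceptionGroup("gradeapp-admins", include={"jdoe"}),
}

if __name__ == "__main__":
    m = evaluate_groups(PEOPLE, RULE_GROUPS, EXCEPTIONS)
    for uid in PEOPLE:
        print(uid, sorted(roles_for(uid, m)))
```

Re-running evaluate_groups after a change in the System of Record drops rule-based membership on its own, which is the prompt revocation the application-level model lacks. Exception memberships persist until a delegated administrator removes them, so they are the part of the model that needs periodic review.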

Attribute Retrieval Techniques
- Retrieval of attributes via the LDAP protocol
- Provisioning via batch feed (LDIF)

ND Directory-Enabled Non-Internal Applications
Integration methods tabulated: LDAP AuthN+Z via Bind; LDAP AuthZ via Groups; AD AuthN; AD AuthZ via Groups; Attribute Retrieval.
- Vendor applications: Websphere, WebCT, Luminus, Webmail-IMP, Business Objects, FreeRADIUS, Roving Planet, Cisco VPN, Microsoft VPN, Citrix Metaframe, Network Appliance Filers, Sendmail, Clarify
- ASP applications: Higher Markets, LMS, OPAC website, NACELink
- Operating systems: MacOS 10.2, MacOS 10.3, AD 2003, Red Hat Enterprise Linux

Integrating with Internally Developed Applications
- myLibrary (Perl)
- Rector application (Websphere, Java)
- Career Center Services website (PHP)
- Campus White Pages (Cold Fusion)
- MCOB Faculty Work Application (CF)
- Homepage Web Services
- Athletic Department
- Food Services
- EDS Website: self-service personal information editing, options, privacy settings (Perl CGI)

Integrating with Operating Systems: Microsoft Active Directory
Active Directory Service 2003 (ADS):
- Accounts synched nightly via metadirectory processing (developed in-house in Perl)
- Accounts use a dn based on ndPVid, as does EDS
- sAMAccountName and userPrincipalName mapped to EDS uid
- cn (MS canonical name) mapped to EDS ndPVid
- Enterprise groups automatically synched with EDS, with a dn based on cn, which maps to EDS cn
- AD administrator accounts for delegated OU management

Integrating with Vendor Applications: Sendmail, Inc.
- Authenticates directly against Kerberos
- No directory-based authorization
- Nightly retrieval of quota attributes from EDS
- Real-time retrieval and processing of sieve filters to control forwarding, auto-reply and spam filtering
- Real-time retrieval of aliases for routing
- All aliases defined in the directory, which allows rejection of 20K+ bad e-mails per day
- E-mail options maintained in real time, self-service, via the EDS Website
- Ability for end users to create their own aliases in real time

Integrating with Vendor Applications: SCT Luminus Portal
- Searching bind to EDS using a Service dn
- Authorization managed by automatically populated groups and delegated exception groups
- Nightly batch feed from EDS published to allow provisioning to the PDS directory and attribute usage
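A nightly batch feed of the kind published for Luminus, and the LDIF provisioning listed under Attribute Retrieval Techniques, as an added example that is not the talk's or the university's code. It projects constructed EDS-style records onto only the attributes the consumer needs, writes them as RFC 2849 LDIF with base64 encoding and line folding applied where the standard requires, and parses the result back the way a consuming system would. The people container and the sample records are assumptions; ndPVid as the dn key is taken from the talk.

```python
"""Nightly LDIF batch feed: project EDS records, write RFC 2849 LDIF, parse it back."""
import base64
import re

PEOPLE_BASE = "ou=People,dc=example,dc=edu"  # assumed container; not from the talk

# Attributes the consuming application actually needs; anything else stays home.
CONSUMER_ATTRS = ["uid", "cn", "sn", "givenName", "mail"]

# RFC 2849: a value may be written in plain form only if it is 7-bit ASCII, its
# first character is a SAFE-INIT-CHAR (no NUL, LF, CR, space, ':' or '<') and the
# rest are SAFE-CHARs (no NUL, LF, CR). Everything else, and values ending in a
# space, must be base64-encoded.
_SAFE_STRING = re.compile(
    r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f][\x01-\x09\x0b\x0c\x0e-\x7f]*")


def needs_base64(value: str) -> bool:
    if value == "":
        return False
    return _SAFE_STRING.fullmatch(value) is None or value.endswith(" ")


def attr_line(name: str, value: str) -> str:
    if needs_base64(value):
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def fold(line: str, width: int = 76) -> str:
    """Wrap long lines; every continuation line starts with a single space."""
    pieces = [line[:width]]
    rest = line[width:]
    while rest:
        pieces.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(pieces)


def entry_to_ldif(dn: str, attrs: dict) -> str:
    lines = [attr_line("dn", dn)]
    for name, values in attrs.items():
        for value in (values if isinstance(values, list) else [values]):
            lines.append(attr_line(name, value))
    return "\n".join(fold(line) for line in lines) + "\n"


def to_consumer_entry(record: dict):
    """Project an EDS record onto the consumer's schema; the dn is keyed on ndPVid."""
    dn = f"ndPVid={record['ndPVid']},{PEOPLE_BASE}"
    attrs = {"objectClass": ["inetOrgPerson"]}
    attrs.update({a: record[a] for a in CONSUMER_ATTRS if a in record})
    return dn, attrs


def build_feed(records: list) -> str:
    body = "\n".join(entry_to_ldif(*to_consumer_entry(r)) for r in records)
    return "version: 1\n\n" + body


def parse_ldif(text: str) -> list:
    """Consumer side: unfold, decode base64, return [(dn, {attr: [values]})]."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines: list = []
        for raw in block.split("\n"):
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]  # continuation line
            else:
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            if line.startswith("#") or line.startswith("version:"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest[1:] if rest.startswith(" ") else rest
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


# Constructed sample EDS records; telephoneNumber is deliberately not published.
EDS_RECORDS = [
    {"ndPVid": "100001", "uid": "jdoe", "cn": "Jane Doe", "sn": "Doe", "givenName": "Jane",
     "mail": "jdoe@example.edu", "telephoneNumber": "+1 555 0100"},
    {"ndPVid": "100002", "uid": "zmuller", "cn": "Zoë Müller", "sn": "Müller",
     "givenName": "Zoë", "mail": "zmuller@example.edu"},
]

if __name__ == "__main__":
    print(build_feed(EDS_RECORDS))
```

The base64 rule is the part hand-rolled LDIF exporters most often get wrong: a name containing a non-ASCII letter, or a value that begins with a space or a colon, is silently corrupted on the consumer side if it is written in plain form.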

Integrating with Vendor Applications: IBM Websphere
- Binds to EDS using a Service dn at the environment level, not per application
- Support for application roles
  - Current: Websphere admin creates Websphere groups to store the dn’s of privileged members
  - Planned: LDAP groups with membership maintenance delegated to application administrators, mapped to Websphere groups
- No attribute retrieval or provisioning required

Integrating with ASP Applications: eProcurement – Higher Markets
- Searching bind to EDS using a Service dn over SSL
- Authorization managed by LDAP group membership, maintained by each department through a web interface
- Account provisioning managed manually by the Higher Markets admin

Aids for Developers
- EDS Developers’ Guide:
- EDS Service DN Request Form
- EDS Schema documentation
- Internet2 Middleware standards:

Summary
- LDAP and LDAPS are widely adopted
- Authentication AND Authorization
- Authorization attributes in entries
- Authorization groups
- Rules are your friend
- Exceptions are a reality of life in higher-ed
- Delegation and self-service are good

Your turn to…
- Ask the speaker your questions
- Ask yourself why your institution isn’t using central authorization

Links
- ND EDS Website:
- ND EDS Documentation:
- ND EDS Search Page:
- EDS Schema documentation:

Contact Information
Brendan Bellina, Office of Information Technologies, University of Notre Dame du Lac
Website:
Directory Entry:
vCard: