Presentation is loading. Please wait.

Presentation is loading. Please wait.

Directory-Enabling Applications: Techniques from the Trenches Brendan Bellina Senior Systems Engineer University of Notre Dame This presentation is available.

Published byDaniella Fletcher Modified over 9 years ago

Similar presentations

Presentation on theme: "Directory-Enabling Applications: Techniques from the Trenches Brendan Bellina Senior Systems Engineer University of Notre Dame This presentation is available."— Presentation transcript:

1 Directory-Enabling Applications: Techniques from the Trenches Brendan Bellina Senior Systems Engineer University of Notre Dame This presentation is available for download or online viewing at: http://www.nd.edu/~bbellina Copyright © Brendan Bellina, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 About Notre Dame 33,000 active enterprise accounts Single campus Affiliation with other CSC Higher-Ed Institutions No medical school Systems of Record “integrated” into Person Database No WebISO implementation No PKI implementation

3 AuthN/AuthZ Models Application-level Application-specific Directory Enterprise Directory

4 System of Record Application-level AuthN/AuthZ Decision Maker System of Record User Info Application AuthN+Z DB Application “In-Bounds” App Administrator “Out-of-Bounds” Filter “In-Bounds” Path: Based on Policy and/or Data in System of Record “Out-of-Bounds” Path: Discretionary Used to address limitations of Policy and/or Data in System of Record Some of the many problems: Proprietary interface Hard to know who is allowed to do what across the institution High overhead costs Not scalable architecture Can be slow to revoke access Proprietary interface

5 Application-specific Directory AuthN/AuthZ Decision Maker User Info Application “In-Bounds” Directory Administrator or App Administrator “Out-of-Bounds” Filter Less proprietary and therefore more compatible with delegated administration, which can reduce administrative overhead and “out- of-bounds” requests. Without delegated administration there is little to no benefit over the application-level model. When vendors say “LDAP- enabled” this is often what they mean... But they rarely provide tools for delegated administration. LDAP protocol or Proprietary Interface Appl AuthN+Z LDAP Directory System of Record Groups Internally developed or Proprietary Interface

6 Enterprise Directory AuthN/AuthZ Decision Maker User Info Application “In-Bounds” Directory Administrator “Out-of-Bounds” Filter Because the Enterprise Directory contains all people who use all applications, filtering must be done between the application and the directory. Directory Access Controls are an effective means of doing this and are external to the applications. Easier to delegate, but proprietary interfaces may not be usable. LDAP protocol Enterpris e LDAP Directory Internally developed web interface using LDAP System of Record Application Groups

7 Strategic Direction: Wherever practical applications use central authentication/authorization services, rather than maintaining their own password/credential stores. EDS Architecture Layer, ND Strategic Technology Draft, 2002

8 ND Enterprise Directory Service Decision Maker User Info Application “In-Bounds” Directory Administrator “Out-of-Bounds” LDAP-enabled applications: -AuthN/AuthZ via bind to LDAP -AuthZ via LDAP groups -Attribute retrieval Active Directory applications: -AuthN via AD -AuthZ via AD groups inherited from the LDAP directory LDAP protocol Enterpris e LDAP Directory Internally developed web apps using LDAP System of Record Application Groups Microsoft Active Directory Groups accounts groups My EDS Groups

9 Groups, Rules, and Exceptions User Info System of Record EDS Accounts Rule-based Groups Decision Maker My EDS Groups EDS Groups Exception Groups Enterprise Groups

10 (1) Application Directory Service User ID Password (7) Return success or fail (2) Search by User ID (3) Return dn or fail (4) Bind with dn & psswrd Application AuthN database (9) Success or Fail (8) Fallback To Appl DB Kerberos v5 (5) Pass To Kerberos (6) Success or Fail Authentication Flow

11 Application Authentication Techniques LDAP protocol using Service dn bind over SSL (search rather than construct dn) Fallback to local account database (primarily for isolated accounts) AuthN credentials can be in directory or external store such as Kerberos Authentication to Enterprise Microsoft Active Directory possible due to password synchronization

12 Application Authorization Techniques LDAP protocol using Service dn bind over SSL – limit user space by directory ACI Mapping to LDAP groups Mapping to Microsoft Active Directory groups

13 Attribute Retrieval Techniques Retrieval of attributes via LDAP protocol Provisioning via batch feed (LDIF)

14 ND Directory-Enabled Non-Internal Applications LDAP AuthN+Z via Bind LDAP AuthZ via Groups AD AuthNAD AuthZ via Groups Attribute Retrieval Vendor Applications Websphere WebCT Luminus Webmail -IMP Business Objects FreeRADIUS Roving Planet Websphere Business Objects FreeRADIUS Cisco VPN Roving Planet Microsoft VPN Citrix Metaframe Microsoft VPN Citrix Metaframe Network Appliance Filers Sendmail Clarify ASP Applications Higher Markets LMS OPAC website NACELink LMS Operating Systems MacOS10.2 MacOS10.3 AD 2003MacOS10.2 MacOS10.3 Red Hat Enterprise Linux

15 Integrating with Internally Developed Applications myLibrary (Perl) Rector application (Websphere, Java) Career Center Services website (PHP) Campus White Pages (Cold Fusion) MCOB Faculty Work Application (CF) Homepage Web Services Athletic Department Food Services EDS Website – self-service personal information editing, email options, privacy settings (Perl cgi) (http://eds.nd.edu)

16 Integrating with Operating Systems: Microsoft Active Directory Active Directory Service 2003 (ADS) –Accounts synched nightly via metadirectory processing (developed in-house in Perl) –Accounts use dn based on ndPVid as does EDS –sAMAccountName & userPrincipalName mapped to EDS uid –cn (MS canonical name) mapped to EDS ndPVid –Enterprise groups automatically synched with EDS with dn based on cn which maps to EDS cn –AD administrator accounts for delegated OU management

17 Integrating with Vendor Applications: Sendmail, Inc. Authenticates directly against Kerberos No directory-based authorization Nightly retrieval of email quota attributes from EDS Real-time retrieval and and processing of sieve filter to control forwarding, auto-reply, spam filtering Real-time retrieval of email aliases for routing All email aliases defined in the directory, allows rejection of 20K+ bad emails per day Email options maintained real-time self-service via EDS Website Ability for end users to create their own email aliases real-time

18 Integrating with Vendor Applications: SCT Luminus Portal Searching Bind to EDS using Service dn Authorization managed by automatically populated groups and delegated exception groups Nightly batch feed from EDS published to allow provisioning to PDS directory and attribute usage

19 Integrating with Vendor Applications: IBM Websphere Binds to EDS using Service dn at the environmental level not per application Support for application roles –Current: Websphere admin creates Websphere groups to store dn’s of privileged members –Planned: LDAP groups with membership maintenance delegated to application administrators and map to Websphere groups No attribute retrieval or provisioning required

20 Integrating with ASP Applications: eProcurement – Higher Markets Searching Bind to EDS using Service dn over SSL Authorization managed by LDAP group membership managed by department using web interface Account provisioning managed manually by Higher Markets admin 

21 Aids for Developers EDS Developers’ Guide: http://eds.nd.edu/docs/edsdevguide.shtml http://eds.nd.edu/docs/edsdevguide.shtml EDS Service DN Request Form http://eds.nd.edu/docs/eds_dnrequest.shtml http://eds.nd.edu/docs/eds_dnrequest.shtml EDS Schema documentation http://eds.nd.edu/docs/current_schema/EDS_ModelDoc.htm http://eds.nd.edu/docs/current_schema/EDS_ModelDoc.htm Internet2 Middleware standards: http://middleware.internet2.edu http://middleware.internet2.edu

22 Summary LDAP and LDAPS are widely adopted Authentication AND Authorization Authorization attributes in entries Authorization groups Rules are your friend Exceptions are a reality of life in higher-ed Delegation and self-service are good

23 Your turn to… Ask the speaker your questions Ask yourself why isn’t your institution using central authorization

24 Links ND EDS Website: http://eds.nd.eduhttp://eds.nd.edu ND EDS Documentation: http://eds.nd.edu/docs http://eds.nd.edu/docs ND EDS Search Page: http://eds.nd.edu/search http://eds.nd.edu/search EDS Schema documentation: http://eds.nd.edu/docs/current_schema/EDS_ModelDoc.htm http://eds.nd.edu/docs/current_schema/EDS_ModelDoc.htm

25 Contact Information Brendan Bellina Office of Information Technologies University of Notre Dame du Lac Email: Brendan_Bellina@nd.eduBrendan_Bellina@nd.edu Website: http://www.nd.edu/~bbellina Directory Entry: http://eds.nd.edu/cgi-bin/nd_ldap_search.pl?ldapfilter=uid=bbellina vCard: http://eds.nd.edu/cgi-bin/ldapvcard.pl?uid=bbellina

Download ppt "Directory-Enabling Applications: Techniques from the Trenches Brendan Bellina Senior Systems Engineer University of Notre Dame This presentation is available."

Similar presentations

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
The Academic Computing Assessment Data Repository: A New (Free) Tool for Program Assessment Heather Stewart, Director, Institute for Technology Development,

The Academic Computing Assessment Data Repository: A New (Free) Tool for Program Assessment Heather Stewart, Director, Institute for Technology Development,
Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for.

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for.
LDAP-Enabled Privacy at The University of Notre Dame EduCAUSE conference, October 2002 Brendan Bellina Office of Information Technologies University of.

LDAP-Enabled Privacy at The University of Notre Dame EduCAUSE conference, October 2002 Brendan Bellina Office of Information Technologies University of.
Architecting Your Data and Metadirectory Model Brendan Bellina, University of Notre Dame Base CAMP - Tempe, Arizona February 5-7, 2003 Copyright Brendan.

Architecting Your Data and Metadirectory Model Brendan Bellina, University of Notre Dame Base CAMP - Tempe, Arizona February 5-7, 2003 Copyright Brendan.
EDUCAUSE Nov, 2003 Directory-Enabling Applications: Techniques from the Trenches Brendan Bellina Senior Systems Engineer University of Notre Dame This.

EDUCAUSE Nov, 2003 Directory-Enabling Applications: Techniques from the Trenches Brendan Bellina Senior Systems Engineer University of Notre Dame This.
1 Extending Authenticated Online Services with Friend Accounts at Washington State University Brian Foley Technology Architect/Application Developer.

1 Extending Authenticated Online Services with "Friend Accounts" at Washington State University Brian Foley Technology Architect/Application Developer.
Self-Service Privacy Using LDAP at The University of Notre Dame CUMREC 2003 Brendan Bellina Office of Information Technologies University of Notre Dame.

Self-Service Privacy Using LDAP at The University of Notre Dame CUMREC 2003 Brendan Bellina Office of Information Technologies University of Notre Dame.
UCB Enterprise Directory Services. Directory Services – Project History  Requirements defined  Project commission & goals articulated  Project teams.

UCB Enterprise Directory Services. Directory Services – Project History  Requirements defined  Project commission & goals articulated  Project teams.
Understanding Active Directory

Understanding Active Directory
Method: systematically gather citations by KU faculty and approach those faculty for permission to deposit on their behalf articles published in journals.

Method: systematically gather citations by KU faculty and approach those faculty for permission to deposit on their behalf articles published in journals.
June 1, 2001 Enterprise Directory Service at College Park David Henry Office of Information Technology University of Maryland College Park

June 1, 2001 Enterprise Directory Service at College Park David Henry Office of Information Technology University of Maryland College Park
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
UCB Enterprise Directory Services. Directory Services – Project History  Requirements defined  Project commission & goals articulated  Project teams.

UCB Enterprise Directory Services. Directory Services – Project History  Requirements defined  Project commission & goals articulated  Project teams.
The Homegrown Single Sign On (SSO) Project at UM – St. Louis.

The Homegrown Single Sign On (SSO) Project at UM – St. Louis.
JA-SIG CAS Enterprise Single Sign-On Scott Battaglia Application Developer Enterprise Systems & Services Rutgers, the State University of New Jersey Copyright.

JA-SIG CAS Enterprise Single Sign-On Scott Battaglia Application Developer Enterprise Systems & Services Rutgers, the State University of New Jersey Copyright.
Identity Management: The Legacy and Real Solutions Project Overview.

Identity Management: The Legacy and Real Solutions Project Overview.
Procurement From the 20 th to the 21 st Century Copyright Byron Honoré 2007. This work is the intellectual property of the author. Permission is granted.

Procurement From the 20 th to the 21 st Century Copyright Byron Honoré This work is the intellectual property of the author. Permission is granted.
Moving Your Paperwork Online Western Washington University E-Sign Web Forms Copyright Western Washington University, 2004. This work is the intellectual.

Moving Your Paperwork Online Western Washington University E-Sign Web Forms Copyright Western Washington University, This work is the intellectual.
GatorAid: Identity Management at the University of Florida Mike Conlon Director of Data Infrastructure

GatorAid: Identity Management at the University of Florida Mike Conlon Director of Data Infrastructure

Similar presentations

Ads by Google