Presentation is loading. Please wait.

Presentation is loading. Please wait.

Seminar 01F - Architecting the Institutional Directory Service Advanced Issues, Problems, and Solutions Presented by Brendan Bellina and Rob Banz October.

Published byRosalyn Hood Modified over 8 years ago

Similar presentations

Presentation on theme: "Seminar 01F - Architecting the Institutional Directory Service Advanced Issues, Problems, and Solutions Presented by Brendan Bellina and Rob Banz October."— Presentation transcript:

1 Seminar 01F - Architecting the Institutional Directory Service Advanced Issues, Problems, and Solutions Presented by Brendan Bellina and Rob Banz October 23, 2007

2 Overview Speaker Introductions Overview of Enterprise Directory Models and implemented systems at USC and UMBC Data Transport Directory Schema Design Commercial Identity Mgmt. Products

3 Overview (cont.) Controlling Access Monitoring Performance Directory Administration Tools Directory Replication and Synchronization Authentication Services Authorization Services Managing Attribute Release

4 Overview (cont.) Directory Team Staffing Additional Issues to Consider Future Advancements Institutional Policies Inter-institutional Collaborative Resources Questions

5 Speaker Introductions

6 Brendan Bellina Identity Services Architect, USC Background in Financial Software Development and Data Warehouse Design Active in Higher-Education Identity Management / Directory Services since 2001 Designed and implemented the Enterprise Directory Service at the University of Notre Dame (2001-2004) http://eds.nd.eduhttp://eds.nd.edu Architect of USC Global Directory Service (2005- current) http://www.usc.edu/gdshttp://www.usc.edu/gds Presentations and online materials available at http://its.usc.edu/~bbellina http://its.usc.edu/~bbellina

7 Robert Banz, UMBC Director, Computing Infrastructure, UMBC. Background in UNIX systems engineering and software architecture. Likes making things work together that aren’t supposed to… Architect of UMBC’s Enterprise Directory / IDMS ( 2000 - present ) Presentations available at http://umbc.edu/~banz http://umbc.edu/~banz

8 NMI Middleware Diagram

9 Policy Data CollectionMultiple Systems of Record Identity ResolutionRegistry Functions Data MigrationMetadirectory scripts; Provisioning Entry/Attribute Access and Release LDAP Access Controls, Shibboleth ARP’s Data ConsumersLDAP designed for high-volume read, low-value write. Applications, End-users, Application/NOS directories

10 Enterprise Directory Architectures Centralized EDS –Everything queries the central EDS –Central control –Performance bottleneck risk Replicated EDS –Replicate servers for performance –Small Risk of Data Latency Derivative directories –Distribute EDS data to stand-alone directories –Potential issues managing identities –Risk of data leakage and inconsistent access controls –Risk of Data Latency

11 Initial Implementation Plan Production Hardware –Redundancy –Security –Scalability –Monitoring –Availability –Performance –Recoverability Integrated Test/Development System(s) –Pre and Post Production Systems –Crash and Burn system

12

13

14 UMBC Server Architecture

15 Design with DR in mind! –Mirrored storage across datacenters for important transactional data (registry, master directory, etc.) –Easy to bring up on similar hardware when the time comes without losing changes Replicas –N+1. Be sure you can handle all of your transactions if one is missing. –Hardware is cheap. Memory is cheap. Overbuild now, and stay ahead of the curve. –Where’s the curve you ask? We’ll get to that.

16 UMBC Directory Architecture

17

18

19

20 Future growth and projects –PeopleSoft Student Administration –Grouper-based Ad-Hoc Group Mgmt. –Expand physical access control integration –Logging & Diagnostics –Expanded services to alternative populations (alumni, pre-admits, dropouts, etc) …and others that I can’t imagine yet.

21 Data Transport

22 Batch Pros and Cons Periodic processes are easier to support Periodic processes are easier to update Batch processes allow looser integration testing Data Latency Performance spikes Effective delay of service

23 Real-Time Pros and Cons Shorter delays in processing Transactions are spread-out (generally) allowing smaller systems Like spam, it never stops Harder to test, support, and maintain

24 Why Batch Processes Cannot be Avoided Handling Time-triggered events requires a batch process Academic calendar often involves large quantity of transactions on specific dates Batch practices of SORs (imports, mass changes)

25 Data Extract Issues Codes in tables or Values in entries –Transaction systems often use codes –End services often require values. Standard LDAP attributes are expected to be values. –Single changes in code tables may result in many updates to values in entries –Values in entries alone may not provide enough information for data selection Invalid data in source systems Should directory be insulated from source system table structures?

26 USC Data Transport Batch components –Account creation process for Members –Employee system updates to Registry –Sync between Account System and GDS –Sync between Person Registry and GDS –Rebuilding GDS groups and permissions –VIP authorized services feed between iVIP and metadirectory

27 USC Data Transport Real-time components –Identity creation in Person Registry from Student System –Identity creation in Person Registry from Employee System –Identity creation from Guest/Affiliate “iVIP” system –Update of ID card information from USCard system –Creation of Sponsored User Accounts “SASU”

28 UMBC Data Transport Real Time Components –Student Status / Enrollment Changes –ID Card issuance ( Mag Strip / Library Card #) –Self / Administrative initiated changes Identity creation for new faculty/staff * Identity creation for affiliates (guests, etc.) Account creation / activation Directory information updates –Back-feeds of CampusID data

29 UMBC Data Transport Batch Components –CMS (Blackboard) Course Creation and Enrollments –Faculty / Staff Identity Updates –Data feeds to Library

30 Directory Schema Design

31 Schema Topics –Directory Information Tree (dn format, depth) –People –Accounts –Groups –Permissions –Standard Object Classes –Schema extensions (Get your OID on!) –Indexing

32 Directory Design Decisions To Be Made DIT – Tall or Flat Lots of attributes (“thick”) or only identifiers (“thin”) dn and rdn format Direct or proxied update access DS mastered content - entries & attributes LDAP as password store Duration / Permanence of directory entries and identifiers People vs. Accounts Groups (subgroups, roles, dynamic groups, static groups, managed groups, exceptions, personal groups, etc.)

33 DIT Architecture Tall & SpikyFlat ou=Academic ou=Sciencesou=Arts & Letters ou=Physicsou=Chemistry ou=Peopleou=Groups ou=Philosophy

34 Why not Tall & Spiky? Not amenable to people being in multiple organizational units simultaneously Not efficient when people move between organizational units frequently Not efficient when organizational hierarchy changes occur

35 Distinguished Name (dn) format Issues –Useful for LDAP enabled apps –Visible if any attribute in the entry is visible –Must be unique within scope –Benefits in being persistent, non-reassignable, and opaque Standards –X.500 naming (based on geographical location) cn=Bullwinkle Moose, ou=people, o=Wossamotta U, st=Confusion, c=US –Domain Component naming (most commonly used) cn=Bullwinkle Moose, ou=people, dc=Wossamotta, dc=edu Relative Distinguished Name selection –uid, cn, directory id, or something else?

36 USC Decisions - General dn: dc naming using unique directory id as rdn Flat DIT. Thick entries. Central authN/authZ “ where possible ” Single system for identities - Person Registry Registry is “ Cradle to Grave ” or “ Womb to Tomb ” eventually Require use of service dn ’ s for LDAP-enabled applications Passwords in Kerberos rather than LDAP where possible

37 USC Decisions - General Allow multiple accounts per person, but move to establish “NetID” for enterprise services Use of post-business-rule data source “signatures” Directory contains people who receive or have received electronic services Neither Registry nor Directory provide reporting services Groups for authorization, with group memberships and authorizations reflected in member entries

38 USC Decisions - People People entries (ou=people) –Use of standard eduPerson object class and creation of uscEduPerson object class –An entry is created for each identity in the Person Registry that requires electronic services. Entries may be deactivated when service ends, but never deleted. –People entries may be publicly accessible via LDAP protocol to allow use with email clients. –People entries have no credentials or login capability. –Example: uscrdn=usc.edu.scbs5rm6,ou=people,dc=usc,dc=edu –http://eds.nd.edu/cgi-bin/nd_ldap_search.pl?ldapurl=gds- ldap.usc.edu:389/uscrdn=usc.edu.scbs5rm6,ou=people,dc=usc,dc=edu&ldaphea dattr=displayname&displayformat=generichttp://eds.nd.edu/cgi-bin/nd_ldap_search.pl?ldapurl=gds- ldap.usc.edu:389/uscrdn=usc.edu.scbs5rm6,ou=people,dc=usc,dc=edu&ldaphea dattr=displayname&displayformat=generic

39 USC Decisions - Accounts Account entries (ou=accounts) –Use of standard posixAccount object class and creation of uscAccount object class –An entry is created for each active enterprise Unix account. These are intended to be used only by Unix services. Entries may be deactivated when service ends, but never deleted. –An “aggregate” account is created based on username for each set of Unix accounts a person has. Usually a person has a single aggregate account. This is intended to be used by Shibboleth and LDAP-enabled services.

40 USC Decisions - Accounts Account entries (ou=accounts) –A “privilege” account is created for non-Unix services, is attached to a sponsor’s person entry, and is restricted to a single application. This can accommodate LDAP-enabled applications that use reserved account names - like “sa” or “admin” or provide limited access to services for non-people (like vendors). –No account entries are visible publicly. They are visible to the owner. –LDAP-enabled apps that construct dn CANNOT WORK –Example: uscrdn=usc.edu.scdv5wtq6,ou=accounts,dc=usc,dc=e du

41 USC Decisions - Groups Group entries (ou=groups) –Use of standard groupOfUniqueNames object class and creation of uscGroupEntry object class –Static groups are used rather than dynamic groups. Members of groups can be person or account entries, but not other groups. –Groups may be rule-based. The rule is defined as an LDAP filter. Rule-based groups are reconstructed each business day. –Groups may have any number of inclusion or exclusion groups that are applied to their membership. Inclusion and exclusion groups are manually administered. Groups that have dependencies on inclusion or exclusion groups are reconstructed each business day.

42 USC Decisions - Groups Group entries (ou=groups) –Authorizations are controlled via groups. Shibboleth entitlements, eligibilities, and membership of a group are maintained in member attributes to facilitate use by Shibboleth, in group-math-based LDAP filters, and in directory access controls. –No group entries are currently visible publicly, although it is possible for a group to be defined as public. –Example: uscrdn=usc.edu.scmb9tg2,ou=groups,dc=usc,dc=edu

43 UMBC Decisions dc= naming (our public directory has it…) Registry has a long history (back to 1980 for students!) Passwords in Kerberos, but synchronized to LDAP for other uses. Group membership *or* attribute definitions may determine authorization. (e.g. affiliation=student makes you eligible for certain services such as a computer “account”) No “self modify” of entries except through approved applications

44 UMBC Decisions ou=People –You can “bind” (authenticate) as a person –Most applications are using a “person’s” rights for authorization data (shibboleth, etc) –dn’s are opaque: ( guid=6cbfa31e-6e14-11d4-9669-8020cd7816,ou=people,…) ou=Accounts –can “bind” as an account too! –dn’s aren’t opaque :( (uid=banz,ou=accounts,…) Problem: primary account objects and their owner should be merged.

45 UMBC Decisions Groups –Appear in a few places in the DIT ou=Courses –Trees of groups for each semester containing course enrollment. Used for lab access control, Blackboard course population, dynamic email lists, etc. ou=Applications –Application-specific group trees ou=Departments –Group trees for specific university departments ou=Radius –Groups used by our radius servers for VPN access

46 UMBC Decisions Two kinds of groups… –standard (groupofuniquenames) Used by external applications –Extended (umbcgroupofuniquenames) Used by internal applications Can contain nested groups (internal applications know how to grok them) Future? –These should/will both be replaced with groups generated from

47 Standard Object Classes Used at USC: top person organizationalPerson inetOrgPerson eduPerson posixAccount groupOfUniqueNames eduCourse

48 Schema Extensions Step One: Get an OID assignment for your institution from IANA Step Two: Create new objectclasses for new attributes DO NOT make up or reuse an OID DO NOT modify a standard objectclass DO NOT populate standard attributes in non-standard ways

49 USC Schema Extensions For all directory entries: –uscDirectoryEntry objectclass For people entries: –uscEduPerson objectclass –uscMailRecipient objectclass –uscEduCourse objectclass For account entries –uscEduPerson objectclass –uscAccount objectclass For group entries –uscGroupEntry objectclass

50 uscDirectoryEntry objectclasses: ( 1.3.6.1.4.1.13363.3.2.1 NAME 'uscDirectoryEntry' DESC 'USC Directory Entry Object Class' SUP top AUXILIARY MUST ( uscGuid $ uscRDN $ uscPvid $ createTimestamp ) MAY ( uscEntryNote $ uscEntryStatus $ uscEntryExpirationDate $ uscEntrySource $ uscEntryUsage $ uscEntryCategory $ uscEntryCreateDate $ uscEntryDeactivationDate $ uscEntryReleasePolicy $ uscAttributeReleasePolicy $ uscAuthEligible $ uscAuthEligibleDN $ uscEntrySignature $ uscHistoricalPvid $ uscOwnerPvid $ creatorsName $ modifyTimestamp $ modifiersName $ searchguide $ labeledURI $ owner $ description $ userPassword ) X-ORIGIN 'user defined' )

51 uscGroupEntry objectclasses: ( 1.3.6.1.4.1.13363.3.2.5 NAME 'uscGroupEntry' DESC 'USC uscGroupEntry Object Class' SUP groupOfUniqueNames STRUCTURAL MUST ( uscGroupType ) MAY ( owner $ uscGroupMember $ uscGroupRule $ uscGroupRuleComponent $ uscGroupIncludeDN $ uscGroupExcludeDN $ uscGroupOptInDN $ uscGroupOptOutDN $ uscGroupSelfOptOut $ uscGroupEnrollmentType $ uscGroupCategory $ uscGroupLevel $ uscGroupOwner $ uscGroupOwnerProxy $ uscGroupManager $ uscGroupSponsor $ uscGroupMemberAuthEligible $ uscGroupMemberAuthEligibleDN $ uscGroupMembershipListVisibleToMembers $ uscGroupKeyword $ uscGroupIsNestable $ uscGroupUniqueMemberSignature $ uscGroupMembershipAttributeControl $ uscGroupExcludeOverrideDN $ uscGroupMemberEntitlement ) X-ORIGIN 'user defined' )

52 Commercial ID Mgmt. Products Available in bundled “suites” including –Directory Server product –Web SSO solution –Metadirectory / Provisioning system Many out there -- similar problem space

53 Sun IDM Works well with Sun Java* Directory Server Sun Access Manager –You’d rather use Shibboleth No java included.

54 Sun IDM Java-based web service Provides both an administrative and user portal to various functions Heavy focus on provisioning –Fully fleshed out collection of connectors for various ERP products, directories of an active sort Great for reconciling and synchronizing across various existing account silos

55 Sun IDM Can it really solve all of my problems? Probably not. People-registry building is really best left to external processes Account lifecycle, policy-based provisioning, population of application specific directories, and password synchronization are its strengths.

56 Controlling Access

57 Directory Access Direct access via LDAP/LDAPS –Directory Access Control Lists / Instructions Netscape / iPlanet / Sun uses ACI’s # Allow all access to the Directory Administrators Group aci: (targetattr ="*") (version 3.0;acl "Directory Administrators Group"; allow (all) (groupdn = "ldap:///cn=Directory Administrators, dc=usc,dc=edu") ; ) # Access to an entry is based on attributes of the entry. Group membership is not an attribute unless you create one like isMemberOf and populate it.

58 Directory Access Proxied access –Shibboleth ARP’s ServiceProvider attributeValue

59 Directory Access Shibboleth Rule Constraint (USC authored patch for Shibboleth 1.3; included in 2.0) <Constraint attributeName=“urn:attributeURN” matchFunction=“urn:functionURN” matches=”(any|all|none)”>value This allows Shibboleth to restrict attribute release to a Service Provider based on attributes of the entry. This mimics the capabilities of Directory ACI ’ s. See http://its.usc.edu/~bbellina/gds/software/shibboleth/Shibbol ethRuleConstraint.pdf http://its.usc.edu/~bbellina/gds/software/shibboleth/Shibbol ethRuleConstraint.pdf

60 USC Access Decisions Public entries should not have credentials - reduces risk of brute-force password attack End-user web applications should not handle user passwords –Promote use of Shibboleth rather than LDAP –Promote use of iVIP and SASU rather than local user accounts –Discourage creation of alternate user stores

61 UMBC Access Decisions Web-Based Applications should not handle their own logins –With certain exceptions, of course –Currently using in-house WebISO (WebAuth) –Shibboleth for external providers Other services (IMAP, host logins, etc) should use Kerberos if possible, LDAP if not.

62 NMI Shibboleth

63 Shibboleth is… An open source SAML-based Web SSO package –Provides both intra- and inter-campus Web SSO –Privacy Preserving –Attribute Delivery –Supports federation model Relies on pre-existing authentication and attribute sources. –Authentication done against existing system –Attributes obtained from existing System “Attribute Authority” SP is Apache and MS IIS compatible free to use and customize Version 1.3 available since 2005, supports SAML 1.1 spec Version 2.0 currently in alpha testing, supports SAML 2.0 spec

64 Adoption in Higher-Ed Finland Sweden Denmark Germany Switzerland Greece The Netherlands Belgium France Spain United Kingdom Australia New Zealand United States

65 Why Shibboleth? –Use same SSO for intra- and inter-campus –Easy evolution from: Intra Local partners Federated –SP support for different web servers –Increasingly, campus applications need attributes for personalization and access control –Privacy Preserving

66 Shibboleth and USC

67 Configuring Shibboleth to Preserve Privacy No attributes released through Shibboleth by default Well-defined Attribute Request Process supported by Data Stewards Shibboleth does not release attributes for non- authorized users (via Rule Constraint Patch) Shibboleth can prevent access by anonymous Service Providers (via USC patch, default in Shibboleth 2.0) Release entitlement rather than attributes Name-based identifiers replaced with persistent non- name-based id’s (uscPvid, eduPersonTargetedId) wherever possible Confidentiality respected (via Rule Constraint)

68 Use Shibboleth for… Information about the user accessing the web application Authentication using enterprise account without the application handling the enterprise password Authorization using pre-established populations defined based on SOR data and managed exceptions Single sign-on (SSO) experience Extension of services to EDS user populations - students, staff, faculty, affiliates (through iVIP) and future populations (prospects, admits, alumni, parents, donors, etc.) Federated integration with other Shibbolized institutions

69 Use LDAP rather than Shibboleth for… Information about users who are not the user logging in to the web application Information about groups For non-Shibbolizable applications, provides Authentication using enterprise credentials (single account, though not single sign-on) For non-Shibbolizable applications, provides Authorization using pre-defined populations Server queries to the Enterprise Directory

70 Using Shibboleth and iVIP to Extend eServices to Affiliates User is sponsored in iVIP which establishes a Person Registry entry and allows the assignment of USC services. User uses the USC First Login web page to establish a link between their home institution account and the USC iVIP account. User authenticates at home institution but is authorized by USC IdP to access USC services. USC assigned identifier is provided to the USC service, not the home institution identifier.

71

72 Monitoring Performance

73 Why Monitor Performance? Availability It ’ s up … isn ’ t it? Directories often require 7x24 availability Responsiveness It ’ s fast enough … maybe. Directories often require extremely fast response and can be affected by unplanned usage through public interfaces Scalability We can handle that … I think. Structural changes, indices, increases # of entries or # of attributes or # of queries may affect performance.

74 Metrics to Monitor Response time Connection requests Bind requests Bind errors Search requests Search errors Avg count & size of search results Directory Cache Hits Directory Cache Tries Bind response time Search response time Current connections Avg connection length Current binds Current searches # Bytes transmitted # Entries transmitted

75 Methods to Monitor LDAP query LDAP log monitoring Directory Probing Existing Free Utilities –Orca - open source tool for monitoring OS –Look - LDAP operational Orca "k"ollector –Cacti - open source tool for monitoring OS via SNMP

76 Directory Administration Tools

77 USC –ACI’s and schema managed via LDIF –Perl admin scripts for querying, adding attributes to entries, replacing attributes in entries, modifying group membership –Plans to write a web utility for group creation and maintenance –Plans to write a web utility to allow departments to manage group memberships

78 Directory Administration Tools UMBC –Sun One Directory Server Console (it’s almost usable again…) –Custom web applications for administration and self-service –Perl, perl, perl. (and a little bit of java) –Exploring Grouper & Signet for advanced group and role management

79 Directory Replication and Synchronization

80 Replication / Synchronization Why? –Redundancy –Capacity –Isolation of heavy directory consumers (e.g. mail servers query their own replicas) What? –The whole directory, or just some…

81 Replication / Synchronization Whole directory replicas… –“built in” to most modern directory servers OpenLDAP, Sun JDS, Active Directory, etc. –Replicas are typically “read only” –Some support “multi-master” replication Some do it well (Active Directory), some not so well…

82 Replication / Synchronization Partial / Filtered Replication… Why? –An application may only need one subtree of the DIT (e.g. mail routing) –A “white pages” directory with restricted information (outside of a firewall) –An application may need to have information represented in a “special” way (boo!) –An application may only work against “brand y” directory and you have “brand x” (tsk tsk!)

83 Replication / Synchronization How ? –Some products have the ability to filter attributes and/or subtrees. –Want to do something more complicated? Sun JDS has query-able “changelog” that can advise you when a directory object has been modified to trigger a synchronization operation UMBC does it’s real-time external feeds through monitoring for interesting changelog events. Write code to do something as simple as comparing/updating an object on a remote directory to transforming attributes, groups, etc…

84 Authentication Services

85 Internal Authentication userPassword attribute Password can be encrypted using several encryption algorithms, although required compatibility with services may limit the choices LDAP bind operation LDAP compare operation

86 External Authentication Passing authentication to Kerberos –Free directory plug-ins for iPlanet/Sun available University of Notre Dame Duke USC (currently available on request, will eventually be released as open-source)

87 Authorization Services

88 USC Directory Enforced AuthZ LDAP-enabled applications use ACI’s to constrain the application service account so that authorized user entries are accessible –Group defines the authorized users of the application. Each member entry has eligibility attributes set - uscAuthEligible, uscAuthEligibleDN. –Application is assigned a service account that is constrained by an ACI to see only the entries with the uscAuthEligibleDN value for the application. –Uses wildcards to allow a single ACI to handle most constrained application service accounts. –Use an ACI to prevent constrained apps from seeing publicly visible entries

89 Managing Attribute Release

90 Attribute Release Consider impact of FERPA and HIPAA. Make sure that applications are not passing data on to other applications or displaying protected data inappropriately. Keep track of what is released to who so that impacts are known when directory changes must be made Make it easy on yourself: default == deny.

91 Attribute Release Mechanisms Releasing attributes via LDAP service accounts –Use service accounts and ACI’s to limit attribute release to those applications that require it. –Can be used to retrieve attributes about any visible entries. –Mapping to groups via LDAP may be used to reduce the need to propagate group information to applications. Releasing attributes via Shibboleth –Attributes for the user logging in are released. Shibboleth normally not used to retrieve attributes about other users, groups, or other directory objects.

92 Attribute Release Mechanisms Provisioning –Directory log watcher used to provision to an external directory real-time –Using signature attributes to facilitate provisioning of static groups Federalization (via Shibboleth) –Releasing local attributes to remote Services –Releasing local attributes about remote guests

93 Directory Team Staffing

94 USC Directory Technical Team 1 FTE Identity Services/Directory Architect 1 FTE Sr Developer focused on Registry 1 FTE Technical Analyst focused on Shibboleth, Directory Design, Metadirectory Functions, Application Integration 1 FTE Sr Application Developer 1 FTE Developer 2 FTE Sr Account System Administrators Open - 1 FTE Sr Developer for Web Services Note: Hardware and OS support are managed by resources in another department.

95 UMBC Directory Team 1 FTE IDMS Architect / Integrator 1 FTE Junior Developer (open!) … other intrepid souls in our department and others picking up tasks such as: Identity Resolution issues Managing identities of campus affiliates

96 Additional Issues to Consider Not a “safe” career path –Saying “no” in higher-ed is unhealthy. Even saying “no without data steward approval” is unhealthy when in central IT. Compatibility with all applications is not achievable –dn syntax –Use of service accounts –Use of Shibboleth Application Administrators are always a problem –Special accounts –Special privileges –Poorly managed

97 Future Advancements NMI Grouper –Groups Registry NMI Signet –Privileges Registry NMI Shibboleth 2.0 –SAML 2.0 compliant web SSO product that supports a federalized model and privacy protection

98 Institutional Policies to Consider

99 Institutional Policies Release of data should require data steward approval –Risk: They’ll stop giving you data Registry should not be used for reporting or end-user access –Risk: Access Controls between Registry and Directory may be impossible to sync, so you may release data inappropriately. Performance may suffer. Access Controls should be in the directory –Risk: Applications will use whatever data they can get. Honey pots of identity information will exist on department servers that are likely to be poorly managed and secured. Applications should not pass data to each other –Risk: Understanding of what apps are using what data will be lost. Data stewards will lose trust and stop providing data. Cripples ability to make changes in the directory which could lead to being non-standard.

100 Institutional Policies Authorization should be required –Risk: Authentication alone forces applications to do authorization. This will cause problems when you expand the population of the directory. It also makes it impossible for an audit to determine who has what authorizations. It also requires the continued bad practice of data stewards shipping data to end-user apps. Know who is using what attributes –Risk: Directory changes are inevitable. If you do not know who is using what you will be unable to make changes without knowing the impacts. Follow standards wherever possible –Risk: Following standards is the safest way to ensure compatibility with the widest possible array of applications and services. If an application cannot use your enterprise directory they will build their own.

101 Institutional Policies Applications should only be given persistent identifiers that are never reissued –Risk: Applications may have different purge practices. The reuse of identifiers risks a person getting inappropriate access to another person’s records. Anonymous access should not allow access to FERPA or otherwise private information –Risk: Privacy needs to be protected. In addition if a service tries to use the public interface to the directory without approval for their application it will not work for FERPA and private people, which will eventually force them to seek appropriate approval. Do not delete entries from the Registry or Directory –Risk: Identifiers may be mistakenly reissued. A person returning may not be recognized and given new identifiers. This means though that when people return privileges must be reexamined.

102 Inter-institutional Collaborative Resources MACE : Middleware Architecture Committee for Education MACE-Dir : MACE Directories Working Group NMI : National Middleware Initiative Internet2 EDUCAUSE

103 Questions

104 Online Resources USC Global Directory Service, http://www.usc.edu/gds UMBC Directory, http://www.umbc.edu/oit Notre Dame Enterprise Directory Service, http://eds.nd.edu eduPerson object class, http://www.educause.edu/eduperson/ Internet2 Middleware, http://middleware.internet2.edu/ ORCA software, http://www.orcaware.com Look software, http://middleware.internet2.edu/dir/look/ Cacti, http://www.cacti.net ND iDS Kerberos4/5 Plug-in, http://eds.nd.edu/docs/authnplugin Duke iDS Auth Plug-in, http://www.oit.duke.edu/~rob/krbdirp/

105 Contact Information: Brendan Bellina bbellina@usc.edu http://isd.usc.edu/~bbellina Rob Banz banz@umbc.edu http://umbc.edu/~banz bbellina@usc.edu http://isd.usc.edu/~bbellina banz@umbc.edu http://umbc.edu/~banz Copyright 2006-2007 by Brendan Bellina and Rob Banz. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

Download ppt "Seminar 01F - Architecting the Institutional Directory Service Advanced Issues, Problems, and Solutions Presented by Brendan Bellina and Rob Banz October."

Similar presentations

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for.

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for.
LDAP-Enabled Privacy at The University of Notre Dame EduCAUSE conference, October 2002 Brendan Bellina Office of Information Technologies University of.

LDAP-Enabled Privacy at The University of Notre Dame EduCAUSE conference, October 2002 Brendan Bellina Office of Information Technologies University of.
Identity Management at USC: Collaboration, Governance, Access Margaret Harrington Director, Organization Improvement Services Brendan Bellina Identity.

Identity Management at USC: Collaboration, Governance, Access Margaret Harrington Director, Organization Improvement Services Brendan Bellina Identity.
1 Collaborators at the Gates of Troy: Extending eServices at USC.

1 Collaborators at the Gates of Troy: Extending eServices at USC.
Directory-Enabling Applications: Techniques from the Trenches Brendan Bellina Senior Systems Engineer University of Notre Dame This presentation is available.

Directory-Enabling Applications: Techniques from the Trenches Brendan Bellina Senior Systems Engineer University of Notre Dame This presentation is available.
Information Technology Registry Services Security LDAP-based Attributes and Authentication.

Information Technology Registry Services Security LDAP-based Attributes and Authentication.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
6.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
June 1, 2001 Enterprise Directory Service at College Park David Henry Office of Information Technology University of Maryland College Park

June 1, 2001 Enterprise Directory Service at College Park David Henry Office of Information Technology University of Maryland College Park
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
Chapter 8: Network Operating Systems and Windows Server 2003-Based Networking Network+ Guide to Networks Third Edition.

Chapter 8: Network Operating Systems and Windows Server 2003-Based Networking Network+ Guide to Networks Third Edition.
Shibboleth and InCommon Copyright Texas A&M University 2008. This work is the intellectual property of the author. Permission is granted for this material.

Shibboleth and InCommon Copyright Texas A&M University This work is the intellectual property of the author. Permission is granted for this material.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Understanding Active Directory

Understanding Active Directory
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.
EDUCAUSE April 25, 2006Enforcing Compliance with Security Policies … Enforcing Compliance of Campus Security Policies Through a Secure Identity Management.

EDUCAUSE April 25, 2006Enforcing Compliance with Security Policies … Enforcing Compliance of Campus Security Policies Through a Secure Identity Management.
1 No More Paper, No More Stamps: Targeted myWSU Communications Lavon R. Frazier April 27, 2005 Copyright Lavon R. Frazier, 2005. This work is the intellectual.

1 No More Paper, No More Stamps: Targeted myWSU Communications Lavon R. Frazier April 27, 2005 Copyright Lavon R. Frazier, This work is the intellectual.
Managing Enterprise Directories: Operational Issues Performance Monitoring Brendan Bellina, University of Notre Dame Base CAMP – Tempe, Arizona February.

Managing Enterprise Directories: Operational Issues Performance Monitoring Brendan Bellina, University of Notre Dame Base CAMP – Tempe, Arizona February.
Information Technology Services 1 Copyright Copyright Marc Wallman and Theresa Semmens, 2006. This work is the intellectual property of the authors. Permission.

Information Technology Services 1 Copyright Copyright Marc Wallman and Theresa Semmens, This work is the intellectual property of the authors. Permission.

Similar presentations

Ads by Google