EDUCAUSE Nov, 2003
Directory-Enabling Applications: Techniques from the Trenches
Brendan Bellina, Senior Systems Engineer, University of Notre Dame
This presentation is available for download or online viewing at: <http://www.nd.edu/~bbellina>
Copyright © Brendan Bellina, 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
About Notre Dame
• 33,000 enterprise accounts
• Single campus
• Affiliation with other CSC Higher-Ed Institutions
• No medical school
• Systems of Record are “integrated”
• Pre-existing White Pages directory (qi/CSO Nameserver)
• No WebISO implementation
Strategic Direction:
Wherever practical, applications use central authentication/authorization services, rather than maintaining their own password/credential stores.
EDS Architecture Layer, ND Strategic Technology Draft, 2002
Directory Service Architectural Principles
• Updates proxied by applications
• Primary keys based on non-personal information
• Students able to specify privacy settings real-time
• Primary identifiers are not reused or changeable
• Enterprise account credentials stored in Kerberos, not LDAP
• “Fat” directory
• Single organizational unit for all people
Directory Service Architectural Principles
• One directory entry per person/account
• Cradle-to-grave (womb-to-tomb) service
• Anticipate both vertical and horizontal expansion
• Limit dependency on DSA specific features
• Higher-Ed Best Practices implementation
Enterprise directory services are wherever possible implemented according to industry-standard guidelines and in coordination with the Internet2 Middleware Architecture Committee for Education.
Representatives from the Core Middleware team are active participants in industry standards bodies to ensure that the needs of Notre Dame are reflected in developing standards and communicated to application vendors.
EDS Architecture Layer, ND Strategic Technology Draft, 2002
Practical Implementation Decisions
• Leverage existing administrator experience with the Solaris platform
• Leverage existing HP PERSON and qi/CSO Nameserver data sources
• Where network design allows and performance requires, do not require secure (SSL) binds
• Minimal number of machines
• Use LDAP directory as registry rather than a relational database
Authentication Flow
Participants: Application, Directory Service, Kerberos v5, Application AuthN database.
(1) User ID and password are presented to the Application
(2) Application searches the Directory Service by User ID
(3) Directory Service returns the dn, or fails
(4) Application binds to the Directory Service with the dn and password
(5) Directory Service passes the credentials to Kerberos v5
(6) Kerberos v5 returns success or fail
(7) Directory Service returns success or fail to the Application
(8) Fallback to the Application AuthN database
(9) Application AuthN database returns success or fail
Application Authentication Techniques
• LDAP protocol using Service dn bind over SSL (should search rather than assume dn)
• Fallback to local user database (primarily to support “guest” and administrative/vendor accounts)
• AuthN credentials can be in directory or external store such as Kerberos v5
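The search-then-bind flow described above, as an added example that is not code from the presentation or from Notre Dame's EDS: the application binds with a service dn, searches by uid with the filter value escaped, binds as the single dn returned, and consults its own account store only when no directory entry exists (that fallback condition, the DNs, the search base and the account values are all assumptions). The directory and local store are constructed in-memory stand-ins; a real deployment would call an LDAP library over SSL in place of `FakeDirectory`.

```python
import hashlib
import hmac
import os

def escape_filter_value(value):
    """RFC 4515 escaping, so a typed uid such as '*' or 'x)(uid=y' cannot rewrite the filter."""
    return "".join(ch if ch.isalnum() or ch in "-_.@" else
                   "".join("\\%02x" % b for b in ch.encode("utf-8")) for ch in value)

def _digest(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class LocalAccountDB:
    """Application store for guest/vendor accounts (step 8): salted PBKDF2 digests, not passwords."""
    def __init__(self, users):                     # users: uid -> password (constructed sample data)
        self.users = {}
        for uid, pw in users.items():
            salt = os.urandom(16)
            self.users[uid] = (salt, _digest(pw, salt))

    def check(self, uid, password):
        if uid not in self.users: return False
        salt, digest = self.users[uid]
        return hmac.compare_digest(digest, _digest(password, salt))

class FakeDirectory:
    """Constructed in-memory stand-in for EDS: dn -> (uid, password that Kerberos would verify)."""
    def __init__(self, entries):
        self.entries = entries

    def search(self, base, ldap_filter):
        want = ldap_filter[len("(uid="):-1]        # supports only the exact filter authenticate() builds
        return [dn for dn, (uid, _) in self.entries.items()
                if dn.endswith(base) and escape_filter_value(uid) == want]

    def bind(self, dn, password):
        return (dn in self.entries and password != "" and
                hmac.compare_digest(self.entries[dn][1].encode(), password.encode()))

def authenticate(directory, service_dn, service_pw, base, uid, password, local_db):
    if password == "":                                 # empty password = anonymous LDAP bind, never a login
        return "fail"
    if not directory.bind(service_dn, service_pw):     # (2) search as the service dn, not as the user
        return "fail"
    dns = directory.search(base, "(uid=%s)" % escape_filter_value(uid))
    if len(dns) == 0:                                  # (8) no EDS entry: fall back to the local store
        return "success" if local_db.check(uid, password) else "fail"
    if len(dns) != 1:                                  # (3) uid must resolve to exactly one dn
        return "fail"
    return "success" if directory.bind(dns[0], password) else "fail"   # (4)-(7)
```

A wrong password for an account that does exist in the directory fails outright; the local store is never tried for it, so the fallback cannot be used to guess against two credential stores.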
Application Authorization Techniques
• LDAP protocol using Service dn bind over SSL – limit user space by directory ACI
• Mapping to LDAP groups
• Mapping to Microsoft Active Directory groups
Attribute Retrieval Techniques
• Retrieval of attributes via LDAP protocol
• Provisioning via batch feed (LDIF) or real-time (XML)
Integrating with Vendor Applications: IBM WebSphere
• Binds to EDS using Service dn at the environment level, not per application
• Support for application roles
  – Current: WebSphere admin creates WebSphere groups to store dn’s of members
  – Soon: Create LDAP groups with membership maintenance delegated to application administrators and map to WebSphere groups
• Application-level authorization maintained by the apps, not directory-based
• No attribute retrieval or provisioning required
Integrating with Vendor Applications: WebCT (not current version)
• Searching Bind to EDS using Service dn
• No directory-based authorization
• Support for external affiliates via EDS special account creation process delegated to WebCT admin via web application
• Nightly batch feed from EDS published to allow provisioning and attribute usage
• Currently evaluating future direction
Integrating with Vendor Applications: Luminis Portal (in dev/test only)
• Searching Bind to EDS using Service dn
• While product supports Fallback option, financial decision to support test/admin accounts via EDS special account creation process
• Authorization Roles – developer, tester, production user – maintained in EDS user attribute using delegated web application
• Nightly batch feed from EDS published to allow provisioning to PDS directory and attribute usage
Integrating with Vendor Applications: Campus Webmail (IMP)
• Searching Bind to EDS using Service dn
• No directory-based authorization
• Email address lookup searches EDS
• No attribute retrieval or provisioning required
Integrating with Vendor Applications: Clarify Web Client
• Searching Bind to EDS using Service dn
• No directory-based authorization
• No attribute retrieval or provisioning required
Integrating with Vendor Applications: Sendmail, Inc.
• Authenticates directly against Kerberos
• No directory-based authorization
• Nightly retrieval of email quota attributes from EDS
• Real-time retrieval and processing of sieve filter to control user forwarding, auto-reply, spam filtering
• Real-time retrieval of email aliases for routing
• All email aliases defined in the directory, allows rejection of 20K+ bad emails per day
• Email options maintained real-time by account holders via EDS Website
• Soon – ability for end users to create their own email aliases real-time
Integrating with Vendor Applications: Clarify Client
• Uses its own id/password store
• No directory-based authorization
• Attributes retrieved nightly from EDS to limit access to Clarify cases by department and affiliation
• Currently evaluating future direction
Integrating with Vendor Applications: Cisco VPN Client
• AuthN/AuthZ via mapping of Cisco groups to Microsoft Active Directory groups
• Current: AD groups maintained by VPN administrator
• Soon: EDS groups automatically maintained with allowance for exceptions maintained by appropriate admins via a web app, synchronized nightly with ADS
Integrating with ASP Applications: eProcurement – Higher Markets
• Searching Bind to EDS using Service dn
• Authorization managed by directory attribute maintained by department admin using a web app
• Account provisioning managed manually by Higher Markets admin
Integrating with ASP Applications: iPerform Learning Management System
• Searching Bind to EDS using Service dn
• Attributes retrieved real-time at user login
• Fallback to local user database used to provide service to external affiliates, managed by iPerform administrator
Integrating with ASP Applications: OPAC website
• Searching Bind to EDS using Service dn
• Rule-based authorization using directory ACI
• Exception authorization managed by directory attribute maintained by department admin using a web app
• No provisioning or attribute retrieval required
Integrating with Internally Developed Applications
• myLibrary (Perl)
• Rector application (WebSphere, Java)
• Career Center Services website (PHP)
• Campus White Pages (Cold Fusion)
• MCOB Faculty Work Application (CF)
• Web Services (attribute usage via batch)
• EDS Website – self-service personal information editing, email options, privacy settings (Perl cgi)
Integrating with Operating Systems: Microsoft Active Directory
• Windows 2000 Domain (circa 2000)
  – Accounts synched nightly via LDIF
  – Accounts use uid & affiliation in dn
  – No group synchronization
• Active Directory Service 2003 (ADS)
  – Accounts synched nightly via metadirectory processing
  – Accounts use dn based on ndPVid, as does EDS
  – sAMAccountName mapped to EDS uid
  – cn (MS canonical name) mapped to EDS ndPVid
  – Enterprise groups automatically synched with EDS, with dn based on cn which maps to EDS cn (soon!)
Integrating with Operating Systems: Mac OS X 10.2 “Jaguar”
• 140 machines spread over 8 clusters
• Link to AFS home directory retrieved from EDS at login using Service dn
• Local accounts for administrator only
• Directory Access utility
  – Service dn and password
  – Custom mappings to posixAccount object class in EDS
• Home directory generated from template
• /etc/ttys modifications for LoginHook and LogoutHook (based on Penn State University)
• Kerberos ticket retrieved using /etc/authorization
Non-directory-enabled products/services: Trends at Notre Dame
• CorporateTime – could be directory-enabled but may replace
• Meeting Maker – may replace
• Clarify – may replace
• LiveLink – could be directory-enabled, but may replace
• Oracle – may integrate into EDS via OID
• SCT Banner – may integrate into EDS via OID
• OIT Handscanner – ???
• Business Objects – may integrate into EDS via OID
• SafeWord – may integrate with EDS via internally developed authN directory plug-in
Aids for Developers
• EDS Developers’ Guide: <http://eds.nd.edu/docs/edsdevguide.shtml>
• Internet2 Middleware standards: <http://middleware.internet2.edu>
• EDS Service DN Request Form: <http://eds.nd.edu/docs/eds_dnrequest.shtml>
• EDS Schema documentation: <http://eds.nd.edu/docs/current_schema/EDS_ModelDoc.htm>
Links
ND Enterprise Directory Service, <http://www.nd.edu/~eds>
ND EDS Documentation, <http://www.nd.edu/~eds/docs>
ND EDS Schema Documentation, <http://eds.nd.edu/docs/current_schema/EDS_ModelDoc.htm>
ND EDS Search, <http://www.nd.edu/~eds/search>
Contact Information
Brendan Bellina
Office of Information Technologies
University of Notre Dame du Lac
Email: [email protected]
Website: <http://www.nd.edu/~bbellina>
Directory Entry: <http://www3.nd.edu/~eds/cgi-bin/nd_ldap_search.pl?ldapfilter=uid=bbellina>
vCard: <http://www3.nd.edu/~eds/cgi-bin/ldapvcard.pl?uid=bbellina>