Directory Services Workshop, University of Colorado, June 3, 2002
Agenda
9-10 a.m. Overview
10-11 a.m. Registry Concepts
11 a.m.-noon Directory Structure
Noon-1 p.m. Lunch & Campus Experiences
1-1:30 p.m. Server Environment
1:30-2 p.m. Security
2-2:30 p.m. Client Access
2:30-3 p.m. Four-campus Implications
Introductory Remarks
Dennis Maloney, Director, Information Technology Services, University of Colorado at Boulder
Project History - Timeline (Jan 2000 to Nov 2001)
[Timeline figure; milestones in order:]
- 2/00 Project Commissioned; Goals Defined
- Project Core Team formed
- Interviews; Requirements Defined
- Project Steering Team formed
- Design and Development
- Technical and Policy Development
- Fine Tune; Pilot; Fine Tune; Pilot; Fine Tune!
- Nov 5, 2001 Go Live!
Project History – Goals & Status
- Develop UCB Enterprise Directory: initial phase implemented Nov. 5, 2001
- Create trusted, authoritative data source: ED blends SIS, HR and campus data using policies, business rules and process.
- Useable by a variety of apps and services: built upon LDAP standards, maximizing use. Current uses: white pages, printed directory, calendar pilot, affiliation verification, radius pilot, Mac lab authentication pilot
Project History – Goals & Status (continued)
- Identity, data & relationship management: logic applied based upon business rules. Identity verification via emplid, sid, ssn, previous sid, name, dob, gender. Unique, permanent identifier assigned to each person. Establish current/active affiliations and primary affiliation.
- Authentication: framework established; solution options being tested
High-level Description
[Diagram components: Core Team, Steering Team and Campus Experts; Business Rules; source systems SIS, HR and Uniquid; the 4-Campus Registry; the ucb/cusys Enterprise Directory and the cusys Enterprise Directory.]
Registry/Directory and Data
Distinct sources for distinct roles (students, employees, faculty, electronic accounts, etc.); unique identifiers for each system; blended together to build a CU Person.
Source: role; identifier
- HR: fac/staff; empID
- SIS: student; SID
- FIS: faculty; SSN
- Uniquid: accounts; unix ID
- ID card: photos; ISO
- Telecom: phone locn; phone #
- CU Person: uuid
Student Data
For Identity Matching:
- Student ID, Previous ID
- Name, Birth date, Gender
For Affiliation Logic, Authorization & Data Access:
- Enrollment Status, Withdraw Code, Expected Return
- Fees Paid Indicator
- Privacy Flag
For Directory Publication:
- Name
- Local Address and Telephone
- Major(s), Minor(s), College(s)
- Class Level
[Diagram: SIS feeds the Registry/Directory (java)]
Student Affiliation
- Enrollment status code = E
- Withdraw code null, or Expected return date in the future
- Type of student affiliation is based upon Academic Unit:
  Student (= “Student” affiliation)
  Continuing Ed Credit Student (= “Student” affiliation)
  Continuing Ed Non-Credit Student (= “Affiliate” affiliation)
- Campus Affiliation based upon first character of AU
Faculty and Staff Data
For Identity Matching:
- Employee Number, SSN
- Name, Birth date, Gender
For Employee and Job Selection:
- Job status
- Employment end date
For Directory Publication:
- Name
- Campus Box and Campus Phone
- Job Department(s), Home Department
- Job Class Title(s)
- Business Title(s)
[Diagram: PSHR feeds the Registry/Directory (sql via db link)]
Employee Affiliation
- Appropriate employment status code
- Appointment end date in the future
- Type of employee affiliation is based upon Job Code:
  Faculty, Clinical Faculty, Research Faculty, Medical Resident, Fellowship/Trainee = “Faculty”
  Student Faculty = “Student” and “Faculty”
  Officer/Exempt Professional = “Officer/Professional” & “Staff”
  Student Employee = “Affiliate” or “Employee”
  Retiree = “Retiree” or “Affiliate”
  Staff = “Staff”
- Campus Affiliation based upon first character of department code
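The student and employee affiliation rules on the last two slides, carried through as an added example (not the registry's own Java or SQL): it derives a person's active affiliations, campus and primary affiliation from constructed SIS and HR rows as of the workshop date. The AU codes, job codes, the active employment status code "A", the campus-prefix table and the primary-affiliation precedence are assumptions; the slides state the shape of each rule but not the code values.

```python
from datetime import date

# Constructed lookup tables (assumptions: the slides give the rule shape, not the codes).
# Student type by Academic Unit; the first character of the AU is the campus.
AU_STUDENT_TYPE = {
    "BARTS": "student",        # regular student -> "Student"
    "BCECR": "ce_credit",      # Continuing Ed credit -> "Student"
    "DCENC": "ce_noncredit",   # Continuing Ed non-credit -> "Affiliate"
}
CAMPUS_BY_PREFIX = {"B": "Boulder", "D": "Denver", "C": "Colorado Springs", "H": "Health Sciences"}
ACTIVE_EMPLOYMENT_STATUS = {"A"}   # the "appropriate employment status code"
# Employee affiliation(s) by job code family ("based upon Job Code").
# Where the slide says "or" (Student Employee, Retiree) the first alternative is taken.
JOB_CODE_AFFILIATIONS = {
    "FAC": ("Faculty",), "CLINFAC": ("Faculty",), "RESFAC": ("Faculty",),
    "MEDRES": ("Faculty",), "FELLOW": ("Faculty",),
    "STUFAC": ("Student", "Faculty"),
    "OFFPRO": ("Officer/Professional", "Staff"),
    "STUEMP": ("Employee",),
    "RETIREE": ("Retiree",),
    "STAFF": ("Staff",),
}
# Order used to pick the single primaryAffiliation from the active set (assumption).
PRIMARY_PRECEDENCE = ["Faculty", "Officer/Professional", "Staff", "Student",
                      "Employee", "Retiree", "Affiliate"]


def student_affiliation(rec, today):
    """Apply the Student Affiliation rule; returns (affiliation, campus) or (None, None)."""
    if rec["enrollment_status_code"] != "E":
        return None, None
    withdrawn = rec["withdraw_code"] is not None
    returning = rec["expected_return"] is not None and rec["expected_return"] > today
    if withdrawn and not returning:          # withdraw code must be null or return date in future
        return None, None
    kind = AU_STUDENT_TYPE[rec["au"]]
    affiliation = "Affiliate" if kind == "ce_noncredit" else "Student"
    return affiliation, CAMPUS_BY_PREFIX[rec["au"][0]]


def employee_affiliations(job, today):
    """Apply the Employee Affiliation rule to one job row; returns (affiliations, campus)."""
    if job["emplmnt_status_code"] not in ACTIVE_EMPLOYMENT_STATUS:
        return (), None
    end = job["appoint_end_date"]
    if end is not None and end <= today:     # appointment end date must be in the future
        return (), None
    return JOB_CODE_AFFILIATIONS[job["job_code"]], CAMPUS_BY_PREFIX[job["dept_id"][0]]


def build_cu_person(uuid, student, jobs, today):
    """Blend SIS and HR rows into the affiliation part of a CU Person."""
    affiliations, campuses = set(), set()
    if student is not None:
        aff, campus = student_affiliation(student, today)
        if aff:
            affiliations.add(aff)
            campuses.add(campus)
    for job in jobs:
        affs, campus = employee_affiliations(job, today)
        affiliations.update(affs)
        if affs:
            campuses.add(campus)
    primary = next((p for p in PRIMARY_PRECEDENCE if p in affiliations), None)
    return {"uuid": uuid, "affiliations": sorted(affiliations),
            "primaryAffiliation": primary, "campuses": sorted(campuses)}


# Constructed sample rows, evaluated as of the workshop date.
WORKSHOP_DATE = date(2002, 6, 3)
SAMPLE_STUDENT = {"au": "BARTS", "enrollment_status_code": "E",
                  "withdraw_code": None, "expected_return": None}
WITHDRAWN_STUDENT = {"au": "BCECR", "enrollment_status_code": "E",
                     "withdraw_code": "W", "expected_return": date(2002, 1, 15)}
NONCREDIT_STUDENT = {"au": "DCENC", "enrollment_status_code": "E",
                     "withdraw_code": None, "expected_return": None}
SAMPLE_JOBS = [
    {"job_code": "STUEMP", "dept_id": "B1234", "emplmnt_status_code": "A",
     "appoint_end_date": date(2002, 12, 31)},
    {"job_code": "STAFF", "dept_id": "D5678", "emplmnt_status_code": "T",   # terminated
     "appoint_end_date": None},
]


def demo():
    """A Boulder student who also holds an active student job and a terminated staff job."""
    return build_cu_person("100000001", SAMPLE_STUDENT, SAMPLE_JOBS, WORKSHOP_DATE)


if __name__ == "__main__":
    print(demo())
```

The terminated Denver job contributes neither an affiliation nor a campus, so the person ends up Boulder-only with Student as the primary affiliation; the withdrawn student whose expected return is already past gets no student affiliation at all, which is the case that matters for authorization decisions downstream.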
Campus-Specific Data or Systems
[Diagram: campus sources feeding the Registry/Directory]
- Telecom: office building/room data
- FIS: faculty research and degree data
- ID Card: ISO and jpeg
- Uniquid: account & email data (person), loaded via Java
Future Data Sources
[Diagram: Sponsored Affiliates pass through Entry Identity Match & Reconciliation Logic into the Registry/Directory]
Data edits:
- Name
- Identifier
- Affiliation
- Sponsor
- Expiration
“Self-Update” (update only)
Data allowed:
- Nickname
- HomePage (…colorado.edu)
- Preferred contact
- Alternate contact
- Fax
- Cell Phone
- Pager (phone)
- Pager (text)
- Activities
- Areas of expertise
Registry Schema (abbreviated)
DIR_PERSON: uuid, ssn, sid, employeeNumber, privacy, dir_uid, primaryAffiliation, homeDepartment, dob, gender, prev_sid, sis_update, hr_update, uniquid_update, self_update, … address/phone/etc data …
DIR_SURNAME
DIR_JOB: JobSeqNo, uuid, job_Code, dept_ID, title, emplmnt_status_code, emp_type_code, reg_temp_code, Affiliation, Appoint_end_date
DIR_RESEARCH
DIR_DEGREE
DIR_AFFILIATION: AffiliationSeqNo, uuid, description, eduPersonAffiliation, campus, sponsored_by, expiration_date, orgDN
UCBEMAIL_ONLY: cuMailUniqcuid, mail, emailHome, emailRewrite
DIR_CERT
DIR_PW
DIR_ORG_UNIT_DN
DIR_ACTIVITIES
DIR_CAMPUS_SPECIFIC: uuid, campus, ISO, roomNumber, physicalDeliveryOfficeName
DIR_AU_SPECIFIC: uuid, AU, Term, expectedReturn, feesIndicator, enrollment_status_code, withdraw_code, … academic info …
DIR_SEEALSO
DIR_PRIOR_NAME
DIR_EMAIL: emailSeqNo, uuid, campus, dir_uid, mail_flag
DIR_EXCEPTION: uuid, sid, ssn, source
DIR_COMMON_NAME
DIR_GIVEN_NAME
Registry Schema - views
create or replace view au_specific_view as
select h.uuid, h.au, h.feesIndicator, h.college, h.affiliation, h.college2,
       h.primaryMajor1, h.primaryMajor2, h.primaryMinor,
       h.secondaryMajor1, h.secondaryMajor2, h.secondaryMinor,
       h.primaryMajor1Option, h.primaryMajor2Option,
       h.secondaryMajor1Option, h.secondaryMajor2Option,
       l1.college_desc, l2.college_desc "COLLEGE2_DESC",
       m1.major_desc "PRIMARYMAJOR1_DESC", m2.major_desc "PRIMARYMAJOR2_DESC",
       m3.major_desc "PRIMARYMINOR_DESC", m4.major_desc "SECONDARYMAJOR1_DESC",
       m5.major_desc "SECONDARYMAJOR2_DESC", m6.major_desc "SECONDARYMINOR_DESC",
       n1.major_option_desc "PRIMARYMAJOR1OPTION_DESC",
       n2.major_option_desc "PRIMARYMAJOR2OPTION_DESC",
       n3.major_option_desc "PRIMARYMAJOR3OPTION_DESC",
       n4.major_option_desc "PRIMARYMAJOR4OPTION_DESC",
       h.classlevel
  from dir_au_specific h,
       college_table l1, college_table l2,
       majors_table m1, majors_table m2, majors_table m3,
       majors_table m4, majors_table m5, majors_table m6,
       major_option_table n1, major_option_table n2,
       major_option_table n3, major_option_table n4
 where l1.college_code (+) = h.college            -- (+) marks Oracle outer joins: rows without a lookup match are kept
   and l2.college_code (+) = h.college2
   and m1.major_code (+) = h.primaryMajor1
   and m2.major_code (+) = h.primaryMajor2
   and m3.major_code (+) = h.primaryMinor
   and m4.major_code (+) = h.secondaryMajor1
   and m5.major_code (+) = h.secondaryMajor2
   and m6.major_code (+) = h.secondaryMinor
   and n1.major_option_code (+) = h.primaryMajor1Option
   and n2.major_option_code (+) = h.primaryMajor2Option
   and n3.major_option_code (+) = h.secondaryMajor1Option
   and n4.major_option_code (+) = h.secondaryMajor2Option   -- was secondaryMajor1Option, a duplicate of the n3 join
   and h.affiliation = 'Y';
Directory Structure
I. Directory Objects: eduPerson, cuEduPerson, coloradoPerson
II. Console demo
III. Metamerge demo
Directory Objects
[Object class diagram; attribute groups as shown:]
person: cn, description, seeAlso, sn, telephoneNumber, userPassword (also shown: uuid)
cuEduPerson: au, activities & research, alternateContact, campus, degreeInstitution & Yr, employmentStartDate, Expertise, feesIndicator, highestDegree, homeDepartment, ISO, major, minor, class, Privacy, SID, SSN
organizationalPerson: facsimileTelephoneNumber, ou, physicalDeliveryOfficeName, postalAddress, street, st, postalCode, l, postOfficeBox, preferredDeliveryMethod, title
inetOrgPerson: o & departmentNumber, displayName, givenName, employeeNumber, employeeType, homePhone, homePostalAddress, jpegPhoto & labeledURI, mail, uid, mobile & pager, roomNumber, userCertificate
eduPerson: affiliation, nickName, orgDN, orgUnitDN, primaryAffiliation, principalName (also shown: jobClassification, schoolCollegeName)
coloradoPerson: Macgridnumber, Machomelocpath, Machomedir
cusysPerson: Identifiers…
Sample Directory Entry
dn: uuid=100056249, ou=people, dc=colorado, dc=edu
cn: Roberto Roybal
sn: Roybal
givenname: Roberto
postaladdress: 455 UCB
objectclass: top
objectclass: person
objectclass: organizationalperson
Server Environment
I. Hardware
II. iPlanet Directory Server
III. Enterprise Directory Architecture (Directory Instances – configuration, replication, ssl, subnets)
Privacy
- FERPA constraints
- Privacy-enabled students
- Public vs. private student data
- Public vs. private employee data
- Who can see what?
ACLs
- Where and/or what is the resource to be accessed?
- How can the resource be accessed?
- Who can and/or when can a resource be accessed?
From iPlanet Learning Solutions: iPlanet Directory Services: Analysis and Planning 5.0
ACLs
Anonymous ACL example:
(targetattr="homePostalAddress||homephone")
(target="ldap:///ou=people,dc=colorado,dc=edu")
(targetfilter!="(|(&(edupersonprimaryaffiliation=Student)(cuedupersonprivacy=*))(!(edupersonprimaryaffiliation=Student))(edupersonprimaryaffiliation=Affiliate)(cuedupersonprivacy=D))")
(version 3.0; acl "anonymous-student homeinfo"; allow (read,compare,search) userdn="ldap:///anyone";)
Because the filter is negated (targetfilter!=), the rule applies only to entries that match none of its branches, i.e. students with no privacy attribute set; employees, affiliates and privacy-enabled students keep home address and home phone hidden from anonymous binds.
ACLs
Read-all ACL example:
(targetattr="*")
(target !="ldap:///*,ou=special,dc=colorado,dc=edu")
(version 3.0; acl "powerusers-read"; allow (read,compare,search) groupdn="ldap:///cn=Readall,ou=groups,ou=special,dc=colorado,dc=edu";)
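Both ACIs above, worked through as an added example that is neither the workshop's code nor iPlanet's ACI engine: a small LDAP filter evaluator applies the anonymous rule's targetfilter to constructed sample entries, so the effect of the targetfilter!= negation and of the target != subtree exclusion in the Readall rule can be checked directly. The entries, DNs and group membership are constructed; the filter is written in strict RFC 2254 syntax, since the slide's (!edupersonprimaryaffiliation=Student) omits the inner parentheses.

```python
ANON_TARGET_SUFFIX = ",ou=people,dc=colorado,dc=edu"
ANON_TARGET_ATTRS = {"homepostaladdress", "homephone"}
# targetfilter of the anonymous ACI. Because that ACI uses targetfilter!=,
# it applies only to entries that do NOT match this filter.
ANON_TARGET_FILTER = (
    "(|(&(edupersonprimaryaffiliation=Student)(cuedupersonprivacy=*))"
    "(!(edupersonprimaryaffiliation=Student))"
    "(edupersonprimaryaffiliation=Affiliate)"
    "(cuedupersonprivacy=D))"
)
SPECIAL_SUFFIX = ",ou=special,dc=colorado,dc=edu"       # excluded by target !=
READALL_GROUP = "cn=readall,ou=groups,ou=special,dc=colorado,dc=edu"


def parse_filter(text):
    """Parse the subset of LDAP filter syntax the ACIs use (&, |, !, equality,
    presence) into a tuple tree: (op, [kids]) or ('=', attr, value)."""
    pos = 0

    def skip_spaces():
        nonlocal pos
        while pos < len(text) and text[pos] == " ":
            pos += 1

    def node():
        nonlocal pos
        skip_spaces()
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            kids = []
            skip_spaces()
            while text[pos] != ")":
                kids.append(node())
                skip_spaces()
            pos += 1
            return (op, kids)
        if op == "!":
            pos += 1
            kid = node()
            skip_spaces()
            pos += 1                      # ')' closing the NOT
            return ("!", [kid])
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    return node()


def matches(tree, entry):
    """Evaluate a parsed filter against an entry (lowercase attribute -> list of values)."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":                      # presence test, e.g. (cuedupersonprivacy=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def anonymous_can_read(entry, attr):
    """Does 'anonymous-student homeinfo' let an anonymous bind read attr of entry?"""
    if attr.lower() not in ANON_TARGET_ATTRS:
        return False
    if not entry["dn"].lower().endswith(ANON_TARGET_SUFFIX):
        return False
    return not matches(parse_filter(ANON_TARGET_FILTER), entry)


def readall_can_read(entry, bind_groups):
    """Does 'powerusers-read' let a member of the Readall group read entry?"""
    if READALL_GROUP not in {g.lower() for g in bind_groups}:
        return False
    return not entry["dn"].lower().endswith(SPECIAL_SUFFIX)


# Constructed sample entries (not real directory data).
STUDENT_PUBLIC = {"dn": "uuid=100000001,ou=people,dc=colorado,dc=edu",
                  "edupersonprimaryaffiliation": ["Student"]}
STUDENT_PRIVATE = {"dn": "uuid=100000002,ou=people,dc=colorado,dc=edu",
                   "edupersonprimaryaffiliation": ["Student"], "cuedupersonprivacy": ["Y"]}
STAFF = {"dn": "uuid=100000003,ou=people,dc=colorado,dc=edu",
         "edupersonprimaryaffiliation": ["Staff"]}
SPECIAL = {"dn": "uid=svc1,ou=special,dc=colorado,dc=edu",
           "edupersonprimaryaffiliation": ["Staff"]}


def demo():
    """Who exposes home address/phone to anonymous, and what a Readall member sees."""
    return {
        "anon": {name: anonymous_can_read(e, "homePostalAddress")
                 for name, e in [("student_public", STUDENT_PUBLIC),
                                 ("student_private", STUDENT_PRIVATE), ("staff", STAFF)]},
        "readall": {name: readall_can_read(e, [READALL_GROUP])
                    for name, e in [("staff", STAFF), ("special", SPECIAL)]},
    }


if __name__ == "__main__":
    print(demo())
```

Only the student with no privacy attribute exposes home contact data anonymously; everything else the filter names is excluded, which is the FERPA outcome the Privacy slide asks for. The Readall group reads staff entries but not anything under ou=special, because the target != keeps that subtree out of the rule's scope.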
UCB’s Kerberos and the Directory
Solutions considered…
- Synchronize Passwords
- Migrate to “Heimdal” Kerberos
- Simple Authentication and Security Layer (SASL)
- Pre-Operation Directory Plug-in
The winner is …
Authentication with Directory Plugin
[Diagram components: Directory Enabled Application; Enterprise Directory (iPlanet Directory Server); Authentication API; Notre Dame Plugin; External KrbAuth module; Identikey/Kerberos]
1. Client sends bind request
2. Directory calls pre-operation plug-in and waits for results from plugin
3. Plugin checks to see if attribute principalname is defined
4. If principalname is not defined then plugin calls SLAPI_PW_FIND to authenticate against userpassword attribute. Result passed back from plugin to Directory
5. If principalname is defined then SLAPI_BIND_CREDENTIALS and principalname are passed to the external kerbauth module. Results passed back to directory front-end after external module completes
6. Plugin attempts to perform kerberos authentication. Results passed back to plugin and any tgt retrieved is destroyed
Note: external module can be replaced to enable other authentication mechanisms
Lessons learned and next steps
- App must be able to look up the DN (our DN is not the username), e.g. cuedupersonuuid=100056463,ou=People,dc=Colorado,dc=edu vs. jonesdr
- Plugin API compatibility issues with iPlanet Directory version changes
- 5.1 plugin retrieves & caches both kerberos ticket-granting-ticket and host ticket
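The bind flow in steps 2 to 6, and the "DN is not the username" lesson, simulated as an added example. This is not the Notre Dame plug-in, the kerbauth module or iPlanet's SLAPI; it models the decision the plug-in makes in plain Python. The in-memory directory, the {SSHA} hashes, the Kerberos realm COLORADO.EDU and the stand-in principal table that replaces a real KDC are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# Constructed directory (not real data). DNs are uuid-based, as the lessons-learned
# slide notes, so an application must first find the DN for a username.
DIRECTORY = {}


def ssha_hash(password, salt=None):
    """Build an iPlanet-style {SSHA} userPassword value: SHA-1(password + salt), salt appended."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored, password):
    """Stand-in for SLAPI_PW_FIND: check credentials against the userPassword attribute."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())


# Constructed stand-in for the KDC behind the external module: principal -> password.
# The real module obtains a TGT from Identikey/Kerberos with the bind credentials.
FAKE_KDC = {"jonesdr@COLORADO.EDU": "correct horse"}


def external_kerbauth(principal, password):
    """Step 6 stand-in: verify the credentials and return only the verdict; nothing
    is retained, mirroring the plug-in destroying any TGT it retrieved."""
    expected = FAKE_KDC.get(principal)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def preop_bind(dn, password, kerbauth=external_kerbauth):
    """Steps 2-6: the pre-operation plug-in picks the mechanism from the entry."""
    entry = DIRECTORY.get(dn.lower())
    if entry is None:
        return ("fail", "no such entry")
    principal = entry.get("cuedupersonprincipalname")
    if principal is None:
        # Step 4: no principalName -> authenticate against userPassword locally
        ok = ssha_verify(entry.get("userpassword", ""), password)
        return ("ok" if ok else "fail", "userPassword")
    # Step 5: principalName present -> hand credentials to the external module
    ok = kerbauth(principal, password)
    return ("ok" if ok else "fail", "kerberos")


def find_dn(uid):
    """Lesson learned: the DN is not the username, so resolve uid -> DN first."""
    for dn, entry in DIRECTORY.items():
        if uid in entry.get("uid", []):
            return dn
    return None


def bind_as(uid, password):
    """What a directory-enabled application does: look up the DN, then bind."""
    dn = find_dn(uid)
    if dn is None:
        return ("fail", "unknown uid")
    return preop_bind(dn, password)


# Populate the constructed directory: one Kerberos-backed person, one local-password account.
DIRECTORY["cuedupersonuuid=100056463,ou=people,dc=colorado,dc=edu"] = {
    "uid": ["jonesdr"], "cuedupersonprincipalname": "jonesdr@COLORADO.EDU"}
DIRECTORY["uid=printsvc,ou=special,dc=colorado,dc=edu"] = {
    "uid": ["printsvc"],
    "userpassword": ssha_hash("local-only-secret", salt=b"\x01\x02\x03\x04")}

if __name__ == "__main__":
    print(bind_as("jonesdr", "correct horse"), bind_as("printsvc", "local-only-secret"))
```

Swapping external_kerbauth for another callable with the same (principal, password) signature is the "external module can be replaced" point from the note; the dispatch in preop_bind does not change.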
Directory’s Role in Security
Directory Enabled Applications: Authentication, Authorization, Network Security & Radius
Directory’s Role in Security
[Diagram: a Client issues a Service Request to a Web Application, to Routers/Switches, or to Network Services (Modem, DSL, VPN) via Radius; Authentication and Authorization are performed against the Enterprise Directory, Kerberos, the Web Logon Server and Active Directory (MIT domain trusted); a Directory feed supplies a Directory Enabled Application (Calendar).]
Client Access
I. White Pages architecture
II. Unix command line lookup
III. Address Book mappings
IV. LDAP Browser
White Pages Architecture
[Diagram, steps numbered (1)-(6): Desktop client web browser -> HTTP request -> Apache web server with mod_jk.so plugin module -> AJP 1.3 on port 8009 (Apache-Java Protocol) -> Tomcat servlet engine running under Java JDK 1.3 -> Cocoon publishing framework or other Java servlet using XML/XSL & JNDI -> JNDI LDAP query -> Directory. Desktop email client (Outlook, Netscape, Eudora) or other LDAP client -> anonymous LDAP query -> Directory.]
White Pages – xml example (part 1)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd">
<page>
  <cnfull>marangak</cnfull>
  <campus>*</campus>
  <affiliation>*</affiliation>
  <ldapsearch>
White Pages – xml example (part 2)
    <searchresult id="cuEduPersonUUID=100038089">
      <displayname>Andrew Marangakis</displayname>
      <givenname>ANDREW</givenname>
      <cuedupersonemailhome>[email protected]</cuedupersonemailhome>
      <cuedupersoncampus>Boulder Campus</cuedupersoncampus>
      <objectclass>top</objectclass>
      <objectclass>person</objectclass>
      <objectclass>organizationalperson</objectclass>
      <objectclass>inetorgperson</objectclass>
      <objectclass>eduPerson</objectclass>
      <objectclass>cuEduPerson</objectclass>
      <cuedupersonhomedepartment>ITS-Administration</cuedupersonhomedepartment>
      <edupersonaffiliation>Staff</edupersonaffiliation>
      <edupersonaffiliation>Employee</edupersonaffiliation>
      <ou>ITS-Administration</ou>
      <mail>[email protected]</mail>
      <cn>Marangakis,Andrew</cn>
      <cn>Andrew Marangakis</cn>
      <cn>Marangakis Andrew</cn>
      <telephonenumber>303 492 0527</telephonenumber>
      <cuedupersonclass>UNCLASSIFIED NON-CREDIT CE</cuedupersonclass>
      <cuedupersonuuid>100038089</cuedupersonuuid>
      <postaladdress>455 UCB</postaladdress>
      <description>Staff</description>
      <sn>MARANGAKIS</sn>
      <edupersonprimaryaffiliation>Staff</edupersonprimaryaffiliation>
      <cuedupersonjobclassification>IT Professional III</cuedupersonjobclassification>
      <title>IT Professional III</title>
Client Access – Unix Command Line
(${1} is the name fragment passed as the script's first argument; the grep drops the dn line so only attribute values are printed)
ldapsearch -h directory.colorado.edu -b "dc=Colorado,dc=EDU" "cn=*${1}*" \
  displayname telephonenumber cuedupersonschoolcollegename cuedupersonprimarymajor1 \
  cuedupersonclass title description cuedupersonhomedepartment postaladdress \
  homepostaladdress homephone mail cuedupersonemailhome \
  | grep -v cuEduPersonUUID | awk -F= '{print $2}'
Client Access – Address Books
Eudora – Tools/Directory Services
  LDAP Database: directory.colorado.edu
  Search base: dc=colorado,dc=edu
  Attributes: can specify name and heading
Netscape – Address Book/File/New Directory
  LDAP Server: directory.colorado.edu
  Search Root: dc=colorado,dc=edu
Outlook – Address Book/Internet Accounts Directory Service wizard
UCB Address Book instructions: http://www.colorado.edu/its/docs/usingemail.html
Four Campus Implications
Commonalities and campus-specificities in: People, Data sources, Data, Policies
Infrastructure applicable to University and Campuses
Directory Structure Today
[Diagram: SIS and HR feed the Registry (Identity Recon., Recon. report) and the Directory Build. University-wide: cu.edu (concept), cusys Directory. Campus-specific: ucb Directory. Common Infrastructure. Consumers shown: White Pages, AuthN testing, Calendar pilot, Radius concept, MacOS AuthN, Email Addresses, Affiliation Check, Printed Directory, Uniquid, Send.]
Project Contacts
Dennis Maloney, Director of [email protected]
Bob Fryberger, IT [email protected]
Paula Vaughan, Project Manager [email protected]
Melinda Jones, Directory [email protected]
Enterprise Directory Project Web Page: http://www.Colorado.EDU/committees/DirectoryServices/ or from the UCB - ITS home page (“About ITS” → “Projects & Initiatives” → “Architecture and Infrastructure Initiatives”)