![Page 1: Seminar 01F - Architecting the Institutional Directory Service Advanced Issues, Problems, and Solutions Presented by Brendan Bellina and Rob Banz October](https://reader035.vdocuments.mx/reader035/viewer/2022070323/56649da05503460f94a8b15e/html5/thumbnails/1.jpg)
Seminar 01F - Architecting the Institutional Directory Service
Advanced Issues, Problems, and Solutions
Presented by Brendan Bellina and Rob Banz
October 23, 2007
Overview
• Speaker Introductions
• Overview of Enterprise Directory Models and implemented systems at USC and UMBC
• Data Transport
• Directory Schema Design
• Commercial Identity Mgmt. Products
Overview (cont.)
• Controlling Access
• Monitoring Performance
• Directory Administration Tools
• Directory Replication and Synchronization
• Authentication Services
• Authorization Services
• Managing Attribute Release
Overview (cont.)
• Directory Team Staffing
• Additional Issues to Consider
• Future Advancements
• Institutional Policies
• Inter-institutional Collaborative Resources
• Questions
Speaker Introductions
Brendan Bellina
Identity Services Architect, USC
• Background in Financial Software Development and Data Warehouse Design
• Active in Higher-Education Identity Management / Directory Services since 2001
• Designed and implemented the Enterprise Directory Service at the University of Notre Dame (2001-2004) http://eds.nd.edu
• Architect of USC Global Directory Service (2005-current) http://www.usc.edu/gds
• Presentations and online materials available at http://its.usc.edu/~bbellina
Robert Banz, UMBC
• Director, Computing Infrastructure, UMBC.
• Background in UNIX systems engineering and software architecture.
• Likes making things work together that aren’t supposed to…
• Architect of UMBC’s Enterprise Directory / IDMS ( 2000 - present )
• Presentations available at http://umbc.edu/~banz
NMI Middleware Diagram
Policy
Data Collection: Multiple Systems of Record
Identity Resolution: Registry Functions
Data Migration: Metadirectory scripts; Provisioning
Entry/Attribute Access and Release: LDAP Access Controls, Shibboleth ARP’s
Data Consumers: Applications, End-users, Application/NOS directories (LDAP is designed for high-volume read, low-volume write)
Enterprise Directory Architectures
• Centralized EDS
– Everything queries the central EDS
– Central control
– Performance bottleneck risk
• Replicated EDS
– Replicate servers for performance
– Small risk of data latency
• Derivative directories
– Distribute EDS data to stand-alone directories
– Potential issues managing identities
– Risk of data leakage and inconsistent access controls
– Risk of data latency
Initial Implementation Plan
• Production Hardware
– Redundancy
– Security
– Scalability
– Monitoring
– Availability
– Performance
– Recoverability
• Integrated Test/Development System(s)
– Pre and Post Production Systems
– Crash and Burn system
UMBC Server Architecture
UMBC Server Architecture
• Design with DR in mind!
– Mirrored storage across datacenters for important transactional data (registry, master directory, etc.)
– Easy to bring up on similar hardware when the time comes without losing changes
• Replicas
– N+1. Be sure you can handle all of your transactions if one is missing.
– Hardware is cheap. Memory is cheap. Overbuild now, and stay ahead of the curve.
– Where’s the curve you ask? We’ll get to that.
UMBC Directory Architecture
• Future growth and projects
– PeopleSoft Student Administration
– Grouper-based Ad-Hoc Group Mgmt.
– Expand physical access control integration
– Logging & Diagnostics
– Expanded services to alternative populations (alumni, pre-admits, dropouts, etc.)
• …and others that I can’t imagine yet.
Data Transport
Batch Pros and Cons
• Periodic processes are easier to support
• Periodic processes are easier to update
• Batch processes allow looser integration testing
• Data latency
• Performance spikes
• Effective delay of service
Real-Time Pros and Cons
• Shorter delays in processing
• Transactions are spread out (generally), allowing smaller systems
• Like spam, it never stops
• Harder to test, support, and maintain
Why Batch Processes Cannot be Avoided
• Handling Time-triggered events requires a batch process
• Academic calendar often involves large quantity of transactions on specific dates
• Batch practices of SORs (imports, mass changes)
Data Extract Issues
• Codes in tables or values in entries
– Transaction systems often use codes
– End services often require values. Standard LDAP attributes are expected to be values.
– Single changes in code tables may result in many updates to values in entries
– Values in entries alone may not provide enough information for data selection
• Invalid data in source systems
• Should the directory be insulated from source system table structures?
USC Data Transport
• Batch components
– Account creation process for Members
– Employee system updates to Registry
– Sync between Account System and GDS
– Sync between Person Registry and GDS
– Rebuilding GDS groups and permissions
– VIP authorized services feed between iVIP and metadirectory
USC Data Transport
• Real-time components
– Identity creation in Person Registry from Student System
– Identity creation in Person Registry from Employee System
– Identity creation from Guest/Affiliate “iVIP” system
– Update of ID card information from USCard system
– Creation of Sponsored User Accounts “SASU”
UMBC Data Transport
• Real Time Components
– Student Status / Enrollment Changes
– ID Card issuance (Mag Strip / Library Card #)
– Self / Administrative initiated changes
  • Identity creation for new faculty/staff *
  • Identity creation for affiliates (guests, etc.)
  • Account creation / activation
  • Directory information updates
– Back-feeds of CampusID data
UMBC Data Transport
• Batch Components
– CMS (Blackboard) Course Creation and Enrollments
– Faculty / Staff Identity Updates
– Data feeds to Library
Directory Schema Design
Schema Topics
– Directory Information Tree (dn format, depth)
– People
– Accounts
– Groups
– Permissions
– Standard Object Classes
– Schema extensions (Get your OID on!)
– Indexing
Directory Design Decisions To Be Made
• DIT – Tall or Flat
• Lots of attributes (“thick”) or only identifiers (“thin”)
• dn and rdn format
• Direct or proxied update access
• DS mastered content - entries & attributes
• LDAP as password store
• Duration / Permanence of directory entries and identifiers
• People vs. Accounts
• Groups (subgroups, roles, dynamic groups, static groups, managed groups, exceptions, personal groups, etc.)
DIT Architecture
Tall & Spiky:
  ou=Academic
    ou=Sciences
      ou=Physics
      ou=Chemistry
    ou=Arts & Letters
      ou=Philosophy
Flat:
  ou=People
  ou=Groups
Why not Tall & Spiky?
• Not amenable to people being in multiple organizational units simultaneously
• Not efficient when people move between organizational units frequently
• Not efficient when organizational hierarchy changes occur
Distinguished Name (dn) format
• Issues
– Useful for LDAP enabled apps
– Visible if any attribute in the entry is visible
– Must be unique within scope
– Benefits in being persistent, non-reassignable, and opaque
• Standards
– X.500 naming (based on geographical location)
  • cn=Bullwinkle Moose, ou=people, o=Wossamotta U, st=Confusion, c=US
– Domain Component naming (most commonly used)
  • cn=Bullwinkle Moose, ou=people, dc=Wossamotta, dc=edu
• Relative Distinguished Name selection
– uid, cn, directory id, or something else?
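As an added example (not from the seminar slides), a small Python simulation of the trade-off the last three slides describe: group membership held as DN references breaks when a person's DN changes in a Tall & Spiky DIT, while a flat DIT keyed by an opaque RDN absorbs the same department change, and a second department, as plain attribute edits. The dc=wossamotta,dc=edu naming and the person's name come from the slide's DN examples; the groups and the opaque uid value are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Minimal in-memory DIT: dn -> attribute dict (constructed for this example)."""
    entries: dict = field(default_factory=dict)

    def add(self, dn, **attrs):
        self.entries[dn] = dict(attrs)

    def move(self, old_dn, new_parent):
        """Re-parent an entry the way an LDAP modrdn with newSuperior does:
        the RDN is kept, the rest of the DN changes, and (absent a
        referential-integrity plugin) nothing rewrites DN references that
        other entries hold."""
        rdn = old_dn.split(",", 1)[0]
        new_dn = f"{rdn},{new_parent}"
        self.entries[new_dn] = self.entries.pop(old_dn)
        return new_dn

    def dangling_members(self):
        """(group dn, member dn) pairs whose member DN no longer resolves."""
        return [(dn, m) for dn, attrs in self.entries.items()
                for m in attrs.get("uniqueMember", []) if m not in self.entries]


BASE = "dc=wossamotta,dc=edu"   # suffix from the slide's example; everything else is made up


def _with_groups(d, person_dn):
    """Two constructed groups that reference the person by DN."""
    d.add(f"cn=lab-access,ou=Groups,{BASE}", uniqueMember=[person_dn])
    d.add(f"cn=vpn-users,ou=Groups,{BASE}", uniqueMember=[person_dn])


def tall_dit_department_change():
    """Tall & Spiky: the person lives under the department OU, so a transfer
    from Physics to Chemistry is a DN change. Returns the number of group
    references left pointing at the old DN."""
    d = Directory()
    person = f"cn=Bullwinkle Moose,ou=Physics,ou=Sciences,ou=Academic,{BASE}"
    d.add(person, cn="Bullwinkle Moose")
    _with_groups(d, person)
    d.move(person, f"ou=Chemistry,ou=Sciences,ou=Academic,{BASE}")
    return len(d.dangling_members())


def flat_dit_department_change():
    """Flat DIT with an opaque, persistent RDN: the transfer is an attribute
    change on the entry, and a joint appointment is simply a second value.
    Returns (broken references, the entry's ou values)."""
    d = Directory()
    person = f"uid=x7k2q9,ou=People,{BASE}"      # constructed opaque directory id
    d.add(person, cn="Bullwinkle Moose", ou=["Physics"])
    _with_groups(d, person)
    d.entries[person]["ou"] = ["Chemistry"]          # transfer: no modrdn needed
    d.entries[person]["ou"].append("Philosophy")     # second unit at the same time
    return len(d.dangling_members()), sorted(d.entries[person]["ou"])


if __name__ == "__main__":
    print("tall DIT, broken group references:", tall_dit_department_change())  # 2
    print("flat DIT:", flat_dit_department_change())   # (0, ['Chemistry', 'Philosophy'])
```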
USC Decisions - General
• dn: dc naming using unique directory id as rdn
• Flat DIT. Thick entries.
• Central authN/authZ “where possible”
• Single system for identities - Person Registry
• Registry is “Cradle to Grave” or “Womb to Tomb” eventually
• Require use of service dn’s for LDAP-enabled applications
• Passwords in Kerberos rather than LDAP where possible
USC Decisions - General
• Allow multiple accounts per person, but move to establish “NetID” for enterprise services
• Use of post-business-rule data source “signatures”
• Directory contains people who receive or have received electronic services
• Neither Registry nor Directory provide reporting services
• Groups for authorization, with group memberships and authorizations reflected in member entries
USC Decisions - People
• People entries (ou=people)
– Use of standard eduPerson object class and creation of uscEduPerson object class
– An entry is created for each identity in the Person Registry that requires electronic services. Entries may be deactivated when service ends, but never deleted.
– People entries may be publicly accessible via LDAP protocol to allow use with email clients.
– People entries have no credentials or login capability.
– Example: uscrdn=usc.edu.scbs5rm6,ou=people,dc=usc,dc=edu
– http://eds.nd.edu/cgi-bin/nd_ldap_search.pl?ldapurl=gds-ldap.usc.edu:389/uscrdn=usc.edu.scbs5rm6,ou=people,dc=usc,dc=edu&ldapheadattr=displayname&displayformat=generic
USC Decisions - Accounts
• Account entries (ou=accounts)
– Use of standard posixAccount object class and creation of uscAccount object class
– An entry is created for each active enterprise Unix account. These are intended to be used only by Unix services. Entries may be deactivated when service ends, but never deleted.
– An “aggregate” account is created based on username for each set of Unix accounts a person has. Usually a person has a single aggregate account. This is intended to be used by Shibboleth and LDAP-enabled services.
USC Decisions - Accounts
• Account entries (ou=accounts)
– A “privilege” account is created for non-Unix services, is attached to a sponsor’s person entry, and is restricted to a single application. This can accommodate LDAP-enabled applications that use reserved account names - like “sa” or “admin” or provide limited access to services for non-people (like vendors).
– No account entries are visible publicly. They are visible to the owner.
– LDAP-enabled apps that construct dn CANNOT WORK
– Example: uscrdn=usc.edu.scdv5wtq6,ou=accounts,dc=usc,dc=edu
USC Decisions - Groups
• Group entries (ou=groups)
– Use of standard groupOfUniqueNames object class and creation of uscGroupEntry object class
– Static groups are used rather than dynamic groups. Members of groups can be person or account entries, but not other groups.
– Groups may be rule-based. The rule is defined as an LDAP filter. Rule-based groups are reconstructed each business day.
– Groups may have any number of inclusion or exclusion groups that are applied to their membership. Inclusion and exclusion groups are manually administered. Groups that have dependencies on inclusion or exclusion groups are reconstructed each business day.
USC Decisions - Groups
• Group entries (ou=groups)
– Authorizations are controlled via groups. Shibboleth entitlements, eligibilities, and membership of a group are maintained in member attributes to facilitate use by Shibboleth, in group-math-based LDAP filters, and in directory access controls.
– No group entries are currently visible publicly, although it is possible for a group to be defined as public.
– Example: uscrdn=usc.edu.scmb9tg2,ou=groups,dc=usc,dc=edu
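As an added example (not USC's own code), the nightly "group math" these two slides describe, written in Python over an in-memory copy of the directory: a rule-based group is an LDAP filter, inclusion and exclusion groups are applied on top of the rule, and the result is then written back into each member entry so that access controls and Shibboleth can test membership as an ordinary attribute. Assumptions: the filter evaluator covers only equality, presence and the &, | and ! operators; includes are applied before excludes; the attribute name isMemberOf, the entry DNs and the attribute values are constructed.

```python
BASE = "dc=usc,dc=edu"            # suffix from the slides; the entries below are made up
P = {k: f"uscrdn=usc.edu.{k},ou=people,{BASE}" for k in ("p1", "p2", "p3", "p4")}
G_STUDENTS = f"uscrdn=usc.edu.g1,ou=groups,{BASE}"   # rule-based group
G_EXTRA = f"uscrdn=usc.edu.g2,ou=groups,{BASE}"      # manually administered inclusion group
G_EXCLUDE = f"uscrdn=usc.edu.g3,ou=groups,{BASE}"    # manually administered exclusion group


def parse_filter(s, pos=0):
    """Parse a small subset of RFC 4515 filters: (&..)(|..)(!..)(attr=val)(attr=*).
    Returns (node, next_pos); values containing ')' are not supported."""
    if s[pos] != "(":
        raise ValueError("filter must start with '('")
    pos += 1
    if s[pos] in "&|!":
        op, pos = s[pos], pos + 1
        kids = []
        while s[pos] == "(":
            kid, pos = parse_filter(s, pos)
            kids.append(kid)
        if s[pos] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), pos + 1
    end = s.index(")", pos)
    attr, val = s[pos:end].split("=", 1)
    return ("=", attr.strip().lower(), val.strip()), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry (lower-cased attribute names)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    values = [str(v).lower() for v in entry.get(attr, [])]
    return bool(values) if val == "*" else val.lower() in values


def person(affiliation, status):
    return {"objectclass": ["person"], "edupersonaffiliation": [affiliation],
            "uscentrystatus": [status]}


def sample_directory():
    """Constructed directory: four people, one include group, one exclude group
    and one rule-based group that depends on both."""
    return {
        P["p1"]: person("student", "active"),
        P["p2"]: person("staff", "active"),
        P["p3"]: person("student", "inactive"),
        P["p4"]: person("student", "active"),
        G_EXTRA: {"objectclass": ["groupofuniquenames"], "uniquemember": [P["p2"]]},
        G_EXCLUDE: {"objectclass": ["groupofuniquenames"], "uniquemember": [P["p1"]]},
        G_STUDENTS: {
            "objectclass": ["groupofuniquenames", "uscgroupentry"],
            "uscgrouprule": ["(&(edupersonaffiliation=student)(!(uscentrystatus=inactive)))"],
            "uscgroupincludedn": [G_EXTRA],
            "uscgroupexcludedn": [G_EXCLUDE],
            "uniquemember": [],
        },
    }


def rebuild_group(directory, group_dn):
    """Recompute one group's uniqueMember from its rule, then add the members of
    its inclusion groups and remove the members of its exclusion groups
    (include-then-exclude ordering is an assumption of this example)."""
    group = directory[group_dn]
    members = set()
    if group.get("uscgrouprule"):
        rule = parse_filter(group["uscgrouprule"][0])[0]
        members = {dn for dn, e in directory.items()
                   if "person" in e.get("objectclass", []) and matches(rule, e)}
    for inc in group.get("uscgroupincludedn", []):
        members |= set(directory[inc].get("uniquemember", []))
    for exc in group.get("uscgroupexcludedn", []):
        members -= set(directory[exc].get("uniquemember", []))
    group["uniquemember"] = sorted(members)
    return group["uniquemember"]


def reflect_memberships(directory, attr="ismemberof"):
    """Rewrite each member entry's membership attribute from the group entries,
    so ACIs and attribute-release rules can test group membership directly."""
    for e in directory.values():
        e.pop(attr, None)
    for gdn, g in directory.items():
        for m in g.get("uniquemember", []):
            directory[m].setdefault(attr, []).append(gdn)
    return directory


if __name__ == "__main__":
    d = sample_directory()
    print(rebuild_group(d, G_STUDENTS))        # p2 (included) and p4; p1 excluded, p3 inactive
    reflect_memberships(d)
    print(d[P["p2"]]["ismemberof"])
```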
UMBC Decisions
• dc= naming(our public directory has it…)
• Registry has a long history (back to 1980 for students!)
• Passwords in Kerberos, but synchronized to LDAP for other uses.
• Group membership *or* attribute definitions may determine authorization. (e.g. affiliation=student makes you eligible for certain services such as a computer “account”)
• No “self modify” of entries except through approved applications
UMBC Decisions
• ou=People
– You can “bind” (authenticate) as a person
– Most applications are using a “person’s” rights for authorization data (shibboleth, etc)
– dn’s are opaque: (guid=6cbfa31e-6e14-11d4-9669-8020cd7816,ou=people,…)
• ou=Accounts
– can “bind” as an account too!
– dn’s aren’t opaque :( (uid=banz,ou=accounts,…)
• Problem: primary account objects and their owner should be merged.
UMBC Decisions
• Groups
– Appear in a few places in the DIT
• ou=Courses
– Trees of groups for each semester containing course enrollment. Used for lab access control, Blackboard course population, dynamic email lists, etc.
• ou=Applications
– Application-specific group trees
• ou=Departments
– Group trees for specific university departments
• ou=Radius
– Groups used by our radius servers for VPN access
UMBC Decisions
• Two kinds of groups…
– standard (groupofuniquenames)
  • Used by external applications
– Extended (umbcgroupofuniquenames)
  • Used by internal applications
  • Can contain nested groups (internal applications know how to grok them)
• Future?
– These should/will both be replaced with groups generated from
Standard Object Classes
Used at USC:
• top
• person
• organizationalPerson
• inetOrgPerson
• eduPerson
• posixAccount
• groupOfUniqueNames
• eduCourse
Schema Extensions
• Step One: Get an OID assignment for your institution from IANA
• Step Two: Create new objectclasses for new attributes
• DO NOT make up or reuse an OID
• DO NOT modify a standard objectclass
• DO NOT populate standard attributes in non-standard ways
USC Schema Extensions
• For all directory entries:
– uscDirectoryEntry objectclass
• For people entries:
– uscEduPerson objectclass
– uscMailRecipient objectclass
– uscEduCourse objectclass
• For account entries:
– uscEduPerson objectclass
– uscAccount objectclass
• For group entries:
– uscGroupEntry objectclass
uscDirectoryEntry
objectclasses: ( 1.3.6.1.4.1.13363.3.2.1 NAME 'uscDirectoryEntry'
  DESC 'USC Directory Entry Object Class' SUP top AUXILIARY
  MUST ( uscGuid $ uscRDN $ uscPvid $ createTimestamp )
  MAY ( uscEntryNote $ uscEntryStatus $ uscEntryExpirationDate $ uscEntrySource $
        uscEntryUsage $ uscEntryCategory $ uscEntryCreateDate $ uscEntryDeactivationDate $
        uscEntryReleasePolicy $ uscAttributeReleasePolicy $ uscAuthEligible $
        uscAuthEligibleDN $ uscEntrySignature $ uscHistoricalPvid $ uscOwnerPvid $
        creatorsName $ modifyTimestamp $ modifiersName $ searchguide $ labeledURI $
        owner $ description $ userPassword )
  X-ORIGIN 'user defined' )
uscGroupEntry
objectclasses: ( 1.3.6.1.4.1.13363.3.2.5 NAME 'uscGroupEntry'
  DESC 'USC uscGroupEntry Object Class' SUP groupOfUniqueNames STRUCTURAL
  MUST ( uscGroupType )
  MAY ( owner $ uscGroupMember $ uscGroupRule $ uscGroupRuleComponent $
        uscGroupIncludeDN $ uscGroupExcludeDN $ uscGroupOptInDN $ uscGroupOptOutDN $
        uscGroupSelfOptOut $ uscGroupEnrollmentType $ uscGroupCategory $ uscGroupLevel $
        uscGroupOwner $ uscGroupOwnerProxy $ uscGroupManager $ uscGroupSponsor $
        uscGroupMemberAuthEligible $ uscGroupMemberAuthEligibleDN $
        uscGroupMembershipListVisibleToMembers $ uscGroupKeyword $ uscGroupIsNestable $
        uscGroupUniqueMemberSignature $ uscGroupMembershipAttributeControl $
        uscGroupExcludeOverrideDN $ uscGroupMemberEntitlement )
  X-ORIGIN 'user defined' )
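As an added example (not part of the USC schema or the slides), a Python checker that applies the three "DO NOT" rules from the Schema Extensions slide to objectclass definitions like the two above: it parses the RFC 4512 objectclass description syntax far enough to pull out the OID, NAME, SUP, kind, MUST and MAY, then checks that the OID lies under the institution's IANA arc and that no standard object class is redefined. The arc 1.3.6.1.4.1.13363 and the usc prefix are taken from the definitions on the slides; the table of standard classes is a short constructed subset, and the two failing definitions are constructed.

```python
import re

INSTITUTION_ARC = "1.3.6.1.4.1.13363."   # IANA private-enterprise arc visible in the slide's definitions
LOCAL_PREFIX = "usc"                     # naming prefix the institution uses for its own classes

# Constructed subset of standard object classes (lower-cased name -> OID); not a complete registry.
STANDARD_CLASSES = {
    "top": "2.5.6.0",
    "person": "2.5.6.6",
    "organizationalperson": "2.5.6.7",
    "groupofuniquenames": "2.5.6.17",
    "inetorgperson": "2.16.840.1.113730.3.2.2",
    "posixaccount": "1.3.6.1.1.1.2.0",
    "eduperson": "1.3.6.1.4.1.5923.1.1.2",
}

# The uscGroupEntry definition from the slide, joined onto one line (MAY list abridged).
USC_GROUP_ENTRY = (
    "objectclasses: ( 1.3.6.1.4.1.13363.3.2.5 NAME 'uscGroupEntry' "
    "DESC 'USC uscGroupEntry Object Class' SUP groupOfUniqueNames STRUCTURAL "
    "MUST ( uscGroupType ) MAY ( owner $ uscGroupMember $ uscGroupRule $ uscGroupIncludeDN $ "
    "uscGroupExcludeDN $ uscGroupMemberEntitlement ) X-ORIGIN 'user defined' )"
)
# Constructed definitions that break the slide's rules.
MADE_UP_OID = "( 1.2.3.4 NAME 'uscGuest' SUP top AUXILIARY MAY ( uscGuestSponsor ) )"
REDEFINED_PERSON = ("( 2.5.6.6 NAME 'person' DESC 'constructed redefinition' "
                    "SUP top STRUCTURAL MUST ( sn $ cn ) )")


def _list_after(body, keyword):
    """Value(s) following KEYWORD: a '( a $ b )' list or a single bare/quoted token."""
    m = re.search(r"\b" + keyword + r"\s*\(\s*([^)]*)\)", body)
    if m:
        return [x.strip() for x in m.group(1).split("$") if x.strip()]
    m = re.search(r"\b" + keyword + r"\s+'?([\w.-]+)'?", body)
    return [m.group(1)] if m else []


def parse_objectclass(defn):
    """Pull OID, NAME, SUP, kind, MUST and MAY out of an objectclass description."""
    body = defn.split(":", 1)[1] if defn.lower().startswith("objectclasses:") else defn
    body = body.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("objectclass description must be parenthesised")
    body = body[1:-1].strip()
    kind = next((k for k in ("ABSTRACT", "STRUCTURAL", "AUXILIARY")
                 if re.search(r"\b%s\b" % k, body)), None)
    return {"oid": body.split()[0], "name": _list_after(body, "NAME")[0],
            "sup": _list_after(body, "SUP"), "kind": kind,
            "must": _list_after(body, "MUST"), "may": _list_after(body, "MAY")}


def check_extension(defn):
    """Apply the slide's rules; returns the list of violations (empty means it passes)."""
    oc = parse_objectclass(defn)
    problems = []
    if not oc["oid"].startswith(INSTITUTION_ARC):
        problems.append(f"OID {oc['oid']} is not under the institution's IANA arc")
    if oc["oid"] in STANDARD_CLASSES.values():
        problems.append(f"OID {oc['oid']} is the OID of a standard object class")
    if oc["name"].lower() in STANDARD_CLASSES:
        problems.append(f"NAME {oc['name']} redefines a standard object class")
    if not oc["name"].lower().startswith(LOCAL_PREFIX):
        problems.append(f"NAME {oc['name']} lacks the local prefix '{LOCAL_PREFIX}'")
    for sup in oc["sup"]:
        if sup.lower() not in STANDARD_CLASSES and not sup.lower().startswith(LOCAL_PREFIX):
            problems.append(f"SUP {sup} is neither a standard class nor a local one")
    return problems


if __name__ == "__main__":
    for label, defn in (("uscGroupEntry", USC_GROUP_ENTRY), ("made-up OID", MADE_UP_OID),
                        ("redefined person", REDEFINED_PERSON)):
        print(label, "->", check_extension(defn) or "OK")
```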
Commercial ID Mgmt. Products
• Available in bundled “suites” including
– Directory Server product
– Web SSO solution
– Metadirectory / Provisioning system
• Many out there -- similar problem space
Sun IDM
• Works well with Sun Java* Directory Server
• Sun Access Manager
– You’d rather use Shibboleth
• No java included.
Sun IDM
• Java-based web service
• Provides both an administrative and user portal to various functions
• Heavy focus on provisioning
– Fully fleshed out collection of connectors for various ERP products, directories of an active sort
• Great for reconciling and synchronizing across various existing account silos
Sun IDM
• Can it really solve all of my problems? Probably not.
• People-registry building is really best left to external processes
• Account lifecycle, policy-based provisioning, population of application specific directories, and password synchronization are its strengths.
Controlling Access
Directory Access
• Direct access via LDAP/LDAPS
– Directory Access Control Lists / Instructions
  • Netscape / iPlanet / Sun uses ACI’s
  # Allow all access to the Directory Administrators Group
  aci: (targetattr ="*") (version 3.0;acl "Directory Administrators Group";
       allow (all) (groupdn = "ldap:///cn=Directory Administrators,dc=usc,dc=edu") ; )
Access to an entry is based on attributes of the entry. Group membership is not an attribute unless you create one like isMemberOf and populate it.
Directory Access
• Proxied access– Shibboleth ARP’s
<AttributeReleasePolicy>
<Rule>
<Target>
<Requester>ServiceProvider</Requester>
</Target>
<Attribute name=“urn:attributeURN”>
<AnyValue release=“permit”|“deny” matchFunction=
“urn:functionURN”>attributeValue</Value>
</Attribute>
</Rule>
</AttributeReleasePolicy>
Directory Access
• Shibboleth Rule Constraint (USC-authored patch for Shibboleth 1.3; included in 2.0)

<Constraint attributeName="urn:attributeURN"
            matchFunction="urn:functionURN"
            matches="(any|all|none)">value</Constraint>

This allows Shibboleth to restrict attribute release to a Service Provider based on attributes of the entry. This mimics the capabilities of Directory ACIs.
See http://its.usc.edu/~bbellina/gds/software/shibboleth/ShibbolethRuleConstraint.pdf
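An added example (not USC's patch or Shibboleth's own code) of how an ARP with a Rule Constraint can be evaluated: a rule applies only when its Target names the requesting SP and every Constraint holds for the user's own attributes, so a non-authorized user gets nothing from that rule, and a deny from any applicable rule overrides a permit. The SP URL, the entitlement URN and the user attributes are constructed, and only the exactString match function is implemented.

```python
import xml.etree.ElementTree as ET

# Shibboleth 1.3's exact-string match function; this example supports only that one.
EXACT = "urn:mace:shibboleth:arp:matchFunction:exactString"


def _match(function, pattern, value):
    if function != EXACT:
        raise ValueError("unsupported matchFunction: %s" % function)
    return pattern == value


def _constraint_holds(constraint, user_attrs):
    """matches="any|all|none" says how many of the user's values must match."""
    values = user_attrs.get(constraint.get("attributeName"), [])
    pattern = (constraint.text or "").strip()
    hits = [_match(constraint.get("matchFunction", EXACT), pattern, v) for v in values]
    mode = constraint.get("matches", "any")
    if mode == "any":
        return any(hits)
    if mode == "all":
        return bool(hits) and all(hits)
    if mode == "none":
        return not any(hits)
    raise ValueError("unknown matches mode: %s" % mode)


def _target_applies(rule, requester):
    target = rule.find("Target")
    return target is not None and any(
        (r.text or "").strip() == requester for r in target.findall("Requester"))


def evaluate_arp(arp_xml, requester, user_attrs):
    """Return {attribute: [values]} released to `requester`. Default is deny, and a
    deny from any applicable rule overrides a permit from another."""
    permitted, denied = {}, {}
    for rule in ET.fromstring(arp_xml).findall("Rule"):
        if not _target_applies(rule, requester):
            continue
        # Rule Constraint: the whole rule is skipped unless every constraint holds,
        # so an unauthorized user gets nothing from this rule at all.
        if not all(_constraint_holds(c, user_attrs) for c in rule.findall("Constraint")):
            continue
        for attr in rule.findall("Attribute"):
            name = attr.get("name")
            values = user_attrs.get(name, [])
            for spec in attr:
                if spec.tag == "AnyValue":
                    chosen = set(values)
                elif spec.tag == "Value":
                    fn, pat = spec.get("matchFunction", EXACT), (spec.text or "").strip()
                    chosen = {v for v in values if _match(fn, pat, v)}
                else:
                    continue
                bucket = permitted if spec.get("release", "permit") == "permit" else denied
                bucket.setdefault(name, set()).update(chosen)
    released = {}
    for name, values in permitted.items():
        keep = values - denied.get(name, set())
        if keep:
            released[name] = sorted(keep)
    return released


# Constructed sample policy (hypothetical SP and entitlement URN): the wiki SP gets
# affiliation plus its own entitlement, but only for users who hold that
# entitlement; a second rule withholds the "alum" affiliation value from it.
WIKI_SP = "https://wiki.example.edu/shibboleth"
SAMPLE_ARP = """<AttributeReleasePolicy>
  <Rule>
    <Target><Requester>https://wiki.example.edu/shibboleth</Requester></Target>
    <Constraint attributeName="urn:mace:dir:attribute-def:eduPersonEntitlement"
                matches="any">urn:mace:example.edu:wiki</Constraint>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement">
      <Value release="permit">urn:mace:example.edu:wiki</Value>
    </Attribute>
  </Rule>
  <Rule>
    <Target><Requester>https://wiki.example.edu/shibboleth</Requester></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <Value release="deny">alum</Value>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>"""
```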
USC Access Decisions
• Public entries should not have credentials - reduces risk of brute-force password attack
• End-user web applications should not handle user passwords
– Promote use of Shibboleth rather than LDAP
– Promote use of iVIP and SASU rather than local user accounts
– Discourage creation of alternate user stores
UMBC Access Decisions
• Web-based applications should not handle their own logins
– With certain exceptions, of course
– Currently using in-house WebISO (WebAuth)
– Shibboleth for external providers
• Other services (IMAP, host logins, etc.) should use Kerberos if possible, LDAP if not.
NMI Shibboleth

Shibboleth is…
• An open source SAML-based Web SSO package
– Provides both intra- and inter-campus Web SSO
– Privacy preserving
– Attribute delivery
– Supports federation model
• Relies on pre-existing authentication and attribute sources.
– Authentication done against existing system
– Attributes obtained from existing system ("Attribute Authority")
• SP is Apache and MS IIS compatible
• Free to use and customize
• Version 1.3 available since 2005, supports SAML 1.1 spec
• Version 2.0 currently in alpha testing, supports SAML 2.0 spec
Adoption in Higher-Ed
• Finland, Sweden, Denmark, Germany, Switzerland, Greece, The Netherlands
• Belgium, France, Spain, United Kingdom, Australia, New Zealand, United States
Why Shibboleth?
– Use same SSO for intra- and inter-campus
– Easy evolution from:
• Intra
• Local partners
• Federated
– SP support for different web servers
– Increasingly, campus applications need attributes for personalization and access control
– Privacy preserving
Shibboleth and USC
Configuring Shibboleth to Preserve Privacy
• No attributes released through Shibboleth by default
• Well-defined Attribute Request Process supported by Data Stewards
• Shibboleth does not release attributes for non-authorized users (via Rule Constraint patch)
• Shibboleth can prevent access by anonymous Service Providers (via USC patch, default in Shibboleth 2.0)
• Release entitlements rather than attributes
• Name-based identifiers replaced with persistent non-name-based IDs (uscPvid, eduPersonTargetedId) wherever possible
• Confidentiality respected (via Rule Constraint)
Use Shibboleth for…
• Information about the user accessing the web application
• Authentication using the enterprise account without the application handling the enterprise password
• Authorization using pre-established populations defined based on SOR data and managed exceptions
• Single sign-on (SSO) experience
• Extension of services to EDS user populations - students, staff, faculty, affiliates (through iVIP) and future populations (prospects, admits, alumni, parents, donors, etc.)
• Federated integration with other Shibbolized institutions
Use LDAP rather than Shibboleth for…
• Information about users who are not the user logging in to the web application
• Information about groups
• For non-Shibbolizable applications, provides authentication using enterprise credentials (single account, though not single sign-on)
• For non-Shibbolizable applications, provides authorization using pre-defined populations
• Server queries to the Enterprise Directory
Using Shibboleth and iVIP to Extend eServices to Affiliates
• User is sponsored in iVIP, which establishes a Person Registry entry and allows the assignment of USC services.
• User uses the USC First Login web page to establish a link between their home institution account and the USC iVIP account.
• User authenticates at the home institution but is authorized by the USC IdP to access USC services. The USC-assigned identifier is provided to the USC service, not the home institution identifier.

Monitoring Performance
Why Monitor Performance?
• Availability: It's up… isn't it?
Directories often require 7x24 availability
• Responsiveness: It's fast enough… maybe.
Directories often require extremely fast response and can be affected by unplanned usage through public interfaces
• Scalability: We can handle that… I think.
Structural changes, indices, and increases in the number of entries, attributes or queries may affect performance.
Metrics to Monitor
• Response time
• Connection requests
• Bind requests
• Bind errors
• Search requests
• Search errors
• Avg count & size of search results
• Directory cache hits
• Directory cache tries
• Bind response time
• Search response time
• Current connections
• Avg connection length
• Current binds
• Current searches
• # Bytes transmitted
• # Entries transmitted
Methods to Monitor
• LDAP query
• LDAP log monitoring
• Directory probing
• Existing free utilities
– Orca - open source tool for monitoring OS
– Look - LDAP operational Orca "k"ollector
– Cacti - open source tool for monitoring OS via SNMP
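As an added example of the "LDAP log monitoring" method (not code from the authors or from Orca/Look), this derives several of the metrics listed above from Netscape/Sun Directory Server access-log lines by pairing each BIND or SRCH request with its RESULT line on the same connection and operation number. The log lines, hosts and DNs are constructed; the per-client count of bind errors is the figure to watch for the brute-force risk mentioned under USC Access Decisions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines in the Netscape/Sun Directory Server access-log format:
# a service-account session with three operations, then a failed user bind
# from a second client followed by a search that returns an error.
SAMPLE_LOG = """\
[23/Oct/2007:10:15:30 -0700] conn=12 fd=64 slot=64 LDAP connection from 10.1.2.3 to 10.1.0.1
[23/Oct/2007:10:15:30 -0700] conn=12 op=0 BIND dn="uid=app1,ou=service accounts,dc=usc,dc=edu" method=128 version=3
[23/Oct/2007:10:15:30 -0700] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[23/Oct/2007:10:15:31 -0700] conn=12 op=1 SRCH base="ou=people,dc=usc,dc=edu" scope=2 filter="(uid=jdoe)" attrs="cn mail"
[23/Oct/2007:10:15:31 -0700] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/Oct/2007:10:15:32 -0700] conn=12 op=2 SRCH base="ou=people,dc=usc,dc=edu" scope=2 filter="(cn=*)" attrs="cn"
[23/Oct/2007:10:15:34 -0700] conn=12 op=2 RESULT err=0 tag=101 nentries=3 etime=2
[23/Oct/2007:10:15:35 -0700] conn=12 op=3 UNBIND
[23/Oct/2007:10:15:35 -0700] conn=12 op=-1 fd=64 closed - U1
[23/Oct/2007:10:15:40 -0700] conn=13 fd=65 slot=65 LDAP connection from 10.9.9.9 to 10.1.0.1
[23/Oct/2007:10:15:40 -0700] conn=13 op=0 BIND dn="uid=jdoe,ou=people,dc=usc,dc=edu" method=128 version=3
[23/Oct/2007:10:15:40 -0700] conn=13 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[23/Oct/2007:10:15:41 -0700] conn=13 op=1 SRCH base="ou=nowhere,dc=usc,dc=edu" scope=2 filter="(uid=jdoe)" attrs="mail"
[23/Oct/2007:10:15:41 -0700] conn=13 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[23/Oct/2007:10:15:50 -0700] conn=13 op=-1 fd=65 closed - U1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$")
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+) etime=(?P<etime>[\d.]+)")
OPEN_RE = re.compile(r"LDAP connection from (?P<ip>[\d.]+)")


def _avg(xs):
    return round(sum(xs) / len(xs), 2) if xs else 0.0


def summarize_access_log(lines):
    """Pair each BIND/SRCH request with its RESULT by (conn, op) and return the
    counters from the "Metrics to Monitor" list that the access log can supply."""
    pending = {}            # (conn, op) -> "BIND" | "SRCH"
    opened = {}             # conn -> (open time, client ip)
    counts = {"connections": 0, "bind_requests": 0, "bind_errors": 0,
              "search_requests": 0, "search_errors": 0}
    bind_etimes, search_etimes, search_entries, conn_lengths = [], [], [], []
    bind_errors_by_ip = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, conn, op, rest = m.group("ts", "conn", "op", "rest")
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if rest.startswith("BIND "):
            counts["bind_requests"] += 1
            pending[(conn, op)] = "BIND"
        elif rest.startswith("SRCH "):
            counts["search_requests"] += 1
            pending[(conn, op)] = "SRCH"
        elif rest.startswith("RESULT "):
            kind, r = pending.pop((conn, op), None), RESULT_RE.match(rest)
            if kind is None or r is None:
                continue
            err, nentries, etime = int(r["err"]), int(r["nentries"]), float(r["etime"])
            if kind == "BIND":
                bind_etimes.append(etime)
                if err:   # err=49 is invalidCredentials; count it per client address
                    counts["bind_errors"] += 1
                    bind_errors_by_ip[opened.get(conn, (None, "unknown"))[1]] += 1
            else:
                search_etimes.append(etime)
                search_entries.append(nentries)
                if err:
                    counts["search_errors"] += 1
        elif OPEN_RE.search(rest):
            counts["connections"] += 1
            opened[conn] = (when, OPEN_RE.search(rest)["ip"])
        elif re.search(r"\bclosed\b", rest):
            start = opened.pop(conn, None)
            if start:
                conn_lengths.append((when - start[0]).total_seconds())
    counts.update(
        avg_bind_etime=_avg(bind_etimes),
        avg_search_etime=_avg(search_etimes),
        avg_search_entries=_avg(search_entries),
        avg_connection_seconds=_avg(conn_lengths),
        bind_errors_by_ip=dict(bind_errors_by_ip),
    )
    return counts
```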
Directory Administration Tools
• USC
– ACIs and schema managed via LDIF
– Perl admin scripts for querying, adding attributes to entries, replacing attributes in entries, modifying group membership
– Plans to write a web utility for group creation and maintenance
– Plans to write a web utility to allow departments to manage group memberships
• UMBC
– Sun One Directory Server Console (it's almost usable again…)
– Custom web applications for administration and self-service
– Perl, perl, perl. (and a little bit of Java)
– Exploring Grouper & Signet for advanced group and role management
Directory Replication and Synchronization
Replication / Synchronization
• Why?
– Redundancy
– Capacity
– Isolation of heavy directory consumers (e.g. mail servers query their own replicas)
• What?
– The whole directory, or just some…
• Whole directory replicas…
– "Built in" to most modern directory servers: OpenLDAP, Sun JDS, Active Directory, etc.
– Replicas are typically "read only"
– Some support "multi-master" replication
• Some do it well (Active Directory), some not so well…
• Partial / Filtered Replication… Why?
– An application may only need one subtree of the DIT (e.g. mail routing)
– A "white pages" directory with restricted information (outside of a firewall)
– An application may need to have information represented in a "special" way (boo!)
– An application may only work against "brand y" directory and you have "brand x" (tsk tsk!)
• How?
– Some products have the ability to filter attributes and/or subtrees.
– Want to do something more complicated?
• Sun JDS has a query-able "changelog" that can advise you when a directory object has been modified, to trigger a synchronization operation
• UMBC does its real-time external feeds through monitoring for interesting changelog events.
• Write code to do anything from something as simple as comparing/updating an object on a remote directory to transforming attributes, groups, etc…
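As an added example (not UMBC's feed code) of the changelog-driven, filtered synchronization described above: entries read from the Sun JDS retro changelog (changeNumber, targetDn, changeType and the LDIF in the changes attribute) are reduced to one subtree and an attribute allow-list for a hypothetical mail-routing replica, turned into LDIF for the remote directory, and the highest changeNumber applied is returned so the watcher can persist it and resume. The changelog entries, DNs and allow-list are constructed; modrdn changes are not handled.

```python
# Constructed retro-changelog entries as they would come back from a search
# under cn=changelog; the "changes" attribute holds LDIF for add/modify.
SAMPLE_CHANGELOG = [
    {"changeNumber": "100", "targetDn": "uid=jdoe,ou=people,dc=umbc,dc=edu",
     "changeType": "modify", "changes": "replace: cn\ncn: Jane Doe\n-\n"},
    {"changeNumber": "101", "targetDn": "uid=jdoe,ou=people,dc=umbc,dc=edu",
     "changeType": "modify",
     "changes": "replace: mail\nmail: jdoe@umbc.edu\n-\nadd: telephoneNumber\ntelephoneNumber: +1 410 555 0100\n-\n"},
    {"changeNumber": "102", "targetDn": "cn=mailadmins,ou=groups,dc=umbc,dc=edu",
     "changeType": "modify", "changes": "add: member\nmember: uid=jdoe,ou=people,dc=umbc,dc=edu\n-\n"},
    {"changeNumber": "103", "targetDn": "uid=asmith,ou=people,dc=umbc,dc=edu",
     "changeType": "modify", "changes": "replace: telephoneNumber\ntelephoneNumber: +1 410 555 0199\n-\n"},
    {"changeNumber": "104", "targetDn": "uid=old,ou=people,dc=umbc,dc=edu",
     "changeType": "delete"},
]

MAIL_REPLICA_BASE = "ou=people,dc=umbc,dc=edu"   # subtree the hypothetical mail replica needs
MAIL_REPLICA_ATTRS = {"objectclass", "uid", "mail", "mailroutingaddress"}   # hypothetical allow-list


def _norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))


def in_subtree(dn, base):
    n, b = _norm(dn), _norm(base)
    return n == b or n.endswith("," + b)


def parse_mods(changes):
    """Parse the LDIF in a modify entry's "changes" attribute into (op, attr, [values]).
    Base64 ("::") values are not handled in this example."""
    mods, current = [], None
    for line in changes.splitlines():
        if line == "-":
            if current:
                mods.append(current)
            current = None
            continue
        key, _, value = line.partition(":")
        if current is None and key in ("add", "replace", "delete"):
            current = (key, value.strip(), [])
        elif current is not None and key.lower() == current[1].lower():
            current[2].append(value.strip())
    if current:
        mods.append(current)
    return mods


def filter_change(entry, base, allowed):
    """Return LDIF for the target replica, or None when nothing in the change matters to it."""
    dn = entry["targetDn"]
    if not in_subtree(dn, base):
        return None
    ctype = entry["changeType"]
    if ctype == "delete":
        return f"dn: {dn}\nchangetype: delete\n"
    if ctype == "add":
        kept = [l for l in entry["changes"].splitlines() if l.partition(":")[0].lower() in allowed]
        if not kept:
            return None
        return f"dn: {dn}\nchangetype: add\n" + "\n".join(kept) + "\n"
    if ctype == "modify":
        mods = [m for m in parse_mods(entry["changes"]) if m[1].lower() in allowed]
        if not mods:   # every modified attribute is outside the allow-list
            return None
        out = [f"dn: {dn}", "changetype: modify"]
        for op, attr, values in mods:
            out.append(f"{op}: {attr}")
            out.extend(f"{attr}: {v}" for v in values)
            out.append("-")
        return "\n".join(out) + "\n"
    return None   # modrdn and anything else: not handled by this example


def process_changelog(entries, last_seen, base, allowed):
    """Apply changelog entries newer than last_seen in order; return (ldif records, new last_seen).
    Persist last_seen so a restarted watcher resumes where it stopped."""
    ldif = []
    for entry in sorted(entries, key=lambda e: int(e["changeNumber"])):
        number = int(entry["changeNumber"])
        if number <= last_seen:
            continue
        record = filter_change(entry, base, allowed)
        if record:
            ldif.append(record)
        last_seen = number
    return ldif, last_seen
```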
Authentication Services
Internal Authentication
• userPassword attribute
• Password can be stored using one of several hashing/encryption schemes, although the compatibility requirements of services may limit the choices
• LDAP bind operation
• LDAP compare operation
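An added example (not from the authors or any directory server) of what the bind and compare operations do against a stored userPassword value: the {SCHEME}base64 form used by Netscape/Sun and OpenLDAP is parsed, the candidate password is hashed with the stored salt and compared in constant time. Only the {SSHA}, {SHA} and cleartext forms are implemented; {CRYPT} and other schemes raise an error.

```python
import base64
import hashlib
import hmac
import os


def make_userpassword(password, scheme="SSHA", salt=None):
    """Produce a userPassword value in the {SCHEME}base64 form used by Netscape/Sun/OpenLDAP.
    {SSHA} is base64(sha1(password + salt) + salt); {SHA} is unsalted."""
    pw = password.encode("utf-8")
    if scheme == "SSHA":
        salt = os.urandom(4) if salt is None else salt
        return "{SSHA}" + base64.b64encode(hashlib.sha1(pw + salt).digest() + salt).decode()
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    raise ValueError("scheme not implemented here: %s" % scheme)


def check_userpassword(stored, candidate):
    """What the server does on a bind, or on a compare against userPassword:
    recompute the hash of the candidate with the stored salt and compare digests."""
    pw = candidate.encode("utf-8")
    if not stored.startswith("{"):                      # cleartext storage
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    scheme, _, data = stored[1:].partition("}")
    raw = base64.b64decode(data)
    if scheme.upper() == "SSHA":
        digest, salt = raw[:20], raw[20:]               # sha1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme.upper() == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    raise ValueError("scheme not implemented here: %s" % scheme)
```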
External Authentication
• Passing authentication to Kerberos
– Free directory plug-ins for iPlanet/Sun available
• University of Notre Dame
• Duke
• USC (currently available on request, will eventually be released as open-source)
Authorization Services
USC Directory Enforced AuthZ
LDAP-enabled applications use ACIs to constrain the application service account so that only authorized user entries are accessible
– Group defines the authorized users of the application. Each member entry has eligibility attributes set - uscAuthEligible, uscAuthEligibleDN.
– Application is assigned a service account that is constrained by an ACI to see only the entries with the uscAuthEligibleDN value for the application.
– Uses wildcards to allow a single ACI to handle most constrained application service accounts.
– Use an ACI to prevent constrained apps from seeing publicly visible entries
Managing Attribute Release
Attribute Release
• Consider impact of FERPA and HIPAA. Make sure that applications are not passing data on to other applications or displaying protected data inappropriately.
• Keep track of what is released to whom so that impacts are known when directory changes must be made
• Make it easy on yourself: default == deny.
Attribute Release Mechanisms
Releasing attributes via LDAP service accounts
– Use service accounts and ACIs to limit attribute release to those applications that require it.
– Can be used to retrieve attributes about any visible entries.
– Mapping to groups via LDAP may be used to reduce the need to propagate group information to applications.
Releasing attributes via Shibboleth
– Attributes for the user logging in are released. Shibboleth is normally not used to retrieve attributes about other users, groups, or other directory objects.
Provisioning
– Directory log watcher used to provision to an external directory in real time
– Using signature attributes to facilitate provisioning of static groups
Federalization (via Shibboleth)
– Releasing local attributes to remote services
– Releasing local attributes about remote guests
Directory Team Staffing
USC Directory Technical Team
• 1 FTE Identity Services/Directory Architect
• 1 FTE Sr Developer focused on Registry
• 1 FTE Technical Analyst focused on Shibboleth, Directory Design, Metadirectory Functions, Application Integration
• 1 FTE Sr Application Developer
• 1 FTE Developer
• 2 FTE Sr Account System Administrators
• Open - 1 FTE Sr Developer for Web Services
• Note: Hardware and OS support are managed by resources in another department.

UMBC Directory Team
• 1 FTE IDMS Architect / Integrator
• 1 FTE Junior Developer (open!)
• … other intrepid souls in our department and others picking up tasks such as:
• Identity resolution issues
• Managing identities of campus affiliates
Additional Issues to Consider
• Not a "safe" career path
– Saying "no" in higher-ed is unhealthy. Even saying "no without data steward approval" is unhealthy when in central IT.
• Compatibility with all applications is not achievable
– dn syntax
– Use of service accounts
– Use of Shibboleth
• Application administrators are always a problem
– Special accounts
– Special privileges
– Poorly managed
Future Advancements
• NMI Grouper
– Groups Registry
• NMI Signet
– Privileges Registry
• NMI Shibboleth 2.0
– SAML 2.0 compliant web SSO product that supports a federalized model and privacy protection

Institutional Policies to Consider
Institutional Policies
• Release of data should require data steward approval
– Risk: They'll stop giving you data
• Registry should not be used for reporting or end-user access
– Risk: Access controls between Registry and Directory may be impossible to sync, so you may release data inappropriately. Performance may suffer.
• Access controls should be in the directory
– Risk: Applications will use whatever data they can get. Honey pots of identity information will exist on department servers that are likely to be poorly managed and secured.
• Applications should not pass data to each other
– Risk: Understanding of what apps are using what data will be lost. Data stewards will lose trust and stop providing data. Cripples ability to make changes in the directory, which could lead to being non-standard.
• Authorization should be required
– Risk: Authentication alone forces applications to do authorization. This will cause problems when you expand the population of the directory. It also makes it impossible for an audit to determine who has what authorizations. It also requires the continued bad practice of data stewards shipping data to end-user apps.
• Know who is using what attributes
– Risk: Directory changes are inevitable. If you do not know who is using what, you will be unable to make changes without knowing the impacts.
• Follow standards wherever possible
– Risk: Following standards is the safest way to ensure compatibility with the widest possible array of applications and services. If an application cannot use your enterprise directory they will build their own.
• Applications should only be given persistent identifiers that are never reissued
– Risk: Applications may have different purge practices. The reuse of identifiers risks a person getting inappropriate access to another person's records.
• Anonymous access should not allow access to FERPA or otherwise private information
– Risk: Privacy needs to be protected. In addition, if a service tries to use the public interface to the directory without approval for their application, it will not work for FERPA and private people, which will eventually force them to seek appropriate approval.
• Do not delete entries from the Registry or Directory
– Risk: Identifiers may be mistakenly reissued. A person returning may not be recognized and given new identifiers. This means though that when people return, privileges must be reexamined.
Inter-institutional Collaborative Resources
• MACE : Middleware Architecture Committee for Education
• MACE-Dir : MACE Directories Working Group
• NMI : National Middleware Initiative
• Internet2
• EDUCAUSE

Questions
Online Resources
• USC Global Directory Service, <http://www.usc.edu/gds>
• UMBC Directory, <http://www.umbc.edu/oit>
• Notre Dame Enterprise Directory Service, <http://eds.nd.edu>
• eduPerson object class, <http://www.educause.edu/eduperson/>
• Internet2 Middleware, <http://middleware.internet2.edu/>
• ORCA software, <http://www.orcaware.com>
• Look software, <http://middleware.internet2.edu/dir/look/>
• Cacti, <http://www.cacti.net>
• ND iDS Kerberos4/5 Plug-in, <http://eds.nd.edu/docs/authnplugin>
• Duke iDS Auth Plug-in, <http://www.oit.duke.edu/~rob/krbdirp/>

Contact Information:
Brendan Bellina, [email protected], http://isd.usc.edu/~bbellina
Rob Banz, [email protected], http://umbc.edu/~banz

Copyright 2006-2007 by Brendan Bellina and Rob Banz. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.