Directory Services Workshop

University of Colorado

June 3, 2002


Agenda

9-10 a.m. Overview

10-11 a.m. Registry Concepts

11 a.m.-noon Directory Structure

Noon-1 p.m. Lunch & Campus Experiences

1-1:30 p.m. Server Environment

1:30-2 p.m. Security

2-2:30 p.m. Client Access

2:30-3 p.m. Four-campus Implications


Introductory Remarks

Dennis Maloney, Director, Information Technology Services, University of Colorado at Boulder



Project History – Goals & Status

  • Develop UCB Enterprise Directory

    • Initial phase implemented Nov. 5, 2001

  • Create trusted, authoritative data source

    • ED blends SIS, HR and campus data using policies, business rules and process.

  • Useable by variety of apps and services

    • Built upon LDAP standards, maximizing use

    • Current uses: white pages, printed directory, calendar pilot, affiliation verification, RADIUS pilot, Mac lab authentication pilot


Project History – Goals & Status

  • Identity, data & relationship management

    • Logic applied based upon business rules

    • Identity verification via emplid, sid, ssn, previous sid, name, dob, gender.

    • Unique, permanent identifier assigned to each person.

    • Establish current/active affiliations, primary affiliation

  • Authentication

    • Framework established

    • Solution options being tested


High-level Description

[Diagram, labels only] Core Team (ucb/cusys Enterprise Directory); 4-Campus Registry; Business Rules; Steering Team (cusys Enterprise Directory); Campus Experts; source systems SIS, HR and Uniquid.


Registry Concepts

  • Registry/Directory and Data

  • Registry Database Design & Use


Registry/Directory and Data

  • Distinct sources for distinct roles (students, employees, faculty, electronic accounts, etc.)

  • Unique identifiers for each system

  • Blending together to build a CU Person (uuid)

  • Sources shown feeding the CU Person, with the role and identifier each contributes:

    • HR: fac/staff; empID

    • SIS: student; SID

    • FIS: faculty; SSN

    • Uniquid: accounts; unix ID

    • IDcard: photos; ISO

    • Telecom: phone locn; phone #


Student Data

SIS -> Registry/Directory (java)

  • For Identity Matching:

    • Student ID, Previous ID

    • Name, Birth date, Gender

  • For Affiliation Logic, Authorization & Data Access:

    • Enrollment Status, Withdraw Code, Expected Return

    • Fees Paid Indicator

    • Privacy Flag

  • For Directory Publication:

    • Name

    • Local Address and Telephone

    • Major(s), Minor(s), College(s)

    • Class Level


Student Affiliation

  • Enrollment status code = E

  • Withdraw code null

  • or Expected return date in the future

  • Type of student affiliation is based upon Academic Unit

    • Student (= “Student” affiliation)

    • Continuing Ed Credit Student (= “Student” affiliation)

    • Continuing Ed Non-Credit Student (= “Affiliate” affiliation)

  • Campus Affiliation based upon first character of AU


Faculty and Staff Data

PSHR -> Registry/Directory (sql via db link)

  • For Identity Matching:

    • Employee Number, SSN

    • Name, Birth date, Gender

  • For Employee and Job Selection:

    • Job status

    • Employment end date

  • For Directory Publication:

    • Name

    • Campus Box and Campus Phone

    • Job Department(s), Home Department

    • Job Class Title(s)

    • Business Title(s)


Employee Affiliation

  • Appropriate employment status code

  • Appointment end date in the future

  • Type of employee affiliation is based upon Job Code

    • Faculty, Clinical Faculty, Research Faculty, Medical Resident, Fellowship/Trainee = “Faculty”

    • Student Faculty = “Student” and “Faculty”

    • Officer/Exempt Professional = “Officer/Professional” & “Staff”

    • Student Employee = “Affiliate” or “Employee”

    • Retiree = “Retiree” or “Affiliate”

    • Staff = “Staff”

  • Campus Affiliation based upon first character of department code


Campus-Specific Data or Systems

Campus systems feeding the Registry/Directory:

  • Uniquid (Java): Account & Email data (person)

  • ID Card: ISO and jpeg

  • Telecom: Office building/room data

  • FIS: Faculty Research and Degree data


Future Data Sources

  • Registry "Self-Update" (update only) -> Registry/Directory. Data allowed:

    • Nickname

    • HomePage (…colorado.edu)

    • Preferred contact

    • Alternate contact

    • Fax

    • Cell Phone

    • Pager (phone)

    • Pager (text)

    • Activities

    • Areas of expertise

  • Sponsored Affiliates Entry, passing through the Identity Match & Reconciliation Logic -> Registry/Directory. Data edits:

    • Name

    • Identifier

    • Affiliation

    • Sponsor

    • Expiration


Registry Schema (abbreviated)

Tables shown on the slide, with the columns listed for each:

  • DIR_PERSON: uuid, ssn, sid, employeeNumber, privacy, dir_uid, primaryAffiliation, homeDepartment, dob, gender, prev_sid, sis_update, hr_update, uniquid_update, self_update, …address/phone/etc data…

  • UCBEMAIL_ONLY: cuMailUniq, cuid, mail, emailHome, emailRewrite

  • DIR_COMMON_NAME

  • DIR_EMAIL: emailSeqNo, uuid, campus, dir_uid, mail_flag

  • DIR_SURNAME

  • DIR_GIVEN_NAME

  • DIR_CAMPUS_SPECIFIC: uuid, campus, ISO, roomNumber, physicalDeliveryOfficeName

  • DIR_ORG_UNIT_DN

  • DIR_AU_SPECIFIC: uuid, AU, Term, expectedReturn, feesIndicator, enrollment_status_code, withdraw_code, …academic info…

  • DIR_DEGREE

  • DIR_RESEARCH

  • DIR_AFFILIATION: AffiliationSeqNo, uuid, description, eduPersonAffiliation, campus, sponsored_by, expiration_date, orgDN

  • DIR_ACTIVITIES

  • DIR_CERT

  • DIR_JOB: JobSeqNo, uuid, job_Code, dept_ID, title, emplmnt_status_code, emp_type_code, reg_temp_code, Affiliation, Appoint_end_date

  • DIR_PW

  • DIR_EXCEPTION: uuid, sid, ssn, source

  • DIR_SEEALSO

  • DIR_PRIOR_NAME


Registry Schema - views

create or replace view au_specific_view as
select h.uuid, h.au, h.feesIndicator, h.college, h.affiliation, h.college2,
       h.primaryMajor1, h.primaryMajor2, h.primaryMinor,
       h.secondaryMajor1, h.secondaryMajor2, h.secondaryMinor,
       h.primaryMajor1Option, h.primaryMajor2Option,
       h.secondaryMajor1Option, h.secondaryMajor2Option,
       l1.college_desc,
       l2.college_desc "COLLEGE2_DESC",
       m1.major_desc "PRIMARYMAJOR1_DESC",
       m2.major_desc "PRIMARYMAJOR2_DESC",
       m3.major_desc "PRIMARYMINOR_DESC",
       m4.major_desc "SECONDARYMAJOR1_DESC",
       m5.major_desc "SECONDARYMAJOR2_DESC",
       m6.major_desc "SECONDARYMINOR_DESC",
       n1.major_option_desc "PRIMARYMAJOR1OPTION_DESC",
       n2.major_option_desc "PRIMARYMAJOR2OPTION_DESC",
       n3.major_option_desc "PRIMARYMAJOR3OPTION_DESC",   -- description of h.secondaryMajor1Option
       n4.major_option_desc "PRIMARYMAJOR4OPTION_DESC",   -- description of h.secondaryMajor2Option
       h.classlevel
  from dir_au_specific h,
       college_table l1, college_table l2,
       majors_table m1, majors_table m2, majors_table m3,
       majors_table m4, majors_table m5, majors_table m6,
       major_option_table n1, major_option_table n2,
       major_option_table n3, major_option_table n4
 -- (+) marks Oracle outer joins: the row is kept even when a code has no lookup description
 where l1.college_code (+) = h.college
   and l2.college_code (+) = h.college2
   and m1.major_code (+) = h.primaryMajor1
   and m2.major_code (+) = h.primaryMajor2
   and m3.major_code (+) = h.primaryMinor
   and m4.major_code (+) = h.secondaryMajor1
   and m5.major_code (+) = h.secondaryMajor2
   and m6.major_code (+) = h.secondaryMinor
   and n1.major_option_code (+) = h.primaryMajor1Option
   and n2.major_option_code (+) = h.primaryMajor2Option
   and n3.major_option_code (+) = h.secondaryMajor1Option
   and n4.major_option_code (+) = h.secondaryMajor2Option   -- n4 must join on the second option column, not secondaryMajor1Option again
   and h.affiliation = 'Y';


Directory Structure

  • Directory Objects: eduPerson, cuEduPerson, coloradoPerson

  • Console demo

  • Metamerge demo


Directory Objects

Object classes making up a person entry, with the attributes shown for each:

  • person: cn, description, seeAlso, sn, telephoneNumber, userPassword

  • organizationalPerson: facsimileTelephoneNumber, ou, physicalDeliveryOfficeName, postalAddress (street, st, postalCode, l), postOfficeBox, preferredDeliveryMethod, title

  • inetOrgPerson: o & departmentNumber, displayName, givenName, employeeNumber, employeeType, homePhone, homePostalAddress, jpegPhoto & labeledURI, mail, uid, mobile & pager, roomNumber, userCertificate

  • eduPerson: affiliation, nickName, orgDN, orgUnitDN, primaryAffiliation, principalName

  • cuEduPerson: uuid, au, activities & research, alternateContact, campus, degreeInstitution & Yr, employmentStartDate, Expertise, feesIndicator, highestDegree, homeDepartment, ISO, major, minor, class, Privacy, SID, SSN, jobClassification, schoolCollegeName, Identifiers…

  • coloradoPerson: Macgridnumber, Machomelocpath, Machomedir

  • cusysPerson (listed on the slide; its attributes are not broken out)


Sample Directory Entry

dn: uuid=100056249, ou=people, dc=colorado, dc=edu

cn: Roberto Roybal

sn: Roybal

givenname: Roberto

postaladdress: 455 UCB

objectclass: top

objectclass: person

objectclass: organizationalperson




Lunch!

  • Eat! Drink!

  • Share your experiences!


Server Environment

  • Hardware

  • iPlanet Directory Server

  • Enterprise Directory Architecture (Directory Instances – configuration, replication, ssl, subnets)


Server Environment

  • Development

  • Production

  • Failover


Security

  • ACLs

  • Privacy

  • Directory and Security Initiatives


Privacy

  • FERPA constraints

    • Privacy-enabled students

    • Public vs. private student data

  • Public vs. private employee data

  • Who can see what?


ACLs

  • Where and/or what is the resource to be accessed?

  • How can the resource be accessed?

  • Who can and/or when can a resource be accessed?

From iPlanet Learning Solutions: iPlanet Directory Services: Analysis and Planning 5.0


ACLs

  • Anonymous ACL example (anonymous binds may read, compare and search home address and phone only on entries that do NOT match the exclusion filter, i.e. students with no privacy flag; non-students, Affiliates and privacy-flagged entries are excluded):

    (targetattr="homePostalAddress||homephone")
    (target="ldap:///ou=people,dc=colorado,dc=edu")
    (targetfilter!="(|(&(edupersonprimaryaffiliation=Student)(cuedupersonprivacy=*))
                     (!(edupersonprimaryaffiliation=Student))
                     (edupersonprimaryaffiliation=Affiliate)
                     (cuedupersonprivacy=D))")
    (version 3.0; acl "anonymous-student homeinfo";
     allow (read,compare,search)
     userdn="ldap:///anyone";)
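As an added example (not from the workshop slides), a small evaluator for the targetfilter above: it parses the exclusion filter, with the slide's malformed NOT term written as a proper `(!(...))`, and runs it against constructed entries to show which entries expose home address and phone to an anonymous bind. It handles the RFC 4515 subset the ACI uses (AND, OR, NOT, equality, presence); the sample entries are constructed.

```python
import re

# Exclusion filter quoted from the slide's targetfilter; the slide's (!edupersonprimaryaffiliation=Student) is written as a proper NOT filter.
EXCLUDE = ("(|(&(edupersonprimaryaffiliation=Student)(cuedupersonprivacy=*))"
           "(!(edupersonprimaryaffiliation=Student))"
           "(edupersonprimaryaffiliation=Affiliate)"
           "(cuedupersonprivacy=D))")

_ITEM = re.compile(r"([A-Za-z][\w;-]*)=([^)]*)\)")   # attr=value)  or  attr=*)

def parse(s, i=0):
    """Parse the parenthesised filter starting at s[i]; return (node, index_after)."""
    i += 1                                   # step past the opening '('
    if s[i] in "&|!":                        # AND / OR / NOT over nested filters
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1             # skip the closing ')'
    m = _ITEM.match(s, i)
    return ("=", m.group(1).lower(), m.group(2)), m.end()

def matches(node, entry):
    """Evaluate a parsed filter against an entry given as {lowercase attr: [values]}."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    values = entry.get(attr, [])
    if val == "*":                           # presence test: attribute has any value
        return bool(values)
    return any(v.lower() == val.lower() for v in values)   # caseIgnore equality

def anonymous_home_info_visible(entry):
    """targetfilter != EXCLUDE: the ACI applies only to entries that do NOT match it."""
    tree, _ = parse(EXCLUDE)
    return not matches(tree, entry)

# Constructed sample entries (not real directory data).
SAMPLES = {
    "student, no privacy flag": {"edupersonprimaryaffiliation": ["Student"]},
    "student, privacy flag":    {"edupersonprimaryaffiliation": ["Student"], "cuedupersonprivacy": ["Y"]},
    "staff member":             {"edupersonprimaryaffiliation": ["Staff"]},
    "affiliate":                {"edupersonprimaryaffiliation": ["Affiliate"]},
}

if __name__ == "__main__":
    print({label: anonymous_home_info_visible(e) for label, e in SAMPLES.items()})
```

Only the first sample entry comes back visible; an entry with no primary affiliation at all is also excluded, since it matches the `(!(edupersonprimaryaffiliation=Student))` branch.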


ACLs

  • Read-all ACL example (members of the Readall group may read, compare and search every attribute, except on entries under ou=special):

    (targetattr="*")
    (target != "ldap:///*,ou=special,dc=colorado,dc=edu")
    (version 3.0; acl "powerusers-read";
     allow (read,compare,search)
     groupdn="ldap:///cn=Readall,ou=groups,ou=special,dc=colorado,dc=edu";)


UCB’s Kerberos and the Directory

  • Solutions considered…

    • Synchronize Passwords

    • Migrate to “Heimdal” Kerberos

    • Simple Authentication and Security Layer (SASL)

    • Pre-Operation Directory Plug-in

  • The winner is …



Lessons Learned and Next Steps

  • App must be able to look up the DN (our DN is not the username; i.e., cuedupersonuuid=100056463,ou=People,dc=Colorado,dc=edu vs. jonesdr)

  • Plugin API compatibility issues with iPlanet Directory version changes.

  • 5.1 plugin retrieves & caches both the Kerberos ticket-granting ticket and the host ticket.


Directory’s Role in Security

  • Directory Enabled Applications

  • Authentication

  • Authorization

  • Network Security & Radius



Client Access

  • White Pages architecture

  • Unix command line lookup

  • Address Book mappings

  • LDAP Browser


White Pages Architecture

[Diagram] Request path, numbered (1) to (6) on the slide:

  • Desktop client (web browser) sends an HTTP request to the Apache web server with the mod_jk.so plugin module

  • Apache forwards the request over AJP 1.3 on port 8009 (Apache-Java Protocol) to the Tomcat servlet engine running under Java JDK 1.3

  • The Cocoon publishing framework or other Java servlet using XML/XSL & JNDI issues a JNDI LDAP query to the Directory; the result returns along the same path

  • A desktop email client (Outlook, Netscape, Eudora) or other LDAP client queries the Directory directly with an anonymous LDAP query


White Pages – xml example (part 1)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd">

<page>

<cnfull>marangak</cnfull>

<campus>

*

</campus>

<affiliation>

*

</affiliation>

<ldapsearch>


White Pages – xml example (part 2)

<searchresult id="cuEduPersonUUID=100038089">

<displayname>Andrew Marangakis</displayname>

<givenname>ANDREW</givenname>

<cuedupersonemailhome>[email protected]</cuedupersonemailhome>

<cuedupersoncampus>Boulder Campus</cuedupersoncampus>

<objectclass>top</objectclass>

<objectclass>person</objectclass>

<objectclass>organizationalperson</objectclass>

<objectclass>inetorgperson</objectclass>

<objectclass>eduPerson</objectclass>

<objectclass>cuEduPerson</objectclass>

<cuedupersonhomedepartment>ITS-Administration</cuedupersonhomedepartment>

<edupersonaffiliation>Staff</edupersonaffiliation>

<edupersonaffiliation>Employee</edupersonaffiliation>

<ou>ITS-Administration</ou>

<mail>[email protected]</mail>

<cn>Marangakis,Andrew</cn>

<cn>Andrew Marangakis</cn>

<cn>Marangakis Andrew</cn>

<telephonenumber>303 492 0527</telephonenumber>

<cuedupersonclass>UNCLASSIFIED NON-CREDIT CE</cuedupersonclass>

<cuedupersonuuid>100038089</cuedupersonuuid>

<postaladdress>455 UCB</postaladdress>

<description>Staff</description>

<sn>MARANGAKIS</sn>

<edupersonprimaryaffiliation>Staff</edupersonprimaryaffiliation>

<cuedupersonjobclassification>IT Professional III</cuedupersonjobclassification>

<title>IT Professional III</title>


Client Access – Unix Command Line

#!/bin/sh
# Look up people whose cn contains the first script argument and print only the attribute values.
# The DN line (cuEduPersonUUID=...) is dropped and each remaining "attr=value" line is reduced to its value.
ldapsearch -h directory.colorado.edu -b "dc=Colorado, dc=EDU" "cn=*${1}*" \
  displayname telephonenumber cuedupersonschoolcollegename \
  cuedupersonprimarymajor1 cuedupersonclass title description \
  cuedupersonhomedepartment postaladdress homepostaladdress homephone mail \
  cuedupersonemailhome \
  | grep -v cuEduPersonUUID \
  | awk -F= '{print $2}'


Client Access – Address Books

  • Eudora – Tools/Directory Services

    • LDAP Database: directory.colorado.edu

    • Search base: dc=colorado,dc=edu

    • Attributes: can specify name and heading

  • Netscape – Address Book/File/New Directory

    • LDAP Server: directory.colorado.edu

    • Search Root: dc=colorado,dc=edu

  • Outlook – Address Book/Internet Accounts Directory Service wizard

  • UCB Address Book instructions: http://www.colorado.edu/its/docs/usingemail.html



Four Campus Implications

  • Commonalities

  • Campus-specificities

    • People

    • Data sources

    • Data

    • Policies

  • Infrastructure applicable to University and Campuses


Directory Structure Today

[Diagram, labels only] Consumers: MacOS AuthN, Radius (concept), Calendar pilot, AuthN testing, White Pages, Send Mail, Email Addresses, Affiliation Check, Printed Directory. Directories: ucb Directory, cusys Directory, cu.edu (concept). Common Infrastructure: Registry, Identity Recon., Directory Build, Recon report. Sources: Uniquid (campus-specific); HR and SIS (University-wide).


Project Contacts

  • Dennis Maloney, Director of [email protected]

  • Bob Fryberger, IT [email protected]

  • Paula Vaughan, Project Manager [email protected]

  • Melinda Jones, Directory [email protected]

  • Enterprise Directory Project Web Page: http://www.Colorado.EDU/committees/DirectoryServices/ or from the UCB - ITS home page ("About ITS" -> "Projects & Initiatives" -> "Architecture and Infrastructure Initiatives")

