
Directory Services Workshop



Presentation Transcript


  1. Directory Services Workshop University of Colorado June 3, 2002

  2. Agenda 9-10 a.m. Overview 10-11 a.m. Registry Concepts 11 a.m.-noon Directory Structure Noon-1 p.m. Lunch & Campus Experiences 1-1:30 p.m. Server Environment 1:30-2 p.m. Security 2-2:30 p.m. Client Access 2:30-3 p.m. Four-campus Implications

  3. Introductory Remarks – Dennis Maloney, Director, Information Technology Services, University of Colorado at Boulder

  4. Project History - Timeline

  5. Project History – Goals & Status
  • Develop UCB Enterprise Directory
  • Initial phase implemented Nov. 5, 2001
  • Create trusted, authoritative data source
  • ED blends SIS, HR and campus data using policies, business rules and process.
  • Usable by a variety of apps and services
  • Built upon LDAP standards, maximizing use
  • Current uses: white pages, printed directory, calendar pilot, affiliation verification, radius pilot, mac lab authentication pilot

  6. Project History – Goals & Status
  • Identity, data & relationship management
  • Logic applied based upon business rules
  • Identity verification via emplid, sid, ssn, previous sid, name, dob, gender.
  • Unique, permanent identifier assigned to each person.
  • Establish current/active affiliations, primary affiliation
  • Authentication
    - Framework established
    - Solution options being tested

  7. High-level Description (diagram; only the labels survive): Core Team (ucb/cusys), Steering Team (cusys), Enterprise Directory, 4-Campus Registry, Business Rules, Campus Experts, SIS, HR, Uniquid

  8. Registry Concepts • Registry/Directory and Data • Registry Database Design & Use

  9. Registry/Directory and Data
  • Distinct sources for distinct roles (students, employees, faculty, electronic accounts, etc.)
  • Unique identifiers for each system: HR (fac/staff; empID), SIS (student; SID), FIS (faculty; SSN), Uniquid (accounts; unix ID), IDcard (photos; ISO), Telecom (phone locn, phone #)
  • Blending together to build a CU Person (uuid)

  10. Student Data (SIS → Registry/Directory, via Java)
  • For Identity Matching: Student ID, Previous ID; Name, Birth date, Gender
  • For Affiliation Logic, Authorization & Data Access: Enrollment Status, Withdraw Code, Expected Return; Fees Paid Indicator; Privacy Flag
  • For Directory Publication: Name; Local Address and Telephone; Major(s), Minor(s), College(s); Class Level

  11. Student Affiliation
  • Enrollment status code = E
  • Withdraw code null, or Expected return date in the future
  • Type of student affiliation is based upon Academic Unit:
    - Student (= “Student” affiliation)
    - Continuing Ed Credit Student (= “Student” affiliation)
    - Continuing Ed Non-Credit Student (= “Affiliate” affiliation)
  • Campus Affiliation based upon first character of AU

  12. Faculty and Staff Data (PSHR → Registry/Directory, SQL via db link)
  • For Identity Matching: Employee Number, SSN; Name, Birth date, Gender
  • For Employee and Job Selection: Job status; Employment end date
  • For Directory Publication: Name; Campus Box and Campus Phone; Job Department(s), Home Department; Job Class Title(s); Business Title(s)

  13. Employee Affiliation
  • Appropriate employment status code
  • Appointment end date in the future
  • Type of employee affiliation is based upon Job Code:
    - Faculty, Clinical Faculty, Research Faculty, Medical Resident, Fellowship/Trainee = “Faculty”
    - Student Faculty = “Student” and “Faculty”
    - Officer/Exempt Professional = “Officer/Professional” & “Staff”
    - Student Employee = “Affiliate” or “Employee”
    - Retiree = “Retiree” or “Affiliate”
    - Staff = “Staff”
  • Campus Affiliation based upon first character of department code
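The affiliation rules of slides 11 and 13 written out as code, as an added example that is not part of the workshop material. It assumes the job categories on the slide stand in for the job codes, uses a placeholder active employment status ("A", which the slide does not enumerate), and leaves out the two rules whose slide wording is ambiguous (Student Employee, Retiree).

```python
from dataclasses import dataclass

# Added example (not from the slides): the student and employee affiliation rules of slides
# 11 and 13 as code. Student: enrolled (status E) and no withdraw code, or expected return
# still in the future; affiliation type follows the Academic Unit.
STUDENT_TYPE_AFFILIATION = {
    "Student": "Student",
    "Continuing Ed Credit Student": "Student",
    "Continuing Ed Non-Credit Student": "Affiliate",
}
# Employee: the slide names job categories rather than job codes, so the key is the category.
JOB_CATEGORY_AFFILIATIONS = {
    "Faculty": ("Faculty",), "Clinical Faculty": ("Faculty",), "Research Faculty": ("Faculty",),
    "Medical Resident": ("Faculty",), "Fellowship/Trainee": ("Faculty",),
    "Student Faculty": ("Student", "Faculty"),
    "Officer/Exempt Professional": ("Officer/Professional", "Staff"),
    "Staff": ("Staff",),
}
# "Appropriate employment status code" is not enumerated on the slide; "A" is a placeholder.
ACTIVE_EMPLOYMENT_STATUSES = frozenset({"A"})

@dataclass(frozen=True)
class Affiliation:
    names: tuple   # eduPersonAffiliation values derived from this record
    campus: str    # campus key: first character of the AU or department code

def student_affiliation(enrollment_status, withdraw_code, expected_return, academic_unit, student_type, today):
    """Apply the SIS rules; None means no active student affiliation."""
    if enrollment_status != "E":
        return None
    if withdraw_code is not None and not (expected_return and expected_return > today):
        return None
    name = STUDENT_TYPE_AFFILIATION.get(student_type)
    return Affiliation((name,), academic_unit[0]) if name else None

def employee_affiliation(status_code, appointment_end, job_category, dept_code, today):
    """Apply the PSHR rules; None means no active employee affiliation."""
    if status_code not in ACTIVE_EMPLOYMENT_STATUSES or appointment_end <= today:
        return None
    names = JOB_CATEGORY_AFFILIATIONS.get(job_category)
    return Affiliation(names, dept_code[0]) if names else None

def blend(*records):
    """Merge per-source results into one CU Person view: sorted affiliation names per campus."""
    merged = {}
    for rec in records:
        if rec is not None:
            merged.setdefault(rec.campus, set()).update(rec.names)
    return {campus: sorted(names) for campus, names in merged.items()}
```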

  14. Campus-Specific Data or Systems (feeding the Registry/Directory)
  • Uniquid (Java): Account & Email data (person)
  • ID Card: ISO and jpeg
  • Telecom: Office building/room data
  • FIS: Faculty Research and Degree data

  15. Registry “Self-Update” (entry update only, through the Identity Match & Reconciliation Logic)
  • Data allowed: Nickname; HomePage (…colorado.edu); Preferred contact; Alternate contact; Fax; Cell Phone; Pager (phone); Pager (text); Activities; Areas of expertise
  • Sponsored Affiliates – data edits: Name; Identifier; Affiliation; Sponsor; Expiration
  • Future Data Sources

  16. Registry Schema (abbreviated)
  • DIR_PERSON: uuid, ssn, sid, employeeNumber, privacy, dir_uid, primaryAffiliation, homeDepartment, dob, gender, prev_sid, sis_update, hr_update, uniquid_update, self_update, …address/phone/etc data…
  • UCBEMAIL_ONLY: cuMailUniq, cuid, mail, emailHome, emailRewrite
  • DIR_COMMON_NAME, DIR_SURNAME, DIR_GIVEN_NAME, DIR_PRIOR_NAME
  • DIR_EMAIL: emailSeqNo, uuid, campus, dir_uid, mail_flag
  • DIR_CAMPUS_SPECIFIC: uuid, campus, ISO, roomNumber, physicalDeliveryOfficeName
  • DIR_ORG_UNIT_DN
  • DIR_AU_SPECIFIC: uuid, AU, Term, expectedReturn, feesIndicator, enrollment_status_code, withdraw_code, …academic info…
  • DIR_DEGREE, DIR_RESEARCH, DIR_ACTIVITIES, DIR_CERT, DIR_PW, DIR_SEEALSO
  • DIR_AFFILIATION: AffiliationSeqNo, uuid, description, eduPersonAffiliation, campus, sponsored_by, expiration_date, orgDN
  • DIR_JOB: JobSeqNo, uuid, job_Code, dept_ID, title, emplmnt_status_code, emp_type_code, reg_temp_code, Affiliation, Appoint_end_date
  • DIR_EXCEPTION: uuid, sid, ssn, source

  17. Registry Schema - views

```sql
-- View over DIR_AU_SPECIFIC: Oracle (+) outer joins resolve college, major and
-- major-option codes to their descriptions; only rows flagged as affiliations are kept.
create or replace view au_specific_view as
select h.uuid, h.au, h.feesIndicator, h.college, h.affiliation, h.college2,
       h.primaryMajor1, h.primaryMajor2, h.primaryMinor,
       h.secondaryMajor1, h.secondaryMajor2, h.secondaryMinor,
       h.primaryMajor1Option, h.primaryMajor2Option,
       h.secondaryMajor1Option, h.secondaryMajor2Option,
       l1.college_desc,
       l2.college_desc       "COLLEGE2_DESC",
       m1.major_desc         "PRIMARYMAJOR1_DESC",
       m2.major_desc         "PRIMARYMAJOR2_DESC",
       m3.major_desc         "PRIMARYMINOR_DESC",
       m4.major_desc         "SECONDARYMAJOR1_DESC",
       m5.major_desc         "SECONDARYMAJOR2_DESC",
       m6.major_desc         "SECONDARYMINOR_DESC",
       n1.major_option_desc  "PRIMARYMAJOR1OPTION_DESC",
       n2.major_option_desc  "PRIMARYMAJOR2OPTION_DESC",
       n3.major_option_desc  "PRIMARYMAJOR3OPTION_DESC",
       n4.major_option_desc  "PRIMARYMAJOR4OPTION_DESC",
       h.classlevel
  from dir_au_specific h,
       college_table l1, college_table l2,
       majors_table m1, majors_table m2, majors_table m3,
       majors_table m4, majors_table m5, majors_table m6,
       major_option_table n1, major_option_table n2,
       major_option_table n3, major_option_table n4
 where l1.college_code (+) = h.college
   and l2.college_code (+) = h.college2
   and m1.major_code (+) = h.primaryMajor1
   and m2.major_code (+) = h.primaryMajor2
   and m3.major_code (+) = h.primaryMinor
   and m4.major_code (+) = h.secondaryMajor1
   and m5.major_code (+) = h.secondaryMajor2
   and m6.major_code (+) = h.secondaryMinor
   and n1.major_option_code (+) = h.primaryMajor1Option
   and n2.major_option_code (+) = h.primaryMajor2Option
   and n3.major_option_code (+) = h.secondaryMajor1Option
   -- the slide joined n4 to secondaryMajor1Option a second time; n4 is the
   -- secondaryMajor2 option, so it must join on secondaryMajor2Option
   and n4.major_option_code (+) = h.secondaryMajor2Option
   and h.affiliation = 'Y';
```

  18. Directory Structure • Directory Objects: eduPerson, cuEduPerson, coloradoPerson • Console demo • Metamerge demo

  19. Directory Objects (object classes and the attributes shown for each)
  • person: cn, description, seeAlso, sn, telephoneNumber, userPassword
  • organizationalPerson: facsimileTelephoneNumber, ou, physicalDeliveryOfficeName, postalAddress, street, st, postalCode, l, postOfficeBox, preferredDeliveryMethod, title
  • inetOrgPerson: o & departmentNumber, displayName, givenName, employeeNumber, employeeType, homePhone, homePostalAddress, jpegPhoto & labeledURI, mail, uid, mobile & pager, roomNumber, userCertificate
  • eduPerson: affiliation, nickName, orgDN, orgUnitDN, primaryAffiliation, principalName
  • cuEduPerson, coloradoPerson, cusysPerson (CU extensions): uuid, au, activities & research, alternateContact, campus, degreeInstitution & Yr, employmentStartDate, Expertise, feesIndicator, highestDegree, homeDepartment, ISO, major, minor, class, Privacy, SID, SSN, jobClassification, schoolCollegeName, Macgridnumber, Machomelocpath, Machomedir
  • Identifiers…

  20. Sample Directory Entry

```ldif
dn: uuid=100056249, ou=people, dc=colorado, dc=edu
cn: Roberto Roybal
sn: Roybal
givenname: Roberto
postaladdress: 455 UCB
objectclass: top
objectclass: person
objectclass: organizationalperson
```

  21. Directory Structure - Console • demo

  22. Directory Structure - Metamerge • demo

  23. Lunch! • Eat! Drink! • Share your experiences!

  24. Server Environment • Hardware • iPlanet Directory Server • Enterprise Directory Architecture (Directory Instances – configuration, replication, ssl, subnets)

  25. Server Environment Development Production Failover

  26. Security • ACLs • Privacy • Directory and Security Initiatives

  27. Privacy • FERPA constraints • Privacy-enabled students • Public vs. private student data • Public vs. private employee data • Who can see what?

  28. ACLs • Where and/or what is the resource to be accessed? • How can the resource be accessed? • Who can and/or when can a resource be accessed? From iPlanet Learning Solutions: iPlanet Directory Services: Analysis and Planning 5.0

  29. ACLs • Anonymous ACL example. Because the ACI uses `targetfilter!=`, it applies only to entries that do not match the filter, so anonymous binds can read home address and home phone only for students who carry no privacy flag:

```
(targetattr="homePostalAddress||homephone")
(target="ldap:///ou=people,dc=colorado,dc=edu")
(targetfilter!="(|(&(edupersonprimaryaffiliation=Student)(cuedupersonprivacy=*))(!(edupersonprimaryaffiliation=Student))(edupersonprimaryaffiliation=Affiliate)(cuedupersonprivacy=D))")
(version 3.0; acl "anonymous-student homeinfo"; allow (read,compare,search) userdn="ldap:///anyone";)
```

  30. ACLs • Read-all ACL example (members of the Readall group may read every attribute outside the ou=special subtree):

```
(targetattr="*")
(target != "ldap:///*,ou=special,dc=colorado,dc=edu")
(version 3.0; acl "powerusers-read"; allow (read,compare,search) groupdn="ldap:///cn=Readall,ou=groups,ou=special,dc=colorado,dc=edu";)
```
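To check what the anonymous ACI of slide 29 actually exposes against the privacy requirements of slide 27, here is an added example (not from the workshop or iPlanet) that parses the ACI's targetfilter and evaluates it over constructed entries. It models this one ACI in isolation (a real server combines all applicable ACIs, with deny taking precedence) and assumes the filter as written on the slide with the `!` operand parenthesised as the LDAP filter grammar requires.

```python
# Added example (not from the slides): evaluate the "anonymous-student homeinfo" ACI
# against constructed entries; only this single ACI is modelled.
ACI_TARGET_SUFFIX = "ou=people,dc=colorado,dc=edu"
ACI_TARGET_ATTRS = {"homepostaladdress", "homephone"}
# "targetfilter !=": the ACI applies only to entries that do NOT match this filter.
ACI_NOT_FILTER = ("(|(&(edupersonprimaryaffiliation=Student)(cuedupersonprivacy=*))"
                  "(!(edupersonprimaryaffiliation=Student))"
                  "(edupersonprimaryaffiliation=Affiliate)(cuedupersonprivacy=D))")

def parse_filter(s, i=0):
    """Recursive-descent parser for the filter subset the ACI uses: &, |, ! and attr=value."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError("malformed '%s' filter at offset %d" % (op, i))
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, val = s[i:j].partition("=")
    return ("=", attr.strip().lower(), val.strip()), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry: dict of lowercase attribute -> list of values."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    values = entry.get(attr, [])
    return bool(values) if val == "*" else any(v.lower() == val.lower() for v in values)

NOT_FILTER_AST, _ = parse_filter(ACI_NOT_FILTER)

def anonymous_may_read(entry, attr):
    """True when this ACI alone lets an anonymous bind read `attr` from `entry`."""
    if not entry["dn"].lower().replace(" ", "").endswith(ACI_TARGET_SUFFIX):
        return False                           # entry is outside the ACI's target subtree
    if attr.lower() not in ACI_TARGET_ATTRS:
        return False                           # the ACI grants nothing for other attributes
    return not matches(NOT_FILTER_AST, entry)  # "!=" inverts the filter match
# Constructed sample entries (uuids and phone numbers are placeholders, not directory data).
STUDENT_PUBLIC = {"dn": "uuid=100000001,ou=people,dc=colorado,dc=edu",
                  "edupersonprimaryaffiliation": ["Student"], "homephone": ["303 555 0100"]}
STUDENT_PRIVATE = dict(STUDENT_PUBLIC, dn="uuid=100000002,ou=people,dc=colorado,dc=edu", cuedupersonprivacy=["D"])
STAFF = dict(STUDENT_PUBLIC, dn="uuid=100000003,ou=people,dc=colorado,dc=edu", edupersonprimaryaffiliation=["Staff"])
```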

  31. UCB’s Kerberos and the Directory • Solutions considered… • Synchronize Passwords • Migrate to “Heimdal” Kerberos • Simple Authentication and Security Layer (SASL) • Pre-Operation Directory Plug-in • The winner is …

  32. Authentication with Directory Plugin

  33. Lessons learned and next steps
  • App must be able to look up the DN (our DN is not the username; e.g., cuedupersonuuid=100056463,ou=People,dc=Colorado,dc=edu vs. jonesdr).
  • Plugin API compatibility issues with iPlanet Directory version changes.
  • 5.1 plugin retrieves & caches both the Kerberos ticket-granting ticket and host ticket.

  34. Directory’s Role in Security • Directory Enabled Applications • Authentication • Authorization • Network Security & Radius

  35. Directory’s Role in Security

  36. Client Access • White Pages architecture • Unix command line lookup • Address Book mappings • LDAP Browser

  37. White Pages Architecture (diagram)
  • Desktop client web browser → (1) HTTP request → Apache web server with mod_jk.so plugin module → (2) AJP 1.3 on port 8009 (Apache-Java Protocol) → Tomcat servlet engine running under Java JDK 1.3, hosting the Cocoon publishing framework or other Java servlet using XML/XSL & JNDI → (3) JNDI LDAP query → Directory; the result travels back along the same path in steps (4), (5) and (6)
  • Desktop email client (Outlook, Netscape, Eudora) or other LDAP client → anonymous LDAP query → Directory

  38. White Pages – xml example (part 1)

```xml
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd">
<page>
  <cnfull>marangak</cnfull>
  <campus> * </campus>
  <affiliation> * </affiliation>
  <ldapsearch>
```

  39. White Pages – xml example (part 2)

```xml
    <searchresult id="cuEduPersonUUID=100038089">
      <displayname>Andrew Marangakis</displayname>
      <givenname>ANDREW</givenname>
      <cuedupersonemailhome>marangak@spot.Colorado.EDU</cuedupersonemailhome>
      <cuedupersoncampus>Boulder Campus</cuedupersoncampus>
      <objectclass>top</objectclass>
      <objectclass>person</objectclass>
      <objectclass>organizationalperson</objectclass>
      <objectclass>inetorgperson</objectclass>
      <objectclass>eduPerson</objectclass>
      <objectclass>cuEduPerson</objectclass>
      <cuedupersonhomedepartment>ITS-Administration</cuedupersonhomedepartment>
      <edupersonaffiliation>Staff</edupersonaffiliation>
      <edupersonaffiliation>Employee</edupersonaffiliation>
      <ou>ITS-Administration</ou>
      <mail>Andrew.Marangakis@Colorado.EDU</mail>
      <cn>Marangakis,Andrew</cn>
      <cn>Andrew Marangakis</cn>
      <cn>Marangakis Andrew</cn>
      <telephonenumber>303 492 0527</telephonenumber>
      <cuedupersonclass>UNCLASSIFIED NON-CREDIT CE</cuedupersonclass>
      <cuedupersonuuid>100038089</cuedupersonuuid>
      <postaladdress>455 UCB</postaladdress>
      <description>Staff</description>
      <sn>MARANGAKIS</sn>
      <edupersonprimaryaffiliation>Staff</edupersonprimaryaffiliation>
      <cuedupersonjobclassification>IT Professional III</cuedupersonjobclassification>
      <title>IT Professional III</title>
```

  40. Client Access – Unix Command Line

```sh
# White Pages lookup by partial common name; $1 is the name fragment. Assumes an
# ldapsearch that prints attribute=value lines, which the awk split on "=" relies on.
# Two attribute names were truncated on the slide (cuedupersonhomedepartmen, postaladdres).
ldapsearch -h directory.colorado.edu -b "dc=Colorado, dc=EDU" "cn=*${1}*" \
  displayname telephonenumber cuedupersonschoolcollegename cuedupersonprimarymajor1 \
  cuedupersonclass title description cuedupersonhomedepartment postaladdress \
  homepostaladdress homephone mail cuedupersonemailhome \
  | grep -v cuEduPersonUUID | awk -F= '{print $2}'
```

  41. Client Access – Address Books
  • Eudora – Tools/Directory Services
    - LDAP Database: directory.colorado.edu
    - Search base: dc=colorado,dc=edu
    - Attributes: can specify name and heading
  • Netscape – Address Book/File/New Directory
    - LDAP Server: directory.colorado.edu
    - Search Root: dc=colorado,dc=edu
  • Outlook – Address Book/Internet Accounts Directory Service wizard
  • UCB Address Book instructions: http://www.colorado.edu/its/docs/usingemail.html

  42. Client Access – LDAP Browser • demo

  43. Four Campus Implications • Commonalities • Campus-specificities • People • Data sources • Data • Policies • Infrastructure applicable to University and Campuses

  44. Directory Structure Today (diagram; only the labels survive): sources – University-wide HR, SIS, Uniquid, Campus-specific; registry stages – Registry, Identity Recon., Directory Build, Recon report; directories – ucb Directory, cusys Directory, cu.edu (concept) Common Infrastructure; consumers – MacOS AuthN, Radius concept, Calendar pilot, AuthN testing, White Pages, Send Mail, Email Addresses, Affiliation Check, Printed Directory

  45. Project Contacts
  • Dennis Maloney, Director of ITS – Dennis.Maloney@colorado.edu
  • Bob Fryberger, IT Architect – Robert.Fryberger@colorado.edu
  • Paula Vaughan, Project Manager – Paula.Vaughan@colorado.edu
  • Melinda Jones, Directory Manager – Melinda.Jones@colorado.edu
  • Enterprise Directory Project Web Page: http://www.Colorado.EDU/committees/DirectoryServices/ or from the UCB - ITS home page (“About ITS” → “Projects & Initiatives” → “Architecture and Infrastructure Initiatives”)
