
LDAP user database

LDAP user database. Marina Vermezović, Academic Network of Serbia, Skopje, 15.09.2011. What is it all about? Services/resources to access the network (wireless, VPN) and web services (e-learning, e-library, student portal): who are you?


Presentation Transcript


  1. LDAP user database. Marina Vermezović, Academic Network of Serbia, Skopje, 15.09.2011.

  2. What is it all about? • Services/resources: to access the network – wireless, VPN; web services – e-learning, e-library, student portal • Who are you? – Authentication • What can you do? – Authorization • AAI: Authentication and authorization infrastructure makes access to protected services easier Akademska mreža Srbije www.amres.ac.rs

  3. Without AAI [Diagram: each service provider at Faculty A (wireless, videoconference, e-learning, student services) and at Library B (wireless, e-books) does its own authentication (Auth) and authorization (Autz).]

  4. With AAI [Diagram: Faculty A runs an identity provider, backed by identity management, that does authentication (Auth) for all service providers; each service provider (wireless, videoconference, e-learning, student services at Faculty A; wireless, e-books at Library B) keeps only its own authorization (Autz).]

  5. High level AAI diagram [Diagram: Circle of Trust / Federation. Network SPs (NAS: eduroam, VPN) reach the IdP over Radius; web SPs (web resource, wiki pages) reach it over SAML; the IdP sits on top of the user database.] Basics for development of all services that need local and inter-institutional AutH and AutZ: user database

  6. What is digital user identity? • Set of data (attributes) about a user:
     • Personal user data – name, surname, date of birth, national identification number, contact information: mail, address, phone
     • Data regarding affiliation to institution – name of institution, affiliation (student, employee, guest), designation (for employees), type of studies (for students), local identification number, contact information: mail, address, phone
     • Credentials used for authentication – username/password, certificate
     • Data that uniquely identifies a person – person identifying: username@institutional.domain; non person identifying
     • User roles and privileges

  7. LDAP user database

  8. Which database to use for storing user IDs? • Basically you can choose any: • Relational: MySQL, Oracle, PostgreSQL • Hierarchical: OpenLDAP, Active Directory • But.. there are some advantages

  9. Directories – made for storing user IDs? Relational Databases vs Directories
     • Schema: Relational databases – no standard schema for tables and data fields. Directories – international standards to describe persons and organizations.
     Resource: http://www.terena.org/activities/idm/moldova/intro2LDAP.pdf

  10. Directories – made for storing user IDs? Relational Databases vs Directories
     • Organization: Relational databases – one logical entity can be stored in multiple tables. Directories – one logical entity = one entry in the DIT.

  11. Directories – made for storing user IDs? Relational Databases vs Directories
     • Multivalue data: Relational databases – mandates a new table, or a fixed number of multiple data fields. Directories – native support for multivalued attributes.

  12. User database – why LDAP? Relational Databases vs Directories
     • Flexibility: Relational databases – changes in data fields can require big effort. Directories – granular modification of the schema; easy to add attributes.

  13. Directories – made for storing user IDs? Relational Databases vs Directories
     • Access: Relational databases – no standard protocol for access via the network. Directories – define a protocol for access via the network: LDAP.

  14. Directories – made for storing user IDs? Relational Databases vs Directories
     • Optimization: Directories – optimised for reading.

  15. LDAP dictionary

  16. LDAP dictionary revealed • DIT (Directory Information Tree) – term for the structure the data is organized in; organized hierarchically (tree-like)

  17. LDAP dictionary revealed • Entry – a single item in the directory tree which describes one object [Diagram: Organization → Organizational Unit → Person]

  18. LDAP dictionary revealed • Attribute – an attribute name / attribute value pair contained in the entry • Can be univalued or multivalued

  19. LDAP dictionary revealed • objectClass – logical group of attributes • An entry has one or more objectClasses assigned, and must have exactly one structural objectClass! • Attributes can be optional or mandatory

  20. LDAP dictionary revealed • RDN – Relative Distinguished Name – the value by which entries are distinguished within one branch • Constructed from some attributes of the entry • Something like a folder name, or a primary key in relational databases

  21. LDAP dictionary revealed • DN – Distinguished Name – the “path” to the entry, which uniquely identifies it • Consists of all RDNs found on the path to the entry, separated by commas

  22. LDAP dictionary revealed • Base DN – DN of the DIT root

  23. LDAP schema mystery? • A schema consists of one or more objectClasses [Diagram: schema → objectClassX → attributeX → attributeX definition]

  24. Which schema should I use? • One can define a proprietary schema to use within the organization • But… if inter-institutional AutH and AutZ is used – such as in an NREN AAI – using the same schema becomes important • Institutions that are involved in the NREN AAI should use the same schema because it: • Unifies attributes, their use and semantics • Service Providers know what to expect during AutH and AutZ

  25. Standard LDAP schemas – designed for campus directories • eduPerson (eduPerson200604) – Internet2 MACE group – attributes depict a person in higher education • eduOrg (eduOrg200210) – Internet2 MACE group – attributes depict an organization in higher education • eduMember (eduMember200507) – Internet2 MACE-Dir WG – deals with the problem of assigning rights and privileges to users • SCHAC (SCHema for ACademia) – TERENA TF for Middleware, TF-EMC2 – complements eduOrg and eduPerson with attributes specific to the European education system
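The following is an added example, not code from the presentation or from AMRES: a small Python model of the dictionary terms from slides 16-22 (DIT, entry, attribute, objectClass, RDN, DN, base DN) together with the "exactly one structural objectClass" rule of slide 19, using the eduPerson class from slide 25. The objectClass kinds and superclass chain are taken from the published schemas (inetOrgPerson, organizationalPerson and person are STRUCTURAL, top is ABSTRACT, eduPerson is AUXILIARY); the DIT root and the student entry are constructed sample data.

```python
# Added example, not from the presentation: a model of DIT, entry, attribute,
# objectClass, RDN, DN and base DN. Schema facts assumed from the published
# schemas: inetOrgPerson > organizationalPerson > person are STRUCTURAL,
# top is ABSTRACT, eduPerson is AUXILIARY. DIT root and entry are constructed.
import re
KIND = {"top": "ABSTRACT", "person": "STRUCTURAL", "organizationalPerson": "STRUCTURAL",
        "inetOrgPerson": "STRUCTURAL", "organizationalUnit": "STRUCTURAL",
        "eduPerson": "AUXILIARY"}
SUPERIOR = {"person": "top", "organizationalPerson": "person",
            "inetOrgPerson": "organizationalPerson", "organizationalUnit": "top",
            "eduPerson": "top"}
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")   # RFC 4514: an escaped '\,' is not a separator

def rdns(dn: str) -> list[str]:
    """DN -> its RDNs, leaf first. The first one is the entry's own RDN."""
    return [part.strip() for part in _UNESCAPED_COMMA.split(dn)]

def parent_dn(dn: str) -> str:
    """Everything after the RDN: the DN of the parent entry in the DIT."""
    return ",".join(rdns(dn)[1:])

def in_subtree(dn: str, base_dn: str) -> bool:
    """True when dn lies under base_dn (the DIT root or any branch)."""
    a, b = rdns(dn.lower()), rdns(base_dn.lower())
    return len(a) >= len(b) and a[-len(b):] == b

def ancestors(cls: str) -> set[str]:
    """All superclasses of an objectClass, following SUPERIOR up to top."""
    out = set()
    while cls in SUPERIOR:
        cls = SUPERIOR[cls]
        out.add(cls)
    return out

def structural_class(object_classes: list[str]):
    """Slide 19 rule: exactly one structural objectClass per entry. A listed
    superclass (person) is part of the same chain as inetOrgPerson, so only the
    most derived class counts. Returns it, or None for zero or two chains."""
    structural = [c for c in object_classes if KIND.get(c) == "STRUCTURAL"]
    leaves = [c for c in structural if not any(c in ancestors(o) for o in structural)]
    return leaves[0] if len(leaves) == 1 else None

BASE_DN = "dc=example,dc=ac,dc=rs"                        # constructed DIT root
STUDENT = {                                                # one entry: attribute -> values
    "dn": "uid=ana.petrovic,ou=People," + BASE_DN,
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson", "eduPerson"],
    "uid": ["ana.petrovic"],                               # univalued
    "eduPersonAffiliation": ["student", "member"],         # multivalued
}
```

An entry listing both inetOrgPerson and organizationalUnit, or only eduPerson on top of top, fails `structural_class`, which is the check a directory server applies before accepting such an Add.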

  26. How to approach? • A schema for the national AAI should be defined • Examples: • rsEdu https://bpd.amres.ac.rs/doku.php?id=amres_aai_wiki:pregled_atributa • hrEdu http://schema.aaiedu.hr/shema/ • norEdu http://www.feide.no/feide/sites/drupal.uninett.no.feide/files/documents/norEdu_spec.pdf • More at https://refeds.terena.org/index.php/FederationSchema

  27. How to design a national schema? • Use the standard schemas: eduPerson, eduOrg, SCHAC • If some attribute specific to the national education system doesn’t exist, define it in the national schema • Have in mind that you want to describe NREN students, researchers, teachers… • Enables compatibility between national AAIs – confederation

  28. How to implement an LDAP directory? • LDAP is the protocol for accessing the directory • Current version LDAPv3, described in RFC 4510 • Uses TCP, port 389 • Client-server model; some operations: • Start TLS • Bind • Search • Compare • Add a new entry • Delete an entry • Modify an entry
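As an added example (not code from the presentation or from AMRES), here is how a service would build the Bind and Search requests of slide 28 to answer "who are you?" for a username: the value the user typed is escaped per RFC 4514 when placed inside a DN and per RFC 4515 when placed inside a search filter, so that characters such as `,`, `*`, `(` and `)` cannot change which entry is matched. The base DN, the People branch and the requested attribute names are constructed.

```python
# Added example, not from the presentation: Bind DN and Search request for a
# username lookup, with the username escaped per RFC 4514 (in a DN) and
# RFC 4515 (in a filter). Base DN, branch and attribute names are constructed.
_DN_SPECIAL = set('"+,;<>\\')
_FILTER_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514): special
    characters, a leading '#' or space, and a trailing space."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def escape_filter_value(value: str) -> str:
    """Escape an assertion value for a search filter (RFC 4515), so that
    '*', '(' and ')' in the input cannot change what the filter matches."""
    return "".join(_FILTER_SPECIAL.get(ch, ch) for ch in value)

def bind_dn(uid: str, people_branch: str) -> str:
    """DN used for a simple Bind of the user, built from the RDN uid=<value>."""
    return f"uid={escape_dn_value(uid)},{people_branch}"

def user_search_filter(uid: str) -> str:
    """Filter matching exactly the eduPerson entry whose uid is the username."""
    return f"(&(objectClass=eduPerson)(uid={escape_filter_value(uid)}))"

def search_request(base_dn: str, uid: str, needed_attrs: list[str]) -> dict:
    """Parameters of one Search operation; the attribute list is the only
    data the directory returns, so the service lists just what it needs."""
    return {"base": base_dn, "scope": "subtree",
            "filter": user_search_filter(uid), "attributes": sorted(set(needed_attrs))}

if __name__ == "__main__":            # constructed values
    branch = "ou=People,dc=example,dc=ac,dc=rs"
    print(bind_dn("ana.petrovic", branch))
    print(search_request("dc=example,dc=ac,dc=rs", "ana.petrovic", ["mail", "eduPersonAffiliation"]))
```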

  29. Which LDAP server software to use? • Quite a long list: 389 Directory Server, Active Directory, Apache Directory Server, Apple Open Directory, FreeIPA, IBM Tivoli Directory Server, Mandriva Directory Server, Novell eDirectory, OpenDJ, OpenDS, OpenLDAP, Optimal IdM, Oracle Internet Directory, Radiant Logic VDS, Sun Java System Directory Server

  30. How to manage LDAP data? • Manually, with the ldap command line tools • LDAP browsers: • Apache Directory Studio • phpLDAPadmin • .. • Make your own application • Bulk import/synchronization from other source systems – Student Information System, Employee Registry..

  31. Identity Management

  32. The lifecycle of user digital identity – IdM • Set of procedures and rules which define: • Who has the right to own a digital identity • When is a digital identity assigned to a person • How is the digital identity maintained • How is the digital identity used • How is the digital identity terminated • Every institution should have its own IdM policy • Must comply with national personal data protection law • EU Data Protection Directive

  33. 1. Who has the right to own a digital identity • Pupils • Students • Teaching staff • Other employees • Other persons affiliated to the institution – members, guests?

  34. 2. When is a digital identity assigned to a person
     • When should the digital identity be created? Student – when applying for admission / when enrolling at the faculty / on the first day of studies / when he/she needs it. Employee – on the first working day / when he/she needs it.
     • Which information should it contain? mandatory or optional; univalue or multivalue; syntax; predefined values; rules for usernames and passwords.
     • Where do you get the information from? Automatically from another source; manually from a filled-in form; manually, verbally; multiple sources – sync problem.
     • What is the quality of the information? How and when is the identity checked? Other systems rely on that data, so it should be accurate.

  35. 3. How is the digital identity maintained • Digital identity data should be accurate and up to date
     • Who is responsible for reporting a change of data, and which data? User – personal data. Institution administration – data regarding study/employment.
     • How do you make the changes? User – by using a self-service portal. Institution administration – automatically from another source; manually from a filled-in form; manually, verbally.
     • When are the changes made? ASAP!

  36. 4. How is the digital identity used
     • Which systems can access the information? The ones which need AutH, AutZ and/or user data. They can access the directory directly using the LDAP protocol, or through a mediating authentication server: Radius, SAML..
     • Which data should be accessible? Access should be limited to the reasonable info (mail, birthday).
     • How are user rights and privileges defined? Use existing user attributes; add an attribute that describes the user role.

  37. 5. How is the digital identity terminated
     • When is the digital identity terminated? When the person is no longer affiliated with the institution: student – when he/she graduates; employee – when he/she stops working; guest – ? The time between the person no longer being affiliated to the institution and the identity termination should be minimal.
     • Who reports that it should be terminated? User; student administration service; employee administration service; for guests? – administration service.
     • How is it terminated? Automatically from another source; manually from a filled-in form; manually, verbally.
     • Is it deleted permanently? Should you reassign once-used usernames?

  38. Thank you for your attention • Questions?
