FSUID & AD Integration


Presentation Transcript


  1. FSUID & AD Integration
  Partnering with the College of Human Sciences
  Jeff Bauer, AIS
  http://fsuid.fsu.edu/admin

  2. FSUIDs – Quick Overview
  • Combined identity from CARS, OTI Win, etc.
  • FSUID authentication used to access PeopleSoft Financials and HR (i.e., your paycheck information!)
  • FSUID authentication used to log into Secure Login
  • FSUID authentication used to log into Blackboard
  • FSUID authentication used for other projects in OTI: VPN access, BlueSocket, RADIUS, PAM/LDAP UNIX logins
  • FSUID used to access the FSUID personal and Helpdesk web pages
  • FSUID used to build the “CAS ring”

  3. FSUID Architecture
  • Novell’s eDirectory 8.7.3.3 housed on RedHat servers
  • Five servers in three physical locations
  • Same schema, local databases
  • Auto-syncs value changes across the ring

  4. FSUID Schema
  • Expressed in standard LDAP terms as a set of attributes and values
  • Combination of a new class called “fsuEduPerson” and existing standard classes (such as “inetOrgPerson”, “person” and “organizationalPerson”)
  • Attributes are updated from various sources (PeopleSoft HR feed, DB2 tables on NWRDC, existing LDAPs, etc.)
  • One attribute exists to handle “associations” with known Windows servers (fsuEduAdSamaAccountName)

  5. “Associate a Windows Account”
  • Creates a link between an FSUID and a Windows account
  • Used for one-way password sync (FSUID to AD) and directory attribute updating on the OTI-managed Exchange domains
  • Windows AD communication is through LDAPS (LDAP over an SSL/TLS connection) using a single “proxy” administrative Windows account, so a department does not need an official Windows trust relationship with central IT, with all that entails

  6. FSUIDs and CHS
  • CHS approached us interested in doing quasi-automated account management
  • Established a Windows administrator proxy account and opened a firewall hole for port 636 (LDAPS) traffic from the FSUID servers to their domain controller
  • Worked out account creation and updating details, and who would be responsible for which attributes for which types of users

  7. FSUIDs and CHS – Arrived at this:
  • New employees and new grad students are created by an FSUID daily script using a “first initial + last name” algorithm for the SAM account name
  • Many attributes are set, and the association between the faculty/staff FSUID and the SAM account is made (for future updates of attributes)
  • A daily email is sent to CHS systems staff telling them what happened (updates and creates)

  8. FSUIDs and CHS – Arrived at this:
  • Accounts are created in a CHS-specified container, depending on the type of person and which department they are in; CHS is free to move the account around afterwards
  • The account is created disabled, with a random password
  • CHS will enable the account, perform other initialization (home directory, ACLs, etc.) and handle informing the end user
  • The end user is told to go to their FSUID web page to set their Windows AD password

  9. FSUIDs and CHS – Arrived at this:
  • An FSUID script is being developed that will scan daily for former CHS employees or students; if any are found, the Windows account is disabled and the Windows systems staff emailed
  • Password management is pushed to the end user via the FSUID web page, the CHS FSUID helpdesk and User Services helpdesk staff
  • End result is a nice blend of “grunt work” done automatically by central IT, with full autonomy retained by the College (either side can “pull the plug” in case of emergency)
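The create/disable workflow of slides 7 to 9, as an added example in Python. This is not the talk's 600-line Perl script and not FSU code; it only computes what a daily run would send over LDAPS (SAM name derivation, the disabled-user add request with its random initial password, the offboarding set and the email body) without touching a directory. The container DN, the UPN suffix, the use of employeeID to carry the FSUID on the AD side, and the feed rows are all assumptions made up for the example; the page names only the eDirectory-side link attribute.

```python
"""Added example: Python sketch of the CHS provisioning workflow (not the
600-line Perl script the talk mentions). Pure computation, no directory I/O."""
import re
import secrets
import string
import unicodedata

SAM_MAX_LEN = 20            # AD limit on sAMAccountName for user objects
UAC_NORMAL_ACCOUNT = 0x0200
UAC_ACCOUNTDISABLE = 0x0002

# Constructed sample feed (FSUID, first, last); not real FSU data.
SAMPLE_FEED = [
    ("jb05x", "Jeff", "Bauer"),
    ("ab12c", "Anna", "Bauer"),
    ("lo99z", "Léa", "O'Brien-Montgomerysons"),
]
EXISTING_SAMS = {"administrator", "jbauer"}   # "jbauer" is already taken


def sam_from_name(first, last, existing):
    """'first initial + last name', folded to lowercase ASCII letters and
    digits, cut to 20 characters, numeric suffix on (case-insensitive) collision."""
    raw = unicodedata.normalize("NFKD", first[:1] + last)
    base = re.sub(r"[^a-z0-9]", "", raw.encode("ascii", "ignore").decode().lower())
    if not base:
        raise ValueError("name yields no usable characters for a SAM name")
    base = base[:SAM_MAX_LEN]
    taken = {e.lower() for e in existing}
    candidate, n = base, 2
    while candidate in taken:
        suffix = str(n)
        candidate = base[:SAM_MAX_LEN - len(suffix)] + suffix
        n += 1
    return candidate


def random_password(length=24):
    """Random throwaway password meeting the default AD complexity rule
    (mixed case, digit, symbol); the user replaces it from the FSUID web page."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, "!@#$%^&*-_=+"]
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def encode_unicode_pwd(password):
    """AD accepts a password set only as the quoted string in UTF-16LE in the
    unicodePwd attribute, and only over an encrypted session (hence LDAPS/636)."""
    return f'"{password}"'.encode("utf-16-le")


def build_add_entry(fsuid, first, last, sam, container_dn, upn_suffix, password):
    """DN and attributes for an LDAP add of a *disabled* user in the CHS-specified
    container. Storing the FSUID in employeeID is an assumption of this example."""
    dn = f"CN={sam},{container_dn}"
    attrs = {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": sam,
        "userPrincipalName": f"{sam}@{upn_suffix}",
        "givenName": first,
        "sn": last,
        "displayName": f"{first} {last}",
        "userAccountControl": str(UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE),  # 514
        "unicodePwd": encode_unicode_pwd(password),
        "employeeID": fsuid,            # assumed reverse link to the FSUID
    }
    return dn, attrs


def provision(feed, existing_sams, container_dn, upn_suffix):
    """Daily create pass: one add request per feed row, never reusing a SAM name."""
    taken = set(existing_sams)
    created = []
    for fsuid, first, last in feed:
        sam = sam_from_name(first, last, taken)
        taken.add(sam)
        dn, attrs = build_add_entry(fsuid, first, last, sam, container_dn,
                                    upn_suffix, random_password())
        created.append({"fsuid": fsuid, "sam": sam, "dn": dn, "attrs": attrs})
    return created


def offboarding_scan(managed, current_fsuids):
    """Daily disable pass: script-managed SAM names whose FSUID left the CHS feed."""
    current = set(current_fsuids)
    return sorted(sam for sam, fsuid in managed.items() if fsuid not in current)


def daily_report(created, disabled):
    """Body of the daily email to the CHS systems staff."""
    lines = ["Created (disabled, random password):"]
    lines += [f"  {c['sam']:<20} {c['fsuid']:<8} {c['dn']}" for c in created]
    lines.append("Disabled (no longer in CHS feed):")
    lines += [f"  {sam}" for sam in disabled]
    return "\n".join(lines)


if __name__ == "__main__":
    created = provision(SAMPLE_FEED, EXISTING_SAMS,
                        "OU=Staff,OU=CHS,DC=example,DC=edu", "example.edu")
    managed = {c["sam"]: c["fsuid"] for c in created}
    print(daily_report(created, offboarding_scan(managed, ["jb05x", "lo99z"])))
```

Two practitioner notes on wiring this to a real domain: the add and the later unicodePwd replace must go over LDAPS (AD rejects password writes on a cleartext bind, which is why the 636 hole is the only one needed), and the proxy account should be delegated only create, modify and disable rights on the CHS containers rather than domain-wide administrator rights, since its credentials live on the FSUID servers.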

  10. Win-win for CHS Win!
  • The FSUID project got a boost from the College’s requests for refinements (Helpdesk advanced search; “Courtesy” attribute)
  • CHS Windows staff didn’t have to manually create some ~200 Windows accounts after bringing up a new AD
  • Once in place it’s “hands-free” and can be easily tweaked
  • Heavy lifting done with a 600-line Perl script
  • A departmental Perl script does “local-side” tasks, too

  11. Future Directions
  • Interested in developing more custom Windows or even non-Windows account management for departments (e.g., College of Medicine, etc.)
  • A “Blackboard as university Portal” project is starting up
  • Attempt to tie in more university enterprise data (e.g., FSUCard door security system)
  • Bring more systems under “native” FSUID authentication (CARS, mailer, garnet, etc.)

  12. Thanks!
  • OTI is ready to assist other departments with their own Windows-based auto-account management needs, tailored to your specific department rules
  • Thanks to the “eDir Team”: Ethan Kromhout, Dongmei Gao, Donny Shrum & others
  • Special thanks to Jeanne Pecha, College of Human Sciences, for trusting central IT
  • Questions?
