FSUID & AD Integration - PowerPoint PPT Presentation
Presentation Transcript
FSUID & AD Integration

Partnering with the College of Human Sciences

Jeff Bauer, AIS

http://fsuid.fsu.edu/admin

FSUIDs – Quick Overview

  • Combined identity from CARS, OTI Win, etc.
  • FSUID authentication used to access PeopleSoft Financials and HR (i.e., your paycheck information!)
  • FSUID authentication used to log into Secure Login
  • FSUID authentication used to log into Blackboard
  • FSUID authentication used for other projects in OTI: VPN access, BlueSocket, RADIUS, PAM/LDAP UNIX logins
  • FSUID used to access FSUID personal and Helpdesk
  • FSUID used to build “CAS ring”
FSUID Architecture

  • Novell’s eDirectory 8.7.3.3 housed on RedHat servers
  • Five servers in three physical locations
  • Same schema, local databases
  • Auto-syncs value changes across ring
FSUID Schema

  • Expressed in standard LDAP terms as a set of attributes and values.
  • Combination of a new class called “fsuEduPerson” and existing standard classes (such as “inetOrgPerson”, “Person” and “organizationPerson”)
  • Attributes are updated from various sources (PeopleSoft HR feed, DB2 tables on NWRDC, existing LDAPs, etc.)
  • One attribute exists to handle “associations” with known Windows servers (fsuEduAdSamaAccountName)
“Associate a Windows Account”

  • Creates a link between an FSUID and a Windows account
  • Used for one-way password sync and directory attribute updating on the OTI-managed Exchange domains
  • WinAD communication is through LDAPS – LDAP protocol over an SSL connection using a single “proxy” administrative Win account (no requirement for a department to have an official “Windows trust” relationship, with all that entails)
FSUIDs and CHS

CHS approached us interested in doing quasi-automated account management

Established a Windows administrator proxy account & punched firewall hole for port 636 (ldapssl) traffic to their server

Worked over account creation & updating details and who would be responsible for which attributes for which types of users

FSUIDs and CHS

Arrived at this:

New employees and new grad students are created by an FSUID daily script using a “first initial + last name” algorithm for SAM account name

Many attributes are set and the association between the faculty/staff FSUID and SAM account is made (for future updates of attributes)

Daily email is sent to CHS systems staff, telling them what happened (updates & creates)

FSUIDs and CHS

Arrived at this:

Accounts are created in a CHS-specified container, depending on type of person and which department they are in; CHS is free to move the account around

Account is disabled, with a random password

CHS will enable account and perform some other initialization (home directory, ACLs, etc.) and handle informing end user

End user will be told to go to their FSUID web page to set their Win AD password

FSUIDs and CHS

Arrived at this:

An FSUID script is being developed that will scan daily for former CHS employees or students; if found, the Win account will be disabled and the Win systems staff emailed

Push password management to end user using FSUID web page, CHS FSUID helpdesk and User Services helpdesk staff

End result is a nice blend of “grunt work” done automatically by central IT, with full autonomy retained by the College (either side can “pull the plug” in case of emergency)
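The three “Arrived at this” slides describe one daily provisioning cycle: derive a SAM account name from first initial plus last name, create the account disabled with a random password in a container chosen by person type and department, record the association on the FSUID side, disable accounts of people who have left, and report both to the college's systems staff. The following is an added example written for this page, in Python rather than the Perl the talk mentions, and it is not the presenter's 600-line script. It models only the decision logic (name generation with the 20-character sAMAccountName limit and collision suffixes, the disabled-account attribute set with AD's UTF-16LE quoted unicodePwd encoding, and the daily create/disable diff); the actual LDAPS bind and add/modify calls against the domain controller are left out. The container DNs, UPN suffix, record layout and FSUID values are constructed placeholders, and the userAccountControl bit values are Microsoft's documented ones.

```python
import re
import secrets
import string
import unicodedata

UF_ACCOUNTDISABLE = 0x0002   # documented userAccountControl bits
UF_NORMAL_ACCOUNT = 0x0200
SAM_MAX_LEN = 20             # AD limit for a user's sAMAccountName

# Assumed container layout and UPN suffix (placeholders, not CHS's real tree)
UPN_SUFFIX = "chs.example.edu"
CONTAINERS = {
    ("employee", "nutrition"): "OU=Staff,OU=Nutrition,DC=chs,DC=example,DC=edu",
    ("gradstudent", "nutrition"): "OU=Grad,OU=Nutrition,DC=chs,DC=example,DC=edu",
}
DEFAULT_CONTAINER = "OU=Unsorted,DC=chs,DC=example,DC=edu"


def _fold(text: str) -> str:
    """Lower-case, strip accents, keep only a-z and 0-9."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_text.lower())


def sam_account_name(first: str, last: str, taken: set) -> str:
    """First initial + last name, cut to 20 chars, numeric suffix on collision.
    'taken' is updated so one batch of creates cannot collide with itself."""
    base = (_fold(first)[:1] + _fold(last))[:SAM_MAX_LEN]
    candidate, n = base, 2
    while candidate in taken:
        suffix = str(n)
        candidate = base[:SAM_MAX_LEN - len(suffix)] + suffix
        n += 1
    taken.add(candidate)
    return candidate


def random_password(length: int = 24) -> str:
    """Throwaway initial password; the user replaces it via the FSUID web page."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def encode_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd value: the password in double quotes, UTF-16LE.
    AD only accepts writes to this attribute over an encrypted (LDAPS) session,
    which is why the proxy account talks to the domain on port 636."""
    return f'"{password}"'.encode("utf-16-le")


def container_for(person: dict) -> str:
    return CONTAINERS.get((person["type"], person["department"].lower()), DEFAULT_CONTAINER)


def build_new_account(person: dict, sam: str) -> tuple:
    """DN and attributes for the LDAP add: account is created disabled."""
    dn = f"CN={person['first']} {person['last']},{container_for(person)}"
    attrs = {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": [sam],
        "givenName": [person["first"]],
        "sn": [person["last"]],
        "displayName": [f"{person['first']} {person['last']}"],
        "userPrincipalName": [f"{sam}@{UPN_SUFFIX}"],
        "userAccountControl": [str(UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE)],  # 514
        "unicodePwd": [encode_unicode_pwd(random_password())],
    }
    return dn, attrs


def reconcile(today: dict, yesterday: dict, associations: dict, taken: set) -> list:
    """Daily diff of CHS affiliates keyed by FSUID.
    New FSUIDs with no association -> ('create', fsuid, sam, dn, attrs), and the
    association (fsuEduAdSamaAccountName on the FSUID side) is recorded.
    FSUIDs gone since yesterday that still have one -> ('disable', fsuid, sam)."""
    actions = []
    for fsuid, person in today.items():
        if fsuid not in associations:
            sam = sam_account_name(person["first"], person["last"], taken)
            associations[fsuid] = sam
            dn, attrs = build_new_account(person, sam)
            actions.append(("create", fsuid, sam, dn, attrs))
    for fsuid in yesterday.keys() - today.keys():
        if fsuid in associations:
            actions.append(("disable", fsuid, associations[fsuid]))
    return actions


def summary_email(actions: list) -> str:
    """Plain-text body of the daily report to the college's systems staff."""
    lines = [f"{verb.upper():8}{fsuid} -> {sam}" for verb, fsuid, sam, *_ in actions]
    return "\n".join(lines) or "No changes today."


if __name__ == "__main__":
    # Constructed sample: one new employee today, one person who left yesterday
    taken = {"jbauer"}                      # SAM names already in the domain
    associations = {"fsu0001": "asmith"}    # existing FSUID -> SAM links
    yesterday = {"fsu0001": {"first": "Alice", "last": "Smith", "type": "employee", "department": "Nutrition"}}
    today = {"fsu0002": {"first": "Jeff", "last": "Bauer", "type": "employee", "department": "Nutrition"}}
    print(summary_email(reconcile(today, yesterday, associations, taken)))
```

Because the script only ever creates disabled accounts and only disables (never deletes) on departure, either side can stop the job at any point without leaving the domain in a state the college's staff cannot recover by hand, which is the “pull the plug” property the slide describes.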

Win-win for CHS Win!

FSUID project got a boost from College’s requests for refinements (Helpdesk advanced search; “Courtesy” attribute)

CHS Win staff didn’t have to manually create some ~200 Win accounts after bringing up a new AD

Once in place it’s “hands-free” and can be easily tweaked

Heavy lifting done with a 600 line Perl script

A departmental Perl script does “local-side” tasks, too

Future Directions

Interested in developing more custom Win or even non-Win account management for departments (e.g., College of Medicine, etc.)

A “Blackboard as university Portal” project is starting up

Attempt to tie in more university enterprise data (e.g., FSUCard door security system)

Bring more systems under “native” FSUID authentication (CARS, mailer, garnet, etc.)

Thanks!

OTI is ready to assist other departments with their own Windows-based auto-account management needs, tailored to your specific department rules

Thanks to the “eDir Team”: Ethan Kromhout, Dongmei Gao, Donny Shrum & others

Special thanks to Jeanne Pecha, College of Human Sciences for trusting central IT

Questions?