LDAP, Loads of People, and Account Management
Middleware @UMBC
Motivations
Introduction to LDAP
Managing People
Our First Application: Account Management
What is a Directory Service?
Data
Hardware and Software
Policies and Procedures
Why build a Directory Service?
Consolidation of existing directories
Reduce replication of: Policies, Data
Means: LESS WORK!
Internet2 Middleware Project
UMBC is one of 11 participating institutions
Goal: Enable inter- & intra-institutional collaboration
How: Agreed-upon data representation and policies
UMBC’s Environment
Tightly centralized environment
One department (OIT) manages most data sources: Human Resources, SIS, “Technical” data
Data access problems are simple to solve
Pre-LDAP Environment
PH/CSO Nameserver
Account Database @umbc.edu
Mail Redirection
Authorization (Unix): NIS
Authentication (Unix, NT): Kerberos
Account Management: AGUS
PH/CSO Nameserver
Designed by UIUC, early to mid ’90s
Indexed for speedy lookups
Flat organization
“Static” schema
“Synchronized” with HR & SIS systems via text file dumps + Perl scripts
Kerberos
Developed at MIT
Cross-platform network authentication, including mutual client-server authentication
AGUS
Account Generation <something something>
Developed at UMBC in 1992, overhauled in
Brief Introduction to LDAP
Definition
Features
Example Entries
LDAP - Definition
Lightweight Directory Access Protocol
Originally designed as a front-end to X.500
Not reliant on the bulky OSI protocol stack
LDAP - Features
Structure
Flexible Schema
Security (authentication)
Security (access)
Replication / Distribution of Services
LDAP - Structure
Formed by the interpretation of the “Distinguished Names” of elements, e.g. uid=banz,ou=accounts,o=umbc.edu:
o=umbc.edu
  ou=accounts
    uid=banz
  ou=people
LDAP - Structure
Distinguished Names are unique
The attribute types that make up a DN are not restricted
Typical attributes: ou (Organizational Unit), o (Organization)
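The slides write the same DN with mixed-case attribute types (Uid=, Ou=, O=), which only works because a directory compares DNs case-insensitively. The parser below is an added example, not UMBC code, showing how a consumer normalizes and compares DNs (case, stray whitespace, backslash-escaped commas) before using them for search scoping or access decisions:

```python
"""Parse and compare LDAP Distinguished Names the way a directory does:
attribute types are case-insensitive, surrounding whitespace is ignored, and
the slides' uid/ou/o values are CIS, so they compare case-insensitively too.
Added example (not UMBC code); handles backslash-escaped commas in values."""
from typing import List, Tuple

def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(type, value), ...] from leaf to root, honouring '\\,' and '\\\\'."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    if escaped:
        raise ValueError("DN ends in a dangling backslash")
    rdns.append("".join(current))
    parsed = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        parsed.append((attr_type.strip().lower(), value.strip()))
    return parsed

def _escape(value: str) -> str:
    return value.replace("\\", "\\\\").replace(",", "\\,")

def normalize_dn(dn: str) -> str:
    """Canonical form: lower-cased types and values, no stray whitespace."""
    return ",".join(f"{t}={_escape(v.lower())}" for t, v in split_dn(dn))

def parent_dn(dn: str) -> str:
    return ",".join(f"{t}={_escape(v.lower())}" for t, v in split_dn(dn)[1:])

def is_under(dn: str, base: str) -> bool:
    """True when dn is strictly below base (used for scoping searches and ACLs)."""
    d = [(t, v.lower()) for t, v in split_dn(dn)]
    b = [(t, v.lower()) for t, v in split_dn(base)]
    return len(d) > len(b) and d[-len(b):] == b
```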
LDAP – Schema (objects)
An entry is a member of one or more object classes
An object class defines which attributes are required or optional
LDAP – Schema (attributes)
An attribute has an identifier (name) and an associated meaning. The meaning of the attribute is typically described in the objectClass definition that first used the attribute. While attributes can be used in other objectClasses, their “meaning” should remain the same.
LDAP – Schema (attributes cont.)
An attribute is typically one of:
CIS (Case Ignore String)
CES (Case Sensitive String)
BIN (Binary)
DN (A Distinguished Name)
INT (An Integer)
…Other attribute syntaxes exist; these are just the most typical
Attributes can be single-valued or multi-valued
Example Object - Person
The following is a very simple objectclass, “person”:
objectclass person
  oid
  superior top
  requires sn (surname), cn (common name)
  allows description, seeAlso, telephoneNumber, userPassword
Example Object - organizationalPerson
The following is a very simple objectclass, “organizationalPerson”:
objectclass organizationalPerson
  oid
  superior person
  allows destinationIndicator, facsimileTelephoneNumber, internationalISDNNumber, l, ou, physicalDeliveryOfficeName, postOfficeBox, postalAddress, postalCode, preferredDeliveryMethod, registeredAddress, st, street, …
Note that since organizationalPerson includes person...
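A directory server enforces these definitions at write time: it walks each objectClass up its superior chain, unions the required and optional attributes, and rejects an entry that lacks a required attribute or carries one no class permits. The following is an added example of that check (not the UMBC schema or any server's code), using the person and organizationalPerson definitions above with the MAY list abbreviated:

```python
"""Schema check for an entry, as a directory server does it: walk each
objectClass's superior chain, collect the required (MUST) and optional (MAY)
attributes, then report missing required or unpermitted attributes.
Added example; person/organizationalPerson MAY lists are abbreviated."""
from typing import Dict, List, Set, Tuple

# objectClass -> (superior, MUST, MAY); names lower-cased, LDAP is case-insensitive
SCHEMA: Dict[str, Tuple] = {
    "top": (None, {"objectclass"}, set()),
    "person": ("top", {"sn", "cn"},
               {"description", "seealso", "telephonenumber", "userpassword"}),
    "organizationalperson": ("person", set(),
                             {"destinationindicator", "facsimiletelephonenumber",
                              "l", "ou", "postaladdress", "postalcode", "st",
                              "street"}),
}

def allowed_attributes(objectclass: str) -> Tuple[Set[str], Set[str]]:
    """(MUST, MAY) for a class including everything inherited from superiors."""
    must: Set[str] = set()
    may: Set[str] = set()
    oc = objectclass.lower()
    while oc is not None:
        if oc not in SCHEMA:
            raise ValueError(f"unknown objectClass {objectclass!r}")
        superior, oc_must, oc_may = SCHEMA[oc]
        must |= oc_must
        may |= oc_may
        oc = superior
    return must, may

def validate_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Return schema violations for an entry (empty list means it is valid)."""
    attrs = {name.lower(): values for name, values in entry.items()}
    problems: List[str] = []
    must: Set[str] = set()
    may: Set[str] = set()
    for oc in attrs.get("objectclass", []):
        try:
            oc_must, oc_may = allowed_attributes(oc)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        must |= oc_must
        may |= oc_may
    problems += [f"missing required attribute {a}" for a in sorted(must - attrs.keys())]
    problems += [f"attribute {a} not allowed by any objectClass"
                 for a in sorted(attrs.keys() - must - may)]
    return problems
```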
LDAP – Security (authentication)
“Bind” (connect) to the service:
Anonymously, or
As a DN, usually with a simple password; however, other methods are supported: Kerberos, SSL, … extensible
LDAP - Replication
Multiple servers == redundancy
Can replicate parts, or all, of the directory
Implementation specific
A “Person”
Here’s a “typical” Person entry, of class umbcPerson (superior inetOrgPerson):
affiliation: staff
billingaddress: 8107 Callo Ln\nBaltimore, MD 21237
campuspostaladdress: 8107 Callo Ln\nBaltimore, MD 21237
cn: Robert Banz
cn: Banz, robert A.
createtimestamp: Z
creatorsname: uid=admin,ou=Administrators,ou=TopologyManagment,o=NetscapeRoot
dateofbirth: 08-Aug-72
departmentnumber:
givenname: robert
guid: 6cbfa31e-6e14-11d cd7816
homephone:
mailacceptinggeneralid: robert_banz
mailacceptinggeneralid: robert.banz
maildrop:
modifiersname: uid=admin,ou=Administrators,ou=TopologyManagment,o=NetscapeRoot
modifytimestamp: Z
…more person
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: umbcPerson
postaladdress: 1 Wellhaven Cir\nApt 1225\nOwings Mills, MD 21117
roomnumber: ECS
sn: banz
socialsecuritynumber: xxx885013
telephonenumber:
umbcbuckley: 00
umbcdatasource: SIS
umbcdatasource: HR
umbcdatecurrenttitle: Z
umbcdepartment: Office of Information Technology
umbchiredate: Z
umbclasttermelig:
umbclasttermreg:
umbcnameconfidential: 00
umbcofficebuilding: Engineering/Computer Science
umbcterminationcode: N
umbctitle: Technical Coordinator
UMBC’s Person Database
Represent all needed HR & SIS information in an LDAP database
(Near) real-time synchronization
Entries are: Eternal, Unique, Non-reusable
Our Identifier
Must be “universally unique”: using the DCE UUID
Guaranteed unique over all time and space
Not particularly for human consumption
Structure - Hierarchical
Location in the tree conveys meaning
Ideal for corporate environments
Difficult for universities
Structure - Flat
No meaning is conveyed by position, but by group membership or information in the entry
A person’s position in the tree remains static, while their position in the organization can be fluid
UMBC’s Schema
Keep in mind Internet2 Middleware standards; it’s all about “interoperation”
Unfortunately, standards are not complete: eduPerson
Implementation
Made up of three main elements: LDAP server software, hardware, glue
Implementation - Software
Chose Netscape Directory Server: a mature product; considered the best, but not cheap; handles the load (our Person Database has ~300,000 entries)
Other alternatives: OpenLDAP, Innosoft, NDS, … many more
Hardware
Master server: Sun Enterprise 220R, 2G RAM (yes, it uses it), 2x 440MHz processors
Slave servers (2): Sun Netra T1, 512M RAM (would love to have more), 1x 440MHz processor
Glue
Changes to Oracle SIS & HR tables cause entries to be made in a changelog table
A Perl script scans the log table and makes the appropriate changes
Web-based utilities for editing & adding entries
Future Directions
Campus MetaDirectory: synchronize the data sources we are synchronizing with
Driving other applications: Card Key Access Control; Single Application Interface
UMBC’s Account Management
First application to make use of the LDAP Person Directory
It, itself, keeps most of its data in LDAP
Account Management - Goals
Utilize the Person Database for account authorization information
Web-enabled, for self service: account creation, password changing
Near-real-time creation
Manage both Krb5 & AFS metadata
Populate user’s account with default files
Manage address space
Utilize RFC 2307 compliant schema
Account Management - Bitses
WebAdmin Interfaces
Kerberos & AFS Manager (accountqd)
LDAP-Based Mail Redirector
NIS Map Generator
WebAdmin Interfaces
Allows both self-service & administrator level:
Account creation
Account activation
Account editing
Kerberos 5 password changes
… other administrative tasks
accountqd
Perl daemon
Periodically (every 5 minutes) checks for account entries that need processing
Creates: Kerberos 5 instance, AFS ‘pts’ database entry, AFS volume
Populates AFS volume with default files
LDAP-Based Mail Redirector
Part of Sendmail 8.11 (also in previous versions, but less mature)
Listed as two alias maps:
One map keys on “mailacceptinggeneralid” in ou=People,o=umbc.edu and returns the maildrop entry (or entries) associated with the matching DN.
The other keys on “uid” in ou=Accounts,o=umbc.edu and returns the maildrop entry (or entries).
Much quicker than the old “phquery” mailer
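The two lookups above, modelled as an added example against a small in-memory directory (not UMBC's Sendmail configuration; the entries and the guid value are constructed). The point worth seeing is the lookup key: it comes from a mail envelope, so it is hex-escaped per RFC 4515 before being placed in the filter, which keeps a key such as "*" or ")(" from turning the equality match into a presence test or a different filter:

```python
"""The two Sendmail alias-map lookups described above, run against a small
in-memory directory: key on mailacceptinggeneralid under ou=People, then on
uid under ou=Accounts, returning the maildrop value(s). The lookup key is
escaped per RFC 4515 first. Added example with constructed entries."""
import re
from typing import Dict, List, Optional

# Constructed entries; the guid RDN value is a placeholder, not a real UUID.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "guid=PLACEHOLDER-UUID,ou=People,o=umbc.edu": {
        "mailacceptinggeneralid": ["robert_banz", "robert.banz"],
        "maildrop": ["banz@gl.umbc.edu"],
    },
    "uid=banz,ou=Accounts,o=umbc.edu": {
        "uid": ["banz"], "maildrop": ["banz@gl.umbc.edu", "banz@afs.umbc.edu"],
    },
}

def escape_filter_value(value: str) -> str:
    """Hex-escape the characters RFC 4515 reserves inside a filter assertion."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(attr: str, key: str) -> str:
    return f"({attr}={escape_filter_value(key)})"

_EQUALITY = re.compile(r"^\((\w+)=([^()]*)\)$")
def _matches(values: List[str], raw: str) -> bool:
    """Equality assertion: a bare '*' is a presence test; hex escapes are literal."""
    if raw == "*":
        return bool(values)
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return wanted.lower() in [v.lower() for v in values]

def search(base: str, flt: str) -> List[str]:
    # Apply one equality filter to entries under base; return their maildrops.
    m = _EQUALITY.match(flt)
    if not m:
        raise ValueError(f"unsupported or malformed filter: {flt!r}")
    attr, raw = m.group(1).lower(), m.group(2)
    suffix = "," + base.lower()
    return [drop for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(suffix) and _matches(attrs.get(attr, []), raw)
            for drop in attrs.get("maildrop", [])]

def resolve_recipient(local_part: str) -> Optional[List[str]]:
    # First map wins; None means neither map knows the address.
    for base, attr in (("ou=People,o=umbc.edu", "mailacceptinggeneralid"),
                       ("ou=Accounts,o=umbc.edu", "uid")):
        drops = search(base, build_filter(attr, local_part))
        if drops:
            return drops
    return None
```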
NIS Map Updater
Perl script
Runs every 15 minutes on NIS master servers
Generates NIS maps based on information in the ou=Accounts tree
Will be replaced…
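What such a map generator has to get right is illustrated by the added example below (constructed entries; not UMBC's Perl script): it renders RFC 2307 posixAccount entries as passwd map lines, and refuses any entry whose field would corrupt the map, since a ':' or newline in a free-text attribute such as gecos would otherwise inject extra fields or a whole second record. The default shell is an assumption.

```python
"""Build NIS passwd map lines from RFC 2307 posixAccount entries, the job the
Perl map updater above performs. Entries missing a required attribute, with a
non-numeric id, or carrying ':' or a newline in any field are reported and
left out: such a field would corrupt the map or inject a second record.
Added example on constructed entries; not UMBC's script."""
from typing import Dict, Iterable, List, Tuple

Entry = Dict[str, List[str]]
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")

def passwd_line(entry: Entry) -> str:
    """Render uid:x:uidNumber:gidNumber:gecos:homeDirectory:loginShell."""
    missing = [a for a in REQUIRED if not entry.get(a)]
    if missing:
        raise ValueError("missing " + ", ".join(missing))
    fields = [entry["uid"][0], "x", entry["uidNumber"][0], entry["gidNumber"][0],
              entry.get("gecos", [""])[0], entry["homeDirectory"][0],
              entry.get("loginShell", ["/bin/sh"])[0]]  # default shell is an assumption
    for field in fields:
        if ":" in field or "\n" in field:
            raise ValueError(f"field {field!r} contains ':' or newline")
    for number in (fields[2], fields[3]):
        if not number.isdigit():
            raise ValueError(f"non-numeric id {number!r}")
    return ":".join(fields)

def build_passwd_map(entries: Iterable[Entry]) -> Tuple[Dict[str, str], List[str]]:
    """Return (lines keyed by uid, rejection messages); duplicate uids are rejected."""
    nis_map: Dict[str, str] = {}
    rejected: List[str] = []
    for entry in entries:
        uid = entry.get("uid", ["?"])[0]
        try:
            line = passwd_line(entry)
        except ValueError as exc:
            rejected.append(f"{uid}: {exc}")
            continue
        if uid in nis_map:
            rejected.append(f"{uid}: duplicate uid")
            continue
        nis_map[uid] = line
    return nis_map, rejected
```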
Future Stuff
WebAdmin interface isn’t complete: alias management, account deletion (yay!) … however, the first few weeks of a semester are kind of busy
OSes that support it (Solaris, IRIX, etc.) can query LDAP directly (the RFC 2307 schema thing)
Places to Visit
Internet2 – http://www.internet2.edu
WebAdmin –
LDAPworld –
ModPerl (all of our interfaces are written in it) –
UMBC’s UCE Home – If we post any of our code, this is where you’ll find it.