Published by Kaela Banford. Modified over 9 years ago.
Slide 1: LDAP user database
Marina Vermezović, Academic Network of Serbia
Skopje, 15.09.2011.
Slide 2: What is it all about?
Services and resources:
- access to the network: wireless, VPN
- web services: e-learning, e-library, student portal
Who are you? - Authentication (AuthN)
What can you do? - Authorization (AuthZ)
An authentication and authorization infrastructure (AAI) makes access to protected services easier.
Akademska mreža Srbije, www.amres.ac.rs
Slide 3: Without AAI
[Diagram] Every service runs its own authentication (Auth) and authorization (Autz):
- Faculty A service providers: wireless, videoconference, e-learning, student services
- Library B service providers: wireless, e-books
Slide 4: With AAI
[Diagram] Faculty A runs identity management and an identity provider. Its service providers (wireless, videoconference, e-learning, student services) and the library's service providers (wireless, e-books) rely on the identity provider for authentication and keep authorization (Autz) at the service.
Slide 5: High level AAI diagram
[Diagram] Identity provider (IdP): a RADIUS server and a SAML IdP on top of the user database. Service providers (SP): network SPs (RADIUS NAS: eduroam, VPN) and web SPs (SAML: web resource, wiki pages).
The basis for development of all services that need local and inter-institutional AuthN and AuthZ.
Circle of trust: federation.
Slide 6: What is a digital user identity?
A set of data (attributes) about a user:
- Personal user data: name, surname; date of birth; national identification number; contact information (mail, address, phone)
- Data regarding affiliation to the institution: name of institution; affiliation (student, employee, guest); designation (for employees); type of studies (for students); local identification number; contact information (mail, address, phone)
- Credentials used for authentication: username/password; certificate
- Data that uniquely identifies a person: person identifying (username@institutional.domain); non person identifying
- User roles and privileges
Slide 7: LDAP user database
Slide 8: Which database to use for storing user IDs?
Basically you can choose any:
- Relational: MySQL, Oracle, PostgreSQL
- Hierarchical: OpenLDAP, Active Directory
But... there are some advantages.
Slides 9-14: Directories - made for storing user IDs? (User database - why LDAP?)
Relational databases vs. directories:
- Schema: relational databases have no standard schema for tables and data fields; directories have international standards to describe persons and organizations.
- Organization: in a relational database one logical entity can be stored in multiple tables; in a directory one logical entity = one entry in the DIT.
- Multivalue data: a relational database mandates a new table, or a fixed number of multiple data fields; directories have native support for multivalued attributes.
- Flexibility: changes in the data fields of a relational database can require big effort; a directory allows granular modification of the schema, and it is easy to add attributes.
- Access: there is no standard protocol for accessing a relational database via the network; directories define a protocol for access via the network - LDAP.
- Optimization: directories are optimised for reading.
Resource: http://www.terena.org/activities/idm/moldova/intro2LDAP.pdf
Slide 15: LDAP dictionary
Slides 16-22: LDAP dictionary revealed
- Directory Information Tree (DIT): the term for the structure the data is organized in; it is organized in a hierarchical (tree-like) manner.
- Entry: a single input in the directory tree which describes one object (e.g. an organization, a person, an organizational unit).
- Attribute: an attribute name / attribute value pair contained in the entry; can be univalued or multivalued.
- objectClass: a logical group of attributes; an entry has one or more objectClasses assigned and must have exactly one structural objectClass; attributes can be optional or mandatory.
- RDN (Relative Distinguished Name): the value that entries are distinguished by within one branch; constructed from some attributes of the entry; something like a folder name, or a primary key in relational databases.
- DN (Distinguished Name): the "path" to the entry, which uniquely identifies it; consists of all RDNs found on the path to the entry, separated by commas.
- Base DN: the DN of the DIT root.
Slide 23: LDAP schema mystery?
A schema consists of one or more objectClass definitions; each objectClass lists its attributes, and each attribute has its own definition.
Slide 24: Which schema should I use?
One can define a proprietary schema to use within the organization.
But... if inter-institutional AuthN and AuthZ is used, such as in an NREN AAI, using the same schema becomes important.
Institutions that are involved in the NREN AAI should use the same schema because it:
- unifies attributes, their use and semantics
- lets Service Providers know what to expect during AuthN and AuthZ
Slide 25: Standard LDAP schemas
Designed for campus directories:
- eduPerson (eduPerson200604), Internet2 MACE group: attributes depicting a person in higher education
- eduOrg (eduOrg200210), Internet2 MACE group: attributes depicting an organization in higher education
- eduMember (eduMember200507), Internet2 MACE-Dir WG: deals with the problem of assigning rights and privileges to users
- SCHAC (SCHema for ACademia), TERENA TF for Middleware, TF-EMC2: complements eduOrg and eduPerson with attributes specific to the European education system
Slide 26: How to approach?
A schema for the national AAI should be defined. Examples:
- rsEdu: https://bpd.amres.ac.rs/doku.php?id=amres_aai_wiki:pregled_atributa
- hrEdu: http://schema.aaiedu.hr/shema/
- norEdu: http://www.feide.no/feide/sites/drupal.uninett.no.feide/files/documents/norEdu_spec.pdf
More at https://refeds.terena.org/index.php/FederationSchema
Slide 27: How to design a national schema?
- Use the standard schemas: eduPerson, eduOrg, SCHAC
- If some attribute specific to the national education system doesn't exist, define it in the national schema
- Have in mind that you want to describe NREN students, researchers, teachers...
- Enables compatibility between national AAIs - confederation
Slide 28: How to implement an LDAP directory?
LDAP is the protocol for accessing the directory.
- Current version LDAPv3, described in RFC 4510
- Uses TCP, port 389
- Client-server model; some operations: StartTLS, Bind, Search, Compare, Add a new entry, Delete an entry, Modify an entry
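The dictionary terms from the slides above (DIT, entry, attribute, objectClass, RDN, DN, base DN), the schema slide and the Search and Compare operations from the list above, worked through in one added Python example that is not part of the presentation. It is a toy in-memory directory: the mini-schema and the sample entries under dc=example,dc=rs are constructed for the example (the names are made up). It enforces the "exactly one structural objectClass" rule and the MUST/MAY attribute lists, derives the RDN and the parent from a DN, refuses an entry whose parent is not in the tree, and implements Search (equality or presence filter over base/one/sub scope) and Compare as local functions. Bind, the modify operations and RFC 4514 DN escaping are deliberately left out.

```python
"""Toy in-memory LDAP directory (added example, not from the slides): DIT, entries,
multi-valued attributes, objectClass MUST/MAY rules with exactly one structural class,
RDN / DN / base DN, and the Search and Compare operations done locally.
Mini-schema and sample entries are constructed; DNs split on plain commas (no RFC 4514 escaping)."""

SCHEMA = {  # constructed mini-schema: kind, superclass (sup), MUST and MAY attribute names
    "top":                dict(kind="abstract",   sup=None,     must={"objectClass"}, may=set()),
    "dcObject":           dict(kind="auxiliary",  sup="top",    must={"dc"},          may=set()),
    "organization":       dict(kind="structural", sup="top",    must={"o"},           may=set()),
    "organizationalUnit": dict(kind="structural", sup="top",    must={"ou"},          may=set()),
    "person":             dict(kind="structural", sup="top",    must={"cn", "sn"},    may={"userPassword"}),
    "inetOrgPerson":      dict(kind="structural", sup="person", must=set(),           may={"uid", "mail"}),
    "eduPerson":          dict(kind="auxiliary",  sup="top",    must=set(),           may={"eduPersonAffiliation"}),
}

def ancestors(oc):
    """The class itself followed by its superclasses up to 'top'."""
    while oc is not None:
        yield oc
        oc = SCHEMA[oc]["sup"]

def rdn(dn):  # leftmost DN component, e.g. 'uid=pera': the entry's own name in its branch
    return dn.split(",", 1)[0].strip()

def parent_dn(dn):  # everything after the RDN; '' for the root of the tree
    return dn.split(",", 1)[1].strip() if "," in dn else ""

def validate(attrs):
    """Raise ValueError unless attrs (name -> list of values) satisfy SCHEMA.
    Structural classes on one SUP chain (person + inetOrgPerson) count as one."""
    ocs = attrs.get("objectClass", [])
    if any(oc not in SCHEMA for oc in ocs):
        raise ValueError(f"unknown objectClass in {ocs}")
    structural = [oc for oc in ocs if SCHEMA[oc]["kind"] == "structural"]
    chains = {oc for oc in structural if not any(oc in list(ancestors(o))[1:] for o in structural)}
    if len(chains) != 1:
        raise ValueError(f"exactly one structural objectClass required, got {sorted(chains)}")
    must, may = set(), set()
    for oc in ocs:
        for a in ancestors(oc):
            must |= SCHEMA[a]["must"]
            may |= SCHEMA[a]["may"]
    if must - attrs.keys():
        raise ValueError(f"missing mandatory attributes {sorted(must - attrs.keys())}")
    if attrs.keys() - must - may:
        raise ValueError(f"attributes not allowed by objectClasses: {sorted(attrs.keys() - must - may)}")

class Directory:  # the DIT: entries keyed by DN; a new entry's parent must already exist
    def __init__(self, base_dn):
        self.base_dn, self.entries = base_dn, {}

    def add(self, dn, attrs):
        validate(attrs)
        if dn != self.base_dn and parent_dn(dn) not in self.entries:
            raise ValueError(f"parent of {dn} does not exist in the tree")
        name, value = rdn(dn).split("=", 1)
        if value not in attrs.get(name, []):  # the RDN is built from the entry's own attributes
            raise ValueError(f"RDN {rdn(dn)} is not among the entry's attributes")
        self.entries[dn] = attrs

    def compare(self, dn, attr, value):
        """Compare operation: does the entry hold this value for the attribute?"""
        return value in self.entries.get(dn, {}).get(attr, [])

    def search(self, base, attr, value, scope="sub"):
        """Search with an equality filter (or '*' for presence) over scope base/one/sub."""
        hits = []
        for dn, attrs in self.entries.items():
            in_scope = {"base": dn == base, "one": parent_dn(dn) == base,
                        "sub": dn == base or dn.endswith("," + base)}[scope]
            matches = attr in attrs if value == "*" else value in attrs.get(attr, [])
            if in_scope and matches:
                hits.append(dn)
        return hits

SAMPLE = [  # constructed sample entries: (DN, attributes); every attribute value is a list
    ("dc=example,dc=rs", {"objectClass": ["dcObject", "organization"],
                          "dc": ["example"], "o": ["Example Faculty"]}),
    ("ou=People,dc=example,dc=rs", {"objectClass": ["organizationalUnit"], "ou": ["People"]}),
    ("uid=pera,ou=People,dc=example,dc=rs", {
        "objectClass": ["inetOrgPerson", "eduPerson"], "uid": ["pera"],
        "cn": ["Petar Petrovic"], "sn": ["Petrovic"],
        "mail": ["pera@example.rs", "petar.petrovic@example.rs"],  # multi-valued attribute
        "eduPersonAffiliation": ["student", "member"]}),
]

def build_directory():
    """Base DN is the DN of the DIT root; entries are added parent-first."""
    d = Directory("dc=example,dc=rs")
    for dn, attrs in SAMPLE:
        d.add(dn, attrs)
    return d

def rejected_reason(attrs):
    """Schema violation message for attrs, or None if the entry is valid."""
    try:
        validate(attrs); return None
    except ValueError as e:
        return str(e)
```

Running `build_directory()` and then `d.search(d.base_dn, "eduPersonAffiliation", "student")` returns the DN of the one student entry; `rejected_reason` shows why an entry that mixes two unrelated structural classes, or lacks a MUST attribute, is refused before it ever lands in the tree.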
Slide 29: Which LDAP server software to use?
Quite a long list: 389 Directory Server, Active Directory, Apache Directory Server, Apple Open Directory, FreeIPA, IBM Tivoli Directory Server, Mandriva Directory Server, Novell eDirectory, OpenDJ, OpenDS, OpenLDAP, Optimal IdM, Oracle Internet Directory, Radiant Logic VDS, Sun Java System Directory Server
Slide 30: How to manage LDAP data?
- Manually, with the LDAP command-line tools
- LDAP browsers: Apache Directory Studio, phpLDAPadmin...
- Make your own application
- Bulk import/synchronization from other source systems: Student Information System, Employee Registry...
Slide 31: Identity Management
Slide 32: The lifecycle of a user digital identity - IdM
A set of procedures and rules which define:
1. Who has the right to own a digital identity
2. When a digital identity is assigned to a person
3. How a digital identity is maintained
4. How the digital identity is used
5. How the digital identity is terminated
Every institution should have its own IdM policy. It must comply with the national personal data protection law (EU Data Protection Directive).
Slide 33: 1. Who has the right to own a digital identity
- Pupils
- Students
- Teaching staff
- Other employees
- Other persons affiliated to the institution - members, guests?
Slide 34: 2. When is a digital identity assigned to a person
- When should the digital identity be created? Student: when applying for admission / when enrolling at the faculty / on the first day of studies / when he/she needs it. Employee: on the first working day / when he/she needs it.
- Which information should it contain? Mandatory or optional; univalue or multivalue; syntax; predefined values; rules for usernames and passwords.
- Where do you get the information from? Automatically from another source; manually from a filled-in form; manually, verbally; multiple sources - sync problem.
- What is the quality of the information? How and when are identities checked? Other systems rely on that data, so it should be accurate.
Slide 35: 3. How is a digital identity maintained
Digital identity data should be accurate and up to date.
- Who is responsible for reporting a change of data, and which data? The user: personal data. Institution administration: data regarding study/employment.
- How do you make the changes? The user, by using a self-service portal. Institution administration: automatically from another source; manually from a filled-in form; manually, verbally.
- When are the changes made? ASAP!
Slide 36: 4. How is the digital identity used
- Which systems can access the information? The ones which need AuthN, AuthZ and/or user data. They can access the directory directly using the LDAP protocol, or through a mediator authentication server: RADIUS, SAML...
- Which data should be accessible? Access should be limited to the reasonable information (slide examples: mail, birthday).
- How are user rights and privileges defined? Use existing user attributes; add an attribute that describes the user role.
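One way to enforce "access should be limited to the reasonable information" on an OpenLDAP server, as an added example that is not from the presentation: an olcAccess rule set for the cn=config database. The suffix dc=example,dc=rs, the service accounts under ou=Services and the loaded SCHAC schema (for schacDateOfBirth) are assumptions to be replaced by the real directory's values. OpenLDAP evaluates the rules in order and the first `to` clause that matches an attribute decides, so the password and the sensitive attribute come first and the catch-all last.

```ldif
# Added example, not from the slides. Assumed: suffix dc=example,dc=rs,
# service accounts under ou=Services, SCHAC schema loaded (schacDateOfBirth).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: the owner may change it, anyone may bind with it, nobody may read it
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Sensitive personal data: the owner and the one service that needs it
olcAccess: {1}to attrs=schacDateOfBirth
  by dn.exact="cn=studentportal,ou=Services,dc=example,dc=rs" read
  by self read
  by * none
# What authentication servers (RADIUS, SAML IdP) need to find a user and state the role
olcAccess: {2}to attrs=entry,objectClass,uid,cn,sn,mail,eduPersonAffiliation,eduPersonPrincipalName
  by dn.children="ou=Services,dc=example,dc=rs" read
  by self read
  by * none
# Everything else: owner only
olcAccess: {3}to *
  by self read
  by * none
```

The `entry` pseudo-attribute in rule {2} is what lets a service's search return the matching entries at all; without it the role attributes would be readable but no entry would be found. Apply with `ldapmodify` against cn=config and verify with a search bound as one of the service accounts that only the listed attributes come back.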
Slide 37: 5. How is the digital identity terminated
- When is the digital identity terminated? When the person is no longer affiliated with the institution: student - when he/she graduates; employee - when he/she stops working; guest - ? The time between the person no longer being affiliated with the institution and the identity termination should be minimal.
- Who reports that it should be terminated? The user; the student administration service; the employee administration service; for guests - ?
- How is it terminated? By the administration service: automatically from another source; manually from a filled-in form; manually, verbally.
- Is it deleted permanently? Should you reassign once-used usernames?
Slide 38: Thank you for your attention. Questions?