Presentation is loading. Please wait.

Presentation is loading. Please wait.

Event-Driven Architecture for Synchronizing Active Directory Groups Nathan Dors – University of Washington Eric Kool-Brown – University of.

Published byJob Stanley Modified over 9 years ago

Similar presentations

Presentation on theme: "Event-Driven Architecture for Synchronizing Active Directory Groups Nathan Dors – University of Washington Eric Kool-Brown – University of."— Presentation transcript:

1 Event-Driven Architecture for Synchronizing Active Directory Groups Nathan Dors – University of Washington dors@uw.edu Eric Kool-Brown – University of Washington kool@uw.edu

2 Active Directory in Higher Ed IT Granting access to Windows resources via Access Control List entries Best practice to use groups as ACE trustees rather than individual user accounts Groups being used as Exchange Distribution Lists Interop with Linux/Unix systems via LDAP, Kerberos, and SAMBA Customers continue to figure out new ways to use our AD services EDA & Syncing AD Groups 2013.11.072

3 Connecting Access Management Systems The Vision Seamless information flow through IT systems Architectural agility for updating IT systems Traditional Solutions Domain-specific, hardwired, batch oriented Scheduled rather than real-time IDM Suites (OpenIDM, OIM, AD/FIM) Relatively heavyweight alternatives Enterprise Integration Patterns Guidance on how to roll your own heavyweight system Event Driven Architecture – a lightweight approach EDA & Syncing AD Groups 2013.11.073

4 Event Driven Architecture EDA facilitates the transfer of information between producing and consuming systems It is a design pattern that decouples components An intermediate component: a message queue An intermediate format: a message schema Flexibility as to the propagation model It provides near real-time information propagation Components and systems can evolve independently The message schema is versioned EDA can facilitate a GR/DR capability if the queue is in the cloud EDA & Syncing AD Groups 2013.11.074

5 Propagating Access Management Changes The UW uses Grouper as the groups data master There are multiple downstream consumers of Grouper changes AD changes used to be pulled via scheduled batch processes We switched to EDA via Apache ActiveMQ a year ago Requires in-house hardware and support We are moving to Amazon SNS and SQS AWS is an attractive option due to simplicity, flexibility, and reasonable cost Trivial to add new consumer queues to an SNS topic EDA & Syncing AD Groups 2013.11.075

6 Information Security Considerations Group data risk assessment and classification Assessment conducted by Michael Brogan 2 years ago http://events.internet2.edu/2011/spring-mm/agenda.cfm?go=session&id=10001722&event=1035 UW policy data classes: public, restricted, or confidential Groups have a hierarchical administrative model Admin controls on who can create groups and modify their attributes and membership Group data is signed and encrypted while in transit In addition to the SSL data channel encryption Groups with viewer restrictions cannot be Exchange email-enabled EDA & Syncing AD Groups 2013.11.076

7 UW AD as a Group Event Consumer Group Sync Agent is a Windows Service and reads from the ActiveMQ or SQS queue Periodic reconciliation compares Grouper data to AD data and adjusts the latter as needed Group viewership restrictions result in the updating of AD group ACLs Brian’s Hiding Data in AD http://blogs.uw.edu/uwwi-blog/http://blogs.uw.edu/uwwi-blog/ Administrative model is enforced in Grouper, AD groups updated only by Group Sync (with a few exceptions) AD replication latency issues resolved by using domain controller affinity Event queues are abstracted as interfaces EDA & Syncing AD Groups 2013.11.077

8 What's Next? Completing the switch over to Amazon SNS/SQS Implementations for other queues, e.g. Azure Message Bus? Using the message queue model for bi-directional group change flow (for those exceptional groups) Perhaps inserting a workflow processor in place of a simple queue Sharing code? EDA & Syncing AD Groups 2013.11.078

9 Conclusion Happy with results, it’s very reliable and usually quite fast ~50k messages per month Course group creation at quarter start imposes an unusual load; ACL setting causes queue back ups Prioritizing interactive group changes over bulk updates Release course creation over a longer period of time Looking at other places were the EDA pattern can be applied EDA & Syncing AD Groups 2013.11.079

10 Appendix EDA & Syncing AD Groups 2013.11.0710

11 EDA & Syncing AD Groups 2013.11.0711

Download ppt "Event-Driven Architecture for Synchronizing Active Directory Groups Nathan Dors – University of Washington Eric Kool-Brown – University of."

Similar presentations

DIGIDOC A web based tool to Manage Documents. System Overview DigiDoc is a web-based customizable, integrated solution for Business Process Management.

DIGIDOC A web based tool to Manage Documents. System Overview DigiDoc is a web-based customizable, integrated solution for Business Process Management.
Federal Student Aid Technical Architecture Initiatives Sandy England

Federal Student Aid Technical Architecture Initiatives Sandy England
Web Services Members Troy Tony Ellen Vincent. Web Services What is it Why is it useful What have been solved Demo Alternative technologies Question.

Web Services Members Troy Tony Ellen Vincent. Web Services What is it Why is it useful What have been solved Demo Alternative technologies Question.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
Chapter 13 Embedded Systems

Chapter 13 Embedded Systems
Exchange server 2003. Mail system Four components Mail user agent (MUA) to read and compose mail Mail transport agent (MTA) route messages Delivery agent.

Exchange server Mail system Four components Mail user agent (MUA) to read and compose mail Mail transport agent (MTA) route messages Delivery agent.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Administering Active Directory

Administering Active Directory
Nikolay Tomitov Technical Trainer SoftAcad.bg.  What are Amazon Web services (AWS) ?  What’s cool when developing with AWS ?  Architecture of AWS 

Nikolay Tomitov Technical Trainer SoftAcad.bg.  What are Amazon Web services (AWS) ?  What’s cool when developing with AWS ?  Architecture of AWS 
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
Understanding Active Directory

Understanding Active Directory
David Besemer, CTO On Demand Data Integration with Data Virtualization.

David Besemer, CTO On Demand Data Integration with Data Virtualization.
Understanding Active Directory

Understanding Active Directory
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 11 Slide 1 Architectural Design.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 11 Slide 1 Architectural Design.
Overview of Active Directory Domain Services Lesson 1.

Overview of Active Directory Domain Services Lesson 1.
Session 6 Windows Platform Dina Alkhoudari. Learning Objectives What is Active Directory Logical components of active directory Physical components of.

Session 6 Windows Platform Dina Alkhoudari. Learning Objectives What is Active Directory Logical components of active directory Physical components of.
The GPAA RFP to implement Enterprise Data Management 1 GPAA15/2015.

The GPAA RFP to implement Enterprise Data Management 1 GPAA15/2015.
Monitoring Latency Sensitive Enterprise Applications on the Cloud Shankar Narayanan Ashiwan Sivakumar.

Monitoring Latency Sensitive Enterprise Applications on the Cloud Shankar Narayanan Ashiwan Sivakumar.
Administrative Technology Services: Enterprise Applications

Administrative Technology Services: Enterprise Applications

Similar presentations

Ads by Google