1. Middleware 201.5 Directories Application Specific Issues Michael R. Gettes Principal Technologist Georgetown University Gettes@Georgetown.EDU Copyright Michael Gettes 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2. 2 Site Profile dc=georgetown,dc=edu Netscape/iPlanet DS version 4.16 2 Sun E250 dual cpu, 512MB RAM 105,000 DNs (25K campus, others = alums + etc) Directory + apps implemented in 7 months Distinguished names: uid=x,ou=people DC rap, “Boom shacka lacka” Does UUID in DN really work? NSDS pre-op plugin (by gettes@Princeton.EDU) Authentication over SSL; Required Can do Kerberos – perf problems to resolve 1 supplier, 4 consumers

3. 3 Authentication: Overall Plan @ Georgetown Currently, Server-Side PKI self-signed Best of all 3 worlds LDAP + Kerberos + PKI –LDAP Authentication performs Kerberos Authentication out the backend. Jan. 2001 to finish iPlanet plug-in. Credential Caching handled by Directory. Cooperative effort – Georgetown, GATech, Michigan –All directory authentications SSL protected. Enforced with necessary exceptions Use Kerberos for Win2K Services and to derive X.509 Client Certificates One Userid/Password (single-signon vs. FSO)

4. 4 Applications Mail routing with Sendmail 8.12 (lists also) Netscape messaging server v 4.15 (IMAP) WebMail profile stored in LDAP Apache server for Netscape roaming (no SSL) Apache & Netscape enterprise web servers Blackboard CourseInfo Enterprise 5.5.1 Whitepages: Directory Server GateWay DSGW DSGW for priv’d access and maintenance

5. 5 Applications (Continued) Remote access with RADIUS (funk). No SSL (3/2000); proper LDAP binds (fix 8/2000) Authenticates and authorizes for dial-up, DSL and VPN services using RADIUS called-id. We want to use this for other access control such as Oracle

6. 6 RADIUS server RADIUS + LDAP NAS (terminal server) Dialup Users User calls 202-555-1110 CalledId from NAS is mapped to guRadProf Directory Server Netid = gettes guRadProf = 2025550001 guRadProf = 2025551110 guRadProf = OracleFin LDAP Filter is: guRadProf = 2025551110 + NetID = gettes

7. 7 Applications (Continued) Alumni services (HoyasOnline). External vendor in Dallas, TX (PCI). They authenticate back to home directories. Apache used to authenticate and proxy to backend IIS server. Email Forwarding for Life

8. 8 NET ID TMS HRIS SIS Alumni LDAP Master Client Browser WWW hoyasonline Content PCI (Dallas) Vendor-provided services Other local hosts GU provided self- service applications LDAP Replica OS/390 HoyasOnline Architecture Gratuitous Architectural Graphic (GAG) Way Down In Texas

9. 9 Applications (Continued) Access+ Georgetown developed Web interface to legacy systems using Unix front- end to custom made mainframe tasks. Many institutions have re-invented this wheel. LDAP authentication, mainframe doesn’t yet do SSL. Always exceptions to rules. Student, Faculty, Staff, Directory/Telephone Access+ Services. This technique keeps mainframe alive. (good or bad?)

10. 10 Applications (Continued) Specialized support apps Self service mail routing Help Desk: mail routing, password resets, quota management via DSGW Change password web page Person registry populates LDAP people data, currently MVS (mainframe) based. PerLDAP used quite a bit – very powerful! (make sure version >= 1.4) Now moving to Net::LDAP

11. 11 Applications (Continued) Georgetown Netscape Communicator Client Customization Kit (CCK).CCK Configured for central IMAP/SSL and directory services. Handles versions of profiles. Poor man’s MCD Future: more apps! Host DB, Kerberos integration, win2k/ad integration?, Oracle RADIUS integration, Automatic lists, Dynamic/static Groups, Top-Secret, Bb – further integration.

12. 12 General Ops Controls (cont…) Anonymous access allowed Needed for email clients Anonymous access is good if you resolve FERPA and other data access issues.

13. 13 Access Lists Design & Maintenance Access lists: design & maintenance Buckley(FERPA) protection & services Priv’d users and services userPassword & SSN Maintained by file using ldapmodifyfile Working on large group controls at GU Groups vs. Roles Likely easy to populate, hard to design & implement

14. 14 Replication Application/user performance Failover, user and app service Impact of DC= naming (replica init) Fixed in 4.13 and iDS 5.0 Monitoring: web page and notification Dumper replica – periodic LDIF dumps Backups? We don’t need no stinkin’ backups! Vendor Specific No good solution for backups (iPlanet) IBM uses DB2 under the covers Novell?

15. 15 Replication (Continued) Application/users config for mult servers Deterministic operations vs random Failover works for online repairs Config servers are replicated also 10 to 1 SRA/CRA ratio recommended Cannot cascade with DC= (iPlanet) Cascading is scary to me

16. 16 Normal Ops Replica Structure MASTER DUMPER WHITEPAGES MAILHOST POSTOFFICE NetID Registry Web Servers Users Failure Ops

17. 17 Buyer Beware LDAP is LDAP is LDAP – yeah, right! “Sure! We support LDAP!” What does that mean? Contract for functionality and performance Include your Directory/Security Champion!!! Verify with other schools – so easy, rarely done. Beware of products that specify Dir Servers Get vendor to document product requirements and behavior. You paid for it!

18. 18 Microsoft Win2K Integration Project Pismere http://web.mit.edu/pismere MIT, CMU, Michigan, Stanford, Colorado, etc… One way trust from MIT KDC to Win2K KDC The devil we know Metamerge can play an important role Handle DHCP/DNS as your site wishes

19. 19 Win2K & Enterprise Integration W2K Kerb AuthN Ent Kerb AuthN W2K Active Directory Enterprise Directory 1 2 3 One-way X-realm Trust Identity mgmt Meta-Dir Function MetaMerge?