Novell Account Management Overview and Futures Doug Anderson Product Manager David Condrey Engineering Manager


Slide 1: Novell Account Management Overview and Futures
Doug Anderson, Product Manager, danderson@novell.com
David Condrey, Engineering Manager, dcondrey@novell.com
Boyd Wilson, Product Architect, bowilson@novell.com

Slide 2: The one Net vision
© March 10, 2004 Novell Inc, Confidential & Proprietary
one Net: Information without boundaries... where the right people are connected with the right information at the right time to make the right decisions.
Product families: Novell exteNd, Novell Nsure, Novell Nterprise, Novell Ngage.

Slide 3: The one Net vision (Novell Nsure)
Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people: securely, efficiently, and best of all, affordably.

Slide 4: Agenda
1. Covering the Basics
2. Account Provisioning Across Heterogeneous Systems
3. Password Management Across Heterogeneous Systems
4. Component Location
5. Summary

Slide 5: What's Up With NAM and IDM?
Let's clear this up now: these are complementary products, not competing products. Identity Manager is the family, and NAM is part of it. NAM is going to go from cousin to brother.

Slide 6: How are Novell Account Management and Identity Manager Related?
- NAM has functionality not available in IDM2: Fan-Out Drivers, Windows Standalone Mode, Authentication Redirection, Native Script Handling, and password sync using the standard eDirectory password.
- NAM also has limitations not found in IDM2: it is Subscriber-Only, and it has a different architecture and a different management console.

Slide 7: What's the Mission?
To make it easy for any Novell Account Management customer (and there are thousands), whether on version 2.1 or 3.0 and on any platform, to move forward without losing any critical functionality, and in fact gaining significant functionality.

Slide 8: But, for today...
For right now, let's talk about how NAM works today, and how it will work in the future.

Slide 9: Covering the Basics

Slide 10: In The One Net World
(Diagram: eDirectory is the core services platform on NetWare, Windows, Solaris, Linux and AIX; Novell Account Management 3.0 extends it to the operating systems Windows, Solaris (Sparc & x86), OS/390, AIX, HP-UX, Linux, FreeBSD, AS/400 and others; solutions and applications shown are Net Services, Management, Storage, Access and Collaboration.)

Slide 11: Two Problems To Solve
User Account Provisioning: how do you automate granting, managing and revoking the right accounts on the right systems at the right time, while giving the administrators of those systems ultimate control over the provisioning process on their respective systems?
Password Management: how do you provide a mechanism where the user has the same password on all systems, no matter how he attaches to or uses those systems?

Slide 12: One Product solves both problems
Novell's Account Management solution solves both the Account Management and the Password Management problems for a wide variety of operating systems. It builds on the scalability of eDirectory, the cross-platform history of prior versions of Account Management and NDS Authentication Services, and the extensibility of DirXML.

Slide 13: The Paradigm
- Users are provisioned into the Directory from an authoritative data source such as the company HR system.
- The Directory contains users and sets of users that form collaborative units.
- The Directory administrator(s) define rules that determine which sets of users and groups are to be provisioned to which systems.
- When new users are added to or removed from the Directory, they are automatically added to or removed from the appropriate external systems.

Slide 14: Account Provisioning Across Heterogeneous Systems

Slide 15: Novell Nsure
It's about:
- Immediate Access: Instant On; rapid time to productivity.
- Security Confidence: Instant Off; eliminate known and unknown exposures.
- Real Cost Savings: integrated, distributed identities; reduced points of administration.
Because it's all one Net.

Slide 16: Digital Identities
The key to delivering services, applications and access to employees, customized to their roles or individual needs.

Slide 17: Account Management Vision
(Diagram: an Authoritative Data Source feeds an LDAP Directory, which provisions accounts to VMS, HP-UX, AS/400, AIX, MVS (RACF, ACF2, Top Secret), Linux, FreeBSD, NDS, AD, NT Domains, Solaris on Sparc & Intel, and Tru64.)

Slide 18: Account Management
(Diagram: the same target systems as Slide 17, now provisioned from eDirectory through the Account Management IDM2 Core Driver.)

Slide 19: Transaction Flow and Decision Points
(Diagram: Authoritative Data Source, then eDirectory, then Target System.)
1. Identity provisioning solutions like Novell Nsure allow management decisions to be made and policies to be carried out based on information relevant to the Authoritative Data Source.
2. Administrators may manage identities from a centralized location using any tools that interact with the directory.
3. Platform administrators have the power to fully provision and manage users on their platform and can customize the application of each transaction.

Slide 20: Account Provisioning to a Target
By provisioning a collaborative unit such as a container or a group to a target system, you automate the management of all users that may be associated with the collaborative unit in the future.
(Diagram: example targets OS/390 LPAR 1, an AIX Mail Server and the Atlanta NT Domain, representing MVS (RACF, ACF2, Top Secret), AIX and NT Domains.)

Slide 21: Account Provisioning to a Target
- Accounts and groups will be provisioned on the target operating systems and cleaned up when the last association with a platform object is removed.
- UNIX UIDs and GIDs can be auto-managed across sets of platform objects called "Platform Sets".
- Unique usernames and appropriate mappings are ensured through a construct called a "Census".

Slide 22: Principal Components
(Diagram: eDirectory and Novell DirXML host the Core Driver(s), which provide Fan Out, Auditing, UID/GID Management, Authentication Redirection, Bi-directional Password Replication, Universal Password (UP) Support and IDM2 Integration, and require fewer objects in eDirectory; Platform Services run on AS/400, Unix, Windows, 390 and other targets.)

Slide 23: Principal Components
(Diagram: Core Driver(s) on eDirectory/Novell DirXML contain Manager Services, Object Services, Audit Services, Certificate Services, Web Services (iManager Integration), Journal Services and Auth Redirection (agent); Platform Services on AS/400, Unix, Windows, 390 and other targets contain the System Intercept, the Platform Services Process, User Authentication, User and Group Management, the Platform Receiver and Scripts; the two sides communicate over SSL through the Authentication Services API.)

Slide 24: Receiver Scripts
- Default scripts will be delivered for each security system on each platform. They may be modified or replaced by the customer.
- Target system administrators already know how to write scripts, since the local scripting environment is used on each platform (REXX, shell script, Windows Script, etc.).
- In many cases administrators already have scripts to perform operations on their local system, and these can be plugged directly in.

Slide 25: Adding Users To The Directory
(Diagram: the components of Slide 23, with the steps below overlaid.)
1. A new user is created in eDirectory.
2. The Core Driver sees the change.
3. Object Services creates an E-user object in the Census, associates it to the proper Platform and passes this information on to Event Journal Services.
4A. The Platform Receiver requests an Access Management Event from Event Journal Services pertaining to the Platform Set that this particular platform is associated with.
4B. Event Journal Services reads the information for the object specified in the Access Management Event out of eDirectory and passes it on to the Platform Receiver.
5. The Platform Receiver processes the Access Management Event through a suitable script (Add User) and passes it on to the local user security system.
6. Event Journal Services notifies Audit Services, which records the actions taken in the Audit Log.

Slide 26: Deleting Users From The Directory
(Diagram: the components of Slide 23 plus the Event Listener, with the steps below overlaid.)
1. A user is deleted in eDirectory.
2. The Core Driver sees the change.
3. An Access Management Event is created and sent to Object Services.
4A. Object Services marks the E-user object in the Census inactive or removes the E-user object from the Census (according to configuration).
4B. Object Services changes the information on the Platform User Object accordingly.
5. The Platform Receiver requests an Access Management Event from Event Journal Services pertaining to the Platform Set that this particular platform is associated with.
6. The Platform Receiver processes the Access Management Event through a suitable script to delete or disable the user and passes it on to the local user security system.
7. Event Journal Services notifies Audit Services, which records the actions taken in the Audit Log.
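The add and delete flows of Slides 25 and 26, together with the Census and Platform Set rules of Slide 21, as a constructed Python simulation (an added example, not Novell code): the Census rejects duplicate usernames, a Platform Set hands out one UID that every target in the set shares, Event Journal Services queues Access Management Events per Platform Set, each Platform Receiver pulls its own set's events and runs a receiver script against a stand-in local security system, and Audit Services records each action. The set name "unix-prod" and the platform names "hpux1" and "aix1" are made-up sample values.

```python
from collections import defaultdict

# Constructed simulation (added example, not Novell code) of the flow described on slides
# 21, 25 and 26. Names such as "unix-prod", "hpux1" and "aix1" are made-up sample values.
PLATFORM_SETS = {"unix-prod": {"platforms": ["hpux1", "aix1"], "next_uid": 1000}}
census = {}                      # E-user objects: username -> {set, uid, active}
journal = defaultdict(list)      # Event Journal: Platform Set name -> Access Management Events
cursor = defaultdict(int)        # how far each Platform Receiver has read its set's journal
local_db = defaultdict(dict)     # local security system per platform: username -> record
audit_log = []                   # Audit Services: (platform, operation, username)

def object_services_add(username, pset_name):
    """Add flow, step 3: create the E-user in the Census and journal an add event."""
    if username in census and census[username]["active"]:
        raise ValueError(f"Census: {username!r} already exists")   # unique usernames
    pset = PLATFORM_SETS[pset_name]
    uid, pset["next_uid"] = pset["next_uid"], pset["next_uid"] + 1  # one UID for the whole set
    census[username] = {"set": pset_name, "uid": uid, "active": True}
    journal[pset_name].append({"op": "add", "user": username, "uid": uid})
    return uid

def object_services_remove(username, remove_from_census=False):
    """Delete flow, step 4A: mark the E-user inactive or drop it, per configuration."""
    entry = census[username]
    op = "delete" if remove_from_census else "disable"
    journal[entry["set"]].append({"op": op, "user": username})
    if remove_from_census:
        del census[username]
    else:
        entry["active"] = False
    return op

def receiver_script(platform, event):
    """The per-platform receiver script: applies one event to the local security system."""
    db = local_db[platform]
    if event["op"] == "add":
        db[event["user"]] = {"uid": event["uid"], "disabled": False}
    elif event["op"] == "disable":
        db[event["user"]]["disabled"] = True
    elif event["op"] == "delete":
        db.pop(event["user"], None)

def platform_receiver(platform, pset_name):
    """Steps 4-6: pull this Platform Set's unread events, run the script, notify audit."""
    events, applied = journal[pset_name], 0
    while cursor[platform] < len(events):
        event = events[cursor[platform]]
        receiver_script(platform, event)
        audit_log.append((platform, event["op"], event["user"]))
        cursor[platform] += 1
        applied += 1
    return applied

def run_receivers(pset_name):
    """Run every receiver in the set, as each target polls the journal independently."""
    return {p: platform_receiver(p, pset_name) for p in PLATFORM_SETS[pset_name]["platforms"]}
```

Because each receiver keeps its own read position, a target that is offline for a while simply catches up on its next poll, which is the pull model the slides describe.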

Slide 27: Password Management Across Heterogeneous Systems

Slide 28: Target System Access
(Diagram: a Target System consists of the Security System, the Operating System and Applications, reached through a Browser, a Client/Server App, FTP, a Terminal Emulator, a DB Front-End or a Terminal Controller.)

Slide 29: Password Synchronization
In the strict sense, "synchronization" means that if a user changes his password on one system, the password is immediately pushed to the other system. But to the end user, passwords are "synchronized" between systems if the user can use the same password on both systems. We can accomplish this end result in a number of ways.

Slide 30: AM Password Management, 3 Methods to Choose From
The architecture supports 3 authentication methods for a given platform:
1. Re-Direction
2. Re-Direction with Local Sync
3. Replication (Event-Driven Sync)

Slide 31: Authentication Replication (Password Check/Change)
(Diagram: OS/390 applications authenticate against RACF; PWRedir forwards the ID/PW to the AM 3.0 Agent(s), which check it against eDirectory over LDAP and return Y/N; if the Local Sync option is enabled, a Y result also updates the RACF DB.)


Slide 33: Password Change and Sync Via Redirect
(Diagram: a password change on OS/390 (PWRedir in front of RACF and the RACF DB) or on HP-UX (PWRedir in front of PAM and the UNIX DB) is redirected to eDirectory, and DirXML carries the change onward.)


Slide 35: When Redirect Is Not An Option...
Redirection is great technology, but you have to be able to intercept the following on the target system:
1. Password Check
2. Password Change
...but we can't intercept Check everywhere. However, we can intercept Change. And if we can intercept Change, then we can still use method 3: Replication (Event-Driven Sync).

Slide 36: Authentication Replication (Event-Driven Password Sync)
(Diagram: a Windows Server Intercept on the Domain Controller captures a Password Change made by an application or domain user and sends the ID/PW to the AM 3.x Core Driver(s), which update eDirectory.)

Slide 37: Authentication Replication (Event-Driven Password Sync)
(Diagram: as Slide 36, with the AM 3.0 Account Provider (Manager) passing the change to Platform Receivers (Method=Replicate) on Target 1, Target 2 and Target 3, each of which updates its local security system (SS).)

Slide 38: Authentication Replication (Event-Driven Password Sync)
(Diagram: as Slide 37, but the DirXML AM Driver and the AM 3.x Account Provider (Core Driver) now replicate the change from eDirectory to the Platform Receivers (Method=Replicate) on Targets 1 to 3.)

Slide 39: Component Location

Slide 40: Component Location (Core Driver)
- The Core Driver now includes all the functionality of the former Event Listener, Manager and Agents.
- A Core Driver must be installed on the server(s) where replicas of the provisioned users and the ASAM System container reside.
- The Core Driver uses a mix of DirXML and LDAP calls to accomplish its mission.
- You can install more than one Core Driver for redundancy. When you upgrade, upgrade the Manager first, then all the Agents, to Core Drivers.

Slide 41: Core Driver Communications
(Diagram: the Core Driver (Manager Services, Object Services, Audit Services, Certificate Services, Web Services, Journal Services, Agent Services) is installed on the same system as eDirectory and Novell DirXML, and talks to them through DirXML and LDAP/SSL.)

Slide 42: Multiple Core Drivers
(Diagram: two Core Drivers, each with its own eDirectory and Novell DirXML instance and each connected through DirXML and LDAP/SSL.) Multiple Core Drivers can watch for events in different or the same replica rings.

Slide 43: Component Location (Platform Services)
Platform Services run on the target system. Delivery and installation are based on the native platform.

Slide 44: Platform Services on OS/390
(Diagram: the Core Driver(s) on eDirectory/Novell DirXML talk over LDAP to a Started Task on OS/390, which uses an API Interface, a PassCheck Exit and a PassChange Exit in RACF (backed by the RACF DB) to serve applications APP 1, APP 2, APP 3 ... APP N.)

Slide 45: Futures

Slide 46: Facts
- The same engineering team now develops and supports the Account Management and NIS Driver deliveries in the UNIX solution space.
- There are fits for each solution today: the NIS driver is good if UNIX is authoritative for account creation; NAM is good if you have lots of systems to connect or if you have not enabled Universal Password.
- Account Management and Identity Management are converging using a multiple-phase approach.

Slide 47: IDM/NAM Convergence
- This does NOT mean simply that Account Management is going away and being converted to drivers.
- Convergence requires new functionality in the current IDM Engine and management infrastructure, as well as a change in current NAM management methodologies.
- This will open up new possibilities for managing how drivers work, and will allow for a common management and customization infrastructure.
- Migrations from current DirXML/Identity Manager drivers and NAM implementations will be made seamless. No need to wait to deploy!

Slide 48: Roadmap (Time Sensitive Information)


Slide 50: General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

