Slide 1: Technical Primer: Directories
Michael R. Gettes, Principal Technologist, Georgetown University, gettes@Georgetown.EDU
http://www.georgetown.edu/giia/internet2

Slide 2: MACE-DIR
- Keith Hazelton, Chair, Wisconsin
- eduPerson objectclass
- LDAP-Recipe
- Dir of Dirs for Higher Education (DoDHE)
- Shibboleth project dir dependencies
- Meta Directories: MetaMerge
- Groups (Dynamic vs. Static; Management)
- Affiliated Directories (Stitched, Data Link)
- http://middleware.internet2.edu/directories

Slide 3: MACE-DIR: eduPerson 1.0 (1/22/01 release)
- MACE initiated (Internet2 + EDUCAUSE)
- Globally interesting, useful attributes
- Get community buy-in; must use it also
- eduPersonAffiliation (DoDHE), eduPersonPrincipalName (Shibboleth)
- “Less is more”: how to use standard objectclasses
- http://www.educause.edu/eduperson

Slide 4: eduPerson 1.5 object class
- Included as part of the NSF Middleware Initiative (NMI) Release 1.0 announced today, May 7th
- eduPerson 1.0 is the production version; 1.5 status is “released for public review” (RPR)
- Next NMI release will include final 1.5 based on review period discussions

Slide 5: eduPerson 1.5 object class
- Changes from 1.0:
  - Introductory section added
  - RFC2252 style definitions included for the eduPerson object class itself and for each of the eduPerson attributes
  - Notes on additional attributes from existing object classes; existing notes clarified; syntax and indexing recommendations updated

Slide 6: eduPerson 1.5 object class
- Two new attributes: eduPersonPrimaryOrgUnitDN, eduPersonEntitlement
- Simple case: value is the name of a contract for a licensed resource, http://
- Values of eduPersonEntitlement can be URLs or URNs

Slide 7: eduPerson 1.5 object class
- eduPersonEntitlement
- Values of eduPersonEntitlement can be URLs or URNs
- http://www.w3.org/Addressing/
- RFC2396 Uniform Resource Identifiers
- RFC2141 Uniform Resource Names
- URNs allow federation of name creation without name clashes: urn:mace:brown.edu:foo
- mace-submit@internet2.edu for information on URN registration

Slide 8: eduOrg 1.0
- eduOrg 1.0 released as “Experimental” object class
- Basic organizational info attributes from X.520: Telecomm, postal, locale
- eduOrgHomePageURI, eduOrgIdentityAuthNPolicyURI, eduOrgLegalName, eduOrgSuperiorURI, eduOrgWhitePagesURI

Slide 9: LDAP-Recipe positioning and the NMI R1
- A special case document
- Pre-existed NMI and MACE document standards for format and naming
- Will conform to NMI/MACE naming and future process for acceptance
- Content? Well, we shall see

Slide 10: LDAP-Recipe Version 1.5 (pre May 7, 2002)
- Directory Tree
- Schema (Design, upgrading, maint)
- AuthN (binding and pw mgmt)
- eduPerson attr discussion (select)
- Access Control
- Replication
- Name population

Slide 11: LDAP-Recipe Version 2.0 (NMI R1 May 7, 2002)
- Groups, Groups, Groups: Static, Dynamic, app issues; builds on “NMI Groups Doc”
- E-Mail Routing considerations: Attribute firewalling, Sendmail, app issues
- eduPersonOrgDN and eduPersonPrimaryOrgUnitDN (Original Intent for eduPerson 1.0 and Primary)
- RDN Issues (a must read)
- Software reference (small, needs to grow)

Slide 12: MACE-DIR: Directory of Directories for Higher Education
- Web of Data vs. Web of People
- Prototype: April, 2000 (by M. Gettes)
- Highly scalable parallel searching
- Interesting development/research problems: Configs, LDAP libraries, Human Interface
- Realized the need to: Promote eduPerson & common schema; Promote good directory design (recipe)
- Work proceeding: Sun Microsystems Grant
- http://middleware.internet2.edu/dodhe

Slide 13: MACE-DIR: DoDHE and LDAP Analyzer
- Todd Piket, Michigan Tech (aka Mr. Pinkert)
- Web based tool to empirically analyze a directory: eduPerson compliance; Indexing and naming; LDAP-Recipe guidance (good practice)
- Beta: http://morpheus.dcs.it.mtu.edu/tcpiket/dodhe

Slide 14: MACE-Dir Futures
- Technical Advisory Board
- eduOrg, eduPerson, edu?
- Shibboleth and other related work
- Roles (RBAC)
- Group Implementations (Eileen Shepard, BC; Tom Barton, Memphis)
- Blue Pages
- LDAP-Recipe (next?)
- Affiliated Directories (Rob Banz, UMBC)
- pkiUser/pkiCa, Bridge CA, etc
- Video Middleware (commObjectUri OCs)
- GRID interoperability
- Directory Policy

Slide 15: MACE-Dir Futures (continued)
- EduOrg “blue page” entries
- EduOrgUnit 1.0 object class and attributes
- Affiliated directories scenarios
- Identity management in Health Sciences
- Assembling info on the fly
- Data/Metadata bundles as units of exchange
- Exploring with our Technical Advisory Board

Slide 16: MACE-SHIBBOLETH
- Steven Carmody, Brown, Chair
- A Biblical pass phrase, “password”: get it right or “off with your head”
- Inter-institutional Authentication/Authorization
- Web Authorization of Remote Sites with Local Credentials
- Authentication via WebISO
- October, 2001 Demo target
- http://middleware.internet2.edu/shibboleth
- May, 2002

Slide 17: VID-MID Video Middleware
- Recently Formed
- Authentication and Authorization of H.323 sessions: Client to Client; Client to MCU
- Directory enabled: How to find video enabled people? What is necessary to describe video capabilities?
- Will likely extend to IP Telephony and so on

Slide 18: Technical / Policy
- PKI is 1/3 Technical and 2/3 Policy?

Slide 19: HEPKI
- TAG, Technical Activities Group: Jim Jokl, Chair, Virginia; Mobility, Cert Profiles, PKI-Lite, etc, etc, lots of techno
- PAG, Policy Activities Group: Default Chair, Ken Klingenstein, Colorado; Knee-deep in policy, HEBCA, Campus, Subs+RP
- PKI Labs (AT&T): Neal McBurnett, Avaya; Wisconsin-Madison & Dartmouth; Industry, Gov., Edu expert guidance
- http://www.educause.edu/hepki

Slide 20: Bridge CA and Trust Paths (diagram; labels: Verisign, Bridge CA, Bridge CA, HE, Policy & Namespace)

Slide 21: (no recoverable content)

Slide 22: Bridge CAs
- Higher Education Bridge CA: FBCA peering
- We have a draft HEBCA CP (NetEDU PKI WG), FBCA Compatible
- How many HEBCAs? (EDUCAUSE!)
- Do we really understand PKI implementations with respect to policy needs? (proxy certificates, relying party agreements, name constraints, FERPA, HIPAA, who eats who?)
- BCA seems to be the most promising perspective. Will each person be a BCA?
- Does ALL software (Client/Server) need to be changed?
- Mitretek announces new BCA deployment model 2/15/2001: Scalable & deployable; Server plug-ins make client changes less likely

Slide 23: domainComponent (DC=) Naming
- Traditional X.500 naming: cn=Michael R Gettes, ou=Server Group, ou=UIS, o=Georgetown University, c=US
- domainComponent (DC) naming: uid=gettes,ou=People,dc=georgetown,dc=edu
- HEPKI is issuing guidance and advice on DC= naming

Slide 24: Attributes for PKI
- Store them in a Certificate? Attributes persist for the life of the Certificate; No need for Directory or other lookup; The Certificate itself becomes the AuthZ control point
- Store them in a Directory? Very light-weight Certificates; Requires Directory Access; Long-term Certificate, Directory is the AuthZ control point
- How many Certificates will we have?
- Pseudonymous Certificates

Slide 25: David Wasley's PKI Puzzle

Slide 26: We're Building A “Bridge Over The River PKI”

Slide 27: A word about “Portals”

Slide 28: Portals: Authentication
- Security is not easy; if it was, then everyone would be doing it.
- Applications MUST NOT handle authentication
- Don't assume you will have access to passwords at the portal
- The portal is YAA (yet another application), but portals have web servers to do the dirty work; portals can trust the web server to authenticate and pass “identity” on to the portal

Slide 29: Portals: Authorization
- Security is not easy; if it was, then everyone would be doing it.
- Applications should handle authorization
- The portal is YAA (yet another application)
- Portals can decide access on their own by consulting local and remote services to determine eligibility, then grant/deny based on the response, or otherwise by whim.

Slide 30: Portal Issues
- Authentication: WebISO
- Authorization: Groups, Roles, Directories, Shibboleth
- Vendor Independent Techniques

Slide 31: Errata-ica

Slide 32: National Science Foundation NMI program
- $12 million over 3 years
- www.nsf-middleware.org
- Middleware Service Providers, Integrators, Distributors
- GRID (Globus)
- Internet2 + EDUCAUSE + SURA
- May 2002: first set of deliverables from all parties

Slide 33: The Liberty Alliance, www.project-liberty.org
- Sun Microsystems, American Express, United Airlines, Nokia, MasterCard, AOL Time Warner, American Airlines, Bank of America, Cisco, France Telecom, Intuit, NTT DoCoMo, Verisign, Schlumberger, Sony
- Initiated in September 2001.
- Protect Privacy, Federated Administration, Interoperability, Standards based but requires new technology, hard problems to solve, a Network Identity Service
- Funny, doesn't this stuff sound familiar?

Slide 34: Got Directory?

Slide 35: Techniques for Product Independence
- Good/Evil: make use of cool features of your product.
- Does this make it more difficult or impossible to switch products later?
- Does this make you less interoperable? Standard?
- Does this limit your ability to leverage common solutions?
- All the above applies to enabled apps as well.

Slide 36: Groups, Groups, Groups
- Static vs. Dynamic (issues of large groups)
- Static: Scalability, performance, bandwidth
- Dynamic: Manageability (search based, but search limits)
- Is there something neutral? Indexed Static Groups, a MACE-DIR consideration (Todd Piket, MTU): Index unique/member
- The likely approach, IMHO; doesn't inhibit dynamic stuff
- Group Math: (&(group=faculty)(!(group=adjunct))(member=DN))

Slide 37: Roles
- Is this an LDAP issue?
- MIT roles DB, a roles registry
- Are groups good enough for now? Probably not, see next
- Are your apps prepared for this? Maybe they need some service to consult?
- Will Shibboleth help here?
- Vendors have proprietary solutions.

Slide 38: Stitching disparate directories
- How to relate to distinct directories and their entries.
- kjk@colorado & kjk@ViDe: are they the same?
- Locate someone in a large directory (DoDHE) and then switch to their video abilities
- Suggestion: define a new object of a “data source directory”. Associate it with a Cert. Send a signature of all data elements for an object; store it in the same object. This allows for digital trust/verification. Still working this out.
- Not much work in this space? (the affiliated dirs problem)
- X.520 AttributeIntegrityInfo attribute: will it suffice?

Slide 39: A Campus Directory Architecture (diagram; labels: metadirectory, enterprise directory, directory database, departmental directories, OS directories (MS, Novell, etc), border directory, registries, source systems, Enterprise applications dir)

Slide 40: Middleware 201: Directories Configuration & Operations
Michael R. Gettes, Principal Technologist, Georgetown University, Gettes@Georgetown.EDU

Slide 41: How Deep?
- Background
- Site Profile - configuration
- Applications
- General Operational Controls
- Schema
- Access Lists
- Replication
- Related Directories
- LDAP-Recipe: http://middleware.internet2.edu

Slide 42: Site Profile dc=georgetown,dc=edu
- Netscape/iPlanet DS version 4.16
- 2 Sun E250, dual cpu, 512MB RAM
- 105,000 DNs (25K campus, others = alums + etc)
- Directory + apps implemented in 7 months
- Distinguished names: uid=x,ou=people
- DC rap, “Boom shacka lacka”
- Does UUID in DN really work? NSDS pre-op plugin (by gettes@Princeton.EDU)
- Authentication over SSL: Required
- Can do Kerberos; perf problems to resolve
- 1 supplier, 4 consumers

Slide 43: Authentication: Overall Plan, Georgetown
- Currently, Server-Side PKI, self-signed
- Best of all 3 worlds: LDAP + Kerberos + PKI
- LDAP Authentication performs Kerberos Authentication out the backend. Jan. 2001 to finish iPlanet plug-in. Credential Caching handled by Directory. Cooperative effort: Georgetown, GATech, Michigan
- All directory authentications SSL protected. Enforced, with necessary exceptions
- Use Kerberos for Win2K Services and to derive X.509 Client Certificates
- One Userid/Password (single-signon vs. FSO)

Slide 44: Applications
- Mail routing with Sendmail 8.12 (lists also)
- Netscape messaging server v 4.15 (IMAP)
- WebMail profile stored in LDAP
- Apache server for Netscape roaming (no SSL)
- Apache & Netscape enterprise web servers
- Blackboard CourseInfo Enterprise 5.5.1
- Whitepages: Directory Server GateWay
- DSGW for priv'd access and maintenance

Slide 45: Applications (Continued)
- Remote access with RADIUS (funk). No SSL (3/2000); proper LDAP binds (fix 8/2000)
- Authenticates and authorizes for dial-up, DSL and VPN services using RADIUS called-id.
- We want to use this for other access control such as Oracle

Slide 46: RADIUS + LDAP (diagram)

Slide 47: Applications (Continued)
- Alumni services (HoyasOnline). External vendor in Dallas, TX (PCI). They authenticate back to home directories. Apache used to authenticate and proxy to backend IIS server.
- Email Forwarding for Life

Slide 48: HoyasOnline Architecture: Gratuitous Architectural Graphic (GAG) (diagram; labels: NET ID, TMS, HRIS, SIS, Alumni, LDAP Master, Client Browser, WWW hoyasonline Content, PCI (Dallas) Vendor-provided services, Other local hosts: GU provided self-service applications, LDAP Replica, OS/390, Way Down In Texas)

Slide 49: Applications (Continued)
- Access+: Georgetown developed Web interface to legacy systems using a Unix front-end to custom made mainframe tasks. Many institutions have re-invented this wheel.
- LDAP authentication; mainframe doesn't yet do SSL. Always exceptions to rules.
- Student, Faculty, Staff, Directory/Telephone Access+ Services.
- This technique keeps the mainframe alive. (good or bad?)

Slide 50: Applications (Continued)
- Specialized support apps
- Self service mail routing
- Help Desk: mail routing, password resets, quota management via DSGW
- Change password web page
- Person registry populates LDAP people data, currently MVS (mainframe) based.
- PerLDAP used quite a bit, very powerful! (make sure version = 1.4) Now moving to Net::LDAP

Slide 51: Applications (Continued)
- Georgetown Netscape Communicator Client Customization Kit (CCK). Configured for central IMAP/SSL and directory services. Handles versions of profiles. Poor man's MCD
- Future: more apps! Host DB, Kerberos integration, win2k/ad integration?, Oracle RADIUS integration, Automatic lists, Dynamic/static Groups, Top-Secret, Bb further integration.

Slide 52: General Operational Controls
- Size limit trolling (300 or 20 entries?)
- Lookthru limit (set very low)
- Limit 3 processors for now; MP issues still! (v4)
- 100MB footprint, about 8000 DNs in cache
- Your mileage will vary; follow cache guidelines documented by iPlanet.
- 24x7 operations
- What can users change? (Very little)
- No write intensive applications

Slide 53: General Ops Controls (cont)
- Anonymous access allowed: Needed for email clients
- Anonymous access is good if you resolve FERPA and other data access issues.

Slide 54: Schema: Design & Maint
- Unified namespace: there can be only one!
- Schema design and maintenance
- Space/time tradeoffs on indexing
- Eduperson 1.0 vs. guPerson: guRestrict, guEmailBox, guAffil, guPrimAfil, guPWTimebomb, guRadProf, guType, guSSN
- Relationships (guref)
- Maintained by ldif file using ldapmodify

Slide 55: Access Lists Design & Maintenance
- Access lists: design & maintenance
- Buckley (FERPA) protection & services
- Priv'd users and services
- userPassword & SSN
- Maintained by file using ldapmodify
- Working on large group controls at GU
- Groups vs. Roles: Likely easy to populate, hard to design & implement

Slide 56: Replication
- Application/user performance
- Failover, user and app service
- Impact of DC= naming (replica init): Fixed in 4.13 and iDS 5.0
- Monitoring: web page and notification
- Dumper replica: periodic LDIF dumps
- Backups? We don't need no stinkin' backups! Vendor Specific: No good solution for backups (iPlanet); IBM uses DB2 under the covers; Novell?
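The “Group Math” filter from the Groups, Groups, Groups slide and the large-group controls mentioned under Access Lists, as an added example that is not part of the deck: it evaluates the slide's filter over constructed group entries, assumes the indexed static group layout (a `group` tag plus an indexed `member` attribute, an assumption not spelled out on the slides), and applies RFC 4515 escaping so a caller-supplied DN cannot change the filter's structure; unbalanced or malformed filters, including a NOT with two children, are rejected.

```python
"""Group math: evaluate the slide's (&(group=faculty)(!(group=adjunct))(member=<dn>)) in memory."""
import re
ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """RFC 4515 escaping: a caller-supplied DN cannot add or close filter terms."""
    return "".join(ESCAPE.get(ch, ch) for ch in value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(filt, pos=0):
    """Parse the &, |, ! and equality subset of RFC 4515; return (predicate, next offset)."""
    if filt[pos:pos + 1] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    op = filt[pos + 1:pos + 2]
    if op in ("&", "|"):
        combine, subs, pos = (all if op == "&" else any), [], pos + 2
        while pos < len(filt) and filt[pos] != ")":
            pred, pos = parse(filt, pos)
            subs.append(pred)
        return (lambda e: combine(p(e) for p in subs)), pos + 1
    if op == "!":
        pred, pos = parse(filt, pos + 2)
        if filt[pos:pos + 1] != ")":
            raise ValueError("NOT takes exactly one filter")
        return (lambda e: not pred(e)), pos + 1
    end = filt.index(")", pos)                      # raises ValueError if unterminated
    attr, eq, raw = filt[pos + 1:end].lower().partition("=")   # compare case-insensitively
    if not eq:
        raise ValueError("unsupported item %r (only attr=value)" % filt[pos:end + 1])
    return (lambda e: unescape(raw) in [v.lower() for v in e.get(attr, [])]), end + 1

def search(entries, filt):
    # Return the sorted DNs of entries matching the filter, like a one-level search
    pred, end = parse(filt)
    if end != len(filt):
        raise ValueError("unbalanced or trailing characters in filter")
    return sorted(dn for dn, e in entries.items() if pred(e))

# Constructed sample data (not Georgetown's): group entries with a 'group' tag and indexed 'member'
ALICE, BOB, DAVE = ("uid=%s,ou=people,dc=example,dc=edu" % u for u in ("alice", "bob", "dave"))
GROUPS = {
    "cn=faculty,ou=groups,dc=example,dc=edu": {"group": ["faculty"], "member": [ALICE, BOB]},
    "cn=adjunct-faculty,ou=groups,dc=example,dc=edu": {"group": ["faculty", "adjunct"], "member": [BOB, DAVE]},
}

def non_adjunct_faculty_groups(entries, dn):
    """The slide's group math for one DN; escaping keeps ')' or '*' in dn from rewriting the filter."""
    filt = "(&(group=faculty)(!(group=adjunct))(member=%s))" % escape_filter_value(dn)
    return search(entries, filt)
```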