AAI@EduHr (From Radius Hierarchy to AAI) Miroslav Milinović University Computing Centre - Srce...
AAI@EduHr (From Radius Hierarchy to AAI)
Miroslav Milinović, University Computing Centre - Srce
EuroCAMP, Ljubljana, March 2006
EuroCAMP, Ljubljana 2006: 2/23
Contents
• History
• hrEdu radius/LDAP hierarchy
• AAI@EduHr project
• hrEdu schemas
• AOSI (adding AAI flavour)
• AAI@EduHr today
• Future development (PKI@EduHr?)
History
• Directories and directory services: http://ds.carnet.hr; Netfind, Whois++, X.500, LDAP; a killer application was needed
• Network access: AAA for dial-up access; introducing radius instead of tacacs+
• (Highly) distributed user community: 200 member institutions (variable size of institution and amount of ICT resources); expert knowledge is not equally distributed/available
We started with ...
• (hrEdu) radius/LDAP hierarchy: limited function, primarily for dial-up access
• LDAP schema development started
• AAI foreseen as a long-term goal / dial-up as a killer application for LDAP deployment
• fully operational radius/LDAP hierarchy since Feb. 2003
• eduroam member since the very beginning
hrEdu radius/LDAP hierarchy
• ≈ 200 (170) Home orgs
• ≈ 180000 users
• SW: FreeRadius & OpenLDAP
• Dial-up access (CMU)
• ID: user.realm
• (Lucent Navis) proxy radius server(s)
• central LDAP server for backup
[Diagram: Home Orgs X, Y and Z, each with its own Radius server and LDAP server, connected through the network to the Radius proxy service that sits between user and resource]
Misusing the radius attributes
Use of radius in the AA(A) process: AuthN; AuthZ = AuthN + “few simple attributes”
We use (radius attribute carrying hrEduPerson attribute):
• Connect-Info ← hrEduPersonExpireDate
• Class ← hrEduPersonUniqueID (hrEduPersonUniqueNumber)
• Configuration-Token ← hrEduPersonPrimaryAffiliation
but actually ... not good enough
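As an added illustration (not code from the presentation or from the AAI@EduHr project), the following Python models the attribute mapping listed on this slide: a home org's LDAP entry is turned into the three RADIUS reply attributes, and the request is rejected when hrEduPersonExpireDate has passed. The YYYYMMDD date format, the sample entries and the reject reasons are assumptions.

```python
from datetime import date

# RADIUS reply attribute -> hrEduPerson LDAP attribute, as on the slide.
ATTRIBUTE_MAP = {
    "Connect-Info": "hrEduPersonExpireDate",
    "Class": "hrEduPersonUniqueID",
    "Configuration-Token": "hrEduPersonPrimaryAffiliation",
}
# Reference date for the sample entries below (constructed).
EXAMPLE_TODAY = date(2006, 3, 1)


def parse_expire_date(value):
    """Parse an assumed YYYYMMDD string; return None when it is not a valid date."""
    if len(value) != 8 or not value.isdigit():
        return None
    try:
        return date(int(value[:4]), int(value[4:6]), int(value[6:]))
    except ValueError:
        return None


def build_radius_reply(entry, today=EXAMPLE_TODAY):
    """Decide Access-Accept/Reject for one LDAP entry (a dict of attributes).

    Returns ("Access-Reject", reason) or ("Access-Accept", reply_attributes).
    Missing attributes and unparseable or past expire dates all reject, so a
    user never gets access merely because the directory entry is incomplete.
    """
    for ldap_attr in ATTRIBUTE_MAP.values():
        if not entry.get(ldap_attr):
            return ("Access-Reject", "missing " + ldap_attr)
    expires = parse_expire_date(entry["hrEduPersonExpireDate"])
    if expires is None:
        return ("Access-Reject", "invalid hrEduPersonExpireDate")
    if expires < today:
        return ("Access-Reject", "account expired")
    reply = {radius: entry[ldap] for radius, ldap in ATTRIBUTE_MAP.items()}
    return ("Access-Accept", reply)


# Constructed sample entries, not real users.
ACTIVE_USER = {
    "hrEduPersonUniqueID": "user@example.hr",
    "hrEduPersonExpireDate": "20061231",
    "hrEduPersonPrimaryAffiliation": "student",
}
EXPIRED_USER = dict(ACTIVE_USER, hrEduPersonExpireDate="20050101")
```

Calling build_radius_reply(ACTIVE_USER) yields an Access-Accept with the three reply attributes, while EXPIRED_USER is rejected as expired; everything the resource learns about the user is still just these three values, which is the limitation the slide points at.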
Project AAI@EduHr
• raising demands (network access & applications)
• Radius/LDAP hierarchy is not good enough
• project started in May 2004
• main goals: define HrEdu schema(s); set up IdPs; set up the AAI for EduHr
• Shibboleth was found as too complex
• idea: add AAI flavour to the existing radius/LDAP infrastructure
• http://www.aaiedu.hr/
hrEdu hierarchy evolved
• ≈ 200 (170) Home orgs
• ≈ 180000 users
• SW: FreeRadius & OpenLDAP
• Dial-up access (CMU)
• StuDOM (8149 “student beds” connected)
• Wireless/wired access (Srce, CARNet, ...)
• eduroam (http://www.eduroam.org)
• UNIX/Linux PAM
• (ID: user.realm)
• (Lucent Navis) proxy radius server(s)
• (central LDAP server for backup)
[Diagram: as before, Home Orgs X, Y and Z, each with a Radius server and LDAP server, connected through the network to the (radius) proxy service between user and resource]
hrEdu schemas
• hrEduPerson, hrEduOrg
• registry: http://schema.aaiedu.hr
• transition/migration from earlier versions: all LDAPs at the same version since Feb. 2006
• more work to do: harmonisation (with SCHAC, ...)
AOSI – adding AAI flavour
AOSI is:
• an application for maintaining the content of the LDAP directory
• an access tool for LDAP (e.g. local AAI component)
AOSI has two parts:
• web service (core AOSI)
• client application (“only” proof of concept; any other client can be used locally)
FWS/HLS = central (AOSI) service
AOSI “ShibLite”
AOSI System
[Diagram: Home org with its LDAP dir., AOSI-WS and AOSI Client; AAI@EduHr provides the Schema (XML), Codes, ... (XML) and Data (XML); user access and administrator access are shown going through the AOSI Client]
AOSI System (2)
[Diagram: same as the previous slide, with AOSI clients for PHP, .Net and Java]
FWS in AAI@EduHr
[Diagram: an Application at Organization A contacts the AAI@EduHr Federation WS, which uses “routing” information (user@realm) to reach the AOSI service and Directory at Organization B]
HLS in AAI@EduHr
[Diagram: as on the previous slide, for HLS: an Application at Organization A contacts the AAI@EduHr Federation WS, which uses “routing” information (user@realm) to reach the AOSI service and Directory at Organization B]
AOSI WS and FWS
• Currently based on Perl; FWS to be implemented in Java
• Local AOSI WS: the local service is described in http://ldaphost.homeorg.hr/aosi/aosi.wsdl and generally runs at https://ldaphost.homeorg.hr:1443/AOSI
• Client platforms working with the service: Perl, PHP, .Net, Java
• FWS/HLS: based on AOSI, http://www.aaiedu.hr/fws/fws.wsdl
• Documentation: http://www.aaiedu.hr/aosi/aosi_wsdl.html, http://www.aaiedu.hr/fws/fws_wsdl.html
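An added example (not the project's own code) of the realm-based routing the FWS/HLS slides show as “routing” information: the central service derives the home org from user@realm, or from the older user.realm identifier of the radius hierarchy, and refuses unregistered realms instead of forwarding anywhere. The registry contents and endpoint hosts are constructed; the endpoint URL pattern follows the slide above.

```python
# Constructed realm registry: realm -> home org AOSI WS endpoint, following
# the https://ldaphost.homeorg.hr:1443/AOSI pattern on the slide.
REALM_REGISTRY = {
    "example.hr": "https://ldaphost.example.hr:1443/AOSI",
    "sub.example.hr": "https://ldaphost.sub.example.hr:1443/AOSI",
    "other-example.hr": "https://ldaphost.other-example.hr:1443/AOSI",
}


def split_identifier(identifier, registry=REALM_REGISTRY):
    """Return (user, realm) for 'user@realm' or the older 'user.realm' form.

    'user@realm' is unambiguous: the last '@' separates user and realm.
    'user.realm' is ambiguous once realms contain dots, so the realm is
    taken as the longest registered suffix and the rest is the user part.
    Returns None when no registered realm matches, so the caller can
    refuse to route rather than forward to an arbitrary host.
    """
    if "@" in identifier:
        user, _, realm = identifier.rpartition("@")
        return (user, realm) if user and realm in registry else None
    labels = identifier.split(".")
    # Longest suffix first: 'a.sub.example.hr' belongs to sub.example.hr,
    # not to example.hr with user 'a.sub'.
    for i in range(1, len(labels)):
        realm = ".".join(labels[i:])
        if realm in registry:
            return (".".join(labels[:i]), realm)
    return None


def route(identifier, registry=REALM_REGISTRY):
    """Home org AOSI WS endpoint for this identifier, or None if unroutable."""
    parsed = split_identifier(identifier, registry)
    return registry[parsed[1]] if parsed else None
```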
AAI@EduHr today
• User: uid@realm.hr
• 197 (166) Home orgs
[Diagram: Resource with Entry Point and AAI Component; Central AAI@EduHr Services (proxy, FWS/HLS, ...); Home Org with AAI Component (FreeRadius, AOSI WS) and Directory (OpenLDAP)]
AAI@EduHr in real life
• in full operation since Feb. 2006
• basic monitoring (http://www.aaiedu.hr/status_li.php)
• 197 Home organisations (IdPs)
• number of services:
  Network access: dial-up, wireless & wired (eduroam, 802.1x); www.eduroam.hr (fully operational by the end of April)
  Application access: Web-based applications, WebCT, Moodle, ...
PAP to EAP/TTLS Bridge
• Improving security
• multithreaded UDP server
• based on the TinyRadius Radius server API (http://tinyradius.sourceforge.net/) and eapol_test (http://hostap.epitest.fi/)
• works on Linux (a Solaris version is still being worked on)
PAP to EAP/TTLS
[Diagram: NAS sends PAP; Radius (PAP) goes to the Bridge, which converts PAP to EAP/TTLS and back; Radius (EAP/TTLS) continues through the Radius proxy to the Home Org Radius server and LDAP server]
An example: CARNet mobile service
[Diagram: XYZ client and XYZ APN; Mobile CARNet AAA with the Mobile CARNet radius server and Mobile AAA DB; CARNet RADIUS server; AAI@EduHr radius proxy; Home org. with LDAP dir.]
An example: CARNet mobile service (2)
[Diagram: HTTP client and Mobile CARNet Web; Mobile CARNet AAA with the Mobile CARNet radius server and Mobile AAA DB; CARNet RADIUS server; AAI@EduHr radius proxy and FWS/HLS; Home org. with LDAP dir.]
Future work
• become a “real” federation (policies, policies, ...)
• central (vs. local) login page in production
• resource registry (based on SWITCH solution)
• certificates for services from TERENA SCS (provided by CARNet)
• improved monitoring
• start “speaking” SAML
• add ARP functionality to AOSI
• “Shib gateway” in production
• interoperate with eduGAIN
• SSO
• PKI@EduHr? (SX project)