Using LDAPv3 for Directory-Enabled Applications & Networking
Fortress Open Source IAM on LDAPv3
ldapcon
Transcript of Fortress Open Source IAM on LDAPv3
License CC-BY-SA
Fortress Open Source IAM on LDAPv3
Shawn McKinney
November 18, 2013
Agenda
- Product Overview
- Technical Introduction
- RBAC SoD Demo
- Commander
- En Masse
- Multitenancy
- Next Steps
- Wrap-up
Product Overview
Roadmap (component, release):
1. Fortress Core: ANSI RBAC SDK (October 2011)
2. Sentry: RBAC Policy Enforcer (October 2011)
3. EnMasse: RBAC Policy Server (October 2012)
4. Commander: Web Administration (October 2013)
5. Perimeter: Web Access Mgmt (April 2014)
6. Patroller: Audit Monitoring (October 2014)
Fortress Introduction
- ANSI INCITS 359-2004 compliant IAM system
- Policy Decision Points
  - Java APIs (Fortress Core)
  - REST services (En Masse)
- Policy Administration Points
  - Java APIs (Fortress Core)
  - REST services (En Masse)
  - RBAC Web Management (Commander)
- Privileged Identity Management
Fortress Introduction (continued)
- Policy Enforcement Points
  - Sentry Java EE Platform Security
  - Sentry Other Platforms (in development)
- Audit Trail
  - Authentication – tracks who is accessing the system
  - Authorization – tracks who did what, when and where
  - Administration – tracks historical changes to the data
Fortress System Architecture
(Architecture diagram; recoverable labels follow.)
- Applications: Java App #2 on a Java VM uses the Fortress Core APIs over LDAPv3; Other App on any platform connects over HTTP/S
- Directory tier: OpenLDAP or Apache DS, both over LDAPv3; the RBAC Accelerator is reached through LDAPv3 Extended Ops
- Legend (arrow types): Fortress, LDAP, HTTP

Notes on the diagram:
- Either LDAP server works
- RBAC policy enforcement on any platform uses the accelerator
- RBAC policy administration and interrogation use standard LDAPv3 protocols
- The Fortress RBAC Enforcement APIs will also call the accelerator
ANSI RBAC INCITS 359
1. RBAC0: Users, Roles, Perms, Sessions
2. RBAC1: Hierarchical Roles
3. RBAC2: Static Separation of Duties
4. RBAC3: Dynamic Separation of Duties (demo this capability)
Dynamic Separation of Duties Demo
(Diagram: one user holds three assignments, Role 1, Role 2 and Role 3, numbered 1 to 3; the DSD constraint is that one and only one may be active.)
Demo stack (Java Virtual Machine, Tomcat), from coarse to fine AuthZ granularity:
- Java EE coarse-grained security
- Spring page-level security
- Apache Wicket pages, links and buttons, guarded by the Fortress RBAC PEP
- Fortress RBAC Proxy and Fortress RBAC PDP behind the PEP

Users:
- User1 is assigned to ROLE_TEST1, ROLE_TEST2, and ROLE_TEST3
- User2 is assigned to ROLE_TEST2
- User3 is assigned to ROLE_TEST3

Permissions:
- Page1.Button1 is granted to ROLE_TEST1
- Page1.Button2 is granted to ROLE_TEST1
- Page1.Button3 is granted to ROLE_TEST1
- Page2.Button1 is granted to ROLE_TEST2
- Page2.Button2 is granted to ROLE_TEST2
- Page2.Button3 is granted to ROLE_TEST2
- Page3.Button1 is granted to ROLE_TEST3
- Page3.Button2 is granted to ROLE_TEST3
- Page3.Button3 is granted to ROLE_TEST3

Dynamic Separation of Duties:
- Set of roles is [ROLE_TEST1, ROLE_TEST2, ROLE_TEST3]
- DSD Set Cardinality is 1
- Only one Role can be active in a Session
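The decision logic behind this demo, as an added example that is not code from Fortress or fortressdemo1: a tiny in-memory policy decision point with the slide's users, roles, permissions and DSD set. The class and function names (Session, create_session, add_active_role, check_access, run_demo) are this example's own, not the Fortress API, and cardinality is read the way the slide reads it (at most that many roles from the set active in one session; INCITS 359 phrases the same constraint as "fewer than n"). Fail-closed behaviour on a violation (raise rather than silently drop the role) is also this example's choice.

```python
"""RBAC0 core + RBAC3 dynamic separation of duties, as a tiny in-memory PDP.

Added example, not code from Fortress or fortressdemo1. The users, roles,
permissions and DSD set are transcribed from the demo slide; the class and
function names are this example's own. Cardinality is read as the slide
reads it: at most `cardinality` roles from the set may be active at once.
"""
from dataclasses import dataclass, field

# Policy data constructed to match the slide.
USER_ROLES = {
    "user1": {"ROLE_TEST1", "ROLE_TEST2", "ROLE_TEST3"},
    "user2": {"ROLE_TEST2"},
    "user3": {"ROLE_TEST3"},
}
ROLE_PERMS = {
    "ROLE_TEST1": {("Page1", "Button1"), ("Page1", "Button2"), ("Page1", "Button3")},
    "ROLE_TEST2": {("Page2", "Button1"), ("Page2", "Button2"), ("Page2", "Button3")},
    "ROLE_TEST3": {("Page3", "Button1"), ("Page3", "Button2"), ("Page3", "Button3")},
}
# (name, role set, cardinality): only one of the three may be active per session.
DSD_SETS = [("DemoDsd", {"ROLE_TEST1", "ROLE_TEST2", "ROLE_TEST3"}, 1)]


class DsdViolation(Exception):
    """Activating the role would put too many DSD-set roles into one session."""


@dataclass
class Session:
    user_id: str
    active_roles: set = field(default_factory=set)


def add_active_role(session, role):
    """addActiveRole: assignment check first, then the DSD check, fail closed."""
    if role not in USER_ROLES[session.user_id]:
        raise PermissionError(f"{session.user_id} is not assigned {role}")
    if role in session.active_roles:
        return
    for name, roles, cardinality in DSD_SETS:
        if role in roles and len((session.active_roles | {role}) & roles) > cardinality:
            raise DsdViolation(
                f"{role} conflicts with {sorted(session.active_roles & roles)} "
                f"under DSD set {name} (cardinality {cardinality})"
            )
    session.active_roles.add(role)


def drop_active_role(session, role):
    """dropActiveRole: deactivation can never violate DSD, so no check is needed."""
    session.active_roles.discard(role)


def create_session(user_id, activate=()):
    """createSession: the session starts empty and roles are activated one by
    one so that every activation passes through the DSD check."""
    if user_id not in USER_ROLES:
        raise KeyError(f"unknown user {user_id}")
    session = Session(user_id)
    for role in activate:
        add_active_role(session, role)
    return session


def check_access(session, obj_name, op_name):
    """checkAccess: a permission is granted only through a role that is
    currently ACTIVE, not merely assigned (the point of the DSD demo)."""
    return any((obj_name, op_name) in ROLE_PERMS[r] for r in session.active_roles)


def run_demo():
    """Walk the slide's scenario and return the observed decisions."""
    results = {}
    s = create_session("user1", activate=["ROLE_TEST1"])
    results["user1_page1_button1"] = check_access(s, "Page1", "Button1")
    results["user1_page2_button1"] = check_access(s, "Page2", "Button1")
    try:                                  # second DSD-set role in the same session
        add_active_role(s, "ROLE_TEST2")
        results["user1_dsd_blocked"] = False
    except DsdViolation:
        results["user1_dsd_blocked"] = True
    drop_active_role(s, "ROLE_TEST1")     # switch roles instead of stacking them
    add_active_role(s, "ROLE_TEST2")
    results["user1_page2_after_switch"] = check_access(s, "Page2", "Button1")
    s2 = create_session("user2", activate=["ROLE_TEST2"])
    results["user2_page2_button3"] = check_access(s2, "Page2", "Button3")
    try:                                  # not assigned, so never activatable
        add_active_role(s2, "ROLE_TEST1")
        results["user2_unassigned_blocked"] = False
    except PermissionError:
        results["user2_unassigned_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The order of checks in add_active_role is the security-relevant detail: assignment is verified before the DSD set is consulted, and check_access consults only active roles, so User1's three assignments never yield more than one page's buttons at a time.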
Where to get RBAC Demo
- Source: https://github.com/shawnmckinney/fortressdemo1
- Tutorial & other ANSI RBAC write-ups:
  - http://symas.com/ansi-rbac-intro/
  - http://symas.com/rbac-security-enforcement-inside-wicket/
  - https://github.com/shawnmckinney/fortressdemo1/blob/master/README.txt
Commander Introduction
- RBAC Web Administration
- Uses the Fortress Core APIs
- Communicates via HTTP or LDAPv3 protocols
- Secured by Fortress, Java EE and Spring
- Full audit trail
- Extensible – add new pages quickly
- Uses the Apache Wicket UI framework
Commander System Architecture
(Architecture diagram; recoverable labels follow.)
- Commander (Java VM, Fortress Core APIs) talks either over HTTP/S to EnMasse (Java VM, Fortress Core APIs) or directly over LDAPv3 to the directory
- Directory tier: OpenLDAP or Apache DS, both over LDAPv3
- Legend (arrow types): Fortress, LDAP, HTTP

Notes on the diagram:
- Commander can use either the HTTP or the LDAPv3 protocol
- Either LDAP server works
- The HTTP protocol aids in firewall traversals
Commander Demo
- View RBAC demo audit trail
- View RBAC management capabilities
- Enable REST communication with En Masse
- Run Commander Selenium automated test
- View Wireshark trace
Where to get Commander
- Source: http://www.openldap.org/devel/gitweb.cgi?p=openldap-fortress-commander.git;a=summary
- Quickstart: http://iamfortress.org/download
- Maven: http://search.maven.org/#search%7Cga%7C1%7Ccommander
En Masse Introduction
- RBAC Policy Server
- Firewall friendly
- 120+ RESTful services
- Multitenant process and services
- Secured using Fortress RBAC enforcement
- Binds directly to the Fortress entity model
- Uses Fortress Core to communicate over LDAPv3
- Uses Apache CXF for RESTful processing
En Masse System Architecture
(Architecture diagram; recoverable labels follow.)
- Applications: a Java App (Java VM) may call the Fortress Core APIs directly over LDAPv3 or reach EnMasse over HTTP/S; Other App on any platform reaches EnMasse over HTTP/S using REST
- EnMasse (Java VM, Fortress Core APIs) talks LDAPv3 to the directory
- Directory tier: OpenLDAP or Apache DS, both over LDAPv3
- Legend (arrow types): Fortress, LDAP, HTTP

Notes on the diagram:
- Either LDAP server works
- Apps may use any REST library or the Fortress APIs to connect with En Masse
- The HTTP protocol is less efficient than LDAP but aids in firewall traversals
Where to get En Masse
- Source: http://www.openldap.org/devel/gitweb.cgi?p=openldap-fortress-enmasse.git;a=summary
- Quickstart: http://iamfortress.org/download
- Maven: http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22enmasse%22
Multitenancy Introduction
Multitenant LDAP Data Structure
- Leverage LDAP's natural affinity to partition data by client organization
- Each tenant has its own complete copy of the DIT, segregated by organizational unit
- Reduced cost due to fewer servers to maintain
Multitenant Programming Model
- The client's id is passed to Fortress at factory initialization
- For its whole lifecycle, a 'Manager' object processes data on behalf of the client id passed during initialization
- AnyMgr: createInstance(tenantId);

```java
// Instantiate the AccessMgr implementation bound to tenant "Client123";
// every call made through this manager operates on that tenant's DIT.
AccessMgr accessMgr = AccessMgrFactory.createInstance("Client123");
```
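The per-tenant DIT layout the previous two slides describe, and the one thing the factory-time tenant id implies for it, as an added example that is not Fortress code: the id becomes an RDN, so it has to be validated and escaped before it is concatenated into any DN or search base. The container names (People, Roles, Permissions, Constraints), the suffix dc=example,dc=com, the tenant-id allow-list and the function names (tenant_base, user_dn, in_tenant, tenant_ldif) are all this example's assumptions; Fortress's real layout comes from its configuration.

```python
"""Per-tenant DIT layout for a multitenant RBAC directory.

Added example, not Fortress code. Container names, suffix and the tenant-id
allow-list are assumed for illustration. The tenant id passed at factory time
becomes an RDN, so it is validated and escaped before it ever reaches a DN.
"""
import re

SUFFIX = "dc=example,dc=com"
TENANT_CONTAINERS = ("People", "Roles", "Permissions", "Constraints")

# Allow-list for tenant ids (constructed policy for this example).
_TENANT_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def is_valid_tenant_id(tenant_id):
    return bool(_TENANT_ID_RE.match(tenant_id))


def escape_rdn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def tenant_base(tenant_id):
    """DN of the tenant's own subtree; everything for that tenant lives below it."""
    if not is_valid_tenant_id(tenant_id):
        raise ValueError(f"invalid tenant id: {tenant_id!r}")
    return f"ou={escape_rdn_value(tenant_id)},{SUFFIX}"


def entity_dn(tenant_id, container, rdn_attr, name):
    if container not in TENANT_CONTAINERS:
        raise ValueError(f"unknown container: {container}")
    return f"{rdn_attr}={escape_rdn_value(name)},ou={container},{tenant_base(tenant_id)}"


def user_dn(tenant_id, uid):
    return entity_dn(tenant_id, "People", "uid", uid)


def role_dn(tenant_id, role_name):
    return entity_dn(tenant_id, "Roles", "cn", role_name)


def in_tenant(dn, tenant_id):
    """Scope guard for a manager bound to one tenant: an entry is in scope only
    if its DN sits under that tenant's base. The leading comma matters, since
    ou=Client1 must not be matched by a DN ending in ou=XClient1."""
    return dn.endswith("," + tenant_base(tenant_id))


def tenant_ldif(tenant_id):
    """LDIF that creates a tenant's subtree and its containers."""
    base = tenant_base(tenant_id)
    entries = [f"dn: {base}\nobjectClass: organizationalUnit\nou: {tenant_id}\n"]
    for container in TENANT_CONTAINERS:
        entries.append(
            f"dn: ou={container},{base}\nobjectClass: organizationalUnit\nou: {container}\n"
        )
    return "\n".join(entries)


if __name__ == "__main__":
    print(tenant_ldif("Client1"))
    print(user_dn("Client1", "user1"))
```

Running it prints the LDIF for a Client1 subtree and the DN uid=user1,ou=People,ou=Client1,dc=example,dc=com. The allow-list rejects a tenant id such as "Client1,ou=Client2" outright, and the escaping handles the rest, so a manager created for one tenant cannot be steered into another tenant's subtree by the value it was initialized with.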
Multitenant Demo
- Load demo users for Client 1, 2 & 3
- Run test-full for Client 1, 2 & 3
Where to get Fortress Multitenancy
- Source: http://www.openldap.org/devel/gitweb.cgi?p=openldap-fortress-core.git;a=summary
- Binaries (Maven):

```xml
<dependency>
  <groupId>us.joshuatreesoftware</groupId>
  <artifactId>fortress</artifactId>
  <version>RC-1.0-33</version>
</dependency>
```
Next Steps
- RBAC Accelerator
  - OpenLDAP overlay
  - RBAC Policy Decision Point
- Web Access Management/SSO
- RBAC Policy-Enhanced Standard (RPE)
  - INCITS 494-2011
  - Support for dynamic attributes
- Attribute-based Access Control (ABAC)
  - Maybe
Thanks!