Managing OpenAFS users with OpenIDM
Upload: manfred-furuholmen
October 2011
Identity Management
Agenda
- Problem
- Identity Management
- OpenIdM
- AFS Integration
Identities
Many accounts and identities:
- afs: [email protected]
- Krb5: manfred/[email protected]
- Krb5: [email protected]
- AD: fabriziom
- Unix: manfred
- …
System Identities
Identities
User: remember password and account
System administration: account distribution, permission, audit
Identity Management
Wikipedia “Identity management (or ID management, or simply IdM) is a broad administrative area that deals with identifying individuals in a system (such as a country, a network, or an organization) and controlling access to the resources in that system by placing restrictions on the established identities of the individuals…”
IDM
IdM covers many areas:
- Identity management system (identification, permission, ...)
- Legal: deals with data protection legislation
- Police: deals with identity theft
- Social and humanity: deals with issues such as privacy
- Security: manages elements such as access control
- Organizations: hierarchies and divisions of access
IDM
IdM is not a piece of software, it is a project.
Overview
OpenIDM
OpenIDM is an identity management solution based on open standards.
“In addition to being open source, OpenIDM offers high flexibility in business process handling and compliance. A flexible user interface combined with a robust workflow engine make OpenIDM ready for any identity management project…”
Architecture
Architecture: Core Services

Object Model
Artifacts handled by OpenIDM are Java object representations of the JavaScript object model as defined by JSON.

Managed Objects
A managed object is an object that represents the identity-related data managed by OpenIDM.

System Objects
System objects are a pluggable representation of objects on external systems. There is a default implementation for the OpenICF framework which allows any connector object to be represented as a system object.

Mappings
The mappings define the policies between source and target objects and their attributes during synchronization and reconciliation. Mappings may also define triggers for validation, customization, filtering, and transformation of the source and target objects.

Synchronization and Reconciliation
Reconciliation provides for on-demand or scheduled comparison of resources between the OpenIDM managed object repository and source or target systems.
Architecture: Infrastructure Modules

Scheduler
The scheduler is a cron-like scheduling component used to schedule regular synchronizations and reconciliations.

Script Engine
The script engine is a pluggable module that provides the triggers and plugin points for OpenIDM.

Audit Logging
Auditing logs all relevant system activity to the configured log stores. This includes the data from reconciliation as a basis for reporting, as well as detailed activity logs that capture operations on the internal (managed) and external (system) objects.

Repository
The repository provides a common abstraction for a pluggable persistence layer. Plugged-in repositories could be NoSQL, relational databases, LDAP, or even flat files. The repository API operates with a JSON-based object model with RESTful principles consistent with the other OpenIDM services.
Architecture
OpenIDM
Diagram components: Source System Obj, Mapper, Target System Obj, Internal db, Trigger, Scheduler.

The slide's example REST call, creating a managed user:

```shell
$ curl -X PUT -d '{"name":"joe","firstname":"joe","lastname":"smith","email":"[email protected]"}' http://localhost:8080/openidm/managed/user/joe
```
OpenIDM
Mapper Object (field types, not a literal document):

```
{
  "name": string,
  "source": string,
  "target": string,
  "validSource": script object,
  "validTarget": script object,
  "correlationQuery": script object,
  "properties": [ property object, ... ],
  "policies": [ policy object, ... ],
  "onCreate": script object,
  "onUpdate": script object
}
```

REST:

```
POST /openidm/system/xml/account/jsmith?action=sync ...
```
OpenIDM
Mapping configuration (two entries of the mappings array of OpenIDM's sync.json): AD accounts into managed users, and managed users out to PTS accounts. The slide's smart quotes and the trailing comma after the PTS properties array are corrected here so the document is valid JSON.

```json
{
  "mappings" : [
    {
      "name" : "systemADAccounts_managedUser",
      "source" : "system/ad/account",
      "target" : "managed/user",
      "properties" : [
        { "source" : "sAMAccountName", "target" : "name" },
        { "source" : "sn", "target" : "lastname" },
        { "source" : "givenName", "target" : "firstname" }
      ]
    },
    {
      "name" : "managedUser_systemPtsAccounts",
      "source" : "managed/user",
      "target" : "system/pts/account",
      "properties" : [
        { "source" : "name", "target" : "name" },
        { "source" : "_id", "target" : "aid" }
      ],
      "policies" : [
        { "situation" : "CONFIRMED", "action" : "UPDATE" },
        { "situation" : "FOUND", "action" : "UPDATE" },
        { "situation" : "ABSENT", "action" : "CREATE" },
        { "situation" : "AMBIGUOUS", "action" : "EXCEPTION" },
        { "situation" : "MISSING", "action" : "UNLINK" },
        { "situation" : "UNQUALIFIED", "action" : "DELETE" },
        { "situation" : "UNASSIGNED", "action" : "DELETE" }
      ]
    }
  ]
}
```
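The situation/action table above drives the reconciliation described under "Synchronization and Reconciliation": each source object is classified into a situation, and the policy for that situation selects the action. The following Python program is an added illustration, not OpenIDM code; it models that engine for the managedUser_systemPtsAccounts mapping. The user and PTS records, the link table, the validSource rule (only active users qualify) and the correlation rule (match on name) are constructed for the example, where the real engine runs the scripts configured in the mapping for those two decisions.

```python
"""Toy reconciliation engine in the style of OpenIDM's situation/action model.

Added illustration, not OpenIDM code. The property mapping and policy table
come from the managedUser_systemPtsAccounts mapping; the records, link table,
qualification rule and correlation rule are constructed here.
"""
import copy

MAPPING = {
    "name": "managedUser_systemPtsAccounts",
    "source": "managed/user",
    "target": "system/pts/account",
    "properties": [
        {"source": "name", "target": "name"},
        {"source": "_id", "target": "aid"},
    ],
    "policies": {  # situation -> action, as listed in the mapping
        "CONFIRMED": "UPDATE", "FOUND": "UPDATE", "ABSENT": "CREATE",
        "AMBIGUOUS": "EXCEPTION", "MISSING": "UNLINK",
        "UNQUALIFIED": "DELETE", "UNASSIGNED": "DELETE",
    },
}


def transform(user):
    """Apply the property mapping: build the target attribute set from a source object."""
    return {p["target"]: user[p["source"]] for p in MAPPING["properties"]}


def valid_source(user):
    """Stand-in for the mapping's validSource script (constructed rule: active users only)."""
    return user.get("status") == "active"


def correlate(user, targets):
    """Stand-in for correlationQuery (constructed rule): PTS ids whose name equals the user's."""
    return [aid for aid, acct in targets.items() if acct["name"] == user["name"]]


def classify(user, links, targets):
    """Source-phase situation for one user, plus the target ids the decision touched."""
    uid = user["_id"]
    if uid in links:                      # an existing link decides first
        aid = links[uid]
        if not valid_source(user):
            return "UNQUALIFIED", [aid]
        return ("CONFIRMED" if aid in targets else "MISSING"), [aid]
    matches = correlate(user, targets)    # no link: fall back to correlation
    if not valid_source(user):
        return ("UNQUALIFIED" if matches else None), matches
    if not matches:
        return "ABSENT", []
    if len(matches) == 1:
        return "FOUND", matches
    return "AMBIGUOUS", matches


def reconcile(managed, targets, links):
    """One run: source phase over managed users, then target phase over PTS entries.

    managed: {_id: user}, targets: {aid: pts account}, links: {_id: aid}.
    Returns (audit, targets, links); audit lists (situation, action, object id)
    in processing order. The inputs are left unmodified.
    """
    targets, links = copy.deepcopy(targets), dict(links)
    audit, seen = [], set()
    for uid, user in managed.items():
        sit, touched = classify(user, links, targets)
        seen.update(touched)
        if sit is None:
            continue                      # invalid source with nothing to act on
        action = MAPPING["policies"][sit]
        audit.append((sit, action, uid))
        if action == "CREATE":
            acct = transform(user)
            targets[acct["aid"]] = acct
            links[uid] = acct["aid"]
        elif action == "UPDATE":
            aid = touched[0]
            # refresh attributes but never rewrite an existing account's identifier
            targets[aid].update({k: v for k, v in transform(user).items() if k != "aid"})
            links[uid] = aid
        elif action == "UNLINK":
            del links[uid]
        elif action == "DELETE":
            links.pop(uid, None)
            targets.pop(touched[0], None)
        # EXCEPTION: leave both sides untouched; the audit entry is the operator's signal
    linked = set(links.values())
    for aid in list(targets):             # target phase: orphaned PTS entries
        if aid not in linked and aid not in seen:
            audit.append(("UNASSIGNED", MAPPING["policies"]["UNASSIGNED"], aid))
            del targets[aid]
    return audit, targets, links


def demo():
    """Constructed records covering every situation in the policy table."""
    managed = {
        "u1": {"_id": "u1", "name": "joe", "status": "active"},     # linked, target present -> CONFIRMED
        "u2": {"_id": "u2", "name": "anna", "status": "active"},    # unlinked, one match    -> FOUND
        "u3": {"_id": "u3", "name": "bob", "status": "active"},     # unlinked, no match     -> ABSENT
        "u4": {"_id": "u4", "name": "carl", "status": "active"},    # linked, target gone    -> MISSING
        "u5": {"_id": "u5", "name": "dora", "status": "disabled"},  # linked but disabled    -> UNQUALIFIED
        "u6": {"_id": "u6", "name": "eve", "status": "active"},     # two matches            -> AMBIGUOUS
    }
    targets = {
        "u1": {"aid": "u1", "name": "joseph"},
        "p-anna": {"aid": "p-anna", "name": "anna"},
        "u5": {"aid": "u5", "name": "dora"},
        "e1": {"aid": "e1", "name": "eve"},
        "e2": {"aid": "e2", "name": "eve"},
        "orphan": {"aid": "orphan", "name": "ghost"},               # no source at all       -> UNASSIGNED
    }
    links = {"u1": "u1", "u4": "u4", "u5": "u5"}
    return reconcile(managed, targets, links)


if __name__ == "__main__":
    for entry in demo()[0]:
        print("%-12s -> %-9s %s" % entry)
```

Running it prints one audit line per processed object. The UNASSIGNED check is a separate target phase after all sources have been handled, and PTS entries already visited in the source phase (the two ambiguous "eve" entries) are left alone so an operator can resolve the EXCEPTION rather than have the policy delete them as orphans.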
OpenIDM
Connector object type definition (fragment):

```json
{
  "account" : {
    "$schema" : "http://json-schema.org/draft-03/schema",
    "id" : "__ACCOUNT__",
    "type" : "object",
    "nativeType" : "__ACCOUNT__",
    "properties" : {
      "name" : {
        "type" : "string",
        "nativeName" : "__NAME__",
        "nativeType" : "JAVA_TYPE_PRIMITIVE_LONG",
        "flags" : [ "NOT_CREATABLE", "NOT_UPDATEABLE", "NOT_READABLE", "NOT_RETURNED_BY_DEFAULT" ]
      },
      ...
```
Integration
PTS integration

Operation
- User operation
- Group operation

Connection
- OpenICF custom connector
- Command line
- Sync/reconciliation from file
Integration 1

Diagram: OpenIDM, with its internal db and REST interface, connected to PTS, LDAP, AD, APPS and OpenAM over internal protocol / application protocol.
Integration 2

Diagram: OpenIDM, with its internal db and REST interface, connected to PTS and LDAP, and to AD and APPS, each group over an internal protocol / application protocol path.
Integration
IDM is not IAM!!!
IAM main components:
- Authentication
- Authorization
- User management
- Central user repository
IDM
- Know who everyone is in the organisation
- Accurate and consistent people data in all systems
- Single source of data input/storage
- Lower maintenance costs in each application
- Consistency of data across many applications
- People only get access to those systems they need
- Audit
Conclusion
Advantages
- Open
- Flexible
- Support/Community

Disadvantages
- Still beta
- Documentation
Integration
OpenIDM Summit November 8th 2011, Darmstadt Germany