NMI-EDIT CAMP Synopsis, ISCSI Storage Solution, Linux Blade Cluster, And Current State Of NetID

By Jonathan Higgins

Presentation Template available from Microsoft

The Identity Management System

NMI-EDIT CAMP Synopsis

• Directory Workshop covering directory implementation steps, architectures, person registries, and operational issues.

• Basics for implementing an Identity Management System.

What is Identity Management?

• Identity Management is an abstract for a system that manages: Identification, Authentication, and Authorization.

• Identification is the act of pre-assigning a unique namespace (a username) to an individual.

• Authentication binds a person with an Identity

• Authorization is the act of ensuring that a person is afforded access only to services and data required to support allowed tasks.

The Big Picture

Growing Pains and Silos vs. Suites

• Why are we doing this?• Impending Growth of student, faculty, and staff

population• Scalability

• Silos: authentication, authorization and application are all self contained and individually administrated.

• Integrated Suites: Set of applications that authenticate and authorize from a central service for multiple applications.

What Are We Doing?

• NetID project ongoing since 9/2002

• OpenLDAP and Kerberos completed 5/2003

• Active Directory integration synchronized with OpenLDAP and trusted by Kerberos 2/2004

• Negotiation of data to provide individual affiliations for dynamic groups in progress.

• Blade Technology and new resources.

• ISCSI storage solution for remote data storage in progress.

The State of NetID

• 3rd semester in production, and working as intended.

• New attributes are on the way.

• Dynamic groups based on affiliations

• Password Expiration notification system

Groups

• Students, Future Students, Undergraduate, Graduate, Staff, Faculty, Employees, Visitors, Temp Employees, Student Assistants, Alumni, and Retired

• Groups that will exist before this Fall include: Department based groups, Degree of Study groups, College based groups, and Courses.

• What other groups do you think we may need?

Linux Blade Cluster

• This project is ongoing and dependant on the ISCSI storage solution.

• The MTA project will provide a single mail exchange for the @Kennesaw.edu domain. The MTA will include Spam control and Virus scanning.

• Public Visible LDAP replica (FERPA controls will be in place for students)

ISCSI Storage Array?

• A procedure will be available to acquire disk space.

• As a system administrator you just need to know that ISCSI provides a block level network device, not a file IO share.

How does the ISCSI Storage System work?• Client Systems

• OS Layer

• Physical Layer

What Still Needs To Be Done?

• Upgrade NetID and Administration Tools to include:• Modify schema and add attributes as needed• Modify RDN for user objects to free the uid attribute

to allow multi-values or aliases• Add Radius for wireless authentication• Add Account Locking/Deletion

• Pursue Campus buy-in to NetID though identifying services and providing documentation for integration.

• And more…

What can we expect in the future?

• Solution for guest computing may be Sponsorship? An idea introduced at the CAMP.

• Individual account holders would be responsible for the sponsorship and creation of an account.

• The new account would have no more access than the sponsor.

• Access control would be monitored by the sponsor.

• Possible solution to guest computing issues, parental access to their students resources, and other.

What else can we expect?

• Inter-Institutional Applications

• Shibboleth, a Web-based inter-organizational authorization system, leverages attribute repositories such as directories and the larger identity management infrastructure to service inter-institutional applications and resource sharing.

• Authentication for students from another trusted university to applications and services hosted here at Kennesaw and vice-versa.

Any Questions?

• Feel free to ask anything, except topics that do not concern KSU.