Technical Primer: Directories

63
Technical Primer: Directories Michael R. Gettes Principal Technologist Georgetown University [email protected] http://www.georgetown.edu/giia/internet2

description

Technical Primer: Directories. Michael R. Gettes Principal Technologist Georgetown University [email protected] http://www.georgetown.edu/giia/internet2. MACE-DIR. Keith Hazelton, Chair, Wisconsin eduPerson objectclass LDAP-Recipe Dir of Dirs for Higher Education (DoDHE) - PowerPoint PPT Presentation

Transcript of Technical Primer: Directories

Page 1: Technical Primer: Directories

Technical Primer: Directories

Michael R. GettesPrincipal TechnologistGeorgetown University

[email protected]://www.georgetown.edu/giia/internet2

Page 2: Technical Primer: Directories

2

MACE-DIR

Keith Hazelton, Chair, Wisconsin•eduPerson objectclass•LDAP-Recipe•Dir of Dirs for Higher Education (DoDHE)•Shibboleth project dir dependencies•Meta Directories – MetaMerge•Groups (Dynamic vs. Static; Management)•Afilliated Directories (Stitched, Data Link)•http://middleware.internet2.edu/directories

Page 3: Technical Primer: Directories

3

MACE-DIR:eduPerson 1.0 (1/22/01 release)

• MACE initiated (Internet2 + EDUCAUSE)

• Globally interesting useful attributes

• Get community buy-in, must use it also

eduPersonAffiliation (DoDHE), eduPersonPrincipalName (Shibboleth)

• “Less is more”, how to use standard objectclasses

• http://www.educause.edu/eduperson

Page 4: Technical Primer: Directories

4

eduPerson 1.5 object class

Included as part of the NSF Middleware Initiative (NMI) Release 1.0 announced today, May 7th

eduPerson 1.0 is the production version, 1.5 status is “released for public review” (RPR)

Next NMI release will include final 1.5 based on review period discussions

Page 5: Technical Primer: Directories

5

eduPerson 1.5 object class

Changes from 1.0:

• Introductory section added

• RFC2252 style definitions included for the eduPerson object class itself and for each of the eduPerson attributes.

• Notes on additional attributes from existing object classes, existing notes clarified, syntax and indexing recommendations updated.

Page 6: Technical Primer: Directories

6

eduPerson 1.5 object class

Two new attributes:

eduPersonPrimaryOrgUnitDN

eduPersonEntitlement• Simple case: value is the name of a contract for

licensed resource• http://xstor.com/contract1234• Values of eduPersonEntitlement can be URLs or

URNs

Page 7: Technical Primer: Directories

7

eduPerson 1.5 object class

eduPersonEntitlement• Values of eduPersonEntitlement can be URLs or

URNs– http://www.w3.org/Addressing/– RFC2396 Uniform Resource Identifiers– RFC2141 Uniform Resource Names

• URNs to allow federation of name creation without name clashes.– urn:mace:brown.edu:foo

[email protected] for information on URN registration

Page 8: Technical Primer: Directories

8

eduOrg 1.0

eduOrg 1.0 released as “Experimental” object class• Basic organizational info attributes from X.520

– Telecomm, postal, locale

• eduOrgHomePageURI• eduOrgIdentityAuthNPolicyURI• eduOrgLegalName• eduOrgSuperiorURI• eduOrgWhitePagesURI

Page 9: Technical Primer: Directories

9

LDAP-Recipe positioning and the NMI R1

•A special case document

•Pre-existed NMI and MACE document standards for format and naming.

•Will conform to NMI/MACE naming and future process for acceptance.

•Content??? Well, we shall see…

Page 10: Technical Primer: Directories

10

LDAP-RecipeVersion 1.5 (pre May 7, 2002)

•Directory Tree

•Schema (Design, upgrading, maint)

•AuthN (binding and pw mgmt)

•eduPerson attr discussion (select)

•Access Control

•Replication

•Name population

Page 11: Technical Primer: Directories

11

LDAP-RecipeVersion 2.0 (NMI R1 May 7, 2002)

•Groups, Groups, Groups• Static, Dynamic, app issues, builds on “NMI Groups Doc”

•E-Mail Routing considerations• Attribute firewalling, Sendmail, app issues

•eduPersonOrgDN and eduPerson{Primary}OrgUnitDN

• Original Intent for eduPerson 1.0 and Primary

•RDN Issues (a must read)

•Software reference (small, needs to grow)

Page 12: Technical Primer: Directories

12

MACE-DIR:Directory of Directoriesfor Higher Education

Web of Data vs. Web of People

Prototype: April, 2000 (by M. Gettes)

Highly scalable parallel searching• Interesting development/research problems• Configs, LDAP libraries, Human Interface

Realized the need to:• Promote eduPerson & common schema• Promote good directory design (recipe)

Work proceeding – Sun Microsystems Grant

http://middleware.internet2.edu/dodhe

Page 13: Technical Primer: Directories

13

MACE-DIR:DoDHE and LDAP Analyzer

Todd Piket, Michigan Tech (aka Mr. Pinkert)

Web based tool to empirically analyze a directory

eduPerson compliance

Indexing and naming

LDAP-Recipe guidance (good practice)

Beta: http://morpheus.dcs.it.mtu.edu/~tcpiket/dodhe

Page 14: Technical Primer: Directories

14

MACE-Dir Futures

•Technical Advisory Board

•eduOrg, eduPerson, edu???????

•Shibboleth and other related work

•Roles (RBAC)

•Group Implementations (Eileen Shepard, BC; Tom Barton, Memphis)

•Blue Pages

•LDAP-Recipe (next?)

•Affiliated Directories (Rob Banz, UMBC)

•pkiUser/pkiCa, Bridge CA, etc…

•Video Middleware (commObject{Uri} OCs)

•GRID interoperability

•Directory Policy

Page 15: Technical Primer: Directories

15

MACE-Dir Futures (continued)

EduOrg “blue page” entries

EduOrgUnit 1.0 object class and attributes

Affiliated directories scenarios• Identity management in Health Sciences• Assembling info on the fly• Data/Metadata bundles as units of exchange• Exploring with our Technical Advisory Board

Page 16: Technical Primer: Directories

16

MACE-SHIBBOLETH

Steven Carmody, Brown, Chair

A Biblical pass phrase – “password”• Get it right or “off with your head”• Inter-institutional Authentication/Authorization

• Web Authorization of Remote Sites with Local Credentials

• Authentication via WebISO• October, 2001 – Demo target• http://middleware.internet2.edu/shibboleth

Page 17: Technical Primer: Directories

17

VID-MIDVideo Middleware

Recently Formed

Authentication and Authorization of H.323 sessions.

Client to Client

Client to MCU

Directory enabled

How to find video enabled people?

What is necessary to describe video capabilities?

Will likely extend to IP Telephony and so on…

Page 18: Technical Primer: Directories

18

Technical Policy

PKI is1/3 Technical

and 2/3 Policy?

Page 19: Technical Primer: Directories

19

HEPKI

TAG – Technical Activities Group• Jim Jokl, Chair, Virginia• Mobility, Cert Profiles, PKI-Lite, etc, etc, lots of techno

PAG – Policy Activities Group• Default Chair, Ken Klingenstein, Colorado• Knee-deep in policy, HEBCA, Campus, Subs+RP

PKI Labs (AT&T)– Neal McBurnett, Avaya• Wisconsin-Madison & Dartmouth• Industry, Gov., Edu expert guidance

http://www.educause.edu/hepki

Page 20: Technical Primer: Directories

20

Bridge CA and Trust Paths

Verisign

CA-A CA-B

Bridge CA

CA-C CA-D

FedBridge CA

HE

Page 21: Technical Primer: Directories

21

UNIVERSITY

GeorgetownUniversity

NIH

Peer-to-peer

USA GovernmentFederal

BCA

DoD

NASA

Peer-to-peer

USAHigher Education

BCA

UNIVERSITY

. . .

UNIVERSITY

University ofWashington

Peer-to-peer

USA Health Care"Health Key"

BCA

NCHICA

Special Relationships

Peer-to-peer

EuropeanHigher Education

BCA

UNIVERSITY

University ofEdinburgh

UNIVERSITY

SpecialRelationships

MayoClinic

Page 22: Technical Primer: Directories

22

Bridge CAs

• Higher Education Bridge CA – FBCA peering

• We have a draft HEBCA CP (Net@EDU PKI WG) FBCA Compatible

• How many HEBCAs? (EDUCAUSE!)

• Do we really understand PKI implementations with respect to policy needs? (proxy certificates, relying party agreements, name constraints, FERPA, HIPAA, who eats who?)

• BCA seems to be the most promising perspective. Will each person be a BCA?

• Does ALL software (Client/Server) need to be changed?

• Mitretek announces new BCA deployment model 2/15/2001• Scalable & deployable

• Server plug-ins make client changes less likely

Page 23: Technical Primer: Directories

23

domainComponent (DC=) Naming

• Traditional X.500 naming:

cn=Michael R Gettes, ou=Server Group, ou=UIS, o=Georgetown University, c=US

• domainComponent (DC) naming:

uid=gettes,ou=People,dc=georgetown,dc=edu

• HEPKI is issuing guidance and advice on DC= naming

Page 24: Technical Primer: Directories

24

Attributes for PKI

Store them in a Certificate?• Attributes persist for life of Certificate• No need for Directory or other lookup

– The Certificate itself becomes the AuthZ control point

Store them in a Directory?• Very light-weight Certificates• Requires Directory Access• Long-term Certificate, Directory is AuthZ control point.

How many Certificates will we have?

Pseudonymous Certificates

Page 25: Technical Primer: Directories

25

David Wasley’s PKI Puzzle

Page 26: Technical Primer: Directories

We’re Building A

“Bridge Over The River PKI”

Page 27: Technical Primer: Directories

A word about “Portals”

Page 28: Technical Primer: Directories

28

Portals: Authentication

• Security is not easy

if it was, then everyone would be doing it.

• Applications MUST NOT handle authentication• Don’t assume you will have access to passwords at the portal

• The portal is YAA (yet another application)

but portals have web servers to do the dirty work

portals can trust the web server to authenticate

and pass “identity” on to the portal

Page 29: Technical Primer: Directories

29

Portals: Authorization

• Security is not easy

if it was, then everyone would be doing it.

• Applications should handle authorization

• The portal is YAA (yet another application)

Portals can decide access on their own by consulting

local and remote services to determine eligibility then

grant/deny based on response or otherwise by whim.

Page 30: Technical Primer: Directories

30

Portal Issues

Authentication

WebISO

Authorization

Groups

Roles

Directories, Shibboleth

Vendor Independent Techniques

Page 31: Technical Primer: Directories

Errata--ica

Page 32: Technical Primer: Directories

32

National Science FoundationNMI program

•$12 million over 3 years

•www.nsf-middleware.org

•Middleware Service Providors, Integrators, Distributors

•GRID (Globus)

•Internet2 + EDUCAUSE + SURA

•May 2002 – first set of deliverables from all parties

Page 33: Technical Primer: Directories

33

The Liberty Alliancewww.project-liberty.org

Sun Microsystems, American Express, United Airlines, Nokia, MasterCard, AOL Time Warner, American Airlines, Bank of America, Cisco, France Telecom, Intuit, NTT DoCoMo, Verisign, Schlumberger, Sony …

Initiated in September 2001.

Protect Privacy, Federated Administration, Interoperability, Standards based but requires new technology, hard problems to solve, a Network Identity Service

Funny, doesn’t this stuff sound familiar?

Page 34: Technical Primer: Directories

Got Directory?

Page 35: Technical Primer: Directories

35

Techniques for Product Independence

Good/Evil – make use of cool features of your product.

• Does this make it more difficult or impossible to switch products later?

• Does this make you less interoperable? Standard?

• Does this limit your ability to leverage common solutions?

All the above applies to enabled apps as well.

Page 36: Technical Primer: Directories

36

Groups, Groups, Groups

Static vs. Dynamic (issues of large groups)• Static Scalability, performance, bandwidth

• Dynamic Manageability (search based, but search limits)

Is there something neutral?

Indexed Static Groups• MACE-DIR consideration (Todd Piket, MTU)

• Index unique/member

• The likely approach, IMHO, doesn’t inhibit dynamic stuff

Group Math

(& (group=faculty)(!(group=adjunct)) (member=DN) )

Page 37: Technical Primer: Directories

37

Roles

Is this an LDAP issue?• MIT roles DB – a roles registry

Are groups good enough for now?• Probably not, see next

Are your apps prepared for this? Maybe they need some service to consult? Will Shibboleth help here?

Vendors have proprietary solutions.

Page 38: Technical Primer: Directories

38

Stitching disparate directories

How to relate to distinct directories and their entries. Kjk@colorado & kjk@ViDe -- are they the same?

Locate someone in a large directory (DoDHE) and then switch to their video abilities

Suggestion: define new object of a “data source directory”. Associate it with a Cert. Send signature of all data elements for an object, store in same. This allows for digital trust/verification. Still working this out. Not much work in this space? (the affiliated dirs problem)

X.520 AttributeIntegrityInfo Attribute – will it suffice?

Page 39: Technical Primer: Directories

39

A Campus Directory Architecture

metadirectory

enterprisedirectory

directorydatabase

departmentaldirectories

OS directories(MS, Novell, etc)

borderdirectory

registries sourcesystems

Enterpriseapplications dir

Page 40: Technical Primer: Directories

Middleware 201Directories

Configuration & Operations

Michael R. Gettes

Principal Technologist

Georgetown University

[email protected]

Page 41: Technical Primer: Directories

41

How Deep?

Background

Site Profile - configuration

Applications

General Operational Controls

Schema

Access Lists

Replication

Related Directories

LDAP-Recipe – http://middleware.internet2.edu

Page 42: Technical Primer: Directories

42

Site Profiledc=georgetown,dc=edu

Netscape/iPlanet DS version 4.16• 2 Sun E250 dual cpu, 512MB RAM

105,000 DNs (25K campus, others = alums + etc)

Directory + apps implemented in 7 months

Distinguished names: uid=x,ou=people• DC rap, “Boom shacka lacka”• Does UUID in DN really work?

NSDS pre-op plugin (by [email protected])• Authentication over SSL; Required• Can do Kerberos – perf problems to resolve

1 supplier, 4 consumers

Page 43: Technical Primer: Directories

43

Authentication:Overall Plan @ Georgetown

Currently, Server-Side PKI self-signed

Best of all 3 worlds• LDAP + Kerberos + PKI

– LDAP Authentication performs Kerberos Authentication out the backend. Jan. 2001 to finish iPlanet plug-in.

• Credential Caching handled by Directory.• Cooperative effort – Georgetown, GATech, Michigan

– All directory authentications SSL protected. Enforced with necessary exceptions

• Use Kerberos for Win2K Services and to derive X.509 Client Certificates

• One Userid/Password (single-signon vs. FSO)

Page 44: Technical Primer: Directories

44

Applications

Mail routing with Sendmail 8.12 (lists also)

Netscape messaging server v 4.15 (IMAP)• WebMail profile stored in LDAP

Apache server for Netscape roaming (no SSL)

Apache & Netscape enterprise web servers

Blackboard CourseInfo Enterprise 5.5.1

Whitepages: Directory Server GateWay

DSGW for priv’d access and maintenance

Page 45: Technical Primer: Directories

45

Applications (Continued)

Remote access with RADIUS (funk).• No SSL (3/2000); proper LDAP

binds (fix 8/2000)• Authenticates and authorizes for

dial-up, DSL and VPN services using RADIUS called-id.

• We want to use this for other access control such as Oracle

Page 46: Technical Primer: Directories

46

RADIUS server

RADIUS + LDAP

NAS(terminal server)

DialupUsers

User calls202-555-1110

CalledId from NAS is mapped to guRadProf

DirectoryServer

Netid = gettesguRadProf = 2025550001guRadProf = 2025551110guRadProf = OracleFin

LDAP Filter is:guRadProf = 2025551110+ NetID = gettes

Page 47: Technical Primer: Directories

47

Applications (Continued)

Alumni services (HoyasOnline).• External vendor in Dallas, TX (PCI).• They authenticate back to home

directories. Apache used to authenticate and proxy to backend IIS server.

• Email Forwarding for Life

Page 48: Technical Primer: Directories

48

NET ID

TMS

HRIS

SIS

Alumni

LDAP Master

Client Browser

WWW

hoyasonline Content

PCI (Dallas)

Vendor-provided services

Other local hostsGU provided self-serviceapplications

LDAP Replica

OS/390

HoyasOnline Architecture

Gratuitous Architectural Graphic (GAG)

WayDownIn Texas

Page 49: Technical Primer: Directories

49

Applications (Continued)

Access+• Georgetown developed• Web interface to legacy systems using Unix front-

end to custom made mainframe tasks. Many institutions have re-invented this wheel.

• LDAP authentication, mainframe doesn’t yet do SSL. Always exceptions to rules.

• Student, Faculty, Staff, Directory/Telephone Access+ Services. This technique keeps mainframe alive. (good or bad?)

Page 50: Technical Primer: Directories

50

Applications (Continued)

Specialized support apps• Self service mail routing• Help Desk: mail routing, password resets,

quota management via DSGW• Change password web page

Person registry populates LDAP people data, currently MVS (mainframe) based.

PerLDAP used quite a bit – very powerful! (make sure version >= 1.4)

Now moving to Net::LDAP

Page 51: Technical Primer: Directories

51

Applications (Continued)

Georgetown Netscape Communicator Client Customization Kit (CCK).• Configured for central IMAP/SSL and

directory services.• Handles versions of profiles. Poor man’s

MCD

Future: more apps! Host DB, Kerberos integration, win2k/ad integration?, Oracle RADIUS integration, Automatic lists, Dynamic/static Groups, Top-Secret, Bb – further integration.

Page 52: Technical Primer: Directories

52

General Operational Controls

Size limit trolling (300 or 20 entries?)

Lookthru limit (set very low)

Limit 3 processors for now, MP issues still! (v4)

100MB footprint, about 8000 DNs in cache• Your mileage will vary – follow cache

guidelines documented by iPlanet.

24x7 operations

What can users change?? (Very little)

No write intensive applications

Page 53: Technical Primer: Directories

53

General Ops Controls (cont…)

Anonymous access allowed

•Needed for email clients

•Anonymous access is good if you resolve FERPA and other data access issues.

Page 54: Technical Primer: Directories

54

Schema: Design & Maint

Unified namespace: there can be only one!

Schema design and maintenance• Space/time tradeoffs on indexing• Eduperson 1.0 vs. guPerson• guRestrict, guEmailBox, guAffil, guPrimAfil• guPWTimebomb, guRadProf, guType,

guSSN• Relationships (guref)

Maintained by ldif file using ldapmodify

Page 55: Technical Primer: Directories

55

Access ListsDesign & Maintenance

Access lists: design & maintenance• Buckley(FERPA) protection & services• Priv’d users and services• userPassword & SSN

Maintained by file using ldapmodify

Working on large group controls at GU• Groups vs. Roles• Likely easy to populate, hard to design & implement

Page 56: Technical Primer: Directories

56

Replication

Application/user performance

Failover, user and app service

Impact of DC= naming (replica init)• Fixed in 4.13 and iDS 5.0

Monitoring: web page and notification

Dumper replica – periodic LDIF dumps

Backups? We don’t need no stinkin’ backups!• Vendor Specific• No good solution for backups (iPlanet)• IBM uses DB2 under the covers• Novell?

Page 57: Technical Primer: Directories

57

Replication (Continued)

Application/users config for mult servers

Deterministic operations vs random

Failover works for online repairs

Config servers are replicated also

10 to 1 SRA/CRA ratio recommended

Cannot cascade with DC= (iPlanet)• Cascading is scary to me

Page 58: Technical Primer: Directories

58

Normal Ops

Replica Structure

MASTER

DUMPER

WHITEPAGES MAILHOST

POSTOFFICE

NetID RegistryWeb Servers

Users

Users

Failure Ops

Page 59: Technical Primer: Directories

59

Netscape Console

• Java program (FAT client).

• Used to create, configure and monitor Netscape servers.

• Preferred the web page paradigm of the version 3 products.

• Has enough bugs that it is only used by server admins, not for mere mortals.

• Demo??? (nope)

Page 60: Technical Primer: Directories

60

Other Directories

Novell – GU abandoning GroupWise.

Active directory??? Ugh!!!•Static Groups Only•Strict Tree Structure for Group Policy•No plans for MS to change this…

Page 61: Technical Primer: Directories

61

Buyer Beware

• LDAP is LDAP is LDAP – yeah, right!

• “Sure! We support LDAP!” What does that mean?

• Contract for functionality and performance

• Include your Directory/Security Champion!!!

• Verify with other schools – so easy, rarely done.

• Beware of products that specify Dir Servers

• Get vendor to document product requirements and behavior. You paid for it!

Page 62: Technical Primer: Directories

62

Microsoft Win2K Integration

Project Pismere

http://web.mit.edu/pismere

MIT, CMU, Michigan, Stanford, Colorado, etc…

One way trust from MIT KDC to Win2K KDC

The devil we know

Metamerge can play an important role

Handle DHCP/DNS as your site wishes

Page 63: Technical Primer: Directories

63

Win2K & Enterprise Integration

W2K KerbAuthN Ent Kerb

AuthN

W2K ActiveDirectory

EnterpriseDirectory

1

2

3

One-way X-realm TrustIdentity mgmt

Meta-Dir FunctionMetaMerge?