
Got Directory?

Explore the architecture and interoperable data of campus directories, covering topics such as directory tree, access control, attribute firewalls, group management, and more. Also learn about the integration of video into enterprise and the importance of directory enabling.


Presentation Transcript


  1. Got Directory? January 28, 2004 TIP2004

  2. A Campus Directory Architecture (diagram; components shown: border directory, metadirectory, enterprise applications dir, enterprise directory, departmental directories, OS directories (MS, Novell, etc), directory database, registries, source systems)

  3. eduPerson
  • Schema for US Higher Education
  • Low hanging fruit, interoperable data
  • Easy stuff that we can all agree is true
  • LocalEduPerson -- local stuff, local prob
  • International efforts under way
  • US Person? Will the Feds listen to us?
  • eduOrg continues to be developed
  • http://middleware.internet2.edu

  4. LDAP-Recipe
  • A hitchhiker’s guide to LDAP in H.E.
  • A user’s perspective (a discussion, not a manual) of how to deploy directories. Covering:
  • Directory Tree, Access Control, Attribute Firewalls, Group Management, How all the name attributes work, Authentication, Schema Management and Design, RDN issues that most don’t know about, Considerations for directory enabled E-mail routing, Software reference, Replication
  • eduPerson discussion (read recipe as well as eduPerson specification)

  5. Video Middleware (VID-MID)
  • Post 9/11/2001
  • Video on the Internet is how people will communicate due to US Airline Industry impact
  • Video and middleware folks get together
  • Video is largely a human managed process
  • How to integrate video into enterprise?
  • Directory enabling versus directory slurping
  • CommObject is born and H.350 results

  6. domainComponent (DC=) Naming
  • Traditional X.500 naming: dn: cn=Michael R Gettes, ou=Server Group, ou=OIT, o=Duke University, c=US
  • domainComponent (DC) naming: dn: uid=gettes,ou=People,dc=duke,dc=edu
  • Problems with Cisco and others in the past, fixed (mostly)
  • HEPKI has issued guidance and advice on DC= naming

  7. Group Toolset Architecture

  8. RADIUS + LDAP (diagram)
  • CalledId from NAS is mapped to guRadProf
  • Flow: User calls 202-555-1110 -> NAS (terminal server) -> RADIUS server -> Directory Server
  • LDAP Filter is: guRadProf = 2025551110 + NetID = gettes
  • Dialup Users entry: Netid = gettes, guRadProf = 2025550001, guRadProf = 2025551110, guRadProf = OracleFin
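Slides 6 and 8 show the DC-style DN and the guRadProf + NetID filter as finished strings. The Python below is an added illustration, not code from the presentation or from Duke's RADIUS/LDAP integration: it derives a DC= base DN from a DNS domain (RFC 2247) with RFC 4514 value escaping, and builds the RADIUS lookup filter with RFC 4515 escaping so that a called number or NetID containing filter metacharacters cannot widen the search to other entries. The attribute name `uid` for the NetID, the `ou=People` container, the digits-only form of guRadProf values and the sample entry are assumptions taken from the slides' own examples.

```python
import re

# Characters RFC 4514 requires to be backslash-escaped anywhere inside a DN value.
_DN_SPECIAL = set('"+,;<>\\')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out = []
    for ch in value:
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    escaped = "".join(out)
    # A trailing space, and a leading space or '#', must also be escaped.
    if value.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    if escaped[:1] in (" ", "#"):
        escaped = "\\" + escaped
    return escaped


def domain_to_base_dn(domain: str) -> str:
    """Map a DNS domain to a domainComponent base DN (RFC 2247): duke.edu -> dc=duke,dc=edu."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("domain has no labels")
    return ",".join("dc=" + escape_dn_value(label) for label in labels)


def user_dn(netid: str, domain: str, container: str = "People") -> str:
    """Build the DC-style person DN of slide 6. 'uid' as the NetID attribute and the
    'ou=People' container are assumptions based on the slide's example."""
    return f"uid={escape_dn_value(netid)},ou={escape_dn_value(container)},{domain_to_base_dn(domain)}"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def normalize_called_id(called_id: str) -> str:
    """Reduce a dialled number such as '202-555-1110' to the digit string the slide
    shows stored in guRadProf (assumed storage form)."""
    digits = re.sub(r"\D", "", called_id)
    if not digits:
        raise ValueError("called id contains no digits")
    return digits


def radius_profile_filter(called_id: str, netid: str) -> str:
    """Filter the RADIUS server would send to the directory: the entry must carry a
    guRadProf equal to the called number AND belong to the authenticating NetID."""
    prof = escape_filter_value(normalize_called_id(called_id))
    return f"(&(guRadProf={prof})(uid={escape_filter_value(netid)}))"


# Constructed sample entry mirroring the "Dialup Users" box on slide 8.
SAMPLE_ENTRY = {
    "uid": ["gettes"],
    "guRadProf": ["2025550001", "2025551110", "OracleFin"],
}


def entry_matches(entry: dict, called_id: str, netid: str) -> bool:
    """Local evaluation of the same AND condition the filter expresses. guRadProf is
    multi-valued, so any one value equal to the called number satisfies the equality."""
    return (
        netid in entry.get("uid", [])
        and normalize_called_id(called_id) in entry.get("guRadProf", [])
    )


if __name__ == "__main__":
    print(user_dn("gettes", "duke.edu"))
    print(radius_profile_filter("202-555-1110", "gettes"))
    print(entry_matches(SAMPLE_ENTRY, "202-555-1110", "gettes"))
```

The escaping matters because the NetID and the called number both originate outside the directory (the NAS and the dialling user); without it, a value such as `gettes)(uid=*` would be spliced into the filter as syntax rather than as data.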

  9. LDAP Analyzer
  • Todd Piket, Michigan Tech
  • Web based tool to empirically analyze a directory
  • eduPerson compliance
  • Indexing and naming
  • LDAP-Recipe guidance (good practice)
  • H.350 compliance
  • eduOrg compliance
  • http://middleware.internet2.edu/dir/

  10. What’s up in Directory Land?
  • Directory Architecture +
  • eduPerson +
  • eduOrg
  • Local Schema (localEduPerson)
  • Non-eduPerson Persons (international efforts)
  • usPerson? Working the Feds
  • LDAP-Recipe +
  • Group Management +
  • Video Middleware +
  • H.350 for Video Infrastructure

  11. Directory Land (continued)
  • DC naming +
  • RADIUS Integration +
  • LDAP Analyzer +
  • Medical Middleware
  • MACE-CourseID
  • Authorization work (the holy grail)

  12. LDAP: Buyer Beware!!!
  • LDAP is LDAP is LDAP – yeah, right!
  • “Sure! We support LDAP!” What does that mean?
  • Contract for functionality and performance
  • Include your Directory/Security Champion!!!
  • Verify with other schools – so easy, rarely done.
  • Beware of products that specify Dir Servers
  • Get vendor to document product requirements and behavior. You paid for it!

  13. Higher Education Bridge Certification Authority and USHER Status Update. Michael R Gettes, Duke University, January 2004, TIP2004

  14. PKI is 1/3 Technical and 2/3 Policy? (diagram: Policy, Technical)

  15. A community-based CA: The (slow) rise of the house of Usher (The CA formerly known as CREN)

  16. Usher - Level 1
  • Modeled after Federal Citizen and Commerce CP/CPS (www.cio.gov/fpkipa/documents/citizen_commerce_cpv1.pdf)
  • Issues only institutional certs
  • Those certs can be used for any purposes
  • CP will place few constraints on campus operations
    • User identification and key management
    • Campus CA/RA activities
  • Will be operated itself at high levels of confidence
  • Will recommend a profile for campus use
  • Good for building local expertise, ensuring some consistency in approaches among campuses, and may be suitable for many campus needs and some inter-campus uses
  • Will not work for signing federal grants, etc…
  • Operational soon

  17. Usher - Level 2
  • Modeled after FBCA Basic level CP
  • Issues only institutional certs
  • Those certs can be used for most purposes
  • CP will place more constraints on campus operations
    • User identification and key management
    • Campus CA/RA activities
  • Will be operated itself at high levels of confidence
  • Will recommend a profile for campus use
  • Good for many campus needs, many inter-campus uses, and many workings with the federal government
  • Will peer at the HEBCA
  • Detailed planning now starting; stand up sometime mid-next year

  18. +/- of Usher
  • Pluses
    • Pricing and lack of usage constraints on campus roots
    • Strong institutional I/A – external and for subdomains
    • Community-consistent
    • ???
  • Negatives
    • Not easily in browsers
    • Uncharted peering with feds, commercials, etc
    • Places more emphasis on running your own campus CA.
    • ??

  19. What’s a Bridge anyway? (diagram: Traditional PKI With Root CA; Pre-Existing?)

  20. Board of Instantiation and Development (BID)
  • Clair Goldsmith, Chair, UT System
  • Augustson (PSU), Klingenstein (Internet2), Levine (Dartmouth), Wasley (UCOP), Hazelton (Wisconsin-Madison), Brentrup (Dartmouth), Gettes (Duke), Jokl (Virginia)
  • EDUCAUSE: Luker, Worona; Staff: Faut
  • Purpose is to instantiate a HE Bridge, organization and policy structures by November, 2003 (or sometime around that point -- okay, so we are running a tad behind schedule, so sue us)
  • Foster Deployment and Development of Bridged PKI
  • Supported by EDUCAUSE

  21. HEPKI Council
  • Jack McCredie, Chair
  • Michael Baer, Sr VP ACE
  • Rich Guida, Johnson & Johnson
  • Mark Luker, EDUCAUSE
  • Mark Olson, EVP of NACUBO
  • Dave Smallen, CIO @ Hamilton College
  • Nancy Tribbensee, Counsel @ ASU
  • Not operational; policy and oversight
  • Will approve the creation of the HEBCA Policy Authority
  • Charged with Higher Education direction and strategy for PKI initiatives, not just Bridge
  • Supported by EDUCAUSE

  22. HEPKI National PKI (diagram)

  23. Current Status: January, 2004
  • Charter
  • HEBCA Certificate Policy (brother Wasley)
    • Will develop CPS from this policy
  • Dartmouth College
    • Contracted to implement HEBCA in 12/03
    • EDUCAUSE funded
    • Received AEG from Sun Microsystems ($50K)
    • Equipment ordered and received
    • Signing Hardware -- not yet.
  • Working software agreement with RSA as first CA in bridge
    • Maybe even further deal with Higher Ed for CA services & s/w
  • Begin process of cross-certification with US Gov
  • Recommending to PKI Council to create the HEBCA Policy Authority

  24. EDUCAUSE/NIH Interoperability Project
  • December 2003, NIH demonstrated the latest ability to submit doubly digitally signed documents to a web site that is validated using Bridge PKI. UCOP, Wisconsin, Dartmouth, UT Health Science Center (Barry Ribbeck)
  • Directory Infrastructure at Duke :-)
  • General doc submission facility -- freely available -- cool stuff.

  25. National PKI
  • Levels of Assurance / HE CP
  • Get mapped all the way down, the key to interop
  • Business/Marketing: Separate Prob
  • Policy Authorities likely to merge
  • HEPKI umbrella should be org structure for all PKI activities in HE

  26. Global? Trust Diagram (TWD) (diagram)

  27. Sample InterFederation (diagram)

  28. Shib/PKI Inter-Federations This model demonstrates the similarities of the PKI communities and Shib Federations. This does not mean that Shib == PKI, just that we can leverage the trust infra of a global PKI to maybe solve some larger inter-federation issues of other techno / policy spaces in a common fashion.
