Directory Services Workshop
University of Colorado, June 3, 2002

Agenda
• 9-10 a.m. Overview
• 10-11 a.m. Registry Concepts
• 11 a.m.-noon Directory Structure
• Noon-1 p.m. Lunch & Campus Experiences
• 1-1:30 p.m. Server Environment
• 1:30-2 p.m. Security
• 2-2:30 p.m. Client Access
• 2:30-3 p.m. Four-campus Implications
Introductory Remarks
Dennis Maloney, Director, Information Technology Services, University of Colorado at Boulder
Project History – Goals & Status
• Develop UCB Enterprise Directory
• Initial phase implemented Nov. 5, 2001
• Create trusted, authoritative data source
- ED blends SIS, HR and campus data using policies, business rules and process.
• Useable by a variety of apps and services
• Built upon LDAP standards, maximizing use
• Current uses: white pages, printed directory, calendar pilot, affiliation verification, RADIUS pilot, Mac lab authentication pilot

Project History – Goals & Status
• Identity, data & relationship management
- Logic applied based upon business rules
- Identity verification via emplid, SID, SSN, previous SID, name, DOB, gender.
- Unique, permanent identifier assigned to each person.
- Establish current/active affiliations, primary affiliation
• Authentication
- Framework established
- Solution options being tested
High-level Description (organizational diagram: Core Team (ucb/cusys), Steering Team (cusys), Campus Experts, Business Rules, 4-Campus Registry, Enterprise Directory, and the source systems SIS, HR and Uniquid)
Registry Concepts
• Registry/Directory and Data
• Registry Database Design & Use
Registry/Directory and Data
• Distinct sources for distinct roles (students, employees, faculty, electronic accounts, etc.)
• Unique identifiers for each system
• Blending together to build a CU Person
Source systems and their identifiers (diagram):
- HR: fac/staff; empID
- SIS: student; SID
- FIS: faculty; SSN
- Uniquid: accounts; unix ID
- IDcard: photos; ISO
- Telecom: phone locn, phone #
- Result: CU Person, keyed by uuid
Student Data (SIS to Registry/Directory, Java)
For Identity Matching:
- Student ID, Previous ID
- Name, Birth date, Gender
For Affiliation Logic, Authorization & Data Access:
- Enrollment Status, Withdraw Code, Expected Return
- Fees Paid Indicator
- Privacy Flag
For Directory Publication:
- Name
- Local Address and Telephone
- Major(s), Minor(s), College(s)
- Class Level
Student Affiliation
• Enrollment status code = E
• Withdraw code null, or Expected return date in the future
• Type of student affiliation is based upon Academic Unit
- Student (= "Student" affiliation)
- Continuing Ed Credit Student (= "Student" affiliation)
- Continuing Ed Non-Credit Student (= "Affiliate" affiliation)
• Campus Affiliation based upon first character of AU
Faculty and Staff Data (PSHR to Registry/Directory, SQL via DB link)
For Identity Matching:
- Employee Number, SSN
- Name, Birth date, Gender
For Employee and Job Selection:
- Job status
- Employment end date
For Directory Publication:
- Name
- Campus Box and Campus Phone
- Job Department(s), Home Department
- Job Class Title(s)
- Business Title(s)
Employee Affiliation
• Appropriate employment status code
• Appointment end date in the future
• Type of employee affiliation is based upon Job Code
- Faculty, Clinical Faculty, Research Faculty, Medical Resident, Fellowship/Trainee = "Faculty"
- Student Faculty = "Student" and "Faculty"
- Officer/Exempt Professional = "Officer/Professional" & "Staff"
- Student Employee = "Affiliate" or "Employee"
- Retiree = "Retiree" or "Affiliate"
- Staff = "Staff"
• Campus Affiliation based upon first character of department code
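The Student Affiliation and Employee Affiliation rules above as runnable logic. This is an added example, not the registry's Java code: the slides state the rules but not the code tables, so the academic-unit codes, job codes, campus letters and the 'A' employment status below are assumptions, and where the slide lists two readings ("Affiliate" or "Employee", "Retiree" or "Affiliate") the first is used. The example also unions the results across a person's SIS rows and HR jobs, which is how someone with both a student record and a job ends up with both sets of affiliations.

```python
"""Affiliation derivation from SIS and PeopleSoft HR records.

Added example implementing the Student Affiliation and Employee Affiliation
slide rules; not the registry's own code.  Academic-unit codes, job codes,
campus letters, the 'A' employment status and the sample records are
constructed assumptions.
"""
from datetime import date

# Assumption: the first character of an academic unit or department code
# selects the campus (the slides state the rule, not the letters).
CAMPUS_BY_PREFIX = {"B": "Boulder", "D": "Denver",
                    "C": "Colorado Springs", "H": "Health Sciences"}

# Assumption: academic-unit codes and the student type each one implies.
AU_STUDENT_TYPE = {
    "BARTS": "Student",
    "BCECR": "Continuing Ed Credit Student",
    "BCENC": "Continuing Ed Non-Credit Student",
}
STUDENT_TYPE_AFFILIATION = {            # from the Student Affiliation slide
    "Student": {"Student"},
    "Continuing Ed Credit Student": {"Student"},
    "Continuing Ed Non-Credit Student": {"Affiliate"},
}

# Assumption: job codes (the slide keys on job code without listing them).
JOB_CODE_CATEGORY = {
    "1100": "Faculty", "1200": "Clinical Faculty", "1300": "Research Faculty",
    "1400": "Medical Resident", "1500": "Fellowship/Trainee",
    "1600": "Student Faculty", "2100": "Officer/Exempt Professional",
    "3100": "Staff", "4100": "Student Employee", "5100": "Retiree",
}
CATEGORY_AFFILIATIONS = {               # from the Employee Affiliation slide
    "Faculty": {"Faculty"}, "Clinical Faculty": {"Faculty"},
    "Research Faculty": {"Faculty"}, "Medical Resident": {"Faculty"},
    "Fellowship/Trainee": {"Faculty"},
    "Student Faculty": {"Student", "Faculty"},
    "Officer/Exempt Professional": {"Officer/Professional", "Staff"},
    # The slide gives two readings for the next two; the first listed is used.
    "Student Employee": {"Affiliate"},
    "Retiree": {"Retiree"},
    "Staff": {"Staff"},
}
ACTIVE_EMPLOYMENT_STATUS = {"A"}        # assumption: 'A' = actively employed


def student_affiliation(rec, today):
    """(affiliations, campus) for one SIS record, or (set(), None).

    rec keys: enrollment_status_code, withdraw_code, expected_return (date
    or None), au.  A withdrawn student keeps the affiliation only while the
    expected return date is still in the future.
    """
    if rec["enrollment_status_code"] != "E":
        return set(), None
    if rec["withdraw_code"] is not None:
        ret = rec["expected_return"]
        if ret is None or ret <= today:
            return set(), None
    student_type = AU_STUDENT_TYPE.get(rec["au"])
    if student_type is None:
        return set(), None                  # unknown unit grants nothing
    campus = CAMPUS_BY_PREFIX.get(rec["au"][0])
    return set(STUDENT_TYPE_AFFILIATION[student_type]), campus


def employee_affiliation(job, today):
    """(affiliations, campus) for one HR job row, or (set(), None).

    job keys: emplmnt_status_code, appoint_end_date (date, or None for an
    open-ended appointment), job_code, dept_id.
    """
    if job["emplmnt_status_code"] not in ACTIVE_EMPLOYMENT_STATUS:
        return set(), None
    end = job["appoint_end_date"]
    if end is not None and end <= today:
        return set(), None                  # appointment already ended
    category = JOB_CODE_CATEGORY.get(job["job_code"])
    if category is None:
        return set(), None
    campus = CAMPUS_BY_PREFIX.get(job["dept_id"][0])
    return set(CATEGORY_AFFILIATIONS[category]), campus


def person_affiliations(sis_records, jobs, today):
    """Union of everything a person earns from every SIS row and HR job."""
    affiliations, campuses = set(), set()
    for rec in sis_records:
        affs, campus = student_affiliation(rec, today)
        affiliations |= affs
        if campus:
            campuses.add(campus)
    for job in jobs:
        affs, campus = employee_affiliation(job, today)
        affiliations |= affs
        if campus:
            campuses.add(campus)
    return affiliations, campuses


if __name__ == "__main__":
    today = date(2002, 6, 3)                # the workshop date, used as "today"
    sis = [{"enrollment_status_code": "E", "withdraw_code": "W",
            "expected_return": date(2002, 8, 26), "au": "BARTS"}]
    jobs = [{"emplmnt_status_code": "A", "appoint_end_date": None,
             "job_code": "4100", "dept_id": "B1234"}]
    print(person_affiliations(sis, jobs, today))
```

Two edge cases matter for authorization downstream: a withdrawn student with no expected return date, or one whose return date has passed, drops to no affiliation rather than keeping the old one, and an appointment whose end date is today is already treated as ended. Both keep the affiliation (and therefore the ACL-driven access it confers) from outliving the source record.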
Campus-Specific Data or Systems (feeding the Registry/Directory)
• Uniquid (Java): Account & Email data (person)
• ID Card: ISO and jpeg
• Telecom Office: building/room data
• FIS: Faculty Research and Degree data
Registry "Self-Update" and Future Data Sources
• Self-update: entry update only
• Data allowed:
- Nickname
- HomePage (…colorado.edu)
- Preferred contact
- Alternate contact
- Fax
- Cell Phone
- Pager (phone)
- Pager (text)
- Activities
- Areas of expertise
• Sponsored Affiliates: pass through the Identity Match & Reconciliation Logic
• Data edits:
- Name
- Identifier
- Affiliation
- Sponsor
- Expiration
Registry Schema (abbreviated)
• DIR_PERSON: uuid, ssn, sid, employeeNumber, privacy, dir_uid, primaryAffiliation, homeDepartment, dob, gender, prev_sid, sis_update, hr_update, uniquid_update, self_update, …address/phone/etc data…
• UCBEMAIL_ONLY: cuMailUniq, cuid, mail, emailHome, emailRewrite
• DIR_COMMON_NAME
• DIR_EMAIL: emailSeqNo, uuid, campus, dir_uid, mail_flag
• DIR_SURNAME
• DIR_GIVEN_NAME
• DIR_CAMPUS_SPECIFIC: uuid, campus, ISO, roomNumber, physicalDeliveryOfficeName
• DIR_ORG_UNIT_DN
• DIR_AU_SPECIFIC: uuid, AU, Term, expectedReturn, feesIndicator, enrollment_status_code, withdraw_code, …academic info…
• DIR_DEGREE
• DIR_RESEARCH
• DIR_AFFILIATION: AffiliationSeqNo, uuid, description, eduPersonAffiliation, campus, sponsored_by, expiration_date, orgDN
• DIR_ACTIVITIES
• DIR_CERT
• DIR_JOB: JobSeqNo, uuid, job_Code, dept_ID, title, emplmnt_status_code, emp_type_code, reg_temp_code, Affiliation, Appoint_end_date
• DIR_PW
• DIR_EXCEPTION: uuid, sid, ssn, source
• DIR_SEEALSO
• DIR_PRIOR_NAME
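The identity match and reconciliation step the registry slides describe (match an incoming SIS or HR record on SID, previous SID, employee number or SSN; confirm with name, date of birth and gender; assign one permanent uuid; park conflicts in DIR_EXCEPTION), as an added example that is not the registry's own code. The tie-break policy, the uuid range, the Python field names and the sample records are assumptions; the identifiers and confirming attributes are the ones the slides list.

```python
"""Identity match and reconciliation for an incoming SIS or HR record.

Added example, not the registry's own code.  The identifiers it matches on
(SID, previous SID, employee number, SSN) and the confirming attributes
(name, date of birth, gender) are the ones the slides list; the tie-break
policy, the uuid range and the sample records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from itertools import count
from typing import Optional


@dataclass
class Person:                               # an abbreviated DIR_PERSON row
    uuid: int
    sn: str
    given_name: str
    dob: date
    gender: str
    sid: Optional[str] = None
    prev_sid: Optional[str] = None
    employee_number: Optional[str] = None
    ssn: Optional[str] = None


def _norm(name):
    return " ".join(name.split()).upper()


class Registry:
    def __init__(self, first_uuid=100000001):   # assumption: uuid range
        self.people = {}                        # uuid -> Person
        self.exceptions = []                    # DIR_EXCEPTION rows
        self._uuids = count(first_uuid)

    def _candidates(self, rec):
        """Every person sharing a system identifier with the record."""
        found = {}
        for p in self.people.values():
            sids = {p.sid, p.prev_sid} - {None}
            if rec.get("sid") in sids or rec.get("prev_sid") in sids:
                found[p.uuid] = p
            if rec.get("employee_number") and rec["employee_number"] == p.employee_number:
                found[p.uuid] = p
            if rec.get("ssn") and rec["ssn"] == p.ssn:
                found[p.uuid] = p
        return list(found.values())

    @staticmethod
    def _demographics_agree(p, rec):
        return (_norm(p.sn) == _norm(rec["sn"]) and p.dob == rec["dob"]
                and p.gender == rec["gender"])

    def reconcile(self, rec, source):
        """Return ("update", uuid), ("create", uuid) or ("exception", None).

        One identifier match with agreeing demographics updates that person.
        A match whose name/DOB/gender disagree, or identifier matches on two
        different people, is written to the exception table for a human to
        resolve; nothing is merged or overwritten on a guess.
        """
        cands = self._candidates(rec)
        if len(cands) == 1 and self._demographics_agree(cands[0], rec):
            p = cands[0]
            if rec.get("sid") and p.sid and p.sid != rec["sid"]:
                p.prev_sid = p.sid              # keep the old SID for later matches
            for key in ("sid", "employee_number", "ssn"):
                if rec.get(key):
                    setattr(p, key, rec[key])
            return "update", p.uuid
        if cands:
            for p in cands:
                self.exceptions.append({"uuid": p.uuid, "sid": rec.get("sid"),
                                        "ssn": rec.get("ssn"), "source": source})
            return "exception", None
        p = Person(next(self._uuids), rec["sn"], rec["given_name"], rec["dob"],
                   rec["gender"], sid=rec.get("sid"), prev_sid=rec.get("prev_sid"),
                   employee_number=rec.get("employee_number"), ssn=rec.get("ssn"))
        self.people[p.uuid] = p
        return "create", p.uuid
```

The security-relevant choice is the refusal to merge on a partial match: an identifier hit with disagreeing demographics, or hits on two different people, produces exception rows (uuid, sid, ssn, source) rather than an update, because a wrong merge would silently hand one person's affiliations, and therefore the access the ACLs grant on them, to someone else.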
Registry Schema - views

  -- Flattens a student's academic-unit row into description columns; the
  -- outer joins (+) keep rows whose lookup codes have no description.
  create or replace view au_specific_view as
  select h.uuid, h.au, h.feesIndicator, h.college, h.affiliation, h.college2,
         h.primaryMajor1, h.primaryMajor2, h.primaryMinor,
         h.secondaryMajor1, h.secondaryMajor2, h.secondaryMinor,
         h.primaryMajor1Option, h.primaryMajor2Option,
         h.secondaryMajor1Option, h.secondaryMajor2Option,
         l1.college_desc,
         l2.college_desc "COLLEGE2_DESC",
         m1.major_desc "PRIMARYMAJOR1_DESC",
         m2.major_desc "PRIMARYMAJOR2_DESC",
         m3.major_desc "PRIMARYMINOR_DESC",
         m4.major_desc "SECONDARYMAJOR1_DESC",
         m5.major_desc "SECONDARYMAJOR2_DESC",
         m6.major_desc "SECONDARYMINOR_DESC",
         n1.major_option_desc "PRIMARYMAJOR1OPTION_DESC",
         n2.major_option_desc "PRIMARYMAJOR2OPTION_DESC",
         n3.major_option_desc "PRIMARYMAJOR3OPTION_DESC",  -- n3/n4 describe the secondary-major options
         n4.major_option_desc "PRIMARYMAJOR4OPTION_DESC",
         h.classlevel
    from dir_au_specific h,
         college_table l1, college_table l2,
         majors_table m1, majors_table m2, majors_table m3,
         majors_table m4, majors_table m5, majors_table m6,
         major_option_table n1, major_option_table n2,
         major_option_table n3, major_option_table n4
   where l1.college_code (+) = h.college
     and l2.college_code (+) = h.college2
     and m1.major_code (+) = h.primaryMajor1
     and m2.major_code (+) = h.primaryMajor2
     and m3.major_code (+) = h.primaryMinor
     and m4.major_code (+) = h.secondaryMajor1
     and m5.major_code (+) = h.secondaryMajor2
     and m6.major_code (+) = h.secondaryMinor
     and n1.major_option_code (+) = h.primaryMajor1Option
     and n2.major_option_code (+) = h.primaryMajor2Option
     and n3.major_option_code (+) = h.secondaryMajor1Option
     and n4.major_option_code (+) = h.secondaryMajor2Option  -- was secondaryMajor1Option, duplicating n3
     and h.affiliation = 'Y';
Directory Structure
• Directory Objects: eduPerson, cuEduPerson, coloradoPerson
• Console demo
• Metamerge demo
Directory Objects (object classes and their attributes, from the class diagram)
• person: cn, description, seeAlso, sn, telephoneNumber, userPassword
• organizationalPerson: facsimileTelephoneNumber, ou, physicalDeliveryOfficeName, postalAddress, street, st, postalCode, l, postOfficeBox, preferredDeliveryMethod, title
• inetOrgPerson: o & departmentNumber, displayName, givenName, employeeNumber, employeeType, homePhone, homePostalAddress, jpegPhoto & labeledURI, mail, uid, mobile & pager, roomNumber, userCertificate
• eduPerson
• cuEduPerson
• cusysPerson: affiliation, jobClassification, nickName, orgDN, orgUnitDN, primaryAffiliation, principalName, schoolCollegeName
• coloradoPerson: uuid, au, activities & research, alternateContact, campus, degreeInstitution & Yr, employmentStartDate, Expertise, feesIndicator, highestDegree, homeDepartment, ISO, major, minor, class, Privacy, SID, SSN, Macgridnumber, Machomelocpath, Machomedir
• Identifiers…
Sample Directory Entry
  dn: uuid=100056249, ou=people, dc=colorado, dc=edu
  cn: Roberto Roybal
  sn: Roybal
  givenname: Roberto
  postaladdress: 455 UCB
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
Lunch! • Eat! Drink! • Share your experiences!
Server Environment
• Hardware
• iPlanet Directory Server
• Enterprise Directory Architecture (Directory Instances: configuration, replication, SSL, subnets)

Server Environment (diagram: Development, Production and Failover instances)
Security
• ACLs
• Privacy
• Directory and Security Initiatives
Privacy
• FERPA constraints
• Privacy-enabled students
• Public vs. private student data
• Public vs. private employee data
• Who can see what?
ACLs
• Where and/or what is the resource to be accessed?
• How can the resource be accessed?
• Who can and/or when can a resource be accessed?
From iPlanet Learning Solutions: iPlanet Directory Services: Analysis and Planning 5.0
ACLs
• Anonymous ACL example. It lets anyone read the home address and home phone of students who have not set the privacy flag: because the targetfilter is negated (!=), the ACI applies only to entries that do not match it, and the filter names everyone to exclude (students with any privacy value, anyone whose primary affiliation is not Student, affiliates, and anyone with privacy = D):

  (targetattr="homePostalAddress||homephone")
  (target="ldap:///ou=people,dc=colorado,dc=edu")
  (targetfilter!="(|(&(edupersonprimaryaffiliation=Student)(cuedupersonprivacy=*))(!(edupersonprimaryaffiliation=Student))(edupersonprimaryaffiliation=Affiliate)(cuedupersonprivacy=D))")
  (version 3.0; acl "anonymous-student homeinfo"; allow (read,compare,search) userdn="ldap:///anyone";)
ACLs
• Read-all ACL example. Members of the Readall group may read every attribute of every entry except those under ou=special (the negated target excludes that subtree):

  (targetattr="*")
  (target != "ldap:///*,ou=special,dc=colorado,dc=edu")
  (version 3.0; acl "powerusers-read"; allow (read,compare,search) groupdn="ldap:///cn=Readall,ou=groups,ou=special,dc=colorado,dc=edu";)
UCB's Kerberos and the Directory
• Solutions considered…
- Synchronize Passwords
- Migrate to "Heimdal" Kerberos
- Simple Authentication and Security Layer (SASL)
- Pre-Operation Directory Plug-in
• The winner is …
Lessons learned and next steps
• App must be able to look up the DN (our DN is not the username), e.g. cuedupersonuuid=100056463,ou=People,dc=Colorado,dc=edu vs. jonesdr
• Plugin API compatibility issues with iPlanet Directory version changes.
• 5.1 plugin retrieves & caches both the Kerberos ticket-granting ticket and host ticket.
Directory's Role in Security
• Directory Enabled Applications
• Authentication
• Authorization
• Network Security & Radius

Client Access
• White Pages architecture
• Unix command line lookup
• Address Book mappings
• LDAP Browser
White Pages Architecture (diagram, steps 1-6)
• Desktop client web browser sends an HTTP request to the Apache web server (mod_jk.so plugin module)
• Apache forwards the request over AJP 1.3 on port 8009 (Apache-Java Protocol) to the Tomcat servlet engine running under Java JDK 1.3
• The Cocoon publishing framework, or another Java servlet using XML/XSL & JNDI, issues a JNDI LDAP query to the Directory
• The result returns along the same path to the browser
• Desktop email clients (Outlook, Netscape, Eudora) and other LDAP clients query the Directory directly with an anonymous LDAP query
White Pages – XML example (part 1)
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd">
  <page>
    <cnfull>marangak</cnfull>
    <campus> * </campus>
    <affiliation> * </affiliation>
    <ldapsearch>

White Pages – XML example (part 2)
      <searchresult id="cuEduPersonUUID=100038089">
        <displayname>Andrew Marangakis</displayname>
        <givenname>ANDREW</givenname>
        <cuedupersonemailhome>marangak@spot.Colorado.EDU</cuedupersonemailhome>
        <cuedupersoncampus>Boulder Campus</cuedupersoncampus>
        <objectclass>top</objectclass>
        <objectclass>person</objectclass>
        <objectclass>organizationalperson</objectclass>
        <objectclass>inetorgperson</objectclass>
        <objectclass>eduPerson</objectclass>
        <objectclass>cuEduPerson</objectclass>
        <cuedupersonhomedepartment>ITS-Administration</cuedupersonhomedepartment>
        <edupersonaffiliation>Staff</edupersonaffiliation>
        <edupersonaffiliation>Employee</edupersonaffiliation>
        <ou>ITS-Administration</ou>
        <mail>Andrew.Marangakis@Colorado.EDU</mail>
        <cn>Marangakis,Andrew</cn>
        <cn>Andrew Marangakis</cn>
        <cn>Marangakis Andrew</cn>
        <telephonenumber>303 492 0527</telephonenumber>
        <cuedupersonclass>UNCLASSIFIED NON-CREDIT CE</cuedupersonclass>
        <cuedupersonuuid>100038089</cuedupersonuuid>
        <postaladdress>455 UCB</postaladdress>
        <description>Staff</description>
        <sn>MARANGAKIS</sn>
        <edupersonprimaryaffiliation>Staff</edupersonprimaryaffiliation>
        <cuedupersonjobclassification>IT Professional III</cuedupersonjobclassification>
        <title>IT Professional III</title>
Client Access – Unix Command Line

  #!/bin/sh
  # White-pages lookup: cu-lookup <name fragment>
  # The fragment is spliced into an LDAP search filter, so the RFC 2254 filter
  # metacharacters in it (backslash, *, parentheses) are hex-escaped first,
  # backslash before the others; otherwise a fragment such as "*)(mail=*"
  # rewrites the filter instead of being searched for.
  term=$(printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g')
  ldapsearch -h directory.colorado.edu -b "dc=Colorado, dc=EDU" "(cn=*${term}*)" \
    displayname telephonenumber cuedupersonschoolcollegename cuedupersonprimarymajor1 \
    cuedupersonclass title description cuedupersonhomedepartment postaladdress \
    homepostaladdress homephone mail cuedupersonemailhome \
    | grep -v cuEduPersonUUID | awk -F': ' '{print $2}'
  # grep drops the dn line; ldapsearch prints "attribute: value", so awk splits on ": ".
Client Access – Address Books
• Eudora – Tools/Directory Services
- LDAP Database: directory.colorado.edu
- Search base: dc=colorado,dc=edu
- Attributes: can specify name and heading
• Netscape – Address Book/File/New Directory
- LDAP Server: directory.colorado.edu
- Search Root: dc=colorado,dc=edu
• Outlook – Address Book/Internet Accounts Directory Service wizard
• UCB Address Book instructions: http://www.colorado.edu/its/docs/usingemail.html
Client Access – LDAP Browser • demo
Four Campus Implications
• Commonalities
• Campus-specificities
- People
- Data sources
- Data
- Policies
• Infrastructure applicable to University and Campuses
Directory Structure Today (diagram)
• University-wide: HR and SIS feed the Registry (Identity Recon., Recon report), which drives the Directory Build for the ucb Directory and the cusys Directory; cu.edu Common Infrastructure is a concept
• Campus-specific: Uniquid
• Consumers of the ucb Directory: MacOS AuthN, Radius concept, Calendar pilot, AuthN testing, White Pages, Send Mail Email Addresses, Affiliation Check, Printed Directory
Project Contacts
• Dennis Maloney, Director of ITS, Dennis.Maloney@colorado.edu
• Bob Fryberger, IT Architect, Robert.Fryberger@colorado.edu
• Paula Vaughan, Project Manager, Paula.Vaughan@colorado.edu
• Melinda Jones, Directory Manager, Melinda.Jones@colorado.edu
• Enterprise Directory Project Web Page: http://www.Colorado.EDU/committees/DirectoryServices/ or from the UCB - ITS home page ("About ITS" > "Projects & Initiatives" > "Architecture and Infrastructure Initiatives")