Æ-DIR -- Authorized Entities Directory - PowerPoint PPT Presentation

  1. FOSDEM '18 -- Identity and Access Management devroom
     Æ-DIR -- Authorized Entities Directory
     from paranoid user management to secure system management
     STROEDER.COM - 1 - FOSDEM '18 / 2018-02-03

  2. Personal info
     - Michael Ströder <michael@stroeder.com>, self-employed
     - IAM, PKI, etc.
     - Free software: Æ-DIR, OATH-LDAP, web2ldap, formerly python-ldap

  3. Objectives
     - Strictly follow principles: Need-to-know, Least Privilege, Separation of Duties
     - Agile data maintenance by consequent delegation of manageable small areas
     - Provide meaningful audit trails
     - Solid base for compliance checks

  4. Paradigms
     - Explicit is better than implicit
     - Secure authorization requires secure authentication
     - Individual authentication instead of shared credentials
     - Avoid all-mighty proxy roles
     - A person is not a user account; avoid org-based authz!
     - Role separation with multiple user accounts per person
     - Persistent IDs (never re-used) for reliable audit trails

  5. Roles
     - Æ admins delegate zones and fix broken entries, but they do not maintain zones
     - Æ auditors may read (almost) everything
     - Zone admins are the maintainers doing the daily work
     - Zone auditors may read anything within a zone
     - Setup admins maintain hosts/services within service groups
     - Users may read own entries, see members of own groups, change own password

  6. 2-tier architecture (diagram)
     - Æ-DIR provider: slapd with mdb backend; LDAPS towards consumers, LDAPI for local tools
       - admin UI: web2ldap, used from the admin workstation browser over HTTPS
       - custom web password tool for self service, used from a browser over HTTPS
       - maintenance tools (SSH client, pgadmin and other maintenance tools) reaching the provider via LDAPI
     - Æ-DIR consumer: slapd with mdb backend, replicated from the provider with syncrepl over LDAPS
       - serves Unixoid servers (sssd, sudo-ldap), DB servers (postgresql) and web servers (Apache httpd) over LDAPS

  7. Directory Information Tree (DIT) (diagram; entry DNs with object classes in parentheses)
     ou=ae-dir (aeRoot)
       cn=people (aeZone)
         uniqueIdentifier=p23 (aePerson)
         departmentNumber=d42 (aeDept)
       cn=pub (aeZone) and cn=ae (aeZone), holding cn=ae-users (aeGroup) and cn=sudo-defaults (aeSudoRule); which of the two zones holds which entry is not recoverable from the diagram
       cn=example (aeZone)
         uid=foo1 (aeUser)
         cn=example-grp-1 (aeGroup)
         cn=example-zone-admins (aeGroup)
         cn=example-zone-auditors (aeGroup)
         cn=example-sudo (aeSudoRule)
         cn=example-srvgrp (aeSrvGroup)
           host=example-srv (aeHost)
             cn=eth0 (aeNwDevice)
             cn=bond0 (aeNwDevice)
           uid=system_example1 (aeService)

  8. Complete EER diagram (diagram; only the entity and attribute names are recoverable)
     - Object classes: aeZone, aeDept, aeLocation, aePerson, aeContact, aeMailGroup, aeUser, aeGroup, aeSrvGroup, aeService, aeHost, aeNwDevice, aeSudoRule, aeAuthcToken with oathHOTPToken / oathTOTPToken (plus oathHOTPParams / oathParams), pwdPolicy
     - Relationship attributes: member / memberOf, aeProxyFor, aeVisibleGroups, aeDisplayNameGroups, aeLoginGroups, aeSetupGroups, aeLogStoreGroups, aeVisibleSudoers, aeZoneAdmins, aeZoneAuditors, aePasswordAdmins, pwdPolicySubentry, sudoUser, aePerson, aeDept, aeLocation, aeSrvGroup
     - Containment ("child of"): aeHost and aeService under aeSrvGroup, aeNwDevice under aeHost

  9. Authz EER diagram (diagram)
     - aeZone: aeZoneAdmins, aeZoneAuditors, aePasswordAdmins -> aeGroup
     - aeGroup: member -> aeUser (memberOf on the member side); aeUser: aePerson -> aePerson
     - aeSrvGroup: aeSetupGroups, aeLoginGroups, aeVisibleGroups, aeDisplayNameGroups, aeLogStoreGroups -> aeGroup; aeVisibleSudoers -> aeSudoRule
     - aeSudoRule: sudoUser -> aeGroup
     - aeProxyFor links aeService and aeUser
     - aeHost, aeService: child of an aeSrvGroup, or pointing to one via the aeSrvGroup attribute; aeNwDevice: child of aeHost

  10. Client integration
     - Clients deliberately kept dumb
     - Schema derived from common standards:
       - NIS-LDAP
       - sudo-ldap (always sudoHost: ALL)
       - Hybrid groups for RFC 2307 / RFC 2307bis compatibility
       - Support for hosts map (e.g. with nss-pam-ldapd aka nslcd)
     - Abandon netgroup map -> migrate to aeSrvGroup

  11. SSH proxy with authz (diagram)
     - Admin workstation: ssh <legacy-uid>@<target>; a ProxyCommand, looked up for <target> in the local ssh config, instead opens SSH <ae-dir-uid>@<gateway-host>
     - SSH proxy (gateway host): sshd authenticates the SSH key through pam_sss / nss_sss (sssd), which reads an Æ-DIR consumer (slapd, mdb) over LDAPS
       - gateway admins get a full shell (sudo-ldap)
       - all other users get a ForceCommand wrapper script
     - Wrapper script: authz check for <ae-uid>@<target> against ae_checkd (query by ae-uid), then nc <target>:22 as the TCP tunnel to the target system's sshd
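The relations from the DIT, authz EER and SSH-proxy slides above, evaluated in code. This is an added example written for this page, not code from Æ-DIR or from ae_checkd: the LDIF entries are constructed (following the cn=example zone of the DIT slide), and the decision rules are assumptions drawn from the attribute relations in the diagrams: login if one of the user's aeGroups appears in the target host's aeSrvGroup aeLoginGroups; sudo rules taken from that aeSrvGroup's aeVisibleSudoers, matched by %cn in sudoUser (all rules carry sudoHost: ALL, as the client-integration slide says); and, for the hybrid groups of that slide, a consistency check between the RFC 2307 memberUid view (nslcd) and the RFC 2307bis member view (sssd).

```python
"""Authorization checks over an Æ-DIR-style LDIF snapshot. Added example, not
Æ-DIR code: entries are constructed, rules are assumptions following the slides."""
import re

# Constructed sample entries, laid out like the cn=example zone of the DIT slide.
SAMPLE_LDIF = """\
dn: cn=example-grp-1,cn=example,ou=ae-dir
objectClass: aeGroup
objectClass: groupOfNames
objectClass: posixGroup
cn: example-grp-1
member: uid=foo1,cn=example,ou=ae-dir
memberUid: foo1

dn: cn=example-grp-2,cn=example,ou=ae-dir
objectClass: aeGroup
objectClass: groupOfNames
objectClass: posixGroup
cn: example-grp-2
member: uid=bar2,cn=example,ou=ae-dir
memberUid: bar2
memberUid: stale9

dn: cn=example-srvgrp,cn=example,ou=ae-dir
objectClass: aeSrvGroup
aeLoginGroups: cn=example-grp-1,cn=example,ou=ae-dir
aeVisibleSudoers: cn=example-sudo,cn=example,ou=ae-dir

dn: host=example-srv,cn=example-srvgrp,cn=example,ou=ae-dir
objectClass: aeHost

dn: cn=example-sudo,cn=example,ou=ae-dir
objectClass: aeSudoRule
sudoHost: ALL
sudoUser: %example-grp-1
sudoCommand: /usr/bin/systemctl restart httpd
"""

def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr_lowercased: [values]}}; unfolds continuation
    lines, does not decode base64 ("::") values."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]           # unfold continuation line
            else:
                lines.append(line)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name.lower(), []).append(value.strip())
        entries[attrs.pop("dn")[0]] = attrs
    return entries

def groups_of(entries, user_dn):
    """aeGroup DNs listing user_dn in member (the memberOf view of the diagram)."""
    return {dn for dn, e in entries.items()
            if "aeGroup" in e.get("objectclass", []) and user_dn in e.get("member", [])}

def srvgroup_of(entries, host_dn):
    """aeSrvGroup of an aeHost: its parent entry, else its own aeSrvGroup attribute."""
    parent = host_dn.split(",", 1)[1]
    if "aeSrvGroup" in entries.get(parent, {}).get("objectclass", []):
        return parent
    refs = entries.get(host_dn, {}).get("aesrvgroup", [])
    return refs[0] if refs else None

def may_login(entries, user_dn, host_dn):
    """The <ae-uid>@<target> question of the SSH proxy slide (assumed rule): one of
    the user's groups must be listed in the target's aeSrvGroup aeLoginGroups."""
    sg = srvgroup_of(entries, host_dn)
    if sg is None:
        return False
    return bool(set(entries[sg].get("aelogingroups", [])) & groups_of(entries, user_dn))

def sudo_commands(entries, user_dn, host_dn):
    """sudoCommand values the user gets on the host. Rules carry sudoHost: ALL, so
    host scoping comes only from aeVisibleSudoers; sudoUser names groups as %cn."""
    sg = srvgroup_of(entries, host_dn)
    if sg is None:
        return []
    my_cns = {entries[g]["cn"][0] for g in groups_of(entries, user_dn)}
    cmds = []
    for rule_dn in entries[sg].get("aevisiblesudoers", []):
        rule = entries[rule_dn]
        if any(u.startswith("%") and u[1:] in my_cns for u in rule.get("sudouser", [])):
            cmds.extend(rule.get("sudocommand", []))
    return cmds

def hybrid_group_inconsistencies(entries):
    """Hybrid groups carry member (RFC 2307bis DNs) and memberUid (RFC 2307 uids).
    Returns {group_dn: uids} for memberUid values with no matching member DN, i.e.
    members an nslcd client would see but an sssd client would not."""
    out = {}
    for dn, e in entries.items():
        if "posixGroup" in e.get("objectclass", []):
            from_dns = {m.split(",", 1)[0].split("=", 1)[1] for m in e.get("member", [])}
            stale = set(e.get("memberuid", [])) - from_dns
            if stale:
                out[dn] = stale
    return out

ENTRIES = parse_ldif(SAMPLE_LDIF)
```

With the constructed entries, foo1 may log in to example-srv and gets the one sudoCommand, bar2 gets neither, and the drift check flags memberUid stale9 in example-grp-2. The hybrid-group check is the one worth running periodically: a memberUid left behind after a member DN was removed silently keeps a login on every RFC 2307 client.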

  12. OATH-LDAP -- 2-tier architecture (diagram)
     - OpenLDAP provider: slapd (mdb) with LDAPI for local clients; the OTP validator is attached over IPC through back-sock used as overlay
     - Enrollment: web enrollment app (browser over HTTPS) and enrollment client talk to the provider over LDAPI
     - OpenLDAP consumer: slapd (mdb) replicated via syncrepl (LDAPS); a bind proxy is attached over IPC through back-sock used as overlay
     - LDAP client binds with password/OTP over LDAPS to the consumer; the bind proxy forwards the password/OTP bind over LDAPS to the provider, where the OTP validator checks it
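What the OTP validator at the end of that forwarded bind has to decide, as an added example written for this page (not OATH-LDAP's code): HOTP per RFC 4226 with the RFC's own test secret, a split of the bind password into static password and trailing OTP, a look-ahead window for skipped button presses, and a counter that only moves forward so an accepted OTP can never be replayed. The split rule (last 6 characters), the window size, the in-memory token record and the password_ok callback standing in for the directory's own password check are assumptions.

```python
"""Password+OTP simple-bind validation as an OTP validator behind a bind proxy
might do it. Added example, not OATH-LDAP code; HOTP per RFC 4226, everything
else (split rule, window, token record, password_ok callback) is an assumption."""
import hashlib
import hmac
import struct

OTP_DIGITS = 6
LOOKAHEAD = 5                       # tolerated skipped button presses

def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def split_password_otp(pw_and_otp: str, digits: int = OTP_DIGITS):
    """Bind password is <static password><OTP>; returns (password, otp) or None."""
    if len(pw_and_otp) <= digits or not pw_and_otp[-digits:].isdigit():
        return None
    return pw_and_otp[:-digits], pw_and_otp[-digits:]

class HotpToken:
    """Server-side token state, the part an oathHOTPToken entry would persist."""
    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter      # next counter value we expect

    def match(self, otp: str):
        """Counter in [counter, counter + LOOKAHEAD] producing otp, else None.
        Never looks backwards, so an already accepted OTP cannot be replayed."""
        for c in range(self.counter, self.counter + LOOKAHEAD + 1):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                return c
        return None

    def consume(self, c: int):
        self.counter = c + 1

def check_bind(token: HotpToken, pw_and_otp: str, password_ok) -> bool:
    """Both factors must pass. The counter advances only when the static password
    also matched, so a wrong password cannot burn a valid OTP; password_ok(pw)
    stands in for the directory's own password verification."""
    parts = split_password_otp(pw_and_otp)
    if parts is None:
        return False
    password, otp = parts
    c = token.match(otp)
    if c is None or not password_ok(password):
        return False
    token.consume(c)
    return True

# RFC 4226 Appendix D test secret; counters 0..2 give 755224, 287082, 359152.
RFC4226_SECRET = b"12345678901234567890"
```

Design note: not advancing the counter on a wrong static password is a deliberate trade-off. It keeps a typo from desynchronising the token, but it means an attacker who has captured a fresh OTP gets to try passwords against it until the window moves; rate limiting at the bind proxy has to cover that case.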

  13. OATH-LDAP -- enrollment (diagram; parties: user, OTP admin, enrollment client on the admin workstation, web application, OpenLDAP provider, e-mail)
     1. User requests an OTP token from the OTP admin
     2. OTP admin adds/personalizes the OTP token with the enrollment client
     3. Enrollment client adds/resets the token entry on the OpenLDAP provider (through the web application)
     4. pw#1 is sent to the user via e-mail
     5. OTP admin notes pw#2
     6. OTP admin hands out the OTP token and pw#2 to the user
     7. User gets pw#1 from e-mail
     8. User inserts the OTP token and enters pw#1 + pw#2 at the workstation
     9. With the OTP token ID and pw#1 + pw#2 the enrollment client performs an LDAP simple bind and fetches the encrypted shared secret (LDAP modify)

  14. Next: System management
     - aeNwDevice has triple (FQDN, IP, MAC)
     - Network access control (802.1x)
     - OS deployment (PXE, DHCP, BOOTP)
     - Eliminate dynamic hostname updates in DNS
     - Easy integration of virt-install or similar
     - ansible dynamic inventory
     - X.509 server certificates
