living in ad times
play

Living in AD-times Using Open Standards with Microsoft - PowerPoint PPT Presentation

Apr 09, 2024 •176 likes •420 views

Living in AD-times Using Open Standards with Microsoft ActiveDirectory John Paschoud LSE Library with acknowledgements to Simon McLeish and Paul Gee 02-Mar-2005 EuroCAMP, Torino 1 Background UK JISC 7m AM programme Adoption of

  1. Living in AD-times Using Open Standards with Microsoft ActiveDirectory John Paschoud LSE Library with acknowledgements to Simon McLeish and Paul Gee 02-Mar-2005 EuroCAMP, Torino 1

  2. Background • UK JISC £7m AM programme • Adoption of Shibboleth as ‘Core Middleware’ for the Info Environment • Technology development projects (16) • ‘Early Adopters’ programmes – main scheme started 01-Mar-05 (yesterday) • Advantages & challenges of transition from Athens AM service 02-Mar-2005 EuroCAMP, Torino 2

  3. The SECURe Project • Part of first JISC Middleware programme • Followed-up initial evaluation of Shib, by LSE team, for JISC & UK community • Evaluated and added to practical resources to support adoption of: – Shibboleth ☺ – Campus certificate services � – Smartcards (abandoned) � 02-Mar-2005 EuroCAMP, Torino 3

  4. The problem • Shib IdP needs an Enterprise Directory as backend • Larger (richer?) UK universities have capacity (like US leads in I2 middleware activity) to deploy & support ED tools – ‘Spare’ staff – Skills & experience • …but many uni’s & colleges depend upon packaged, proprietary network AuthN • ActiveDirectory™ is the dominant product 02-Mar-2005 EuroCAMP, Torino 4

  5. LSE ED architecture [current] AD Updater (120sec latency) (MS-specific) AD network login users LSE Central db (only) (all users) Shib IdP MS-specific classes HS generic ‘MetaDirectory’ classes functions all sit behind ( Shib/SAML ) here Content-free unique person identifiers AA (mine is “124451”) 02-Mar-2005 EuroCAMP, Torino 5

  6. ActiveDirectory™ vs LDAP AD ‘generic’ LDAP • Designed primarily to • Not purpose-specific support Exchange™ services • Limited facilities for • Schema changes import of new schema simpler classes • Requires MS admin • Requires ‘Unix-based’ skills skills 02-Mar-2005 EuroCAMP, Torino 6

  7. The Decision Guide Based heavily on work by Simon McLeish of LSE • Existing institutional directory service? • Existing SSO authentication system? – using institutional directory to authenticate users? • AM needed for existing web application? – for institutional users only? – institutional and external users? • Existing AM authorisation system? • … 02-Mar-2005 EuroCAMP, Torino 7

  8. The AD Cookbook Based heavily on work by Paul Gee of LSE • Cautions (have a test system!) • Options for introducing eduPerson to AD • Changes in eduPerson class for AD • Installing the modified LDIF • Populating attributes in AD [see Cookbook detail] [no thanks, we’ll check it online later] 02-Mar-2005 EuroCAMP, Torino 8

  9. Options for introducing the eduPerson Schema into AD • Windows 2000 domain with Microsoft's inetOrgPerson class schema extensions installed • The domain in which you want to use the eduPerson class upgraded to Windows Server 2003 • Upgrading the Active Directory Forest to Windows Server 2003 02-Mar-2005 EuroCAMP, Torino 9

  10. Changes in eduPerson Class for AD • How & why the eduPerson class used with Active Directory differs from the class maintained by eduCause • eduPerson (Educause standard) is defined using RFC2252 LDIF syntax • AD only supports X500 LDIF syntax • No attribute equality-matching rules in X500 02-Mar-2005 EuroCAMP, Torino 10

  11. Changes in eduPerson Class for AD - Example eduPersonScopedAffiliation (RFC2252) attributetypes: ( 1.3.6.1.4.1.5923.1.1.1.9 NAME 'eduPersonScopedAffiliation' DESC 'eduPerson per Internet2 and EDUCAUSE' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) eduPersonScopedAffiliation ( X500 ) dn:CN=eduPersonScopedAffiliation,CN=Schema,CN=Configuration,DC=lse,DC=ac,DC=uk changetype: add objectClass: attributeSchema name: eduPersonScopedAffiliation description: eduPerson per Internet2 and EDUCAUSE attributeID: 1.3.6.1.4.1.5923.1.1.1.9 attributeSyntax: 2.5.5.12 oMSyntax: 64 systemOnly: FALSE isSingleValued:TRUE 02-Mar-2005 EuroCAMP, Torino 11

  12. Installing the modified LDIF Try it all on your test system first! 1. Add yourself to Schema Admin group 2. Locate domain controller with Schema Master FSMO 3. Register schmmgmt.dll (creates snap-in) 4. Run ldifde 5. Check that eduPerson class & attributes are in place (using snap-in) 6. Retreat from Schema Admin group 02-Mar-2005 EuroCAMP, Torino 12

  13. Populating attributes in AD • LSE ActiveDirectory Updater – Sun Java2; using JDBC, JNDI APIs – Uses ‘LSE Central’ (rdb) as datasource – Queue of required updates – entries created by db triggers – UpdaterMapping class – transforms to required AD attribute values – Queue-processing frequency configurable (currently 120secs) – Latency of AD replication to all servers must also be allowed for (typically >120secs) 02-Mar-2005 EuroCAMP, Torino 13

  14. How to use these resources http://www.angel.ac.uk/SECURe/deliverables/documentation/ • Evaluate your own (institution’s) situation first • …then check you’ve consulted all interested parties: – Library – Learning-technologists – Network infrastructure support • All our documentation is Creative Commons licensed – Attribute, ShareAlike, NonCommercial – …so please use them to make something better! 02-Mar-2005 EuroCAMP, Torino 14

  15. Where LSE is now • InQueue Fed for testing – Jstor; • ‘peer-to-peer’ Shib with Columbia U (NY) – Access to anthropology teaching resources in JISC-NSF DART Project • SDSS (Edina) Fed – Ed Media OnLine; • Athens (Eduserv) Fed – Will test Shib-Athens interop. • ShibboLEAP JISC ‘Early Adopters’ project – LSE + 6 other London Uni colleges as IdPs – Eprints.org servers as ResourceProviders 02-Mar-2005 EuroCAMP, Torino 15

  16. Using Shib on a larger scale • LSE AD covers all users with network login BUT… • Users unknown to AD: – External Library users: have Library system login – Alumni: an important (rich!) group to offer some ‘privileged’ resource access to – (some) short-course students – Visiting academics (Bill Clinton, etc, etc) • … This precludes LSE using Shib (and AD) for AM to significant services, such as Library system 02-Mar-2005 EuroCAMP, Torino 16

  17. LSE ED architecture [current] AD Updater (120sec latency) (MS-specific) AD network login users LSE Central db (only) (all users) Shib IdP MS-specific classes HS generic classes ( Shib/SAML ) AD as sole backend to Shib IdP AA • Uneasy cohabitation of LDAP schema classes • IdP only serves users with network logins 02-Mar-2005 EuroCAMP, Torino 17

  18. What LSE will do next (probably) • Use an alternative (probably Oracle) LDAP product in Enterprise Directory role • Network users (most staff & students) would resist removal of direct Windows password-change ability • Considering 4 possible options… 02-Mar-2005 EuroCAMP, Torino 18

  19. LSE ED architecture [option 1] AD Updater (120sec latency) (MS-specific) AD all users LSE Central db (all users) Shib IdP MS-specific classes HS generic classes ( Shib/SAML ) AD as sole backend to Shib IdP AA • Uneasy cohabitation of LDAP schema classes • Dependant on inclusion of users without network login in AD 02-Mar-2005 EuroCAMP, Torino 19

  20. LSE ED architecture [option 2] AD Updater (120sec latency) (MS-specific) AD network login users LSE Central db (only) password (all users) Shib IdP propagation MS-specific HS classes Oracle LDAP ( Shib/SAML ) all users LDAP as sole backend to Shib IdP generic AA • Requires secure propagation of classes password-changes from AD to LDAP (But, this is the model chosen by most US MACE-DIR pilots using AD) 02-Mar-2005 EuroCAMP, Torino 20

  21. LSE ED architecture [option 3] AD Updater (120sec latency) (MS-specific) AD network login users LSE Central db [1: try AuthN] (only) (all users) Shib IdP AuthBroker MS-specific HS classes Oracle LDAP [2: try AuthN] ( Shib/SAML ) [3: get role attribs] all users Split user AuthN between AD and generic AA LDAP classes • Requires AuthBroker m’ware to emulate a single AuthN & directory service to IdP • Possible time penalty (waiting for 1 st 02-Mar-2005 EuroCAMP, Torino 21 failed AuthN)

  22. LSE ED architecture [option 4] AD Updater (120sec latency) (MS-specific) AD all users LSE Central db [1: try AuthN] (all users) Shib IdP AuthBroker MS-specific HS classes Oracle LDAP ( Shib/SAML ) [2: get role attribs] all users Split classes between AD and LDAP generic AA • Requires AuthBroker m’ware to classes emulate a single AuthN & directory service to IdP • Dependant on inclusion of users without network login in AD 02-Mar-2005 EuroCAMP, Torino 22

  23. (more) Discussion? BUT: • I’m an architect - not a plumber! - and not an expert on AD! j.paschoud@lse.ac.uk AND: • It’s lunch-time! LSE: http://www.lse.ac.uk/ SECURe: http://www.angel.ac.uk/SECURe/ AD Cookbook: http://www.angel.ac.uk/SECURe/ deliverables/documentation/adconfig.html 02-Mar-2005 EuroCAMP, Torino 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Setting the Standard for Residential Living As a Tampa Bay Times Top Workplace, Valet

1 Setting the Standard for Residential Living As a Tampa Bay Times Top Workplace, Valet

1 Setting the Standard for Residential Living As a Tampa Bay Times Top Workplace, Valet Living has been setting the standard for doorstep collection and recycling since 1995. Servicing over a million apartment homes across 39

379 views • 17 slides
Kwantlen Polytechnic University Thursday February 10,2017 Were living in exponential times Did

Kwantlen Polytechnic University Thursday February 10,2017 Were living in exponential times Did

Jerry Whitehead Kwantlen Polytechnic University Thursday February 10,2017 Were living in exponential times Did you know? Number of internet devices 1984 = 1 thousand 1992 = 1 million 2008 = 1 billion

826 views • 78 slides
101 PRESENTATION SCRIPT Speaking Notes from Living Well Now: Practice this script at least 5 times

101 PRESENTATION SCRIPT Speaking Notes from Living Well Now: Practice this script at least 5 times

101 PRESENTATION SCRIPT Speaking Notes from Living Well Now: Practice this script at least 5 times to make it sound like YOU! Add your stories and testimonials from others-2 stories per product at most. (Compliant descriptions can be found in the

300 views • 13 slides
The Recovery Hub Staffordshire How Can We Help? Living with a mental health condition can be

The Recovery Hub Staffordshire How Can We Help? Living with a mental health condition can be

The Recovery Hub Staffordshire How Can We Help? Living with a mental health condition can be overwhelming at times. The Recovery Hub is here to help you break down the barriers preventing you from living a fulfilled and independent life. Once

298 views • 11 slides
Ancestors during Times of War Elizabeth Burnes The Federal government created documentation of

Ancestors during Times of War Elizabeth Burnes The Federal government created documentation of

Friend or Foe?: Documenting Alien Ancestors during Times of War Elizabeth Burnes The Federal government created documentation of aliens, immigrants living in the United States who were not naturalized, during times of war in the 19th and 20th

779 views • 46 slides
TIMES TABLES HOW WE TEACH TIMES TABLES AND HOW YOU CAN HELP WHY ARE TIMES TABLES IMPORTANT?

TIMES TABLES HOW WE TEACH TIMES TABLES AND HOW YOU CAN HELP WHY ARE TIMES TABLES IMPORTANT?

TIMES TABLES HOW WE TEACH TIMES TABLES AND HOW YOU CAN HELP WHY ARE TIMES TABLES IMPORTANT? New from 2019: all children in year 4 will sit an online times table test. Times Tables knowledge and recall underpin so many different areas of

526 views • 25 slides
Living a Positive Life in Challenging Times Sonya Corbin Dwyer, Ph.D. Positive Psychology

Living a Positive Life in Challenging Times Sonya Corbin Dwyer, Ph.D. Positive Psychology

Living a Positive Life in Challenging Times Sonya Corbin Dwyer, Ph.D. Positive Psychology Promotes the best in human behaviour Promotes the understanding of healthy human functioning Positive emotions seem to help restore or preserve

366 views • 24 slides
Budget 2011 Paul Dalziel Professor of Economics AERU, Lincoln University Introduction I

Budget 2011 Paul Dalziel Professor of Economics AERU, Lincoln University Introduction I

Budget 2011 Paul Dalziel Professor of Economics AERU, Lincoln University Introduction I make six points in this opening comment. We are living in hard times. We know why times are hard. We know how to cope with hard times.

742 views • 23 slides
Leading in Crisis: The Best of Times, The Worst of Times Dr. Kevin Nourse Leap Advocates

Leading in Crisis: The Best of Times, The Worst of Times Dr. Kevin Nourse Leap Advocates

Leading in Crisis: The Best of Times, The Worst of Times Dr. Kevin Nourse Leap Advocates American Association of Port Authorities Executive Management Conference May 2010 Best of Times, Worst of Times? Significant challenges exist today for

744 views • 57 slides
Living Well When Living Longer HIV and Rehabilita5on

Living Well When Living Longer HIV and Rehabilita5on

Living Well When Living Longer HIV and Rehabilita5on #RehabHIV European AIDS Clinical Society (EACS) Friday October 23 2015, 16:30-18:00hrs Barcelona,

700 views • 52 slides
THE FUTURE OF URBAN LIVING New forms of work, planning for the unknown in Amsterdam The

THE FUTURE OF URBAN LIVING New forms of work, planning for the unknown in Amsterdam The

International Miranda Schut ISOCARP CONFERENCE 2016 13 September 2016 Track 4: Urban Planning and Policy Making in Times of Uncertainty, Fragility & Insecurity THE FUTURE OF URBAN LIVING New forms of work, planning for the unknown in

418 views • 22 slides
RIS RISK & OPPORTUNITIES KAMALASEN CHETTY, SOUTH AFRICA 09 MAY 2020 WE ARE LIVING

RIS RISK & OPPORTUNITIES KAMALASEN CHETTY, SOUTH AFRICA 09 MAY 2020 WE ARE LIVING

RIS RISK & OPPORTUNITIES KAMALASEN CHETTY, SOUTH AFRICA 09 MAY 2020 WE ARE LIVING THROUGH UNPRECEDENTED TIMES ARE WE REALLY 4mil 3mil 50mil DEATHS DUE TO DEATHS DUE TO HUNGER CANCER BIRTHS 600k 850k

307 views • 10 slides
TERRAIN SDP Soundproof System for waste water drainage We are living in a always NOISE =

TERRAIN SDP Soundproof System for waste water drainage We are living in a always NOISE =

TERRAIN SDP Soundproof System for waste water drainage We are living in a always NOISE = STRESS = ILLNESS more hectically times. People are looking for comfort, quietness and recreation in their own for walls. In one word; people want

462 views • 20 slides
Computational Methods in Systems Biology The hottest scientific frontier of our times Many

Computational Methods in Systems Biology The hottest scientific frontier of our times Many

What is Biology? A branch of knowledge that deals with living organisms and vital processes Computational Methods in Systems Biology The hottest scientific frontier of our times Many great processes have been figured out

295 views • 18 slides
Disaster Management : Bangladesh Perspective Floods Asia and Pacific is the world s most

Disaster Management : Bangladesh Perspective Floods Asia and Pacific is the world s most

Disaster Management : Bangladesh Perspective Floods Asia and Pacific is the world s most disaster- prone region A person living in the region is 4 times riskier than those in Africa and 25 times than in Europe or North America. Context

574 views • 31 slides
SAY HELLO BEFORE YOU TELL ME OFF! Jules Daulby Vulnerable to exclusions FSM 4 times more

SAY HELLO BEFORE YOU TELL ME OFF! Jules Daulby Vulnerable to exclusions FSM 4 times more

SAY HELLO BEFORE YOU TELL ME OFF! Jules Daulby Vulnerable to exclusions FSM 4 times more likely Black Caribbean 4 times more likely Travelling community (Roma) SEND 7 times more likely (SEMH x19 more likely) Boys

711 views • 38 slides
Voice over the Internet (the basics) Outline Basics about voice encoding Packetization

Voice over the Internet (the basics) Outline Basics about voice encoding Packetization

Voice over the Internet (the basics) Outline Basics about voice encoding Packetization trade-offs Architecture of basic VoIP tool Playback buffer (jitter buffer) Adaptive playback buffers? How to deal with packet losses and

409 views • 30 slides
Multimedia Communications Spring 2006-07 Advances in the Transport Layer (RTP) Shahab Baqai

Multimedia Communications Spring 2006-07 Advances in the Transport Layer (RTP) Shahab Baqai

CS 584 / CMPE 584 Multimedia Communications Spring 2006-07 Advances in the Transport Layer (RTP) Shahab Baqai LUMS Outline Why RTP? RTP Features RTP Packet RTCP RTCP Reports Jitter Estimation 2 RTP provide

1.26k views • 68 slides
Memory Hierarchy Optimizations with Compilers/Software Jaejin Lee Advanced Compiler Research

Memory Hierarchy Optimizations with Compilers/Software Jaejin Lee Advanced Compiler Research

Memory Hierarchy Optimizations with Compilers/Software Jaejin Lee Advanced Compiler Research Laboratory School of Computer Science and Engineering Seoul National University jlee@cse.snu.ac.kr http://aces.snu.ac.kr/~jlee Advanced Compiler

694 views • 23 slides
Multimedia Conferencing A cura di: Ing. Alessandro Amirante Ing. Tobia Castaldi Ing. Lorenzo

Multimedia Conferencing A cura di: Ing. Alessandro Amirante Ing. Tobia Castaldi Ing. Lorenzo

Multimedia Conferencing A cura di: Ing. Alessandro Amirante Ing. Tobia Castaldi Ing. Lorenzo Miniero Corso di Applicazioni Telematiche A.A. 2006-07 Lezione n.16 Prof. Roberto Canonico Universit degli Studi di Napoli Federico II

394 views • 22 slides
Client-Side IPv6 Measurement Geoff Huston APNIC Labs How to measure millions of end devices for

Client-Side IPv6 Measurement Geoff Huston APNIC Labs How to measure millions of end devices for

Client-Side IPv6 Measurement Geoff Huston APNIC Labs How to measure millions of end devices for their IPv6 capability? How to measure millions of end devices for their IPv6 capability? Be How to measure millions of end devices for their

670 views • 33 slides
Parameter Server Marco Serafini COMPSCI 532 Lecture 19 Machine Learning Wide array of

Parameter Server Marco Serafini COMPSCI 532 Lecture 19 Machine Learning Wide array of

Parameter Server Marco Serafini COMPSCI 532 Lecture 19 Machine Learning Wide array of problems and algorithms Classification Given labeled data points, predict label of new data point Regression Learn a function from

813 views • 30 slides
Unintrusive Customization Techniques for Web Advertising Marc Langheinrich Atsuyoshi Nakamura

Unintrusive Customization Techniques for Web Advertising Marc Langheinrich Atsuyoshi Nakamura

Unintrusive Customization Techniques for Web Advertising Marc Langheinrich Atsuyoshi Nakamura Naoki Abe Tomonari Kamba Yoshiyuki Koseki NEC Corporation, C&C Media Research Laboratories, Japan Overview Introduction Ad targeting

451 views • 33 slides
Firewall Configuration 1. As a first step, check to see if the Splunk universal forwarder is

Firewall Configuration 1. As a first step, check to see if the Splunk universal forwarder is

Firewall Configuration 1. As a first step, check to see if the Splunk universal forwarder is sending its internal logs to the Splunk indexer. This takes place by default with all Splunk forwarder installations, and will prevent you from going

364 views • 9 slides

More recommend