Living in AD-times: Using Open Standards with Microsoft ActiveDirectory (PowerPoint presentation)


SLIDE 1

02-Mar-2005 EuroCAMP, Torino 1

Living in AD-times

Using Open Standards with Microsoft ActiveDirectory

John Paschoud LSE Library

with acknowledgements to Simon McLeish and Paul Gee

SLIDE 2


Background

  • UK JISC £7m AM programme
  • Adoption of Shibboleth as ‘Core Middleware’ for the Info Environment
  • Technology development projects (16)
  • ‘Early Adopters’ programmes – main scheme started 01-Mar-05 (yesterday)
  • Advantages & challenges of transition from Athens AM service

SLIDE 3


The SECURe Project

  • Part of first JISC Middleware programme
  • Followed-up initial evaluation of Shib, by LSE team, for JISC & UK community
  • Evaluated and added to practical resources to support adoption of:
    – Shibboleth ☺
    – Campus certificate services
    – Smartcards (abandoned)

SLIDE 4


The problem

  • Shib IdP needs an Enterprise Directory as backend
  • Larger (richer?) UK universities have capacity (like US leads in I2 middleware activity) to deploy & support ED tools
    – ‘Spare’ staff
    – Skills & experience
  • …but many universities & colleges depend upon packaged, proprietary network AuthN
  • ActiveDirectory™ is the dominant product
SLIDE 5


LSE ED architecture [current]

[Diagram: LSE Central db (all users) → AD Updater (120sec latency) → AD (MS-specific; network login users only; generic classes + MS-specific classes) → Shib IdP (HS, AA) via Shib/SAML. ‘MetaDirectory’ functions all sit behind the Central db. Content-free unique person identifiers (mine is “124451”).]

SLIDE 6


ActiveDirectory™ vs LDAP

AD
  • Designed primarily to support Exchange™ services
  • Limited facilities for import of new schema classes
  • Requires MS admin skills

‘generic’ LDAP
  • Not purpose-specific
  • Schema changes simpler
  • Requires ‘Unix-based’ skills

SLIDE 7


The Decision Guide

Based heavily on work by Simon McLeish of LSE

  • Existing institutional directory service?
  • Existing SSO authentication system?
    – using institutional directory to authenticate users?
  • AM needed for existing web application?
    – for institutional users only?
    – institutional and external users?
  • Existing AM authorisation system?
SLIDE 8


The AD Cookbook

  • Cautions (have a test system!)
  • Options for introducing eduPerson to AD
  • Changes in eduPerson class for AD
  • Installing the modified LDIF
  • Populating attributes in AD

[see Cookbook detail] [no thanks, we’ll check it online later]

Based heavily on work by Paul Gee of LSE

SLIDE 9


Options for introducing the eduPerson Schema into AD

  • Windows 2000 domain with Microsoft's inetOrgPerson class schema extensions installed
  • The domain in which you want to use the eduPerson class upgraded to Windows Server 2003
  • Upgrading the Active Directory Forest to Windows Server 2003

SLIDE 10


Changes in eduPerson Class for AD

  • How & why the eduPerson class used with Active Directory differs from the class maintained by EDUCAUSE
  • eduPerson (EDUCAUSE standard) is defined using RFC 2252 LDIF syntax
  • AD only supports its own X.500-style LDIF syntax (attributeSchema objects)
  • No attribute equality-matching rules in X.500 form: AD derives matching behaviour from the attribute syntax instead

SLIDE 11


Changes in eduPerson Class for AD - Example

eduPersonScopedAffiliation (RFC2252):

    attributetypes: ( 1.3.6.1.4.1.5923.1.1.1.9
      NAME 'eduPersonScopedAffiliation'
      DESC 'eduPerson per Internet2 and EDUCAUSE'
      EQUALITY caseIgnoreMatch
      SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

eduPersonScopedAffiliation (X500):

    dn: CN=eduPersonScopedAffiliation,CN=Schema,CN=Configuration,DC=lse,DC=ac,DC=uk
    changetype: add
    objectClass: attributeSchema
    name: eduPersonScopedAffiliation
    description: eduPerson per Internet2 and EDUCAUSE
    attributeID: 1.3.6.1.4.1.5923.1.1.1.9
    attributeSyntax: 2.5.5.12
    oMSyntax: 64
    systemOnly: FALSE
    isSingleValued: TRUE
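The translation on slides 10 and 11 is mechanical enough to script. The converter below is an added example, not the SECURe cookbook's own tool: it parses an RFC 2252 attributetype definition and emits the attributeSchema LDIF that ldifde accepts. The syntax-OID table is an assumption covering only the syntaxes eduPerson uses; the EQUALITY rule is dropped because AD has nowhere to put it; and it emits cn and lDAPDisplayName where the slide's LDIF used a single name line. Note the caveat it encodes: the RFC 2252 definition has no SINGLE-VALUE flag, so it is multi-valued, while the cookbook's AD version sets isSingleValued: TRUE, so the function takes an explicit override rather than silently changing either.

```python
import re

# RFC 2252 syntax OID -> (AD attributeSyntax, oMSyntax). Assumed mapping covering the
# syntaxes eduPerson attributes use; extend it before converting anything else.
SYNTAX_MAP = {
    "1.3.6.1.4.1.1466.115.121.1.15": ("2.5.5.12", 64),  # Directory String -> Unicode string
    "1.3.6.1.4.1.1466.115.121.1.26": ("2.5.5.5", 22),   # IA5 String
    "1.3.6.1.4.1.1466.115.121.1.12": ("2.5.5.1", 127),  # DN
    "1.3.6.1.4.1.1466.115.121.1.7": ("2.5.5.8", 1),     # Boolean
}

# Sample input: the definition quoted on the slide.
EDU_PERSON_SCOPED_AFFILIATION = """attributetypes: ( 1.3.6.1.4.1.5923.1.1.1.9
  NAME 'eduPersonScopedAffiliation'
  DESC 'eduPerson per Internet2 and EDUCAUSE'
  EQUALITY caseIgnoreMatch
  SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )"""


def parse_attributetype(defn: str) -> dict:
    """Pull the fields needed for AD out of an RFC 2252 attributetype definition."""
    body = defn.split(":", 1)[1] if defn.lower().startswith("attributetypes") else defn
    body = " ".join(body.split())  # unfold LDIF continuation lines
    oid = re.match(r"\(\s*([\d.]+)", body)
    if not oid:
        raise ValueError("definition does not start with an OID")

    def quoted(key):
        m = re.search(key + r"\s+\(?\s*'([^']*)'", body)
        return m.group(1) if m else None

    syntax = re.search(r"SYNTAX\s+'?([\d.]+)'?", body)
    equality = re.search(r"EQUALITY\s+(\S+)", body)
    return {
        "oid": oid.group(1),
        "name": quoted("NAME"),
        "desc": quoted("DESC") or "",
        "syntax": syntax.group(1) if syntax else None,
        "equality": equality.group(1) if equality else None,
        # RFC 2252: multi-valued unless SINGLE-VALUE is present
        "single_valued": bool(re.search(r"\bSINGLE-VALUE\b", body)),
    }


def to_ad_ldif(fields: dict, schema_nc: str, single_valued=None) -> str:
    """Emit the attributeSchema object for one attribute, ready for ldifde -i.

    single_valued=None keeps the RFC flag; pass True/False to override it deliberately.
    """
    if fields["syntax"] not in SYNTAX_MAP:
        raise ValueError(f"no AD mapping for syntax {fields['syntax']}")
    attr_syntax, om_syntax = SYNTAX_MAP[fields["syntax"]]
    sv = fields["single_valued"] if single_valued is None else single_valued
    name = fields["name"]
    lines = [
        f"dn: CN={name},{schema_nc}",
        "changetype: add",
        "objectClass: attributeSchema",
        f"cn: {name}",
        f"lDAPDisplayName: {name}",
        f"description: {fields['desc']}",
        f"attributeID: {fields['oid']}",
        f"attributeSyntax: {attr_syntax}",
        f"oMSyntax: {om_syntax}",  # matching behaviour follows from the syntax; EQUALITY is dropped
        "systemOnly: FALSE",
        f"isSingleValued: {'TRUE' if sv else 'FALSE'}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    fields = parse_attributetype(EDU_PERSON_SCOPED_AFFILIATION)
    # The cookbook's choice: single-valued in AD although the RFC definition is not.
    print(to_ad_ldif(fields, "CN=Schema,CN=Configuration,DC=lse,DC=ac,DC=uk", single_valued=True))
```

Run it against each eduPerson attribute in turn and diff the output against the cookbook's LDIF before importing; any attribute whose syntax is not in the table fails loudly rather than being imported with a guessed oMSyntax.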

SLIDE 12


Installing the modified LDIF

Try it all on your test system first!

  1. Add yourself to the Schema Admins group
  2. Locate the domain controller holding the Schema Master FSMO role
  3. Register schmmgmt.dll (creates the Active Directory Schema snap-in)
  4. Run ldifde to import the modified LDIF
  5. Check that the eduPerson class & attributes are in place (using the snap-in)
  6. Remove yourself from the Schema Admins group again
SLIDE 13


Populating attributes in AD

  • LSE ActiveDirectory Updater
    – Sun Java2; using JDBC, JNDI APIs
    – Uses ‘LSE Central’ (rdb) as datasource
    – Queue of required updates – entries created by db triggers
    – UpdaterMapping class – transforms to required AD attribute values
    – Queue-processing frequency configurable (currently 120secs)
    – Latency of AD replication to all servers must also be allowed for (typically >120secs)

SLIDE 14


How to use these resources

http://www.angel.ac.uk/SECURe/deliverables/documentation/

  • Evaluate your own (institution’s) situation first
  • …then check you’ve consulted all interested parties:
    – Library
    – Learning-technologists
    – Network infrastructure support
  • All our documentation is Creative Commons licensed
    – Attribution, ShareAlike, NonCommercial
    – …so please use them to make something better!

SLIDE 15


Where LSE is now

  • InQueue Fed for testing
    – Jstor
  • ‘peer-to-peer’ Shib with Columbia U (NY)
    – Access to anthropology teaching resources in JISC-NSF DART Project
  • SDSS (Edina) Fed
    – Ed Media OnLine
  • Athens (Eduserv) Fed
    – Will test Shib-Athens interop.
  • ShibboLEAP JISC ‘Early Adopters’ project
    – LSE + 6 other London Uni colleges as IdPs
    – Eprints.org servers as ResourceProviders

SLIDE 16


Using Shib on a larger scale

  • LSE AD covers all users with network login BUT…
  • Users unknown to AD:
    – External Library users: have Library system login
    – Alumni: an important (rich!) group to offer some ‘privileged’ resource access to
    – (some) short-course students
    – Visiting academics (Bill Clinton, etc, etc)
  • … This precludes LSE using Shib (and AD) for AM to significant services, such as Library system

SLIDE 17


LSE ED architecture [current]

[Diagram, as on slide 5: LSE Central db (all users) → AD Updater (120sec latency) → AD (MS-specific; network login users only; generic classes + MS-specific classes) → Shib IdP (HS, AA) via Shib/SAML.]

AD as sole backend to Shib IdP

  • Uneasy cohabitation of LDAP schema classes
  • IdP only serves users with network logins

SLIDE 18


What LSE will do next

(probably)

  • Use an alternative (probably Oracle) LDAP product in Enterprise Directory role
  • Network users (most staff & students) would resist removal of direct Windows password-change ability
  • Considering 4 possible options…
SLIDE 19


LSE ED architecture [option 1]

[Diagram: LSE Central db (all users) → AD Updater (120sec latency) → AD (MS-specific; all users; generic classes + MS-specific classes) → Shib IdP (HS, AA) via Shib/SAML.]

AD as sole backend to Shib IdP

  • Uneasy cohabitation of LDAP schema classes
  • Dependent on inclusion of users without network login in AD

SLIDE 20


LSE ED architecture [option 2]

[Diagram: LSE Central db (all users) → AD Updater (120sec latency) → AD (MS-specific classes; network login users only) and → Oracle LDAP (generic classes; all users); password propagation from AD to LDAP; Oracle LDAP → Shib IdP (HS, AA) via Shib/SAML.]

LDAP as sole backend to Shib IdP

  • Requires secure propagation of password-changes from AD to LDAP
    (But, this is the model chosen by most US MACE-DIR pilots using AD)

SLIDE 21


LSE ED architecture [option 3]

[Diagram: LSE Central db (all users) → AD Updater (120sec latency) → AD (MS-specific classes; network login users only) and → Oracle LDAP (generic classes; all users); an AuthBroker sits between both directories and the Shib IdP (HS, AA): [1: try AuthN] [2: try AuthN] [3: get role attribs].]

Split user AuthN between AD and LDAP

  • Requires AuthBroker middleware to emulate a single AuthN & directory service to IdP
  • Possible time penalty (waiting for 1st failed AuthN)

SLIDE 22


LSE ED architecture [option 4]

[Diagram: LSE Central db (all users) → AD Updater (120sec latency) → AD (MS-specific classes; all users) and → Oracle LDAP (generic classes; all users); an AuthBroker sits between both directories and the Shib IdP (HS, AA): [1: try AuthN] [2: get role attribs].]

Split classes between AD and LDAP

  • Requires AuthBroker middleware to emulate a single AuthN & directory service to IdP
  • Dependent on inclusion of users without network login in AD

SLIDE 23


(more) Discussion?

BUT:

  • I’m an architect - not a plumber!
  • and not an expert on AD!

AND:

  • It’s lunch-time!

j.paschoud@lse.ac.uk

LSE: http://www.lse.ac.uk/
SECURe: http://www.angel.ac.uk/SECURe/
AD Cookbook: http://www.angel.ac.uk/SECURe/deliverables/documentation/adconfig.html