Sun Identity Management & Open Directory (PowerPoint PPT presentation)

SLIDE 1

SLIDE 2

XW11

Sun Identity Management & Open Directory

Jennifer Walbank / Pascal Grosvenor, LDAP guru from the server group :) & Berry Mak

University of Technology, Sydney

SLIDE 3

Why and how?

  • Why?
    • Centralising systems
    • Desktop Architecture Project
    • Same sign on
  • How?
    • Design
    • Demonstration
  • Did we succeed?

SLIDE 4

Centralising Systems

  • Only centralise what it makes sense to...
    • Authentication
    • Authorisation
    • Software updating
    • Proper housing of servers
      • bandwidth
      • backup
  • Providing a robust and sustainable computing environment

SLIDE 5

Desktop Architecture Project

  • Project designed for a Windows environment
    • provisioning of the centralised model
    • no Mac OS X planning
  • Birth of the MOE (would you believe Mac Operating Environment) - quickly renamed Managed Operating Environment for Mac OS X in September last year.

SLIDE 6

Same Sign On

  • Anywhere up to five different passwords, depending on what services you had access to
  • New Email project prompting the opportunity to enable a consistent "UTS" username and password
  • Birth of Identity Management at UTS

SLIDE 7

Identity Management

  • The idea of account creation with a role assigned that enables a user's access to services automatically, across what had been many incompatible systems.
    • AD
    • OD
    • at the time NDS
    • LDAP enabled
  • So why Sun?

SLIDE 8

Different types of IDM

  • Pre-coded connectors (e.g. CA and Novell)
    • require data cleansing at the source
    • pre-determined logical layout of the underlying systems
  • Sun or even OpenLDAP
    • mutable - allows us to code for each instance as we need it - the scripting matches the data sources as well as the underlying existing layout - we were a train already on the tracks

SLIDE 9

Current roles at UTS

Staff: Accounts for staff, or contractors in staff positions.

Students: For any type of student.

Alumni: Alumni only receive an email forwarding account, not access to the labs, and cannot use webmail.

General: Accounts created for systems, or groups of people (i.e. accounts not for a particular person).

SLIDE 10

[Architecture diagram: the data sources CASS and Neo feed the Sun LDAP directory through Dirsync/Admintool; from LDAP, Dirsync feeds the other directories (Active Directory, NDS, Engineering etc.) and the Open Directory Master (Apple); the ODM serves the Open Directory replicas (BLD1, K'GAI, DAB, BLD10), which provide the Managed Operating Environment to the clients.]

SLIDE 11

[Architecture diagram, unchanged from slide 10.]

SLIDE 12

How does it work?

SLIDE 13

[Architecture diagram, unchanged from slide 10.]

SLIDE 14

[Diagram: the first stage of the architecture only, the data sources CASS and Neo feeding LDAP via Dirsync/Admintool.]

SLIDE 15

Data Sources

Dirsync automatically creates and maintains all accounts.

[Diagram: Dirsync at the centre, fed by CASS (Student Admin), Insearch, Admintool, Neo (HR) and CADS (Switchboard).]

SLIDE 16

Account Lifecycle

Typical account states and movements (diagram): Creation → Active → Expired → Deleted; an Active account's "Active Until" date can be Extended; Stray Account is shown alongside.

SLIDE 17

Dirsync

  • Dirsync is a set of custom-written Perl modules and scripts that connects Sun LDAP with all the other systems
  • Updates from the data sources are recorded to Sun LDAP by Dirsync
  • Dirsync then writes from Sun LDAP to the other directory systems (e.g. Active Directory, OS X Open Directory)
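The account lifecycle on slide 16 and the source-to-LDAP step on slide 17 are the part of Dirsync a reader most wants spelled out: how a feed record becomes a create, an extension, an expiry or a deletion. The Python below is an added example, not UTS's Perl Dirsync. It reconciles constructed source feeds against a constructed directory snapshot and decides one action per account. The feed and snapshot layouts, the GRACE_DAYS retention, the names of the feeds and accounts, and the reading of "stray" as an active account that no source still justifies are assumptions, not details taken from the slides.

```python
"""Decide lifecycle actions for accounts by comparing identity source feeds
with a directory snapshot. Added example, not UTS's Dirsync code.

Assumptions (not from the slides): each source feed maps uid -> role and an
'active_until' date; the directory snapshot carries state ('active' or
'expired'), 'active_until' and a 'general' flag for non-person accounts; a
'stray' is an active account that no source still justifies; expired
accounts are deleted after GRACE_DAYS. All sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

GRACE_DAYS = 90  # assumption: expired accounts linger this long before deletion


@dataclass(frozen=True)
class Action:
    uid: str
    kind: str  # create | extend | expire | delete | stray | noop
    why: str


def merge_sources(sources):
    """Collapse all feeds into uid -> {'roles', 'active_until'}. A person in
    several feeds (a student who also tutors) keeps the latest end date and
    the union of the roles."""
    wanted = {}
    for feed in sources.values():
        for uid, rec in feed.items():
            cur = wanted.setdefault(uid, {"roles": set(), "active_until": rec["active_until"]})
            cur["roles"].add(rec["role"])
            cur["active_until"] = max(cur["active_until"], rec["active_until"])
    return wanted


def reconcile(sources, directory, today):
    """Return uid -> Action for every uid seen in a source or the directory.
    Order of the checks matters: extension beats expiry, expiry beats stray,
    and a stray is only reported, never deleted, so a quiet feed cannot
    wipe the directory."""
    wanted = merge_sources(sources)
    plan = {}
    for uid in sorted(set(wanted) | set(directory)):
        src, ent = wanted.get(uid), directory.get(uid)
        if ent is None:
            plan[uid] = Action(uid, "create", f"new in {sorted(src['roles'])}, until {src['active_until']}")
        elif ent.get("general"):
            plan[uid] = Action(uid, "noop", "general account, not source-driven")
        elif src and src["active_until"] > ent["active_until"]:
            plan[uid] = Action(uid, "extend", f"active until {src['active_until']}")
        elif ent["state"] == "active" and ent["active_until"] < today:
            plan[uid] = Action(uid, "expire", f"active_until {ent['active_until']} passed")
        elif ent["state"] == "expired" and today - ent["active_until"] > timedelta(days=GRACE_DAYS):
            plan[uid] = Action(uid, "delete", f"expired more than {GRACE_DAYS} days")
        elif ent["state"] == "active" and src is None:
            plan[uid] = Action(uid, "stray", "active but no source record")
        else:
            plan[uid] = Action(uid, "noop", "in sync")
    return plan


# Constructed sample feeds and directory snapshot for the example
TODAY = date(2011, 9, 1)
SOURCES = {
    "cass": {"s1": {"role": "student", "active_until": date(2012, 6, 30)},
             "s2": {"role": "student", "active_until": date(2011, 12, 31)}},
    "neo":  {"e1": {"role": "staff", "active_until": date(2012, 12, 31)},
             "s1": {"role": "staff", "active_until": date(2011, 10, 31)}},
}
DIRECTORY = {
    "s1": {"state": "active", "active_until": date(2011, 12, 31)},
    "s2": {"state": "active", "active_until": date(2011, 12, 31)},
    "e2": {"state": "active", "active_until": date(2011, 6, 30)},
    "x1": {"state": "expired", "active_until": date(2011, 3, 1)},
    "z1": {"state": "active", "active_until": date(2012, 1, 1)},
    "svc-print": {"state": "active", "active_until": date(2099, 1, 1), "general": True},
}


def sample_plan():
    return reconcile(SOURCES, DIRECTORY, TODAY)


if __name__ == "__main__":
    for a in sample_plan().values():
        print(f"{a.uid:10} {a.kind:7} {a.why}")
```

Running it prints one line per uid. Two behaviours are worth carrying over into any sync of this kind: a stray is reported rather than removed, so an HR feed that goes quiet for a night cannot delete staff accounts; and an expired account is only deleted after the grace period, which is the window in which a colleague's "Extend" in Admintool still has something to act on.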

SLIDE 18

Admintool

  • Web-based interface to examine and modify accounts within UTS' authentication and mail systems
  • Front end to Dirsync
  • Restricted use - IT staff only

SLIDE 19

Admintool Menus

Account:
  • Search
  • Details
  • Create
  • Extend / Expire
  • Change Password
  • Directory Listing
  • Rename
  • Lock / Unlock
  • Owned Accounts

Email:
  • Aliases
  • Vacation
  • Forwarding
  • Broadcast

SLIDE 20

[Diagram: CASS and Neo, the Sun LDAP directory with Dirsync/Admintool, the other directories (Active Directory, NDS, Engineering etc.) and the Open Directory Master (Apple); replicas and clients not shown.]

SLIDE 21

Dirsync & Open Directory

  • Dirsync takes record/object attributes from Sun LDAP and matches them to the corresponding attributes in OD
  • Most record attributes are added to OD using standard LDAP operations
  • Main exception - user passwords

SLIDE 22

OD Password Server

  • OD stores user passwords in a secure database separate from the OS X server's LDAP database
  • A single-purpose account and shell script were developed to interact with the OD password server
  • Dirsync sends a remote SSH command to the ODM to trigger the password change in the password server database
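Slides 21 and 22 describe two channels: attributes go to the OD master over LDAP, the password goes over SSH to the Password Server. The Python below is an added example of that split, not UTS's Dirsync. It turns a constructed Sun DS entry into an LDIF modify for OD and a separate password job. The attribute table, the OD base DN, the SSH account dirsync-pw@odm.example and the remote script /usr/local/sbin/odm-setpw (assumed to wrap the OD password tool on the ODM and read the new password on stdin) are placeholders, as is the assumption that Dirsync holds the new cleartext at change time: the Password Server computes its own hashes, so the hashed userPassword held in Sun DS is of no use to it.

```python
"""Split one Sun DS user entry into the two channels Dirsync uses towards
Open Directory: an LDIF modify for the ODM's LDAP database and a separate
password job for the OD Password Server. Added example, not UTS's Dirsync.

Assumptions (not from the slides): a plain inetOrgPerson/posixAccount
attribute mapping (apple-* attributes left out); the ODM has a single-purpose
account and a wrapper script /usr/local/sbin/odm-setpw that calls the OD
password tool and reads the new password on stdin; names are placeholders.
"""
import base64
import re
from dataclasses import dataclass

ATTR_MAP = {  # Sun DS attribute -> OD attribute (assumed one-to-one)
    "uid": "uid", "cn": "cn", "sn": "sn", "givenName": "givenName",
    "mail": "mail", "uidNumber": "uidNumber", "gidNumber": "gidNumber",
    "homeDirectory": "homeDirectory",
}
PASSWORD_ATTR = "userPassword"                    # deliberately absent from ATTR_MAP
UID_RE = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")  # assumption: shape of a UTS username
OD_USER_BASE = "cn=users,dc=od,dc=example"        # placeholder
ODM_SSH_TARGET = "dirsync-pw@odm.example"         # placeholder single-purpose account
ODM_SETPW = "/usr/local/sbin/odm-setpw"           # hypothetical wrapper on the ODM


@dataclass(frozen=True)
class PasswordJob:
    argv: tuple   # local ssh command; its tail runs under the ODM account's shell
    stdin: bytes  # the password goes on stdin, never in argv (visible to ps on the ODM)


def ldif_line(attr, value):
    """One LDIF attribute line. RFC 2849 requires base64 for non-ASCII values
    and for values that start with space, ':' or '<', end with space, or
    contain NUL/CR/LF."""
    s = str(value)
    unsafe = (not s.isascii() or s != s.strip(" ") or s[:1] in (":", "<")
              or any(c in s for c in "\x00\r\n"))
    if unsafe:
        return f"{attr}:: {base64.b64encode(s.encode()).decode()}"
    return f"{attr}: {s}"


def check_uid(uid):
    """The uid ends up as an argument to a remote shell; allow plain names only."""
    if not UID_RE.match(uid):
        raise ValueError(f"refusing uid {uid!r}: not a plain username")
    return uid


def od_modify_ldif(sun_entry):
    """changetype: modify replacing each mapped attribute on the OD user.
    userPassword is never copied: OD keeps passwords in the Password Server,
    not in its LDAP database, and a Sun DS hash would be useless there."""
    uid = check_uid(sun_entry["uid"])
    lines = [f"dn: uid={uid},{OD_USER_BASE}", "changetype: modify"]
    for src, dst in ATTR_MAP.items():
        if src not in sun_entry:
            continue
        values = sun_entry[src] if isinstance(sun_entry[src], list) else [sun_entry[src]]
        lines.append(f"replace: {dst}")
        lines.extend(ldif_line(dst, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


def od_password_job(uid, new_password):
    """The remote command Dirsync would run on the ODM to update the Password
    Server entry. BatchMode and StrictHostKeyChecking stop a missing or
    changed host key from becoming a prompt or a silent accept."""
    uid = check_uid(uid)
    argv = ("ssh", "-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=yes",
            ODM_SSH_TARGET, ODM_SETPW, uid)
    return PasswordJob(argv, new_password.encode() + b"\n")


def sync_user(sun_entry, new_password=None):
    """Returns (ldif, password_job): the LDAP channel and, when a password
    change is pending, the SSH channel (None otherwise)."""
    job = od_password_job(sun_entry["uid"], new_password) if new_password else None
    return od_modify_ldif(sun_entry), job


SAMPLE_ENTRY = {  # constructed Sun DS entry for the example
    "uid": "jdoe", "cn": "José Doe", "sn": "Doe", "givenName": "José",
    "mail": "jose.doe@example.edu", "uidNumber": 1001, "gidNumber": 20,
    "homeDirectory": "/Users/jdoe", "userPassword": "{SSHA}c2FsdGVkaGFzaA==",
}

if __name__ == "__main__":
    ldif, job = sync_user(SAMPLE_ENTRY, "N3w-passw0rd")
    print(ldif)
    print(" ".join(job.argv), "(password supplied on stdin)")
```

The remote command line is interpreted by the ODM account's shell, which is why the uid is whitelisted before it becomes an argument and why the password travels on stdin rather than in argv, where ps on the ODM would show it. Pair the key Dirsync uses with a command= restriction in that account's authorized_keys on the ODM, so the key can run nothing but the password script.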

SLIDE 23

OD Master security

  • Secure LDAP (using SSL) for communications between Dirsync and the OD master
  • Login window and SSH access to the ODM restricted to only a few accounts
  • Customised firewall rules
  • Physical security
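The first point on slide 23, LDAP over SSL between Dirsync and the OD master, is only as strong as the certificate check on the Dirsync side; Net::LDAP, the Perl module a Dirsync of this kind would use, does not verify the server certificate unless verify => 'require' is set. The Python below is an added example, not the project's code, that puts the weak client setting next to the corrected one; the host name, port and CA file are placeholders.

```python
"""TLS for the Dirsync -> OD master LDAP connection. Added example, not UTS's
code; host names, port and CA file path are placeholders.

The weak context encrypts but trusts any certificate, so a host that can
answer on the path to the ODM can present its own certificate and read the
bind credentials and every attribute Dirsync sends. The hardened context
verifies the chain against the CA and checks the hostname.
"""
import socket
import ssl
from urllib.parse import urlsplit


def ldap_endpoint(url):
    """Accept only ldaps:// URLs (implicit TLS) and return (host, port)."""
    u = urlsplit(url)
    if u.scheme != "ldaps" or not u.hostname:
        raise ValueError(f"refusing non-TLS or malformed LDAP URL: {url!r}")
    return u.hostname, u.port or 636


def weak_context():
    """Encrypted but unverified: the same as Net::LDAP's default verify=>'none'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """Verified: chain checked against cafile (or the system store when None),
    hostname matched, TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verifies_peer(ctx):
    """True when a context will reject an unknown or mismatched server cert."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def connect(url, ctx, timeout=5.0):
    """Open the TLS socket to the ODM; the LDAP bind would follow on it."""
    host, port = ldap_endpoint(url)
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()),
                      ("hardened", hardened_context("/etc/dirsync/odm-ca.pem"))):
        print(f"{name}: verifies peer = {verifies_peer(ctx)}")
```

Pin the CA that issued the ODM's certificate rather than relying on the system store where the ODM uses an internal CA, and treat a verification failure as a sync failure, not as something to retry without verification.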

SLIDE 24

[Architecture diagram as on slide 10, without the clients.]

SLIDE 25

OD Master and replicas

  • Five OD replicas distributed across the uni - share traffic load, redundancy
  • The OD system uses Apple's own secured method for replicating data between the ODM and the replicas
  • Replicas also have firewalls configured
  • OD servers do not run any other services

SLIDE 26

Authorisation / Workgroup Mgt

  • IT managers of each faculty/area have directory administrator access to OD (but not server admin access to the OD master)
  • Collegial work approach and knowledge sharing
  • Logs record access, no problems to date :-)

SLIDE 27

[Architecture diagram as on slide 10, plus the MOE provisioning tools: NetRestore, Software Update Server (Apple), ARD / DeployStudio / Casper.]

SLIDE 28

Managed Operating Environment

  • Apple NetRestore and DeployStudio Server
  • Centralised Software Update Server - access managed through Workgroup Manager
  • Apple Remote Desktop
  • Working on a base SOE for all Macs at UTS

SLIDE 29

Demonstration

Much more fun to watch than talk about :)

SLIDE 30

Is this the end?

SLIDE 31

Questions ???