Living in AD-times: Using Open Standards with Microsoft ActiveDirectory
John Paschoud, LSE Library
with acknowledgements to Simon McLeish and Paul Gee
02-Mar-2005, EuroCAMP, Torino
Background
• UK JISC £7m AM programme
• Adoption of Shibboleth as ‘Core Middleware’ for the Info Environment
• Technology development projects (16)
• ‘Early Adopters’ programmes – main scheme started 01-Mar-05 (yesterday)
• Advantages & challenges of transition from Athens AM service
The SECURe Project
• Part of first JISC Middleware programme
• Followed up initial evaluation of Shib, by LSE team, for JISC & UK community
• Evaluated and added to practical resources to support adoption of:
  – Shibboleth ☺
  – Campus certificate services
  – Smartcards (abandoned)
The problem
• Shib IdP needs an Enterprise Directory as backend
• Larger (richer?) UK universities have the capacity (like the US leads in I2 middleware activity) to deploy & support ED tools
  – ‘Spare’ staff
  – Skills & experience
• …but many universities & colleges depend upon packaged, proprietary network AuthN
• ActiveDirectory™ is the dominant product
LSE ED architecture [current]
[Architecture diagram: LSE Central db (all users) → AD Updater (MS-specific, 120sec latency) → AD (network login users only) → Shib IdP (HS and AA), which reads MS-specific classes and generic ‘MetaDirectory’ classes; all functions sit behind Shib/SAML]
• Content-free unique person identifiers (mine is “124451”)
ActiveDirectory™ vs LDAP
AD:
• Designed primarily to support Exchange™ services
• Limited facilities for import of new schema classes
• Requires MS admin skills
‘generic’ LDAP:
• Not purpose-specific
• Schema changes simpler
• Requires ‘Unix-based’ skills
The Decision Guide
Based heavily on work by Simon McLeish of LSE
• Existing institutional directory service?
• Existing SSO authentication system?
  – using institutional directory to authenticate users?
• AM needed for existing web application?
  – for institutional users only?
  – institutional and external users?
• Existing AM authorisation system?
• …
The AD Cookbook
Based heavily on work by Paul Gee of LSE
• Cautions (have a test system!)
• Options for introducing eduPerson to AD
• Changes in eduPerson class for AD
• Installing the modified LDIF
• Populating attributes in AD
[see Cookbook detail] [no thanks, we’ll check it online later]
Options for introducing the eduPerson Schema into AD
• Windows 2000 domain with Microsoft's inetOrgPerson class schema extensions installed
• The domain in which you want to use the eduPerson class upgraded to Windows Server 2003
• Upgrading the Active Directory Forest to Windows Server 2003
Changes in eduPerson Class for AD
• How & why the eduPerson class used with Active Directory differs from the class maintained by EDUCAUSE
• eduPerson (EDUCAUSE standard) is defined using RFC2252 LDIF syntax
• AD only supports X500 LDIF syntax
• No attribute equality-matching rules in X500
Changes in eduPerson Class for AD - Example
eduPersonScopedAffiliation (RFC2252):
  attributetypes: ( 1.3.6.1.4.1.5923.1.1.1.9
    NAME 'eduPersonScopedAffiliation'
    DESC 'eduPerson per Internet2 and EDUCAUSE'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
eduPersonScopedAffiliation (X500):
  dn: CN=eduPersonScopedAffiliation,CN=Schema,CN=Configuration,DC=lse,DC=ac,DC=uk
  changetype: add
  objectClass: attributeSchema
  name: eduPersonScopedAffiliation
  description: eduPerson per Internet2 and EDUCAUSE
  attributeID: 1.3.6.1.4.1.5923.1.1.1.9
  attributeSyntax: 2.5.5.12
  oMSyntax: 64
  systemOnly: FALSE
  isSingleValued: TRUE
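As an added example (not from the slides or the SECURe cookbook), a small Python converter that performs the RFC2252-to-X500 rewrite the two slides above describe: it drops the EQUALITY rule, maps the LDAP syntax OID to AD's attributeSyntax/oMSyntax pair, and emits the attributeSchema entry in the form shown. The syntax rows beyond DirectoryString, the forest root DN parameter and the single_valued override are my assumptions; the sample input is the slide's own definition.

```python
import re

# RFC 2252 syntax OID -> AD (attributeSyntax, oMSyntax). DirectoryString is the
# row every eduPerson string attribute uses; the other rows are standard AD values
# added here as an assumption so the converter is not a one-off.
SYNTAX_MAP = {
    "1.3.6.1.4.1.1466.115.121.1.15": ("2.5.5.12", 64),  # DirectoryString
    "1.3.6.1.4.1.1466.115.121.1.26": ("2.5.5.5", 22),   # IA5String
    "1.3.6.1.4.1.1466.115.121.1.7": ("2.5.5.8", 1),     # Boolean
    "1.3.6.1.4.1.1466.115.121.1.27": ("2.5.5.9", 2),    # Integer
}

def parse_attributetype(text):
    """Parse one RFC 2252 'attributetypes: ( OID NAME ... SYNTAX ... )' line."""
    body = text.split(":", 1)[1] if text.lstrip().startswith("attributetypes") else text
    m = re.match(r"\s*\(\s*([\d.]+)\s+(.*?)\s*\)\s*$", body, re.S)
    if not m:
        raise ValueError("not an RFC 2252 attribute type definition")
    oid, rest = m.groups()
    def quoted(key):  # NAME 'x' and DESC 'x' are single-quoted in RFC 2252
        fm = re.search(r"\b%s\s+'([^']*)'" % key, rest)
        return fm.group(1) if fm else None
    syntax = re.search(r"\bSYNTAX\s+'?([\d.]+)'?", rest)  # quotes optional
    equality = re.search(r"\bEQUALITY\s+(\S+)", rest)
    return {"oid": oid, "name": quoted("NAME"), "desc": quoted("DESC") or "",
            "syntax": syntax.group(1) if syntax else None,
            "equality": equality.group(1) if equality else None,
            "single_valued": bool(re.search(r"\bSINGLE-VALUE\b", rest))}

def to_ad_schema_ldif(attr, forest_root_dn, single_valued=None):
    """Emit the X500-style attributeSchema entry that ldifde accepts.
    EQUALITY is dropped on purpose: AD has no per-attribute matching rules.
    single_valued overrides the SINGLE-VALUE flag, as the cookbook's LDIF does
    for eduPersonScopedAffiliation (TRUE, though eduPerson sets no such flag)."""
    if attr["syntax"] not in SYNTAX_MAP:
        raise ValueError("no AD syntax mapping for %s" % attr["syntax"])
    attribute_syntax, om_syntax = SYNTAX_MAP[attr["syntax"]]
    if single_valued is None:
        single_valued = attr["single_valued"]
    return "\n".join([
        "dn: CN=%s,CN=Schema,CN=Configuration,%s" % (attr["name"], forest_root_dn),
        "changetype: add", "objectClass: attributeSchema",
        "name: " + attr["name"], "description: " + attr["desc"],
        "attributeID: " + attr["oid"], "attributeSyntax: " + attribute_syntax,
        "oMSyntax: %d" % om_syntax, "systemOnly: FALSE",
        "isSingleValued: " + ("TRUE" if single_valued else "FALSE")]) + "\n"

# The eduPersonScopedAffiliation definition quoted on the slide, as sample input.
EDUPERSON_SCOPED_AFFILIATION = (
    "attributetypes: ( 1.3.6.1.4.1.5923.1.1.1.9 NAME 'eduPersonScopedAffiliation' "
    "DESC 'eduPerson per Internet2 and EDUCAUSE' EQUALITY caseIgnoreMatch "
    "SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )")
```

Calling `to_ad_schema_ldif(parse_attributetype(EDUPERSON_SCOPED_AFFILIATION), "DC=lse,DC=ac,DC=uk", single_valued=True)` reproduces the X500 entry on the slide; an unmapped syntax OID raises instead of emitting a schema entry AD would reject.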
Installing the modified LDIF
Try it all on your test system first!
1. Add yourself to the Schema Admin group
2. Locate the domain controller holding the Schema Master FSMO role
3. Register schmmgmt.dll (creates the Schema snap-in)
4. Run ldifde to import the modified LDIF
5. Check that the eduPerson class & attributes are in place (using the snap-in)
6. Retreat from the Schema Admin group
Populating attributes in AD
• LSE ActiveDirectory Updater
  – Sun Java2; using JDBC, JNDI APIs
  – Uses ‘LSE Central’ (rdb) as datasource
  – Queue of required updates – entries created by db triggers
  – UpdaterMapping class – transforms to required AD attribute values
  – Queue-processing frequency configurable (currently 120secs)
  – Latency of AD replication to all servers must also be allowed for (typically >120secs)
How to use these resources
http://www.angel.ac.uk/SECURe/deliverables/documentation/
• Evaluate your own (institution’s) situation first
• …then check you’ve consulted all interested parties:
  – Library
  – Learning-technologists
  – Network infrastructure support
• All our documentation is Creative Commons licensed
  – Attribution, ShareAlike, NonCommercial
  – …so please use them to make something better!
Where LSE is now
• InQueue Fed for testing
  – Jstor
• ‘peer-to-peer’ Shib with Columbia U (NY)
  – Access to anthropology teaching resources in JISC-NSF DART Project
• SDSS (Edina) Fed
  – Ed Media OnLine
• Athens (Eduserv) Fed
  – Will test Shib-Athens interop.
• ShibboLEAP JISC ‘Early Adopters’ project
  – LSE + 6 other London Uni colleges as IdPs
  – Eprints.org servers as ResourceProviders
Using Shib on a larger scale
• LSE AD covers all users with network login BUT…
• Users unknown to AD:
  – External Library users: have Library system login
  – Alumni: an important (rich!) group to offer some ‘privileged’ resource access to
  – (some) short-course students
  – Visiting academics (Bill Clinton, etc, etc)
• …This precludes LSE using Shib (and AD) for AM to significant services, such as the Library system
LSE ED architecture [current]
[Architecture diagram: LSE Central db (all users) → AD Updater (MS-specific, 120sec latency) → AD (network login users only) → Shib IdP (HS and AA, behind Shib/SAML), reading MS-specific classes and generic classes; AD as sole backend to Shib IdP]
• Uneasy cohabitation of LDAP schema classes
• IdP only serves users with network logins
What LSE will do next (probably)
• Use an alternative (probably Oracle) LDAP product in Enterprise Directory role
• Network users (most staff & students) would resist removal of direct Windows password-change ability
• Considering 4 possible options…
LSE ED architecture [option 1]
[Architecture diagram: LSE Central db (all users) → AD Updater (MS-specific, 120sec latency) → AD (all users) → Shib IdP (HS and AA, behind Shib/SAML), reading MS-specific classes and generic classes; AD as sole backend to Shib IdP]
• Uneasy cohabitation of LDAP schema classes
• Dependent on inclusion of users without network login in AD
LSE ED architecture [option 2]
[Architecture diagram: LSE Central db (all users) → AD Updater (MS-specific, 120sec latency) → AD (network login users only, MS-specific classes); AD → password propagation → Oracle LDAP (all users, generic classes) → Shib IdP (HS and AA, behind Shib/SAML); LDAP as sole backend to Shib IdP]
• Requires secure propagation of password-changes from AD to LDAP
  (But, this is the model chosen by most US MACE-DIR pilots using AD)
LSE ED architecture [option 3]
[Architecture diagram: LSE Central db (all users) → AD Updater (MS-specific, 120sec latency) → AD (network login users only, MS-specific classes) and Oracle LDAP (all users, generic classes); Shib IdP (HS and AA, behind Shib/SAML) → AuthBroker: 1: try AuthN against AD, 2: try AuthN against LDAP, 3: get role attribs from LDAP; user AuthN split between AD and LDAP]
• Requires AuthBroker middleware to emulate a single AuthN & directory service to IdP
• Possible time penalty (waiting for 1st failed AuthN)
LSE ED architecture [option 4]
[Architecture diagram: LSE Central db (all users) → AD Updater (MS-specific, 120sec latency) → AD (all users, MS-specific classes) and Oracle LDAP (all users, generic classes); Shib IdP (HS and AA, behind Shib/SAML) → AuthBroker: 1: try AuthN against AD, 2: get role attribs from LDAP; classes split between AD and LDAP]
• Requires AuthBroker middleware to emulate a single AuthN & directory service to IdP
• Dependent on inclusion of users without network login in AD
(more) Discussion?
BUT:
• I’m an architect - not a plumber! - and not an expert on AD!
j.paschoud@lse.ac.uk
AND:
• It’s lunch-time!
LSE: http://www.lse.ac.uk/
SECURe: http://www.angel.ac.uk/SECURe/
AD Cookbook: http://www.angel.ac.uk/SECURe/deliverables/documentation/adconfig.html