Technical Primer: Directories

Post on 06-Jan-2016


Technical Primer: Directories

Michael R. Gettes
Principal Technologist
Georgetown University

gettes@Georgetown.EDU
http://www.georgetown.edu/giia/internet2

2

MACE-DIR

Keith Hazelton, Chair, Wisconsin
• eduPerson objectclass
• LDAP-Recipe
• Dir of Dirs for Higher Education (DoDHE)
• Shibboleth project dir dependencies
• Meta Directories – MetaMerge
• Groups (Dynamic vs. Static; Management)
• Affiliated Directories (Stitched, Data Link)
• http://middleware.internet2.edu/directories

3

MACE-DIR: eduPerson 1.0 (1/22/01 release)

• MACE initiated (Internet2 + EDUCAUSE)

• Globally interesting useful attributes

• Get community buy-in, must use it also

– eduPersonAffiliation (DoDHE), eduPersonPrincipalName (Shibboleth)

• “Less is more”, how to use standard objectclasses

• http://www.educause.edu/eduperson

4

eduPerson 1.5 object class

Included as part of the NSF Middleware Initiative (NMI) Release 1.0 announced today, May 7th

eduPerson 1.0 is the production version, 1.5 status is “released for public review” (RPR)

Next NMI release will include final 1.5 based on review period discussions

5

eduPerson 1.5 object class

Changes from 1.0:

• Introductory section added

• RFC2252 style definitions included for the eduPerson object class itself and for each of the eduPerson attributes.

• Notes on additional attributes from existing object classes, existing notes clarified, syntax and indexing recommendations updated.

6

eduPerson 1.5 object class

Two new attributes:

eduPersonPrimaryOrgUnitDN

eduPersonEntitlement
• Simple case: value is the name of a contract for a licensed resource
• http://xstor.com/contract1234
• Values of eduPersonEntitlement can be URLs or URNs

7

eduPerson 1.5 object class

eduPersonEntitlement
• Values of eduPersonEntitlement can be URLs or URNs
– http://www.w3.org/Addressing/
– RFC2396 Uniform Resource Identifiers
– RFC2141 Uniform Resource Names
• URNs to allow federation of name creation without name clashes.
– urn:mace:brown.edu:foo
• mace-submit@internet2.edu for information on URN registration

8

eduOrg 1.0

eduOrg 1.0 released as “Experimental” object class
• Basic organizational info attributes from X.520
– Telecomm, postal, locale
• eduOrgHomePageURI
• eduOrgIdentityAuthNPolicyURI
• eduOrgLegalName
• eduOrgSuperiorURI
• eduOrgWhitePagesURI

9

LDAP-Recipe positioning and the NMI R1

• A special case document

• Pre-existed NMI and MACE document standards for format and naming.

• Will conform to NMI/MACE naming and future process for acceptance.

• Content??? Well, we shall see…

10

LDAP-Recipe Version 1.5 (pre May 7, 2002)

• Directory Tree

• Schema (Design, upgrading, maint)

• AuthN (binding and pw mgmt)

• eduPerson attr discussion (select)

• Access Control

• Replication

• Name population

11

LDAP-Recipe Version 2.0 (NMI R1 May 7, 2002)

• Groups, Groups, Groups
– Static, Dynamic, app issues, builds on “NMI Groups Doc”

• E-Mail Routing considerations
– Attribute firewalling, Sendmail, app issues

• eduPersonOrgDN and eduPerson{Primary}OrgUnitDN
– Original Intent for eduPerson 1.0 and Primary

• RDN Issues (a must read)

• Software reference (small, needs to grow)

12

MACE-DIR: Directory of Directories for Higher Education

Web of Data vs. Web of People

Prototype: April, 2000 (by M. Gettes)

Highly scalable parallel searching
• Interesting development/research problems
• Configs, LDAP libraries, Human Interface

Realized the need to:
• Promote eduPerson & common schema
• Promote good directory design (recipe)

Work proceeding – Sun Microsystems Grant

http://middleware.internet2.edu/dodhe

13

MACE-DIR: DoDHE and LDAP Analyzer

Todd Piket, Michigan Tech (aka Mr. Pinkert)

Web based tool to empirically analyze a directory

eduPerson compliance

Indexing and naming

LDAP-Recipe guidance (good practice)

Beta: http://morpheus.dcs.it.mtu.edu/~tcpiket/dodhe

14

MACE-Dir Futures

• Technical Advisory Board

• eduOrg, eduPerson, edu???????

• Shibboleth and other related work

• Roles (RBAC)

• Group Implementations (Eileen Shepard, BC; Tom Barton, Memphis)

• Blue Pages

• LDAP-Recipe (next?)

• Affiliated Directories (Rob Banz, UMBC)

• pkiUser/pkiCa, Bridge CA, etc…

• Video Middleware (commObject{Uri} OCs)

• GRID interoperability

• Directory Policy

15

MACE-Dir Futures (continued)

EduOrg “blue page” entries

EduOrgUnit 1.0 object class and attributes

Affiliated directories scenarios
• Identity management in Health Sciences
• Assembling info on the fly
• Data/Metadata bundles as units of exchange
• Exploring with our Technical Advisory Board

16

MACE-SHIBBOLETH

Steven Carmody, Brown, Chair

A Biblical pass phrase – “password”
• Get it right or “off with your head”
• Inter-institutional Authentication/Authorization
• Web Authorization of Remote Sites with Local Credentials
• Authentication via WebISO
• October, 2001 – Demo target
• http://middleware.internet2.edu/shibboleth

17

VID-MID Video Middleware

Recently Formed

Authentication and Authorization of H.323 sessions.

Client to Client

Client to MCU

Directory enabled

How to find video enabled people?

What is necessary to describe video capabilities?

Will likely extend to IP Telephony and so on…

18

Technical Policy

PKI is 1/3 Technical and 2/3 Policy?

19

HEPKI

TAG – Technical Activities Group
• Jim Jokl, Chair, Virginia
• Mobility, Cert Profiles, PKI-Lite, etc, etc, lots of techno

PAG – Policy Activities Group
• Default Chair, Ken Klingenstein, Colorado
• Knee-deep in policy, HEBCA, Campus, Subs+RP

PKI Labs (AT&T)
– Neal McBurnett, Avaya
• Wisconsin-Madison & Dartmouth
• Industry, Gov., Edu expert guidance

http://www.educause.edu/hepki

20

Bridge CA and Trust Paths

[Figure: trust-path diagram. Nodes: Verisign; CA-A and CA-B; Bridge CA; CA-C and CA-D; FedBridge CA; HE.]

21

[Figure: bridge CA peering diagram. Bridge CAs shown: USA Government Federal BCA (NIH, DoD, NASA); USA Higher Education BCA (universities such as Georgetown University and the University of Washington, plus others marked “. . .”); USA Health Care “Health Key” BCA (NCHICA); European Higher Education BCA (University of Edinburgh). Links between BCAs are labelled “Peer-to-peer”; links labelled “Special Relationships” connect individual parties such as the Mayo Clinic.]

22

Bridge CAs

• Higher Education Bridge CA – FBCA peering

• We have a draft HEBCA CP (Net@EDU PKI WG) FBCA Compatible

• How many HEBCAs? (EDUCAUSE!)

• Do we really understand PKI implementations with respect to policy needs? (proxy certificates, relying party agreements, name constraints, FERPA, HIPAA, who eats who?)

• BCA seems to be the most promising perspective. Will each person be a BCA?

• Does ALL software (Client/Server) need to be changed?

• Mitretek announces new BCA deployment model 2/15/2001
– Scalable & deployable

• Server plug-ins make client changes less likely

23

domainComponent (DC=) Naming

• Traditional X.500 naming:

cn=Michael R Gettes, ou=Server Group, ou=UIS, o=Georgetown University, c=US

• domainComponent (DC) naming:

uid=gettes,ou=People,dc=georgetown,dc=edu

• HEPKI is issuing guidance and advice on DC= naming
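The two naming styles on this slide differ only in the RDN components, and both are usually assembled from data that originates somewhere else (a registry, a DNS name, a person's display name). The following is an added example, not code from the slides, showing how to derive dc= components from a domain name and join RDNs with RFC 4514 escaping, so that a value containing a comma or plus sign cannot change the shape of the resulting DN. The DNS-label check and the helper names are this example's own.

```python
# Added example (not from the slides): build DC-style and X.500-style DNs from
# their components with RFC 4514 escaping, so a value containing ',' or '+'
# cannot change the structure of the DN it is placed in.
import re

# Characters that RFC 4514 section 2.4 requires to be escaped inside a value.
_DN_SPECIALS = set(',+"\\<>;')
# Hostname-style DNS label (assumption: DC values are restricted to these).
_DNS_LABEL = re.compile(r'^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$')


def escape_dn_value(value: str) -> str:
    """Escape a single attribute value for use in a string DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:            # a leading '#' would read as hex-encoded
            out.append('\\#')
        elif ch == ' ' and i in (0, last):    # leading/trailing space is dropped unless escaped
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def domain_to_dc(domain: str) -> list:
    """Split a DNS domain into (dc, label) pairs: georgetown.edu -> dc=georgetown,dc=edu."""
    labels = domain.strip().rstrip('.').lower().split('.')
    for label in labels:
        if not _DNS_LABEL.match(label):
            raise ValueError(f'not a valid DNS label: {label!r}')
    return [('dc', label) for label in labels]


def build_dn(rdns) -> str:
    """Join (attribute, value) pairs, most specific first, into a string DN."""
    return ','.join(f'{attr}={escape_dn_value(value)}' for attr, value in rdns)


def person_dn(uid: str, domain: str) -> str:
    """DC-naming person entry as on the slide: uid=<uid>,ou=People,dc=...,dc=..."""
    return build_dn([('uid', uid), ('ou', 'People')] + domain_to_dc(domain))


if __name__ == '__main__':
    print(person_dn('gettes', 'georgetown.edu'))
    print(build_dn([('cn', 'Michael R Gettes'), ('ou', 'Server Group'), ('ou', 'UIS'),
                    ('o', 'Georgetown University'), ('c', 'US')]))
    # A value containing a comma stays inside its own RDN:
    print(build_dn([('cn', 'Gettes, Michael'), ('o', 'Georgetown University')]))
```

The escaping matters most for the X.500 style, where cn and o values are free text; in the DC style the label check keeps every dc value to hostname characters, so the escaping is a no-op there.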

24

Attributes for PKI

Store them in a Certificate?
• Attributes persist for life of Certificate
• No need for Directory or other lookup
– The Certificate itself becomes the AuthZ control point

Store them in a Directory?
• Very light-weight Certificates
• Requires Directory Access
• Long-term Certificate, Directory is AuthZ control point.

How many Certificates will we have?

Pseudonymous Certificates

25

David Wasley’s PKI Puzzle

We’re Building A

“Bridge Over The River PKI”

A word about “Portals”

28

Portals: Authentication

• Security is not easy

if it was, then everyone would be doing it.

• Applications MUST NOT handle authentication
• Don’t assume you will have access to passwords at the portal

• The portal is YAA (yet another application)

but portals have web servers to do the dirty work

portals can trust the web server to authenticate

and pass “identity” on to the portal
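The pattern on this slide (the web server authenticates, the portal only consumes the identity it passes on) has one practical check: the portal must read the identity from where the server puts it, not from request headers a client can set. The following is an added example, not code from the slides, written as a minimal WSGI application; the variable names follow the CGI/WSGI convention (REMOTE_USER is set by the server's authentication module, HTTP_* keys are request headers), and the `call` helper is this example's own.

```python
# Added example (not from the slides): a portal that performs no authentication
# of its own. It trusts REMOTE_USER, which only the front-end web server sets,
# and ignores HTTP_* keys, which carry request headers the client controls.


def portal_identity(environ: dict):
    """Return the web-server-asserted user, or None if the server asserted nothing."""
    user = environ.get('REMOTE_USER')
    # Keys such as HTTP_REMOTE_USER or HTTP_X_REMOTE_USER are request headers:
    # a client can send "X-Remote-User: admin" itself, so they are never consulted.
    if not user:
        return None
    return user


def portal_app(environ, start_response):
    """Minimal WSGI app: 401 unless the server authenticated, then greet the user."""
    user = portal_identity(environ)
    if user is None:
        start_response('401 Unauthorized', [('Content-Type', 'text/plain')])
        return [b'authentication is the web server\'s job; none was asserted\n']
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [f'portal identity: {user}\n'.encode()]


def call(environ: dict):
    """Invoke the app without a server (helper for this example) and return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured['status'] = status

    body = b''.join(portal_app(environ, start_response))
    return captured['status'], body.decode()


if __name__ == '__main__':
    # Constructed environs: one set by the server, one faked through a header.
    print(call({'REMOTE_USER': 'gettes', 'AUTH_TYPE': 'Basic'}))
    print(call({'HTTP_X_REMOTE_USER': 'gettes'}))
```

Under this arrangement the portal never sees a password, which is exactly the property the slide asks for: if the web server's authentication module is not in front of the portal, every request is simply unauthenticated.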

29

Portals: Authorization

• Security is not easy

if it was, then everyone would be doing it.

• Applications should handle authorization

• The portal is YAA (yet another application)

Portals can decide access on their own by consulting

local and remote services to determine eligibility then

grant/deny based on response or otherwise by whim.

30

Portal Issues

Authentication

WebISO

Authorization

Groups

Roles

Directories, Shibboleth

Vendor Independent Techniques

Errata--ica

32

National Science Foundation NMI program

• $12 million over 3 years

• www.nsf-middleware.org

• Middleware Service Providers, Integrators, Distributors

• GRID (Globus)

• Internet2 + EDUCAUSE + SURA

• May 2002 – first set of deliverables from all parties

33

The Liberty Alliance

www.project-liberty.org

Sun Microsystems, American Express, United Airlines, Nokia, MasterCard, AOL Time Warner, American Airlines, Bank of America, Cisco, France Telecom, Intuit, NTT DoCoMo, Verisign, Schlumberger, Sony …

Initiated in September 2001.

Protect Privacy, Federated Administration, Interoperability, Standards based but requires new technology, hard problems to solve, a Network Identity Service

Funny, doesn’t this stuff sound familiar?

Got Directory?

35

Techniques for Product Independence

Good/Evil – make use of cool features of your product.

• Does this make it more difficult or impossible to switch products later?

• Does this make you less interoperable? Standard?

• Does this limit your ability to leverage common solutions?

All the above applies to enabled apps as well.

36

Groups, Groups, Groups

Static vs. Dynamic (issues of large groups)
• Static: Scalability, performance, bandwidth
• Dynamic: Manageability (search based, but search limits)

Is there something neutral?

Indexed Static Groups
• MACE-DIR consideration (Todd Piket, MTU)
• Index unique/member
• The likely approach, IMHO, doesn’t inhibit dynamic stuff

Group Math

(&(group=faculty)(!(group=adjunct))(member=DN))
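"Group math" is just search-filter algebra over membership attributes, and the static/dynamic distinction on this slide decides which entries the filter is evaluated against. The following is an added example, not code from the slides: a small RFC 4515 filter parser and evaluator (AND, OR, NOT, equality and presence; case-insensitive matching as a stand-in for caseIgnoreMatch) run over constructed person and group entries. The `group` attribute on the person entries and the example DNs are constructed for this example; the filter shapes are the slide's.

```python
# Added example (not from the slides): evaluate RFC 4515 search filters over
# constructed entries to do "group math" both ways: membership stored on the
# person (indexed static group) and membership stored on a group entry.
import re


def _unescape(raw: str) -> str:
    # \XX hex escapes (RFC 4515) become the literal character, so "\2a" is a real '*'.
    return re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), raw)


def parse_filter(text: str):
    """Parse a filter string into a nested tuple tree."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f'expected {ch!r} at offset {pos}')
        pos += 1

    def node():
        nonlocal pos
        expect('(')
        if pos < len(text) and text[pos] in '&|':
            op = text[pos]
            pos += 1
            kids = []
            while pos < len(text) and text[pos] == '(':
                kids.append(node())
            if not kids:
                raise ValueError('empty AND/OR filter')
            expect(')')
            return (op, kids)
        if pos < len(text) and text[pos] == '!':
            pos += 1
            kid = node()
            expect(')')
            return ('!', kid)
        eq, close = text.find('=', pos), text.find(')', pos)
        if eq == -1 or close == -1 or eq > close:
            raise ValueError(f'malformed item at offset {pos}')
        attr, raw = text[pos:eq].strip().lower(), text[eq + 1:close]
        pos = close + 1
        if raw == '*':
            return ('present', attr)
        return ('=', attr, _unescape(raw).lower())

    tree = node()
    if pos != len(text):
        raise ValueError('trailing data after filter')
    return tree


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against {attribute: [values]} (attribute names lower-case)."""
    kind = node[0]
    if kind == '&':
        return all(matches(k, entry) for k in node[1])
    if kind == '|':
        return any(matches(k, entry) for k in node[1])
    if kind == '!':
        return not matches(node[1], entry)
    values = [v.lower() for v in entry.get(node[1], [])]
    return bool(values) if kind == 'present' else node[2] in values


def search(entries: dict, filter_text: str) -> list:
    """Return the DNs of entries matching the filter, sorted."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, entry in entries.items() if matches(tree, entry))


# Constructed sample data. The 'group' attribute on a person is the "indexed
# static group" idea: membership stored on the member and indexed for equality.
BASE = 'ou=People,dc=example,dc=edu'
PEOPLE = {
    f'uid=alice,{BASE}': {'uid': ['alice'], 'group': ['faculty']},
    f'uid=bob,{BASE}':   {'uid': ['bob'],   'group': ['faculty', 'adjunct']},
    f'uid=carol,{BASE}': {'uid': ['carol'], 'group': ['staff']},
    f'uid=dave,{BASE}':  {'uid': ['dave'],  'group': ['Faculty'], 'mail': ['dave@example.edu']},
}
# The same membership held on a static group entry, where "is alice in faculty?"
# becomes an equality test on the (indexed) member attribute of one entry.
GROUPS = {
    'cn=faculty,ou=Groups,dc=example,dc=edu': {
        'cn': ['faculty'],
        'member': [f'uid=alice,{BASE}', f'uid=bob,{BASE}', f'uid=dave,{BASE}'],
    },
}

if __name__ == '__main__':
    print(search(PEOPLE, '(&(group=faculty)(!(group=adjunct)))'))   # faculty who are not adjunct
    print(search(PEOPLE, '(|(group=staff)(group=adjunct))'))
    print(search(GROUPS, f'(&(cn=faculty)(member=uid=alice,{BASE}))'))
```

The two data layouts answer the same questions with the same filter language; the difference the slide points at is what the server has to scan. With membership on the person, "faculty minus adjunct" is an indexed equality search that returns people directly; with membership on the group, the same question is an equality test against one large multi-valued attribute, which is why indexing `member` is the MACE-DIR consideration named above.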

37

Roles

Is this an LDAP issue?
• MIT roles DB – a roles registry

Are groups good enough for now?
• Probably not, see next

Are your apps prepared for this? Maybe they need some service to consult? Will Shibboleth help here?

Vendors have proprietary solutions.

38

Stitching disparate directories

How to relate to distinct directories and their entries. Kjk@colorado & kjk@ViDe -- are they the same?

Locate someone in a large directory (DoDHE) and then switch to their video abilities

Suggestion: define new object of a “data source directory”. Associate it with a Cert. Send signature of all data elements for an object, store in same. This allows for digital trust/verification. Still working this out. Not much work in this space? (the affiliated dirs problem)

X.520 AttributeIntegrityInfo Attribute – will it suffice?

39

A Campus Directory Architecture

[Figure: campus directory architecture. Components: metadirectory; enterprise directory; directory database; departmental directories; OS directories (MS, Novell, etc); border directory; registries; source systems; enterprise applications directory.]

Middleware 201 Directories

Configuration & Operations

Michael R. Gettes

Principal Technologist

Georgetown University

Gettes@Georgetown.EDU

41

How Deep?

Background

Site Profile - configuration

Applications

General Operational Controls

Schema

Access Lists

Replication

Related Directories

LDAP-Recipe – http://middleware.internet2.edu

42

Site Profile dc=georgetown,dc=edu

Netscape/iPlanet DS version 4.16
• 2 Sun E250 dual cpu, 512MB RAM

105,000 DNs (25K campus, others = alums + etc)

Directory + apps implemented in 7 months

Distinguished names: uid=x,ou=people
• DC rap, “Boom shacka lacka”
• Does UUID in DN really work?

NSDS pre-op plugin (by gettes@Princeton.EDU)
• Authentication over SSL; Required
• Can do Kerberos – perf problems to resolve

1 supplier, 4 consumers

43

Authentication: Overall Plan @ Georgetown

Currently, Server-Side PKI self-signed

Best of all 3 worlds
• LDAP + Kerberos + PKI
– LDAP Authentication performs Kerberos Authentication out the backend. Jan. 2001 to finish iPlanet plug-in.
• Credential Caching handled by Directory.
• Cooperative effort – Georgetown, GATech, Michigan
– All directory authentications SSL protected. Enforced with necessary exceptions
• Use Kerberos for Win2K Services and to derive X.509 Client Certificates
• One Userid/Password (single-signon vs. FSO)

44

Applications

Mail routing with Sendmail 8.12 (lists also)

Netscape messaging server v 4.15 (IMAP)
• WebMail profile stored in LDAP

Apache server for Netscape roaming (no SSL)

Apache & Netscape enterprise web servers

Blackboard CourseInfo Enterprise 5.5.1

Whitepages: Directory Server GateWay

DSGW for priv’d access and maintenance

45

Applications (Continued)

Remote access with RADIUS (funk).
• No SSL (3/2000); proper LDAP binds (fix 8/2000)
• Authenticates and authorizes for dial-up, DSL and VPN services using RADIUS called-id.
• We want to use this for other access control such as Oracle

46

RADIUS + LDAP

[Figure: dial-up users call the NAS (terminal server) at 202-555-1110; the NAS talks to the RADIUS server, which queries the Directory Server. The Called-Id from the NAS is mapped to guRadProf.]

Directory entry for the user:
Netid = gettes
guRadProf = 2025550001
guRadProf = 2025551110
guRadProf = OracleFin

LDAP Filter is: guRadProf = 2025551110 + NetID = gettes
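The filter on this slide is assembled from two pieces of input: the called-id the NAS reports and the NetID the user typed. Both reach the directory as filter text, so the way they are assembled decides whether a user can alter the filter's structure. The following is an added example, not code from the slides, that builds the slide's `(&(guRadProf=...)(netid=...))` filter with RFC 4515 escaping for the NetID and an allow-list check for the profile value; the attribute names are the slide's, while the profile syntax rule (digits or an alphanumeric token such as OracleFin, separators removed) and the helper names are assumptions for this example.

```python
# Added example (not from the slides): build the RADIUS authorization filter
# "(&(guRadProf=<called id>)(netid=<user>))" without letting either input alter
# the filter's structure. The validation rules are assumptions for this example.
import re

# Profile values are dialled numbers (2025551110) or application profile names
# (OracleFin): an alphanumeric token once whitespace and hyphens are removed.
_PROFILE = re.compile(r'^[A-Za-z0-9]{1,32}$')


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the characters with filter-syntax meaning become \\XX."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def normalize_profile(called_id: str) -> str:
    """Turn a NAS Called-Station-Id such as '202-555-1110' into the guRadProf value 2025551110."""
    token = re.sub(r'[\s-]', '', called_id)
    if not _PROFILE.match(token):
        raise ValueError(f'unexpected called id: {called_id!r}')
    return token


def radius_authz_filter(netid: str, called_id: str) -> str:
    """Filter for: does this NetID hold the profile for the service that was called?"""
    profile = normalize_profile(called_id)   # allow-list validated, so no escaping needed
    return f'(&(guRadProf={profile})(netid={escape_filter_value(netid)}))'


def naive_filter(netid: str, called_id: str) -> str:
    """Plain string concatenation, kept only to show how the structure can change."""
    return f'(&(guRadProf={called_id})(netid={netid}))'


if __name__ == '__main__':
    print(radius_authz_filter('gettes', '202-555-1110'))
    print(radius_authz_filter('gettes', 'OracleFin'))
    # A NetID containing filter syntax stays one literal value in the safe builder,
    # but becomes an extra filter term in the naive one:
    print(radius_authz_filter('gettes)(uid=*', '2025551110'))
    print(naive_filter('gettes)(uid=*', '2025551110'))
```

The same two controls (an allow-list where the value space is known, escaping where it is free text) apply to every application on the following slides that turns user input into a search filter, such as the self-service and help-desk tools.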

47

Applications (Continued)

Alumni services (HoyasOnline).
• External vendor in Dallas, TX (PCI).
• They authenticate back to home directories. Apache used to authenticate and proxy to backend IIS server.

• Email Forwarding for Life

48

HoyasOnline Architecture

Gratuitous Architectural Graphic (GAG)

[Figure: source systems (NET ID, TMS, HRIS, SIS, Alumni) on OS/390 feed the LDAP Master, which replicates to an LDAP Replica. The client browser reaches WWW hoyasonline content hosted by PCI (Dallas, “way down in Texas”) for vendor-provided services, and other local hosts for GU-provided self-service applications.]

49

Applications (Continued)

Access+
• Georgetown developed
• Web interface to legacy systems using Unix front-end to custom made mainframe tasks. Many institutions have re-invented this wheel.
• LDAP authentication, mainframe doesn’t yet do SSL. Always exceptions to rules.
• Student, Faculty, Staff, Directory/Telephone Access+ Services. This technique keeps mainframe alive. (good or bad?)

50

Applications (Continued)

Specialized support apps
• Self service mail routing
• Help Desk: mail routing, password resets, quota management via DSGW
• Change password web page

Person registry populates LDAP people data, currently MVS (mainframe) based.

PerLDAP used quite a bit – very powerful! (make sure version >= 1.4)

Now moving to Net::LDAP

51

Applications (Continued)

Georgetown Netscape Communicator Client Customization Kit (CCK).
• Configured for central IMAP/SSL and directory services.
• Handles versions of profiles. Poor man’s MCD

Future: more apps! Host DB, Kerberos integration, win2k/ad integration?, Oracle RADIUS integration, Automatic lists, Dynamic/static Groups, Top-Secret, Bb – further integration.

52

General Operational Controls

Size limit trolling (300 or 20 entries?)

Lookthru limit (set very low)

Limit 3 processors for now, MP issues still! (v4)

100MB footprint, about 8000 DNs in cache
• Your mileage will vary – follow cache guidelines documented by iPlanet.

24x7 operations

What can users change?? (Very little)

No write intensive applications

53

General Ops Controls (cont…)

Anonymous access allowed

• Needed for email clients

• Anonymous access is good if you resolve FERPA and other data access issues.

54

Schema: Design & Maint

Unified namespace: there can be only one!

Schema design and maintenance
• Space/time tradeoffs on indexing
• Eduperson 1.0 vs. guPerson
• guRestrict, guEmailBox, guAffil, guPrimAfil
• guPWTimebomb, guRadProf, guType, guSSN
• Relationships (guref)

Maintained by ldif file using ldapmodify

55

Access Lists Design & Maintenance

Access lists: design & maintenance
• Buckley (FERPA) protection & services
• Priv’d users and services
• userPassword & SSN

Maintained by file using ldapmodify

Working on large group controls at GU
• Groups vs. Roles
• Likely easy to populate, hard to design & implement

56

Replication

Application/user performance

Failover, user and app service

Impact of DC= naming (replica init)
• Fixed in 4.13 and iDS 5.0

Monitoring: web page and notification

Dumper replica – periodic LDIF dumps

Backups? We don’t need no stinkin’ backups!
• Vendor Specific
• No good solution for backups (iPlanet)
• IBM uses DB2 under the covers
• Novell?

57

Replication (Continued)

Application/users config for mult servers

Deterministic operations vs random

Failover works for online repairs

Config servers are replicated also

10 to 1 SRA/CRA ratio recommended

Cannot cascade with DC= (iPlanet)
• Cascading is scary to me

58

Replica Structure

[Figure: replication topology, shown for Normal Ops and Failure Ops. Servers: MASTER; DUMPER; WHITEPAGES; MAILHOST; POSTOFFICE. Clients: NetID Registry, Web Servers, Users.]

59

Netscape Console

• Java program (FAT client).

• Used to create, configure and monitor Netscape servers.

• Preferred the web page paradigm of the version 3 products.

• Has enough bugs that it is only used by server admins, not for mere mortals.

• Demo??? (nope)

60

Other Directories

Novell – GU abandoning GroupWise.

Active directory??? Ugh!!!
• Static Groups Only
• Strict Tree Structure for Group Policy
• No plans for MS to change this…

61

Buyer Beware

• LDAP is LDAP is LDAP – yeah, right!

• “Sure! We support LDAP!” What does that mean?

• Contract for functionality and performance

• Include your Directory/Security Champion!!!

• Verify with other schools – so easy, rarely done.

• Beware of products that specify Dir Servers

• Get vendor to document product requirements and behavior. You paid for it!

62

Microsoft Win2K Integration

Project Pismere

http://web.mit.edu/pismere

MIT, CMU, Michigan, Stanford, Colorado, etc…

One way trust from MIT KDC to Win2K KDC

The devil we know

Metamerge can play an important role

Handle DHCP/DNS as your site wishes

63

Win2K & Enterprise Integration

[Figure: W2K Kerberos AuthN and Enterprise Kerberos AuthN on one side, W2K Active Directory and the Enterprise Directory on the other. Links are numbered 1–3 and labelled: One-way X-realm Trust; Identity mgmt; Meta-Dir Function (MetaMerge?).]