Identity Management in the Environment of Mendel University in Brno Milan Šorm.

Identity Managementin the Environment of

Mendel University in Brno

Milan Šorm

26. března 2007

SDI 2007, ZČU v Plzni 2

Contents

University in numbers Historical identity management Ideal solution University information system Current implemented situation Known problems Results Future ideas

26. března 2007


University in numbers

Medium-sized university 12 000 students 2 000 employees 2 000 other users in campus 4 faculties, 80 departments 5 000 prepared network connections 3 500 PCs 50 user servers

26. března 2007


Historical identity management

No centralized identity management No policy for

building servers interconnecting department networks accessing network environment creating accounts connection information services to netword

More than 20 admins Totally decentralized

26. března 2007


Ideal solution

One account credentials for one user Setup policy for connecting all PCs, servers and services to netword environment One place to define AAA for all services Minimize number of network admins Centralized storage for data and profiles Single sign on Maximum HA

26. března 2007


University information system

In last 7 year we reconstruct all small IT services and production ISs to one central complex information system with integrated data warehouse This information system can be source of all information about our users and their credentials, rights, roles etc. Unique source of informations

26. března 2007


University information system

Studyadministration

Science and research

eLearning

Manager

Technology

Personal management

Public informationportal

26. března 2007


University information

General object qualify principle We can describe any group of objects (users, computers, departments, segments, roles, rights etc.) and identify them by IDs We can put these groups to relations and prepare source of all AAA informations All of these informations are dynamic Example:

students and schedules

26. března 2007


Current implemented situation

Many meetings with server and service administrators and IT departments lead to setup one policy in

creating account (UIS based, algorithmized) setting groups, rights, quotas through Technology subsystem in UIS by power users (owners, specialists) accessing network and creating new services is maintained through central IT department

26. března 2007



University IS

Datawarehouse

Primary LDAP server

LDAP replicas

Services

26. března 2007



UIS prepare all data for identity management in central data warehouse (Oracle 10g) Application logic stored in DW (PL/SQL) create and update primary LDAP server (OpenLDAP) with all credentials LDAP push data to LDAP replicas All IT services are connected to one or more LDAP replicas for AAA services

26. března 2007



All faculty and university services are connected to this AAA infrastructure For accessing network you need:

registered computer through computer authorization in UIS Technology subsystem account in AAA infrastructure for accessing network (eduroam connector, dormitories net connector, public network access during conferences etc.)

26. března 2007



Consolidation of IT services centralized e-mail distributing system centralized file server services systém standardization of classrooms installations

UIS know for each user his personalized policy:

where user read e-mails desktop information fileserver connections …

26. března 2007



Classroom computers access central server farm for roaming Windows or Linux profile These profile has defined scripts for attaching other resources E-mail is passed through distribution server which run antispam and antivir and distribute e-mails to user favourite e-mail server Samba or AD solution Linux PAM solution

26. března 2007



Information about allowed classrooms is stored in LDAP and Samba/Linux classroom servers or stations use them for managing login process All other information (home directory, roaming profile, other resources) is accessed through dynamically created profile and scripts called from this profile

26. března 2007



Many other IT services access central LDAP

UIS web interface Catering service (Anete Kredit) Network accessing service (eduroam, Faro) VPN concentrator HelpDesk software Impromat copy centre Old e-learning services Services on faculties

26. března 2007


Known problems

Changing passwords (only through UIS) Two profiles (Linux, Windows) Absence of SAP connector Not all things are online (e.g. e-mail groups, destroying of accounts…) No implementation of single sign on Less security due to only one account credentials

26. března 2007


Results

One login, one password, one account system, no account administrator Only 2 central administrator on university Very popular for basic user Very popular for technology owners Many statistics information Only start point on long journey for mobile work at university

26. března 2007


Other results

Implemented also for our customers: Slovak Technical University (26 000 users) Technical University in Zvolen (6 000 users) Škoda Auto University (1 000 users, in progress)

Current situation: changed to central information systém activated primary LDAP generation first replicas installed some services connected

26. března 2007


Future ideas

Single sign on Mobile profile through VPN Adding printing profiles to LDAP User friendliness interface for administrators Using of virtual desktop infrastructure Using of some other identity tokens (cards, USB flash drives, tokens) Building PKI over this solution

26. března 2007


Thank for your attention.

Any questions?

Date post:	02-Jan-2016
Category:	Documents
Upload:	hubert-hines
View:	215 times
Download:	0 times

Identity Management in the Environment of Mendel University in Brno Milan Šorm.

Documents