![Page 1: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/1.jpg)
LDAP user database
Marina Vermezović, Academic Network of Serbia
Skopje, 15.09.2011
![Page 2: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/2.jpg)
What is it all about?
Services/resources:
- to access the network – wireless, VPN
- web services – e-learning, e-library, student portal
Who are you? – Authentication (AutH)
What can you do? – Authorization (AutZ)
An Authentication and Authorization Infrastructure (AAI) makes access to protected services easier.
Akademska mreža Srbije (Academic Network of Serbia) – www.amres.ac.rs
![Page 3: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/3.jpg)
Without AAI
Diagram: Faculty A and Library B each run their own service providers (wireless, videoconference, e-learning, student services, wireless, e-books), and every single service performs its own authentication (Auth) and authorization (Autz).
![Page 4: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/4.jpg)
With AAI
Diagram: Faculty A runs Identity Management and an Identity Provider that performs authentication (Auth) once for all services; the service providers (videoconference, e-learning, student services, wireless, the library's wireless and e-books) perform only authorization (Autz).
![Page 5: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/5.jpg)
High level AAI diagram
- IdP: RADIUS and SAML front-ends over one user database
- Network SPs (NAS): eduroam, VPN – reached via RADIUS
- Web SPs: web resources, wiki pages – reached via SAML
- Circle of Trust / Federation
Basis for the development of all services that need local and inter-institutional AutH and AutZ.
![Page 6: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/6.jpg)
What is digital user identity?
Set of data (attributes) about a user:
- Personal user data: name, surname, date of birth, national identification number, contact information (mail, address, phone)
- Data regarding affiliation to an institution: name of institution, affiliation (student, employee, guest), designation (for employees), type of studies (for students), local identification number, contact information (mail, address, phone)
- Credentials used for authentication: username/password, certificate
- Data that uniquely identifies a person: a person identifier (shown on the slide as [email protected])
- User roles and privileges
![Page 7: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/7.jpg)
LDAP user database
![Page 8: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/8.jpg)
Which database to use for storing user IDs?
Basically you can choose any:
- Relational: MySQL, Oracle, PostgreSQL
- Hierarchical (directory): OpenLDAP, Active Directory
But... there are some advantages to directories.
![Page 9: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/9.jpg)
Directories – made for storing user IDs?
User database – why LDAP?
Relational Databases vs Directories
Resource: http://www.terena.org/activities/idm/moldova/intro2LDAP.pdf

| | Relational Databases | Directories |
|---|---|---|
| Schema | No standard schema for tables and data fields | International standards to describe persons and organizations |
| Organization | One logical entity can be stored in multiple tables | One logical entity = one entry in the DIT |
| Multivalue data | Mandates a new table, or a fixed number of multiple data fields | Native support for multi-valued attributes |
| Flexibility | Changes in data fields can require big effort | Granular modification of the schema; easy to add attributes |
| Access | No standard protocol for access via the network | Defines a protocol for access via the network – LDAP |
| Optimization | | Optimized for reading |
![Page 15: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/15.jpg)
LDAP dictionary
![Page 16: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/16.jpg)
LDAP dictionary revealed
DIT – Directory Information Tree: the structure the data is organized in; hierarchical (tree-like).
![Page 17: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/17.jpg)
LDAP dictionary revealed
Entry – a single node in the directory tree which describes one object, e.g. an Organization, an Organizational Unit, a Person.
![Page 18: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/18.jpg)
LDAP dictionary revealed
Attribute – an attribute name / attribute value pair contained in the entry; can be single-valued or multi-valued.
![Page 19: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/19.jpg)
LDAP dictionary revealed
objectClass – a logical group of attributes. An entry has one or more objectClasses assigned, but must have exactly one structural objectClass (auxiliary classes can be added on top of it). Each class says which of its attributes are mandatory (MUST) and which are optional (MAY).
![Page 20: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/20.jpg)
LDAP dictionary revealed
RDN – Relative Distinguished Name: the value that distinguishes an entry from its siblings in one branch; constructed from one (or more) attribute values of the entry; something like a folder name, or a primary key in a relational database. The attribute value used in the RDN must also be present in the entry itself.
![Page 21: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/21.jpg)
LDAP dictionary revealed
DN – Distinguished Name: the "path" to the entry, which uniquely identifies it; consists of all RDNs on the path from the entry up to the root, separated by commas, the entry's own RDN first (for example uid=jdoe,ou=people,dc=example,dc=org, with made-up values).
![Page 22: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/22.jpg)
LDAP dictionary revealed
Base DN – the DN of the DIT root; also the starting point handed to searches.
![Page 23: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/23.jpg)
LDAP schema mystery?
A schema consists of attribute type definitions and one or more objectClass definitions that group them:
schema → objectClassX → attributeX → attributeX definition (syntax, single- or multi-valued, matching rules)
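The terms on slides 16–23 (DIT, entry, attribute, objectClass, RDN, DN, base DN, schema) fit together as follows. This is an added example, not code from the presentation: a small Python model that splits DNs into RDNs and validates entries against a hand-written subset of the standard schema (dcObject, organization, organizationalUnit, inetOrgPerson and the eduPerson auxiliary class, with the eduPersonAffiliation vocabulary). The base DN dc=example,dc=org, the entries and the deliberately broken entry are constructed sample data.

```python
"""Added example, not code from the presentation: an in-memory model of the slide
vocabulary (DIT, entry, attribute, objectClass, RDN, DN, base DN) with a small
hand-written schema subset (RFC 4519/2798 classes and eduPerson) used to validate
constructed sample entries under the made-up base DN dc=example,dc=org."""
from __future__ import annotations
from dataclasses import dataclass

EDU_AFFILIATIONS = frozenset({"faculty", "student", "staff", "employee", "member",
                              "affiliate", "alum", "library-walk-in"})
SINGLE_VALUED = {"eduPersonPrincipalName", "eduPersonPrimaryAffiliation"}
VOCABULARY = {"eduPersonAffiliation": EDU_AFFILIATIONS, "eduPersonPrimaryAffiliation": EDU_AFFILIATIONS}

@dataclass(frozen=True)
class ObjectClass:
    name: str
    kind: str             # "structural" or "auxiliary"
    must: frozenset[str]  # mandatory attributes
    may: frozenset[str]   # optional attributes

SCHEMA = {c.name: c for c in (
    ObjectClass("dcObject", "auxiliary", frozenset({"dc"}), frozenset()),
    ObjectClass("organization", "structural", frozenset({"o"}), frozenset({"description"})),
    ObjectClass("organizationalUnit", "structural", frozenset({"ou"}), frozenset({"description"})),
    ObjectClass("inetOrgPerson", "structural", frozenset({"cn", "sn"}),
                frozenset({"uid", "mail", "givenName", "telephoneNumber", "userPassword"})),
    ObjectClass("eduPerson", "auxiliary", frozenset(),
                frozenset({"eduPersonPrincipalName", "eduPersonAffiliation", "eduPersonPrimaryAffiliation"})),
)}

@dataclass
class Entry:
    dn: str
    attrs: dict[str, list[str]]  # attribute name -> values; any attribute may hold several

def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDNs, honouring backslash-escaped commas (RFC 4514)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(current).strip())
            current = []
            continue
        current.append(ch)
        escaped = ch == "\\" and not escaped
    rdns.append("".join(current).strip())
    return rdns

def rdn(dn: str) -> str:
    return split_dn(dn)[0]             # the entry's own name, like a folder name

def parent_dn(dn: str) -> str:
    return ",".join(split_dn(dn)[1:])  # the rest of the path up to the root

def validate_entry(e: Entry) -> list[str]:
    """Exactly one structural class, MUST attributes present, only MUST/MAY attributes
    used, single-valued means one value, vocabularies respected, RDN value in the entry."""
    classes = e.attrs.get("objectClass", [])
    if not classes:
        return ["no objectClass"]
    problems = [f"unknown objectClass {c}" for c in classes if c not in SCHEMA]
    known = [SCHEMA[c] for c in classes if c in SCHEMA]
    structural = [c.name for c in known if c.kind == "structural"]
    if len(structural) != 1:
        problems.append(f"entry must have exactly one structural objectClass, has {structural}")
    allowed = {"objectClass"}.union(*(c.must | c.may for c in known))
    for c in known:
        problems += [f"missing required attribute {a}" for a in sorted(c.must) if a not in e.attrs]
    for name, values in e.attrs.items():
        if name not in allowed:
            problems.append(f"attribute {name} not allowed by objectClasses")
        if name in SINGLE_VALUED and len(values) > 1:
            problems.append(f"attribute {name} must be single-valued")
        problems += [f"value {v!r} of {name} not in allowed set"
                     for v in values if name in VOCABULARY and v not in VOCABULARY[name]]
    attr, _, value = rdn(e.dn).partition("=")
    if value not in e.attrs.get(attr, []):
        problems.append(f"RDN value {rdn(e.dn)} not among entry attributes")
    return problems

def validate_dit(entries: list[Entry], base_dn: str) -> dict[str, list[str]]:
    present = {e.dn for e in entries}  # every entry except the base must hang under an existing parent
    report = {}
    for e in entries:
        problems = validate_entry(e)
        if e.dn != base_dn and parent_dn(e.dn) not in present:
            problems.append(f"parent {parent_dn(e.dn)} does not exist in the DIT")
        report[e.dn] = problems
    return report

SAMPLE_DIT = [  # constructed entries under the made-up base DN
    Entry("dc=example,dc=org", {"objectClass": ["dcObject", "organization"], "dc": ["example"], "o": ["Example University"]}),
    Entry("ou=people,dc=example,dc=org", {"objectClass": ["organizationalUnit"], "ou": ["people"]}),
    Entry("uid=jdoe,ou=people,dc=example,dc=org", {
        "objectClass": ["inetOrgPerson", "eduPerson"], "uid": ["jdoe"], "cn": ["Jane Doe"], "sn": ["Doe"],
        "eduPersonPrincipalName": ["jdoe@example.org"], "eduPersonAffiliation": ["student", "member"],
        "eduPersonPrimaryAffiliation": ["student"]}),
    Entry("uid=broken,ou=people,dc=example,dc=org", {  # violates several rules on purpose
        "objectClass": ["inetOrgPerson", "organizationalUnit"], "uid": ["broken"], "cn": ["Broken Entry"],
        "eduPersonPrimaryAffiliation": ["visitor"]}),
]

if __name__ == "__main__":
    for dn, p in validate_dit(SAMPLE_DIT, "dc=example,dc=org").items(): print(dn, "->", p or "OK")
```

Running it reports OK for the three well-formed entries and, for uid=broken, the violations the slides warn about: two structural classes, missing MUST attributes (sn, ou), an attribute that no assigned class permits, and a value outside the eduPersonAffiliation vocabulary. A real server enforces the same rules on Add and Modify; checking before a bulk import matters because ldapadd stops at the first rejected entry unless told to continue.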
![Page 24: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/24.jpg)
Which schema should I use?
One can define a proprietary schema to use within the organization.
But... if inter-institutional AutH and AutZ is used – such as in an NREN AAI – using the same schema becomes important.
Institutions involved in the NREN AAI should use the same schema because it:
- unifies attributes, their use and their semantics
- lets Service Providers know what to expect during AutH and AutZ
![Page 25: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/25.jpg)
Standard LDAP schemas designed for campus directories
- eduPerson (eduPerson200604), Internet2 MACE group: attributes describing a person in higher education
- eduOrg (eduOrg200210), Internet2 MACE group: attributes describing an organization in higher education
- eduMember (eduMember200507), Internet2 MACE-Dir WG: deals with the problem of assigning rights and privileges to users
- SCHAC (SCHema for ACademia), TERENA TF for Middleware / TF-EMC2: complements eduOrg and eduPerson with attributes specific to the European education system
![Page 26: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/26.jpg)
How to approach?
A schema for the national AAI should be defined. Examples:
- rsEdu: https://bpd.amres.ac.rs/doku.php?id=amres_aai_wiki:pregled_atributa
- hrEdu: http://schema.aaiedu.hr/shema/
- norEdu: http://www.feide.no/feide/sites/drupal.uninett.no.feide/files/documents/norEdu_spec.pdf
More at https://refeds.terena.org/index.php/FederationSchema
![Page 27: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/27.jpg)
How to design a national schema?
- Use the standard schemas: eduPerson, eduOrg, SCHAC.
- If an attribute specific to the national education system doesn't exist, define it in the national schema (under your own OID arc, so it cannot collide with standard attributes).
- Have in mind that you want to describe NREN students, researchers, teachers...
- This enables compatibility between national AAIs – confederation.
![Page 28: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/28.jpg)
How to implement an LDAP directory?
LDAP is the protocol for accessing the directory. Current version LDAPv3, described in RFC 4510 (and the RFC 4511 family). Uses TCP, port 389 (LDAP over TLS, "ldaps", uses port 636). Client-server model; some operations:
- Start TLS (do this before Bind, so credentials do not cross the network in cleartext)
- Bind (authenticate the client)
- Search
- Compare
- Add a new entry
- Delete an entry
- Modify an entry
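The Search and Bind operations are where a service's own code meets the directory, and the classic mistake is to splice a user-supplied name straight into a filter or a DN. The following is an added example, not code from the presentation; the base DN ou=people,dc=example,dc=org, the uid attribute, the directory contents and the attacker's input are assumptions. It shows the escaping that RFC 4515 (filters) and RFC 4514 (DNs) require, and includes a small filter evaluator so the effect of the unescaped version is visible without a server.

```python
"""Added example, not code from the presentation: building LDAP Search filters and
Bind DNs from untrusted input, with RFC 4515 / RFC 4514 escaping, plus a tiny
filter evaluator that shows what the unescaped version does. Base DN, attribute
names, directory contents and the attacker's input are assumptions."""
from __future__ import annotations
import re

BASE_DN = "ou=people,dc=example,dc=org"  # assumed

def escape_filter_value(value: str) -> str:
    """RFC 4515: '*', '(', ')', '\\' and NUL become \\XX hex escapes."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in value)

def escape_dn_value(value: str) -> str:
    """RFC 4514: escape , + " \\ < > ; NUL, a leading '#' or space, and a trailing space."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def unsafe_user_filter(username: str) -> str:
    """The bug: plain string interpolation of untrusted input (kept here only to show the effect)."""
    return f"(&(objectClass=inetOrgPerson)(uid={username}))"

def safe_user_filter(username: str) -> str:
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))"

def user_bind_dn(username: str, base_dn: str = BASE_DN) -> str:
    return f"uid={escape_dn_value(username)},{base_dn}"

# --- a minimal filter evaluator, so the difference is visible without a server ---
def parse_filter(s: str, pos: int = 0):
    """Parse an RFC 4515 filter into ('&', [..]) / ('|', [..]) / ('!', node) / ('=', attr, pattern)."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    if s[pos] in "&|":
        op, items, pos = s[pos], [], pos + 1
        while s[pos] != ")":
            node, pos = parse_filter(s, pos)
            items.append(node)
        return (op, items), pos + 1
    if s[pos] == "!":
        node, pos = parse_filter(s, pos + 1)
        return ("!", node), pos + 1
    end = s.index(")", pos)
    attr, _, pattern = s[pos:end].partition("=")
    return ("=", attr, pattern), end + 1

def _pattern_regex(pattern: str) -> re.Pattern:
    """A raw '*' is a wildcard; \\XX escapes are literal characters, so an escaped '*' is not."""
    unhex = lambda piece: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)
    return re.compile("^" + ".*".join(re.escape(unhex(p)) for p in pattern.split("*")) + "$", re.I)

def matches(node, entry: dict[str, list[str]]) -> bool:
    if node[0] == "&":
        return all(matches(n, entry) for n in node[1])
    if node[0] == "|":
        return any(matches(n, entry) for n in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    return bool(values) if pattern == "*" else any(_pattern_regex(pattern).match(v) for v in values)

def search(filter_str: str, entries: list[dict[str, list[str]]]) -> list[str]:
    """Return the DNs of the entries the filter matches (what a server would return)."""
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return [e["dn"][0] for e in entries if matches(node, e)]

DIRECTORY = [  # constructed sample entries
    {"dn": ["ou=people,dc=example,dc=org"], "objectClass": ["organizationalUnit"], "ou": ["people"]},
    {"dn": ["uid=jdoe,ou=people,dc=example,dc=org"], "objectClass": ["inetOrgPerson"], "uid": ["jdoe"]},
    {"dn": ["uid=msmith,ou=people,dc=example,dc=org"], "objectClass": ["inetOrgPerson"], "uid": ["msmith"]},
]

if __name__ == "__main__":
    evil = "*)(uid=*"
    print("unsafe:", unsafe_user_filter(evil), "->", search(unsafe_user_filter(evil), DIRECTORY))
    print("safe:  ", safe_user_filter(evil), "->", search(safe_user_filter(evil), DIRECTORY))
```

For the input *)(uid=* the unescaped filter becomes (&(objectClass=inetOrgPerson)(uid=*)(uid=*)) and the search returns every person; the escaped filter looks for a literal uid of *)(uid=* and returns nothing. Real client libraries ship the same escaping (python-ldap's ldap.filter.escape_filter_chars, for example); use those rather than string handling of your own, and apply the DN variant whenever a Bind DN is assembled from a username.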
![Page 29: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/29.jpg)
Which LDAP server software to use?
Quite a long list...
![Page 30: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/30.jpg)
How to manage LDAP data?
- Manually, with the ldap command-line tools
- LDAP browsers: Apache Directory Studio, phpLDAPadmin, ...
- Make your own application
- Bulk import / synchronization from other source systems – Student Information System, Employee Registry, ...
![Page 31: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/31.jpg)
Identity Management
![Page 32: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/32.jpg)
The lifecycle of a user's digital identity – IdM
A set of procedures and rules which define:
1. Who has the right to own a digital identity
2. When a digital identity is assigned to a person
3. How the digital identity is maintained
4. How the digital identity is used
5. How the digital identity is terminated
Every institution should have its own IdM policy. It must comply with the national personal data protection law and the EU Data Protection Directive.
![Page 33: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/33.jpg)
1. Who has the right to own a digital identity?
- Pupils
- Students
- Teaching staff
- Other employees
- Other persons affiliated to the institution – members, guests?
![Page 34: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/34.jpg)
2. When is a digital identity assigned to a person?
- When should the digital identity be created? Student: when applying for admission; when enrolling at the faculty; on the first day of studies; when he/she needs it. Employee: on the first working day; when he/she needs it.
- Which information should it contain? For each attribute: mandatory or optional; single-valued or multi-valued; syntax; predefined values; plus rules for usernames and passwords.
- Where do you get the information from? Automatically from another source; manually from a filled-in form; manually, verbally. Multiple sources – synchronization problem.
- What is the quality of the information? How and when is the identity checked? Other systems rely on that data, so it should be accurate.
![Page 35: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/35.jpg)
3. How is the digital identity maintained?
- Digital identity data should be accurate and up to date.
- Who is responsible for reporting a change of data, and of which data? The user – personal data; the institution's administration – data regarding study/employment.
- How do you make the changes? The user – through a self-service portal; the institution's administration – automatically from another source, manually from a filled-in form, or manually, verbally.
- When are the changes made? ASAP!
![Page 36: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/36.jpg)
4. How is the digital identity used?
- Which systems can access the information? The ones which need AutH, AutZ and/or user data. They can access the directory directly, using the LDAP protocol, or through a mediating authentication server (RADIUS, SAML, ...).
- Which data should be accessible? Access should be limited to the information a service reasonably needs (a service that only authenticates users has no business reading,say, the date of birth); give each consuming system its own bind identity and restrict with directory access controls which attributes it can read.
- How are user rights and privileges defined? Use existing user attributes, or add an attribute that describes the user's role.
![Page 37: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/37.jpg)
5. How is the digital identity terminated?
- When is it terminated? When the person is no longer affiliated with the institution: student – when he/she graduates; employee – when he/she stops working; guest – ? The time between the end of the affiliation and the termination of the identity should be minimal.
- Who reports that it should be terminated? The user; the student administration service; the employee administration service; for guests – ? (some administration service).
- How is it terminated? Automatically from another source; manually from a filled-in form; manually, verbally.
- Is it deleted permanently? Should you reassign once-used usernames? (A reassigned username lets the new holder inherit whatever external services still associate with the old one, since those services key on the identifier, not on the person.)
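Slides 30, 34, 35 and 37 describe the lifecycle as procedures: bulk import and synchronization from the student information system and the employee registry, multiple sources with a synchronization problem, termination as soon as the affiliation ends, and the question of username reuse. The following is an added example, not code from the presentation, of one reconciliation pass that turns those procedures into concrete directory changes. The record layout, a person_id shared by the source systems, the 14-day grace period, the 365-day retention period and the register of retired usernames are assumptions, and all input data is constructed.

```python
"""Added example, not code from the presentation: a reconciliation pass that compares
the directory with exports from the source systems (student information system,
employee registry) and derives lifecycle actions. The record layout, the shared
person_id, grace and retention periods and the retired-username register are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

GRACE = timedelta(days=14)       # assumed: identity stays active this long after the affiliation ends
RETENTION = timedelta(days=365)  # assumed: a disabled identity is kept this long, then deleted

@dataclass(frozen=True)
class SourceRecord:
    person_id: str          # assumed: identifier shared by all source systems
    given: str
    sn: str
    affiliation: str        # eduPersonAffiliation value: student, employee, ...
    end_date: date | None   # None = affiliation still open

@dataclass
class Account:
    uid: str
    person_id: str
    sn: str
    affiliations: frozenset[str]
    disabled_since: date | None = None   # None = active

@dataclass
class Plan:
    create: list[tuple[str, str, frozenset[str]]] = field(default_factory=list)  # (uid, person_id, affiliations)
    modify: list[tuple[str, dict]] = field(default_factory=list)                 # (uid, changed attributes)
    disable: list[str] = field(default_factory=list)
    delete: list[str] = field(default_factory=list)
    review: list[str] = field(default_factory=list)                              # needs a human decision

def propose_uid(given: str, sn: str, taken: set[str], retired: set[str]) -> str:
    # first initial + surname, ASCII only; policy here: a uid in use or ever used before is never handed out again
    base = "".join(ch for ch in (given[:1] + sn).lower() if ch.isascii() and ch.isalnum())
    uid, n = base, 1
    while uid in taken or uid in retired:
        n += 1
        uid = f"{base}{n}"
    taken.add(uid)
    return uid

def reconcile(records: list[SourceRecord], accounts: list[Account], retired: set[str], today: date) -> Plan:
    plan, by_person = Plan(), {}
    for r in records:
        by_person.setdefault(r.person_id, []).append(r)
    acct_by_person = {a.person_id: a for a in accounts}
    taken = {a.uid for a in accounts}
    for pid, recs in by_person.items():
        live = [r for r in recs if r.end_date is None or r.end_date + GRACE >= today]
        acct = acct_by_person.get(pid)
        affs = frozenset(r.affiliation for r in live)
        if not live:                                   # affiliation over: disable first, delete later
            if acct and acct.disabled_since is None:
                plan.disable.append(acct.uid)
            elif acct and acct.disabled_since + RETENTION <= today:
                plan.delete.append(acct.uid)
        elif len({r.sn for r in live}) > 1:            # the sync problem: sources disagree
            plan.review.append(f"{pid}: surname differs between sources")
        elif acct is None:
            plan.create.append((propose_uid(live[0].given, live[0].sn, taken, retired), pid, affs))
        else:
            changes: dict = {}
            if acct.sn != live[0].sn:
                changes["sn"] = live[0].sn
            if acct.affiliations != affs:
                changes["eduPersonAffiliation"] = sorted(affs)
            if acct.disabled_since is not None:        # the person is back: re-enable
                changes["disabled"] = False
            if changes:
                plan.modify.append((acct.uid, changes))
    for a in accounts:                                 # accounts no source knows about (guests?)
        if a.person_id not in by_person:
            plan.review.append(f"{a.uid}: no source record for person {a.person_id}")
    return plan

TODAY = date(2011, 9, 15)
SOURCES = [  # constructed exports: P1, P2, P5 from the student system; P1, P3, P4, P5 from the employee registry
    SourceRecord("P1", "Jane", "Doe", "student", None),
    SourceRecord("P2", "Mira", "Novak", "student", date(2011, 6, 30)),   # graduated
    SourceRecord("P5", "Luka", "Babic", "student", None),
    SourceRecord("P1", "Jane", "Doe", "employee", None),                 # the student also works here
    SourceRecord("P3", "Ana", "Kovac", "employee", None),                # new hire without an account
    SourceRecord("P4", "Ivan", "Horvat", "employee", date(2010, 1, 1)),  # left long ago
    SourceRecord("P5", "Luka", "Babich", "employee", None),              # surname spelt differently
]
ACCOUNTS = [  # constructed directory state
    Account("jdoe", "P1", "Doe", frozenset({"student"})),
    Account("mnovak", "P2", "Novak", frozenset({"student"})),
    Account("ihorvat", "P4", "Horvat", frozenset({"employee"}), date(2010, 2, 1)),
    Account("lbabic", "P5", "Babic", frozenset({"student"})),
    Account("guest1", "G1", "Guest", frozenset({"affiliate"})),
]
RETIRED = {"akovac"}  # a previous holder already used this uid

def demo_plan() -> Plan:
    return reconcile(SOURCES, ACCOUNTS, RETIRED, TODAY)
```

On the sample data the plan creates akovac2 (akovac is retired, so it is not reused), adds the employee affiliation to jdoe, disables mnovak whose studies ended in June, deletes ihorvat whose identity has been disabled for more than a year, and flags two cases for a human: P5, whose surname differs between the two sources, and guest1, whom no source system knows about. Nothing is changed in the directory by this pass; the plan is what an operator reviews before the Modify and Delete operations are issued.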
![Page 38: LDAP user database Marina Vermezović Academic Network of Serbia Skopje 15.09.2011](https://reader035.vdocuments.us/reader035/viewer/2022062320/56649c7b5503460f9492ebe4/html5/thumbnails/38.jpg)
Thank you for your attention
Questions?