Next Generation Directory-Based User Management for Cloud Infrastructure
March 10, 2018
SCaLE 16X, Pasadena
Introduction
Shawn McKinney
• Software Architect
• PMC, Apache Directory Project
• Engineering Team
Session Objective
Think about how to implement user access controls on machines running in the cloud.
Inspiration
"I had to keep guessing at the channel; I had to discern, mostly by inspiration, the signs of hidden banks; I watched for sunken stones; when you have to attend to things of that sort, to the mere incidents of the surface, the reality—the reality, I tell you—fades. The inner truth is hidden."
Joseph Conrad, Heart of Darkness
Image: https://en.wikipedia.org/wiki/File:VingtAnnees_286.jpg
Session Agenda
• History of Unix
• Building Blocks
• Security Model
• Data Model
• Solution
• Demo
Image from: HTTP://EVENTS.LINUXFOUNDATION.ORG/EVENTS/APACHECON-NORTH-AMERICA
History
Knowing the path forward means understanding where we’ve been.
History
Image: https://upload.wikimedia.org/wikipedia/commons/7/77/Unix_history-simple.svg
Soup of the Day (word cloud): RFC 2307, PAM, NSS, sudo, su, DNS, users, POSIX, security
Building Blocks
The Wheel
• Let’s not reinvent it
Operating System (AIX)
The IdM engine bolts into the chassis.
Cloud Infrastructure
It runs on the highways.
Basic Building Blocks (best practices)
1. POSIX security controls
2. Directory services
Advanced Building Blocks
3. Mediation (a relatively new practice)
Building Blocks Conceptual
Building Block Actual
Building Blocks - AuthN
Pluggable Authentication Module
• Authentication
• Coarse-grained Authorization
Just an authN service
Building Blocks - AuthZ
sudo
Just an authZ service
Building Blocks – Reporting
Name Service Switch
• Used by Unix processes to look up user and group info
Just a lookup service
What is LDAP
Building Blocks - LDAP
System of record for:
• Users
• Passwords
• Groups
Just a system of record
Building Blocks - Mediator
• Keeps the machines and LDAP in sync as things change.
Mediator
1. Machine added to the network, notifies the mediator
2. Based on policies stored in the DB
3. Updates LDAP accordingly
Mediator == IdM
Requirements:
1. Provisioning
2. Parameterized Roles
3. Organizational Controls
4. Self-service
5. Approvals
6. Workflow
Resources & Connectors
Users & Accounts
Provisioning
Governance defined:
• High-level business processes, business rules, policies, organizational structures
• Combines with low-level identity management processes like data synchronization, system integration, data formats, data transformation, network protocols
Governance Controls, for example:
• Access Certifications
• Approvals & Notifications
• Audit Trail
• Organizational Controls
• …
Governance Controls (continued)
• Policy Rules (limits)
• Remediation
• Role
  – Catalogs
  – Constraints
  – Controls
  – Lifecycles
Open Source IdM Products (lacking standards)
1. midPoint
2. Apache Syncope
3. Æ-DIR
4. OpenIDM
5. WSO2 Identity Server
midPoint Introduction
Requires:
• Java version 8
• Java servlet container
• Relational database
Uses:
• Spring Framework – component wiring
• Apache Wicket – user interface
• ConnId – common connectors
(any)
midPoint as the Mediator
Bypass the GUI; communicate directly with the REST APIs via the Model.
Security Model – Requirements
amsouth --------- m1001 m1002 m1003 …
afnorth --------- m2010 …
aspac --------- m3100 …
Three Kinds of Security Checks
1. Authentication with LDAP
2. Coarse-grained authZ (PAM): memberOf target machine, i.e. LDAP group name == hostname
3. Medium-grained authZ (sudo): memberOf at least one of
   – Admin – root access
   – User – typical user access
   – Auditor – read-only access to the entire machine
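The three checks above, evaluated in order against an in-memory stand-in for the LDAP tree. This is an added example, not code from the talk or from PAM/sudo: the group naming follows the slides (machine group cn == hostname, security-role groups such as m1admin), but the "m1"/"m2" set prefixes, the users (Curly, Moe and Larry from the demo slide plus a constructed "shemp"), their passwords and the salted-hash scheme are all constructed for the demo.

```python
"""Added example (not from the talk): the three checks of the security model,
LDAP authentication, then the PAM-style machine-group check, then the
sudo-style security-role check, evaluated against an in-memory stand-in for
the LDAP tree."""
import hashlib
import hmac
import os

PREFIX = "{SSHA256}"   # demo scheme in the spirit of OpenLDAP's {SSHA}; constructed


def make_password(password: str) -> str:
    """Salted hash as it would be stored in userPassword (constructed scheme)."""
    salt = os.urandom(8)
    digest = hashlib.sha256(salt + password.encode()).digest()
    return PREFIX + (salt + digest).hex()


def check_password(stored: str, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored salted hash."""
    raw = bytes.fromhex(stored[len(PREFIX):])
    salt, digest = raw[:8], raw[8:]
    computed = hashlib.sha256(salt + candidate.encode()).digest()
    return hmac.compare_digest(computed, digest)


# --- constructed directory contents (stand-in for ou=People / ou=Groups) ---
PEOPLE = {                      # uid -> userPassword (posixAccount entries)
    "curly": make_password("curly-pass"),
    "moe":   make_password("moe-pass"),
    "larry": make_password("larry-pass"),
    "shemp": make_password("shemp-pass"),
}
GROUPS = {                      # cn -> member uids (posixGroup entries)
    "m1001": {"curly", "moe", "larry"},   # machine groups: cn == hostname
    "m1002": {"curly", "moe", "larry"},
    "m2010": {"shemp"},
    "m1admin":   {"curly"},               # security roles for machine set m1
    "m1auditor": {"moe"},
    "m2user":    {"shemp"},
}
# set prefix -> hostnames; the prefix naming (m1 -> m1admin) is an assumption
MACHINE_SETS = {"m1": {"m1001", "m1002", "m1003"}, "m2": {"m2010"}}
ROLES = ("admin", "user", "auditor")    # checked in this order


def authenticate(uid: str, password: str) -> bool:
    """Check 1: the equivalent of an LDAP simple bind as the user."""
    stored = PEOPLE.get(uid)
    return stored is not None and check_password(stored, password)


def machine_access(uid: str, hostname: str) -> bool:
    """Check 2 (PAM): member of the LDAP group whose name is the hostname."""
    return uid in GROUPS.get(hostname, set())


def role_on_host(uid: str, hostname: str):
    """Check 3 (sudo): which security role of the host's machine set the user
    holds, or None. Role group cn = set prefix + role, e.g. m1admin."""
    for prefix, hosts in MACHINE_SETS.items():
        if hostname in hosts:
            for role in ROLES:
                if uid in GROUPS.get(prefix + role, set()):
                    return role
    return None


def login_decision(uid: str, password: str, hostname: str):
    """Run the checks in order and stop at the first failure.
    Returns (allowed, role-or-reason)."""
    if not authenticate(uid, password):
        return False, "authentication failed"
    if not machine_access(uid, hostname):
        return False, f"not a member of group {hostname}"
    role = role_on_host(uid, hostname)
    if role is None:
        return False, "no security role for this machine set"
    return True, role


if __name__ == "__main__":
    for uid, pw, host in [("curly", "curly-pass", "m1001"),
                          ("larry", "larry-pass", "m1001"),
                          ("shemp", "shemp-pass", "m1001")]:
        print(uid, host, login_decision(uid, pw, host))
```

Two details worth noticing: an unknown uid and a wrong password produce the same "authentication failed" result, so the login path does not reveal which accounts exist, and Larry is let through the machine-group check but stopped by the role check, which is exactly the gap the medium-grained layer exists to close.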
Four Types of Control Groups
1. Machine Sets (mediator)
2. Machines (PAM)
3. Security Roles (sudo)
4. sudo Roles (sudo)
1. Machine Sets
Used by the mediator to compute policies
m1set --------- m1001 m1002 m1003 …
m2set --------- m2010 m2020 m2030 …
m3set --------- m3100 m3200 m3300 …
2. Machines
Used by PAM
3. Security Roles
sudo needs this
4. sudo Roles
sudo needs this
Policy Combiner: user, role and machine set
m1set --------- m1001 m1002 m1003 …
m2set --------- m2010 m2020 m2030 …
m3set --------- m3100 m3200 m3300 …
Roles: admin, auditor, user
The mediator can do this
Pick Two
Data Model
LDAP Data Model
Employ standard object schemas
1. RFC2307bis
– posixAccount
– posixGroup
2. sudoRole
3. groupOfNames
RFC2307bis
Covered here before
• LDAPCon 2015, Edinburgh
• DBIS: Directory-Based Information Services
• Mark R. Bannister
• link to slides
• link to paper
Use RFC2307bis LDAP Schema
LDAP Data Model
Hierarchical
Machine Set M1
dn: cn=m1set, ou=Groups, ...
# objectClass was not shown on the slide; groupOfNames, the third schema in the LDAP Data Model list and the one that carries member, is assumed
objectClass: groupOfNames
description: Machine Set 1
member: cn=m1001,...
member: cn=m1002,...
member: cn=m1003,...
…
Machine M1001
dn: cn=m1001, ou=Groups, …
objectClass: posixGroup
description: Machine Group M1001
member: uid=curly,ou=People,…
member: uid=frank,ou=People,…
member: uid=marla,ou=People,…
…
Security Role M1Admin
dn: cn=m1admin, ou=Groups, ...
objectClass: posixGroup
description: Admin Machine Set 1
cn: m1admin
member: uid=curly,ou=People,...
member: uid=frank,ou=People,...
member: uid=marla,ou=People,...
…
sudo LDAP Schema
objectclass ( 1.3.6.1.4.1.15953.9.2.1
    NAME 'sudoRole' SUP top STRUCTURAL
    DESC 'Sudoer Entries'
    MUST ( cn )
    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser
          $ sudoRunAsGroup $ sudoOption
          $ sudoNotBefore $ sudoNotAfter
          $ sudoOrder $ description )
    )
sudo M1Admin
dn: cn=admin access to m1,ou=sudo,dc=example,dc=com
objectClass: sudoRole
cn: admin access to m1
sudoUser: %m1admin
sudoHost: m1001
sudoHost: m1002
sudoHost: m1003
sudoHost: m1004
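The mediator steps (machine joins, policy looked up, LDAP updated), the policy combiner (user + role + machine set) and the four entry types shown on the data-model slides, worked through as one added example. This is not midPoint code: the LDAP tree is a Python dict of DN to attributes standing in for OpenLDAP, the base DN dc=example,dc=com and the naming (m1set, m1001, m1admin, "admin access to m1", sudoUser %m1admin) are taken from the slides, while deriving the "m1" prefix from the set name, the description text and the sudoCommand: ALL on the admin sudoRole (root access, as the security-model slide describes admins) are assumptions made here.

```python
"""Added example (not from the talk or midPoint): a minimal policy combiner
playing the mediator. Input: user, security role, machine set. Output: the
group and sudoRole entries of the data-model slides, held in a dict that
stands in for the LDAP tree."""

BASE = "dc=example,dc=com"          # base DN from the sudo slide
ROLES = ("admin", "user", "auditor")


def new_directory(machine_sets):
    """Seed the tree: one groupOfNames per machine set, one posixGroup per
    machine (cn == hostname, which is the group PAM checks)."""
    d = {}
    for set_cn, hosts in machine_sets.items():
        d[f"cn={set_cn},ou=Groups,{BASE}"] = {
            "objectClass": ["groupOfNames"], "cn": [set_cn],
            "member": [f"cn={h},ou=Groups,{BASE}" for h in hosts]}
        for h in hosts:
            d[f"cn={h},ou=Groups,{BASE}"] = {
                "objectClass": ["posixGroup"], "cn": [h], "member": []}
    return d


def _set_prefix(set_cn):
    """'m1set' -> 'm1', so role groups become m1admin etc. (naming assumed)."""
    return set_cn[:-3] if set_cn.endswith("set") else set_cn


def _add_value(entry, attr, value):
    """Multi-valued attribute add that is idempotent, like a second ldapmodify."""
    if value not in entry.setdefault(attr, []):
        entry[attr].append(value)


def set_hosts(directory, set_cn):
    """Hostnames of a machine set, read back from the groupOfNames members."""
    members = directory[f"cn={set_cn},ou=Groups,{BASE}"]["member"]
    return [m.split(",")[0][3:] for m in members]      # "cn=m1001,..." -> "m1001"


def assign(directory, uid, role, set_cn):
    """Policy combiner: user + role + machine set -> LDAP updates."""
    assert role in ROLES
    user_dn = f"uid={uid},ou=People,{BASE}"
    prefix = _set_prefix(set_cn)
    # 1. machine groups, one per host in the set (coarse-grained check, PAM)
    for host in set_hosts(directory, set_cn):
        _add_value(directory[f"cn={host},ou=Groups,{BASE}"], "member", user_dn)
    # 2. security-role group for the set (medium-grained check, sudo)
    role_cn = f"{prefix}{role}"
    entry = directory.setdefault(f"cn={role_cn},ou=Groups,{BASE}", {
        "objectClass": ["posixGroup"], "cn": [role_cn],
        "description": [f"{role.capitalize()} Machine Set {prefix}"], "member": []})
    _add_value(entry, "member", user_dn)
    # 3. admins get a sudoRole granting root on every host of the set
    if role == "admin":
        sudo = directory.setdefault(f"cn=admin access to {prefix},ou=sudo,{BASE}", {
            "objectClass": ["sudoRole"], "cn": [f"admin access to {prefix}"],
            "sudoUser": [f"%{prefix}admin"], "sudoHost": [],
            "sudoCommand": ["ALL"]})   # not on the slide; assumed for root access
        for host in set_hosts(directory, set_cn):
            _add_value(sudo, "sudoHost", host)


def add_machine(directory, set_cn, host):
    """A new machine notifies the mediator: compute its group from the set's
    role groups and extend the admin sudoRole, so no one edits LDAP by hand."""
    prefix = _set_prefix(set_cn)
    host_dn = f"cn={host},ou=Groups,{BASE}"
    _add_value(directory[f"cn={set_cn},ou=Groups,{BASE}"], "member", host_dn)
    members = []
    for role in ROLES:
        role_entry = directory.get(f"cn={prefix}{role},ou=Groups,{BASE}", {})
        for m in role_entry.get("member", []):
            if m not in members:
                members.append(m)
    directory[host_dn] = {"objectClass": ["posixGroup"], "cn": [host], "member": members}
    sudo = directory.get(f"cn=admin access to {prefix},ou=sudo,{BASE}")
    if sudo is not None:
        _add_value(sudo, "sudoHost", host)


def members_of(directory, cn, ou="Groups"):
    """uids (or cns) of the members of a group, for inspection."""
    members = directory[f"cn={cn},ou={ou},{BASE}"]["member"]
    return [m.split(",")[0].split("=", 1)[1] for m in members]


def to_ldif(directory, dn):
    """Render one entry as LDIF, the form the slides show."""
    entry = directory[dn]
    lines = [f"dn: {dn}"] + [f"{a}: {v}" for a, vals in entry.items() for v in vals]
    return "\n".join(lines)


if __name__ == "__main__":
    d = new_directory({"m1set": ["m1001", "m1002", "m1003"]})
    assign(d, "curly", "admin", "m1set")
    add_machine(d, "m1set", "m1004")
    print(to_ldif(d, f"cn=admin access to m1,ou=sudo,{BASE}"))
```

The point of add_machine is the one the mediator slides make: membership of a freshly instantiated machine's group is derived from the set's role groups, and the sudoRole's sudoHost list grows with the set, so access on the new host is consistent with its siblings the moment it registers.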
Solution
System Architecture
High-level Design
Mediator --->
Client Machines
Script runs during machine instantiation:
1. Binds PAM, sudo and NSS into the LDAP server.
2. Calls mediator to add or remove from machine set.
IdM ‘Server’
1. midPoint – mediator
   – HTML & HTTP admin services
2. PostgreSQL – master database – users, roles, orgs, svcs
3. OpenLDAP – security database – users, groups
   – posixAccount, posixGroup
Deployment
IdM machine#1 --->
<-dev machine#1
<-test machine#2
<-prod machine#3
IdM machine#2 --->
IdM machine#3 --->
hyper visor ---> …
Demo
Demo Scenario
Manage users and unix machines running in the cloud.
User-Role-Machine (demo: user to role to machine)
<----- Set 1 ------> <------- Set 2 ------> <----- Set 3 ----->
m1001 m1002 m1003 | m2010 m2020 m2030 | m3100 m3200 m3300
Curly: Admin Admin Admin
Moe: Auditor Auditor Auditor
Larry: User User User
Demo Environment
Google Apps connector
HCM connector (peoplesoft)
Open
Wrap-up
• Questions
Contact
Twitter: @shawnmckinney
Project: https://directory.apache.org/fortress
https://iamfortress.net
https://symas.com