seminar 01f - architecting the institutional directory service advanced issues, problems, and...
TRANSCRIPT
Seminar 01F - Architecting the Institutional Directory
ServiceAdvanced Issues, Problems,
and SolutionsPresented by Brendan Bellina and Rob
BanzOctober 23, 2007
Overview• Speaker Introductions• Overview of Enterprise Directory
Models and implemented systems at USC and UMBC
• Data Transport• Directory Schema Design• Commercial Identity Mgmt. Products
Overview (cont.)• Controlling Access• Monitoring Performance• Directory Administration Tools• Directory Replication and
Synchronization• Authentication Services• Authorization Services• Managing Attribute Release
Overview (cont.)
• Directory Team Staffing• Additional Issues to Consider• Future Advancements• Institutional Policies• Inter-institutional Collaborative
Resources• Questions
Speaker Introductions
Brendan BellinaIdentity Services Architect, USC• Background in Financial Software
Development and Data Warehouse Design• Active in Higher-Education Identity
Management / Directory Services since 2001
• Designed and implemented the Enterprise Directory Service at the University of Notre Dame (2001-2004) http://eds.nd.edu
• Architect of USC Global Directory Service (2005-current) http://www.usc.edu/gds
• Presentations and online materials available at http://its.usc.edu/~bbellina
Robert Banz, UMBC
• Director, Computing Infrastructure, UMBC.
• Background in UNIX systems engineering and software architecture.
• Likes making things work together that aren’t supposed to…
• Architect of UMBC’s Enterprise Directory / IDMS ( 2000 - present )
• Presentations available at http://umbc.edu/~banz
NMI Middleware DiagramQuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.
QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.
PolicyData Collection Multiple Systems of Record
Identity Resolution Registry Functions
Data Migration Metadirectory scripts; Provisioning
Entry/Attribute Access and Release
LDAP Access Controls, Shibboleth ARP’s
Data Consumers LDAP designed for high-volume read, low-value write.
Applications, End-users, Application/NOS directories
Enterprise Directory Architectures
• Centralized EDS– Everything queries the central EDS– Central control– Performance bottleneck risk
• Replicated EDS– Replicate servers for performance– Small Risk of Data Latency
• Derivative directories– Distribute EDS data to stand-alone directories– Potential issues managing identities– Risk of data leakage and inconsistent access controls– Risk of Data Latency
Initial Implementation Plan• Production Hardware
– Redundancy– Security– Scalability– Monitoring– Availability– Performance– Recoverability
• Integrated Test/Development System(s)– Pre and Post Production Systems– Crash and Burn system
UMBC Server Architecture
UMBC Server Architecture
• Design with DR in mind!– Mirrored storage across datacenters for
important transactional data (registry, master directory, etc.)
– Easy to bring up on similar hardware when the time comes without losing changes
• Replicas– N+1. Be sure you can handle all of your
transactions if one is missing.– Hardware is cheap. Memory is cheap.
Overbuild now, and stay ahead of the curve.– Where’s the curve you ask? We’ll get to that.
UMBC Directory Architecture
UMBC Directory Architecture
UMBC Directory Architecture
UMBC Directory Architecture
UMBC Directory Architecture
• Future growth and projects– PeopleSoft Student Administration– Grouper-based Ad-Hoc Group Mgmt.– Expand physical access control integration– Logging & Diagnostics– Expanded services to alternative
populations(alumni, pre-admits, dropouts, etc)
• …and others that I can’t imagine yet.
Data Transport
Batch Pros and Cons
• Periodic processes are easier to support
• Periodic processes are easier to update• Batch processes allow looser
integration testing• Data Latency• Performance spikes• Effective delay of service
Real-Time Pros and Cons
• Shorter delays in processing• Transactions are spread-out
(generally) allowing smaller systems• Like spam, it never stops• Harder to test, support, and maintain
Why Batch Processes Cannot be Avoided
• Handling Time-triggered events requires a batch process
• Academic calendar often involves large quantity of transactions on specific dates
• Batch practices of SORs (imports, mass changes)
Data Extract Issues• Codes in tables or Values in entries
– Transaction systems often use codes– End services often require values. Standard
LDAP attributes are expected to be values.– Single changes in code tables may result in
many updates to values in entries– Values in entries alone may not provide
enough information for data selection
• Invalid data in source systems• Should directory be insulated from source
system table structures?
USC Data Transport• Batch components
– Account creation process for Members– Employee system updates to Registry– Sync between Account System and GDS– Sync between Person Registry and GDS– Rebuilding GDS groups and permissions– VIP authorized services feed between
iVIP and metadirectory
USC Data Transport• Real-time components
– Identity creation in Person Registry from Student System
– Identity creation in Person Registry from Employee System
– Identity creation from Guest/Affiliate “iVIP” system
– Update of ID card information from USCard system
– Creation of Sponsored User Accounts “SASU”
UMBC Data Transport
• Real Time Components– Student Status / Enrollment Changes– ID Card issuance ( Mag Strip / Library Card #)– Self / Administrative initiated changes
• Identity creation for new faculty/staff *• Identity creation for affiliates (guests, etc.)• Account creation / activation• Directory information updates
– Back-feeds of CampusID data
UMBC Data Transport
• Batch Components– CMS (Blackboard) Course Creation and
Enrollments– Faculty / Staff Identity Updates– Data feeds to Library
Directory Schema Design
Schema Topics
– Directory Information Tree (dn format, depth)
– People– Accounts– Groups– Permissions– Standard Object Classes– Schema extensions (Get your OID on!)– Indexing
Directory Design Decisions To Be Made
• DIT – Tall or Flat• Lots of attributes (“thick”) or only identifiers
(“thin”)• dn and rdn format• Direct or proxied update access• DS mastered content - entries & attributes• LDAP as password store• Duration / Permanence of directory entries and
identifiers• People vs. Accounts• Groups (subgroups, roles, dynamic groups, static
groups, managed groups, exceptions, personal groups, etc.)
DIT Architecture
Tall & Spiky Flat
ou=Academic
ou=Sciences ou=Arts & Letters
ou=Physics ou=Chemistry
ou=People ou=Groups
ou=Philosophy
Why not Tall & Spiky?
• Not amenable to people being in multiple organizational units simultaneously
• Not efficient when people move between organizational units frequently
• Not efficient when organizational hierarchy changes occur
Distinguished Name (dn) format• Issues
– Useful for LDAP enabled apps– Visible if any attribute in the entry is visible– Must be unique within scope– Benefits in being persistent, non-reassignable, and
opaque
• Standards– X.500 naming (based on geographical location)
• cn=Bullwinkle Moose, ou=people, o=Wossamotta U, st=Confusion, c=US
– Domain Component naming (most commonly used)• cn=Bullwinkle Moose, ou=people, dc=Wossamotta, dc=edu
• Relative Distinguished Name selection– uid, cn, directory id, or something else?
USC Decisions - General• dn: dc naming using unique directory id as
rdn• Flat DIT. Thick entries.• Central authN/authZ “where possible”• Single system for identities - Person Registry• Registry is “Cradle to Grave” or “Womb to
Tomb” eventually• Require use of service dn’s for LDAP-enabled
applications• Passwords in Kerberos rather than LDAP
where possible
USC Decisions - General
• Allow multiple accounts per person, but move to establish “NetID” for enterprise services
• Use of post-business-rule data source “signatures”
• Directory contains people who receive or have received electronic services
• Neither Registry nor Directory provide reporting services
• Groups for authorization, with group memberships and authorizations reflected in member entries
USC Decisions - People• People entries (ou=people)
– Use of standard eduPerson object class and creation of uscEduPerson object class
– An entry is created for each identity in the Person Registry that requires electronic services. Entries may be deactivated when service ends, but never deleted.
– People entries may be publicly accessible via LDAP protocol to allow use with email clients.
– People entries have no credentials or login capability.
– Example: uscrdn=usc.edu.scbs5rm6,ou=people,dc=usc,dc=edu
– http://eds.nd.edu/cgi-bin/nd_ldap_search.pl?ldapurl=gds-ldap.usc.edu:389/uscrdn=usc.edu.scbs5rm6,ou=people,dc=usc,dc=edu&ldapheadattr=displayname&displayformat=generic
USC Decisions - Accounts• Account entries (ou=accounts)
– Use of standard posixAccount object class and creation of uscAccount object class
– An entry is created for each active enterprise Unix account. These are intended to be used only by Unix services. Entries may be deactivated when service ends, but never deleted.
– An “aggregate” account is created based on username for each set of Unix accounts a person has. Usually a person has a single aggregate account. This is intended to be used by Shibboleth and LDAP-enabled services.
USC Decisions - Accounts• Account entries (ou=accounts)
– A “privilege” account is created for non-Unix services, is attached to a sponsor’s person entry, and is restricted to a single application. This can accommodate LDAP-enabled applications that use reserved account names - like “sa” or “admin” or provide limited access to services for non-people (like vendors).
– No account entries are visible publicly. They are visible to the owner.
– LDAP-enabled apps that construct dn CANNOT WORK
– Example: uscrdn=usc.edu.scdv5wtq6,ou=accounts,dc=usc,dc=edu
USC Decisions - Groups• Group entries (ou=groups)
– Use of standard groupOfUniqueNames object class and creation of uscGroupEntry object class
– Static groups are used rather than dynamic groups. Members of groups can be person or account entries, but not other groups.
– Groups may be rule-based. The rule is defined as an LDAP filter. Rule-based groups are reconstructed each business day.
– Groups may have any number of inclusion or exclusion groups that are applied to their membership. Inclusion and exclusion groups are manually administered. Groups that have dependencies on inclusion or exclusion groups are reconstructed each business day.
USC Decisions - Groups• Group entries (ou=groups)
– Authorizations are controlled via groups. Shibboleth entitlements, eligibilities, and membership of a group are maintained in member attributes to facilitate use by Shibboleth, in group-math-based LDAP filters, and in directory access controls.
– No group entries are currently visible publicly, although it is possible for a group to be defined as public.
– Example: uscrdn=usc.edu.scmb9tg2,ou=groups,dc=usc,dc=edu
UMBC Decisions
• dc= naming(our public directory has it…)
• Registry has a long history (back to 1980 for students!)
• Passwords in Kerberos, but synchronized to LDAP for other uses.
• Group membership *or* attribute definitions may determine authorization. (e.g. affiliation=student makes you eligible for certain services such as a computer “account”)
• No “self modify” of entries except through approved applications
UMBC Decisions
• ou=People– You can “bind” (authenticate) as a person– Most applications are using a “person’s” rights
for authorization data (shibboleth, etc)– dn’s are opaque:
(guid=6cbfa31e-6e14-11d4-9669-8020cd7816,ou=people,…)
• ou=Accounts– can “bind” as an account too!– dn’s aren’t opaque :(
(uid=banz,ou=accounts,…)
• Problem: primary account objects and their owner should be merged.
UMBC Decisions
• Groups– Appear in a few places in the DIT
• ou=Courses– Trees of groups for each semester containing course
enrollment. Used for lab access control, Blackboard course population, dynamic email lists, etc.
• ou=Applications– Application-specific group trees
• ou=Departments– Group trees for specific university departments
• ou=Radius– Groups used by our radius servers for VPN access
UMBC Decisions
• Two kinds of groups…– standard (groupofuniquenames)
• Used by external applications
– Extended (umbcgroupofuniquenames)• Used by internal applications• Can contain nested groups (internal applications
know how to grok them)
• Future?– These should/will both be replaced with groups
generated from
Standard Object ClassesUsed at USC:• top• person• organizationalPerson• inetOrgPerson• eduPerson• posixAccount• groupOfUniqueNames• eduCourse
Schema Extensions
• Step One: Get an OID assignment for your institution from IANA
• Step Two: Create new objectclasses for new attributes
• DO NOT make up or reuse an OID• DO NOT modify a standard objectclass• DO NOT populate standard attributes
in non-standard ways
USC Schema Extensions• For all directory entries:
– uscDirectoryEntry objectclass
• For people entries:– uscEduPerson objectclass– uscMailRecipient objectclass– uscEduCourse objectclass
• For account entries– uscEduPerson objectclass– uscAccount objectclass
• For group entries– uscGroupEntry objectclass
uscDirectoryEntryobjectclasses: ( 1.3.6.1.4.1.13363.3.2.1 NAME 'uscDirectoryEntry' DESC 'USC Directory Entry Object Class' SUP top AUXILIARY MUST ( uscGuid $ uscRDN $ uscPvid $ createTimestamp ) MAY ( uscEntryNote $ uscEntryStatus $ uscEntryExpirationDate $ uscEntrySource $ uscEntryUsage $ uscEntryCategory $ uscEntryCreateDate $ uscEntryDeactivationDate $
uscEntryReleasePolicy $ uscAttributeReleasePolicy $ uscAuthEligible $ uscAuthEligibleDN $ uscEntrySignature $ uscHistoricalPvid $ uscOwnerPvid $ creatorsName $ modifyTimestamp $ modifiersName $ searchguide $ labeledURI $ owner $ description $ userPassword ) X-ORIGIN 'user defined' )
uscGroupEntryobjectclasses: ( 1.3.6.1.4.1.13363.3.2.5 NAME 'uscGroupEntry' DESC 'USC uscGroupEntry Object Class' SUP groupOfUniqueNames STRUCTURAL MUST ( uscGroupType ) MAY ( owner $ uscGroupMember $ uscGroupRule $ uscGroupRuleComponent $ uscGroupIncludeDN $ uscGroupExcludeDN $ uscGroupOptInDN $ uscGroupOptOutDN $ uscGroupSelfOptOut $ uscGroupEnrollmentType $
uscGroupCategory $ uscGroupLevel $ uscGroupOwner $ uscGroupOwnerProxy $ uscGroupManager $ uscGroupSponsor $ uscGroupMemberAuthEligible $ uscGroupMemberAuthEligibleDN $ uscGroupMembershipListVisibleToMembers $ uscGroupKeyword $ uscGroupIsNestable $ uscGroupUniqueMemberSignature $ uscGroupMembershipAttributeControl $ uscGroupExcludeOverrideDN $ uscGroupMemberEntitlement ) X-ORIGIN 'user defined' )
Commercial ID Mgmt. Products
• Available in bundled “suites” including– Directory Server product– Web SSO solution– Metadirectory / Provisioning system
• Many out there -- similar problem space
Sun IDM
• Works well with Sun Java* Directory Server
• Sun Access Manager– You’d rather use Shibboleth
• No java included.
Sun IDM
• Java-based web service• Provides both an administrative and
user portal to various functions• Heavy focus on provisioning
– Fully fleshed out collection of connectors for various ERP products, directories of an active sort
• Great for reconciling and synchronizing across various existing account silos
Sun IDM
• Can it really solve all of my problems?Probably not.
• People-registry building is really best left to external processes
• Account lifecycle, policy-based provisioning, population of application specific directories, and password synchronization are its strengths.
Controlling Access
Directory Access• Direct access via LDAP/LDAPS
– Directory Access Control Lists / Instructions• Netscape / iPlanet / Sun uses ACI’s
# Allow all access to the Directory Administrators Groupaci: (targetattr ="*") (version 3.0;acl "Directory Administrators Group"; allow (all) (groupdn = "ldap:///cn=Directory Administrators,
dc=usc,dc=edu") ; )#
Access to an entry is based on attributes of the entry. Group membership is not an attribute unless you create one like isMemberOf and populate it.
Directory Access
• Proxied access– Shibboleth ARP’s
<AttributeReleasePolicy>
<Rule>
<Target>
<Requester>ServiceProvider</Requester>
</Target>
<Attribute name=“urn:attributeURN”>
<AnyValue release=“permit”|“deny” matchFunction=
“urn:functionURN”>attributeValue</Value>
</Attribute>
</Rule>
</AttributeReleasePolicy>
Directory Access• Shibboleth Rule Constraint (USC authored patch for
Shibboleth 1.3; included in 2.0)<Constraint attributeName=“urn:attributeURN”
matchFunction=“urn:functionURN”
matches=”(any|all|none)”>value</Constraint>
This allows Shibboleth to restrict attribute release to a Service Provider based on attributes of the entry. This mimics the capabilities of Directory ACI’s.
See http://its.usc.edu/~bbellina/gds/software/shibboleth/ShibbolethRuleConstraint.pdf
USC Access Decisions
• Public entries should not have credentials - reduces risk of brute-force password attack
• End-user web applications should not handle user passwords– Promote use of Shibboleth rather than LDAP– Promote use of iVIP and SASU rather than
local user accounts– Discourage creation of alternate user stores
UMBC Access Decisions
• Web-Based Applications should not handle their own logins– With certain exceptions, of course– Currently using in-house WebISO
(WebAuth)– Shibboleth for external providers
• Other services (IMAP, host logins, etc) should use Kerberos if possible, LDAP if not.
NMI Shibboleth
Shibboleth is…• An open source SAML-based Web SSO package
– Provides both intra- and inter-campus Web SSO– Privacy Preserving– Attribute Delivery– Supports federation model
• Relies on pre-existing authentication and attribute sources.– Authentication done against existing system– Attributes obtained from existing System “Attribute Authority”
• SP is Apache and MS IIS compatible• free to use and customize• Version 1.3 available since 2005, supports SAML 1.1 spec• Version 2.0 currently in alpha testing, supports SAML 2.0
spec
Adoption in Higher-Ed
• Finland• Sweden• Denmark• Germany• Switzerland• Greece• The Netherlands
• Belgium• France• Spain• United Kingdom• Australia• New Zealand• United States
Why Shibboleth?– Use same SSO for intra- and inter-
campus– Easy evolution from:
• Intra• Local partners• Federated
– SP support for different web servers– Increasingly, campus applications need
attributes for personalization and access control
– Privacy Preserving
Shibboleth and USC
Configuring Shibboleth to Preserve Privacy
• No attributes released through Shibboleth by default
• Well-defined Attribute Request Process supported by Data Stewards
• Shibboleth does not release attributes for non-authorized users (via Rule Constraint Patch)
• Shibboleth can prevent access by anonymous Service Providers (via USC patch, default in Shibboleth 2.0)
• Release entitlement rather than attributes• Name-based identifiers replaced with persistent
non-name-based id’s (uscPvid, eduPersonTargetedId) wherever possible
• Confidentiality respected (via Rule Constraint)
Use Shibboleth for…• Information about the user accessing the web
application• Authentication using enterprise account without the
application handling the enterprise password• Authorization using pre-established populations
defined based on SOR data and managed exceptions• Single sign-on (SSO) experience• Extension of services to EDS user populations -
students, staff, faculty, affiliates (through iVIP) and future populations (prospects, admits, alumni, parents, donors, etc.)
• Federated integration with other Shibbolized institutions
Use LDAP rather than Shibboleth for…
• Information about users who are not the user logging in to the web application
• Information about groups• For non-Shibbolizable applications, provides
Authentication using enterprise credentials (single account, though not single sign-on)
• For non-Shibbolizable applications, provides Authorization using pre-defined populations
• Server queries to the Enterprise Directory
Using Shibboleth and iVIP to Extend eServices to
Affiliates• User is sponsored in iVIP which establishes a Person Registry entry and allows the assignment of USC services.
• User uses the USC First Login web page to establish a link between their home institution account and the USC iVIP account.
• User authenticates at home institution but is authorized by USC IdP to access USC services. USC assigned identifier is provided to the USC service, not the home institution identifier.
Monitoring Performance
Why Monitor Performance?• Availability It’s up… isn’t it?
Directories often require 7x24 availability• Responsiveness It’s fast enough… maybe.
Directories often require extremely fast response and can be affected by unplanned usage through public interfaces
• Scalability We can handle that… I think.
Structural changes, indices, increases # of entriesor # of attributes or # of queries may affect performance.
Metrics to Monitor
Response timeConnection requestsBind requestsBind errorsSearch requestsSearch errorsAvg count & size of search resultsDirectory Cache Hits
Directory Cache Tries
Bind response time
Search response time
Current connections
Avg connection length
Current binds
Current searches
# Bytes transmitted
# Entries transmitted
Methods to Monitor
• LDAP query• LDAP log monitoring• Directory Probing• Existing Free Utilities
– Orca - open source tool for monitoring OS– Look - LDAP operational Orca "k"ollector– Cacti - open source tool for monitoring OS
via SNMP
Directory Administration Tools
Directory Administration Tools
• USC– ACI’s and schema managed via LDIF– Perl admin scripts for querying, adding
attributes to entries, replacing attributes in entries, modifying group membership
– Plans to write a web utility for group creation and maintenance
– Plans to write a web utility to allow departments to manage group memberships
Directory Administration Tools
• UMBC– Sun One Directory Server Console
(it’s almost usable again…)
– Custom web applications for administration and self-service
– Perl, perl, perl. (and a little bit of java)
– Exploring Grouper & Signet for advanced group and role management
Directory Replication and Synchronization
Replication / Synchronization
• Why?– Redundancy– Capacity– Isolation of heavy directory consumers
(e.g. mail servers query their own replicas)
• What?– The whole directory, or just some…
Replication / Synchronization
• Whole directory replicas…– “built in” to most modern directory
servers• OpenLDAP, Sun JDS, Active Directory, etc.
– Replicas are typically “read only”– Some support “multi-master” replication
• Some do it well (Active Directory), some not so well…
Replication / Synchronization
• Partial / Filtered Replication… Why?– An application may only need one subtree of
the DIT (e.g. mail routing)– A “white pages” directory with restricted
information (outside of a firewall)– An application may need to have information
represented in a “special” way (boo!)– An application may only work against “brand
y” directory and you have “brand x” (tsk tsk!)
Replication / Synchronization
• How ?– Some products have the ability to filter
attributes and/or subtrees.– Want to do something more complicated?
• Sun JDS has query-able “changelog” that can advise you when a directory object has been modified to trigger a synchronization operation
• UMBC does it’s real-time external feeds through monitoring for interesting changelog events.
• Write code to do something as simple as comparing/updating an object on a remote directory to transforming attributes, groups, etc…
Authentication Services
Internal Authentication
• userPassword attribute• Password can be encrypted using
several encryption algorithms, although required compatibility with services may limit the choices
• LDAP bind operation• LDAP compare operation
External Authentication
• Passing authentication to Kerberos– Free directory plug-ins for iPlanet/Sun
available• University of Notre Dame• Duke• USC (currently available on request, will
eventually be released as open-source)
Authorization Services
USC Directory Enforced AuthZ
LDAP-enabled applications use ACI’s to constrain the application service account so that authorized user entries are accessible– Group defines the authorized users of the
application. Each member entry has eligibility attributes set - uscAuthEligible, uscAuthEligibleDN.
– Application is assigned a service account that is constrained by an ACI to see only the entries with the uscAuthEligibleDN value for the application.
– Uses wildcards to allow a single ACI to handle most constrained application service accounts.
– Use an ACI to prevent constrained apps from seeing publicly visible entries
Managing Attribute Release
Attribute Release• Consider impact of FERPA and
HIPAA. Make sure that applications are not passing data on to other applications or displaying protected data inappropriately.
• Keep track of what is released to who so that impacts are known when directory changes must be made
• Make it easy on yourself: default == deny.
Attribute Release Mechanisms
Releasing attributes via LDAP service accounts– Use service accounts and ACI’s to limit attribute
release to those applications that require it.– Can be used to retrieve attributes about any visible
entries.– Mapping to groups via LDAP may be used to reduce
the need to propagate group information to applications.
Releasing attributes via Shibboleth– Attributes for the user logging in are released.
Shibboleth normally not used to retrieve attributes about other users, groups, or other directory objects.
Attribute Release Mechanisms
Provisioning– Directory log watcher used to provision to
an external directory real-time– Using signature attributes to facilitate
provisioning of static groups
Federalization (via Shibboleth)– Releasing local attributes to remote
Services– Releasing local attributes about remote
guests
Directory Team Staffing
USC Directory Technical Team• 1 FTE Identity Services/Directory Architect
• 1 FTE Sr Developer focused on Registry• 1 FTE Technical Analyst focused on
Shibboleth, Directory Design, Metadirectory Functions, Application Integration
• 1 FTE Sr Application Developer• 1 FTE Developer• 2 FTE Sr Account System Administrators• Open - 1 FTE Sr Developer for Web Services
• Note: Hardware and OS support are managed by resources in another department.
UMBC Directory Team
• 1 FTE IDMS Architect / Integrator• 1 FTE Junior Developer (open!)• … other intrepid souls in our
department and others picking up tasks such as:• Identity Resolution issues• Managing identities of campus affiliates
Additional Issues to Consider• Not a “safe” career path
– Saying “no” in higher-ed is unhealthy. Even saying “no without data steward approval” is unhealthy when in central IT.
• Compatibility with all applications is not achievable– dn syntax– Use of service accounts– Use of Shibboleth
• Application Administrators are always a problem– Special accounts– Special privileges– Poorly managed
Future Advancements
• NMI Grouper– Groups Registry
• NMI Signet– Privileges Registry
• NMI Shibboleth 2.0– SAML 2.0 compliant web SSO product
that supports a federalized model and privacy protection
Institutional Policies to Consider
Institutional Policies• Release of data should require data steward approval
– Risk: They’ll stop giving you data
• Registry should not be used for reporting or end-user access– Risk: Access Controls between Registry and Directory may be
impossible to sync, so you may release data inappropriately. Performance may suffer.
• Access Controls should be in the directory– Risk: Applications will use whatever data they can get. Honey
pots of identity information will exist on department servers that are likely to be poorly managed and secured.
• Applications should not pass data to each other– Risk: Understanding of what apps are using what data will be
lost. Data stewards will lose trust and stop providing data. Cripples ability to make changes in the directory which could lead to being non-standard.
Institutional Policies• Authorization should be required
– Risk: Authentication alone forces applications to do authorization. This will cause problems when you expand the population of the directory. It also makes it impossible for an audit to determine who has what authorizations. It also requires the continued bad practice of data stewards shipping data to end-user apps.
• Know who is using what attributes– Risk: Directory changes are inevitable. If you do not
know who is using what you will be unable to make changes without knowing the impacts.
• Follow standards wherever possible– Risk: Following standards is the safest way to ensure
compatibility with the widest possible array of applications and services. If an application cannot use your enterprise directory they will build their own.
Institutional Policies• Applications should only be given persistent
identifiers that are never reissued– Risk: Applications may have different purge practices. The
reuse of identifiers risks a person getting inappropriate access to another person’s records.
• Anonymous access should not allow access to FERPA or otherwise private information– Risk: Privacy needs to be protected. In addition if a service
tries to use the public interface to the directory without approval for their application it will not work for FERPA and private people, which will eventually force them to seek appropriate approval.
• Do not delete entries from the Registry or Directory– Risk: Identifiers may be mistakenly reissued. A person
returning may not be recognized and given new identifiers. This means though that when people return privileges must be reexamined.
Inter-institutional Collaborative Resources
• MACE : Middleware Architecture Committee for Education
• MACE-Dir : MACE Directories Working Group
• NMI : National Middleware Initiative• Internet2• EDUCAUSE
Questions
Online Resources• USC Global Directory Service,<http://www.usc.edu/gds>• UMBC Directory, <http://www.umbc.edu/oit>• Notre Dame Enterprise Directory Service, <http://eds.nd.edu>• eduPerson object class, <http://www.educause.
edu/eduperson/>• Internet2 Middleware, <http://middleware.internet2.edu/>• ORCA software, <http://www.orcaware.com>• Look software, <http://middleware.internet2.edu/dir/look/>• Cacti, <http://www.cacti.net>• ND iDS Kerberos4/5 Plug-in, <http://eds.nd.
edu/docs/authnplugin>• Duke iDS Auth Plug-in, <http://www.oit.duke.
edu/~rob/krbdirp/>
Contact Information:
Brendan [email protected]://isd.usc.edu/~bbellina
Rob [email protected]://umbc.edu/~banz
Copyright 2006-2007 by Brendan Bellina and Rob Banz. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.