

  • Number of slides: 21

Identity Management in the Environment of Mendel University in Brno
Milan Šorm
26 March 2007, SDI 2007, ZČU v Plzni

Contents
  • University in numbers
  • Historical identity management
  • Ideal solution
  • University information system
  • Currently implemented situation
  • Known problems
  • Results
  • Future ideas

University in numbers
  • Medium-sized university
  • 12 000 students
  • 2 000 employees
  • 2 000 other users on campus
  • 4 faculties, 80 departments
  • 5 000 prepared network connections
  • 3 500 PCs
  • 50 user servers

Historical identity management
  • No centralized identity management
  • No policy for building servers, interconnecting department networks, accessing the network environment, creating accounts, or connecting information services to the network
  • More than 20 admins
  • Totally decentralized

Ideal solution
  • One set of account credentials per user
  • A policy for connecting all PCs, servers and services to the network environment
  • One place to define AAA for all services
  • Minimize the number of network admins
  • Centralized storage for data and profiles
  • Single sign-on
  • Maximum high availability

University information system
  • In the last 7 years we reconstructed all small IT services and production ISs into one central, complex information system with an integrated data warehouse
  • This information system can be the source of all information about our users and their credentials, rights, roles etc.
  • A single source of information

University information system
  • Public information portal

University information system
  • General object qualification principle: we can describe any group of objects (users, computers, departments, segments, roles, rights etc.) and identify them by IDs
  • We can put these groups into relations and so prepare a source of all AAA information
  • All of this information is dynamic
  • Example: students and schedules

Currently implemented situation
  • Many meetings with server and service administrators and IT departments led to one policy:
    • creating accounts (UIS based, algorithmized)
    • setting groups, rights and quotas through the Technology subsystem in UIS by power users (owners, specialists)
    • network access and the creation of new services are maintained through the central IT department

Currently implemented situation
  • Architecture diagram: University IS, Data warehouse, Primary LDAP server, LDAP replicas, Services

Currently implemented situation
  • UIS prepares all data for identity management in the central data warehouse (Oracle 10g)
  • Application logic stored in the DW (PL/SQL) creates and updates the primary LDAP server (OpenLDAP) with all credentials
  • The primary LDAP server pushes data to the LDAP replicas
  • All IT services are connected to one or more LDAP replicas for AAA services

Currently implemented situation
  • All faculty and university services are connected to this AAA infrastructure
  • For network access you need:
    • a computer registered through computer authorization in the UIS Technology subsystem
    • an account in the AAA infrastructure for network access (eduroam connector, dormitory network connector, public network access during conferences etc.)

Currently implemented situation
  • Consolidation of IT services:
    • centralized e-mail distribution system
    • centralized file server services
    • standardization of classroom installations
  • UIS knows each user's personalized policy: where the user reads e-mail, desktop information, file server connections, …

Currently implemented situation
  • Classroom computers access a central server farm for roaming Windows or Linux profiles
  • These profiles have defined scripts for attaching other resources
  • E-mail is passed through a distribution server which runs antispam and antivirus and distributes e-mail to the user's preferred e-mail server
  • Samba or AD solution; Linux PAM solution

Currently implemented situation
  • Information about allowed classrooms is stored in LDAP; Samba/Linux classroom servers or stations use it to manage the login process
  • All other information (home directory, roaming profile, other resources) is accessed through a dynamically created profile and scripts called from this profile
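As an added illustration that is not part of the presentation, the following Python models the flow described above: a constructed data-warehouse record is rendered as an LDIF entry for the primary LDAP server, and a classroom server decides from the replicated entry whether a login at a given station is allowed. The attribute name allowedClassroom, the base DN, the simplified entry schema and the sample users are assumptions, not the university's real schema.

```python
# Added example, not from the presentation: minimal model of the
# UIS/DW -> primary LDAP -> classroom login flow. Names are assumptions.
BASE_DN = "ou=People,dc=example,dc=org"  # placeholder base DN

# Constructed data-warehouse rows, one per user, as UIS would prepare
# them before the PL/SQL logic pushes them to the primary OpenLDAP.
DW_USERS = [
    {"uid": "xnovak", "cn": "Jan Novak", "role": "student",
     "classrooms": ["Q01", "Q02"], "login_shell": "/bin/bash"},
    {"uid": "xsvobod", "cn": "Eva Svobodova", "role": "employee",
     "classrooms": ["Q01", "Q03", "LAB1"], "login_shell": "/bin/bash"},
    {"uid": "xguest", "cn": "Conference Guest", "role": "guest",
     "classrooms": [], "login_shell": "/sbin/nologin"},
]

def to_ldif(user):
    """Render one DW row as a simplified LDIF entry for the primary LDAP."""
    lines = [
        f"dn: uid={user['uid']},{BASE_DN}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        f"uid: {user['uid']}",
        f"cn: {user['cn']}",
        f"employeeType: {user['role']}",
        f"loginShell: {user['login_shell']}",
    ]
    # allowedClassroom (hypothetical) is multi-valued: one value per room.
    lines += [f"allowedClassroom: {room}" for room in user["classrooms"]]
    return "\n".join(lines) + "\n"

def parse_ldif(ldif):
    """Parse a single LDIF entry into {attribute: [values]}."""
    entry = {}
    for line in ldif.splitlines():
        if line.strip():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
    return entry

def classroom_login_allowed(entry, station_classroom):
    """Decision a Samba/PAM classroom server takes from the replica entry:
    deny accounts without an interactive shell or not listed for the room."""
    if entry.get("loginShell", [""])[0] == "/sbin/nologin":
        return False
    return station_classroom in entry.get("allowedClassroom", [])

def check_login(uid, station_classroom):
    """End-to-end: DW row -> LDIF -> parsed entry -> login decision."""
    user = next(u for u in DW_USERS if u["uid"] == uid)
    return classroom_login_allowed(parse_ldif(to_ldif(user)), station_classroom)
```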

Currently implemented situation
  • Many other IT services access the central LDAP:
    • UIS web interface
    • Catering service (Anete Kredit)
    • Network access service (eduroam, Faro)
    • VPN concentrator
    • HelpDesk software
    • Impromat copy centre
    • Old e-learning services
    • Services on faculties

Known problems
  • Changing passwords (only through UIS)
  • Two profiles (Linux, Windows)
  • Absence of an SAP connector
  • Not everything is online (e.g. e-mail groups, destruction of accounts…)
  • No implementation of single sign-on
  • Less security because a single set of account credentials is used everywhere

Results
  • One login, one password, one account system, no account administrator
  • Only 2 central administrators at the university
  • Very popular with basic users
  • Very popular with technology owners
  • Much statistical information
  • Only the starting point of a long journey towards mobile work at the university

Other results
  • Implemented also for our customers:
    • Slovak Technical University (26 000 users)
    • Technical University in Zvolen (6 000 users)
    • Škoda Auto University (1 000 users, in progress)
  • Current situation: changed to a central information system, activated primary LDAP generation, first replicas installed, some services connected

Future ideas
  • Single sign-on
  • Mobile profile through VPN
  • Adding printing profiles to LDAP
  • User-friendly interface for administrators
  • Use of virtual desktop infrastructure
  • Use of other identity tokens (cards, USB flash drives, tokens)
  • Building a PKI on top of this solution

Thank you for your attention. Any questions?