Internet2 Middleware: Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware (presentation)

Number of slides: 84

Internet2 Middleware: Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware
Michael R. Gettes, Principal Technologist, Georgetown University
Gettes@Georgetown.EDU
http://www.georgetown.edu/giia/internet2

“Middleware is the intersection of what the Network Engineers and the Application Programmers don’t want to do” – Ken Klingenstein, Chief Technologist, Univ. of Colorado, Boulder; Director, Internet2 Middleware Initiative; Lead Clergy, MACE; PS of LC
Middleware makes “transparently use” happen

Internet2 Middleware – If the goal is a PKI, then you need to consider:
• Identifiers (SSNs and other untold truths)
• Identification & Authentication process (“I & A”)
• Authentication systems (Kerberos, LDAP, etc.)
• Lawyers, Policy & Money (lawyers, guns & $$$)
• Directories (and the applications that use them)
• Certificate Management System (CMS) deployment – CA certificate, server certificates, client certificates
• Authorizations (a real hard problem; roles, etc.)

Internet2 Middleware
• Building application/system infrastructure
• What is missing in Internet 1
• Not “network security” (wire level)
• Assumes the wire is insecure
• Assumes the application is insecure
If security was easy, everyone would be doing it.
• http://middleware.internet2.edu

National Science Foundation NMI program
• $12 million over 3 years
• www.nsf-middleware.org
• Middleware service providers, integrators, distributors
• GRID (Globus)
• Internet2 + EDUCAUSE + SURA
• May 2002 – first set of deliverables from all parties

MACE – Middleware Architecture Committee for Ed.
IT architects – meet often – no particular religious affiliations
MACE-DIR – eduPerson, Recipe, DoDHE
MACE-SHIBBOLETH – global AuthN/Z
MACE-PKI – HEPKI (TAG/PKI-Labs)
MACE-WebISO – Web Initial Sign-on
VID-MID – Video Middleware (H.323/SIP)
MACE-FDRM – Federated Digital Rights Management
NMI – NSF Middleware Initiative

MACE-ochists
RL “Bob” Morgan, Chair, Washington; Mark Poepping, CMU; Steven Carmody, Brown; David Wasley, UCOP; Michael Gettes, Georgetown; Von Welch, ANL/Grid; Keith Hazelton, Wisconsin; Paul Hill, MIT; Ken Klingenstein, Colorado; Jim Jokl, Virginia; Scott Cantor, Ohio St; Bruce Vincent, Stanford
Euro: Brian Gilmore & Ton Verschuren, Diego Lopez

A Map of Middleware Land (diagram)

MACE-DIR – Keith Hazelton, Chair, Wisconsin
• eduPerson objectclass
• LDAP-Recipe
• Directory of Directories for Higher Education (DoDHE)
• Shibboleth project directory dependencies
• Meta directories – MetaMerge
• Groups (dynamic vs. static; management)
• Affiliated directories (stitched, data link)
• http://middleware.internet2.edu/directories

MACE-DIR: eduPerson 1.0 (1/22/01 release)
• MACE initiated (Internet2 + EDUCAUSE)
• Globally interesting, useful attributes
• Get community buy-in; must use it also: eduPersonAffiliation (DoDHE), eduPersonPrincipalName (Shibboleth)
• “Less is more”; how to use standard objectclasses
• http://www.educause.edu/eduperson

eduPerson 1.5 object class
Included as part of the NSF Middleware Initiative (NMI) Release 1.0, May 7th, 02
eduPerson 1.0 is the production version; 1.5 status is “released for public review” (RPR)
Next NMI release will include final 1.5 based on review period discussions

eduPerson 1.5 object class – Changes from 1.0:
• Introductory section added
• RFC 2252 style definitions included for the eduPerson object class itself and for each of the eduPerson attributes.
• Notes on additional attributes from existing object classes, existing notes clarified, syntax and indexing recommendations updated.

eduPerson 1.5 object class – Two new attributes: eduPersonPrimaryOrgUnitDN, eduPersonEntitlement
• Simple case: value is the name of a contract for a licensed resource
• http://xstor.com/contract1234
• Values of eduPersonEntitlement can be URLs or URNs

eduPerson 1.5 object class – eduPersonEntitlement
• Values of eduPersonEntitlement can be URLs or URNs
 – http://www.w3.org/Addressing/
 – RFC 2396 Uniform Resource Identifiers
 – RFC 2141 Uniform Resource Names
• URNs allow federation of name creation without name clashes.
 – urn:mace:brown.edu:foo
• [email protected] (at internet2.edu) for information on URN registration
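As an added example (not code from the presentation or the eduPerson specification), the following checks eduPersonEntitlement values against the two forms the slide allows, URL or URN, and decides access to a licensed resource by matching the contract identifier. Comparison follows RFC 2141 and RFC 2396 (URN scheme and NID, and URL scheme and host, are case-insensitive); the directory entries and most values are constructed, only the xstor contract URL and urn:mace:brown.edu:foo come from the slides.

```python
"""Validate eduPersonEntitlement values and decide access to a licensed resource.

Added example, not code from the presentation or the eduPerson spec. A value
is accepted only as an absolute http/https URL (RFC 2396 style) or a URN
(RFC 2141); anything else is reported as malformed and never matches.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

# RFC 2141: "urn:" NID ":" NSS. NID is 1-32 chars, alnum first, then alnum or '-';
# "urn:" and the NID are case-insensitive; the NID "urn" itself is reserved.
# \S+ for the NSS is looser than RFC 2141 allows and is a simplification here.
_URN_RE = re.compile(r"^urn:(?P<nid>[A-Za-z0-9][A-Za-z0-9-]{0,31}):(?P<nss>\S+)$", re.IGNORECASE)


def canonical_entitlement(value: str) -> Optional[str]:
    """Canonical form of a valid entitlement value, or None if it is neither URL nor URN."""
    m = _URN_RE.match(value)
    if m:
        nid = m.group("nid").lower()
        if nid == "urn":                       # reserved namespace identifier
            return None
        return f"urn:{nid}:{m.group('nss')}"   # NSS kept as-is: its case may be significant
    parts = urlsplit(value)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                           parts.path, parts.query, parts.fragment))
    return None


def entitlement_report(entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Split an entry's entitlement values into canonical valid ones and rejected raw ones."""
    valid, rejected = [], []
    for raw in entry.get("eduPersonEntitlement", []):
        canon = canonical_entitlement(raw)
        (valid if canon else rejected).append(canon or raw)
    return {"valid": valid, "rejected": rejected}


def is_entitled(entry: Dict[str, List[str]], contract: str) -> bool:
    """True if the entry carries an entitlement naming `contract` (the slide's simple case)."""
    target = canonical_entitlement(contract)
    if target is None:
        raise ValueError(f"resource contract is not a URL or URN: {contract!r}")
    return target in entitlement_report(entry)["valid"]


# Constructed sample entries (attribute name from the slides; DNs and people are made up).
SAMPLE_ENTRIES: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=People,dc=example,dc=edu": {
        "eduPersonEntitlement": ["http://xstor.com/contract1234", "URN:MACE:brown.edu:foo"]},
    "uid=bob,ou=People,dc=example,dc=edu": {
        "eduPersonEntitlement": ["HTTP://XSTOR.COM/contract1234"]},   # same contract, host in caps
    "uid=carol,ou=People,dc=example,dc=edu": {
        "eduPersonEntitlement": ["contract1234", "urn:urn:bad", "urn:mace:brown.edu:bar"]},
}
```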

eduOrg 1.0 released as “Experimental” object class
• Basic organizational info attributes from X.520 – telecomm, postal, locale
• eduOrgHomePageURI
• eduOrgIdentityAuthNPolicyURI
• eduOrgLegalName
• eduOrgSuperiorURI
• eduOrgWhitePagesURI

LDAP-Recipe positioning and the NMI R1
• A special case document
• Pre-existed NMI and MACE document standards format and naming.
• Will conform to NMI/MACE naming and future process for acceptance.
• Content??? Well, we shall see…

LDAP-Recipe Version 1.5 (pre May 7, 2002)
• Directory tree
• Schema (design, upgrading, maint)
• AuthN (binding and pw mgmt)
• eduPerson attr discussion (select)
• Access control
• Replication
• Name population

LDAP-Recipe Version 2.0 (NMI R1, May 7, 2002)
• Groups, Groups
• Static, dynamic, app issues; builds on “NMI Groups Doc”
• E-mail routing considerations
• Attribute firewalling, Sendmail, app issues
• eduPersonOrgDN and eduPerson{Primary}OrgUnitDN
• Original intent for eduPerson 1.0 and Primary
• RDN issues (a must read)
• Software reference (small, needs to grow)

MACE-DIR: Directory of Directories for Higher Education
Web of Data vs. Web of People
Prototype: April, 2000 (by M. Gettes)
Highly scalable parallel searching
• Interesting development/research problems
• Configs, LDAP libraries, human interface
Realized the need to:
• Promote eduPerson & common schema
• Promote good directory design (recipe)
Work proceeding – Sun Microsystems grant
http://middleware.internet2.edu/dodhe

MACE-DIR: DoDHE and LDAP Analyzer
Todd Piket, Michigan Tech
Web based tool to empirically analyze a directory: eduPerson compliance, indexing and naming, LDAP-Recipe guidance (good practice)
Beta: http://morpheus.dcs.it.mtu.edu/~tcpiket/dodhe

MACE-Dir Futures
• Technical Advisory Board
• eduOrg, eduPerson, edu????
• Shibboleth and other related work
• Roles (RBAC)
• Group implementations (Eileen Shepard, BC; Tom Barton, Memphis)
• Blue Pages
• LDAP-Recipe (next?)
• Affiliated Directories (Rob Banz, UMBC)
• pkiUser/pkiCa, Bridge CA, etc…
• Video Middleware (commObject{Uri} OCs)
• GRID interoperability
• Directory Policy

MACE-Dir Futures (continued)
• eduOrg “blue page” entries
• eduOrgUnit 1.0 object class and attributes
• Affiliated directories scenarios
• Identity management in Health Sciences
• Assembling info on the fly
• Data/metadata bundles as units of exchange
• Exploring with our Technical Advisory Board

MACE-SHIBBOLETH – Steven Carmody, Brown, Chair
A Biblical pass phrase – “password”
• Get it right or “off with your head”
• Inter-institutional authentication/authorization
• Web authorization of remote sites with local credentials
• Authentication via WebISO
• October, 2002 – Version 1.0 with NMI
• http://middleware.internet2.edu/shibboleth

MACE-WEBISO – Web Initial Sign-on
Based on University of Washington “pubcookie” implementation
Washington will develop and steward it with external funding
JA-SIG uPortal, Blackboard, WebCT, Shibboleth – will do or are highly likely to do.
http://www.washington.edu/computing/pubcookie

VID-MID – Video Middleware
Authentication and authorization of H.323 sessions, client to MCU
Directory enabled: how to find video enabled people? What is necessary to describe video capabilities?
Will likely extend to IP telephony and so on…

PKI is 1/3 Technical and 2/3 Policy? (diagram: Technical, Policy)

HEPKI
TAG – Technical Activities Group
• Jim Jokl, Chair, Virginia
• Mobility, cert profiles, PKI-Lite, etc.; lots of techno
PAG – Policy Activities Group
• Default Chair, Ken Klingenstein, Colorado
• Knee-deep in policy, HEBCA, campus, Subs+RP
PKI Labs (AT&T) – Neal McBurnett, Avaya
• Wisconsin-Madison & Dartmouth
• Industry, Gov., Edu expert guidance
http://www.educause.edu/hepki

Multiple CAs in FBCA Membrane
• Survivable PKI
• Cross certificates allow for “one/two-way policy”
• Directories are critical in BCA world.
(EDUCAUSE, “Transforming Education Through Information Technologies”, http://www.educause.edu/; Common Solutions Group, January, 2002, Sanibel Island)

A Snapshot of the U.S. Federal PKI (diagram: DOD PKI, Illinois PKI, Canada PKI, NASA PKI, NFC PKI, University PKI, Federal Bridge CA, Higher Education Bridge CA)
(EDUCAUSE, “Transforming Education Through Information Technologies”, http://www.educause.edu/; Common Solutions Group, January, 2002, Sanibel Island)


Bridge CAs
• Higher Education Bridge CA – FBCA peering
• We have a draft HEBCA CP ([email protected], PKI WG), FBCA compatible
• How many HEBCAs? (EDUCAUSE!)
• Do we really understand PKI implementations with respect to policy needs? (proxy certificates, relying party agreements, name constraints, FERPA, HIPAA, who eats who?)
• BCA seems to be the most promising perspective. Will each person be a BCA?
• Does ALL software (client/server) need to be changed?
• Mitretek announces new BCA deployment model 2/15/2001
• Scalable & deployable
• Server plug-ins make client changes less likely

The PKI Puzzle (diagram: Medical PKI Hierarchy) – by David Wasley, UCOP

domainComponent (DC=) Naming
• Traditional X.500 naming: cn=Michael R Gettes, ou=Server Group, ou=UIS, o=Georgetown University, c=US
• domainComponent (DC) naming: uid=gettes, ou=People, dc=georgetown, dc=edu
• HEPKI is issuing guidance and advice on DC= naming

Attributes for PKI
Store them in a certificate?
• Attributes persist for life of certificate
• No need for directory or other lookup – the certificate itself becomes the AuthZ control point
Store them in a directory?
• Very light-weight certificates
• Requires directory access
• Long-term certificate; directory is AuthZ control point.
How many certificates will we have? Pseudonymous certificates

We’re Building A “Bridge Over The River PKI”

Shibboleth Update
Steven Carmody, Brown University, Project Leader, Shibboleth
Michael R. Gettes, Georgetown University

Shibboleth Architecture Concepts – High Level (diagram: Browser, Origin Site, Target Site, Target Web Server; First Access – Unauthenticated; Authentication Phase; Authorization Phase; pass content if user is allowed)

Shibboleth Architecture Concepts (detail) (diagram: Browser; Origin Site with Web Login Server and Attribute Server; Target Site with Target Web Server. First Access – Unauthenticated: redirect user to local Web Login; Authentication Phase: prompt, Auth OK; ask to obtain entitlements (Ent Req / Ent); Second Access – Authenticated: pass entitlements for authz decision; Authorization Phase: pass content if user is allowed; Success!)

Shibboleth Architecture (diagram)

Shibboleth Components (diagram)

Descriptions of services
1. local authn server – assumed part of the campus environment
2. web sso server – typically works with local authn service to provide web single sign-on
3. resource manager proxy, resource manager – may serve as control points for actual web page access
4. attribute authority – assembles/disassembles/validates signed XML objects using attribute repository and policy tables
5. attribute repository – an LDAP directory, or roles database or….
6. Where are you from service – one possible way to direct external users to their own local authn service
7. attribute mapper – converts user entitlements into local authorization values
8. PDP – policy decision points – decide if user attributes meet authorization requirements
9. SHAR – Shibboleth Attribute Requestor – used by target to request user attributes

Shibboleth Flows Draft (diagram)

Shibboleth Architecture – Managing Trust (diagram: TRUST relationship between the Origin Site’s Attribute Server / Shib engine and the Target Site’s Target Web Server; Browser)

Personal Privacy
Web Login Server provides a pseudonymous identity
An Attribute Authority releases personal information associated with that pseudonymous identity to site X based on:
• Site defaults – business rules
• User control – myAA
• Filtered by contract provisions
(diagram: Browser, User, Site Defaults, My AA)
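The release flow just described, as an added example that is not Shibboleth code and not part of the presentation: the web login server hands out an opaque per-session handle instead of the uid, the target's attribute requestor presents that handle to the Attribute Authority, and the AA filters the user's attributes through site defaults, contract provisions and the user's own myAA choices before releasing them. How the three layers compose (site default, narrowed by the contract, narrowed by the user), the names and the sample data are this example's assumptions.

```python
"""Simulate the origin-site attribute release the privacy slide describes.

Added example, not Shibboleth code. The composition of the three policy layers
(site default, narrowed by contract, narrowed by the user's myAA choices) and
all names and data below are assumptions made for the demonstration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def _pw_hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


@dataclass
class OriginSite:
    directory: Dict[str, Dict[str, str]]          # uid -> attributes (attribute repository)
    credentials: Dict[str, Tuple[str, str]]       # uid -> (salt, sha256 hex) for local authn
    site_defaults: Dict[str, Set[str]]            # target -> attrs the business rules allow
    contracts: Dict[str, Set[str]]                # target -> attrs the contract permits
    user_arp: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)  # uid -> target -> withheld
    handles: Dict[str, str] = field(default_factory=dict, repr=False)       # handle -> uid

    def web_login(self, uid: str, password: str) -> Optional[str]:
        """Web Login Server: verify the local credential, hand back a pseudonymous handle."""
        cred = self.credentials.get(uid)
        if cred is None or not hmac.compare_digest(_pw_hash(cred[0], password), cred[1]):
            return None
        handle = secrets.token_urlsafe(16)   # opaque: reveals nothing about the uid
        self.handles[handle] = uid
        return handle

    def attribute_authority(self, handle: str, target: str) -> Dict[str, str]:
        """Attribute Authority: release only what site defaults, contract and user all allow."""
        uid = self.handles.get(handle)
        if uid is None:
            raise PermissionError("unknown handle")
        allowed = self.site_defaults.get(target, set()) & self.contracts.get(target, set())
        allowed -= self.user_arp.get(uid, {}).get(target, set())
        entry = self.directory[uid]
        return {a: entry[a] for a in sorted(allowed) if a in entry}


def target_decides(origin: OriginSite, handle: str, target: str,
                   required: Dict[str, str]) -> bool:
    """Target site: the SHAR fetches attributes for the handle, then the PDP checks them."""
    released = origin.attribute_authority(handle, target)
    return all(released.get(a) == v for a, v in required.items())


# Constructed sample data; only the xstor contract URL comes from the eduPerson slides.
SALT = "constructed-salt"
ORIGIN = OriginSite(
    directory={"alice": {"uid": "alice", "sn": "Example", "mail": "alice@origin.example",
                         "eduPersonAffiliation": "faculty",
                         "eduPersonEntitlement": "http://xstor.com/contract1234"}},
    credentials={"alice": (SALT, _pw_hash(SALT, "correct horse"))},
    site_defaults={"xstor.com": {"eduPersonAffiliation", "eduPersonEntitlement", "mail"}},
    contracts={"xstor.com": {"eduPersonAffiliation", "eduPersonEntitlement"}},
    user_arp={"alice": {"xstor.com": {"eduPersonAffiliation"}}},   # alice's myAA choice
)
```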

Managing ARPs (diagram)

Middleware Marketing

Drivers of Vapor Convergence (diagram: Local Web SSO pressures, Local Authentication, OKI/Web Authentication, JA-SIG uPortal, Shibboleth Inter-Realm AuthZ; caption: “We all get Web SSO for local authentication and an Enterprise Authorization Framework with an Integrated Portal that will all work inter-institutionally!”)

Middleware Inputs & Outputs (diagram labels: Licensed Resources, Grids, OKI, Embedded App Security, JA-SIG & uPortal, Inter-realm calendaring, Shibboleth, eduPerson, Affiliated Dirs, etc., Campus Web SSO, Enterprise Directory, Enterprise Authentication, futures, Enterprise AuthZ, Legacy Systems)

Errata--ica

The Liberty Alliance – www.project-liberty.org
Sun Microsystems, American Express, United Airlines, Nokia, MasterCard, AOL Time Warner, American Airlines, Bank of America, Cisco, France Telecom, Intuit, NTT DoCoMo, Verisign, Schlumberger, Sony …
Initiated in September 2001. Protect privacy, federated administration, interoperability, standards based but requires new technology, hard problems to solve, a Network Identity Service
Funny, doesn’t this stuff sound familiar?

Got Directory?

Techniques for Product Independence
Good/Evil – make use of cool features of your product.
• Does this make it more difficult or impossible to switch products later?
• Does this make you less interoperable? Standard?
• Does this limit your ability to leverage common solutions?
All the above applies to enabled apps as well.

Groups, Groups
Static vs. Dynamic (issues of large groups)
• Static: scalability, performance, bandwidth
• Dynamic: manageability (search based, but search limits)
Is there something neutral? Indexed Static Groups
• MACE-DIR consideration (Todd Piket, MTU)
• Index unique/member
• The likely approach, IMHO, doesn’t inhibit dynamic stuff
Group Math: (&(group=faculty)(!(group=adjunct))(member=DN))

Roles
Is this an LDAP issue?
• MIT roles DB – a roles registry
Are groups good enough for now?
• Probably not, see next
Are your apps prepared for this? Maybe they need some service to consult?
Will Shibboleth help here?
Vendors have proprietary solutions.

Stitching disparate directories
How to relate to distinct directories and their entries.
Kjk@colorado & [email protected] De -- are they the same?
Locate someone in a large directory (DoDHE) and then switch to their video abilities
Suggestion: define new object of a “data source directory”. Associate it with a cert. Send signature of all data elements for an object; store in same. This allows for digital trust/verification. Still working this out.
Not much work in this space? (the affiliated dirs problem)
X.520 AttributeIntegrityInfo attribute – will it suffice?

A Campus Directory Architecture (diagram labels: metadirectory, enterprise applications dir, enterprise directory, database, border directory, departmental directories, OS directories (MS, Novell, etc.), registries, source systems)

Middleware 201 – Directories: Configuration & Operations
Michael R. Gettes, Principal Technologist, Georgetown University
Gettes@Georgetown.EDU

How Deep?
Background; Site Profile – configuration; Applications; General Operational Controls; Schema; Access Lists; Replication; Related Directories
LDAP-Recipe – http://middleware.internet2.edu

Site Profile – dc=georgetown, dc=edu
Netscape/iPlanet DS version 4.16
• 2 Sun E250, dual cpu, 512 MB RAM
105,000 DNs (25K campus; others = alums + etc.)
Directory + apps implemented in 7 months
Distinguished names: uid=x, ou=people
• DC rap, “Boom shacka lacka”
• Does UUID in DN really work? NSDS pre-op plugin (by [email protected])
• Authentication over SSL; required
• Can do Kerberos – perf problems to resolve
1 supplier, 4 consumers

Authentication: Overall Plan @ Georgetown
Currently, server-side PKI, self-signed
Best of all 3 worlds
• LDAP + Kerberos + PKI – LDAP authentication performs Kerberos authentication out the backend. Jan. 2001 to finish iPlanet plug-in.
• Credential caching handled by directory.
• Cooperative effort – Georgetown, GATech, Michigan
 – All directory authentications SSL protected. Enforced with necessary exceptions
• Use Kerberos for Win2K services and to derive X.509 client certificates
• One userid/password (single-signon vs. FSO)

Applications
Mail routing with Sendmail 8.12 (lists also)
Netscape messaging server v4.15 (IMAP)
• WebMail profile stored in LDAP
Apache server for Netscape roaming (no SSL)
Apache & Netscape enterprise web servers
Blackboard CourseInfo Enterprise 5.5.1
Whitepages: Directory Server Gateway
DSGW for priv’d access and maintenance

Applications (continued)
Remote access with RADIUS (Funk).
• No SSL (3/2000); proper LDAP binds (fix 8/2000)
• Authenticates and authorizes for dial-up, DSL and VPN services using RADIUS called-id.
• We want to use this for other access control such as Oracle

RADIUS + LDAP (diagram)
• User calls 202-555-1110
• NAS (terminal server) -> RADIUS server: CalledId from NAS is mapped to guRadProf
• LDAP filter is: guRadProf = 2025551110 + NetID = gettes
• Directory Server (dialup users) entry: netid = gettes; guRadProf = 2025550001; guRadProf = 2025551110; guRadProf = OracleFin
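The two filters above, the group-math filter from the “Groups, Groups” slide and the RADIUS called-id check from this one, evaluated against constructed directory entries as an added example (not the presentation's or any vendor's code). It implements a small RFC 2254 filter parser, resolves the group-math filter to the static member list a dynamic group stands for (the slide's trailing (member=DN) term, which pins the check to one DN, is left out so the whole group comes back), and builds the RADIUS filter with the caller-supplied NetID and called-id escaped. Entry DNs, group names and the case-insensitive value comparison (caseIgnoreMatch) are this example's assumptions.

```python
"""Parse and evaluate LDAP search filters against in-memory directory entries.

Added example, not the presentation's or any vendor's code. A small RFC 2254
filter parser (and, or, not, equality, presence) runs two filters from the
slides: the group-math filter, reduced to (&(group=faculty)(!(group=adjunct)))
so it yields the whole static member list, and the RADIUS called-id check
(&(guRadProf=2025551110)(uid=gettes)). Entries and group names are constructed;
values are compared case-insensitively (caseIgnoreMatch), a simplification.
"""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]
Node = Tuple  # ("and"|"or", [nodes]) | ("not", node) | ("present", attr) | ("equal", attr, value)

def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 2254 reserves inside an assertion value."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)

class FilterParser:
    """Recursive-descent parser for the filter subset used on the slides."""

    def __init__(self, text: str):
        self.s, self.i = text, 0

    def parse(self) -> Node:
        node = self._filter()
        if self.i != len(self.s):
            raise ValueError(f"trailing data after filter at offset {self.i}")
        return node

    def _expect(self, ch: str) -> None:
        if self.i >= len(self.s) or self.s[self.i] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def _filter(self) -> Node:
        self._expect("(")
        op = self.s[self.i:self.i + 1]
        if op in ("&", "|"):
            self.i += 1
            subs = []
            while self.s[self.i:self.i + 1] == "(":
                subs.append(self._filter())
            if not subs:
                raise ValueError("empty and/or list")
            node: Node = ("and" if op == "&" else "or", subs)
        elif op == "!":
            self.i += 1
            node = ("not", self._filter())
        else:
            node = self._item()
        self._expect(")")
        return node

    def _item(self) -> Node:
        eq, close = self.s.find("=", self.i), self.s.find(")", self.i)
        if eq < 0 or close < 0 or close < eq:
            raise ValueError(f"malformed item at offset {self.i}")
        attr, raw, self.i = self.s[self.i:eq], self.s[eq + 1:close], close
        return ("present", attr) if raw == "*" else ("equal", attr, _unescape(raw))

def matches(node: Node, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry; attribute names are case-insensitive."""
    kind = node[0]
    if kind == "and":
        return all(matches(n, entry) for n in node[1])
    if kind == "or":
        return any(matches(n, entry) for n in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    vals = next((v for k, v in entry.items() if k.lower() == node[1].lower()), [])
    return bool(vals) if kind == "present" else any(v.lower() == node[2].lower() for v in vals)

def search(entries: Dict[str, Entry], filter_text: str) -> List[str]:
    """DNs matching the filter: the static member list a dynamic group resolves to."""
    node = FilterParser(filter_text).parse()
    return sorted(dn for dn, entry in entries.items() if matches(node, entry))

def radius_filter(netid: str, called_id: str) -> str:
    """Build the slide's called-id authorization filter with caller-supplied values escaped."""
    called = called_id.replace("-", "")  # 202-555-1110 -> 2025551110
    return f"(&(guRadProf={escape_filter_value(called)})(uid={escape_filter_value(netid)}))"

# Constructed entries; attribute names and the guRadProf values of gettes come from the slides.
PEOPLE: Dict[str, Entry] = {
    "uid=gettes,ou=People,dc=georgetown,dc=edu": {
        "uid": ["gettes"], "guRadProf": ["2025550001", "2025551110", "OracleFin"]},
    "uid=prof1,ou=People,dc=georgetown,dc=edu": {"uid": ["prof1"], "group": ["faculty"]},
    "uid=adj1,ou=People,dc=georgetown,dc=edu": {
        "uid": ["adj1"], "group": ["faculty", "adjunct"], "guRadProf": ["2025551110"]},
    "uid=staff1,ou=People,dc=georgetown,dc=edu": {"uid": ["staff1"], "group": ["staff"]},
}
GROUP_MATH = "(&(group=faculty)(!(group=adjunct)))"
```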

Applications (continued)
Alumni services (HoyasOnline).
• External vendor in Dallas, TX (PCI).
• They authenticate back to home directories. Apache used to authenticate and proxy to backend IIS server.
• Email forwarding for life

HoyasOnline Architecture – Gratuitous Architectural Graphic (GAG) (diagram labels: OS/390; LDAP Master; LDAP Replica; TMS; HRIS; NetID; SIS; Alumni; other local hosts; GU provided self-service applications; WWW hoyasonline content; PCI (Dallas) vendor-provided services, way down in Texas; client browser)

Applications (continued)
Access+
• Georgetown developed
• Web interface to legacy systems using Unix frontend to custom made mainframe tasks. Many institutions have re-invented this wheel.
• LDAP authentication; mainframe doesn’t yet do SSL. Always exceptions to rules.
• Student, Faculty, Staff, Directory/Telephone Access+ services. This technique keeps mainframe alive. (good or bad?)

Applications (continued)
Specialized support apps
• Self service mail routing
• Help Desk: mail routing, password resets, quota management via DSGW
• Change password web page
Person registry populates LDAP people data, currently MVS (mainframe) based.
PerLDAP used quite a bit – very powerful! (make sure version >= 1.4) Now moving to Net::LDAP

Applications (continued)
Georgetown Netscape Communicator Client Customization Kit (CCK).
• Configured for central IMAP/SSL and directory services.
• Handles versions of profiles. Poor man’s MCD
Future: more apps! Host DB, Kerberos integration, Win2K/AD integration?, Oracle RADIUS integration, automatic lists, dynamic/static groups, Top-Secret, Bb – further integration.

General Operational Controls
Size limit trolling (300 or 20 entries?)
Lookthru limit (set very low)
Limit 3 processors for now; MP issues still! (v4)
100 MB footprint, about 8000 DNs in cache
• Your mileage will vary – follow cache guidelines documented by iPlanet.
24x7 operations
What can users change?? (very little)
No write intensive applications

General Ops Controls (cont…)
Anonymous access allowed
• Needed for email clients
• Anonymous access is good if you resolve FERPA and other data access issues.

Schema: Design & Maint
Unified namespace: there can be only one!
Schema design and maintenance
• Space/time tradeoffs on indexing
• eduPerson 1.0 vs. guPerson
• guRestrict, guEmailBox, guAffil, guPrimAfil
• guPWTimebomb, guRadProf, guType, guSSN
• Relationships (guref)
Maintained by ldif file using ldapmodify

Access Lists: Design & Maintenance
• Buckley (FERPA) protection & services
• Priv’d users and services
• userPassword & SSN
Maintained by file using ldapmodify
Working on large group controls at GU
• Groups vs. Roles
• Likely easy to populate, hard to design & implement

Replication
Application/user performance
Failover, user and app service
Impact of DC= naming (replica init)
• Fixed in 4.13 and iDS 5.0
Monitoring: web page and notification
Dumper replica – periodic LDIF dumps
Backups? We don’t need no stinkin’ backups!
• Vendor specific
• No good solution for backups (iPlanet)
• IBM uses DB2 under the covers
• Novell?

Replication (continued)
Application/user config for multiple servers
Deterministic operations vs. random
Failover works for online repairs
Config servers are replicated also
10 to 1 SRA/CRA ratio recommended
Cannot cascade with DC= (iPlanet)
• Cascading is scary to me

Replica Structure (diagram labels: MASTER; WHITEPAGES; MAILHOST; POSTOFFICE; DUMPER; NetID Registry; Users; Web Servers; Normal Ops; Failure Ops)

Netscape Console
• Java program (FAT client).
• Used to create, configure and monitor Netscape servers.
• Preferred the web page paradigm of the version 3 products.
• Has enough bugs that it is only used by server admins, not for mere mortals.
• Demo??? (nope)

Other Directories
Novell – GU abandoning GroupWise.
Active Directory??? Ugh!!!
• Static groups only
• Strict tree structure for Group Policy
• No plans for MS to change this…

Buyer Beware
• LDAP is LDAP – yeah, right!
• “Sure! We support LDAP!” What does that mean?
• Contract for functionality and performance
• Include your Directory/Security Champion!!!
• Verify with other schools – so easy, rarely done.
• Beware of products that specify Dir Servers
• Get vendor to document product requirements and behavior. You paid for it!

Microsoft Win2K Integration
Project Pismere – http://web.mit.edu/pismere
MIT, CMU, Michigan, Stanford, Colorado, etc…
One way trust from MIT KDC to Win2K KDC
The devil we know
Metamerge can play an important role
Handle DHCP/DNS as your site wishes

Win2K & Enterprise Integration (diagram: steps 1, 2, 3; W2K Kerb AuthN; Ent Kerb AuthN; one-way X-realm trust; identity mgmt; Enterprise Directory; W2K Active Directory; Meta-Dir function – MetaMerge?)

Other examples of research…

Current Research (examples)
GROUPER – A special LDAP server (OpenLDAP) engineered to handle group math operations against the enterprise directory for applications that are not group savvy.
Application -> get group BLAH -> GROUPER -> combine 15 groups and remove those in the exclusion group -> give back combined static object as group BLAH

Certificate Parsing Server
Peter Gietz – a draft to describe X.509 certificates as plain old directory objects. Finding certificates becomes easy for directory aware applications. Use PKI operations on the cert you select to verify it.
David Chadwick – a Certificate Parsing Server (CPS). Like GROUPER but only works on add/delete/modify operations and stores cert objects as child objects as well as userCertificate attributes where they are now. This should have a dramatic impact on Bridge CA model operations.

What to do next?
• eduOrg, eduPerson, edu(other …)
• Shibboleth
• Roles (RBAC)
• GIG (Group Implementer’s Guide)
• GROUPER, RI-Bot, GASP
• Blue Pages
• LDAP-Recipe (next?)
• Affiliated Directories
• HEBCA, Bridge PKI, etc…
• Video Middleware (commObject)
• GRID AuthN campus integration
• GRID AuthZ campus integration
• Medical Middleware (MedMid)
• Operational Issues (perf/mon)
• Directory Policy
• PKI Policy
• Identity Mgmt Practices
• Metadirectories
• Dir of Dirs Higher Ed (DoDHE)
• LDAP Analyzer
• The Art of Directories/Databases
• PKI-Lite and S/MIME
• Early Harvest for App Developers
• Digital Rights Management (DRM)
• Outreach and Dissemination
• N-Tier Systems (portals)
• Filesystems
• Selling it
• Project Mgmt