79ad9b2f638a3322d20d7877ca5823da.ppt
- Number of slides: 38
LDAP user database
Marina Vermezović, Academic Network of Serbia
Skopje, 15.09.2011
What is it all about?
Services/resources:
- to access the network – wireless, VPN
- web services – e-learning, e-library, student portal
Authentication – who are you?
Authorization – what can you do?
AAI – Authentication and Authorization Infrastructure – makes access to protected services easier.
Akademska mreža Srbije www.amres.ac.rs
Without AAI
[Diagram: each service provider at Faculty A (wireless, videoconference, e-learning, student services, library) and at Faculty B (wireless, e-books) performs its own authentication (Auth) and authorization (Autz) for every user.]

With AAI
[Diagram: an identity provider with identity management authenticates the user once; the service providers (wireless, videoconference, e-learning, student services, library, e-books) only perform authorization.]

Circle of Trust – high-level AAI diagram
[Diagram: network SPs (NAS: eduroam, VPN) reach the IdP via RADIUS; web SPs (web resources, wiki pages) reach it via SAML; the IdP is backed by the user database and is part of a federation.]
This is the basis for development of all services that need local and inter-institutional AuthN and AuthZ.
What is digital user identity?
A set of data (attributes) about a user:
- Personal user data: name, surname, date of birth, national identification number, contact information (mail, address, phone)
- Data regarding institutional affiliation: name of institution, affiliation (student, employee, guest), designation (for employees), type of studies (for students), local identification number, contact information (mail, address, phone)
- Credentials used for authentication: username/password, certificate
- Data that uniquely identifies a person: person-identifying (e.g. username@institutional.domain) or non-person-identifying
- User roles and privileges
LDAP user database
Which database to use for storing user IDs?
Basically you can choose any:
- Relational: MySQL, Oracle, PostgreSQL
- Hierarchical: OpenLDAP, Active Directory
But... there are some advantages.
Directories – made for storing user IDs? (User database – why LDAP?)
Relational Databases vs Directories:
- Schema: relational databases have no standard schema for tables and data fields; directories use international standards to describe persons and organizations.
- Organization: in a relational database one logical entity can be stored in multiple tables; in a directory one logical entity = one entry in the DIT.
- Multivalue data: a relational database mandates a new table, or a fixed number of data fields; directories have native support for multivalued attributes.
- Flexibility: changes to data fields in a relational database can require big effort; directory schema can be modified granularly and attributes are easy to add.
- Access: relational databases have no standard protocol for access via the network; directories define a protocol for access via the network – LDAP.
- Optimization: directories are optimised for reading.
LDAP dictionary
LDAP dictionary revealed
- DIT – Directory Information Tree: the term for the structure data is organized in; hierarchical (tree-like).
- Entry: a single item in the directory tree which describes one object (an organization, an organizational unit, a person, ...).
- Attribute: an attribute name – attribute value pair contained in the entry; can be univalued or multivalued.
- objectClass: a logical group of attributes; an entry has one or more objectClasses assigned and must have exactly one structural objectClass! Attributes can be optional or mandatory.
- RDN – Relative Distinguished Name: the value by which entries in one branch are distinguished; constructed from some attribute(s) of the entry; something like a folder name, or a primary key in relational databases.
- DN – Distinguished Name: the "path" to the entry, which uniquely identifies it; consists of all RDNs found on the path to the entry, separated by commas.
- Base DN: the DN of the DIT root.
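To make the vocabulary above concrete, here is an added example (not from the slides or from AMRES): a small Python script that parses a constructed LDIF snippet into an in-memory DIT, splits DNs into RDNs, checks that each entry's parent exists and that the RDN value is present as an attribute, and checks that each entry carries exactly one structural objectClass. The schema subset (which classes are structural or auxiliary), the entries, and the names dc=example,dc=rs and uid=pp123 are assumptions made up for this example.

```python
"""Added example, not from the AMRES slides: a tiny in-memory Directory
Information Tree built from a constructed LDIF snippet.  Schema subset,
entries and names are assumptions made up for the example."""
import base64

# Hypothetical schema subset: structural class -> its superior class.
# A real server reads this from its schema files.  Note dcObject is auxiliary.
STRUCTURAL = {"person": "top", "organizationalPerson": "person",
              "inetOrgPerson": "organizationalPerson",
              "organization": "top", "organizationalUnit": "top"}
AUXILIARY = {"dcObject", "eduPerson"}

SAMPLE_LDIF = """\
dn: dc=example,dc=rs
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: Example University

dn: ou=People,dc=example,dc=rs
objectClass: organizationalUnit
ou: People

dn: uid=pp123,ou=People,dc=example,dc=rs
objectClass: inetOrgPerson
objectClass: eduPerson
uid: pp123
cn:: UGV0YXIgUGV0cm92acSH
sn:: UGV0cm92acSH
mail: pp123@example.rs
mail: petar.petrovic@example.rs
eduPersonAffiliation: student
eduPersonAffiliation: member
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}.  Handles '::' base64 values (needed for
    non-ASCII such as Serbian names) and leading-space continuation lines."""
    entries, record = {}, []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and record:          # folded line
            record[-1] += raw[1:]
        elif raw == "":
            if record:
                attrs = {}
                for line in record:
                    name, _, value = line.partition(":")
                    if value.startswith(":"):        # base64 form
                        value = base64.b64decode(value[1:].strip()).decode("utf-8")
                    attrs.setdefault(name, []).append(value.strip())
                entries[attrs.pop("dn")[0]] = attrs  # dn is not an attribute
                record = []
        else:
            record.append(raw)
    return entries

def split_dn(dn):
    """Split a DN into its RDNs on unescaped commas (RFC 4514)."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\":                           # keep escape pair, e.g. "\,"
            cur += dn[i:i + 2]; i += 2; continue
        if dn[i] == ",":
            rdns.append(cur.strip()); cur = ""
        else:
            cur += dn[i]
        i += 1
    return rdns + [cur.strip()]

def structural_class(classes):
    """Return the single most-derived structural objectClass, else raise."""
    present = [c for c in classes if c in STRUCTURAL]
    def chain(c):                                   # c and all its superiors
        out = []
        while c in STRUCTURAL:
            out.append(c); c = STRUCTURAL[c]
        return out
    leaves = [c for c in present if not any(c in chain(o) for o in present if o != c)]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one structural class, got {present}")
    return leaves[0]

def check_dit(entries, base_dn):
    """Return problems: RDN value missing, parent missing, bad objectClasses."""
    problems = []
    for dn, attrs in entries.items():
        rdns = split_dn(dn)
        attr, _, value = rdns[0].partition("=")
        if value not in attrs.get(attr, []):
            problems.append(f"{dn}: RDN value not present as attribute")
        parent = ",".join(rdns[1:])
        if dn != base_dn and parent not in entries:
            problems.append(f"{dn}: parent {parent!r} not in DIT")
        try:
            structural_class(attrs.get("objectClass", []))
        except ValueError as e:
            problems.append(f"{dn}: {e}")
    return problems

if __name__ == "__main__":
    print(check_dit(parse_ldif(SAMPLE_LDIF), "dc=example,dc=rs"))   # []
```

The multivalued `mail` and `eduPersonAffiliation` attributes and the base64-encoded `cn`/`sn` show the two LDIF details that most often trip up hand-written imports.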
LDAP schema mystery?
[Diagram: a schema consists of one or more objectClass definitions; each objectClass (objectClassX) lists attribute definitions (attributeX).]
Which schema should I use?
One can define a proprietary schema to use within an organization.
But... if inter-institutional AuthN and AuthZ is used – such as in an NREN AAI – using the same schema becomes important.
Institutions involved in an NREN AAI should use the same schema because it:
- unifies attributes, their use and semantics
- lets Service Providers know what to expect during AuthN and AuthZ
Standard LDAP schemas – designed for campus directories
- eduPerson (eduPerson 200604), Internet2 MACE group: attributes describing a person in higher education
- eduOrg (eduOrg 200210), Internet2 MACE group: attributes describing an organization in higher education
- eduMember (eduMember 200507), Internet2 MACE-Dir WG: deals with the problem of assigning rights and privileges to users
- SCHAC (SCHema for ACademia), TERENA task force for middleware, TF-EMC2: complements eduOrg and eduPerson with attributes specific to the European education system
How to approach?
A schema for the national AAI should be defined. Examples:
- rsEdu https://bpd.amres.ac.rs/doku.php?id=amres_aai_wiki:pregled_atributa
- hrEdu http://schema.aaiedu.hr/shema/
- norEdu http://www.feide.no/feide/sites/drupal.uninett.no.feide/files/documents/norEdu_spec.pdf
More at https://refeds.terena.org/index.php/FederationSchema
How to design a national schema?
- Use the standard schemas: eduPerson, eduOrg, SCHAC
- If an attribute specific to the national education system doesn't exist, define it in the national schema
- Keep in mind that you want to describe NREN students, researchers, teachers...
- This enables compatibility within the national AAI confederation
How to implement an LDAP directory?
LDAP is the protocol for accessing the directory.
- Current version: LDAPv3, described in RFC 4510
- Uses TCP, port 389 (plaintext unless Start TLS is used; LDAP over TLS, LDAPS, uses port 636)
- Client-server model; some operations: Start TLS, Bind, Search, Compare, Add a new entry, Delete an entry, Modify an entry
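The Search operation takes a filter, and the usual mistake when a web application or RADIUS front end builds that filter from user input is LDAP injection. The following is an added example, not from the slides or from AMRES: a toy in-memory evaluator for a subset of RFC 4515 filters (equality with `*` wildcards, presence, `&`, `|`, `!`) used to show an unescaped filter beside one whose value is escaped per RFC 4515. The function names, the sample directory and the attack string are assumptions made up for the example.

```python
"""Added example, not from the AMRES slides: LDAP injection through the
Search filter, demonstrated with a toy in-memory filter evaluator.  The
directory content, function names and attack string are constructed."""
import re

# Constructed directory: two inetOrgPerson entries, attribute names lower-cased.
DIRECTORY = [
    {"objectclass": ["inetOrgPerson", "eduPerson"], "uid": ["ana"],
     "mail": ["ana@example.rs"]},
    {"objectclass": ["inetOrgPerson", "eduPerson"], "uid": ["marko"],
     "mail": ["marko@example.rs"]},
]

def escape_filter_value(value):
    """RFC 4515: backslash, '*', '(', ')' and NUL in an assertion value become
    \\XX hex escapes, so the value can no longer change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def login_filter_unsafe(username):
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % username            # vulnerable

def login_filter_safe(username):
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(username)

def parse_filter(text):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node

def _parse(s, i):
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|":                                   # (&(...)(...)) / (|(...)(...))
        op, kids, i = ("and" if s[i] == "&" else "or"), [], i + 1
        while s[i] != ")":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    if s[i] == "!":                                    # (!(...))
        kid, i = _parse(s, i + 1)
        return ("not", kid), i + 1
    j = s.index(")", i)                                # unescaped ')' ends a simple item
    attr, _, value = s[i:j].partition("=")
    return ("eq", attr.lower(), value), j + 1

def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def matches(node, entry):
    kind = node[0]
    if kind == "and":
        return all(matches(k, entry) for k in node[1])
    if kind == "or":
        return any(matches(k, entry) for k in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    _, attr, pattern = node
    # A raw '*' is a wildcard; an escaped \2a is a literal asterisk.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in entry.get(attr, []))

def search(filter_text, directory=DIRECTORY):
    """Return the uids of entries matching the filter, like a Search on the base."""
    node = parse_filter(filter_text)
    return [e["uid"][0] for e in directory if matches(node, e)]

if __name__ == "__main__":
    attack = "*)(uid=*"                                # constructed attack string
    print(search(login_filter_unsafe("ana")))          # ['ana']
    print(search(login_filter_unsafe(attack)))         # ['ana', 'marko']: structure hijacked
    print(search(login_filter_safe(attack)))           # []: value treated as a literal
```

Real client libraries ship an equivalent of `escape_filter_value`; the point is that the value must be escaped before it is concatenated into the filter, not that the filter is parsed client-side.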
Which LDAP server software to use?
Quite a long list...: 389 Directory Server, Active Directory, Apache Directory Server, Apple Open Directory, FreeIPA, IBM Tivoli Directory Server, Mandriva Directory Server, Novell eDirectory, OpenDJ, OpenDS, OpenLDAP, OptimalIdM, Oracle Internet Directory, Radiant Logic VDS, Sun Java System Directory Server
How to manage LDAP data?
- Manually, with the ldap command-line tools
- LDAP browsers: Apache Directory Studio, phpLDAPadmin, ...
- Make your own application
- Bulk import/synchronization from other source systems – Student Information System, Employee Registry, ...
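Bulk synchronisation from a Student Information System is where most campus directories get their data, so here is an added example (not from the slides or from AMRES): a Python script that turns a constructed SIS CSV export into LDIF change records (add, modify with replace, delete) by diffing it against a snapshot of the current directory. The CSV columns, the DN layout under ou=People,dc=example,dc=rs, the uid-from-e-mail rule, the attribute mapping and the choice to delete a student missing from the export are all assumptions.

```python
"""Added example, not from the AMRES slides: synchronising the LDAP user
database from a Student Information System export.  The CSV, the directory
snapshot, the DN layout and the attribute mapping are constructed
assumptions.  Output is LDIF change records (RFC 2849) for ldapmodify."""
import base64
import csv
import io

BASE_DN = "ou=People,dc=example,dc=rs"                 # assumed branch for persons

# Constructed SIS export; index numbers, names and e-mails are made up.
SIS_CSV = """\
index,first_name,last_name,email
2021/0042,Petar,Petrović,pp0042@example.rs
2019/0007,Ana,Anić,aa0007@example.rs
"""

# Constructed snapshot of what the directory currently holds.
DIRECTORY = {
    "uid=aa0007," + BASE_DN: {
        "uid": ["aa0007"], "givenName": ["Ana"], "sn": ["Anić"], "cn": ["Ana Anić"],
        "mail": ["ana.anic@example.rs"], "eduPersonAffiliation": ["student"]},
    "uid=mm0001," + BASE_DN: {                         # no longer in the SIS export
        "uid": ["mm0001"], "givenName": ["Marko"], "sn": ["Marković"],
        "cn": ["Marko Marković"], "mail": ["mm0001@example.rs"],
        "eduPersonAffiliation": ["student"]},
}

MANAGED = ("givenName", "sn", "cn", "mail", "eduPersonAffiliation")   # owned by the SIS

def sis_to_entries(csv_text):
    """Map each SIS row to the desired directory entry (uid = e-mail local part)."""
    desired = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        uid = row["email"].split("@")[0]
        desired[f"uid={uid},{BASE_DN}"] = {
            "objectClass": ["inetOrgPerson", "eduPerson"],
            "uid": [uid],
            "givenName": [row["first_name"]],
            "sn": [row["last_name"]],
            "cn": [f"{row['first_name']} {row['last_name']}"],
            "mail": [row["email"]],
            "eduPersonAffiliation": ["student", "member"],
        }
    return desired

def ldif_line(attr, value):
    """RFC 2849: a value that is not safe ASCII (e.g. 'Petrović'), starts with
    space, ':' or '<', or ends with a space must use the base64 '::' form."""
    safe = all(0x20 <= ord(c) <= 0x7E for c in value)
    if safe and value[:1] not in (" ", ":", "<") and not value.endswith(" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def diff_to_ldif(current, desired):
    """Produce add / modify(replace) / delete records turning current into desired."""
    out = []
    for dn, attrs in desired.items():
        if dn not in current:
            out += [f"dn: {dn}", "changetype: add"]
            out += [ldif_line(a, v) for a, vals in attrs.items() for v in vals]
            out.append("")
            continue
        changed = [a for a in MANAGED if current[dn].get(a, []) != attrs[a]]
        if changed:
            out += [f"dn: {dn}", "changetype: modify"]
            for a in changed:
                out += [f"replace: {a}"] + [ldif_line(a, v) for v in attrs[a]] + ["-"]
            out.append("")
    for dn in current:
        if dn not in desired:
            # Policy choice: delete at once, or only strip affiliations and keep the entry.
            out += [f"dn: {dn}", "changetype: delete", ""]
    return "\n".join(out)

def sync(csv_text=SIS_CSV, current=DIRECTORY):
    return diff_to_ldif(current, sis_to_entries(csv_text))

if __name__ == "__main__":
    print(sync())
```

Non-ASCII values such as Serbian surnames must be base64-encoded with the `::` form, which `ldif_line` does automatically; the resulting text can be fed to ldapmodify. Only the attributes in `MANAGED` are compared, so values the directory owns (e.g. `userPassword`) are never clobbered by the sync.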
Identity Management
The lifecycle of a user's digital identity – IdM
A set of procedures and rules which define:
1. Who has the right to own a digital identity
2. When a digital identity is assigned to a person
3. How a digital identity is maintained
4. How a digital identity is used
5. How a digital identity is terminated
Every institution should have its own IdM policy. It must comply with the national personal data protection law and the EU Data Protection Directive.
1. Who has the right to own a digital identity
- Pupils
- Students
- Teaching staff
- Other employees
- Other persons affiliated with the institution – members, guests?
2. When is a digital identity assigned to a person
When should the digital identity be created?
- Student: when applying for admission / when enrolling at the faculty / on the first day of studies / when he/she needs it
- Employee: on the first working day / when he/she needs it
Which information should it contain?
- mandatory or optional
- univalued or multivalued
- syntax
- predefined values
- usernames and passwords
Where do you get the information from?
- automatically from another source
- manually from a filled-in form
- manually, verbally
- multiple sources
What are the quality rules for the information? Other systems rely on that data, so it should be accurate – the sync problem.
How and when are identities checked?
3. How is a digital identity maintained
Digital identity data should be accurate and up to date.
Who is responsible for reporting a change of data, and which data?
- User: personal data
- Institution administration: data regarding study/employment
How do you make the changes?
- User: by using a self-service portal
- Institution administration: automatically from another source / manually from a filled-in form / manually, verbally
When are the changes made? ASAP!
4. How is the digital identity used
Which systems can access the information? The ones which need AuthN, AuthZ and/or user data. They can access the directory:
- directly, using the LDAP protocol
- through a mediating authentication server: RADIUS, SAML, ...
Which data should be accessible? Access should be limited to the reasonable info (mail, birthday, ...).
How are user rights and privileges defined?
- use existing user attributes
- add an attribute that describes the user role
5. How is the digital identity terminated
When is a digital identity terminated? When the person is no longer affiliated with the institution:
- student – when he/she graduates
- employee – when he/she stops working
- guest – ?
Who reports that it should be terminated?
- the user
- the student administration service
- the employee administration service
- for guests?
How is it terminated?
- automatically from another source
- manually from a filled-in form
- manually, verbally
The time between the person no longer being affiliated with the institution and termination of the identity should be minimal.
Is it deleted permanently? Should you reassign once-used usernames?
Thank you for your attention. Questions?