Background

About This Presentation

Title:

Background

Description:

Interface to the iPlanet Directory Server's 'changelog' ... A daemon to monitor the LDAP changelog, and write appropriate changes to Active Directory ... – PowerPoint PPT presentation

Number of Views:51

Avg rating:3.0/5.0

Slides: 25

Provided by: greg441

Category:

more less

Transcript and Presenter's Notes

Title: Background

1
Background

UMBCs Stats
Enrollment of approx. 11,200
750 full part-time faculty, 1500 staff

2
Existing Infrastructure

iPlanet-based LDAP directory
Kerberos 5 used for authentication
Campus-wide AFS-based file-store
For instructional, research, and other use
LAN file print services provided by Novell 4
Used by administrative academic departments

3
The Project

To migrate the campus LAN environment from Novell
to Windows 2000 and Active Directory.

4
Why Not AD Everywhere?

Pros
Reasonably well performing LDAP server
Already part of Win2k Server
Powerful schema managment
Cons
Objectclass/Attribute definitions not 100
standard
ex cn (Common Name) not Multi-Valued
New, unproven technology

5
How?

Deploy an Active Directory infrastructure,
containing accounts managed through our current
account management system.
Migrate Windows NT instructional labs to the
Win2k/AD environment.
Migrate departmental systems to 2k, and retire
Novell.
? Begin migration to the next big thing

6
The Problem

Integrate
Existing campus directory and account management
system, based on the iPlanet directory server
Existing campus-wide authentication, based on MIT
Kerberos 5

7
Kerberos 5 Integration

Already supported by Microsoft!
http//www.microsoft.com/technet/prodtechnol/windo
ws2000serv/deploy/confeat/kerbstep.asp
Solves most of the authentication problem
more on this later.

8
Resources

Directory Team
Experienced with LDAP
Existing directory tools connectors written in
Perl
Group generally takes on software development
projects
Windows/LAN Team
Little LDAP experience
Little Active Directory experience does anyone
have a lot ?
Not a software development oriented group

9
Choices

Updates
Batch, or
real time ?
Development platform
Windows w/ADSI, or
UNIX w/Perl ?

10
Batch Updates

Heavy periodic processing load
Long reaction time not acceptable to user
community

11
Real Time Updates

Uses iPlanet changelog function
Often, but light processing
snappy reaction times to user administrative
actions

12
Windows/ADSI Development

Reasonably well documented
but also requires a reasonable amount of
Windows development proficiency

13
Perl/LDAP/UNIX Development

Requires a bit of poking and prodding
Active Directorys LDAP interface is fully
functional.
Reasonably well documented, as these things go
however, there are some holes in the docs.
luckily, a bit of experimentation closed these
holes

14
Our Choice

Develop on Unix with Perl our platform of
choice
Aim for near real time updates

15
Components Needed

Interface to the iPlanet Directory Servers
changelog
Logic to create Active Directory account
objects from a umbcAccount object
Interface to the Active Directory

16
Changelog Interface

Used by iPlanet to manage replication
Queried via LDAP
Had already written an interface as part of
another integration project!

17
Translation Logic

Perl module
Given a umbcAccount LDAP entry, generate an
appropriate Active Directory entry
Includes a standard API used by the changelog
interface

18
AD Interface

AD accepts LDAP and SSL-LDAP connections
All AD attributes can be queried and modified
via the LDAP interface
Microsofts ADSI uses this interface too!

19
The Completed System

Consists of
A script to populate/mass modify all Active
Directory account objects, and
A daemon to monitor the LDAP changelog, and
write appropriate changes to Active Directory

20
Problems