EZproxy: Past, Present, Future - PowerPoint PPT Presentation

Slides: 28
Provided by: chrisz150
Transcript and Presenter's Notes


1
EZproxy: Past, Present, Future
  • Andrew Bennett <a.bennett_at_library.uq.edu.au>
  • University of Queensland
  • Chris Zagar <zagar_at_usefulutilities.com>
  • Useful Utilities

2
Overview
  • EZproxy history
  • New features
  • High Availability
  • Enhanced LDAP
  • Shibboleth
  • Related Technologies

3
History
4
The Beginning
  • Created in 1999
  • Designed to address the need to provide simple
    access to library resources without requiring
    remote users to change browser settings
  • Anticipated audience: small colleges with limited
    IT support
  • Actual audience: colleges and universities of all
    sizes

5
Numbers
  • First copy sold: August 1999
  • First Australian institution, in March 2000: Curtin
    University of Technology
  • Acquired by over 1400 institutions in 34
    countries, including 52 Australian institutions

6
Milestones
  • 1999: 1.0 Released
  • 2001: 1.2 Proxy by hostname
  • 2002: 2.0 SSL (https) support
  • 2004: 3.0 High-availability configurations,
    Enhanced LDAP
  • Upcoming: Shibboleth

7
High Availability Configuration
8
High-Availability (HA) Configuration
  • Allows starting point URLs to access multiple
    EZproxy servers
  • Eliminates single point of failure
  • Existing EZproxy server name can be used as
    high-availability name, allowing existing URLs to
    automatically take advantage of this feature

9
HA System Requirements
  • Two or more EZproxy servers with identical
    configurations
  • Servers may use proxy by port or proxy by
    hostname
  • All servers must use the same port number for
    login processing
  • High availability name must be a DNS Address
    record pointing to all EZproxy servers

10
HA Hostname Requirements
  • Each server has a unique name (e.g.
    ezp1.yourlib.org 68.14.229.197, ezp2.yourlib.org
    68.14.229.198)
  • Servers share a common name that has DNS Address
    records pointing to all servers (e.g.
    ha.yourlib.org 68.14.229.197 and 68.14.229.198)
  • All names must end in the same domain (e.g.
    .yourlib.org)

11
HA SSL Support
  • To use SSL (https), each server must have its
    own, separate SSL certificate that matches the
    server's unique name

12
HA ezproxy.cfg directives
  • All servers share common configuration except for
    Name and Interface directives
  • Recommendation: place Name and Interface
    directives into file local.cfg, then reference it
    from ezproxy.cfg with IncludeFile local.cfg

13
HA Sample Configuration
  • Name and Interface should go in specific.cfg
  • IncludeFile specific.cfg
  • HAName is just the name all servers share
  • HAName ha.yourlib.org
  • HAPeer is the complete URL to the servers
  • HAPeer http://ezp1.yourlib.org:2048
  • HAPeer http://ezp2.yourlib.org:2048
  • Regular ezproxy.cfg directives follow
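
The HA requirements on the preceding slides can be checked mechanically before a cluster goes live. The sketch below is an added example, not part of the presentation or of EZproxy: the functions `parse_ha` and `check_ha` are hypothetical names, the configuration text and DNS table are constructed from the slides' sample values, and DNS answers are passed in as a dictionary so the check runs offline.

```python
from urllib.parse import urlsplit

# Constructed sample: the slide's directives in ezproxy.cfg syntax.
SAMPLE_CFG = """\
IncludeFile specific.cfg
HAName ha.yourlib.org
HAPeer http://ezp1.yourlib.org:2048
HAPeer http://ezp2.yourlib.org:2048
"""
# Constructed DNS view (name -> A records) using the slide's example addresses.
SAMPLE_DNS = {
    "ha.yourlib.org": {"68.14.229.197", "68.14.229.198"},
    "ezp1.yourlib.org": {"68.14.229.197"},
    "ezp2.yourlib.org": {"68.14.229.198"},
}


def parse_ha(cfg_text):
    """Return (ha_name, [parsed peer URL, ...]) from ezproxy.cfg-style text."""
    ha_name, peers = None, []
    for line in cfg_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "haname":
            ha_name = parts[1].strip().lower()
        elif len(parts) == 2 and parts[0].lower() == "hapeer":
            peers.append(urlsplit(parts[1].strip()))
    return ha_name, peers


def check_ha(cfg_text, dns):
    """Return findings; an empty list means the slides' HA rules hold."""
    ha_name, peers = parse_ha(cfg_text)
    if not ha_name:
        return ["no HAName directive"]
    findings = []
    hosts = [p.hostname for p in peers if p.hostname]
    if len(hosts) != len(peers):
        findings.append("malformed HAPeer URL")
    if len(set(hosts)) < 2:
        findings.append("need two or more uniquely named peers")
    if len({p.port for p in peers if p.hostname}) > 1:
        findings.append("peers use different login ports")
    # Assumption: the shared domain is everything after HAName's first label.
    domain = "." + ha_name.split(".", 1)[-1]
    findings += [f"{h} is outside {domain}" for h in hosts if not h.endswith(domain)]
    peer_ips = set().union(*(dns.get(h, set()) for h in hosts))
    ha_ips = dns.get(ha_name, set())
    findings += [f"{ha_name} has no A record for peer {ip}" for ip in sorted(peer_ips - ha_ips)]
    findings += [f"{ha_name} points at non-peer address {ip}" for ip in sorted(ha_ips - peer_ips)]
    return findings
```

A shared-name A record that matches no peer is reported because it sends some share of logins to a host outside the cluster.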

14
LDAP
15
LDAP
  • EZproxy 3.0 contains enhanced LDAP support
  • Original LDAP functionality remains to avoid
    issues while updating

16
LDAP Configuration
  • Includes a web-based tool to query LDAP server
    and help define the configuration syntax needed
    for ezproxy.usr

17
(No Transcript)
18
LDAP Features
  • Search for users across organizational units
    based on specified attribute(s)
  • Allow or deny access to EZproxy based on
    attributes and group memberships
  • Vary EZproxy group membership based on attributes
    and group memberships

19
LDAP Sample Usage
  • ::LDAP
  • BindUser cn=ezproxy,dc=yourlib,dc=org
  • BindPassword searching4people
  • URL ldap://ldapserv.yourlib.org/DC=yourlib,DC=org?
    uid?sub?(objectClass=person)
  • Group GeneralAlumni
  • Test eduPersonAffiliation student Allow
  • Test eduPersonAffiliation faculty Allow
  • Test eduPersonAffiliation employee Allow
  • Group Alumni
  • Test eduPersonAffiliation alumni Allow
  • Deny unauthorized.html
  • /LDAP
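
The URL directive in the sample packs five search parameters into one line. The following added example (not from the presentation or from EZproxy) splits the slide's URL, written in standard LDAP URL syntax (RFC 4516), into its parts and shows a login name being escaped per RFC 4515 before it is placed in a search filter. How EZproxy itself combines the URL with the login name is not stated on the slides, so `user_search` is an assumed, hypothetical combination step.

```python
from urllib.parse import urlsplit, unquote

# The slide's search URL in standard LDAP URL syntax (RFC 4516).
SLIDE_URL = "ldap://ldapserv.yourlib.org/DC=yourlib,DC=org?uid?sub?(objectClass=person)"

# Characters that have special meaning inside a search filter (RFC 4515).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_ldap_url(url):
    """Split an LDAP URL into host, port, base DN, attribute, scope, filter."""
    u = urlsplit(url)
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL")
    # Query layout is attributes?scope?filter; missing fields take RFC defaults.
    fields = [unquote(f) for f in u.query.split("?")] + [""] * 3
    return {
        "host": u.hostname,
        "port": u.port or (636 if u.scheme == "ldaps" else 389),
        "uses_ldaps": u.scheme == "ldaps",
        "base_dn": unquote(u.path.lstrip("/")),
        "attribute": fields[0],
        "scope": fields[1] or "base",
        "filter": fields[2] or "(objectClass=*)",
    }


def escape_filter_value(value):
    """Escape a value so it is matched literally inside a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_search(url, username):
    """Assumed combination step: AND the URL's filter with attribute=username."""
    p = parse_ldap_url(url)
    safe = escape_filter_value(username)
    p["filter"] = f"(&{p['filter']}({p['attribute']}={safe}))"
    return p
```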

20
Shibboleth
21
Shibboleth
  • Hebrew word referring to a criterion or test that
    separates one group from another
  • Internet2 project supporting authentication and
    authorization across multiple institutions
  • Project web site: http://shibboleth.internet2.edu

22
Identity Providers (IdP) and Service Providers (SP)
  • Shibboleth Identity Providers authenticate users
  • Shibboleth Service Providers provide users with
    access to resources
  • Identity Providers can release as much or as
    little information as required to Service
    Providers, including information on institutional
    affiliation that may determine the level of
    access to permit to a resource

23
EZproxy Shibboleth support
  • The next release of EZproxy contains built-in
    support for EZproxy to act as a Shibboleth
    Service Provider (SP)
  • With the addition of a few configuration lines,
    your EZproxy server can participate in Shibboleth
    user authentication and authorization

24
Shibboleth beta testing
  • EZproxy Shibboleth beta testing starts this month
  • If your institution has set up a Shibboleth
    Identity Provider and would like to test EZproxy
    Shibboleth features, contact
    zagar_at_usefulutilities.com

25
Related Technologies
26
Related Technologies
  • Electronic Resource Management Solutions
  • Course Management Systems
  • Portals
  • OpenURL resolvers
  • MetaSearch engines

27
Questions?