Middleware UMBC - PowerPoint PPT Presentation

Slides: 44
Provided by: rober147
Transcript and Presenter's Notes

1
Middleware @UMBC
  • LDAP, Loads of People, and
  • Account Management

2
Middleware @UMBC
  • Motivations
  • Introduction to LDAP
  • Managing People
  • Our First Application: Account Management

3
What is a Directory Service?
  • Data
  • Hardware and Software
  • Policies and Procedures

4
Why build a Directory Service?
  • Consolidation of existing directories
  • Reduce replication of
  • Policies
  • Data
  • Means LESS WORK!

5
Internet 2 Middleware Project
  • http://www.internet2.edu/middleware
  • UMBC is one of 11 participating institutions
  • Goal: Enable inter- and intra-institutional
    collaboration
  • How: Agreed-upon data representation and policies

6
UMBC's Environment
  • Tightly centralized environment
  • One department (OIT) manages most data sources
  • Human Resources
  • SIS
  • Technical data-access problems are simple to
    solve

7
Pre-LDAP Environment
  • PH/CSO Nameserver
  • Account Database
  • @umbc.edu Mail Redirection
  • Authorization (Unix): NIS
  • Authentication (Unix, NT): Kerberos
  • Account Management: AGUS

8
PH/CSO Nameserver
  • Designed by UIUC, early to mid 90s.
  • Indexed for speedy lookups
  • Flat organization
  • Static Schema
  • Synchronized with HR and SIS systems via text
    file dumps and perl scripts

9
Kerberos
  • Developed at MIT
  • Cross-platform network authentication, including
    mutual client-server authentication
  • http://www.mit.edu/afs/athena.mit.edu/astaff/project/kerberos/www

10
AGUS
  • Account Generation <something something>
  • Developed at UMBC in 1992, overhauled in 1994-95
  • http://www.umbc.edu/people/paulr/lisa95.pdf

11
Brief Introduction to LDAP
  • Definition
  • Features
  • Example Entries

12
LDAP - Definition
  • Lightweight Directory Access Protocol
  • Originally designed as a front-end to X.500
  • Not reliant on the bulky OSI protocol stack

13
LDAP - Features
  • Structure
  • Flexible Schema
  • Security (authentication)
  • Security (access)
  • Replication / Distribution of Services

14
LDAP - Structure
  • Formed by the interpretation of the
    Distinguished Names of elements

  uid=banz,ou=accounts,o=umbc.edu

  o=umbc.edu
    ou=accounts
      uid=banz
    ou=people

15
LDAP - Structure
  • Distinguished Names are unique
  • The attribute types that make it up are not
    restricted
  • Typical attributes:
  • ou: Organizational Unit
  • o: Organization

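The DN structure described on the two slides above, as an added example (not code from the UMBC presentation): parse a DN into its RDNs, derive the parent DN, and rebuild the tree the slide draws. Escaped commas (`\,`) inside a value are handled.

```python
# Added example, not from the UMBC slides: parse an LDAP Distinguished Name
# into its RDNs, derive the parent DN, and rebuild the slide's tree.
from typing import Dict, List, Tuple

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, leftmost (most specific) RDN first.
    A backslash escapes the next character, so 'o=Acme\\, Inc' is one RDN."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped comma, plus sign, etc.
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        typ, val = rdn.split("=", 1)
        pairs.append((typ.strip().lower(), val.strip()))  # types are case-ignore
    return pairs

def format_rdn(typ: str, val: str) -> str:
    """Re-escape commas so a value containing one survives a round trip."""
    esc = val.replace(",", "\\,")
    return f"{typ}={esc}"

def parent_dn(dn: str) -> str:
    """Everything right of the first RDN; '' for a root entry such as o=umbc.edu."""
    return ",".join(format_rdn(t, v) for t, v in parse_dn(dn)[1:])

def build_tree(dns: List[str]) -> Dict:
    """Nest each DN under its ancestors, creating intermediate nodes on the way."""
    tree: Dict = {}
    for dn in dns:
        node = tree
        for typ, val in reversed(parse_dn(dn)):   # walk from the root downwards
            node = node.setdefault(format_rdn(typ, val), {})
    return tree
```

`build_tree(["uid=banz,ou=accounts,o=umbc.edu", "ou=people,o=umbc.edu"])` yields the nested dict `{'o=umbc.edu': {'ou=accounts': {'uid=banz': {}}, 'ou=people': {}}}`, i.e. the tree on slide 14.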
16
LDAP Schema (objects)
  • Entry is a member of one or more object classes
  • An Object Class defines which attributes are
    required or optional

17
LDAP Schema (attributes)
  • An attribute has an identifier (name), and
    associated meaning.
  • The meaning of the attribute is typically
    described in the objectClass definition that
    first used the attribute.
  • While attributes can be used in other
    objectClasses, their meaning should remain the
    same.

18
LDAP Schema (attributes cont)
  • An attribute is typically one of
  • CIS (Case Ignore String)
  • CES (Case Sensitive String)
  • BIN (Binary)
  • DN (A Distinguished Name)
  • INT (An Integer)
  • Other attribute syntaxes exist; these are just
    the most typical
  • Attributes can be Single Valued or Multi-Valued

19
Example Object - Person
The following is a very simple objectclass, person:

  objectclass person
    oid 2.5.6.6
    superior top
    requires sn (surname), cn (common name)
    allows description, seeAlso, telephoneNumber, userPassword

20
Example Object - organizationalPerson
The following is a very simple objectclass, organizationalPerson:

  objectclass organizationalPerson
    oid 2.5.6.7
    superior person
    allows destinationIndicator, facsimileTelephoneNumber,
      internationaliSDNNumber, l, ou, physicalDeliveryOfficeName,
      postOfficeBox, postalAddress, postalCode, preferredDeliveryMethod,
      registeredAddress, st, street,

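
The object-class rules from slides 16, 19 and 20, as an added example (not code from the UMBC presentation): a small model of classes with a `superior` chain, and a check that an entry carries every attribute required anywhere in the chain and nothing outside what the chain allows. The attribute lists are taken from the two slides; `top` requiring `objectClass` is standard X.500 behaviour and is assumed here.

```python
# Added example, not from the UMBC slides: object classes with a superior chain,
# and an entry check of the kind a directory server performs on every write.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class ObjectClass:
    name: str
    oid: str
    superior: Optional[str]
    requires: Set[str] = field(default_factory=set)
    allows: Set[str] = field(default_factory=set)

# Attribute names lowercased: they are case-ignore. 'top' is assumed standard.
SCHEMA: Dict[str, ObjectClass] = {oc.name.lower(): oc for oc in [
    ObjectClass("top", "2.5.6.0", None, {"objectclass"}),
    ObjectClass("person", "2.5.6.6", "top", {"sn", "cn"},
                {"description", "seealso", "telephonenumber", "userpassword"}),
    ObjectClass("organizationalPerson", "2.5.6.7", "person", set(),
                {"destinationindicator", "facsimiletelephonenumber",
                 "internationalisdnnumber", "l", "ou",
                 "physicaldeliveryofficename", "postofficebox",
                 "postaladdress", "postalcode", "preferreddeliverymethod",
                 "registeredaddress", "st", "street"}),
]}

def chain(name: str) -> List[ObjectClass]:
    """The class and all of its superiors, most specific first."""
    out, cur = [], SCHEMA[name.lower()]
    while cur is not None:
        out.append(cur)
        cur = SCHEMA[cur.superior.lower()] if cur.superior else None
    return out

def check_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Return the schema violations for an entry; an empty list means valid."""
    attrs = {k.lower(): v for k, v in entry.items()}
    present = set(attrs)
    required, allowed = set(), set()
    for oc_name in attrs.get("objectclass", []):
        if oc_name.lower() not in SCHEMA:
            return [f"unknown objectClass {oc_name}"]
        for oc in chain(oc_name):
            required |= oc.requires
            allowed |= oc.requires | oc.allows
    problems = [f"missing required attribute {a}" for a in sorted(required - present)]
    problems += [f"attribute {a} not allowed by any objectClass"
                 for a in sorted(present - allowed)]
    return problems
```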
21
LDAP Security (authentication)
  • Bind (connect) to the service:
  • Anonymously, or
  • As a DN
  • Usually with a simple password; however, other
    methods are supported:
  • Kerberos
  • SSL
  • Extensible

22
LDAP - Replication
  • Multiple Servers Redundancy
  • Can replicate parts, or all, of the directory
  • Implementation Specific

23
A Person
  • Here's a typical Person entry, of class
    umbcPerson (superior inetOrgPerson):
  • affiliation: staff
  • billingAddress: 8107 Callo Ln\nBaltimore, MD 21237
  • campusPostalAddress: 8107 Callo Ln\nBaltimore, MD 21237
  • cn: Robert Banz
  • cn: Banz, robert A.
  • createTimestamp: 20000810004455Z
  • creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
  • dateOfBirth: 08-Aug-72
  • departmentNumber: 360080
  • givenName: robert
  • guid: 6cbfa31e-6e14-11d4-9669-8020cd7816
  • homePhone: 4106543175
  • mailAcceptingGeneralId: robert_banz
  • mailAcceptingGeneralId: robert.banz
  • maildrop: banz@umbc.edu
  • modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
  • modifyTimestamp: 20000901162434Z

24
more person
  • objectClass: top
  • objectClass: person
  • objectClass: organizationalPerson
  • objectClass: inetOrgPerson
  • objectClass: umbcPerson
  • postalAddress: 1 Wellhaven Cir\nApt 1225\nOwings Mills, MD 21117
  • roomNumber: ECS
  • sn: banz
  • socialSecurityNumber: xxx885013
  • telephoneNumber: 4104553933
  • umbcBuckley: 00
  • umbcDataSource: SIS
  • umbcDataSource: HR
  • umbcDateCurrentTitle: 20000326050000Z
  • umbcDepartment: Office of Information Technology
  • umbcHireDate: 19980126050000Z
  • umbcLastTermElig: 199509
  • umbcLastTermReg: 199509
  • umbcNameConfidential: 00

25
UMBC's Person Database
  • Represent all needed HR and SIS information in an
    LDAP database
  • (near) Real-time synchronization
  • Entries are:
  • Eternal
  • Unique
  • Non-reusable

26
Our Identifier
  • Must be Universally Unique
  • Using the DCE UUID
  • Guaranteed unique over all time and space
  • Not particularly for human consumption

27
Structure - Hierarchical
  • Location in the tree conveys meaning
  • Ideal for corporate environments
  • Difficult for Universities

28
Structure - Flat
  • No meaning is conveyed by position, but by:
  • Group membership, or
  • Information in the entry
  • A person's position in the tree remains static,
    while their position in the organization can be fluid

29
UMBC's Schema
  • Keep in mind Internet2 Middleware Standards; it's
    all about interoperation
  • Unfortunately, standards are not complete
  • eduPerson
  • http://www.educause.edu/eduperson

30
Implementation
  • Made up of three main elements
  • LDAP Server Software
  • Hardware
  • Glue

31
Implementation - Software
  • Chose Netscape Directory Server
  • Mature product
  • Considered the best, but not cheap
  • Handles the Load
  • Our Person Database has 300,000 entries
  • Other Alternatives
  • OpenLDAP
  • Innosoft
  • NDS
  • many more

32
Hardware
  • Master Server
  • Sun Enterprise 220R
  • 2G RAM (yes, it uses it)
  • 2x 440MHz processors
  • Slave Servers (2)
  • Sun Netra T1
  • 512M RAM (would love to have more)
  • 1x 440MHz processor

33
Glue
  • Changes to the Oracle SIS and HR tables cause
    entries to be made in a changelog table
  • Perl script
  • Scans the log table and makes the appropriate
    changes
  • Web-based utilities for editing and adding entries

34
Future Directions
  • Campus MetaDirectory
  • Synchronize the data sources we are synchronizing
    with
  • Driving Other Applications
  • Card Key Access Control
  • Single Application Interface

35
UMBC's Account Management
  • First application to make use of the LDAP Person
    Directory
  • It, itself, keeps most of its data in LDAP

36
Account Management - Goals
  • Utilize the Person Database for account
    authorization information
  • Web-enabled, for:
  • Self-Service Account Creation
  • Password Changing
  • Near-Real-Time Creation
  • Manage both Krb5 and AFS metadata
  • Populate the user's account w/ default files
  • Manage the @umbc.edu Email Address Space
  • Utilize an RFC 2307 compliant schema

37
Account Management - Bitses
  • WebAdmin Interfaces
  • Kerberos and AFS Manager (accountqd)
  • LDAP Based Mail Redirector
  • NIS Map Generator

38
WebAdmin Interfaces
  • Allows both self-service and Administrator-level:
  • Account Creation
  • Account Activation
  • Account Editing
  • Kerberos 5 Password Changes
  • other administrative tasks

39
accountqd
  • Perl Daemon
  • Periodically (every 5 minutes), checks for
    account entries that need processing
  • Creates
  • Kerberos 5 Instance
  • AFS pts database entry
  • AFS Volume
  • Populates AFS volume with default files

40
LDAP Based Mail Redirector
  • Part of Sendmail 8.11
  • Also in previous versions, but less mature
  • Listed as other alias maps
  • One map keys on mailacceptinggeneralid in
    ou=People,o=umbc.edu and returns the maildrop
    entry(s) associated with the matching DN.
  • The other keys on uid in ou=Accounts,o=umbc.edu
    and returns the maildrop entry(s).
  • Much quicker than the old phquery mailer

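The two-map lookup described on slide 40, as an added example (not code from the UMBC presentation): an offline stand-in for the directory, the two alias maps in the order sendmail consults them, and a check for alias keys claimed by more than one People entry. The directory contents and the RDN attribute of the People entry are constructed for the example.

```python
# Added example, not from the UMBC slides: map 1 keys on mailacceptinggeneralid
# below ou=People,o=umbc.edu; map 2 keys on uid below ou=Accounts,o=umbc.edu;
# each returns the matching entry's maildrop value(s); the first map that matches wins.
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]
# Constructed directory for the example; the RDN of People entries is assumed.
DIRECTORY: Dict[str, Entry] = {
    "guid=example-uuid,ou=People,o=umbc.edu": {
        "mailacceptinggeneralid": ["robert_banz", "robert.banz"],
        "maildrop": ["banz@umbc.edu"],
    },
    "uid=banz,ou=Accounts,o=umbc.edu": {
        "uid": ["banz"],
        "maildrop": ["banz@mailhost.umbc.edu"],
    },
}
ALIAS_MAPS = [  # (search base, key attribute), in the order sendmail tries them
    ("ou=People,o=umbc.edu", "mailacceptinggeneralid"),
    ("ou=Accounts,o=umbc.edu", "uid"),
]

def search(base: str, attr: str, value: str) -> List[Entry]:
    """Equality search for attr=value below base; key attributes are case-ignore."""
    hits = []
    for dn, entry in DIRECTORY.items():
        if dn.lower().endswith("," + base.lower()) and \
                value.lower() in (v.lower() for v in entry.get(attr, [])):
            hits.append(entry)
    return hits

def resolve(local_part: str) -> Optional[List[str]]:
    """maildrop value(s) for local_part@umbc.edu, or None when no map matches."""
    for base, attr in ALIAS_MAPS:
        drops = [d for e in search(base, attr, local_part)
                 for d in e.get("maildrop", [])]
        if drops:
            return drops
    return None

def duplicate_aliases() -> Dict[str, int]:
    """Alias keys claimed by more than one People entry (delivery would be ambiguous)."""
    counts: Dict[str, int] = {}
    for dn, entry in DIRECTORY.items():
        if dn.lower().endswith(",ou=people,o=umbc.edu"):
            for alias in entry.get("mailacceptinggeneralid", []):
                counts[alias.lower()] = counts.get(alias.lower(), 0) + 1
    return {k: n for k, n in counts.items() if n > 1}
```

`resolve("robert.banz")` follows the People map to `banz@umbc.edu`, while `resolve("banz")` falls through to the Accounts map; the provisioning glue that writes these entries should refuse any alias `duplicate_aliases()` would report.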
41
NIS Map Updater
  • Perl Script
  • Runs every 15 minutes on NIS master servers
  • Generates NIS maps based on information in the
    ou=Accounts tree
  • Will be replaced

42
Future Stuff
  • WebAdmin interface isn't complete:
  • Alias Management
  • Account Deletion (yay!)
  • However, the first few weeks of a semester are
    kind of busy
  • OSs that support it (Solaris, IRIX, etc.) can
    query LDAP directly (the RFC 2307 schema thing)

43
Places to Visit
  • Internet2: http://www.internet2.edu
  • WebAdmin: http://webadmin.umbc.edu/
  • LDAPworld: http://www.innosoft.com/ldapworld
  • ModPerl (all of our interfaces are written in it):
    http://perl.apache.org
  • UMBC's UCE Home: http://www.gl.umbc.edu
  • If we post any of our code, this is where you'll
    find it.