                 University of Maryland
                    LDAP Directory

                             David Henry
                  Office of Information Technology
                       University of Maryland
                             College Park
                   david_henry@umail.umd.edu



David Henry, CSG - May, 2000
            University of Maryland Stats
•    Land Grant University
•    13 Colleges, 1 Campus
•    ~35,000 Undergrad
•    ~15,000 Grad
•    ~8,500 Faculty
•    ~5,200 Staff



                         U of MD History
• 1988 – Rollout of email system with integrated directory
  for faculty and staff (aka umail)
   – Faculty/Staff only
   – Finger, whois servers
   – Email forwarding service
• 1993 – CSO name server
   – Faculty/staff only
   – Used by Web directory page
• 1997 – installed Esys/Simeon X.500/LDAP server (based
  on ISODE/Quipu)
   – Decommissioned in Feb 2000
• 1999 – installed IBM Secureway LDAP directory
   – Faculty/Staff + Students + Affiliates
   – ~60,000 DNs
               How we got where we are
• Extemporize…
   – Reorg
   – LDAP committee
   – Data feeds
• Savings argument




                                The DN
• DN
   – Employeenumber=<uid>,dc=people,dc=umd.edu
   – Sample <uid>: 103660231
• Qualities of uid
  – NOT SSN
  – Can be public
  – Never will change
  – Contains a check digit
  – Everyone gets one (even unadmitted student
    applicants)

             Some of our local attributes
• Major, department, etc.
• umID (aka SSN, not public)
• umIDhash
   – sha1 hash of umID
   – Read/search for authenticated access
• Set of Booleans
   – umFaculty, umStaff, umEmployee, umStudent,
     umAffiliate, umAlumni, umBuckleyflag
• Also umPINhash and UMParentPINhash
   – sha1 hash of student and parent PINs
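Worked example (added here; not code from the slides or from UMD's directory) of the entry layout the DN and local-attribute slides describe: the DN under dc=people,dc=umd.edu, the sha1 umIDhash and umPINhash attributes, the Boolean flags, and the search filter an authenticated service would use to find a person by hashed umID rather than by reading umID. The base DN and attribute names come from the slides; the function names, the sample values, and the omission of the uid check-digit validation (the slide does not give the algorithm) are assumptions.

```python
import hashlib
# Added example, not code from the slides or from UMD's directory.
BASE_DN = "dc=people,dc=umd.edu"              # suffix from the DN slide
# LDAP attribute types are case-insensitive; the slide writes Employeenumber.
UID_ATTR = "employeeNumber"
BOOLEAN_ATTRS = ("umFaculty", "umStaff", "umEmployee", "umStudent",
                 "umAffiliate", "umAlumni", "umBuckleyflag")


def sha1_hex(value: str) -> str:
    """Unsalted SHA-1 hex digest, as the slide describes for umIDhash and umPINhash."""
    return hashlib.sha1(value.encode("ascii")).hexdigest()


def build_entry(uid: str, um_id: str, pin: str, flags) -> dict:
    """Attribute set for one person under the slide's DN scheme.

    The uid check digit is not validated here (algorithm not given on the slide).
    umID (the SSN) stays in the entry but is never public; umIDhash is what an
    authenticated client reads or searches instead.
    """
    entry = {
        "dn": f"{UID_ATTR}={uid},{BASE_DN}",
        UID_ATTR: uid,
        "umID": um_id,
        "umIDhash": sha1_hex(um_id),
        "umPINhash": sha1_hex(pin),
    }
    for attr in BOOLEAN_ATTRS:                # LDAP Boolean syntax is TRUE/FALSE
        entry[attr] = "TRUE" if attr in flags else "FALSE"
    return entry


def to_ldif(entry: dict, public_only: bool = False) -> str:
    """Render as LDIF; public_only drops the attributes the slide marks non-public."""
    hidden = {"umID", "umIDhash", "umPINhash"} if public_only else set()
    lines = [f"dn: {entry['dn']}"]
    lines += [f"{k}: {v}" for k, v in entry.items() if k != "dn" and k not in hidden]
    return "\n".join(lines) + "\n"


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515 backslash-hex escapes)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def lookup_filter_from_ssn(ssn: str) -> str:
    """Filter to find a person by SSN without reading umID: hash client-side,
    then search umIDhash (read/search permitted for authenticated access only)."""
    return f"(umIDhash={escape_filter_value(sha1_hex(ssn))})"
```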

          IBM Secureway LDAP Issues
• ACL Support
   – Object Level Only
         • Each attribute within an object is assigned to an
           access level (normal, sensitive, critical)
         • We want to fully populate all attributes and control
           access by ACL
   – IBM says ACL support is fixed in next release
     (GA July)
         • Attribute level ACL support consistent with
           proposed standard
         • LDIF syntax for ACL NOT consistent with
           proposed standard
          IBM Secureway LDAP Issues
• Bulkload – disaster recovery
   – 60,000 entries takes ~24 hours to load
         • ACL processing (23.75 hours)
   – IBM is looking at problem – no solution
• Kerberos Support
   – K5 authentication supported in the next release
   – No support for K4… maybe through Transarc
• Next release GA July 2000
   – We received early release yesterday
           Anticipated Uses of Directory
• Authentication/authorization for modem pool,
  central mail drop, student records, etc.
• Lost card digit
• Placeholder for students who are “admitted, letter
  sent”
• Dynamic email lists (major, course, student status)
• Door swipe access
• Library patron authorization
• Userid reserve list
• Tie in to NDS? W2K?

                  Current Uses of Directory
•    Email forwarding service @umd.edu
•    Email client searches
•    Web directory searches
•    Authentication services for web pages
•    Corporatetime




                Corporatetime vs. LDAP
• CT only supports Netscape DS and Control Data
  Systems Global DS
   – Schema/ACL syntax fixes for IBM LDAP
• ACL Issues – separate server for CT until attribute
  level ACL support
• No support for multivalue attributes
• It is not possible to create a CT user w/o being in
  LDAP
• Meeting related data is stored on CT server not in
  LDAP server
                Corporatetime vs. LDAP
• Defined ctCalUser, ctCalAdmin,
  ctCalResource object classes
• Attributes specific to CT stored in CT
  specific part of the tree
   – cn=ctserv,dc=ct
• Example attributes
   – ctCalAccess, ctCalFlags, ctCalHost



                       Some Policy Issues
• Student information is accessible only after
  authenticated to LDAP
• Who gets to be added?
   – Students, Faculty, Staff, Affiliates
   – Admitted students, letter sent
         • Removed after they decline
   – Affiliates
         • Volunteers, collaborating faculty, business partners
         • Alumni? (not so far at UMD)
         • Who gets the rights to add affiliates?
         • Currently, one year duration.

                               That’s it!

                              David Henry
                   Office of Information Technology
                        University of Maryland
                              College Park
                    David_henry@umail.umd.edu



