									   Internet2 Middleware
Drinking Kool-Aid From A Fire Hose
                 or
        Sniffing Glue-Ware

                Michael R. Gettes
              Principal Technologist
             Georgetown University
            gettes@Georgetown.EDU
    http://www.georgetown.edu/giia/internet2
“Middleware is the intersection of what the
Network Engineers and the Application
Programmers don’t want to do”
                                                            - Ken Klingenstein
                                      Chief Technologist, Univ. of Colorado, Boulder
                                             Director, Internet2 Middleware Initiative
                                                                 Lead Clergy, MACE
                                                                           PS of LC


Middleware makes “Transparently use” happen
        Internet2 Middleware


If the goal is a PKI, then you need to consider:
     • Identifiers (SSNs and other untold truths)
     • Identification & Authen process (“I & A”)
     • Authentication systems (Kerberos, LDAP, etc)
     • Lawyers, Policy & Money (lawyers, guns & $$$)
     • Directories (and the applications that use them)
     • Certificate Mgmt System (CMS) Deployment
         – CA Certificate, Server Certificates, Client
           Certificates
     • Authorizations (a real hard problem, Roles, etc)



        Internet2 Middleware

• Building Application/System Infrastructure
• What is missing in Internet 1
• Not “Network Security” (wire level)
• Assumes the wire is insecure
• Assumes the Application is insecure


If security was easy,
      everyone would be doing it.

• http://middleware.internet2.edu

        National Science Foundation
        NMI program

•$12 million over 3 years
•www.nsf-middleware.org
•Middleware Service Providers, Integrators,
Distributors
•GRID (Globus)
•Internet2 + EDUCAUSE + SURA
•May 2002 – first set of deliverables from all
parties



        MACE

Middleware Architecture Committee for Ed.

IT Architects – meet often – no particular religious
affiliations

MACE-DIR – eduPerson, Recipe, DoDHE
MACE-SHIBBOLETH – global AuthN/Z
MACE-PKI – HEPKI (TAG/PAG/PKI-Labs)
MACE-WebISO – Web Initial Sign-on
VID-MID – Video Middleware (H.323/SIP)
MACE-FDRM – Federated Digital Rights Management
NMI - NSF Middleware Initiative
MACE-ochists

RL “Bob” Morgan, Chair, Washington
Steven Carmody, Brown
Michael Gettes, Georgetown
Keith Hazelton, Wisconsin
Paul Hill, MIT
Ken Klingenstein, Colorado
Mark Poepping, CMU
Jim Jokl, Virginia
David Wasley, UCOP
Von Welch, ANL/Grid
Scott Cantor, Ohio St
Bruce Vincent, Stanford
Euro: Brian Gilmore & Ton Verschuren, Diego Lopez

A Map of Middleware Land

[figure not reproduced]

           MACE-DIR


Keith Hazelton, Chair, Wisconsin
  • eduPerson objectclass
  • LDAP-Recipe
  • Dir of Dirs for Higher Education (DoDHE)
  • Shibboleth project dir dependencies
  • Meta Directories – MetaMerge
  • Groups (Dynamic vs. Static; Management)
  • Affiliated Directories (Stitched, Data Link)
  • http://middleware.internet2.edu/directories
         MACE-DIR:
         eduPerson 1.0 (1/22/01 release)

• MACE initiated (Internet2 + EDUCAUSE)
• Globally interesting useful attributes
• Get community buy-in, must use it also
eduPersonAffiliation (DoDHE),
eduPersonPrincipalName (Shibboleth)
• “Less is more”, how to use standard
objectclasses
• http://www.educause.edu/eduperson
       eduPerson 1.5 object class


Included as part of the NSF Middleware
  Initiative (NMI) Release 1.0 May 7th, 02
eduPerson 1.0 is the production version,
  1.5 status is “released for public
  review” (RPR)
Next NMI release will include final 1.5
 based on review period discussions

       eduPerson 1.5 object class


Changes from 1.0:
 • Introductory section added

 • RFC2252 style definitions included for the
   eduPerson object class itself and for each of the
   eduPerson attributes.

 • Notes on additional attributes from existing
   object classes, existing notes clarified, syntax
   and indexing recommendations updated.

        eduPerson 1.5 object class


Two new attributes:
eduPersonPrimaryOrgUnitDN
eduPersonEntitlement
  • Simple case: value is the name of a contract for
    licensed resource
  • http://xstor.com/contract1234
  • Values of eduPersonEntitlement can be URLs or
    URNs

       eduPerson 1.5 object class


eduPersonEntitlement
 • Values of eduPersonEntitlement can be URLs or
   URNs
   – http://www.w3.org/Addressing/
   – RFC2396 Uniform Resource Identifiers
   – RFC2141 Uniform Resource Names
 • URNs to allow federation of name creation
   without name clashes.
   – urn:mace:brown.edu:foo
 • mace-submit@internet2.edu for information on
   URN registration
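How a relying party would actually consume eduPersonEntitlement values, as an added example that is not MACE-DIR or eduPerson reference code: it validates that a value is a URL or an RFC 2141 URN, canonicalises it for comparison (URN prefix and NID are case-insensitive, the NSS is not), extracts the institution that owns a urn:mace:<domain>: sub-namespace, and decides access. The function names, the sub-namespace rule and the sample values other than the two on the slides are assumptions.

```python
import re
from typing import Iterable, Optional

# RFC 2141 URN syntax, reduced to what an entitlement check needs:
#   "urn:" NID ":" NSS, NID = 1-32 letters/digits/hyphens, not starting with "-".
_URN_RE = re.compile(r"^urn:(?P<nid>[A-Za-z0-9][A-Za-z0-9-]{0,31}):(?P<nss>\S+)$",
                     re.IGNORECASE)
# A URL-shaped value such as http://xstor.com/contract1234 (scheme://host[/path]).
_URL_RE = re.compile(r"^https?://[^\s/?#]+(?:[/?#]\S*)?$", re.IGNORECASE)
_SCHEME_HOST_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*://[^/?#]+)(.*)$")


def is_valid_entitlement(value: str) -> bool:
    """eduPersonEntitlement values must be URIs: a URL or an RFC 2141 URN."""
    return bool(_URN_RE.match(value) or _URL_RE.match(value))


def normalize_entitlement(value: str) -> str:
    """Canonical form for comparison. RFC 2141 makes "urn:" and the NID
    case-insensitive but leaves the NSS case-sensitive, so only those are folded.
    For URLs the scheme and host are folded; the path is left alone."""
    m = _URN_RE.match(value)
    if m:
        return "urn:%s:%s" % (m.group("nid").lower(), m.group("nss"))
    m = _SCHEME_HOST_RE.match(value)
    if m:
        return m.group(1).lower() + m.group(2)
    return value


def mace_subnamespace(value: str) -> Optional[str]:
    """For urn:mace:<domain>:... values return <domain>, the institution that owns
    the delegated sub-namespace (assumption drawn from the urn:mace:brown.edu:foo form)."""
    m = _URN_RE.match(value)
    if not m or m.group("nid").lower() != "mace":
        return None
    return m.group("nss").split(":", 1)[0].lower()


def authorize(user_entitlements: Iterable[str], required: str) -> bool:
    """Relying-party check: does the user hold the entitlement the resource requires?
    Malformed values are skipped rather than trusted."""
    wanted = normalize_entitlement(required)
    return any(normalize_entitlement(v) == wanted
               for v in user_entitlements if is_valid_entitlement(v))
```

The case rule matters in practice: a target that lower-cases whole values would treat urn:mace:brown.edu:FOO and urn:mace:brown.edu:foo as the same contract, which the URN specification does not allow.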

          eduOrg 1.0


eduOrg 1.0 released as “Experimental” object
  class
  • Basic organizational info attributes from X.520
      – Telecomm, postal, locale
  •   eduOrgHomePageURI
  •   eduOrgIdentityAuthNPolicyURI
  •   eduOrgLegalName
  •   eduOrgSuperiorURI
  •   eduOrgWhitePagesURI




      LDAP-Recipe
      positioning and the NMI R1

•A special case document
•Pre-existed NMI and MACE document
standards for format and naming.
•Will conform to NMI/MACE naming
and future process for acceptance.
•Content??? Well, we shall see…


      LDAP-Recipe
      Version 1.5 (pre May 7, 2002)

•Directory Tree
•Schema (Design, upgrading, maint)
•AuthN (binding and pw mgmt)
•eduPerson attr discussion (select)
•Access Control
•Replication
•Name population
         LDAP-Recipe
         Version 2.0 (NMI R1 May 7, 2002)

•Groups, Groups, Groups
  • Static, Dynamic, app issues, builds on “NMI Groups Doc”
•E-Mail Routing considerations
  • Attribute firewalling, Sendmail, app issues
•eduPersonOrgDN and
eduPerson{Primary}OrgUnitDN
  • Original Intent for eduPerson 1.0 and Primary
•RDN Issues (a must read)
•Software reference (small, needs to grow)

           MACE-DIR:
           Directory of Directories
           for Higher Education
Web of Data vs. Web of People
Prototype: April, 2000 (by M. Gettes)
Highly scalable parallel searching
   • Interesting development/research problems
   • Configs, LDAP libraries, Human Interface
Realized the need to:
  • Promote eduPerson & common schema
  • Promote good directory design (recipe)
Work proceeding – Sun Microsystems Grant
http://middleware.internet2.edu/dodhe
             MACE-DIR:
             DoDHE and LDAP Analyzer

Todd Piket, Michigan Tech
Web based tool to empirically analyze a directory


eduPerson compliance
Indexing and naming
LDAP-Recipe guidance (good practice)


Beta: http://morpheus.dcs.it.mtu.edu/~tcpiket/dodhe


           MACE-Dir Futures

•Technical Advisory Board
•eduOrg, eduPerson, edu???????
•Shibboleth and other related work
•Roles (RBAC)
•Group Implementations (Eileen Shepard, BC; Tom Barton, Memphis)
•Blue Pages
•LDAP-Recipe (next?)
•Affiliated Directories (Rob Banz, UMBC)
•pkiUser/pkiCa, Bridge CA, etc…
•Video Middleware (commObject{Uri} OCs)
•GRID interoperability
•Directory Policy



          MACE-Dir Futures (continued)


EduOrg “blue page” entries

EduOrgUnit 1.0 object class and attributes

Affiliated directories scenarios
  •   Identity management in Health Sciences
  •   Assembling info on the fly
  •   Data/Metadata bundles as units of exchange
  •   Exploring with our Technical Advisory Board




       MACE-SHIBBOLETH


Steven Carmody, Brown, Chair
A Biblical pass phrase – “password”
   • Get it right or “off with your head”
   • Inter-institutional
     Authentication/Authorization
   • Web Authorization of Remote Sites with
     Local Credentials
   • Authentication via WebISO
   • October, 2002 – Version 1.0 with NMI
   • http://middleware.internet2.edu/shibboleth
         MACE-WEBISO
         Web Initial Sign-on


Based on University of Washington “pubcookie”
implementation


Washington will develop and steward it with external
funding


JA-SIG uPortal, Blackboard, WebCT, Shibboleth – will do or
are highly likely to do.


http://www.washington.edu/computing/pubcookie


         VID-MID
         Video Middleware


Authentication and Authorization of H.323 sessions.
        Client to Client
        Client to MCU


Directory enabled
        How to find video enabled people?
        What is necessary to describe video capabilities?


Will likely extend to IP Telephony and so on…



PKI is
1/3 Technical
and 2/3 Policy?

[pie chart: Technical vs. Policy]

         HEPKI


TAG – Technical Activities Group
   • Jim Jokl, Chair, Virginia
   • Mobility, Cert Profiles, PKI-Lite, etc, etc, lots of techno
PAG – Policy Activities Group
   • Default Chair, Ken Klingenstein, Colorado
   • Knee-deep in policy, HEBCA, Campus, Subs+RP
PKI Labs (AT&T)– Neal McBurnett, Avaya
    • Wisconsin-Madison & Dartmouth
    • Industry, Gov., Edu expert guidance
http://www.educause.edu/hepki



Multiple CAs in FBCA Membrane

• Survivable PKI
• Cross Certificates allow for “one/two-way policy”
• Directories are critical in BCA world.

http://www.educause.edu/    Common Solutions Group, January, 2002 (Sanibel Island)
Transforming Education Through Information Technologies


A Snapshot of the U.S. Federal PKI

[diagram: the Federal Bridge CA in the centre, cross-certified with DOD PKI, Illinois PKI, CANADA PKI, NASA PKI, NFC PKI and the Higher Education Bridge CA; University PKIs hang off the Higher Education Bridge CA]

[diagram: bridge-to-bridge relationships. Nodes: Georgetown University, University of Washington, University of Edinburgh and further UNIVERSITY entries; USA Government Federal BCA with NIH, DoD and NASA; USA Higher Education BCA; USA Health Care “Health Key” BCA with Mayo Clinic and NCHICA; European Higher Education BCA. Links are labelled either “Special Relationships” or “Peer-to-peer”]

                  Bridge CAs


• Higher Education Bridge CA – FBCA peering
• We have a draft HEBCA CP (Net@EDU PKI WG) FBCA Compatible
• How many HEBCAs? (EDUCAUSE!)
• Do we really understand PKI implementations with respect to policy
needs? (proxy certificates, relying party agreements, name
constraints, FERPA, HIPAA, who eats who?)
• BCA seems to be the most promising perspective. Will each person
be a BCA?
• Does ALL software (Client/Server) need to be changed?
• Mitretek announces new BCA deployment model 2/15/2001
    • Scalable & deployable
    • Server plug-ins make client changes less likely
The PKI Puzzle

[diagram, by David Wasley, UCOP: Fed Bridge and Educause HE Bridge; CREN Root CA issuing Server Certs; Campus PKI, Campus Directory, Campus Systems and Campus Resources; Vendor Resources reached via Shib; EDU PKI Hierarchy, COM PKI Hierarchy and Medical PKI Hierarchy]

PKI provides:
• Strong Authentication
• Flexible Authorization
• Secure Digital Signature
• Powerful Data Security

              domainComponent (DC=) Naming


• Traditional X.500 naming:
cn=Michael R Gettes, ou=Server Group, ou=UIS,
o=Georgetown University, c=US

• domainComponent (DC) naming:
uid=gettes,ou=People,dc=georgetown,dc=edu

  • HEPKI is issuing guidance and advice on DC= naming
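Constructing both naming styles programmatically, as an added example that is not part of HEPKI's DC= naming guidance: a DNS name is split into dc= components and each RDN value is escaped per RFC 4514 before it is joined into the DN. The escaping is the part worth having: a uid such as `x,ou=admins` must not be allowed to splice an extra RDN into the DN it is placed in. Function names and sample values beyond the two DNs on the slide are assumptions.

```python
from typing import List, Sequence, Tuple

# RFC 4514 section 2.4: characters that must be escaped inside a string-form RDN
# value. A leading '#', a leading or trailing space, and NUL are handled below.
_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in an RDN (RFC 4514 string form)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: Sequence[Tuple[str, str]]) -> str:
    """Join (attributeType, value) pairs into a DN, most specific RDN first."""
    return ",".join("%s=%s" % (attr, escape_rdn_value(val)) for attr, val in rdns)


def dc_components(domain: str) -> List[Tuple[str, str]]:
    """Map a DNS name onto dc= components:
    georgetown.edu -> [("dc", "georgetown"), ("dc", "edu")]."""
    labels = [label for label in domain.strip(".").lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain")
    return [("dc", label) for label in labels]


def dc_dn(uid: str, domain: str, container: str = "People") -> str:
    """uid=<uid>,ou=<container>,dc=...: the domainComponent style on the slide."""
    return build_dn([("uid", uid), ("ou", container)] + dc_components(domain))


def x500_dn(cn: str, ous: Sequence[str], org: str, country: str) -> str:
    """cn=...,ou=...,o=...,c=...: the traditional X.500 style on the slide."""
    rdns = [("cn", cn)] + [("ou", ou) for ou in ous] + [("o", org), ("c", country)]
    return build_dn(rdns)
```

The '=' character is deliberately not escaped: RFC 4514 does not require it, and the comma escape alone is what keeps `uid=x\,ou=admins` a single RDN when the DN is parsed back.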

                 Attributes for PKI


Store them in a Certificate?
   • Attributes persist for life of Certificate
   • No need for Directory or other lookup
       – The Certificate itself becomes the AuthZ control point
Store them in a Directory?
   • Very light-weight Certificates
   • Requires Directory Access
   • Long-term Certificate, Directory is AuthZ control point.
How many Certificates will we have?
Pseudonymous Certificates

     We’re Building A


“Bridge Over The River PKI”
Shibboleth Update


Steven Carmody, Brown University
          Project Leader, Shibboleth

Michael R. Gettes, Georgetown University
Shibboleth Architecture
Concepts - High Level

[diagram: Browser at the Origin Site, Target Web Server at the Target Site. First Access - Unauthenticated; Authentication Phase against the origin; Authorization Phase at the target; pass content if user is allowed]

Shibboleth Architecture
Concepts (detail)

[diagram: the Origin Site holds the Web Login Server and the Attribute Server, the Target Site the Target Web Server. Flow: First Access - Unauthenticated; redirect user to local Web Login; Authentication; Auth OK; ask to obtain entitlements; Req Ent / Ent Prompt / Entitlements from the Attribute Server; Second Access - Authenticated; pass entitlements for authz decision; Authorization Success; pass content if user is allowed]

Shibboleth Architecture

[figure not reproduced]

Shibboleth Components

[figure not reproduced]

                    Descriptions of services

1. local authn server - assumed part of the campus environment
2. web sso server - typically works with local authn service to provide web
   single sign-on
3. resource manager proxy, resource manager - may serve as control
   points for actual web page access
4. attribute authority - assembles/disassembles/validates signed XML
   objects using attribute repository and policy tables
5. attribute repository - an LDAP directory, or roles database or….
6. Where are you from service - one possible way to direct external users
   to their own local authn service
7. attribute mapper - converts user entitlements into local authorization
   values
8. PDP - policy decision points - decide if user attributes meet
   authorization requirements
9. SHAR - Shibboleth Attribute Requestor - used by target to request user
   attributes
Shibboleth Flows Draft

[figure not reproduced]

Shibboleth Architecture --
Managing Trust

[diagram: a TRUST relationship between the Attribute Server at the Origin Site and the Shib engine at the Target Site, with the Browser and the Target Web Server beneath them]

Personal Privacy

Web Login Server provides a pseudonymous
identity
An Attribute Authority releases Personal Information
associated with that pseudonymous identity to site
X based on:

    • Site Defaults
         – Business Rules
    • User control
         – myAA
    • Filtered by
         – Contract provisions

[diagram: Site Defaults and My AA feed the release decision, filtered by Contract Provisions, on behalf of the Browser/User]

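The flow of the Shibboleth concept slides and the release rules above, end to end, as an added example that is not Shibboleth code: the origin's login server authenticates locally and issues an opaque handle (the pseudonymous identity), the attribute authority answers the target's request for that handle by applying site defaults, the user's own restrictions and the contract filter, and a policy decision point at the target decides on what was released. Everything here is constructed: the class and function names, the users and passwords, the repository contents, the target site xstor.com and the policy tables; ARP is read as attribute release policy.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Attributes = Dict[str, List[str]]


class WebLoginServer:
    """Origin-site login. On success it hands out an opaque, random session handle;
    the target only ever sees the handle, never the netid."""

    def __init__(self, passwords: Dict[str, str]) -> None:
        self._passwords = passwords          # constructed credential store
        self._sessions: Dict[str, str] = {}  # handle -> netid

    def login(self, netid: str, password: str) -> Optional[str]:
        expected = self._passwords.get(netid, "")
        if not expected or not secrets.compare_digest(expected.encode(), password.encode()):
            return None
        handle = secrets.token_urlsafe(16)
        self._sessions[handle] = netid
        return handle

    def resolve(self, handle: str) -> Optional[str]:
        return self._sessions.get(handle)


@dataclass
class ReleasePolicy:
    """The three inputs on the slide, as an attribute release policy (ARP)."""
    site_defaults: Dict[str, Set[str]]                 # target -> attrs business rules allow
    user_restrictions: Dict[str, Dict[str, Set[str]]]  # netid -> target -> attrs withheld (myAA)
    contract_values: Dict[str, Dict[str, Set[str]]]    # target -> attr -> values the contract covers


class AttributeAuthority:
    def __init__(self, login: WebLoginServer, repository: Dict[str, Attributes],
                 policy: ReleasePolicy) -> None:
        self._login, self._repository, self._policy = login, repository, policy

    def release(self, handle: str, target: str) -> Attributes:
        """Answer a SHAR's request: map the handle back to a user, then release only
        what site defaults allow, the user has not withheld, and the contract covers."""
        netid = self._login.resolve(handle)
        if netid is None:
            raise PermissionError("unknown or expired handle")
        allowed = set(self._policy.site_defaults.get(target, set()))
        allowed -= self._policy.user_restrictions.get(netid, {}).get(target, set())
        released: Attributes = {}
        for attr in sorted(allowed):
            values = self._repository.get(netid, {}).get(attr, [])
            contract = self._policy.contract_values.get(target, {}).get(attr)
            if contract is not None:
                values = [v for v in values if v in contract]
            if values:
                released[attr] = values
        return released


def pdp(attrs: Attributes, required_entitlement: str) -> bool:
    """Target-side policy decision point: is the required entitlement present?"""
    return required_entitlement in attrs.get("eduPersonEntitlement", [])


# Constructed origin-site data.
LOGIN = WebLoginServer({"alice": "correct horse", "bob": "battery staple"})
REPOSITORY: Dict[str, Attributes] = {
    "alice": {"eduPersonAffiliation": ["faculty", "member"],
              "eduPersonEntitlement": ["http://xstor.com/contract1234",
                                       "urn:mace:example.edu:library"],
              "mail": ["alice@example.edu"]},
    "bob": {"eduPersonAffiliation": ["student", "member"],
            "eduPersonEntitlement": ["urn:mace:example.edu:library"],
            "mail": ["bob@example.edu"]},
}
POLICY = ReleasePolicy(
    site_defaults={"xstor.com": {"eduPersonAffiliation", "eduPersonEntitlement"}},
    user_restrictions={"bob": {"xstor.com": {"eduPersonAffiliation"}}},
    contract_values={"xstor.com": {"eduPersonEntitlement": {"http://xstor.com/contract1234"}}},
)
AA = AttributeAuthority(LOGIN, REPOSITORY, POLICY)


def access(netid: str, password: str, target: str,
           required: str) -> Tuple[str, Optional[Attributes]]:
    """End to end: first access sends the user to login; the second access carries
    the handle, the target's SHAR fetches attributes for it, the PDP decides."""
    handle = LOGIN.login(netid, password)
    if handle is None:
        return "auth-failed", None
    attrs = AA.release(handle, target)
    return ("allowed" if pdp(attrs, required) else "denied"), attrs
```

Two properties are worth checking against any real deployment: mail is never released to xstor.com because the site default does not list it, and a user restriction can only narrow the site default, never widen it.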
Managing ARPs

[figure not reproduced]

Middleware Marketing
Drivers of Vapor Convergence

[diagram: Shibboleth Inter-Realm AuthZ, OKI/Web Authentication, JA-SIG uPortal Authen and Local Web SSO Pressures all converge on: “We all get Web SSO for Local Authentication and an Enterprise Authorization Framework with an Integrated Portal that will all work inter-institutionally!”]

Middleware Inputs & Outputs

[diagram: consumers above: Licensed Resources, Embedded App Security, Grids, OKI, JA-SIG & uPortal, Inter-realm calendaring, futures; middle layer: Shibboleth, eduPerson, Affiliated Dirs, etc.; foundations below: Campus Web SSO, Enterprise Directory, Enterprise Authentication, Legacy Systems, Enterprise authZ]

Errata--ica
             The Liberty Alliance
             www.project-liberty.org

Sun Microsystems, American Express, United Airlines, Nokia,
MasterCard, AOL Time Warner, American Airlines, Bank of
America, Cisco, France Telecom, Intuit, NTT DoCoMo,
Verisign, Schlumberger, Sony …


Initiated in September 2001.


Protect Privacy, Federated Administration, Interoperability,
Standards based but requires new technology, hard problems
to solve, a Network Identity Service


Funny, doesn’t this stuff sound familiar?
Got Directory?
       Techniques for Product
       Independence

Good/Evil – make use of cool features of your
product.
   • Does this make it more difficult or
     impossible to switch products later?
   • Does this make you less interoperable?
     Standard?
   • Does this limit your ability to leverage
     common solutions?
All the above applies to enabled apps as well.


         Groups, Groups, Groups


Static vs. Dynamic (issues of large groups)
    • Static Scalability, performance, bandwidth
    • Dynamic Manageability (search based, but search limits)
Is there something neutral?
Indexed Static Groups
    • MACE-DIR consideration (Todd Piket, MTU)
    • Index unique/member
    • The likely approach, IMHO, doesn’t inhibit dynamic stuff


Group Math
   (& (group=faculty)(!(group=adjunct)) (member=DN) )
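Group math run for real, as an added example that is not code from MACE-DIR or any directory product: a small evaluator for the RFC 4515 filter subset the slide uses (and, or, not, equality, presence, with \XX hex escapes decoded), applied to constructed person entries that record static group membership in a `group` attribute as the slide's notation implies. The directory contents, the cn values and the function names are assumptions; attribute names and values are matched case-insensitively, as caseIgnoreMatch would.

```python
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]
_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def _unescape(value: str) -> str:
    """Decode RFC 4515 \\XX hex escapes: \\2a is '*', \\28 and \\29 are the parens."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def _skip_ws(s: str, i: int) -> int:
    while i < len(s) and s[i] in " \t\r\n":
        i += 1
    return i


def _expect_close(s: str, i: int) -> int:
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1


def _parse(s: str, i: int) -> Tuple[Tuple, int]:
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, kids = s[i], _skip_ws(s, i + 1), []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
            i = _skip_ws(s, i)
        return (op, kids), _expect_close(s, i)
    if i < len(s) and s[i] == "!":
        kid, i = _parse(s, _skip_ws(s, i + 1))
        return ("!", [kid]), _expect_close(s, _skip_ws(s, i))
    close = s.find(")", i)  # a literal ')' in a value must be escaped, so this ends the item
    if close < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:close].partition("=")
    attr = attr.strip().lower()
    if not sep or not attr or "(" in value:
        raise ValueError("bad filter item %r" % s[i:close])
    if value == "*":
        return ("present", attr), close + 1
    if "*" in value:
        raise ValueError("substring filters are not supported here")
    return ("eq", attr, _unescape(value)), close + 1


def parse_filter(text: str) -> Tuple:
    """Parse (&...), (|...), (!...), (attr=value) and (attr=*) into a tuple tree."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def evaluate(node: Tuple, entry: Entry) -> bool:
    """LDAP semantics: (&) with no items is TRUE, (|) with no items is FALSE."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(k, entry) for k in node[1])
    if kind == "|":
        return any(evaluate(k, entry) for k in node[1])
    if kind == "!":
        return not evaluate(node[1][0], entry)
    values = [v.lower() for k, vs in entry.items() if k.lower() == node[1] for v in vs]
    if kind == "present":
        return bool(values)
    return node[2].lower() in values


def search(filter_text: str, directory: Dict[str, Entry]) -> List[str]:
    """Return the DNs of entries matching the filter, like a one-level search."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, entry in directory.items() if evaluate(tree, entry))


# Constructed sample entries; "group" lists the static groups the person is in.
BASE = "ou=People,dc=example,dc=edu"
DIRECTORY: Dict[str, Entry] = {
    "uid=alice," + BASE: {"cn": ["Alice Faculty"], "group": ["faculty"],
                          "eduPersonAffiliation": ["faculty", "member"]},
    "uid=bob," + BASE: {"cn": ["Bob (Adjunct)"], "group": ["faculty", "adjunct"],
                        "eduPersonAffiliation": ["faculty", "member"]},
    "uid=carol," + BASE: {"cn": ["Carol Staff"], "group": ["staff"],
                          "eduPersonAffiliation": ["staff", "member"]},
    "uid=dave," + BASE: {"cn": ["Dave Student"],
                         "eduPersonAffiliation": ["student", "member"]},
}
```

The same evaluator covers the dynamic case: a filter over eduPersonAffiliation is a dynamic group, a filter over `group` is the indexed static one, and `(!(group=*))` finds the people no static group claims.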



       Roles


Is this an LDAP issue?
    • MIT roles DB – a roles registry
Are groups good enough for now?
   • Probably not, see next
Are your apps prepared for this? Maybe they
  need some service to consult? Will
  Shibboleth help here?
Vendors have proprietary solutions.



          Stitching disparate directories


How to relate to distinct directories and their entries.
  Kjk@colorado & kjk@ViDe -- are they the same?


Locate someone in a large directory (DoDHE) and then
   switch to their video abilities


Suggestion: define new object of a “data source directory”.
  Associate it with a Cert. Send signature of all data
  elements for an object, store in same. This allows for
  digital trust/verification. Still working this out. Not much
  work in this space? (the affiliated dirs problem)
X.520 AttributeIntegrityInfo Attribute – will it suffice?


A Campus Directory Architecture

[diagram: source systems and registries feed a directory database; a metadirectory sits between it and the enterprise directory, the enterprise applications directory, departmental directories, OS directories (MS, Novell, etc.) and a border directory]

                      Middleware 201
                        Directories
                 Configuration & Operations


Michael R. Gettes
Principal Technologist
Georgetown University
Gettes@Georgetown.EDU
         How Deep?


Background
Site Profile - configuration
Applications
General Operational Controls
Schema
Access Lists
Replication
Related Directories


LDAP-Recipe – http://middleware.internet2.edu


                               Site Profile
                          dc=georgetown,dc=edu


Netscape/iPlanet DS version 4.16
   • 2 Sun E250 dual cpu, 512MB RAM
105,000 DNs (25K campus, others = alums + etc)
Directory + apps implemented in 7 months
Distinguished names: uid=x,ou=people
    • DC rap, “Boom shacka lacka”
    • Does UUID in DN really work?
NSDS pre-op plugin (by gettes@Princeton.EDU)
   • Authentication over SSL; Required
   • Can do Kerberos – perf problems to resolve
1 supplier, 4 consumers

                         Authentication:
                         Overall Plan @ Georgetown

Currently, Server-Side PKI self-signed
Best of all 3 worlds
    • LDAP + Kerberos + PKI
        – LDAP Authentication performs Kerberos Authentication out
           the backend. Jan. 2001 to finish iPlanet plug-in.
              • Credential Caching handled by Directory.
              • Cooperative effort – Georgetown, GATech, Michigan
        – All directory authentications SSL protected. Enforced with
           necessary exceptions
    • Use Kerberos for Win2K Services and to derive X.509 Client
      Certificates
    • One Userid/Password (single-signon vs. FSO)



       Applications


Mail routing with Sendmail 8.12 (lists also)
Netscape messaging server v 4.15 (IMAP)
   • WebMail profile stored in LDAP
Apache server for Netscape roaming (no SSL)
Apache & Netscape enterprise web servers
Blackboard CourseInfo Enterprise 5.5.1
Whitepages: Directory Server GateWay
DSGW for priv’d access and maintenance


      Applications (Continued)


Remote access with RADIUS (funk).
  • No SSL (3/2000); proper LDAP
    binds (fix 8/2000)
  • Authenticates and authorizes for
    dial-up, DSL and VPN services
    using RADIUS called-id.
  • We want to use this for other access
    control such as Oracle

RADIUS + LDAP

[diagram: a dialup user calls 202-555-1110; the NAS (terminal server) hands the request to the RADIUS server; the CalledId from the NAS is mapped to guRadProf; the LDAP filter is guRadProf = 2025551110 + NetID = gettes; the Directory Server entry holds Netid = gettes, guRadProf = 2025550001, guRadProf = 2025551110, guRadProf = OracleFin]

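Building that filter safely, as an added example that is not Georgetown's RADIUS or directory code: the User-Name and Called-Station-Id arrive from the NAS, so both are escaped per RFC 4515 before they are placed in the filter, and the dialed number is reduced to the ten digits stored in guRadProf. The accepted Called-Station-Id shapes, the `netid` attribute name and the function names are assumptions; the unsafe variant is included only to show what an unescaped User-Name of `*` turns the filter into.

```python
import re

# RFC 4515 section 3: characters with special meaning in an assertion value are
# replaced by a backslash and two hex digits.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before interpolating it into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_called_id(called_id: str) -> str:
    """Reduce a NAS Called-Station-Id to the ten digits stored in guRadProf.
    The accepted shapes are an assumption: NAS vendors send the number with or
    without separators and with or without a leading country code."""
    digits = re.sub(r"\D", "", called_id)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError("unrecognized Called-Station-Id: %r" % called_id)
    return digits


def radius_authz_filter(netid: str, called_id: str) -> str:
    """Filter for 'this NetID may use the service behind this dialed number'."""
    profile = normalize_called_id(called_id)
    return "(&(netid=%s)(guRadProf=%s))" % (escape_filter_value(netid),
                                            escape_filter_value(profile))


def unsafe_radius_authz_filter(netid: str, called_id: str) -> str:
    """The same filter built by plain interpolation; a User-Name of '*' becomes a
    presence test that any entry with a guRadProf for the line will satisfy."""
    return "(&(netid=%s)(guRadProf=%s))" % (netid, normalize_called_id(called_id))
```

Profiles such as OracleFin that are not phone numbers would be looked up by the application that owns them, not through the dialup path, which is why normalize_called_id refuses them.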
      Applications (Continued)


Alumni services (HoyasOnline).
   • External vendor in Dallas, TX (PCI).
   • They authenticate back to home
     directories. Apache used to
     authenticate and proxy to backend
     IIS server.
   • Email Forwarding for Life



HoyasOnline Architecture

[diagram, captioned “Gratuitous Architectural Graphic (GAG)”: OS/390 systems (TMS, HRIS, SIS, Alumni) feed the NET ID process and the LDAP Master, which replicates to an LDAP Replica; other local hosts run GU-provided self-service applications; PCI (Dallas, “Way Down In Texas”) runs the vendor-provided services and the www hoyasonline content; the Client Browser sits at the bottom]

        Applications (Continued)


Access+
   • Georgetown developed
   • Web interface to legacy systems using Unix front-
     end to custom made mainframe tasks. Many
     institutions have re-invented this wheel.
   • LDAP authentication, mainframe doesn’t yet do
     SSL. Always exceptions to rules.
   • Student, Faculty, Staff, Directory/Telephone
     Access+ Services. This technique keeps mainframe
     alive. (good or bad?)




       Applications (Continued)


Specialized support apps
   • Self service mail routing
   • Help Desk: mail routing, password resets,
     quota management via DSGW
   • Change password web page
Person registry populates LDAP people data,
  currently MVS (mainframe) based.
PerLDAP used quite a bit – very powerful!
  (make sure version >= 1.4)
  Now moving to Net::LDAP
       Applications (Continued)


Georgetown Netscape Communicator Client
  Customization Kit (CCK).
   • Configured for central IMAP/SSL and
      directory services.
   • Handles versions of profiles. Poor man’s
      MCD
Future: more apps! Host DB, Kerberos
  integration, win2k/ad integration?, Oracle
  RADIUS integration, Automatic lists,
  Dynamic/static Groups, Top-Secret, Bb –
  further integration.

        General Operational Controls


Size limit trolling (300 or 20 entries?)
Lookthru limit (set very low)
Limit 3 processors for now, MP issues still! (v4)
100MB footprint, about 8000 DNs in cache
   • Your mileage will vary – follow cache
     guidelines documented by iPlanet.
24x7 operations
What can users change?? (Very little)
No write intensive applications

    General Ops Controls (cont…)


Anonymous access allowed
 •Needed for email clients
 •Anonymous access is good if
  you resolve FERPA and other
  data access issues.




       Schema: Design & Maint


Unified namespace: there can be only one!
Schema design and maintenance
   • Space/time tradeoffs on indexing
   • eduPerson 1.0 vs. guPerson
   • guRestrict, guEmailBox, guAffil, guPrimAfil
   • guPWTimebomb, guRadProf, guType,
     guSSN
   • Relationships (guref)
Maintained by ldif file using ldapmodify

       Access Lists
       Design & Maintenance

Access lists: design & maintenance
  • Buckley (FERPA) protection & services
  • Privileged users and services
  • userPassword & SSN
Maintained by file using ldapmodify
Working on large group controls at GU
  • Groups vs. Roles
  • Likely easy to populate, hard to design &
    implement

                                                72
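The anonymous-access slide and the access-list slide describe one policy from two sides: anonymous binds must work for mail clients, yet FERPA-restricted entries, userPassword and the SSN attribute must stay out of reach. The following is an added example, not code from the talk and not iPlanet ACI syntax: a Python model of those rules with deny-wins semantics, run over two constructed entries. The public attribute set, the privileged service DN and the entry data are assumptions; guRestrict, guAffil and guSSN are the attribute names the talk itself uses.

```python
"""Anonymous reads with FERPA and secret attributes kept out of reach.

Added example; not the talk's code and not real iPlanet ACI syntax.
Rules: public attributes readable by anyone unless the entry carries
guRestrict=TRUE (Buckley/FERPA); a user reads their own entry; a privileged
service reads everything; userPassword is never readable. Deny beats allow.
"""
from dataclasses import dataclass
from typing import Callable, Optional

PUBLIC_ATTRS = {"cn", "mail", "telephoneNumber", "guAffil"}              # assumption
PRIVILEGED = {"cn=registrar-svc,ou=services,dc=example,dc=edu"}         # constructed DN


@dataclass
class Rule:
    name: str
    effect: str                 # "allow" or "deny"
    attrs: Optional[set]        # None means any attribute
    subjects: set               # any of "anyone", "anonymous", "self", "privileged"
    targetfilter: Optional[Callable[[dict], bool]] = None   # entry-level condition


def not_restricted(entry):
    """FERPA: an entry flagged guRestrict=TRUE is not public."""
    return entry.get("guRestrict") != "TRUE"


RULES = [
    Rule("public-to-anyone", "allow", PUBLIC_ATTRS, {"anyone"}, not_restricted),
    Rule("self-reads-own-entry", "allow", None, {"self"}),
    Rule("privileged-reads-all", "allow", None, {"privileged"}),
    Rule("no-password-reads", "deny", {"userPassword"}, {"anyone"}),
]


def subject_classes(binder_dn, entry_dn):
    """Which rule subjects apply to this bind DN for this entry."""
    classes = {"anyone"}
    if binder_dn is None:
        classes.add("anonymous")
    if binder_dn == entry_dn:
        classes.add("self")
    if binder_dn in PRIVILEGED:
        classes.add("privileged")
    return classes


def readable_attrs(entry_dn, entry, binder_dn):
    """Attributes of one entry the binder may read; a matching deny ends evaluation."""
    classes = subject_classes(binder_dn, entry_dn)
    visible = {}
    for attr, value in entry.items():
        allowed = False
        for rule in RULES:
            if rule.attrs is not None and attr not in rule.attrs:
                continue
            if not (rule.subjects & classes):
                continue
            if rule.targetfilter and not rule.targetfilter(entry):
                continue
            if rule.effect == "deny":
                allowed = False
                break
            allowed = True
        if allowed:
            visible[attr] = value
    return visible


def search_as(directory, binder_dn):
    """Directory as the binder sees it; an entry with nothing readable is withheld."""
    result = {}
    for dn, entry in directory.items():
        attrs = readable_attrs(dn, entry, binder_dn)
        if attrs:
            result[dn] = attrs
    return result


DIRECTORY = {   # constructed sample data
    "uid=alice,ou=people,dc=example,dc=edu": {
        "cn": "Alice Example", "mail": "alice@example.edu",
        "telephoneNumber": "+1 202 555 0100", "guAffil": "faculty",
        "guRestrict": "FALSE", "guSSN": "000-00-0001", "userPassword": "{SSHA}redacted",
    },
    "uid=bob,ou=people,dc=example,dc=edu": {
        "cn": "Bob Example", "mail": "bob@example.edu",
        "telephoneNumber": "+1 202 555 0101", "guAffil": "student",
        "guRestrict": "TRUE", "guSSN": "000-00-0002", "userPassword": "{SSHA}redacted",
    },
}

if __name__ == "__main__":
    for who in (None, "uid=bob,ou=people,dc=example,dc=edu", next(iter(PRIVILEGED))):
        print(who or "anonymous", "->", search_as(DIRECTORY, who))
```

An anonymous mail client still gets Alice's address book entry, Bob's restricted entry is absent rather than partially shown, and even the privileged service cannot read userPassword, which matches the slide's point that anonymous access is fine once the FERPA and attribute-level questions are settled in the ACLs rather than by closing the directory.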
         Replication


Application/user performance
Failover, user and app service
Impact of DC= naming (replica init)
   • Fixed in 4.13 and iDS 5.0
Monitoring: web page and notification
Dumper replica – periodic LDIF dumps
Backups? We don’t need no stinkin’ backups!
   • Vendor Specific
   • No good solution for backups (iPlanet)
   • IBM uses DB2 under the covers
   • Novell?

                                              73
       Replication (Continued)


Application/user config for multiple servers
Deterministic operations vs. random
Failover works for online repairs
Config servers are replicated also
10 to 1 SRA/CRA ratio recommended
Cannot cascade with DC= (iPlanet)
  • Cascading is scary to me



                                            74
              Replica Structure

[Diagram: replica structure. Server boxes: MASTER, WHITEPAGES, MAILHOST,
 POSTOFFICE, DUMPER and NetID Registry; clients shown: Users (two groups)
 and Web Servers; the legend distinguishes Normal Ops from Failure Ops paths.]

                                                     75
           Netscape Console


• Java program (FAT client).
• Used to create, configure and monitor Netscape
  servers.
• Preferred the web page paradigm of the version
  3 products.
• Has enough bugs that it is only used by server
  admins, not for mere mortals.
• Demo??? (nope)



                                                   76
      Other Directories


Novell – GU abandoning GroupWise.
Active directory??? Ugh!!!
  • Static Groups Only
  • Strict Tree Structure for Group Policy
  • No plans for MS to change this…




                                             77
          Buyer Beware


• LDAP is LDAP is LDAP – yeah, right!
• “Sure! We support LDAP!” What does that
  mean?
• Contract for functionality and performance
• Include your Directory/Security Champion!!!
• Verify with other schools – so easy, rarely done.
• Beware of products that specify Dir Servers
• Get vendor to document product requirements
  and behavior. You paid for it!

                                                      78
         Microsoft Win2K Integration


Project Pismere
        http://web.mit.edu/pismere
        MIT, CMU, Michigan, Stanford, Colorado, etc…


One way trust from MIT KDC to Win2K KDC
        The devil we know


Metamerge can play an important role


Handle DHCP/DNS as your site wishes



                                                       79
           Win2K & Enterprise Integration



[Diagram: W2K Kerb AuthN and Ent Kerb AuthN are linked by a One-way X-realm
 Trust and Identity mgmt, with steps numbered 1, 2 and 3; W2K Active Directory
 and Enterprise Directory are linked by a Meta-Dir Function (MetaMerge?).]
                                                        80
Other examples of research…
        Current Research (examples)


GROUPER
   A special LDAP server (OpenLDAP) engineered to handle group math
   operations against the enterprise directory for applications that
   are not group savvy.


Application -> get group BLAH -> GROUPER -> combine 15 groups and
remove those in the exclusion group -> give back the combined static
object as group BLAH




                                                          82
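The GROUPER flow above (combine a set of groups, subtract an exclusion group, hand back one static object) is simple to state but worth seeing end to end. The following is an added example, not GROUPER's own code: group definitions are either static member lists or composites (include some groups, exclude others, nesting allowed), and a composite is flattened into a single groupOfUniqueNames LDIF entry that a group-unaware application can read. Group names, DNs and members are constructed; the cycle check is an addition the slide does not mention.

```python
"""Group math: flatten composite groups into one static group entry.

Added example; not GROUPER's implementation. All names and DNs constructed.
"""


def resolve_members(groups, name, _stack=()):
    """Flatten group `name` to a set of member DNs, recursively, with cycle detection."""
    if name in _stack:
        raise ValueError("group cycle: " + " -> ".join(_stack + (name,)))
    spec = groups[name]
    if "members" in spec:                       # static group: members listed directly
        return set(spec["members"])
    stack = _stack + (name,)
    included = set()
    for sub in spec.get("include", []):         # union of the included groups
        included |= resolve_members(groups, sub, stack)
    excluded = set()
    for sub in spec.get("exclude", []):         # minus everyone in an exclusion group
        excluded |= resolve_members(groups, sub, stack)
    return included - excluded


def static_group_ldif(groups, name, base="ou=groups,dc=example,dc=edu"):
    """Render the flattened group as an LDIF entry; members sorted for stable output."""
    lines = [
        f"dn: cn={name},{base}",
        "objectClass: top",
        "objectClass: groupOfUniqueNames",
        f"cn: {name}",
    ]
    lines += [f"uniqueMember: {dn}" for dn in sorted(resolve_members(groups, name))]
    return "\n".join(lines) + "\n"


PEOPLE = "ou=people,dc=example,dc=edu"
GROUPS = {   # constructed sample definitions
    "cs-faculty":   {"members": [f"uid=prof1,{PEOPLE}", f"uid=prof2,{PEOPLE}"]},
    "cs-students":  {"members": [f"uid=stu1,{PEOPLE}", f"uid=stu2,{PEOPLE}", f"uid=stu3,{PEOPLE}"]},
    "cs-staff":     {"members": [f"uid=staff1,{PEOPLE}"]},
    "math-faculty": {"members": [f"uid=prof9,{PEOPLE}"]},
    "on-leave":     {"members": [f"uid=prof2,{PEOPLE}", f"uid=stu2,{PEOPLE}"]},
    # composite: everyone in the department except those on leave
    "cs-dept":      {"include": ["cs-faculty", "cs-students", "cs-staff"], "exclude": ["on-leave"]},
    # composite that nests another composite
    "cs-and-math":  {"include": ["cs-dept", "math-faculty"]},
}

if __name__ == "__main__":
    print(static_group_ldif(GROUPS, "cs-dept"))
```

The application asks for `cs-dept` and receives a plain static group; it never learns that the answer was assembled from three source groups minus an exclusion list, which is exactly the group-unaware client the slide has in mind. Because exclusions are resolved the same way as inclusions, an exclusion group can itself be a composite.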
         Certificate Parsing Server


Peter Gietz - a draft to describe X.509 certificates as plain
old directory objects. Finding certificates becomes easy for
directory aware applications. Use PKI operations on the cert
you select to verify it.


David Chadwick - a Certificate Parsing Server (CPS). Like
GROUPER but only works on add/delete/modify operations
and stores cert objects as child objects as well as
userCertificate attributes where they are now.


This should have a dramatic impact on Bridge CA model
operations.


                                                                83
                What to do next?

8    • eduOrg, eduPerson, edu(other …)       1    • Directory Policy
11   • Shibboleth                            1    • PKI Policy
2    • Roles (RBAC)                          5    • Identity Mgmt Practices
4    • GIG (Group Implementer’s Guide)       11   • Metadirectories
3    • GROUPER, RI-Bot, GASP                 4    • Dir of Dirs Higher Ed (DoDHE)
0    • Blue Pages                            1    • LDAP Analyzer
7    • LDAP-Recipe (next?)                   4    • The Art of Directories/Databases
4    • Affiliated Directories                4    • PKI-Lite and S/MIME
1    • HEBCA, Bridge PKI, etc…               5    • Early Harvest for App Developers
3    • Video Middleware (commObject)         0    • Digital Rights Management (DRM)
0    • GRID AuthN campus integration         2    • Outreach and Dissemination
0    • GRID AuthZ campus integration         5    • N-Tier Systems (portals)
1    • Medical Middleware (MedMid)           1    • Filesystems
6    • Operational Issues (perf/mon)         2    • Selling it
                                             1    • Project Mgmt
                                                                              84

								
To top