Embed Size (px)
Citation preview
UAB NMI Testbed Program: Integrated Directory Services
Grid Computing
UAB Middleware Team
2Internet2 Member Meeting28 Sept – Oct 1, 2004
UAB Middleware Team & SupportOther IT Divisions
Sheila SandersLandy MandersonDavid Green
IT Academic ComputingDavid L. ShealyJill GemmillJohn-Paul RobinsonJason LynnZach GarnerRamesh PuljalaRajani SadasivamAditya SrinivasanPravin JoshiSilbia PeechakaraYiyi Chen
Acknowledgement of SupportUAB Office VPITNSF ANI-0123937 via SURA-2002-103 NMI Testbed Participant Shealy, Gemmill NSF EPS-0096193 Alabama EPSCoR Cooperative Agreement : Internet2 InitiativeGriffin (PI), Cordes, Gemmill, Graves, Hancock, ShealyNSF ANI-022710 ViDe.Net: Middleware for Scalable Video Services for Research and Higher Education. Gemmill (PI), Chatterjee, Johnson, Verharen
3Internet2 Member Meeting28 Sept – Oct 1, 2004
UAB Benefits from NMIEnhanced Integrated Directory Services, based on eduPerson, eduOrg, LDAP RecipeWebLogin service is rolling out, based on PubcookieGrid Computing service is rolling out, based on Globus
4Internet2 Member Meeting28 Sept – Oct 1, 2004
OUTLINE
Integrated Directory Services
WebLogin using Pubcookie
Grid Computing using Globus
5Internet2 Member Meeting28 Sept – Oct 1, 2004
Historical Background1983-90:
Implemented Access Control Facility (ACF2) security software on mainframe & database of eligible usersCampus DirectoryBITNET; SURAnet; Internet mailhost
1991-99:UIUC/CCSO qi directory online for “[email protected]” e-mail forwarding with web page registration where information provided from merge of employee and student databasesSetup LDAP directory to mirror qi directory Phonebook alias used for web sign-in to authenticate SMTP relay
6Internet2 Member Meeting28 Sept – Oct 1, 2004
Historical Background2000-02:
Dr. Clair Goldsmith hired as CIO / VPITLDAP committees formed; and then , recommendations from LDAP and Win2K Task Force were implementedUAB Alias => BlazerIDVPN implemented with qi authenticationLibrary’s Virtual Desktop interfaced to qiResNet online using qi authentication
7Internet2 Member Meeting28 Sept – Oct 1, 2004
UAB LDAP CommitteesPropose useful attributesDefine “continuums of association” and when to add, remove, or inactivate people in LDAP directory
Employees StudentsJob applicant Admissions applicant
Job offer extended Accepted for enrollmentHired Enrolled
On leave Not taking classesTerminated Dropped out
Retired Graduated
8Internet2 Member Meeting28 Sept – Oct 1, 2004
How NMI HelpedExisting UAB LDAP schema was arbitrary, out-of-date, and did not have important attributes useful to educational institutions, such as, courses taught or enrolled in
NMI eduPerson gave opportunity to add additional data to campus LDPA for support of new applications
9Internet2 Member Meeting28 Sept – Oct 1, 2004
LDAP Milestones – Aug 2002New schema put into productionPasswords sync in real-time between qi and LDAPFollow eduPerson and Recipe 1.0, which were LDAP Committee recommendationsGroup local attributes under uabPerson based on eduPerson, such as, courses taken or taughtProvide for non-person (entity) look-upImplement new base root per Recipe, but old still worksInclude passwords & “unlisted” users so that WebCTand other applications can use LDAP directory
10Internet2 Member Meeting28 Sept – Oct 1, 2004
LDAP 2002 - 03Created BlazerID CentralNew web screens sync BlazerID and password between qi, LDAP, AD, Novell.All authentication done through secure servicesStrong passwords enforced Microsoft Active Directory synchronization Central Exchange 2000 mail serviceOracle HR/Finance sign-onUnix authentication (PAM)Wireless sign-onClass e-mail distribution & bulk/broadcast e-mail
11Internet2 Member Meeting28 Sept – Oct 1, 2004
Where UAB is Today
Single authoritative directorySingle management point for
Creating BlazerIDpassword resets user account creation/deactivation
Implemented Groups, commObject, latest NMI schema recommendations(eduPerson, eduOrg, LDAP Recipe)Even more applications use LDAP
12Internet2 Member Meeting28 Sept – Oct 1, 2004
UAB Authoritative Directory
13Internet2 Member Meeting28 Sept – Oct 1, 2004
More on LDAP-enabled Apps…
Authentication & Authorization ServicesAuthentication – Identifying people Authorization – Allow proper access
Download Software Licensed to UAB Community Unix Account Management
14Internet2 Member Meeting28 Sept – Oct 1, 2004
Application: Download Software Licensed to UAB Community
Client - Browser JSP with embedded HTML
HTTP server ApacheApplication container
Tomcat version 4.0.3 – JSP, Servlets
Backend connectivity
JNDI
Backend LDAP
Implementation DetailsSession Management Session Management Secure Socket layer Secure Socket layer (SSL) for Authentication (SSL) for Authentication but not for downloadbut not for downloadCollecting the Collecting the authenticated user’s authenticated user’s group information for group information for making a policy decisionmaking a policy decisionCustomizable timeout Customizable timeout mechanism during loginmechanism during login
Problems Solved
http://www.uab.edu/it/software/index.html
15Internet2 Member Meeting28 Sept – Oct 1, 2004
Application: Unix Account Management
ToolsEnterprise LDAP InfrastructureOSF Pluggable Authentication Module (PAM) ArchitecturePADL Software’s LDAP module for PAM on Unix Systems (pam_ldap)
http://www.uab.edu/it/academic/Presentations/presentations/authentication-timgroup.ppt
16Internet2 Member Meeting28 Sept – Oct 1, 2004
OUTLINE
Integrated Directory Services
WebLogin using Pubcookie
Grid Computing using Globus
17Internet2 Member Meeting28 Sept – Oct 1, 2004
What is WebLogin?
WebLogin allows users with standard web browsers to authenticate to web-based resources across many web servers using a central authentication service with username & password. WebLogin is moving towards a production service at UAB
18Internet2 Member Meeting28 Sept – Oct 1, 2004
Overview of WebLoginFeatures
Single Sign-OnConsistent Login Interface and ExperienceUser SecurityIndependence for Web Server Administrators
ComponentsUser-Agent (Web Browser)Authentication Service (e.g. Campus LDAP Server)Uses Pubcookie
Application Server (Web Server Plug-in to protect resource)Login Server
19Internet2 Member Meeting28 Sept – Oct 1, 2004
… What is it?Open-source software for intra-institutional web authentication - http://www.pubcookie.org/Uses a standalone login server and modules for common web server platforms like Apache and Microsoft IIS. Uses these components with existing authentication services (like Kerberos, LDAP, or NIS) into a solution for single sign-on authentication to websites throughout an institution. At UAB, pubcookie authenticates username & password (“BlazerID”) with LDAP directory.
20Internet2 Member Meeting28 Sept – Oct 1, 2004
Using PubcookieInstall a pubcookie Apache or IIS module on each web server to be protectedPut protected information in a directory protected by this moduleUser’s attempts to access the URLPubcookie redirects them to login if they have not today; otherwise cookie credential is checked
21Internet2 Member Meeting28 Sept – Oct 1, 2004
Pubcookie LimitationsAll authenticated users are equal; useful for resources available to entire campus only
Library materialsLicensed software
Usually, the target population is smallerStudents in a particular school or classFaculty, staff, students in School of Engineering
22Internet2 Member Meeting28 Sept – Oct 1, 2004
User’s First Login Perspective1. User tries to access secure
webpage/application/document.2. User is presented with UAB login screen.3. User supplies BlazerID and Password
(over a secure connection).4. Upon successful credentials, user sees
the secured webpage & application doc.
23Internet2 Member Meeting28 Sept – Oct 1, 2004
User’s Perspective After Initial Login1. User tries to access secure
webpage/application/document.2. User sees the secured
webpage/application/document.
24Internet2 Member Meeting28 Sept – Oct 1, 2004
WebLogin DemonstrationServers
metric.it.uab.edu (Apache Webserver 1.3.27)Sample 01Sample 02Sample 03Sample 05
polka.it.uab.edu (IIS Webserver 5.0)Sample 04
Demonstration Webpagehttp://lab.ac.uab.edu/node/view/145
Serversmetric.it.uab.edu (Apache Webserver 1.3.27)
Sample 01Sample 02Sample 03Sample 05
polka.it.uab.edu (IIS Webserver 5.0)Sample 04
Demonstration Webpagehttp://lab.ac.uab.edu/node/view/145
25Internet2 Member Meeting28 Sept – Oct 1, 2004
Modifying Existing Applications
The ProblemMany Web Applications create their own authentication systemSo, the user needs a username/password for each application
The SolutionPubcookie-enable those applications to use centralized username/password
26Internet2 Member Meeting28 Sept – Oct 1, 2004
Modifying Existing Applications
Two Pubcookie-enabled two open source applications
Bugzilla (Written in Perl)PHPWebsite (Written in PHP)
Similar changes were required for both applications
27Internet2 Member Meeting28 Sept – Oct 1, 2004
Modifications
Remove old user login/password web formInstead, Pubcookie authenticates the user Authenticated users can proceed if they also have a Bugzilla or PHPwebsite account
Change behavior of “Log Out” and “Change Password” pages
28Internet2 Member Meeting28 Sept – Oct 1, 2004
Future Directions
Modifying Pubcookie to support Client-Side SSL Certificates
Enables authentication of users without a user remembering username/password
Modifying Pubcookie to support PAM for the authentication mechanism
PAM is a standard system for flexibly using a large number of authentication systems.
29Internet2 Member Meeting28 Sept – Oct 1, 2004
OUTLINE
Integrated Directory Services
WebLogin using Pubcookie
Grid Computing using Globus
UABGrid Resource Infrastructure
UABGrid Software Infrastructure
UABGrid Architecture
One Time Registration
Login for Registered Users
User Environment
Usage Management -Details(One Time Registration)
UABGrid Summary
38Internet2 Member Meeting28 Sept – Oct 1, 2004
Summary of Benefits from NMI
Enhanced Integrated Directory Services, based on eduPerson and LDAP RecipeCampus WebLogin service is rolling out, based on PubcookieGrid Computing service is rolling out, based on Globus
