Presented by: Mark Hendricks ([email protected])
Humboldt State University
Background
• Mix of centralized and decentralized IT support
• 10,000 active students/staff/faculty
• 25,000 user entries in LDAP
• Small technical implementation team
• Committed to open source solutions when available
IMI Authentication Technical Team
• Bill Cannon – Director: Information Technology/ISO
• Nick DeRuyter – Manager: University Computing Services
• System Administrators: Mark Hendricks, Josh Callahan
• DBA: Peter Johnson
• Analyst Programmers: Michael Bradley, Jason Hardin
• Help Desk: Melinda Christensen
Contact: Mark Hendricks – [email protected]
IMI Authentication Priorities
Security!!
• Uniform password strength and policy enforcement
• Reduce password/secret exposure and vulnerability
• Improve logging
User Experience
• Reduce logins / single sign-on
• Unify account information (NetID/password)
• Single location for password management
Administration
• Enforcement of policies for access to campus resources & confidential data
• Audit compliance
• Improve user administration efficiency (IT Systems & Services)
Design Goals
• Open source
• Create authN/authZ capable of supporting all applications
• Minimize complexity
• Minimize auth sources
• Want IMI infrastructure that will support centralized and decentralized management
Initial IMI Auth Infrastructure (architecture diagram)
Systems of record and the authorization authority attached to each:
• Banner (Oracle) – OEM auth authority for student account creation; OEM auth authority for student access to Banner; OEM auth authority for faculty access to Banner
• Peoplesoft HR – HSU HR Department: authorization authority for faculty, staff, and student employee account creation
• Peoplesoft Finance – Fiscal Affairs: auth authority for access to Peoplesoft Finance
Person and policy records flow from these sources into Kerberos, LDAP (authN/authZ) and AD.
Populations: students; faculty/staff/student employees; auxiliary, alumni and community users.
Campus services consuming LDAP/AD authN/authZ: computer labs, wireless network, web servers, e-mail server, faculty/staff workstations, library services, LMS systems, Peoplesoft.

Password Management/Synchronization (diagram)
Students and faculty/staff change passwords through Banner Web (Oracle); Oracle then pushes the credential out to each target store. Target hosts shown: Axe (email), Sorrel (www), Redwod (Student).
• Alpha (Tru64 Unix) C2 security: 1. hash created/changed in Oracle; 2. transmission via PL/SQL – socket – Perl
• LDAP userPassword attribute: 1. hash created/changed in Oracle; 2. transmission via Oracle PL/SQL – LDAP
• Kerberos principal secret: 1. clear-text password created/changed in Oracle; 2. transmission via PL/SQL – Java – Perl
• AD UnicodePassword (unicodePwd) attribute: 1. Unicode password created/changed in Oracle; 2. transmission via PL/SQL – Java – LDAP
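Added example, not HSU's PL/SQL or Java code: what the Oracle side hands to each store in the synchronization diagram for one new password, using the common {SSHA} form for the LDAP userPassword attribute and the quoted UTF-16-LE encoding AD requires for unicodePwd, with the Kerberos entry being the clear text itself. The function names, the {SSHA} choice and the sample salt are assumptions; the point it makes concrete is which hops carry the secret in the clear and therefore need a protected channel.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # bytes in a SHA-1 digest


def ldap_userpassword_ssha(password: str, salt: bytes) -> str:
    """LDAP userPassword value in the common {SSHA} form:
    "{SSHA}" + base64(SHA1(password || salt) || salt).
    Only this salted hash leaves Oracle on the LDAP path in the diagram."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value, as the LDAP
    server does on a simple bind; constant-time compare on the digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} userPassword value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ad_unicodepwd(password: str) -> bytes:
    """Wire value for Active Directory's unicodePwd attribute: the clear-text
    password wrapped in double quotes, encoded as UTF-16-LE. AD accepts it only
    over an encrypted (LDAPS/TLS) connection because it is the secret itself."""
    return ('"' + password + '"').encode("utf-16-le")


def sync_payloads(password: str, salt: bytes) -> dict:
    """What each target store in the diagram receives for one new password.
    Kerberos and AD derive their own keys, so they must see the clear text in
    transit; LDAP needs only the hash. (Assumed shape, not HSU's own code.)"""
    return {
        "ldap_userPassword": ldap_userpassword_ssha(password, salt),
        "ad_unicodePwd": ad_unicodepwd(password),
        "kerberos_principal": password,  # clear text, as the slide notes
    }


def cleartext_targets(payloads: dict, password: str) -> list:
    """Stores that received the clear-text password (or an encoding of it):
    the hops that must run over TLS or a host-local channel, and the places
    where 'reduce password/secret exposure' has to be enforced."""
    encoded = ad_unicodepwd(password)
    return sorted(k for k, v in payloads.items() if v in (password, encoded))
```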
Active Directory – Why AD?
• Windows desktop majority
• Distributed Windows desktop management using centralized authentication and dynamic groups
• Supports authN/authZ for most major operating systems “out of the box”
Desktop AuthN/AuthZ Support
Desktop     Integration          Auth source
Win XP      Win 2K/2k3 CIFS      AD
Linux       Linux/Samba (3.02)   AD/KRB5
OS X        OS X/Samba           KRB5
Solaris     Tru64                LDAP
Active Directory (continued)
• Operating systems supported “out of the box”
  – Windows XP/2000
  – Mac OS X
  – Unix (Tru64)
  – Linux
  – Samba
• Minimal schema extensions required
• Based on LDAP and Kerberos
• Kerberos prepares for single sign-on
Kerberos
• MIT vs. Microsoft
• Benefits
  – Single sign-on – ticket passing
  – Non-proprietary
  – Unified and secure password repository
  – Passwords outside Windows AD
  – Reduces password/secret exposure
  – Unified logging
  – Easy set up / robust
• Problems
  – Difficult to obtain functional documentation/support
  – Learning curve for users & technical team
  – Not supported by all applications
  – Problems with OS integration
Where Are We Now?
Progress
• Password interface
• Password synchronization
• Group interface
• LDAP/AD/Kerberos desktop auth
• Email route/alias
• Library authN, authZ
• Wireless auth
• Misc. Apache auth
Future
• Portal
• Guest accounts
• Meta-directory
• LDAP standard library
• Student (central) shares
• Kiosk
• Open Directory (Apple)
• Email