Trying to implement IDM at MMU
The pitfalls and minefields of an Identity Management project at Manchester Metropolitan University
Mike Preece, Manchester Metropolitan University, [email protected]

Page 1: Trying to implement IDM at MMU The pitfalls and minefields of an Identity Management project at Manchester Metropolitan University Mike Preece Manchester

Trying to implement IDM at MMU

The pitfalls and minefields of an Identity Management project at Manchester Metropolitan University

• Mike Preece, Manchester Metropolitan University, [email protected]

Page 2:

Trying to implement IDM at MMU

Currently trying to implement Identity Management at MMU using Novell's IDM3.

Tell you about the project and problems faced so far.

Solutions to problems faced.

Page 3:

Agenda

Background and situation at MMU
My background
Project initiation
Meta-Directory
Project scope creep
Current Plan
Problems faced
Conclusion

Page 4:

Background and Situation at MMU

MMU is in the top 10 of British Universities by number of students.

35 000 students, 5 000 staff, spread across many sites in and around Manchester.

Became a University in 1992. Still seems to have the culture of a public sector institution.

Page 5:

Background and Situation at MMU

One main eDirectory that all staff and students have an account in.

A few departments run smaller directories such as A.D. and eDirectory.

LDAP provision based on the main eDirectory.

Single 8 digit institution ID.

Page 6:

My Background

Started at MMU 18 months ago, from the private sector.

Started with a strong background in A.D. but less knowledge of Novell products.

Main task to implement a new student network account creation system.

Main person working on this project.

Page 7:

Project Initiation

New Student Record System is QLS using an Oracle DB, based on Active Directory.

We currently maintain a SQL Server database that stores details of all live students.

Set of batch file scripts using JRB Utils run daily to create or update students' network accounts.

Currently if a student changes course a duplicate account is often created.

Need to replace the current system and synchronise the AD and eDirectory passwords.

Page 8:

Project Initiation

Required pulling data from the Oracle DB tables.

Synchronising AD and eDirectory for staff accounts.

Few different Identity Management products available.

We are primarily a Novell shop and IDM has a good reputation in the market place.

Soon discovered the concept of an ID Vault and Meta-Directory – the way forward for us.

Page 9:

A Meta-Directory

A system of integrated directories.
1 username, 1 password for all systems.
All different systems using up-to-date and consistent data from the authoritative systems.
Less labour intensive account maintenance.

Page 10:

A Meta-Directory

Page 11:

A Meta-Directory

Concept well received.
Concerns raised because helpdesk staff that have the ability to reset eDirectory passwords can gain access to other systems.
Can we add study unit enrolment data?

Page 12:

Project Scope Creep

WebCT requires enrolment data.
Many enrolment types such as:
• Provisionally enrolled
• Fully enrolled
• Fees not paid
Can we also have staff data ASAP?
Timescales become unmanageable.
Arghh – project gets out of control!

Page 13:

Current Project Plan

Only synchronise basic student data through the ID Vault and into eDirectory.

Directly synchronise eDir and AD accounts for some staff as required.

Build the system so it is scalable and include the rest at a later date.

Page 14:

Current Project Plan – From this:

Page 15:

Current Project Plan – to this:

Page 16:

Current Project Plan

A driver in the live tree to send data to Active Directory
• This was the easiest way to implement this quickly; works really well.
• Only existing accounts synchronised, no need to define policies.
• Password synchronisation requires Universal Password.

Can now focus on the student account side.

Page 17:

Current Project Plan – Student Accounts

Two parts:
• Synchronise Oracle database with ID Vault
• Synchronise ID Vault with eDirectory

Oracle to ID Vault
• IDM is an event triggered system
• Don't put triggers on the live DB; we used a reporting instance instead

Page 18:

Synchronise Oracle database with ID Vault

Page 19:

Synchronise ID Vault with eDirectory

Much easier once the correct data is in the ID Vault and is in the correct format.

Complex container placement rules based on the student's faculty, home department, primary course code and study level (PG/UG/Foundation yr etc).

If an account is matched then it is updated; if not found then it is created with a default password based on the student's personal data.
• Need to eliminate duplicate accounts
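The placement and matching rules on this page, written out as an added example (this is the editor's Python model of the rules, not IDM driver policy or code from the original slides). The faculty codes, container names and record layout are assumptions; the one rule taken from the slides is that the match key is the single 8-digit institution ID, which is what stops a course change from producing the duplicate accounts described on page 7.

```python
# Added example, not from the original slides: placement and matching for
# student provisioning.  Container names, faculty codes and the record
# layout are assumptions for illustration.
from dataclasses import dataclass

# Assumed mapping of faculty code -> eDirectory container (constructed).
FACULTY_CONTAINERS = {
    "HLSS": "ou=HLSS,ou=Students,o=MMU",
    "SCIENG": "ou=SciEng,ou=Students,o=MMU",
}
# Assumed mapping of study level -> sub-container (constructed).
LEVEL_CONTAINERS = {"UG": "ou=UG", "PG": "ou=PG", "FY": "ou=Foundation"}
HOLDING_CONTAINER = "ou=Unplaced,ou=Students,o=MMU"


@dataclass(frozen=True)
class StudentRecord:
    institution_id: str   # the single 8-digit institution ID (page 5)
    given_name: str
    surname: str
    faculty: str
    department: str
    course_code: str
    study_level: str      # "UG", "PG" or "FY"


def validate_id(institution_id: str) -> str:
    """Reject anything that is not the 8-digit key; matching on a malformed
    key is how stray duplicates get created."""
    if len(institution_id) != 8 or not institution_id.isdigit():
        raise ValueError(f"institution ID must be 8 digits: {institution_id!r}")
    return institution_id


def placement_dn(rec: StudentRecord) -> str:
    """Container chosen from faculty, home department, course and level.
    Unknown faculties go to a holding container so provisioning never stalls."""
    base = FACULTY_CONTAINERS.get(rec.faculty, HOLDING_CONTAINER)
    level = LEVEL_CONTAINERS.get(rec.study_level, "ou=Other")
    return f"ou={rec.course_code},ou={rec.department},{level},{base}"


def provision(rec: StudentRecord, directory: dict) -> tuple[str, str]:
    """Apply one record to an in-memory model of eDirectory.

    `directory` maps institution ID -> {"dn": ..., "sn": ..., "givenName": ...}.
    Matching is on the institution ID only, never on name or container, so a
    student who changes course is moved rather than re-created.
    Returns the operation the driver would issue: add, modify or move.
    """
    key = validate_id(rec.institution_id)
    target = f"cn={key},{placement_dn(rec)}"
    existing = directory.get(key)
    if existing is None:
        directory[key] = {"dn": target, "sn": rec.surname, "givenName": rec.given_name}
        return ("add", target)
    existing["sn"] = rec.surname
    existing["givenName"] = rec.given_name
    if existing["dn"] != target:
        old = existing["dn"]
        existing["dn"] = target
        return ("move", f"{old} -> {target}")
    return ("modify", target)


def find_duplicates(directory_entries: list[dict]) -> dict[str, list[str]]:
    """Group existing eDirectory entries by institution ID and report IDs
    with more than one DN: the clean-up list before the driver goes live."""
    by_id: dict[str, list[str]] = {}
    for entry in directory_entries:
        by_id.setdefault(entry["institutionId"], []).append(entry["dn"])
    return {k: v for k, v in by_id.items() if len(v) > 1}
```

Run `find_duplicates` over an export of the existing tree before enabling the driver: a matching rule that finds two objects for one ID cannot choose safely, and the slide's "need to eliminate duplicate accounts" is easier before the first sync than after. One caveat on the default password: a value derived from the student's personal data is guessable by anyone who can see the record, so it should be treated as a one-time value that must be changed at first login.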

Page 20:

Problems we faced

Procedures and policies for create/update/delete
• These need to be well defined; we could not use the existing rules as they were not correct in the first place, for reasons such as licensing rules.
• Requires higher level management to get involved

What systems will connect?
• Decide what data is required in the ID Vault
• Important for Shibboleth
• Needs to be clearly defined
• Other system managers need to get involved

LDAP tree – sync from eDir or source systems?

Page 21:

Problems we faced – LDAP Tree

Do all eDirectory accounts need to be in the LDAP tree?

Is it permissible that only valid student and staff accounts from the source systems are in the LDAP tree?

Page 22:

Problems we faced

How to process deletes?
• Students are never deleted from the source systems but just un-enrolled, and so disappear from a view.
• A daily procedure that checks the view against last night's view and performs a compare?
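The "daily compare" just suggested, as an added example (the editor's Python, not code from the original slides or from Novell IDM): two exports of the enrolment view, last night's and tonight's, are diffed by institution ID to synthesise the add, modify and delete events the source system never emits. Because it reads a snapshot rather than firing on row changes, the same approach also covers the point on page 17 of taking events from a reporting instance instead of putting triggers on the live Oracle DB. The column names and the rows are constructed.

```python
# Added example, not from the original slides: synthesise add / modify /
# disable events by comparing today's enrolment view with last night's.
# Column names and sample rows are constructed for illustration.
import csv
import io

KEY = "INSTITUTION_ID"


def load_view(text: str) -> dict[str, dict[str, str]]:
    """Parse a CSV export of the enrolment view into {institution_id: row}.
    A duplicate key in the view is an upstream data fault, so refuse it
    rather than silently letting the last row win."""
    rows: dict[str, dict[str, str]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = row[KEY].strip()
        if key in rows:
            raise ValueError(f"duplicate {KEY} {key} in view")
        rows[key] = {k: v.strip() for k, v in row.items() if k != KEY}
    return rows


def diff_views(previous: dict, current: dict) -> list[tuple[str, str, dict]]:
    """Return (event, institution_id, attrs) tuples, sorted for stable output.

    A student who has vanished from the view is *disabled*, not deleted:
    un-enrolment is reversible and the account may have to come back.  A
    student who reappears shows up as "add"; the driver's matching rule then
    finds the disabled object and re-enables it instead of creating a second.
    """
    events: list[tuple[str, str, dict]] = []
    for key in sorted(current.keys() - previous.keys()):
        events.append(("add", key, current[key]))
    for key in sorted(current.keys() & previous.keys()):
        changed = {k: v for k, v in current[key].items() if previous[key].get(k) != v}
        if changed:
            events.append(("modify", key, changed))
    for key in sorted(previous.keys() - current.keys()):
        events.append(("disable", key, {}))
    return events


# Constructed sample snapshots of the reporting view (not real student data).
LAST_NIGHT = """INSTITUTION_ID,SURNAME,COURSE_CODE,ENROL_STATUS
12345678,Smith,LLB1,FULL
23456789,Jones,BSC2,PROVISIONAL
34567890,Khan,MSC1,FULL
"""
TONIGHT = """INSTITUTION_ID,SURNAME,COURSE_CODE,ENROL_STATUS
12345678,Smith,LLB1,FULL
23456789,Jones,BSC3,FULL
45678901,Patel,BA1,PROVISIONAL
"""


def nightly_run(previous_text: str = LAST_NIGHT, current_text: str = TONIGHT):
    """One night's compare: yesterday's snapshot against today's."""
    return diff_views(load_view(previous_text), load_view(current_text))


if __name__ == "__main__":
    for event in nightly_run():
        print(event)
```

Keep last night's snapshot rather than re-querying it: if the view changes between the two reads, the compare reports changes that never reached the directory, and the next night silently reverses them.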

Rollout Plan
• Change the authoritative system for email alias generation
• Do you really want to re-sync all eDir objects with the source system and lose all changes?

Page 23:

Problems we faced – Rollout Plan

1.) Sync existing system with Vault (get all email aliases into Vault)
2.) Overwrite ID Vault with existing student account info in eDir
3.) Pull in data from Student Record System (no overwrite)
4.) Push all back to eDir
Finish with updates from Student Records overwriting ID Vault + eDir
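The four rollout steps as merge operations over one ID Vault model, written as an added example (the editor's Python, not code from the original slides or from IDM): the point it makes explicit is which source wins for each attribute at each step, so hand-made eDirectory corrections survive the initial load but the Student Record System is authoritative afterwards. Attribute names and the sample records are constructed.

```python
# Added example, not from the original slides: the rollout steps on this
# page as merges with an explicit overwrite flag.  Attribute names and
# records are constructed for illustration.
from copy import deepcopy


def merge(vault: dict, source: dict, overwrite: bool) -> dict:
    """Fold `source` (institution_id -> attrs) into `vault` in place.
    With overwrite=False an attribute already in the Vault is kept, which is
    what protects existing eDir data at step 3."""
    for key, attrs in source.items():
        entry = vault.setdefault(key, {})
        for name, value in attrs.items():
            if overwrite or name not in entry:
                entry[name] = value
    return vault


def initial_rollout(alias_system: dict, edir: dict, student_records: dict) -> tuple[dict, dict]:
    """Steps 1 to 4.  Returns (vault, edir) after the push back to eDir."""
    vault: dict = {}
    merge(vault, alias_system, overwrite=True)      # 1) email aliases into the Vault
    merge(vault, edir, overwrite=True)              # 2) existing eDir account info wins
    merge(vault, student_records, overwrite=False)  # 3) Student Records fill gaps only
    pushed_edir = deepcopy(vault)                   # 4) push everything back to eDir
    return vault, pushed_edir


def steady_state_update(vault: dict, edir: dict, student_update: dict) -> tuple[dict, dict]:
    """After rollout the Student Record System is authoritative and
    overwrites both the Vault and eDir."""
    merge(vault, student_update, overwrite=True)
    merge(edir, student_update, overwrite=True)
    return vault, edir


# Constructed sample data (not real accounts).
ALIASES = {"12345678": {"mail": "a.smith@example.ac.uk"}}
EDIR = {"12345678": {"sn": "Smith-Jones", "givenName": "Ann"}}  # surname fixed by hand in eDir
SRS = {
    "12345678": {"sn": "Smith", "givenName": "Ann", "course": "LLB1"},
    "23456789": {"sn": "Khan", "givenName": "Sam", "course": "BSC2"},
}


def demo() -> tuple[dict, dict]:
    vault, edir = initial_rollout(ALIASES, EDIR, SRS)
    return steady_state_update(vault, edir, {"12345678": {"sn": "Smith"}})


if __name__ == "__main__":
    print(demo())
```

The order of steps 2 and 3 is the whole answer to the question on page 22 ("do you really want to re-sync all eDir objects and lose all changes?"): loading eDir with overwrite before the Student Record System without overwrite keeps every local correction, and only the later steady-state feed is allowed to replace them.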

Page 24:

Problems we faced - Passwords

Password Policy
• Need an institution-wide password policy

Universal Password
• Allows eDirectory to store passwords in a decryptable format (this is what makes the password synchronisation on page 16 possible, so access to it needs the same care as the helpdesk reset rights raised on page 11).
• Need NMAS on every workstation
• Need password policy applied to all users
• Security container must be widely replicated
• See www.novell.com/documentation/nmas23/index.html and TIDs 10094494, 10091354

Page 25:

Conclusions

Get management buy-in early on
Define business policies and procedures
Decide what data to store in the ID Vault / Meta-Directory
How do you want to provide LDAP?
Will delete operations be a problem?
Define an institution password policy and implement Universal Password early
Do you want to re-synchronise all accounts?
How will you implement / rollout?