Page 1

LDAP for Authentication and Authorization @ UH

Info. Tech. Svcs.
University of Hawaii

Russell Tokuyama, 10/03/00
University of Hawaii © 2000

Page 2

What is LDAP?

- Lightweight directory access protocol
- Client-server protocol for directory service (e.g., X.500)
- Schema and transport
- Standards based

Page 3

What is a directory svc?

- Central information source, like white pages phone book
- Primarily lookup, read often
- Infrequent writes
- Not a relational database

Page 4

Why a central dir?

- Minimize duplication of information
- Reduce errors due to copying and multiple sources
- Single identifier (ID) for user

Page 5

Why not central dir?

- FERPA (confidentiality of student's information)
- Don't trust others with the data
- Fear of big brother
- Fear of falling into wrong hands
- But manageable with planning

Page 6

Why central LDAP?

- Many roles at several campuses
- Common source of information for users and applications
- Enables Web-based services tailored to users' needs
- Std protocol for client access

Page 7

Why central LDAP? (cont)

- User authentication
- Access control (authorization)
- Configurability
- Core services
- Single, well-managed password improves security (universal ID)

Page 8

ITS Username

- Students in credit classes
- Outreach students
- Faculty
- Staff
- Clinical staff

Page 9

ITS Username (cont)

- RCUH
- EWC
- Visiting faculty
- Professor Emeritus
- Special programs with approval

Page 10

UNISON (previous)

[Diagram: UNISON at the center, linked to A/R, OHR, RCUH, EWC, UHF, UHUNIX, Modem Pool, PA`E, NIS and FTP; labelled "ID + password"]

Page 11

Got LDAP?

- Student Employment and Cooperative Education
- OHR's Historical Leave Information
- more to come...

Page 12

What's in LDAP?

- uid (ITS username)
- password (UNIX encrypted)
- name (last, first, middle)
- alternateID (SSN)
- affiliation (faculty, staff, student)
- homeCampus

Page 13

Central LDAP (current)

[Diagram: UNISON, its LDAP and the Central LDAP, with WebMail, UHUNIX, OHR Leave, SECE and Modem Pool; labelled "ID + password"]

Page 14

Central LDAP (future)

[Diagram: UNISON and the Central LDAP, with WebMail, UHUNIX, OHR Leave, SECE, Portals, Web Apps and Modem Pool]
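The deck states that the central LDAP is used for user authentication and for access control, and lists the attributes each entry carries. The following is an added example, not code from the deck or from UH's ITS, that walks through that flow against a small in-memory stand-in for the directory: a bind-style password check followed by an affiliation-based authorization decision for the services named in the diagrams. The two user entries, the per-application rules, and the {SSHA} password scheme (used in place of the slides' UNIX crypt so the example runs on current Python) are all assumptions.

```python
import base64
import hashlib
import hmac
import os

def ssha_hash(password, salt=None) -> str:
    """Salted SHA-1 in LDAP {SSHA} form (assumed here instead of the slides' UNIX crypt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password: str, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

# Constructed entries using the attributes listed on the "What's in LDAP?" slide.
DIRECTORY = {
    "jdoe": {"uid": "jdoe", "password": ssha_hash("correct horse"), "name": "Doe, Jane",
             "alternateID": "000-00-0000", "affiliation": "student", "homeCampus": "Manoa"},
    "kwong": {"uid": "kwong", "password": ssha_hash("battery staple"), "name": "Wong, Ken",
              "alternateID": "000-00-0001", "affiliation": "staff", "homeCampus": "Hilo"},
}

# Assumed rules for services in the "Central LDAP" diagrams: which affiliations each admits.
APP_RULES = {
    "WebMail": {"student", "faculty", "staff"},
    "UHUNIX": {"student", "faculty", "staff"},
    "OHR Leave": {"faculty", "staff"},
    "SECE": {"student", "staff"},
}

def authenticate(uid, password):
    """Stand-in for a simple bind: succeeds only when the uid exists and the password matches.
    Unknown uids are checked against a throwaway hash so the failure path costs the same, and
    the view handed back omits the password hash and the SSN (alternateID)."""
    entry = DIRECTORY.get(uid)
    stored = entry["password"] if entry is not None else ssha_hash("")
    if not ssha_verify(password, stored) or entry is None:
        return None
    return {k: v for k, v in entry.items() if k not in ("password", "alternateID")}

def authorize(user: dict, application: str) -> bool:
    """Affiliation-based access control; applications without a rule are denied."""
    return user["affiliation"] in APP_RULES.get(application, set())

def login(uid, password, application) -> str:
    user = authenticate(uid, password)
    if user is None:
        return "authentication failed"
    return "allowed" if authorize(user, application) else "forbidden"
```

A real deployment would bind to the LDAP server with the user's DN and read `affiliation` from the returned entry; the decision logic is the same.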

Page 15

What/who will use it?

- Wireless LAN access
- New Web applications
- Portals
- Roaming profiles

Page 16

What's next?

- Improve data collection and processing for UNISON
- UH Portal
- Web registration for the CCs
- Digital signatures
- Electronic approvals

Page 17

What's I2 got to do w/ it?

- Middleware infrastructure
- Early Adopters program
- EduPerson
- Directory of directories
- Universal identifiers

Page 18

Those other guys?

- LDAP allows any other backend
- Active Directory Service (ADS)
  – tight Win2K integration
- Novell Directory Service (NDS)
  – tight Novell integration

Page 19

Links

- LDAP: Use as Directed – http://www.data.com/990207/ldap.html
- An LDAP Roadmap & FAQ – http://www.kingsmountain.com/ldapRoadmap.shtml
- Mark Wahl's LDAP FAQ – http://www3.innosoft.com/ldapworld/ldapfaq.html

Page 20

Links (cont)

- ITS Username – http://www.hawaii.edu/infotech/yourusername.html
- LDAP v2 (RFC 1777, 1778, 1779)
- LDAP v3 (RFC 2251, 2252, 2253)
- ITS LDAP Team – russ@hawaii.edu