Page 1

LDAP user database

Marina Vermezović, Academic Network of Serbia (AMRES)

Skopje, 15.09.2011

Page 2

What is it all about?

Services/resources:
- access to the network: wireless, VPN
- web services: e-learning, e-library, student portal

Authentication: who are you?
Authorization: what can you do?

An Authentication and Authorization Infrastructure (AAI) makes access to protected services easier.

Akademska mreža Srbije, www.amres.ac.rs

Page 3

Without AAI

(Diagram: Faculty A and Library B each run their own service providers, and every service (wireless, videoconference, e-learning, student services, e-books) performs its own authentication and authorization.)

Page 4

With AAI

(Diagram: Faculty A runs identity management and an identity provider, which performs authentication once; the service providers at the faculty (wireless, videoconference, e-learning, student services) and at the library (wireless, e-books) only perform authorization.)

Page 5

High level AAI diagram

(Diagram: the IdP is a user database fronted by a RADIUS server and a SAML identity provider. Network SPs (eduroam, VPN) reach it through a NAS speaking RADIUS; web SPs (web resources, wiki pages) reach it through SAML.)

This is the basis for developing all services that need local and inter-institutional authentication and authorization.

Circle of Trust: Federation

Page 6

What is a digital user identity?

A set of data (attributes) about a user:
- Personal user data: name, surname, date of birth, national identification number, contact information (mail, address, phone)
- Data regarding affiliation to the institution: name of the institution, affiliation (student, employee, guest), designation (for employees), type of studies (for students), local identification number, contact information (mail, address, phone)
- Credentials used for authentication: username/password, certificate
- Data that uniquely identifies a person: a person identifier in username@domain form
- User roles and privileges

Page 7

LDAP user database

Page 8

Which database to use for storing user IDs?

Basically you can choose any:
- Relational: MySQL, Oracle, PostgreSQL
- Hierarchical: OpenLDAP, Active Directory

But... there are some advantages.

Pages 9-14

Directories – made for storing user IDs?
User database – why LDAP?

Relational Databases vs Directories (the original builds this table up one row per slide)

Aspect           | Relational databases                                     | Directories
Schema           | no standard schema for tables and data fields            | international standards to describe persons and organizations
Organization     | one logical entity can be stored in multiple tables      | one logical entity = one entry in the DIT
Multivalued data | mandates a new table, or a fixed number of extra fields  | native support for multivalued attributes
Flexibility      | changes to data fields can require big effort            | granular modification of the schema; easy to add attributes
Access           | no standard protocol for access via the network          | defines a protocol for access via the network: LDAP
Optimization     | -                                                        | optimised for reading

Resource: http://www.terena.org/activities/idm/moldova/intro2LDAP.pdf

Page 15

LDAP dictionary

Page 16

LDAP dictionary revealed

DIT – Directory Information Tree
- the term for the structure the data is organized in
- hierarchical (tree-like)

Page 17

Entry
- a single node in the directory tree which describes one object
- examples: organization, person, organizational unit

Page 18

Attribute
- an attribute name – attribute value pair contained in the entry
- can be single-valued or multivalued

Page 19

objectClass
- a logical group of attributes
- an entry has one or more objectClasses assigned, and must have exactly one structural objectClass (auxiliary classes add further attributes)
- attributes can be optional (MAY) or mandatory (MUST)

Page 20

RDN – Relative Distinguished Name
- the value that distinguishes an entry from its siblings in one branch
- constructed from one or more attributes of the entry itself
- something like a folder name, or a primary key in a relational database

Page 21

DN – Distinguished Name
- the "path" to the entry, which uniquely identifies it
- consists of all RDNs on the path from the entry up to the root, separated by commas (most specific RDN first)

Page 22

Base DN – the DN of the DIT root (the suffix under which all entries of the directory live)

Page 23

LDAP schema mystery?

A schema consists of one or more objectClass definitions; each objectClass lists its attributes, and each attribute has its own definition (syntax, matching rule, single- or multivalued).

(Diagram: schema -> objectClassX -> attributeX -> attributeX definition)
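The vocabulary of pages 16-23 in running form: a DN parser that honours RFC 4514 escaping, the parent/Base DN relation, and a validator that applies the rules the slides state (exactly one structural objectClass, MUST versus MAY attributes, single- versus multivalued attributes, the RDN taken from the entry's own attributes). This is an added example written for this page, not code from the AMRES presentation; the SCHEMA table is a hand-written subset of the inetOrgPerson and eduPerson classes and dc=example,dc=org is a made-up suffix, both assumptions for illustration only.

```python
"""LDAP vocabulary from the slides (entry, attribute, objectClass, RDN, DN,
Base DN, schema) as running code.  Added example, not AMRES code: SCHEMA is a
hand-written subset of inetOrgPerson/eduPerson and dc=example,dc=org a made-up
suffix, both assumptions for illustration only."""
import re

# Constructed subset schema: objectClass -> (kind, superior class, MUST, MAY)
SCHEMA = {
    "top": ("abstract", None, {"objectClass"}, set()),
    "person": ("structural", "top", {"sn", "cn"}, {"userPassword", "telephoneNumber"}),
    "organizationalPerson": ("structural", "person", set(), {"ou", "title"}),
    "inetOrgPerson": ("structural", "organizationalPerson", set(), {"uid", "mail", "givenName"}),
    "organizationalUnit": ("structural", "top", {"ou"}, {"description"}),
    "eduPerson": ("auxiliary", "top", set(), {"eduPersonAffiliation", "eduPersonPrincipalName"}),
}
SINGLE_VALUED = {"eduPersonPrincipalName"}      # every other attribute above is multivalued


def unescape_dn_value(value):
    """Undo RFC 4514 escaping: '\\XX' is one UTF-8 byte, '\\c' is the literal c."""
    raw, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", value[i + 1:i + 3]):
            raw.append(int(value[i + 1:i + 3], 16)); i += 3
        elif value[i] == "\\":
            raw += value[i + 1:i + 2].encode("utf-8"); i += 2
        else:
            raw += value[i].encode("utf-8"); i += 1
    return raw.decode("utf-8")


def _split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped characters (e.g. '\\,') alone."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\":
            cur.append(text[i:i + 2]); i += 2; continue
        if text[i] == sep:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(text[i])
        i += 1
    return parts + ["".join(cur)]


def _trim(text):
    """Drop insignificant spaces; a trailing space behind an odd number of backslashes is escaped."""
    text = text.lstrip(" ")
    while text.endswith(" ") and (len(text) - 1 - len(text[:-1].rstrip("\\"))) % 2 == 0:
        text = text[:-1]
    return text


def parse_dn(dn):
    """DN -> list of RDNs, most specific first.  An RDN is a dict because it may be
    multi-valued (cn=...+uid=...); attribute types are lower-cased."""
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        rdn = {}
        for ava in _split_unescaped(_trim(rdn_text), "+"):
            attr, eq, value = ava.partition("=")
            if not eq or not attr.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            rdn[attr.strip().lower()] = unescape_dn_value(_trim(value))
        rdns.append(rdn)
    return rdns


def parent_dn(dn):
    """DN of the parent entry; the Base DN (the DIT root) has no parent -> ''."""
    return ",".join(_trim(p) for p in _split_unescaped(dn, ",")[1:])


def _superiors(cls):
    """cls followed by its superior classes up to 'top'."""
    chain = []
    while cls in SCHEMA:
        chain.append(cls); cls = SCHEMA[cls][1]
    return chain


def validate_entry(dn, entry):
    """Check an entry (attribute -> list of values) against SCHEMA and its own DN.
    Returns the list of problems found; an empty list means the entry is valid."""
    problems, attrs = [], {k.lower(): v for k, v in entry.items()}
    classes = [c for c in attrs.get("objectclass", []) if c in SCHEMA]
    problems += [f"unknown objectClass {c}" for c in attrs.get("objectclass", []) if c not in SCHEMA]
    structural = [c for c in classes if SCHEMA[c][0] == "structural"]
    if not structural:
        problems.append("no structural objectClass")
    elif set(structural) - set(_superiors(max(structural, key=lambda c: len(_superiors(c))))):
        # every structural class listed must lie on the chain of the most specific one
        problems.append(f"more than one structural objectClass: {sorted(structural)}")
    must = {a for c in classes for s in _superiors(c) for a in SCHEMA[s][2]}   # MUST/MAY are inherited
    may = {a for c in classes for s in _superiors(c) for a in SCHEMA[s][3]}
    allowed = {a.lower() for a in must | may}
    problems += [f"missing mandatory attribute {a}" for a in sorted(must) if not attrs.get(a.lower())]
    problems += [f"attribute {a} not allowed by any objectClass" for a in sorted(attrs) if a not in allowed]
    problems += [f"{a} is single-valued" for a in sorted(SINGLE_VALUED) if len(attrs.get(a.lower(), [])) > 1]
    for attr, value in parse_dn(dn)[0].items():      # the RDN is built from the entry's own attributes
        if value not in attrs.get(attr, []):
            problems.append(f"RDN value {attr}={value} missing from entry")
    return problems


BASE_DN = "dc=example,dc=org"                     # constructed suffix
PERSON_DN = "uid=jdoe,ou=People," + BASE_DN
PERSON = {
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson", "eduPerson"],
    "uid": ["jdoe"], "cn": ["Jane Doe"], "sn": ["Doe"], "givenName": ["Jane"], "mail": ["jdoe@example.org"],
    "eduPersonAffiliation": ["student", "member"],                    # multivalued attribute
    "eduPersonPrincipalName": ["jdoe@example.org"],                   # single-valued attribute
}
BROKEN = dict(PERSON, sn=[], eduPersonPrincipalName=["jdoe@example.org", "jane@example.org"],
              objectClass=PERSON["objectClass"] + ["organizationalUnit"])

if __name__ == "__main__":
    print(parse_dn("cn=Doe\\, Jane+uid=jdoe,ou=People," + BASE_DN))
    print(parent_dn(PERSON_DN), "| base DN:", parent_dn(parent_dn(PERSON_DN)))
    print(validate_entry(PERSON_DN, PERSON) or "PERSON is valid")
    print(validate_entry(PERSON_DN, BROKEN))
```

A real server enforces the same rules from its loaded schema files and rejects the BROKEN entry at Add time; running the check in the provisioning code first gives a readable error instead of an LDAP result code. When building DNs from user-supplied values in production, use the library escaper (for python-ldap, ldap.dn.escape_dn_chars) rather than string concatenation.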

Page 24

Which schema should I use?

One can define a proprietary schema for use within the organization.

But... if inter-institutional authentication and authorization is used, as in an NREN AAI, using the same schema becomes important.

Institutions involved in an NREN AAI should use the same schema because it:
- unifies the attributes, their use and their semantics
- lets Service Providers know what to expect during authentication and authorization

Page 25

Standard LDAP schemas designed for campus directories

- eduPerson (eduPerson200604), Internet2 MACE group: attributes describing a person in higher education
- eduOrg (eduOrg200210), Internet2 MACE group: attributes describing an organization in higher education
- eduMember (eduMember200507), Internet2 MACE-Dir WG: deals with the problem of assigning rights and privileges to users (group membership, e.g. isMemberOf)
- SCHAC (SCHema for ACademia), TERENA Task Force on Middleware, TF-EMC2: complements eduOrg and eduPerson with attributes specific to European education systems

Page 26

How to approach?

A schema for the national AAI should be defined. Examples:
- rsEdu: https://bpd.amres.ac.rs/doku.php?id=amres_aai_wiki:pregled_atributa
- hrEdu: http://schema.aaiedu.hr/shema/
- norEdu: http://www.feide.no/feide/sites/drupal.uninett.no.feide/files/documents/norEdu_spec.pdf

More at https://refeds.terena.org/index.php/FederationSchema

Page 27

How to design a national schema?

- Use the standard schemas: eduPerson, eduOrg, SCHAC
- If an attribute specific to the national education system doesn't exist, define it in the national schema
- Keep in mind that you want to describe NREN students, researchers, teachers...
- Building on the standard schemas enables compatibility between national AAIs (confederation)

Page 28

How to implement an LDAP directory?

LDAP is the protocol for accessing the directory:
- current version LDAPv3, described in RFC 4510 (and the RFCs it references)
- uses TCP, port 389 (or 636 for LDAP over TLS, "ldaps")
- client-server model; some operations: StartTLS, Bind, Search, Compare, Add a new entry, Delete an entry, Modify an entry

A simple Bind sends the password in cleartext, so StartTLS (or an ldaps connection) must precede it; every SP and RADIUS server that talks to the directory should be configured that way.
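The Search operation above is how a web SP or RADIUS server turns a login name into an entry, and the filter it sends is built from untrusted input. The example below, added for this page and not part of the AMRES presentation, shows RFC 4515 escaping beside the unescaped builder it replaces; the DIRECTORY dictionary and the small filter evaluator are constructed stand-ins for a real server so the difference can be observed offline (the dc=example,dc=org suffix and the entries are assumptions).

```python
"""Search filters built from untrusted input: RFC 4515 escaping.  Added
example for this page (not AMRES code).  A web SP or RADIUS server that
resolves a login name with an LDAP Search must escape the value; the
vulnerable builder is kept only to contrast with the safe one.  DIRECTORY and
the filter evaluator stand in for a real server (constructed for the example)."""
import re

# Constructed sample directory: dn -> attributes (values are lists)
DIRECTORY = {
    "uid=admin,ou=People,dc=example,dc=org": {"uid": ["admin"], "eduPersonAffiliation": ["staff"]},
    "uid=jdoe,ou=People,dc=example,dc=org": {"uid": ["jdoe"], "eduPersonAffiliation": ["student"]},
    "uid=msmith,ou=People,dc=example,dc=org": {"uid": ["msmith"], "eduPersonAffiliation": ["student", "member"]},
}


def escape_filter_value(value):
    """RFC 4515: '*', '(', ')', '\\' and NUL become '\\XX' (hex of the UTF-8 byte).
    Non-ASCII bytes are escaped as well, which the RFC permits and keeps the filter 7-bit."""
    return "".join(chr(b) if 0x20 <= b < 0x7f and b not in b"*()\\" else "\\%02x" % b
                   for b in value.encode("utf-8"))


def build_lookup_filter_unsafe(login):          # VULNERABLE: raw interpolation of user input
    return f"(uid={login})"


def build_lookup_filter(login):                 # hardened: every byte that has filter meaning is escaped
    return f"(uid={escape_filter_value(login)})"


def parse_filter(text, pos=0):
    """Recursive-descent parser for the subset (&, |, !, attr=value) used here.
    Returns (node, next_pos)."""
    if text[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    if text[pos:pos + 1] in ("&", "|", "!"):
        op, subs, pos = text[pos], [], pos + 1
        while text[pos:pos + 1] == "(":
            node, pos = parse_filter(text, pos)
            subs.append(node)
        if text[pos:pos + 1] != ")" or not subs or (op == "!" and len(subs) != 1):
            raise ValueError(f"bad compound filter at {pos}")
        return (op, subs), pos + 1
    end = text.find(")", pos)                   # a raw ')' ends the item; an escaped one is '\29'
    attr, eq, value = text[pos:end].partition("=")
    if end < 0 or not eq or not attr:
        raise ValueError(f"bad item filter at {pos}")
    return ("=", attr.lower(), value), end + 1


def _unescape(value):
    """'\\XX' pairs back to bytes, then UTF-8 decode."""
    raw = bytearray()
    for tok in re.split(r"(\\[0-9a-fA-F]{2})", value):
        if re.fullmatch(r"\\[0-9a-fA-F]{2}", tok):
            raw.append(int(tok[1:], 16))
        else:
            raw += tok.encode("utf-8")
    return raw.decode("utf-8", errors="replace")


def _matches(node, attrs):
    if node[0] == "&":
        return all(_matches(n, attrs) for n in node[1])
    if node[0] == "|":
        return any(_matches(n, attrs) for n in node[1])
    if node[0] == "!":
        return not _matches(node[1][0], attrs)
    _, attr, pattern = node
    values = attrs.get(attr, [])
    if pattern == "*":                          # presence filter: any value at all
        return bool(values)
    # an unescaped '*' is a wildcard; escaped bytes are literal (caseIgnore match, as for uid)
    regex = ".*".join(re.escape(_unescape(part)) for part in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def search(filter_text, directory=DIRECTORY):
    """Return the DNs of the entries matching filter_text (a subtree Search)."""
    node, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return sorted(dn for dn, attrs in directory.items()
                  if _matches(node, {k.lower(): v for k, v in attrs.items()}))


if __name__ == "__main__":
    for login in ["jdoe", "*", "ad*"]:
        print(f"{login!r:8} unsafe -> {search(build_lookup_filter_unsafe(login))}")
        print(f"{login!r:8} safe   -> {search(build_lookup_filter(login))}")
```

With the unsafe builder a login of `*` returns every entry and `ad*` enumerates accounts; the escaped filter `(uid=\2a)` matches nothing, which is the correct answer for a literal asterisk. Production code should call the client library's escaper (python-ldap: ldap.filter.escape_filter_chars; ldap3: ldap3.utils.conv.escape_filter_chars) and treat a Search that returns more than one entry for a login lookup as an error, not as a hit.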

Page 29

Which LDAP server software to use?

Quite a long list... (shown as an image on the slide)

Page 30

How to manage LDAP data?

- Manually, with the LDAP command-line tools
- LDAP browsers: Apache Directory Studio, phpLDAPadmin, ...
- Make your own application
- Bulk import/synchronization from other source systems: Student Information System, Employee Registry, ...
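The last item, bulk synchronization from a Student Information System, is where most directory data comes from in practice. The example below, added for this page and not AMRES code, diffs a constructed SIS export against a snapshot of the managed subtree and emits LDIF change records (RFC 2849) for ldapmodify, base64-encoding values that are not LDIF safe strings (the author's name on page 1 is a reminder that this matters). The SIS rows, the directory snapshot, the attribute mapping, the username rule and the ou=People,dc=example,dc=org suffix are all assumptions made for the example.

```python
"""Bulk synchronization of the directory from a Student Information System
export, emitting LDIF (RFC 2849) change records.  Added example for this page,
not AMRES code.  The SIS rows, the directory snapshot, the attribute mapping,
the username rule and the suffix are constructed assumptions; a real job
would read the SIS and the directory over LDAP instead of literals."""
import base64
import re

BASE_DN = "ou=People,dc=example,dc=org"          # managed subtree (assumption)
DOMAIN = "example.org"
UID_RE = re.compile(r"[a-z][a-z0-9._-]{1,31}")   # local username rule (assumption)

# Constructed SIS export: one row per student, with the SIS's own status field
SIS_ROWS = [
    {"uid": "jdoe", "givenName": "Jane", "sn": "Doe", "mail": "jane.doe@example.org", "status": "active"},
    {"uid": "mpetrovic", "givenName": "Marko", "sn": "Petrović", "mail": "mpetrovic@example.org", "status": "active"},
    {"uid": "agone", "givenName": "Ana", "sn": "Gone", "mail": "agone@example.org", "status": "graduated"},
    {"uid": "bad user!", "givenName": "X", "sn": "Y", "mail": "x@example.org", "status": "active"},
]


def entry_from_row(row):
    """Map one SIS row onto inetOrgPerson + eduPerson attributes."""
    return {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson", "eduPerson"],
        "uid": [row["uid"]],
        "cn": [f'{row["givenName"]} {row["sn"]}'],
        "sn": [row["sn"]],
        "givenName": [row["givenName"]],
        "mail": [row["mail"]],
        "eduPersonAffiliation": ["student", "member"],
        "eduPersonPrincipalName": [f'{row["uid"]}@{DOMAIN}'],
    }


# Constructed snapshot of what is currently stored under BASE_DN
DIRECTORY = {
    f"uid={r['uid']},{BASE_DN}": entry_from_row(r)
    for r in [
        {"uid": "jdoe", "givenName": "Jane", "sn": "Doe", "mail": "jdoe@example.org"},      # mail out of date
        {"uid": "agone", "givenName": "Ana", "sn": "Gone", "mail": "agone@example.org"},    # has graduated
        {"uid": "stale", "givenName": "No", "sn": "Longer", "mail": "stale@example.org"},  # gone from the SIS
    ]
}


def plan_sync(rows, directory):
    """Compare the desired state (from the SIS) with the directory snapshot.
    Returns {'add': [(dn, attrs)], 'modify': [(dn, {attr: values})], 'delete': [dn], 'rejected': [uid]}."""
    desired, rejected = {}, []
    for row in rows:
        if not UID_RE.fullmatch(row["uid"]):        # enforce the username rule before it reaches a DN
            rejected.append(row["uid"]); continue
        if row["status"] != "active":               # lifecycle step 5: no longer affiliated -> terminated
            continue
        desired[f"uid={row['uid']},{BASE_DN}"] = entry_from_row(row)
    plan = {"add": [], "modify": [], "delete": [], "rejected": rejected}
    for dn, attrs in desired.items():
        current = directory.get(dn)
        if current is None:
            plan["add"].append((dn, attrs)); continue
        changed = {a: v for a, v in attrs.items() if sorted(v) != sorted(current.get(a, []))}
        if changed:
            plan["modify"].append((dn, changed))
    # only entries inside the managed subtree are ever deleted
    plan["delete"] = sorted(dn for dn in directory if dn not in desired)
    return plan


def ldif_line(attr, value):
    """'attr: value' when value is an RFC 2849 SAFE-STRING, otherwise 'attr:: base64'."""
    data = value.encode("utf-8")
    safe = (all(b < 0x80 and b not in (0x00, 0x0a, 0x0d) for b in data)
            and data[:1] not in (b" ", b":", b"<"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(data).decode('ascii')}"


def to_ldif(plan):
    """Render the plan as LDIF change records suitable for ldapmodify."""
    records = []
    for dn, attrs in plan["add"]:
        records.append("\n".join([ldif_line("dn", dn), "changetype: add"]
                                 + [ldif_line(a, v) for a, vs in attrs.items() for v in vs]))
    for dn, changes in plan["modify"]:
        lines = [ldif_line("dn", dn), "changetype: modify"]
        for attr, values in changes.items():
            lines += [f"replace: {attr}"] + [ldif_line(attr, v) for v in values] + ["-"]
        records.append("\n".join(lines))
    for dn in plan["delete"]:
        records.append(ldif_line("dn", dn) + "\nchangetype: delete")
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    plan = plan_sync(SIS_ROWS, DIRECTORY)
    print("rejected:", plan["rejected"])
    print(to_ldif(plan))
```

The plan is computed and printed before anything is written, so an operator can review a run that would delete half the subtree (a truncated SIS export is the classic cause) instead of discovering it afterwards; a real job should refuse to apply a plan whose delete count exceeds a threshold. Deletion is limited to the managed subtree so that accounts provisioned elsewhere (guests, service accounts) are never touched by the SIS feed.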

Page 31

Identity Management

Page 32

The lifecycle of a user's digital identity – IdM

A set of procedures and rules which define:
1. Who has the right to own a digital identity
2. When a digital identity is assigned to a person
3. How a digital identity is maintained
4. How a digital identity is used
5. How a digital identity is terminated

Every institution should have its own IdM policy. It must comply with the national personal data protection law and the EU Data Protection Directive.

Page 33

1. Who has the right to own a digital identity?

- Pupils
- Students
- Teaching staff
- Other employees
- Other persons affiliated to the institution: members, guests?

Page 34

2. When is a digital identity assigned to a person?

When should the digital identity be created?
- Student: when applying for admission, when enrolling at the faculty, on the first day of studies, or when he/she needs it
- Employee: on the first working day, or when he/she needs it

Which information should it contain?
- mandatory or optional
- single-valued or multivalued
- syntax
- predefined values
- rules for usernames and passwords

Where do you get the information from?
- automatically from another source
- manually from a filled-in form
- manually, verbally
- multiple sources: synchronization problem

What is the quality of the information? How and when is the identity checked?
- other systems rely on that data, so it should be accurate

Page 35

3. How is the digital identity maintained?

Digital identity data should be accurate and up to date.

Who is responsible for reporting a change of data, and which data?
- User: personal data
- Institution administration: data regarding study/employment

How do you make the changes?
- User: by using a self-service portal
- Institution administration: automatically from another source, manually from a filled-in form, manually (verbally)

When are the changes made? ASAP!

Page 36

4. How is the digital identity used?

Which systems can access the information?
- The ones that need authentication, authorization and/or user data. They can access the directory:
  - directly, using the LDAP protocol
  - through a mediating authentication server: RADIUS, SAML, ...

Which data should be accessible?
- Access should be limited to the information a consumer reasonably needs (the slide's examples: mail, birthday). In practice this limit is enforced with directory access controls and a separate, least-privilege bind account per consuming service.

How are user rights and privileges defined?
- use existing user attributes
- add an attribute that describes the user role

Page 37

5. How is the digital identity terminated?

When is the digital identity terminated?
- When the person is no longer affiliated with the institution: a student when he/she graduates, an employee when he/she stops working, a guest: ?
- The time between the end of the affiliation and the termination of the identity should be minimal

Who reports that it should be terminated?
- the user, the student administration service, the employee administration service; for guests: the administration service?

How is it terminated?
- automatically from another source, manually from a filled-in form, manually (verbally)

Is it deleted permanently? Should you reassign once-used usernames?

Page 38

Thank you for your attention

Questions?