Next Generation Directory-Based User Management for … 5. WSO2 Identity Server 34 lacking standards SCaLE 16X, Pasadena 2018 . midPoint Introduction Requires •Java version 8 •Java

Next Generation Directory-Based User Management for Cloud

Infrastructure

March 10, 2018

SCaLE 16X, Pasadena

1

Introduction

Shawn McKinney • Software Architect • PMC Apache Directory Project • Engineering Team

SCaLE 16X, Pasadena 2018 2

Session Objective

Think about how to implement user access controls on machines running in the cloud.

3 SCaLE 16X, Pasadena 2018

I had to keep guessing at the channel; I had to discern, mostly by inspiration, the signs of hidden banks; I watched for sunken stones; When you have to attend to things of that sort, to the mere incidents of the surface, the reality—the reality, I tell you—fades. The inner truth is hidden. Joseph Conrad, Heart of Darkness

https://en.wikipedia.org/wiki/File:VingtAnnees_286.jpg SCaLE 16X, Pasadena 2018

Inspiration

Session Agenda • History of Unix

• Building Blocks

• Security Model

• Data Model

• Solution

• Demo

Image from: HTTP://EVENTS.LINUXFOUNDATION.ORG/EVENTS/APACHECON-NORTH-AMERICA 5 SCaLE 16X, Pasadena 2018

Knowing the path forward means understanding where we’ve been.

History


History

https://upload.wikimedia.org/wikipedia/commons/7/77/Unix_history-simple.svg 7

Soup of the Day

RFC

23

07

PAM

NSS sudo

su

dns

users

POSIX

Security

NSS


Building Blocks


The Wheel

• Let’s not reinvent


Operating System AIX

The Idm engine bolts into chassis


Cloud Infrastructure

runs on the highways


Basic Building Blocks

1. POSIX security controls

2. Directory services

13

Best practices

SCaLE 16X, Pasadena 2018

Advanced Building Blocks

3. Mediation relatively new practice


Building Blocks Conceptual


Building Block Actual


Building Blocks - AuthN


Pluggable Authentication Module

• Authentication

• Coarse-grained Authorization

18

Just an authN service


Building Blocks - AuthZ


sudo

20

Just an authZ service

Building Blocks – Reporting


Name Service Switch

• Used by unix processes to lookup user and group info

22

Just a lookup service


What is LDAP

23

Building Blocks - LDAP

System of record

• Users

• Passwords

• Groups

24

Just a


Building Blocks - Mediator

• Keeps things in synch between the machines and LDAP as things change.


Mediator 1. Machine added to network, notifies mediator

2. Based on policies stored in DB

3. Updates ldap accordingly

1 3

2


Mediator == IdM

1. Provisioning

2. Parameterized Roles

3. Organizational Controls

4. Self-service

5. Approvals

6. Workflow

27

Requirements


Resources & Connectors 28

28

Users & Accounts 29

Provisioning 30


Governance

• High-level business processes, business rules, policies, organizational structures

• Combines with low-level identity management processes like data synchronization, system integration, data formats, data transformation, network protocols

defined:


Governance Controls

• Access Certifications

• Approvals & Notifications

• Audit Trail

• Organizational Controls

• …

32

for example:


Governance Controls (continued) • Policy Rules (limits)

• Remediation

• Role – Catalogs

– Constraints

– Controls

– Lifecycles

33


Open Source IdM Products

1. midPoint

2. Apache Syncope

3. Æ-DIR

4. OpenIDM

5. WSO2 Identity Server

34

lacking standards


midPoint Introduction

Requires

• Java version 8

• Java servlet container

• Relational database

Uses

• Spring Framework

– component wiring

• Apache Wicket

– user interface

• ConnId

– common connectors

(any)


midPoint as the Mediator

Bypass GUI, communicate directly with REST APIs Via the Model


Security Model

amsouth --------- m1001 m1002 m1003 …

afnorth --------- m2010 .....

aspac --------- m3100 …

Requirements


Three Kinds of Security Checks 1. Authentication with LDAP

2. Coarse-grained authZ - memberOf target machine – (i.e. LDAP group name == hostname)

3. Medium-grained authZ. memberOf at least one: – Admin - root access

– User - typical user access

– Auditor - read-only access to entire machine.

sudo

PAM


Four Types of Control Groups

1. Machine Sets

2. Machines

3. Security Roles

4. sudo Roles

Mediator

PAM

sudo


m1set --------- m1001 m1002 m1003 …

m2set --------- m2010 m2020 m2030 …

m3set --------- m3100 m3200 m3300 …

1. Machine Sets

Used by mediator to compute policies


2. Machines

Used by PAM


3. Security Roles

Sudo needs this


4. sudo Roles

Sudo needs this


m1set --------- m1001 m1002 m1003 …

m2set --------- m2010 m2020 m2030 …

m3set --------- m3100 m3200 m3300 …

User, role and machine set

admin

auditor

user

Policy Combiner

The mediator can do this


Pick Two


Data Model


LDAP Data Model

Employ standard object schemas

1. RFC2307bis

– posixAccount

– posixGroup

2. sudoRole

3. groupOfNames


RFC2307bis

48

Covered here before

• LDAPCon 2015, Edinburg

• DBIS: Directory-Based Information Services

• Mark R. Bannister

• link to slides

• link to paper


http://ldapcon.org/2015/wp-content/uploads/2015/09/DBIS-Presentation-2015.pdf

http://ldapcon.org/2015/wp-content/uploads/2015/09/DBIS-Paper-2015.pdf

Use RFC2307bis LDAP Schema


LDAP Data Model

Hierarchical


Machine Set M1

dn: cn=m1set, ou=Groups, ...

description: Machine Set 1

member: cn=m1001,...



… 52 SCaLE 16X, Pasadena 2018

Machine M1001

dn: cn=m1001, ou=Groups,…

objectClass: posixGroup

description: Machine Group M1001

member: uid=curly,ou=People,…

member: uid=frank,ou=People,…

member: uid=marla,ou=People,… …


Security Role M1Admin dn: cn=m1admin, ou=Groups, ...

objectClass: posixGroup

description: Admin Machine Set 1

cn: m1admin

member: uid=curly,ou=People,...

member: uid=frank,ou=People,...

member: uid=marla,ou=People,... …


sudo LDAP Schema objectclass ( 1.3.6.1.4.1.15953.9.2.1

NAME 'sudoRole' SUP top STRUCTURAL

DESC 'Sudoer Entries'

MUST ( cn )

MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser

$ sudoRunAsGroup $ sudoOption

$ sudoNotBefore $ sudoNotAfter

$ sudoOrder $ description )

)


sudo M1Admin dn: cn=admin access to m1,ou=sudo,dc=example,dc=com

objectClass: sudoRole

cn: admin access to m1

sudoUser: %m1admin

sudoHost: m1001

sudoHost: m1002

sudoHost: m1003

sudoHost: m1004


Solution


System Architecture

58

High-level Design

59

Mediator --->


Client Machines

Script runs during machine instantiation:

1. Binds PAM, sudo and NSS into the LDAP server.

2. Calls mediator to add or remove from machine set.


IdM ‘Server’ 1. MidPoint - mediator

– html & http admin services

2. PostGreSQL – master database – users, roles, orgs, svcs

3. OpenLDAP – security database – users, groups

– posixAccount, posixGroup

61

Deployment

62

IdM machine#1 --->

<-dev machine#1

<-test machine#2

<-prod machine#3

IdM machine#2 --->

IdM machine#3 --->

hyper visor ---> …

Demo 63

63 SCaLE 16X, Pasadena 2018c

Demo Scenario

Manage users and unix machines running in the cloud.

64

64 SCaLE 16X, Pasadena 2018c

User-Role-Machine

m1001 m1002 m1003 m2010 m2020 m2030 m3100 m3200 m3300

Curly Admin Admin Admin

Moe Auditor Auditor Auditor

Larry User User User

Demo User to Role to Machine <----- Set 1------> <-------Set 2 ------> <----- Set 3 ----->


Demo Environment 66


Demo Environment

Google Apps connector

HCM connector (peoplesoft)

Open

67


Wrap-up

• Questions


Contact

https://iamfortress.net

https://symas.com

[email protected]

@shawnmckinney Twitter:

Website:

Email:

Project: https://directory.apache.org/fortress

Blog:


https://iamfortress.net/

http://symas.com

https://directory.apache.org/fortress/

Documents

Next Generation Directory-Based User Management for … 5. WSO2 Identity Server 34 lacking standards SCaLE 16X, Pasadena 2018 . midPoint Introduction Requires •Java version 8 •Java