Novell Account Management Overview and Futures
Doug AndersonProduct [email protected]
David CondreyEngineering [email protected]
Boyd WilsonProduct Architect,[email protected]
© March 10, 2004 Novell Inc, Confidential & Proprietary2
The one Net vision

one Net: Information without boundaries… where the right people are connected with the right information at the right time to make the right decisions.

• Novell exteNd™
• Novell Nsure™
• Novell Nterprise™
• Novell NgageSM
The one Net vision: Novell Nsure™

Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.
Agenda
• Covering the Basics
• Account Provisioning Across Heterogeneous Systems
• Password Management Across Heterogeneous Systems
• Component Location
• Summary
What’s Up With NAM and IDM?
Let’s clear this up now:
• These are complementary products, not competing products
• Identity Manager is the family, and NAM is part of it
• NAM is going to go from cousin to brother
How are Novell Account Management and Identity Manager Related?
• NAM has functionality not available in IDM2 (Fan-Out Drivers, Windows Standalone Mode, Authentication Redirection, Native Script Handling, password sync using standard eDir password)
• NAM also has limitations not found in IDM2 (Subscriber-Only, Different Architecture, Different Management Console)
What’s the Mission?
To make it easy for any Novell Account Management customer (and there are thousands), be it version 2.1 or 3.0, on any platform, to move forward, without losing any critical functionality, and, in fact, gaining significant functionality.
But, for today . . .
But for right now, let’s talk about how NAM works today, and how it will work in the future
Covering the Basics
In The One Net World
(Diagram) Core services – Management, Storage, Access, Collaboration and others – run on eDirectory™ across the platforms NetWare, Windows, Solaris, Linux and AIX. Novell Account Management 3.0 extends those solutions and applications (Net Services, Storage, Collaboration) to the operating systems Windows, Solaris (Sparc & x86), OS/390, AIX, HP-UX, Linux, Free BSD, AS/400 and others.
Two Problems To Solve
User Account Provisioning – How do you automate the process of granting, managing and revoking the right accounts on the right systems at the right time, while giving the administrators of those systems ultimate control over the provisioning process on their respective systems?
Password Management – How do you provide a mechanism where the user has the same password for all systems, no matter how he attaches to or uses those systems?
One Product solves both problems
Novell’s Account Management Solution solves both the Account Management and Password Management problems for a wide variety of Operating Systems. It builds on:
• The scalability of eDirectory™
• The cross-platform history of prior versions of Account Management and NDS® Authentication Services
• The extensibility of DirXML®

Account Provisioning Across Heterogeneous Systems
Novell Nsure™
It’s about:
• Immediate Access
  – Instant On
  – Rapid time to productivity
• Security Confidence
  – Instant Off
  – Eliminate known and unknown exposures
• Real Cost Savings
  – Integrated, distributed identities
  – Reduced points of administration
Because it’s all one Net
Digital Identities
The key to delivering services, applications and access to employees - customized to their roles or individual needs
Account Management Vision
(Diagram) Accounts on VMS, HP-UX, AS/400, AIX, MVS (RACF, ACF2, Top Secret), Linux, Free-BSD, NDS, AD, NT Domains, Solaris on Sparc & Intel, Tru64 and an LDAP Directory are all fed from one Authoritative Data Source.

Account Management
(Diagram) The same set of target accounts, managed by Account Management through the IDM2 Core Driver on eDirectory®.
Transaction Flow and Decision Points
(Diagram) Authoritative Data Source (eDirectory®) → Core Driver → Target System.
1. Identity provisioning solutions like Novell Nsure allow management decisions to be made and policies to be carried out based on information relevant to the Authoritative Data Source.
2. Administrators may manage identities from a centralized location using any tools that interact with the directory.
3. Platform administrators have the power to fully provision and manage users on their platform and can customize the application of each transaction.
Account Provisioning to a Target
By granting a collaborative unit such as a container or a group access to a target system, you automate the management of all users that may be associated with that collaborative unit in the future.
(Diagram) Example targets: OS/390 LPAR 1 (MVS – RACF, ACF2, Top Secret), AIX Mail Server (AIX), Atlanta NT Domain (NT Domains).
Principal Components
(Diagram) Target platforms: AS/400, Unix, Windows, 390 and others.
• Core Driver(s): Fan Out, Auditing, UID/GID Management, Authentication Redirection, Bi-directional Password Replication, UP Support, IDM2 Integration; requires fewer objects in eDirectory.
• Platform Services on each target.
• eDirectory™ with Novell DirXML.

Principal Components (detail)
(Diagram)
• Core Driver(s): Manager Services, Object Services, Audit Services, Certificate Services, Web Services (iManager Integration), Journal Services, Auth Redirection (agent); built on eDirectory™ and Novell DirXML.
• Platform Services on the target: System Intercept, Platform Services Process, Platform Receiver, Receiver Scripts and the Authentication Services API, covering User Authentication and User and Group Management.
• Core Driver and Platform Services communicate over SSL.
Adding Users To The Directory
(Diagram: the component layout from Principal Components above.)
1. A new user is created in eDirectory.
2. The Core Driver sees the change.
3. Object Services creates an E-user object in the Census, associates it with the proper Platform and passes this information on to Event Journal Services.
4A. The Platform Receiver requests an Access Management Event from Event Journal Services pertaining to the Platform Set that this particular platform is associated with.
4B. Event Journal Services reads the information for the object specified in the Access Management Event out of eDirectory and passes it on to the Platform Receiver.
5. The Platform Receiver processes the Access Management Event through a suitable script (Add User) and passes it on to the local user security system.
6. Event Journal Services notifies Audit Services, which records the actions taken in the Audit Log.
Deleting Users From The Directory
(Diagram: the component layout from Principal Components above, plus the Event Listener.)
1. A user is deleted in eDirectory.
2. The Core Driver sees the change.
3. An Access Management Event is created and sent to Object Services.
4A. Object Services marks the E-user object in the Census inactive or removes the E-user object from the Census (according to configuration).
4B. Object Services changes the information on the Platform User Object accordingly.
5. The Platform Receiver requests an Access Management Event from Event Journal Services pertaining to the Platform Set that this particular platform is associated with.
6. The Platform Receiver processes the Access Management Event through a suitable script to delete or disable the User and passes it on to the local user security system.
7. Event Journal Services notifies Audit Services, which records the actions taken in the Audit Log.
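The add and delete flows above share one shape: the Core Driver records the change in the Census and journals an Access Management Event, and each Platform Receiver pulls only the events for its own Platform Set and applies them through a local script, with every outcome going to the Audit Log. The following is an added example modelling that pipeline, not Novell's code; the class names follow the slide labels, while the container-to-platform-set mapping, the script names, the sample users and the in-memory "local security system" are assumptions constructed for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class AccessManagementEvent:
    kind: str            # "add" or "delete"
    user: str
    platform_set: str    # the targets that should receive this event


class Census:
    """Object Services' E-user table. delete_mode is the configuration choice
    from step 4A: mark the E-user inactive, or remove it outright."""

    def __init__(self, delete_mode="inactive"):
        assert delete_mode in ("inactive", "remove")
        self.delete_mode = delete_mode
        self.entries = {}   # user -> {"platform_set": str, "active": bool}

    def add(self, user, platform_set):
        self.entries[user] = {"platform_set": platform_set, "active": True}

    def delete(self, user):
        entry = self.entries.get(user)
        if entry is None:
            return None
        if self.delete_mode == "remove":
            del self.entries[user]
        else:
            entry["active"] = False
        return entry["platform_set"]


class EventJournal:
    """Journal Services: one queue per Platform Set. Receivers pull; nothing is
    pushed, so a target that is down simply catches up on its next request."""

    def __init__(self):
        self.queues = defaultdict(deque)
        self.audit_log = []          # what Audit Services records (steps 6/7)

    def publish(self, event):
        self.queues[event.platform_set].append(event)

    def next_event(self, platform_set):
        queue = self.queues[platform_set]
        return queue.popleft() if queue else None

    def audit(self, platform, event, outcome):
        self.audit_log.append((platform, event.kind, event.user, outcome))


class PlatformReceiver:
    """Runs on the target; each event kind maps to a local script (assumed
    names) and the outcome is reported back for auditing."""

    def __init__(self, name, platform_set, journal, disable_on_delete=True):
        self.name, self.platform_set, self.journal = name, platform_set, journal
        self.local_security = {}     # stand-in for RACF / SAM / passwd
        self.scripts = {"add": self.add_user,
                        "delete": self.disable_user if disable_on_delete else self.delete_user}

    def add_user(self, user):
        self.local_security[user] = "enabled"
        return "added"

    def disable_user(self, user):
        if user not in self.local_security:
            return "not-found"
        self.local_security[user] = "disabled"
        return "disabled"

    def delete_user(self, user):
        return "deleted" if self.local_security.pop(user, None) else "not-found"

    def poll(self):
        """Steps 4A/5: request the next event for this Platform Set only,
        run the matching script, hand the outcome to the audit log."""
        event = self.journal.next_event(self.platform_set)
        if event is None:
            return None
        outcome = self.scripts[event.kind](event.user)
        self.journal.audit(self.name, event, outcome)
        return outcome


class CoreDriver:
    """Sees the eDirectory change (step 2), updates the Census (step 3) and
    hands an Access Management Event to Journal Services."""

    def __init__(self, census, journal, container_to_platform_set):
        self.census, self.journal = census, journal
        self.container_to_platform_set = container_to_platform_set  # assumed mapping

    def on_user_created(self, user, container):
        platform_set = self.container_to_platform_set.get(container)
        if platform_set is None:
            return None          # container not provisioned to any target
        self.census.add(user, platform_set)
        self.journal.publish(AccessManagementEvent("add", user, platform_set))
        return platform_set

    def on_user_deleted(self, user):
        platform_set = self.census.delete(user)
        if platform_set is not None:
            self.journal.publish(AccessManagementEvent("delete", user, platform_set))
        return platform_set


def demo(delete_mode="inactive"):
    """Constructed scenario: two targets, three users, one deletion."""
    journal, census = EventJournal(), Census(delete_mode)
    core = CoreDriver(census, journal,
                      {"ou=atlanta": "atlanta-nt", "ou=mainframe": "os390-lpar1"})
    nt = PlatformReceiver("Atlanta NT Domain", "atlanta-nt", journal)
    mvs = PlatformReceiver("OS/390 LPAR 1", "os390-lpar1", journal)
    core.on_user_created("alice", "ou=atlanta")
    core.on_user_created("bob", "ou=mainframe")
    core.on_user_created("carol", "ou=unmanaged")      # no Platform Set: ignored
    outcomes = [nt.poll(), mvs.poll(), nt.poll()]      # third poll: queue empty
    core.on_user_deleted("alice")
    outcomes.append(nt.poll())
    return census, nt, mvs, journal, outcomes
```

Running `demo()` shows the decision points the slides call out: the unprovisioned container produces no event, each receiver only ever sees its own Platform Set, the delete is applied as a disable on the target while the Census keeps an inactive record, and every applied event leaves an audit entry. Calling `demo("remove")` shows the other configuration, where the E-user disappears from the Census entirely.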
Password Management Across Heterogeneous Systems
Target System Access
(Diagram) Applications reach the target's Security System through the Operating System by many paths: Browser, Client/Server App, FTP, Terminal Emulator, DB Front-End, Terminal and Terminal Controller.
Password Synchronization
In the strict sense, “synchronization” means that if a user changes his password on one system, the password is immediately pushed to the other system.
But, to the end user, passwords are “synchronized” between systems if the user can use the same password on both systems.
We can accomplish this end result in a number of ways.
AM Password Management: 3 Methods to Choose From
The architecture supports 3 Authentication methods for a given platform:
1. Re-Direction
2. Re-Direction with Local Sync
3. Replication (Event-Driven Sync)
Authentication Replication (Password Check/Change)
(Diagram) On OS/390, applications authenticate against RACF. The PWRedir intercept passes the ID/PW to the AM 3.0 Agent(s), which check the eDir ID/PW against eDirectory over LDAP and return Y/N to RACF. If the Local Sync option is enabled and the answer is Y, the password is also stored in the RACF DB.
(Diagram) The same redirect flow without local sync: PWRedir forwards the ID/PW to the AM 3.0 Agent(s), eDirectory answers Y/N, and the RACF DB is not updated.

Password Change and Sync Via Redirect
(Diagram) A password change on OS/390 (PWRedir in front of RACF and the RACF DB) or on HP-UX (PWRedir in front of PAM and the UNIX DB) is redirected to eDirectory; a DirXML Password Change carries the ID/PW between the eDirectory servers, so the same ID/PW is valid on every platform.
When Redirect Is Not An Option…
Redirection is great technology, but you have to be able to intercept the following on the target system:
1. Password Check
2. Password Change
…But we can’t intercept Check everywhere. However, we can intercept Change. And if we can intercept Change, then we can still use method 3 – Replication (Event-driven Sync).
Authentication Replication (Event-Driven Password Sync)
(Diagram) On a Windows Server Domain Controller, an Intercept captures the Password Change made by an Application in the Domain and the AM 3.x Core Driver(s) replicate the ID/PW into eDirectory.
(Diagram) The DirXML AM Driver on eDirectory feeds the AM 3.x Account Provider (Core Driver), which replicates the password to the Platform Receiver (Method=Replicate) on each target security system: Target 1 SS, Target 2 SS and Target 3 SS.
Component Location
Component Location (Core Driver)
• The Core Driver now includes all the functionality of the former Event Listener, Manager and Agents.
• A Core Driver must be installed on the server(s) where replicas of the provisioned users and ASAM System container reside.
• The Core Driver uses a mix of DirXML and LDAP calls to accomplish its mission
• You can install more than one Core Driver for redundancy; when you upgrade, upgrade the Manager first, then all the Agents, to Core Drivers.
(Diagram) Core Driver Communications Installed on the Same System: the Core Driver (Manager Services, Object Services, Audit Services, Certificate Services, Web Services, Journal Services, Agent Services) talks to eDirectory™ and Novell DirXML on the same server through DirXML and LDAP/SSL.

Multiple Core Drivers
(Diagram) Two Core Drivers, each with the full set of services, attached to separate eDirectory™/Novell DirXML servers through DirXML and LDAP/SSL.
Multiple Core Drivers can watch for events in different or the same replica rings.
Component Location (Platform Services)
• Platform Services run on the target system.
• Delivery and Installation based on the Native Platform.
Platform Services – OS/390
(Diagram) The Core Driver(s) on eDirectory™/Novell DirXML reach the mainframe over LDAP. On OS/390 a Started Task, the PassCheckExit and the PassChangeExit hook RACF and the RACF DB, and an API Interface serves APP 1, APP 2, APP 3 … APP N.

Futures
Facts
• The same engineering team now develops and supports the Account Management and NIS Driver deliveries in the UNIX solution space.
• There are fits for each solution today.
  – NIS driver is good if UNIX is authoritative for account creations.
  – NAM is good if you have lots of systems to connect or if you have not enabled Universal Password.
• Account Management and Identity Management are converging using a multiple phase approach.
IDM/NAM Convergence
• This does NOT mean simply that Account Management is going away and being converted to drivers.
• Convergence requires new functionality in the current IDM Engine and management infrastructure as well as a change in current NAM management methodologies.
• This will open up new possibilities for managing how drivers work.
• This will allow for a common management and customization infrastructure.
• Migrations from current DirXML/Identity Manager drivers and NAM implementations will be made seamless.
• No need to wait to deploy!
Roadmap: Time Sensitive Information

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.