Novell Account Management Overview and Futures

Doug Anderson, Product Manager, danderson@novell.com
David Condrey, Engineering Manager, dcondrey@novell.com
Boyd Wilson, Product Architect, [email protected]


© March 10, 2004 Novell Inc, Confidential & Proprietary

The one Net vision

one Net: Information without boundaries…where the right people are connected with the right information at the right time to make the right decisions.

[Diagram: the four solution families, Novell exteNd™, Novell Nsure™, Novell Nterprise™ and Novell NgageSM.]


The one Net vision

Novell Nsure™: Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.


Agenda

• Covering the Basics

• Account Provisioning Across Heterogeneous Systems

• Password Management Across Heterogeneous Systems

• Component Location

• Summary


What’s Up With NAM and IDM?

Let’s clear this up now

• These are complementary products, not competing products

• Identity Manager is the family, and NAM is part of it

• NAM is going to go from cousin to brother


How are Novell Account Management and Identity Manager Related?

• NAM has functionality not available in IDM2 (Fan-Out Drivers, Windows Standalone Mode, Authentication Redirection, Native Script Handling, password sync using standard eDir password)

• NAM also has limitations not found in IDM2 (Subscriber-Only, Different Architecture, Different Management Console)


What’s the Mission?

To make it easy for any Novell Account Management customer (and there are thousands), be it version 2.1 or 3.0, on any platform, to move forward, without losing any critical functionality, and, in fact, gaining significant functionality.


But, for today . . .

But for right now, let’s talk about how NAM works today, and how it will work in the future


Covering the Basics


In The One Net World

[Diagram: the one Net stack. Solutions & Applications: Management, Storage, Access, Collaboration, Others. Core Services: eDirectory. Platform: NetWare, Windows, Solaris, Linux, AIX, New. Operating systems reached by Novell Account Management 3.0: Windows, Solaris (Sparc & x86), OS/390, AIX, HP-UX, Linux, Free BSD, AS/400, Others. Net Services, Storage and Collaboration are shown alongside.]


Two Problems To Solve

User Account Provisioning – How do you automate the process of granting, managing and revoking the right accounts on the right systems at the right time, while giving the administrators of those systems ultimate control over the provisioning process on their respective systems?

Password Management – How do you provide a mechanism where the user has the same password for all systems, no matter how he attaches to or uses those systems?


One Product solves both problems

Novell’s Account Management Solution solves both the Account Management and Password Management problems for a wide variety of Operating Systems. It builds on:

• The scalability of eDirectory™

• The cross-platform history of prior versions of Account Management and NDS® Authentication Services

• The extensibility of DirXML®


Account Provisioning Across Heterogeneous Systems


Novell Nsure™

It’s about:

• Immediate Access
– Instant On
– Rapid time to productivity

• Security Confidence
– Instant Off
– Eliminate known and unknown exposures

• Real Cost Savings
– Integrated, distributed identities
– Reduced points of administration

Because it’s all one Net


Digital Identities

The key to delivering services, applications and access to employees - customized to their roles or individual needs


Account Management Vision

[Diagram: an Authoritative Data Source feeding accounts on VMS, HP-UX, AS/400, AIX, MVS (RACF, ACF2, Top Secret), Linux, Free-BSD, NDS, AD, NT Domains, Solaris (on Sparc & Intel), Tru64 and an LDAP Directory.]


Account Management

[Diagram: the same account targets (VMS, HP-UX, AS/400, AIX, MVS with RACF, ACF2 or Top Secret, Linux, Free-BSD, NDS, AD, NT Domains, Solaris on Sparc & Intel, Tru64) provisioned by Account Management through the IDM2 Core Driver and eDirectory®.]


Transaction Flow and Decision Points

[Diagram: Authoritative Data Source → eDirectory® → Target System.]

1. Identity provisioning solutions like Novell Nsure allow management decisions to be made and policies to be carried out based on information relevant to the Authoritative Data Source.

2. Administrators may manage identities from a centralized location using any tools that interact with the directory.

3. Platform administrators have the power to fully provision and manage users on their platform and can customize the application of each transaction.


Account Provisioning to a Target

By permitting a collaborative unit such as a container or a group to a target system, you automate the management of all users that may be associated with the collaborative unit in the future.

[Diagram: example targets OS/390 LPAR 1, AIX Mail Server and Atlanta NT Domain, drawn from the platform types AIX, MVS (RACF, ACF2, Top Secret) and NT Domains.]


Principal Components

[Diagram: eDirectory and Novell DirXML in the centre, the Core Driver(s) on one side and Platform Services on the target platforms (AS/400, Unix, Windows, 390, Other) on the other.]

Core Driver(s):

• Fan Out
• Auditing
• UID/GID Mgmt
• Authentication Redirection
• Bi-directional Password Replication
• UP Support
• IDM2 Integration
• Requires fewer objects in eDirectory


Principal Components

[Diagram: eDirectory with Novell DirXML; the Core Driver(s) and the Platform Services on the targets (AS/400, Unix, Windows, 390, Other) communicate over SSL.]

Core Driver(s): Manager Services, Object Services, Audit Services, Certificate Services, Web Services (iManager Integration), Journal Services, Auth Redirection (agent).

Platform Services: System Intercept, Platform Services Process, Platform Receiver and Receiver Scripts, covering User Authentication (through the Authentication Services API) and User and Group Management.


Adding Users To The Directory

[Diagram: the Principal Components picture (eDirectory/Novell DirXML, the Core Driver services, Platform Services over SSL) annotated with the numbered steps below.]

1. A new user is created in eDirectory

2. The Core Driver sees the change

3. Object Services creates an E-user object in the Census, associates it to the proper Platform and passes this information on to Event Journal Services

4A. The Platform Receiver requests an Access Management Event from Event Journal Services pertaining to the Platform Set that this particular platform is associated with

4B. Event Journal Services reads the information for the object specified in the Access Management Event out of eDirectory and passes it on to the Platform Receiver

5. The Platform Receiver processes the Access Management Event through a suitable script (Add User) and passes it on to the local user security system

6. Event Journal Services notifies Audit Services, which records the actions taken in the Audit Log


Deleting Users From The Directory

[Diagram: the same components (Core Driver with Manager, Object, Audit, Certificate, Web, Journal and Auth Redirection services; Platform Services with System Intercept, Platform Services Process, Platform Receiver and Receiver Scripts; an Event Listener; SSL) annotated with the numbered steps below.]

1. A user is deleted in eDirectory

2. The Core Driver sees the change

3. An Access Management Event is created and sent to Object Services

4A. Object Services marks the E-user object in the Census inactive or removes the E-user object from the Census (according to configuration)

4B. Object Services changes the information on the Platform User Object accordingly

5. The Platform Receiver requests an Access Management Event from Event Journal Services pertaining to the Platform Set that this particular platform is associated with

6. The Platform Receiver processes the Access Management Event through a suitable script to delete or disable the User and passes it on to the local user security system

7. Event Journal Services notifies Audit Services, which records the actions taken in the Audit Log
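As an added illustration (not code from the deck or from Novell), the Python model below runs both transaction flows above, adding and then deleting a user, through the same components: a Core Driver that holds the Census and the event journal, Platform Receivers that pull only their own Platform Set's events and apply them through a script, and an Audit Log. The class names, the delete_mode setting and the sample platform names are assumptions.

```python
"""Toy model of the NAM add/delete flow on the slides: eDirectory change -> Core Driver
(Object Services, Census) -> Event Journal Services -> Platform Receiver (Receiver Script)
-> local security system -> Audit Log. Added illustration, not Novell code; all names are assumptions."""
from dataclasses import dataclass, field

@dataclass
class AccessManagementEvent:
    action: str        # "add" or "delete"
    user: str
    platform_set: str  # receivers only pull events for their own Platform Set

@dataclass
class CoreDriver:
    """Object Services, Event Journal Services and Audit Services in one object."""
    platform_sets: dict                         # platform name -> Platform Set name
    delete_mode: str = "inactive"               # or "remove": the per-configuration choice in step 4A
    census: dict = field(default_factory=dict)  # E-user objects: user -> {"active", "platform"}
    journal: list = field(default_factory=list) # queued Access Management Events
    audit_log: list = field(default_factory=list)

    def on_directory_change(self, action, user, platform):
        """Steps 2-3: the Core Driver sees the eDirectory change, Object Services
        updates the Census and hands an Access Management Event to Journal Services."""
        if action == "add":
            self.census[user] = {"active": True, "platform": platform}
        elif action == "delete" and self.delete_mode == "remove":
            self.census.pop(user, None)
        elif action == "delete":
            self.census.setdefault(user, {"platform": platform})["active"] = False
        else:
            raise ValueError(f"unknown action {action!r}")
        self.journal.append(AccessManagementEvent(action, user, self.platform_sets[platform]))

    def next_event_for(self, platform_set):
        """Steps 4A/5: a Platform Receiver asks only for events of its own Platform Set."""
        for i, ev in enumerate(self.journal):
            if ev.platform_set == platform_set:
                return self.journal.pop(i)
        return None

class PlatformReceiver:
    """Runs on the target; Receiver Scripts apply events to the local security system."""
    def __init__(self, name, platform_set, core, disable_on_delete=False):
        self.name, self.platform_set, self.core = name, platform_set, core
        self.disable_on_delete = disable_on_delete  # step 6: delete or disable the user
        self.local_users = {}                       # user -> enabled?

    def _run_script(self, action, user):
        """Receiver Scripts: Add User, or Delete/Disable User depending on configuration."""
        if action == "add":
            self.local_users[user] = True
            return "added"
        if self.disable_on_delete:
            self.local_users[user] = False
            return "disabled"
        self.local_users.pop(user, None)
        return "deleted"

    def poll(self):
        """Process every queued event for this Platform Set and return the count;
        each result goes to the Audit Log (steps 6/7: Journal Services notifies Audit Services)."""
        handled = 0
        while (ev := self.core.next_event_for(self.platform_set)) is not None:
            result = self._run_script(ev.action, ev.user)
            self.core.audit_log.append((self.name, ev.action, ev.user, result))
            handled += 1
        return handled

def demo():  # constructed scenario: two targets in different Platform Sets
    core = CoreDriver({"os390-lpar1": "mainframes", "aix-mail": "unix"})
    mvs = PlatformReceiver("os390-lpar1", "mainframes", core, disable_on_delete=True)
    aix = PlatformReceiver("aix-mail", "unix", core)
    core.on_directory_change("add", "jdoe", "os390-lpar1")
    core.on_directory_change("add", "asmith", "aix-mail")
    core.on_directory_change("delete", "jdoe", "os390-lpar1")
    return core, mvs, aix, mvs.poll(), aix.poll()
```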


Password Management Across Heterogeneous Systems


Target System Access

[Diagram: the target's Security System sits beneath its Operating System; Applications reach it through a browser, a client/server app, FTP, a terminal emulator, a DB front-end, a terminal or a terminal controller.]


Password Synchronization

In the strict sense, “synchronization” means that if a user changes his password on one system, the password is immediately pushed to the other system.

But, to the end user, passwords are “synchronized” between systems if the user can use the same password on both systems.

We can accomplish this end result in a number of ways.


AM Password Management: 3 Methods to Choose From

The architecture supports 3 authentication methods for a given platform:

1. Re-Direction
2. Re-Direction with Local Sync
3. Replication (Event-Driven Sync)


Authentication Replication (Password Check/Change)

[Diagram, OS/390 with AM 3.0: Applications present ID/PW to RACF; the PWRedir exit sends the eDir ID/PW over LDAP to the AM 3.0 Agent(s) in front of eDirectory, which answer Y/N, and RACF returns Y/N to the application. With the Local Sync option enabled, the Y path also reaches the RACF DB.]



Password Change and Sync Via Redirect

[Diagram: two targets, OS/390 (PWRedir exit in RACF, with its RACF DB) and HP-UX (PWRedir module in PAM, with its UNIX DB), each sending ID/PW to eDirectory; a DirXML Password Change updates eDirectory, and both targets then check ID/PW against it.]



When Redirect Is Not An Option…

Redirection is great technology, but you have to be able to intercept the following on the target system:

1. Password Check
2. Password Change

…But we can’t intercept Check everywhere. However, we can intercept Change. And if we can intercept Change, then we can still use method 3 – Replication (Event-driven Sync)


Authentication Replication (Event-Driven Password Sync)

[Diagram: on a Windows Server Domain Controller, the AM 3.x Intercept catches an Application's Password Change for the Domain and passes the ID/PW to the Core Driver(s), which write it to eDirectory.]



Authentication Replication (Event-Driven Password Sync)

[Diagram: eDirectory with the DirXML AM Driver and the AM 3.x Account Provider (Core Driver) feeding three Platform Receivers (Method=Replicate), one each for Target 1 SS, Target 2 SS and Target 3 SS.]
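As an added illustration (not Novell's code), the Python below models the three methods from the "3 Methods to Choose From" slide together with the intercept rule from "When Redirect Is Not An Option": a platform that can intercept both Check and Change redirects to eDirectory (optionally keeping its local DB in step), and a platform that can only intercept Change falls back to event-driven replication. The class names, the salted-hash storage and the sample platforms are assumptions.

```python
"""Toy model of the three NAM password methods on the slides (Re-Direction, Re-Direction
with Local Sync, Replication / event-driven sync) and of the rule that redirection needs
both the Check and the Change intercept on the target, while replication needs only Change.
Added illustration, not Novell code; class and method names are assumptions."""
import hashlib
import os

def _hash(password, salt):
    return hashlib.sha256(salt + password.encode()).hexdigest()

class EDirectory:
    """Authoritative password store; stands in for eDirectory plus the DirXML/Core Driver fan-out."""
    def __init__(self):
        self.creds = {}               # user -> (salt, hash)
        self.replicate_targets = []   # Platform Receivers with Method=Replicate

    def set_password(self, user, password, origin=None):
        salt = os.urandom(16)
        self.creds[user] = (salt, _hash(password, salt))
        for target in self.replicate_targets:   # event-driven sync to every other replicating target
            if target is not origin:
                target.local_store(user, password)

    def bind(self, user, password):
        """The LDAP bind a PWRedir exit performs to answer Y/N for a password check."""
        entry = self.creds.get(user)
        return entry is not None and _hash(password, entry[0]) == entry[1]

class Platform:
    def __init__(self, name, edir, intercept_check, intercept_change, local_sync=False):
        self.name, self.edir, self.local_sync = name, edir, local_sync
        self.intercept_check, self.intercept_change = intercept_check, intercept_change
        self.local_db = {}            # the platform's own security system (RACF DB, UNIX DB, ...)
        self.method = self.choose_method()
        if self.method == "replication":
            edir.replicate_targets.append(self)

    def choose_method(self):
        """Slide rule: Check + Change intercepted -> redirection (optionally with local sync);
        only Change intercepted -> replication; neither -> the platform cannot be synced."""
        if self.intercept_check and self.intercept_change:
            return "redirection-local-sync" if self.local_sync else "redirection"
        if self.intercept_change:
            return "replication"
        raise RuntimeError(f"{self.name}: no password intercept available")

    def local_store(self, user, password):
        salt = os.urandom(16)
        self.local_db[user] = (salt, _hash(password, salt))

    def check_password(self, user, password):
        """Password Check: redirected to eDirectory, or answered from the local DB under replication."""
        if self.method.startswith("redirection"):
            ok = self.edir.bind(user, password)
            if ok and self.local_sync:        # Local Sync: a Y answer is also written to the local DB
                self.local_store(user, password)
            return ok
        entry = self.local_db.get(user)
        return entry is not None and _hash(password, entry[0]) == entry[1]

    def change_password(self, user, new_password):
        """Password Change intercept: forward to eDirectory, which fans it out."""
        self.edir.set_password(user, new_password, origin=self)
        if self.method == "replication" or self.local_sync:
            self.local_store(user, new_password)

def demo():  # constructed scenario with the three platform types from the slides
    edir = EDirectory()
    os390 = Platform("OS/390", edir, intercept_check=True, intercept_change=True, local_sync=True)
    hpux = Platform("HP-UX", edir, intercept_check=True, intercept_change=True)
    windc = Platform("Windows DC", edir, intercept_check=False, intercept_change=True)
    edir.set_password("jdoe", "Initial-1")      # set in the directory
    windc.change_password("jdoe", "Rotated-2")  # changed on the DC, event-driven sync back
    return edir, os390, hpux, windc
```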


Component Location


Component Location (Core Driver)

• The Core Driver now includes all the functionality of the former Event Listener, Manager and Agents.

• A Core Driver must be installed on the server(s) where replicas of the provisioned users and ASAM System container reside.

• The Core Driver uses a mix of DirXML and LDAP calls to accomplish its mission.

• You can install more than one Core Driver for redundancy. When you upgrade, upgrade the Manager first, then all the Agents, to Core Drivers.


Core Driver Communications Installed on the Same System

[Diagram: eDirectory and Novell DirXML on the same system as the Core Driver (Manager Services, Object Services, Audit Services, Certificate Services, Web Services, Journal Services, Agent Services); the Core Driver talks to the directory over DirXML and LDAP/SSL.]


Multiple Core Drivers

Multiple Core Drivers can watch for events in different or the same replica rings.

[Diagram: two eDirectory/Novell DirXML servers, each with its own Core Driver (Manager, Object, Audit, Certificate, Web, Journal and Agent Services) connected over DirXML and LDAP/SSL.]


Component Location (Platform Services)

• Platform Services run on the target system.

• Delivery and Installation based on the Native Platform.


Platform Services – OS/390

[Diagram: the Core Driver(s), with eDirectory and Novell DirXML, talk over LDAP to a Started Task on OS/390; the Started Task exposes an API Interface and installs a PassCheck Exit and a PassChange Exit in RACF (backed by the RACF DB), through which APP 1, APP 2, APP 3 … APP N authenticate.]


Futures


Facts

• The same engineering team now develops and supports the Account Management and NIS Driver deliveries in the UNIX solution space.

• There are fits for each solution today.

• NIS driver is good if UNIX is authoritative for account creations.

• NAM is good if you have lots of systems to connect or if you have not enabled Universal Password.

• Account Management and Identity Management are converging using a multiple phase approach.


IDM/NAM Convergence

• This does NOT mean simply that Account Management is going away and being converted to drivers.

• Convergence requires new functionality in the current IDM Engine and management infrastructure as well as a change in current NAM management methodologies.

• This will open up new possibilities for managing how drivers work.

• This will allow for a common management and customization infrastructure.

• Migrations from current DirXML/Identity Manager drivers and NAM implementations will be made seamless.

• No need to wait to deploy!


Roadmap (Time Sensitive Information)


General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.