240 likes | 405 Views
AAI@EduHr (From Radius Hierarchy to AAI). Miroslav Milinović University Computing Centre - Srce <miro@srce.hr> EuroCAMP Ljubljana, March 2006. Contents. History hrEdu radius/LDAP hierarchy AAI@EduHr project hrEdu schemas AOSI (adding AAI flavour) AAI@EduHr today
E N D
AAI@EduHr(From Radius Hierarchy to AAI) Miroslav Milinović University Computing Centre - Srce <miro@srce.hr> EuroCAMP Ljubljana, March 2006
Contents • History • hrEdu radius/LDAP hierarchy • AAI@EduHr project • hrEdu schemas • AOSI (adding AAI flavour) • AAI@EduHr today • Future development (PKI@EduHr?)
History • Directories and directory services • http://ds.carnet.hr • Netfind, Whois++, X.500 LDAP • killer application needed • Network access • AAA for dial-up access • introducing radius instead of tacacs+ • (highly) distributed user community • 200 member institutions (variable size of institution and amount of ICT resources) • expert knowledge is not equaly distributed/available
We started with ... • (hrEdu) radius/LDAP hierarchy • limited function, primarily for dial-up access • LDAP schema development started • AAI foreseen as a long-term goal / dial-up as a killer application for LDAP deployment • fully operational radius/LDAP hierarchy since Feb. 2003 • eduroam member since the very begining
hrEdu radius/LDAP hierarchy Dial-up access (CMU) resource user ID: user.realm (Lucent Navis) proxy radius server(s) central LDAP server for backup Radius proxy service Network Home Org X Home org X Home Org Y Home Org Z ≈ 200 (170) Home orgs ≈ 180000users SW: FreeRadius & OpenLDAP Radius Radius Radius server server server LDAP server LDAP server LDAP server
Missusing the radius attributes • Use of radius in AA(A) process: • AuthN • AuthZ = AuthN + “few simple attributes” • We use: • Connect-Info hrEduPersonExpireDate • Class hrEduPersonUniqueID (hrEduPersonUniqueNumber) • Configuration-Token hrEduPersonPrimaryAffiliation • but actually ... not good enough
Project AAI@EduHr • raising demands (network access & applications) • Radius/LDAP hierarchy is not good enough • project started in May 2004 • main goals: • define HrEdu schema(s) • set up IdPs • Set up the AAI for EduHr • Shibboleth was found as too complex • idea: add AAI flavour to the existing radius/LDAP infrastructure • http://www.aaiedu.hr/
hrEdu hierarchy evolved Dial-up access (CMU) StuDOM (8149 “student beds” connected) Wireless/wired access (Srce, CARNet, ...) eduroam (http://www.eduroam.org) UNIX/Linux PAM resource user (ID: user.realm) ID: user@realm.hr (Lucent Navis) proxy radius server(s) (central LDAP server for backup) ( radius ) proxy service Network Home Org X Home org X Home Org Y Home Org Z ≈200 (170) Home orgs ≈ 180000users SW: FreeRadius & OpenLDAP Radius Radius Radius server server server LDAP server LDAP server LDAP server
hrEdu schemas • hrEduPerson • HrEduOrg • registry: http://schema.aaiedu.hr • transition/migration from earlier versions • all LDAPs at the same version since Feb. 2006 • more work to do: harmonisation (with SCHAC, ...)
AOSI – adding AAI flavour • AOSI is: • an application for maintaing the content of the LDAP directory • an access tool for LDAP (e.g. local AAI component) • AOSI has two parts: • web service (core AOSI) • client application (“only” proof of concept; any other client can be used localy) • FWS/HLS = central (AOSI) service • AOSI “ShibLite”
AOSI-WS LDAP dir. AOSI System Home org AAI@EduHr AOSI Client Schema (XML) Codes, ... (XML) User access Data (XML) Administrator access
LDAP dir. AOSI System (2) Home org AAI@EduHr AOSI Client Schema (XML) PHP Codes, ... (XML) .Net Java Data (XML) AOSI-WS
AAI@EduHr user@realm Federation WS “routing” information Organization B AOSI Directory FWS in AAI@EduHr Organization A Application
AAI@EduHr user@realm Federation WS “routing” information Organization B AOSI Directory HLS in AAI@EduHr Organization A Application
AOSI WS and FWS • Currently based on Perl; FWS to be implemented in Java • Local AOSI WS: • Local service is described in http://ldaphost.homeorg.hr/aosi/aosi.wsdl • Generally runs at https://ldaphost.homeorg.hr:1443/AOSI • Client platforms working with service: • Perl • PHP • .Net • Java • FWS/HLS: • Based on AOSI • http://www.aaiedu.hr/fws/fws.wsdl • Documentation: • http://www.aaiedu.hr/aosi/aosi_wsdl.html • http://www.aaiedu.hr/fws/fws_wsdl.html
Resource Home Org AAI Component AAI Component Directory Entry Point AAI@EduHr today 197 (166) Home orgs FreeRadius AOSI WS Open LDAP Central AAI@EduHrServices(proxy, FWS/HLS...) User: uid@realm.hr
AAI@EduHr in real life • in full operation since Feb. 2006 • basic monitoring (http://www.aaiedu.hr/status_li.php) • 197 Home organisations (IdPs) • number of services: • Network access: dial-up, wireless & wired (eduroam, 802.1x) • www.eduroam.hr (fully operational by the end of April) • Application access: Web-based aplications, WebCT, Moodle, ...
PAP to EAP/TTLS Bridge • Improving security • multithreaded UDP server • based on TinyRadius Radius server API, (http://tinyradius.sourceforge.net/) and eapol_test (http://hostap.epitest.fi/) • works on Linux (we still work on Solaris version)
PAP EAP/TTLS Converts PAP to EAP/TTLS and back PAP Radiusproxy NAS Radius (EAP /TTLS) Bridge Radius(PAP)
An example: CARNet mobile service XYZ client Mobile CARNet AAA Home org. XYZ APN Mobile CARNet radius server RADIUS server Mobile AAA DB LDAP dir. uid@realm.hr CARNet AAI@EduHr radius proxy
An example: CARNet mobile service (2) HTTP client Mobile CARNet AAA Home org. Mobile CARNet Web Mobile CARNet radius server RADIUS server Mobile AAA DB LDAP dir. uid@realm.hr CARNet AAI@EduHr radius proxy FWS/HLS
Future work • become a “real” federation (policies, policies, ...) • central (vs. local) login page in production • resource registry (based on SWITCH solution) • certficates for services from TERENA SCS (provided by CARNet) • improved monitoring • start “speaking” SAML • Add ARP functionality to AOSI • “Shib gateway” in production • interoperate with eduGAIN • SSO • PKI@EduHr? (SX project)