This presentation discusses the use of the LDAP-based registry for authentication, attribute information, and the security measures in place. It covers the data items stored in the registry and the access controls implemented. The presentation also explains the governance and selection process for data items in the registry.
Registry Services Security: LDAP-based Attributes and Authentication
Presentation Goals
• Describe
  • The Registry
  • Its use for authentication
  • Its use for attribute information
  • Security of Registry information
The Registry
• A database exposed through LDAP protocols
• Populated from both authoritative and other sources
• Failure-tolerant architecture
• Looks like a directory with more data items
• But it’s NOT the “white pages”
What Data Items?
• Names, addresses, phone numbers
• Affiliations, positions, locations, groups
• E-mail routing
• Passwords and certificates
• Entitlements
• Optional information
• Standards-based items
LDAP Cluster
[Diagram (IT Computing Services). Labels: SNAP, SES, HRIS, Extraction, Replication, Load balancing, directory.northwestern.edu (White Pages), registry.northwestern.edu (Registry). Note: schematic – not an engineering representation]
Access to Data Items
• Access is controlled in four ways:
  • Anonymous bind to registry is reserved to known e-mail hosts
  • User binding restricted by IP address
  • Attribute retrieval protected by application credentialing and Access Control Lists
  • White pages is an extract of registry data
Anonymous Binding
• Appropriate for white pages lookup
• Fast – no encryption
• Program binds, then queries by indexed attribute
• Return is defined by ACL
[Diagram labels: Outlook, ??, Relay, Eudora, LDAP Service]
User Binding
• The only means to check username and password validity
• Restricted by IP address to avoid brute-force attacks
• Encrypted via SSL
• Will eventually be isolated from the application by SSO
• Return is defined by ACL
[Diagram labels: SNAP, Hecky, SES, LDAP Service]
Attribute Retrieval Binding
• Application presents assigned credentials to bind as itself
• Queries and receives return defined by unique ACL
• Encrypted via SSL
• Ex: from NetID get DN
[Diagram labels: VPN, NUTV, Course Mgmt, LDAP Service]
IP Address Restrictions
• Restriction of LDAP protocols by IP address is performed by ITCS firewall
• Request-specific ACL limits exposure of data items
[Diagram labels: ACLs, Registry Data, LDAP, Registry]
Use of Bindings
• Anonymous binding is used by e-mail clients
• Access to Registry is strictly controlled
• Passwords and private attributes are protected via SSL
Typical Three-Step Scenario
• Binding with DN and password is IP-restricted and isolated from application coding
• Binding as an application presents credentials defining returned attributes
[Diagram: Web Server, Application Server and Registry, each server with an LDAP Plug-in; transaction data including NetID passes over SSL. Steps: 1. Bind as web server, search by NetID for DN, then 2. Bind by DN to validate password; 3. Bind as application, Key: NetID, Return: attributes (SSL)]
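As an added example, not code from the presentation or from Northwestern's systems, here is a small Python model of the access controls and the three-step scenario described above: an in-memory registry, a per-binder ACL, anonymous binds limited to known e-mail hosts, IP-restricted user binds, application credentials, and a NetID lookup whose filter value is RFC 4515-escaped so that a value taken from a web form cannot change the search. All DNs, addresses, attribute names and credentials are constructed placeholders.

```python
import hmac
import ipaddress
import re
# Constructed sample registry entry (hypothetical DN and values, not real data).
REGISTRY = {"uid=jdoe,ou=people,dc=example,dc=edu": {
    "uid": "jdoe", "cn": "Jane Doe", "mail": "jdoe@example.edu",
    "userPassword": "s3cret", "eduPersonEntitlement": "urn:example:vpn"}}
# Assumed policy: per-binder ACL, per-application credentials, and IP limits per bind type.
ACL = {"anonymous": {"cn", "mail"}, "cn=webserver,ou=apps": {"uid"},  # web: NetID -> DN only
       "cn=vpn,ou=apps": {"uid", "eduPersonEntitlement"}}
APP_CREDS = {"cn=webserver,ou=apps": "web-pass", "cn=vpn,ou=apps": "vpn-pass"}
ANON_HOSTS = {ipaddress.ip_address("10.0.1.25")}        # known e-mail hosts (constructed)
USER_BIND_NETS = [ipaddress.ip_network("10.0.2.0/24")]  # application servers (constructed)

def require(ok: bool, msg: str) -> None:
    if not ok:
        raise PermissionError(msg)

def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a NetID taken from a web form cannot rewrite the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def bind(binder: str, password: str, src_ip: str) -> str:
    """Return the identity the connection now acts as, or raise PermissionError."""
    ip = ipaddress.ip_address(src_ip)
    if binder == "anonymous":
        require(ip in ANON_HOSTS, "anonymous bind not allowed from this host")
    elif binder in APP_CREDS:                            # application binds as itself
        require(hmac.compare_digest(APP_CREDS[binder], password), "bad app credential")
    else:                                                # user bind: DN + password
        require(any(ip in net for net in USER_BIND_NETS), "user bind not allowed from this IP")
        entry = REGISTRY.get(binder)
        require(entry is not None and hmac.compare_digest(entry["userPassword"], password),
                "invalid DN or password")
    return binder

def search(identity: str, ldap_filter: str) -> list:  # the binder's ACL limits the return
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", ldap_filter)  # only simple equality filters
    require(m is not None, "unsupported filter: " + ldap_filter)
    attr, value = m[1], re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h[1], 16)), m[2])
    return [{"dn": dn, **{k: v for k, v in e.items() if k in ACL.get(identity, set())}}
            for dn, e in REGISTRY.items() if e.get(attr) == value]

def three_step(netid: str, password: str, app_ip: str = "10.0.2.10") -> dict:
    """The slide's scenario: web-server bind, DN lookup, user bind, application bind."""
    flt = f"(uid={escape_filter(netid)})"
    hits = search(bind("cn=webserver,ou=apps", "web-pass", app_ip), flt)  # step 1
    require(len(hits) == 1, "NetID did not resolve to exactly one DN")
    bind(hits[0]["dn"], password, app_ip)                # step 2 validates the password
    return search(bind("cn=vpn,ou=apps", "vpn-pass", app_ip), flt)[0]  # step 3
```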
White Pages is a Separate Service
• White pages (directory.northwestern.edu) is a separate service on separate hardware:
  • To increase performance
  • To separate the Registry for better security
  • To expose only the relevant data items to potential compromise
How is Registry Access Governed?
• Due to the protections in place, access must be requested through NUIT.
• Requests must be approved by the custodian(s) of the data.
• NUIT then assigns the appropriate ACL to restrict access to only the approved data items.
How are Data Items Selected?
• Registry data items fall into categories:
  • Those entrusted by SES and HRIS
  • Those necessary for e-mail routing and selective access to network services as defined by NUIT
  • Those historically available in the white pages
New Data Items
• Requests to include new items must be reviewed by NUIT and the source
• Additional reviews by administrative offices may be required
• New data items are not automatically exposed to existing ACLs