1 / 21

Identity M anagement in the Environment of Mendel University in Brno

Identity M anagement in the Environment of Mendel University in Brno. Milan Šorm. Contents. University in numbers Historical identity management Ideal solution University information system Current implemented situation Known problems Results Future ideas. University in numbers.

stuart
Download Presentation

Identity M anagement in the Environment of Mendel University in Brno

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Identity Managementin the Environment ofMendel University in Brno Milan Šorm

  2. Contents • University in numbers • Historical identity management • Ideal solution • University information system • Current implemented situation • Known problems • Results • Future ideas SDI 2007, ZČU v Plzni

  3. University in numbers • Medium-sized university • 12 000 students • 2 000 employees • 2 000 other users in campus • 4 faculties, 80 departments • 5 000 prepared network connections • 3 500 PCs • 50 user servers SDI 2007, ZČU v Plzni

  4. Historical identity management • No centralized identity management • No policy for • building servers • interconnecting department networks • accessing network environment • creating accounts • connection information services to netword • More than 20 admins • Totally decentralized SDI 2007, ZČU v Plzni

  5. Ideal solution • One account credentials for one user • Setup policy for connecting all PCs, servers and services to netword environment • One place to define AAA for all services • Minimize number of network admins • Centralized storage for data and profiles • Single sign on • Maximum HA SDI 2007, ZČU v Plzni

  6. University information system • In last 7 year we reconstruct all small IT services and production ISs to one central complex information system with integrated data warehouse • This information system can be source of all information about our users and their credentials, rights, roles etc. • Unique source of informations SDI 2007, ZČU v Plzni

  7. University information system Public informationportal SDI 2007, ZČU v Plzni

  8. University information • General object qualify principle • We can describe any group of objects (users, computers, departments, segments, roles, rights etc.) and identify them by IDs • We can put these groups to relations and prepare source of all AAA informations • All of these informations are dynamic • Example: • students and schedules SDI 2007, ZČU v Plzni

  9. Current implemented situation • Many meetings with server and service administrators and IT departments lead to setup one policy in • creating account (UIS based, algorithmized) • setting groups, rights, quotas through Technology subsystem in UIS by power users (owners, specialists) • accessing network and creating new services is maintained through central IT department SDI 2007, ZČU v Plzni

  10. Current implemented situation Services LDAP replicas Primary LDAP server University IS Datawarehouse SDI 2007, ZČU v Plzni

  11. Current implemented situation • UIS prepare all data for identity management in central data warehouse (Oracle 10g) • Application logic stored in DW (PL/SQL) create and update primary LDAP server (OpenLDAP) with all credentials • LDAP push data to LDAP replicas • All IT services are connected to one or more LDAP replicas for AAA services SDI 2007, ZČU v Plzni

  12. Current implemented situation • All faculty and university services are connected to this AAA infrastructure • For accessing network you need: • registered computer through computer authorization in UIS Technology subsystem • account in AAA infrastructure for accessing network (eduroam connector, dormitories net connector, public network access during conferences etc.) SDI 2007, ZČU v Plzni

  13. Current implemented situation • Consolidation of IT services • centralized e-mail distributing system • centralized file server services systém • standardization of classrooms installations • UIS know for each user his personalized policy: • where user read e-mails • desktop information • fileserver connections … SDI 2007, ZČU v Plzni

  14. Current implemented situation • Classroom computers access central server farm for roaming Windows or Linux profile • These profile has defined scripts for attaching other resources • E-mail is passed through distribution server which run antispam and antivir and distribute e-mails to user favourite e-mail server • Samba or AD solution • Linux PAM solution SDI 2007, ZČU v Plzni

  15. Current implemented situation • Information about allowed classrooms is stored in LDAPand Samba/Linux classroom servers or stations use them for managing login process • All other information (home directory, roaming profile, other resources) is accessed through dynamically created profile and scripts called from this profile SDI 2007, ZČU v Plzni

  16. Current implemented situation • Many other IT services access central LDAP • UIS web interface • Catering service (Anete Kredit) • Network accessing service (eduroam, Faro) • VPN concentrator • HelpDesk software • Impromat copy centre • Old e-learning services • Services on faculties SDI 2007, ZČU v Plzni

  17. Known problems • Changing passwords (only through UIS) • Two profiles (Linux, Windows) • Absence of SAP connector • Not all things are online (e.g. e-mail groups, destroying of accounts…) • No implementation of single sign on • Less security due to only one account credentials SDI 2007, ZČU v Plzni

  18. Results • One login, one password, one account system, no account administrator • Only 2 central administrator on university • Very popular for basic user • Very popular for technology owners • Many statistics information • Only start point on long journey for mobile work at university SDI 2007, ZČU v Plzni

  19. Other results • Implemented also for our customers: • Slovak Technical University (26 000 users) • Technical University in Zvolen (6 000 users) • Škoda Auto University (1 000 users, in progress) • Current situation: • changed to central information systém • activated primary LDAP generation • first replicas installed • some services connected SDI 2007, ZČU v Plzni

  20. Future ideas • Single sign on • Mobile profile through VPN • Adding printing profiles to LDAP • User friendliness interface for administrators • Using of virtual desktop infrastructure • Using of some other identity tokens (cards, USB flash drives, tokens) • Building PKI over this solution SDI 2007, ZČU v Plzni

  21. Thank for your attention.Any questions? SDI 2007, ZČU v Plzni

More Related