1 / 20

The Integration of LDAP into the Messaging Infrastructure at CERN

The Integration of LDAP into the Messaging Infrastructure at CERN. Ray Jackson CERN / IT - Internet Services Group 23rd April 2001 - HEPiX/HEPNT Conference, LAL-Orsay, France. Roadmap. How we use LDAP at CERN CERN Address Books Mailing List Data stored on LDAP Web authentication

telyn
Download Presentation

The Integration of LDAP into the Messaging Infrastructure at CERN

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Integration of LDAP into the Messaging Infrastructure at CERN Ray Jackson CERN / IT - Internet Services Group 23rd April 2001 - HEPiX/HEPNT Conference, LAL-Orsay, France.

  2. Roadmap • How we use LDAP at CERN • CERN Address Books • Mailing List Data stored on LDAP • Web authentication • GroupWare • PAM Authentication • Message Routing via Sendmail • Future of LDAP at CERN Ray Jackson - The Integration of LDAP into the Messaging Infrastructure at CERN

  3. How we use LDAP at CERN • Address Book and White Pages • Address auto-completion (Mail clients) • Listbox Web Interface (SIMBA) • Groupware definitions for authentication • System level Scripts (e.g. Userinfo) • Web authentication (Archives, interfaces) • PAM authentication (System Level Auth.) • Calendar Pilot Service (50+ users) • Netscape Roaming Pilot Service (40+ users) • On test: Sendmail Message Routing, Webmail Ray Jackson - The Integration of LDAP into the Messaging Infrastructure at CERN

  4. CERN LDAP tree overview Ray Jackson - The Integration of LDAP into the Messaging Infrastructure at CERN

  5. CERN Address Books • 32,000+ people (15,000+ external) • Mixture of CCDB entries and Listbox users • Mailing List & Services Addressbooks • HEP Global address book (o=hep) • Supported at CERN by Netscape, Pine, Eudora and Outlook • Web based search engines (Currently test only – possibility in future?) Ray Jackson - The Integration of LDAP into the Messaging Infrastructure at CERN

  6. Mailing List Data on LDAP • 2,300+ mailing lists stored on LDAP • 800+ list owners 33,000+ list users • ALL info related to mailing lists now on LDAP (70+ attributes e.g. configuration etc.) • Huge improvement on Previous interface (better security, more functionality etc.) • Authentication for all 33,000 users using LDAP authentication mechanism • LDAP makes searching for mailing list data easy and fast! Ray Jackson - The Integration of LDAP into the Messaging Infrastructure at CERN

  7. SIMBA Listbox Web Interface https://wwwlistbox.cern.ch

  8. Web Authentication & LDAP • All major web servers can support LDAP for authentication (Apache, IIS, E’prise) • Based mainly on group ACL’s e.g. ou=it-div-is-in • Simple to setup and configure (Used extensively in secure web archiving) • Does not require any physical accounts to be created on the OS. (few lines of LDIF only) • Authentication based on user ID’s for internal users or email addresses for external users. (Password can be sent to external users via email) Ray Jackson - The Integration of LDAP into the Messaging Infrastructure at CERN

  9. Groupware and LDAP • We use LDAP to store Groupware definitions (mainly for authorisation purposes) • Many types of group e.g. Mailing lists, Organisational, Status, Projects, Accounts, Management etc. • Group simply defined by a name, description and list of unique members • Naming convention needed (e.g. it-div-is-staff) • Allows us to assign access rights to a single group instead of individual people. • Most groups are “self-maintaining” by extracting data from HR database each evening and updating LDAP Ray Jackson - The Integration of LDAP into the Messaging Infrastructure at CERN

  10. Example of Groupware entry dn: ou=service-mail,ou=Lists,ou=Groups,o=cern,c=ch ou: service-mail description: Mailing list containing Mail Service administrators uniquemember: employeenumber=123,ou=People,o=cern,c=ch uniquemember: employeenumber=321,ou=People,o=cern,c=ch uniquemember: employeenumber=49527,ou=People,o=cern,c=ch uniquemember: employeenumber=4321,ou=People,o=cern,c=ch uniquemember: employeenumber=2678,ou=People,o=cern,c=ch Ray Jackson - The Integration of LDAP into the Messaging Infrastructure at CERN

  11. Example of Web ACL File • Example of an Apache .htaccess file authenticating with LDAP. Authtype Basic AuthName “mail-service Web Archive” LDAPAuth on LDAPServer “ldap://ldap.cern.ch:389” …. LDAPBase ou=People,o=cern,c=ch require group ou=mail-service,ou=Lists,ou=Groups,o=cern,c=ch require group ou=service-admin,ou=Lists,ou=Groups,o=cern,c=ch require user cn=John Smith,ou=People,o=cern,c=ch Ray Jackson - The Integration of LDAP into the Messaging Infrastructure at CERN

  12. Web authentication - Archives https://wwwlistbox.cern.ch/earchive/proj-ldap

  13. PAM authentication • “Plugable-authentication Modules” • Available for numerous UNIX platforms (Solaris, Linux, HP etc.) – pam.conf • Can store most /etc data on LDAP (passwd/shadow, group, fstab, mail alias, protocol, rpc, service, host etc.) • GroupWare definitions on LDAP can be used to specify groups as seen in /etc/group on Unix • No duplication of accounts and group data across machines (synchronisation issues) • Already used in authenticated SMTP service. Ray Jackson - The Integration of LDAP into the Messaging Infrastructure at CERN

  14. Example of PAM data on LDAP dn: cn=Ray Jackson,ou=People,o=cern,c=ch objectclass: posixAccount uid: rjackson userpassword: {crypt}G51j29jsl09 loginshell: /usr/local/bin/bash uidnumber: 416 gidnumber: 10 homedirectory: /homedir/r/rjackson gecos: Ray Jackson account: mail4 Ray Jackson - The Integration of LDAP into the Messaging Infrastructure at CERN

  15. Message routing by LDAP • Not just sendmail (Sun, Netscape etc.) • Very fast lookups for mail routing • Simple, dynamic and immediate updates • Single source of routing data rather than distribution to 10+ machines • Synchronisation and update delays eliminated • Highly scalable (millions of addresses possible – ISP’s using LDAP already for routing) Ray Jackson - The Integration of LDAP into the Messaging Infrastructure at CERN

  16. Example of routing in LDAP dn: cn=Ray Jackson,ou=People,o=cern,c=ch mail: Ray.Jackson@cern.ch objectclass: inetLocalMailRecipient mailHost: mail4.cern.ch mailRoutingAddress: rjackson@mail4.cern.ch mailLocalAddress: Ray.Jackson@cern.ch mailLocalAddress: rjackson@mail.cern.ch mailLocalAddress: Raymond.Jackson@cern.ch mailLocalAddress: ldap.support@cern.ch Ray Jackson - The Integration of LDAP into the Messaging Infrastructure at CERN

  17. Future applications of LDAP? • Webmail Test Interface at CERN • No limits to what can be achieved thanks to API’s in Java, C++, Perl etc. • Store serialised Java objects on LDAP (CMS) • Hardware - Network routers etc. • Shared Folders • Archive Information (Catalog data) • Storing certificates and interaction with Kerberos V • Any search/read intensive application can benefit from the power of LDAP Ray Jackson - The Integration of LDAP into the Messaging Infrastructure at CERN

  18. Webmail Test Interface & LDAP https://mailwww.cern.ch (This is a test interface we are reviewing at CERN for users to access their IMAP folders via the Web in a secure way, especially when traveling outside of the CERN domain. It is a good example of the type of application which can benefit from the power of LDAP. All configuration/session information for all our users is stored on our LDAP server) Ray Jackson - The Integration of LDAP into the Messaging Infrastructure at CERN

  19. Future of LDAP at CERN • Separating the service from the data! • Move all user,listbox,group data OFF the 10+ mail servers and onto LDAP • Eliminate the need for duplication of data and synchronisation problems. • Use LDAP to provide web access to mail information (e.g. Webmail based on LDAP) Ray Jackson - The Integration of LDAP into the Messaging Infrastructure at CERN

  20. Questions and feedback Thanks for listening… do you have any questions about what you’ve heard? Ray Jackson - The Integration of LDAP into the Messaging Infrastructure at CERN

More Related