140 likes | 158 Views
Explore the journey of implementing LDAP authentication at Southwestern University, its benefits, challenges, and future goals. Learn about LDAP vendors, integration, and best practices for seamless authentication across diverse systems.
E N D
Todd K. Watson Senior System/Network Administrator Southwestern University tkw@southwestern.edu LDAP Authentication2003 IT Fall RetreatAssociated Colleges of the South tkw@southwestern.edu Todd K. Watson Information Technology Services http://tkdubs.net
Disclosure: I am not an LDAP expert!! • Brief background • Overview of current technologies. • Tell what SU is doing • Rhodes will follow • Everyone else chimes in with their plans, etc tkw@southwestern.edu Todd K. Watson Information Technology Services http://tkdubs.net
Traditional Systems Authentication • Unix -- /etc/passwd, /etc/shadow, NIS • Microsoft -- NT LANMan, hacks prior to NT • Apple -- “At Ease”, Multi-user (OS-9) • WWW – local passwd DB (eg. htaccess) Kerberos was only viable existing solution for cross-platform system and application authentication. Was complex and required specialized clients and servers, which limited choice and flexibility. tkw@southwestern.edu Todd K. Watson Information Technology Services http://tkdubs.net
Enter LDAP..... (Lightweight Directory Access Protocol) tkw@southwestern.edu Todd K. Watson http://tkdubs.net Information Technology Services
LDAP – The Big Picture A vendor independent method of consolidating information about users across different systems and services on different OS`s. What's most useful to us in the discussion about authentication Graph from “LDAP Directories Explained” by Brian Arkills -- Published by Addison Wesley tkw@southwestern.edu Todd K. Watson http://tkdubs.net Information Technology Services
Historical LDAP Authentication Problems • LDAP was originally designed as a directory, not an authentication, server. Evolved from X.500, and was pioneered at Univ. Michigan. • Lack of support by clients • Lack of encryption – passwords in the clear • Lack of Access Control – Authorization • LDAP v3 RFCs and vendor implementations address these issues tkw@southwestern.edu Todd K. Watson http://tkdubs.net Information Technology Services
Where to Start with LDAP • RESEARCH!!! -- Read and study as much as you can prior to building your LDAP install. (references appendix later) • LDAP has a natural mapping to your DNS space. Use this to your advantage, and avoid straying from this. • Choose a vendor product wisely! LDAP consists of only 10 basic funtions ((un)bind, abandon, search, compare, add, modify, delete,..) so each product differs on the extras, the interface, schemas, etc. • Make sure all of your systems and services will integrate with that vendor's LDAP implementation. (eg. Does Datatel or Banner recommend/support?) tkw@southwestern.edu Todd K. Watson http://tkdubs.net Information Technology Services
Some LDAP Vendors/Products tkw@southwestern.edu Todd K. Watson http://tkdubs.net Information Technology Services
Southwestern`s LDAP Requirements Unified Authentication for: • Unix systems, which provide POP, IMAP, SMTP • Web services -- webmail, software downloads, timeclocks, MySU portal, Campus Notices (W&L), library catalogs, ... • Lab computers – both Macs and PCs • Wired and Wireless network access (via NetReg) • Datatel WebAdvisor • Group calendaring (currently CorpTime – now Oracle) Authoritative source of data must reside on Unix server, and have a web- based management interface with multiple levels of access-control. tkw@southwestern.edu Todd K. Watson http://tkdubs.net Information Technology Services
Southwestern Univ. Active Directory(AD) • This summer ('03) we implemented MS Active Directory on a Win2K Advanced Server for WinXP and MacOS-X clients. • This provided seamless data storage to our Network Appliance file server (also used via NFS to our Unix servers) from any lab computer on campus. • MacOS-X -- we use the “Admit Mac” product by Thursby Software to allow Macs to “join the Active Directory domain”. Macs are treated just like PCs on domain with transparent Desktop and (My)Documents folder mappings like on PC. • Currently NO synchronization between AD and Unix hosted LDAP and NIS. • Old (pre-existing) accounts had to have new password for AD, though can reset • New accounts are created after Unix/email account and use the same passwords • Password changes must be done on both systems! VERY CONFUSING..... • Account management done from Win/Mac/Linux using VNC. Plans to possibly add web scripts with Perl LDAP/ActiveDir module hooks. tkw@southwestern.edu Todd K. Watson http://tkdubs.net Information Technology Services
Future Goals for Southwestern Univ. LDAP Infrastructure • Unix-based product (need Enterprise stability!) • Datatel supported (for WebAdvisor) • **Synchronization/Replication to/from Active Directory** • Flexibility/Extensibility. Need Access to data stores without complex API. • Standards based – extremely important for future product integration tkw@southwestern.edu Todd K. Watson http://tkdubs.net Information Technology Services
Doug Walker and Richie Trenthem from Rhodes College And now another perspective... tkw@southwestern.edu Todd K. Watson http://tkdubs.net Information Technology Services
What is everyone else doing/thinking? Who has experience with LDAP products besides Microsoft Active Directory? Washington & Lee uses Novell eDirectory, but could not be here to talk about it. Ask Julie during the break how it is working for them. What requirements does your campus have? What are your strengths and weaknesses in playing the LDAP game? Discussion.... tkw@southwestern.edu Todd K. Watson http://tkdubs.net Information Technology Services
http://www.openldap.org http://www.kingsmountain.com the “LDAP RoadMap and FAQ” has many great resources http://perl-ldap.sourceforge.net Net::LDAP module provides ability to create hooks into LDAP via CGI or CLI scripts to do custom management funtions References “LDAP Directories Explained: An Introduction and Analysis” by Brian Arkills (Addison Wesley – 2003) “LDAP System Administration”, by Gerald Carter (O'Reilly & Associates – 2003) “Understanding and Deploying LDAP Directory Services (2nd Ed.)”, by Timothy Howes (Addison Wesley – 2003) [the bridge book] tkw@southwestern.edu Todd K. Watson http://tkdubs.net Information Technology Services