Authentication Authorization Infrastructure

Transcription

1 Authentication Authorization Infrastructure Jan Du Caju LUDIT - KULeuvenNet

2 AAI update ldap kerberos Shibboleth

3 LDAP end user ldap servers (in fail-over without password hashes): ldap.kuleuven.be (point to ldap1 and ldap2.kuleuven.be) search base: ou=people, dc=kuleuven, dc=be authentication ldap servers (in fail-over): ldap-auth1.kuleuven.be (central services excluding samba) ldap-auth2.kuleuven.be (samba)

4 LDAP anonymous access # organigram info dn: KULouNumber= ,ou=unit,dc=kuleuven,dc=be objectclass: organizationalunit objectclass: KULou ou: Secretariaat rector parentou: diensthoofd: u KULouNumber:

5 LDAP anonymous access (continued) # diploma informatie dn: dipl= ,ou=diploma,dc=kuleuven,dc=be objectclass: KULdiploma dipl: diplnaam: Licentiaat in de Archeologie # opleidingsinformatie dn: oplnr= ,ou=opleiding,dc=kuleuven,dc=be objectclass: opleiding oplnr: oplnaam: Licentiaat in de Archeologie

6 LDAP anonymous access (continued) # personnel info dn: uid=u ,ou=people,dc=kuleuven,dc=be objectclass: person objectclass: eduperson objectclass: KULPerson objectclass: posixaccount objectclass: sambasamaccount objectclass: krb5principal objectclass: krb5kdcentry uid: u ou: people ou: Leuvens Universitair Dienstencentrum voor Informatica en Telematica (LUDIT) cn: Jan Du Caju LUDITserver: mail.cc.kuleuven.ac.be homedirectory: /home/u loginshell: /bin/bash edupersonorgdn: dc=kuleuven,dc=be

7 LDAP anonymous access (personnel continued) edupersonorgunitdn: o=people,dc=kuleuven,dc=be uidnumber: gidnumber: KULprimouNumber: KULouNumber: , , , sn: Du Caju givenname: Jan postaladdress: LUDIT, de Croylaan 52A, B-3001 Heverlee, Belgium telephonenumber: KULvpnGroup: ou=admins mail: KULtap: ATP KULtypePers: ATP edupersonaffiliation: staff,employee,member

8 LDAP anonymous access (continued) # student info dn: uid=s ,ou=people,dc=kuleuven,dc=be objectclass: person objectclass: eduperson objectclass: KULPerson objectclass: posixaccount objectclass: sambasamaccount objectclass: krb5principal objectclass: krb5kdcentry ou: people uid: s cn: s LUDITserver: urc1.cc.kuleuven.ac.be gidnumber: 1000 stamnr: KULid:

9 LDAP anonymous access (students continued) edupersonorgdn: dc=kuleuven,dc=be edupersonorgunitdn: o=people,dc=kuleuven,dc=be edupersonaffiliation: student edupersonaffiliation: member uidnumber: homedirectory: /home/s loginshell: /bin/bash

10 LDAP attributes to specific apps # not query-able, only ldap bind from KULeuvenNet authentication servers and LUDIT central servers (mail,toledo) userpassword: {SHA1}PASSWORD # to none edupersonprincipalname: {SHA1}UniqueReferenceToUser@kuleuven.be KULCryptPassword: {CRYPT}PASSWORD # towards central KULeuvenNet kerberos servers krb5principalname: u @kuleuven.be krb5keyversionnumber: 3 krb5key: {KERBEROS}PASSWORD krb5maxlife: krb5maxrenew: krb5kdcflags: 126

11 LDAP attributes to specific apps (continued) # towards central LUDIT samba domain controller and decentral fysica samba domain controller sambasid: S sambantpassword: {NTLMv2}PASSWORD sambapwdlastset: 1 sambapwdmustchange: sambapwdcanchange: 0 sambalogontime: 0 sambalogofftime: sambakickofftime: sambaacctflags: [U ] sambaprimarygroupsid: S

12 LDAP student attributes to specific apps sn: Achternaam givenname: Voornaam dipl: opl: mail: KULlibisnr: KULouNumber:

13 Kerberos kerberos LDAP servers: kdc1.kuleuven.be and kdc2.kuleuven.be principle: Windows clients authenticating to central kdc's: users created in AD with random password mapped user to principal changed kdc of user from AD to central kdc's (name mappings) tested: policies and printing

14 authentication system user directory shibboleth IdP Identity Provider AAI-enabled Home organization 6 10 who are you jan 7 5 WAYF 3 where K are U you L from 4 handle+attributes? attributes 1 handle pagex pagex 2 9 shibboleth SP Service Provider W E B s e r v e r AAI-enabled resource

15 Shibboleth IdP ldap-auth1 CAS Home organization: cas.kuleuven.be idp.kuleuven.be Service provider (and documentation): WAYF: wayf.associatie.kuleuven.be

16 Shibboleth Federation Common set of policies, practices and guidelines IdP SP: no end user workstation, properly patched,... a registry to process applications to the federation distribution of membership information (IdP's en SP's) Attributes needed for Shibboleth classification of users for basic authorizations (access to app) exchange of attributes within federation Federations K.U.Leuven Associatie K.U.Leuven

17 Classification of users for basic authorizations edupersonaffiliation: value [student faculty staff employee alum member affiliate] affiliate = external, not member Affiliate is intended to apply to people with whom the university has dealings, but to whom no general set of "community membership" privileges are extended if [student faculty staff] then also member if [faculty staff] then also employee use (federations) K.U.Leuven and Associatie ARP (Attribute Release Policy) general usability

18 Classification of users for basic authorizations edupersonscopedaffiliation: value e.g. use (federations) Associatie ARP (Attribute Release Policy) general usability

19 Classification of users for basic authorizations KULouPrimaryNumber: value organigram code of unit(s) an employee is assigned to use (federations) K.U.Leuven ARP (Attribute Release Policy) general usability

20 Classification of users for basic authorizations KULouNumber: value personnel (or employee) KULouPrimaryNumber + all organigram codes of units above in organigram tree an employee is assigned to student : organigram code of faculty use (federations) K.U.Leuven ARP (Attribute Release Policy) personnel: general usability student: specific apps

21 Classification of users for basic authorizations dipl: value code of a diploma e.g for Kandidaat in de Taal- en Letterkunde: Germaanse Talen use (federations) K.U.Leuven ARP (Attribute Release Policy) specific apps

22 opl: Classification of users for basic authorizations value <year> <opleidingsnummer> <year_within_opleiding> e.g for opleidingsnummer with name Kandidaat in de Taal- en Letterkunde: Germaanse Talen use (federations) K.U.Leuven ARP (Attribute Release Policy) specific apps

23 exchange of attributes within federations K.U.Leuven federation general KULouPrimaryNumber KULouNumber specific applications uid, cn, surname, givenname, mail (students) opl, dipl Associatie K.U.Leuven general edupersonaffiliation: [student,faculty,staff,employee,alum,member,affiliate] edupersonscopedaffiliation:

24 Release of attributes to Specific apps Toledo & Kotnet (edupersonprincipalname) surname givenname commonname mail