UNIL Administration. > Many databases and applications:



Similar documents
Security with LDAP. Andrew Findlay. February Skills 1st Ltd

Ciphermail Gateway Web LDAP Authentication Guide

Authentication Authorization Infrastructure

The Integration of LDAP into the Messaging Infrastructure at CERN

Open Source Identity Management

Authentication Methods

Practical LDAP on Linux

How To Create A Personalized Website In Chalet.Ch

KACE Appliance LDAP Reference Guide V1.4

Steps to setup authentication and enrolment through LDAP protocol

Integration Guide. SafeNet Authentication Service. Oracle Secure Desktop Using SAS RADIUS OTP Authentication

Linux Authentication using LDAP and edirectory

Authentication Integration

DB2 - LDAP. To start with configuration of transparent LDAP, you need to configure the LDAP server.

Avaya CM Login with Windows Active Directory Services

Shibboleth User Verification Customer Implementation Guide Version 3.5

Configuring Sponsor Authentication

Configuring Apache Web Server for x509 User Authentication

User Management / Directory Services using LDAP

U S E R D O C U M E N TA T I O N ( A L E P H I N O

Introduction to Linux (Authentication Systems, User Accounts, LDAP and NIS) Süha TUNA Res. Assist.

Kerberos and Single Sign-On with HTTP

How To Set Up An Openfire With Libap On A Cdd (Dns) On A Pc Or Mac Or Ipad (Dnt) On An Ipad Or Ipa (Dn) On Your Pc Or Ipo (D

Guide to Web Hosting in CIS. Contents. Information for website administrators. ITEE IT Support

Integrating PISTON OPENSTACK 3.0 with Microsoft Active Directory

Bitrix Site Manager. Quick Guide To Using The AD/LDAP Module

Your Question. Article: Question: How do I Configure LDAP with Net Report?

ProxySG TechBrief LDAP Authentication with the ProxySG

Field Description Example. IP address of your DNS server. It is used to resolve fully qualified domain names

Setup Guide Access Manager 3.2 SP3

Quality Center LDAP Guide

1 Introduction. Windows Server & Client and Active Directory.

How to Use Microsoft Active Directory as an LDAP Source with the Oracle ZFS Storage Appliance

Securing SAS Web Applications with SiteMinder

VMware Identity Manager Administration

Active Directory Integration. Documentation. v1.02. making your facilities work for you!

Implementazione dell autenticazione con LDAP

MATLAB Toolbox implementation for LDAP based Server accessing

esoc SSA DC-I Part 1 - Single Sign-On and Access Management ICD

1 Introduction. Ubuntu Linux Server & Client and Active Directory. Page 1 of 14

SAML-Based SSO Solution

Acano Solution 1.1. Multi-tenancy Considerations. Acano. April B

Integration Guide. SafeNet Authentication Service. SAS Using RADIUS Protocol with Apache HTTP Server

LDAP and Active Directory Guide

Livezilla How to Install on Shared Hosting By: Jon Manning

Kerberos and Single Sign On with HTTP

Unified Authentication, Authorization and User Administration An Open Source Approach. Ted C. Cheng, Howard Chu, Matthew Hardin

Integrating a Shibboleth IdP with Microsoft Active Directory

Apache & Virtual Hosts & mod_rewrite

Configuration Worksheets for Oracle WebCenter Ensemble 10.3

IPedge Feature Desc. 5/25/12

Using LDAP Authentication in a PowerCenter Domain

VMware Virtual Desktop Manager User Authentication Guide

Using Kerberos to Authenticate a Solaris TM 10 OS LDAP Client With Microsoft Active Directory

MICROSOFT ISA SERVER 2006

ADAM (AD LDS) Pass thru Authentication. Idalia Torres STC Using ADAM to Keep AD out of Harm s Way

Nevepoint Access Manager 1.2 BETA Documentation

From centralized to single sign on

Adeptia Suite LDAP Integration Guide

mod_auth_pubtkt a pragmatic Web Single Sign-On solution by Manuel Kasper, Monzoon Networks AG mkasper@monzoon.net

Microsoft Active Directory Authentication with SonicOS 3.0 Enhanced and SonicOS SC 1.0 (CSM 2100CF)

prefer to maintain their own Certification Authority (CA) system simply because they don t trust an external organization to

Integrating Webalo with LDAP or Active Directory

Integrating LANGuardian with Active Directory

Expresso Quick Install

Deploying RSA ClearTrust with the FirePass controller

How To Use Netiq Access Manager (Netiq) On A Pc Or Mac Or Macbook Or Macode (For Pc Or Ipad) On Your Computer Or Ipa (For Mac) On An Ip

Adobe Connect LMS Integration for Blackboard Learn 9

SUMMARY. e-soft s.r.l.

Client configuration and migration Guide Setting up Thunderbird 3.1

Configuring idrac6 for Directory Services

Tonido Cloud Admin Guide

Single sign-on websites with Apache httpd: Integrating with Active Directory for authentication and authorization

LDAP Authentication and Authorization

FileCruiser. VA2600 SR1 Quick Configuration Guide

Web based single sign on. Caleb Racey Web development officer Webteam, customer services, ISS

Shibboleth Authentication. Information Systems & Computing Identity and Access Management May 23, 2014

Migrating application users and passwords with Password Manager

LDAP / SSO Authentication

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

Configuring User Identification via Active Directory

Identity Management in Quercus. CampusIT_QUERCUS

MIS Export via the FEM transfer software

InfoRouter LDAP Authentication Web Service documentation for inforouter Versions 7.5.x & 8.x

LDAP User Service Guide 30 June 2006

Shibboleth Identity Provider (IdP) Sebastian Rieger

User Management Resource Administrator. Managing LDAP directory services with UMRA

User-ID Best Practices

Computer Services Documentation

SAML-Based SSO Solution

Cloud Services ADM. Agent Deployment Guide

QuickStart Guide for Mobile Device Management

Transcription:

Directories at UNIL

UNIL Administration > Many databases and applications: > ResHus: contracts with Etat de Vaud > SAP: other contracts > Immat: students > Physical persons in a single table > Moral persons in a single table > GESTU application is integrated in this system > management of accesses to services > management of groups

GESTU > Based on the concept of «service» and «access to a service» > Master services > eliot -> basic access (entry in the auth directory) > ula -> access to a VMS machine > > Dependent services: share the data with a master service > mailbox -> mailbox on our mail server > intranet -> access to our admin application > argos -> access to our HPC server > Access to a master service > Person > Admin. unit / gidnumber > username/uidnumber/initial-password > state of the access: open, closed, blocked, «echu» > Access to a dependent service > state of the access: open, closed, blocked, «echu»

GESTU > Automatic procedures > access creation for students: the day following the end of the immatriculation process (a letter is sent) > closing access: 6 months after exmatriculation > access creation for employees having a valid contract (through a web form) > send notification of access termination by email (1-2 month before) > > Manual procedure (operator) > create, close, > re-initialize password

Groups > An authorized user is able to create a group/emaillist > Groups > members are computed with criteria (recomputed daily) > members may be added manually

Directories GESTU LDAP auth LDAP Mac OSX replica Active Directory Web form for changing password LDAP attr LDAP annuaire Email Server

server Solaris GESTU files transfer LDAP protocol Iplanet replica protocol server Solaris GESTU programs LDAP auth server win 2k GESTU service ADSI Active Directory server Solaris LDAP auth replica server Linux LDAP attr server Mac OSX LDAP Mac OSX

LDAP and AD DIT dc=unil, dc=ch ou=gesu ou=unil-users ou=unil-groups uid=aroy uid=jguela uid=pryter uid=imoullet uid=pgardel... cn=ci-g cn=unicom-g cn=etudiants-g cn=pat-unil-g cn=profs-unil-g...

A LDAP auth user dn: uid=uone,ou=unil-users,ou=gesu,dc=unil,dc=ch objectclass: top objectclass: person objectclass: organizationalperson objectclass: inetorgperson objectclass: posixaccount uid: uone sn: One cn:user One givenname:user mail: User.One@ci.unil.ch uidnumber: 10281 gidnumber: 10010 loginshell: /bin/ksh gecos: User One homedirectory: /users/uone userpassword:***************

LDAP attr : a user (staff) dn: uid=uone,ou=unil-users,ou=gesu,dc=unil,dc=ch objectclass: swisseduperson cn: User One edupersonprincipalname: uone swissedupersonhomeorganizationtype: university swissedupersongender: 1 uid: uone swissedupersonhomeorganization: unil.ch swissedupersondateofbirth: 19640821 swissedupersonuniqueid: 578067@unil.ch swissedupersonstaffcategory: 300 edupersonaffiliation: staff sn: One edupersonentitlement: Pat-unil@unil.ch edupersonentitlement: Gesu@unil.ch edupersonentitlement: Ci@unil.ch edupersonentitlement: Argos-users@unil.ch edupersonentitlement: Acces-soft@unil.ch edupersonentitlement: Rect-da-services@unil.ch edupersonentitlement: Switch-oper@unil.ch mail: User.One@ci.unil.ch givenname: User

LDAP attr : a user (student) dn: uid=sone,ou=unil-users,ou=gesu,dc=unil,dc=ch objectclass: top objectclass: person objectclass: organizationalperson objectclass: inetorgperson objectclass: swisseduperson cn: Student One edupersonprincipalname: sone swissedupersonhomeorganizationtype: university swissedupersongender: 1 uid: sone swissedupersonhomeorganization: unil.ch swissedupersondateofbirth: 19831224 swissedupersonuniqueid: 589456@unil.ch edupersonaffiliation: student sn: one edupersonentitlement: All-etu@unil.ch edupersonentitlement: Etu-lett-geographie@unil.ch swissedupersonstudylevel: 1600-10 swissedupersonstudylevel: 4905-10 swissedupersonstudylevel: 1415-10 mail: Student.One@etu.unil.ch swissedupersonstudybranch3: 1600 swissedupersonstudybranch3: 1415 swissedupersonstudybranch3: 4905 givenname: Student

A LDAP auth group cn=ci-g, ou=unil-groups,ou=gesu,dc=unil,dc=ch objectclass=top objectclass=groupofuniquenames objectclass=posixgroup cn=ci-g description=ci-g gidnumber=20001 uniquemember=uid=uone,ou=unil-users,ou=gesu,dc=unil,dc=ch uniquemember=uid=utwo,ou=unil-users,ou=gesu,dc=unil,dc=ch uniquemember=uid=uthree,ou=unil-users,ou=gesu,dc=unil,dc=ch memberuid=uone memberuid=utwo memberuid=uthree

UNIL Directories > LDAP is Iplanet Directory 5.1 > operations on accesses: > daily > on demand by operator > change password: online > LDAP attr: updated daily > email and name in LDAP auth: updated daily > programs verifying directories >

Management of LDAP attr > used by Shibboleth AA only > updated daily > Gestu produces an xml files containing all the users with their attributes > a program > read the xml file > load the list of the users in the LDAP > one by one delete and recreate users entries with data from the xml file > remove LDAP entries not in the xml file > add new entries > ~ 18000 entries > updated in 25 minutes > function for computing swissedupersonuniqueid from pernum

XML entry (staff) > <swisseduperson> > <uid>arootti</uid> > <unilpernum>485</unilpernum> > <swissedupersonuniqueid></swissedupersonuniqueid> > <surname>rootti</surname> > <givenname>aregg</givenname> > <swissedupersondateofbirth>19640927</swissedupersondateofbirth> > <swissedupersongender>1</swissedupersongender> > <mail>aregg.rootti@ci.unil.ch</mail> > <swissedupersonhomeorganization>unil.ch</swissedupersonhomeorganization> > <swissedupersonhomeorganizationtype>university</swissedupersonhomeorganizationty pe> > <swissedupersonhomeorganization>unil.ch</swissedupersonhomeorganization> > <swissedupersonhomeorganizationtype>university</swissedupersonhomeorganizationty pe> > <edupersonaffiliation>staff</edupersonaffiliation> > <swissedupersonstaffcategory>300</swissedupersonstaffcategory> > <edupersonentitlement>acces-soft@unil.ch</edupersonentitlement> > <edupersonentitlement>all-users-portail@unil.ch</edupersonentitlement> > </swisseduperson>

> <swisseduperson> > <uid>ostudent</uid> XML entry (student) > <unilpernum>58573</unilpernum> > <swissedupersonuniqueid></swissedupersonuniqueid> > <surname>student</surname> > <givenname>one</givenname> > <swissedupersondateofbirth>19831228</swissedupersondateofbirth> > <swissedupersongender>2</swissedupersongender> > <mail>one. Student@etu.unil.ch</mail> > <swissedupersonhomeorganization>unil.ch</swissedupersonhomeorganization> > <swissedupersonhomeorganizationtype>university</swissedupersonhomeorganizationtype> > <edupersonaffiliation>student</edupersonaffiliation> > <swissedupersonstudybranch3>1415</swissedupersonstudybranch3> > <swissedupersonstudybranch3>1600</swissedupersonstudybranch3> > <swissedupersonstudybranch3>1700</swissedupersonstudybranch3> > <swissedupersonstudylevel>1415-10</swissedupersonstudylevel> > <swissedupersonstudylevel>1600-10</swissedupersonstudylevel> > <swissedupersonstudylevel>1700-10</swissedupersonstudylevel> > <edupersonentitlement>all-etu@unil.ch</edupersonentitlement> > </swisseduperson>

Shibboleth User s Home Org 3 Credentials 2 1 Resource Owner Shibboleth Authentication User Dir 3 5 HS AA 3 4 5 WAYF Handle 2 5 Resource Attributes 5 Authentication = OK

Unil Directories and AAI server Linux server Solaris LDAP auth Pubcookie HS LDAP attr AA

<IfModule mod_jk.c> Origin site: httpd.conf Authentication Include /etc/httpd/conf/mod_jk.conf </IfModule> # Pubcookie Configuration PubcookieAuthTypeNames EGNetID PubcookieInactiveExpire -1 PubcookieLogin https://login.unil.ch/ <Location /shibboleth/hs> AuthType EGNetID AuthName "shibboleth/hs" require valid-user </Location>

Origin site: resolver.xml Attributes <SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissedupersonuniqueid" > <DataConnectorDependency requires="directory"/>. </SimpleAttributeDefinition> <JNDIDirectoryDataConnector id="directory"> <Search filter="uid=%principal%"> <Controls searchscope="subtree_scope" returningobjects="false" /></Search> <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.ldapctxfactory" /> <Property name="java.naming.provider.url" value="ldap://cati.unil.ch:390/ou=unilusers,ou=gesu,dc=unil,dc=ch" /> <Property name="java.naming.security.principal" value="uid=xxxxxx,dc=unil,dc=ch" /> <Property name="java.naming.security.credentials" value="xxxxx" /> </JNDIDirectoryDataConnector>

Conclusion > GESTU : central management of users > Two LDAP > LDAP for authentication > LDAP for attributes > Extracting data (XML file) -> easy in our case > xml : future extension > GESTU : evolution

Shibboleth: origin site Unil Login Server AA Url: https://login.unil.ch/shibboleth/aa username password PubCookie module HS Url: https://login.unil.ch/shibboleth/hs Tomcat + Apache LDAP attr Linux

Pubcookie login server LDAP auth username password 6 5 3 7cookie 4 username password User 1 8 cookie PubCookie server Apache Linux 2 redirect PubCookie module Apache Linux

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information