Authentication Authorization Infrastructure




Authentication Authorization Infrastructure
Jan Du Caju, LUDIT - KULeuvenNet

AAI update: LDAP, Kerberos, Shibboleth

LDAP

End-user LDAP servers (in fail-over, without password hashes):
  ldap.kuleuven.be (points to ldap1 and ldap2.kuleuven.be)
  search base: ou=people,dc=kuleuven,dc=be

Authentication LDAP servers (in fail-over):
  ldap-auth1.kuleuven.be (central services, excluding Samba)
  ldap-auth2.kuleuven.be (Samba)

LDAP anonymous access

# organigram info: http://organigram.kuleuven.be
dn: KULouNumber=50000052,ou=unit,dc=kuleuven,dc=be
objectclass: organizationalunit
objectclass: KULou
ou: Secretariaat rector
parentou: 50000051
diensthoofd: u0026006
KULouNumber: 50000052

LDAP anonymous access (continued)

# diploma information
dn: dipl=50045325,ou=diploma,dc=kuleuven,dc=be
objectclass: KULdiploma
dipl: 50045325
diplnaam: Licentiaat in de Archeologie

# programme (opleiding) information
dn: oplnr=50046282,ou=opleiding,dc=kuleuven,dc=be
objectclass: opleiding
oplnr: 50046282
oplnaam: Licentiaat in de Archeologie

LDAP anonymous access (continued)

# personnel info: http://cwis.cc.kuleuven.be
dn: uid=u0001439,ou=people,dc=kuleuven,dc=be
objectclass: person
objectclass: eduperson
objectclass: KULPerson
objectclass: posixaccount
objectclass: sambasamaccount
objectclass: krb5principal
objectclass: krb5kdcentry
uid: u0001439
ou: people
ou: Leuvens Universitair Dienstencentrum voor Informatica en Telematica (LUDIT)
cn: Jan Du Caju
LUDITserver: mail.cc.kuleuven.ac.be
homedirectory: /home/u0001439
loginshell: /bin/bash
edupersonorgdn: dc=kuleuven,dc=be

LDAP anonymous access (personnel, continued)

edupersonorgunitdn: o=people,dc=kuleuven,dc=be
uidnumber: 15677
gidnumber: 50000954
KULprimouNumber: 50000954
KULouNumber: 50000954,50014501,50000953,50000854
sn: Du Caju
givenname: Jan
postaladdress: LUDIT, de Croylaan 52A, B-3001 Heverlee, Belgium
telephonenumber: +32 16 322785
KULvpnGroup: ou=admins
mail: Jan.DuCaju@cc.kuleuven.be, Jan.DuCaju@aiv.kuleuven.be
KULtap: ATP
KULtypePers: ATP
edupersonaffiliation: staff,employee,member

LDAP anonymous access (continued)

# student info
dn: uid=s0112264,ou=people,dc=kuleuven,dc=be
objectclass: person
objectclass: eduperson
objectclass: KULPerson
objectclass: posixaccount
objectclass: sambasamaccount
objectclass: krb5principal
objectclass: krb5kdcentry
ou: people
uid: s0112264
cn: s0112264
LUDITserver: urc1.cc.kuleuven.ac.be
gidnumber: 1000
stamnr: 990433020
KULid: 0112264

LDAP anonymous access (students, continued)

edupersonorgdn: dc=kuleuven,dc=be
edupersonorgunitdn: o=people,dc=kuleuven,dc=be
edupersonaffiliation: student
edupersonaffiliation: member
uidnumber: 229885
homedirectory: /home/s0112264
loginshell: /bin/bash

LDAP attributes to specific apps

# not query-able; only LDAP bind from the KULeuvenNet authentication servers and the LUDIT central servers (mail, Toledo)
userpassword: {SHA1}PASSWORD

# released to none
edupersonprincipalname: {SHA1}UniqueReferenceToUser@kuleuven.be
KULCryptPassword: {CRYPT}PASSWORD

# towards the central KULeuvenNet Kerberos servers
krb5principalname: u0001439@kuleuven.be
krb5keyversionnumber: 3
krb5key: {KERBEROS}PASSWORD
krb5maxlife: 86400
krb5maxrenew: 604800
krb5kdcflags: 126

LDAP attributes to specific apps (continued)

# towards the central LUDIT Samba domain controller and the decentral fysica Samba domain controller
sambasid: S-1-5-21-1909459663-1903662737-1494088821-32354
sambantpassword: {NTLMv2}PASSWORD
sambapwdlastset: 1
sambapwdmustchange: 2147483647
sambapwdcanchange: 0
sambalogontime: 0
sambalogofftime: 2147483647
sambakickofftime: 2147483647
sambaacctflags: [U ]
sambaprimarygroupsid: S-1-5-21-1909459663-1903662737-1494088821-50000954

LDAP student attributes to specific apps

sn: Achternaam
givenname: Voornaam
dipl: 50000000
opl: 2004 50000000 02
mail: voornaam.achternaam@student.kuleuven.ac.be
KULlibisnr: 0000002
KULouNumber: 50000707
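The slides split the directory into end-user servers "without password hashes" and bind-only authentication servers. The following is an added example (not the slides' own code): a minimal LDIF reader and a check that none of the bind-only attributes listed above (password hashes, Kerberos and Samba keys) appear in what an anonymous search returns. Both dumps are constructed sample data modelled on the slide entries.

```python
# Added example, not from the original slides: a minimal LDIF reader plus a
# check that attributes the slides mark as bind-only (password hashes and
# Kerberos/Samba keys) do not show up in an anonymous search result.
# Both dumps below are constructed sample data modelled on the slides.
SENSITIVE = {"userpassword", "kulcryptpassword", "krb5key", "sambantpassword"}

def parse_ldif(text):
    """Parse simple LDIF (no base64, no folding): one dict per entry,
    lower-cased attribute name -> list of values."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):          # comment line
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def exposed_secrets(entries):
    """Return (dn, attribute) pairs for every sensitive attribute present."""
    found = []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        for attr in sorted(SENSITIVE & set(e)):
            found.append((dn, attr))
    return found

ANON_DUMP = """\
# constructed: what the end-user servers (ldap.kuleuven.be) should return
dn: uid=u0001439,ou=people,dc=kuleuven,dc=be
uid: u0001439
cn: Jan Du Caju
edupersonaffiliation: staff
"""

LEAKY_DUMP = """\
# constructed: an authentication-server entry exposed to anonymous search
dn: uid=u0001439,ou=people,dc=kuleuven,dc=be
uid: u0001439
userpassword: {SHA1}PASSWORD
krb5key: {KERBEROS}PASSWORD
"""
```

Feed the output of an anonymous search against the end-user servers into parse_ldif and expect exposed_secrets to return an empty list.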

Kerberos

Kerberos LDAP servers: kdc1.kuleuven.be and kdc2.kuleuven.be
principal: <intranetuid>@kuleuven.be
Windows clients authenticating to the central KDCs:
  users created in AD with a random password
  user mapped to the principal
  KDC of the user changed from AD to the central KDCs (name mappings)
  tested: policies and printing

[Figure: Shibboleth login flow. Left: the AAI-enabled home organization (authentication system, user directory, Shibboleth IdP / Identity Provider). Centre: the WAYF ("where are you from?") service. Right: the Shibboleth SP / Service Provider on the web server in front of the AAI-enabled resource. The numbered steps 1-10 between the user (jan) and these components carry the labels "who are you", "handle", "handle + attributes?", "attributes" and "pagex".]

Shibboleth

Home organization:
  Shibboleth IdP: idp.kuleuven.be
  CAS: cas.kuleuven.be
  ldap-auth1
Service provider (and documentation): http://shib.kuleuven.be
WAYF: wayf.associatie.kuleuven.be

Shibboleth federation

Common set of policies, practices and guidelines:
  IdP, SP: no end-user workstation, properly patched, ...
  a registry to process applications to the federation
  distribution of membership information (IdPs and SPs)
Attributes needed for Shibboleth:
  classification of users for basic authorizations (access to an app)
  exchange of attributes within the federation
Federations:
  K.U.Leuven
  Associatie K.U.Leuven

Classification of users for basic authorizations: edupersonaffiliation

value: [student faculty staff employee alum member affiliate]
  affiliate = external, not a member. Affiliate is intended to apply to people with whom the university has dealings, but to whom no general set of "community membership" privileges are extended
  if [student faculty staff] then also member
  if [faculty staff] then also employee
use (federations): K.U.Leuven and Associatie
ARP (Attribute Release Policy): general usability

Classification of users for basic authorizations: edupersonscopedaffiliation

value: <edupersonaffiliation>@<domain>.be, e.g. student@kuleuven.be
use (federations): Associatie
ARP (Attribute Release Policy): general usability

Classification of users for basic authorizations: KULouPrimaryNumber

value: organigram code of the unit(s) an employee is assigned to
use (federations): K.U.Leuven
ARP (Attribute Release Policy): general usability

Classification of users for basic authorizations: KULouNumber

value:
  personnel (or employee): KULouPrimaryNumber + all organigram codes of the units above it in the organigram tree
  student: organigram code of the faculty
use (federations): K.U.Leuven
ARP (Attribute Release Policy):
  personnel: general usability
  student: specific apps

Classification of users for basic authorizations: dipl

value: code of a diploma, e.g. 50045349 for Kandidaat in de Taal- en Letterkunde: Germaanse Talen
use (federations): K.U.Leuven
ARP (Attribute Release Policy): specific apps

Classification of users for basic authorizations: opl

value: <year> <opleidingsnummer> <year_within_opleiding> (opleidingsnummer = programme number), e.g. 2005 50046649 00 for opleidingsnummer 50046649 with name Kandidaat in de Taal- en Letterkunde: Germaanse Talen
use (federations): K.U.Leuven
ARP (Attribute Release Policy): specific apps

Exchange of attributes within federations

K.U.Leuven federation:
  general: KULouPrimaryNumber, KULouNumber
  specific applications: uid, cn, surname, givenname, mail; (students) opl, dipl
Associatie K.U.Leuven:
  general: edupersonaffiliation: [student, faculty, staff, employee, alum, member, affiliate]
           edupersonscopedaffiliation: <edupersonaffiliation>@<domain>.be

Release of attributes to specific apps: Toledo & Kotnet

uid@<domain>.be (edupersonprincipalname)
surname
givenname
commonname
mail: Jan.DuCaju@KULeuven.net
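The classification rules (edupersonaffiliation implications, scoped affiliation, KULouNumber as the primary unit plus its ancestors in the organigram) and the per-federation release lists from the preceding slides, as one added example that is not the slides' own code. The organigram, the function names and the ARP table layout are my assumptions; the attribute names and rules follow the slides.

```python
# Added example, not from the original slides: derive the classification
# attributes described above and apply the per-federation ARP. The organigram
# is constructed sample data modelled on the "parentou" attribute.
ORGANIGRAM = {                 # unit number -> parent unit (None = root)
    "50000051": None,          # assumed top of the tree
    "50000052": "50000051",    # Secretariaat rector (from the slide)
    "50000953": "50000051",    # constructed
    "50000954": "50000953",    # LUDIT, position in the tree assumed
}
# Slide rules: student/faculty/staff imply member, faculty/staff imply
# employee; affiliate is an external and implies nothing.
IMPLIED = {"student": {"member"},
           "faculty": {"member", "employee"},
           "staff": {"member", "employee"}}
# Attribute Release Policy per federation, as listed on the slides
# (surname and commonname are the sn and cn attributes).
ARP = {
    "kuleuven": {"general": ["KULouPrimaryNumber", "KULouNumber"],
                 "specific": ["uid", "cn", "sn", "givenname", "mail", "opl", "dipl"]},
    "associatie": {"general": ["edupersonaffiliation", "edupersonscopedaffiliation"],
                   "specific": []},
}
def expand_affiliations(affiliations):
    """Close the given edupersonaffiliation values under the slide rules."""
    out = set(affiliations)
    for a in affiliations:
        out |= IMPLIED.get(a, set())
    return sorted(out)

def scoped_affiliations(affiliations, domain):
    """edupersonscopedaffiliation: <affiliation>@<domain> for each value."""
    return [f"{a}@{domain}" for a in expand_affiliations(affiliations)]

def kul_ou_numbers(primary):
    """KULouNumber for personnel: the primary unit plus every unit above it."""
    chain, unit = [], primary
    while unit is not None:
        if unit in chain:          # a cyclic organigram would loop forever
            raise ValueError("cycle in organigram at " + unit)
        chain.append(unit)
        unit = ORGANIGRAM.get(unit)
    return chain

def release(entry, federation, specific_app=False):
    """Return only the attributes the federation's ARP allows for this SP."""
    allowed = list(ARP[federation]["general"])
    if specific_app:
        allowed += ARP[federation]["specific"]
    return {k: entry[k] for k in allowed if k in entry}
```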