Project DIRECT - Web Help

Internet and Web Applications

10 Nov 2013

Project DIRECT

DIRECT: Directory of Edinburgh University Corporate Topography


john.smith@ed.ac.uk

Deliverables


Joint project between EUCS and MIS


LDAP directory


Authentication and authorisation


All individuals known to the University


Generated from a relational database


Authentication services for the SCWEIMS portal (www.scweims.ac.uk)


Investigate linking up with NDS and ADS

Problem Areas


Privacy


Obtaining full access to data from the “owner”


Authoritative Data Sources


Students


Not all have a single central record etc.


Staff


Significant numbers of casual and non-paid staff at all levels


Grey members


Visitors, guests, consultants, retirees etc.

Directory Services


LDAP (Lightweight Directory Access Protocol), defined in RFC 2251 (LDAPv3; since superseded by the RFC 4510 series)


Simplified version of X.500 (ITU-T/ISO)


Many vendors provide LDAP v3 products or
interfaces


Sun, Oracle, Novell, Microsoft


Database optimised for reading, with entries stored as attribute-value pairs


Provides sophisticated filtering capabilities

The Directory Server


iPlanet Directory Server v4.n


Includes eduPerson object class


Widely used attributes in higher education


Uses domain component naming: dc=ed,dc=ac,dc=uk


Everyone is in the “people” bucket


Avoids admin overhead of complex DIT


dn: cn=jsmith,ou=people,dc=ed,dc=ac,dc=uk

Populating the Directory


Directory management is via LDIF files


LDIF files produced from the Oracle “people” database using an sqlplus job


Database uses LDAP attribute names for table column names


Based on student and staff corporate systems


Daily full and incremental loads for staff and students


Directory is automatically updated each day using cron scripts


Directory performance is poor whilst updating

Example of eduPerson

dn: uid=John Smith-1852, ou=people, dc=ed, dc=ac, dc=uk
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: eduPerson
cn: John Smith
sn: Smith
departmentNumber: 356
displayName: John Smith
employeeType: Staff
givenName: John
initials: JS
l: "MAIN LIBRARY","GEORGE SQUARE","EH8 9LJ","",""
preferredLanguage: en
eduPersonAffiliation: staff
eduPersonNickname: John
eduPersonOrgDN: dc=ed, dc=ac, dc=uk
eduPersonOrgUnitDN: ou=people, dc=ed, dc=ac, dc=uk
employeeNumber: 1852

(eduPersonAffiliation takes values from the eduPerson controlled vocabulary, which is lowercase: faculty, student, staff, alum, member, affiliate, employee. Matching is case-insensitive, but loading the spec’s form avoids surprises in ACL filters such as the one below.)
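The load described under “Populating the Directory”, and the record shown above, as an added Python example that is not part of the original page and not the project’s sqlplus job. It assumes a “people” table whose column names are the LDAP attribute names (as the slides describe), uses an in-memory sqlite3 table with constructed rows in place of Oracle, and shows the two things a hand-rolled LDIF exporter most often gets wrong: RDN escaping (RFC 4514) and base64-encoding of values LDIF cannot carry verbatim (RFC 2849).

```python
import base64
import sqlite3

# Constructed stand-in for the Oracle "people" table. Column names ARE the
# LDAP attribute names, as the slides describe (an assumption about the layout).
SCHEMA = """
CREATE TABLE people (
    uid TEXT, cn TEXT, sn TEXT, givenName TEXT, initials TEXT,
    departmentNumber TEXT, employeeType TEXT, employeeNumber TEXT,
    eduPersonAffiliation TEXT, preferredLanguage TEXT
)
"""

# Constructed rows: the slide's John Smith, a name whose RDN needs escaping,
# and a non-ASCII name that LDIF must base64-encode. None = missing data.
SAMPLE_ROWS = [
    ("John Smith-1852", "John Smith", "Smith", "John", "JS",
     "356", "Staff", "1852", "staff", "en"),
    ("Mary O'Brien, PhD-2001", "Mary O'Brien", "O'Brien", "Mary", None,
     "402", "Staff", "2001", "staff", "en"),
    ("Jürgen Müller-3107", "Jürgen Müller", "Müller", "Jürgen", "JM",
     "118", "Student", "3107", "student", "de"),
]

OBJECT_CLASSES = ("top", "person", "organizationalPerson",
                  "inetOrgPerson", "eduPerson")


def escape_rdn_value(value):
    """Escape an RDN attribute value as RFC 4514 section 2.4 requires."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr, value):
    """One LDIF attribute line; base64 ("attr:: ") when RFC 2849 calls the value unsafe."""
    safe = (value.isascii()
            and not any(ch in "\x00\r\n" for ch in value)
            and value[:1] not in (" ", ":", "<")
            and not value.endswith(" "))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def row_to_ldif(columns, row, base_dn):
    """Turn one database row into an LDIF 'add' record under ou=people."""
    attrs = dict(zip(columns, row))
    dn = "uid=%s,ou=people,%s" % (escape_rdn_value(attrs["uid"]), base_dn)
    lines = [ldif_line("dn", dn), "changetype: add"]
    lines += ["objectclass: " + oc for oc in OBJECT_CLASSES]
    for attr, value in attrs.items():
        if value is None or value == "":
            continue  # missing data is omitted, not emitted as an empty value
        lines.append(ldif_line(attr, str(value)))
    return "\n".join(lines) + "\n"


def export_ldif(conn, base_dn):
    """Full load: every row of the people table as one LDIF record."""
    cur = conn.execute("SELECT * FROM people ORDER BY uid")
    columns = [d[0] for d in cur.description]
    return "\n".join(row_to_ldif(columns, row, base_dn) for row in cur.fetchall())


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO people VALUES (?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


if __name__ == "__main__":
    print(export_ldif(build_sample_db(), "dc=ed,dc=ac,dc=uk"))
```

The column-name convention makes the exporter almost schema-free, which is the point the slide makes; the cost is that a column added to the table silently becomes an attribute in the directory, so the ACLs must be written as allow-lists of attributes rather than deny-lists.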

Simple Directory Enabled Applications


“White pages” e.g. email and telephone numbers


Microsoft Outlook, Netscape Communicator


WWW enabled applications using PHP4 or Cold Fusion


Use ACLs to implement security policy


No standard, so vendors’ implementations vary


Student email addresses unavailable outwith the ed.ac.uk domain


iPlanet specific features


Adds a targetfilter construct to the ACL syntax


Missing and inaccessible data is an issue

Sample ACL

dn: ou=people, dc=ed, dc=ac, dc=uk
changetype: modify
add: aci
aci: (target="ldap:///uid=*, ou=people, dc=ed, dc=ac, dc=uk")(targetfilter="(edupersonaffiliation=student)")(targetattr="cn || sn || mail || telephonenumber")(version 3.0; acl "local permit of student details"; allow (read, search, compare) userdn = "ldap:///anyone" and dns = "*.ed.ac.uk";)

(userdn = "ldap:///anyone" includes anonymous binds, and dns = "*.ed.ac.uk" is matched against the reverse-DNS name of the client address, which is only as trustworthy as the PTR records of whoever controls the source network. The rule restricts where the data is read from, not who reads it.)
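To see exactly what that ACI grants, here is an added Python example that is not iPlanet code and not from the original page. It assumes the ACI has been transcribed into a dict (the ACI string parser is not reproduced, only the decision logic), implements just the RFC 4515 filter subset the ACI needs (equality, presence, &, |, !), and evaluates the rule against two constructed entries. The two behaviours worth noticing are that a non-student entry and a non-listed attribute such as userPassword are both denied, and that the dns clause is decided by a string match on a reverse-resolved hostname.

```python
import fnmatch

# The slide's ACI transcribed into a dict. Assumption: iPlanet's ACI parser
# is not reproduced, only the decision it makes.
STUDENT_ACI = {
    "target": "uid=*,ou=people,dc=ed,dc=ac,dc=uk",
    "targetfilter": "(edupersonaffiliation=student)",
    "targetattr": {"cn", "sn", "mail", "telephonenumber"},
    "rights": {"read", "search", "compare"},
    "userdn": "anyone",    # no bind needed: anonymous clients qualify too
    "dns": "*.ed.ac.uk",   # matched against the client's reverse-DNS name
}

# Constructed entries (attribute names lower-cased, values as lists).
STUDENT = {
    "dn": "uid=s0123456,ou=people,dc=ed,dc=ac,dc=uk",
    "cn": ["Anne Example"], "sn": ["Example"],
    "mail": ["s0123456@ed.ac.uk"], "telephonenumber": ["0131 650 0000"],
    "edupersonaffiliation": ["student"],
    "userpassword": ["{SSHA}constructed"],
}
STAFF = {
    "dn": "uid=John Smith-1852,ou=people,dc=ed,dc=ac,dc=uk",
    "cn": ["John Smith"], "sn": ["Smith"], "mail": ["john.smith@ed.ac.uk"],
    "edupersonaffiliation": ["staff"],
}


def parse_filter(text):
    """Parse the RFC 4515 subset this ACI needs (equality, presence, &, |, !)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")":
                raise ValueError("unterminated filter")
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    result = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return result


def match(node, entry):
    """Evaluate a parsed filter against an entry (caseIgnore matching)."""
    if node[0] == "&":
        return all(match(k, entry) for k in node[1])
    if node[0] == "|":
        return any(match(k, entry) for k in node[1])
    if node[0] == "!":
        return not match(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    if value == "*":
        return bool(values)
    return value.lower() in values


def normalise_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def aci_allows(aci, entry, attr, right, client_host):
    """Default deny: every clause of the ACI must hold for access to be granted.
    client_host is the name the server obtained by reverse lookup of the client
    address, so it is exactly as trustworthy as the PTR record for that address."""
    if not fnmatch.fnmatchcase(normalise_dn(entry["dn"]), normalise_dn(aci["target"])):
        return False
    if not match(parse_filter(aci["targetfilter"]), entry):
        return False
    if attr.lower() not in aci["targetattr"] or right not in aci["rights"]:
        return False
    if client_host is None or not fnmatch.fnmatchcase(client_host.lower(), aci["dns"]):
        return False
    return True


def visible_attributes(aci, entry, right, client_host):
    """Attributes of entry that this ACI exposes for `right` to a client at client_host."""
    return [a for a in entry if a != "dn" and aci_allows(aci, entry, a, right, client_host)]
```

Because the server denies anything no ACI allows, a client outside *.ed.ac.uk sees no attributes at all for the student entry under this rule, and nobody sees staff entries until a separate ACI is added for them.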


Authentication for SCWEIMS Portal


SCWEIMS: Student Centric Web-based Educational and Instructional Management System


Funded by SHEFC


Uses Cold Fusion as the application server and Oracle or SQL Server as the data warehouse


Runs on either Solaris or NT/Win2K


Roll out Autumn 2001

Providing Authentication


Cold Fusion Advanced Security


Uses Netegrity’s SiteMinder product


Supports many vendors’ directory server products


Allows use of an LDAP enabled directory for:


User authentication


Policy store - what authenticated users can do


Single-stop authentication and authorisation mechanism for multiple applications

How SiteMinder Works

1. User attempts to access a resource secured by SiteMinder

2. User is prompted for credentials

3. SiteMinder passes these to the directory for authentication

4. A strongly encrypted cookie is sent to, and stored in, the user’s browser

5. The cookie is then passed with all further requests

6. SiteMinder checks the policy store to see if the user is authorised to access the resource

7. It determines whether the user is a member of a policy group whose rules allow this type of access to the resource

Providing Authentication (cont’d)


Install and configure Advanced Security


Import policy store classes into the directory using LDIF


Can use the same or a different directory as for users


Configure SiteMinder to use LDAP as the policy store


Define a “User Directory”


Create a “Security Context”


Define “Rules” and “Policies” for “Resources”
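The seven-step SiteMinder flow and the policy-store configuration above, as an added Python example that is not SiteMinder or Cold Fusion code and not from the original page. Three substitutions are assumptions: a signed, expiring cookie (HMAC-SHA256 over a JSON payload) stands in for SiteMinder’s encrypted one; a userPassword check against an {SSHA} hash, as iPlanet and OpenLDAP store it, stands in for the directory bind; and a dict stands in for the LDAP policy store. USER_DIRECTORY, POLICY_STORE, the group names and the SCWEIMS paths are constructed.

```python
import base64
import fnmatch
import hashlib
import hmac
import json
import os

# Constructed demo key. A real policy server keeps this out of source and rotates it.
SECRET = b"constructed-demo-key-not-for-production"


def make_ssha(password, salt=None):
    """Hash a password in the {SSHA} form stored in userPassword (sha1(pw+salt), then salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored, password):
    """Step 3: verify credentials against the directory's stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


# Constructed "user directory": just the uid and userPassword attributes the slides add.
USER_DIRECTORY = {
    "jsmith": {"userPassword": make_ssha("correct horse", b"\x01\x02\x03\x04")},
    "s0123456": {"userPassword": make_ssha("battery staple", b"\x05\x06\x07\x08")},
}

# Constructed policy store: groups of users, and policies binding resources to actions.
POLICY_STORE = {
    "groups": {"sysadmin": {"jsmith"}, "staff": {"jsmith"}, "student": {"s0123456"}},
    "policies": [
        {"resource": "/scweims/schema/*", "actions": {"select"}, "groups": {"sysadmin"}},
        {"resource": "/scweims/*", "actions": {"GET"}, "groups": {"staff", "student"}},
    ],
}


def _b64(data):
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(uid, now, ttl=3600, secret=SECRET):
    """Step 4: a tamper-evident session cookie with an absolute expiry."""
    payload = json.dumps({"uid": uid, "exp": int(now) + ttl}, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_cookie(cookie, now, secret=SECRET):
    """Step 5: return the uid from a valid, unexpired cookie, else None."""
    try:
        p64, t64 = cookie.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
    except ValueError:
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)  # parsed only after the tag has been checked
    if claims["exp"] <= now:
        return None
    return claims["uid"]


def is_authorized(uid, resource, action, store=POLICY_STORE):
    """Steps 6-7: allowed only if some policy for this resource and action names a group of uid."""
    for policy in store["policies"]:
        if action in policy["actions"] and fnmatch.fnmatchcase(resource, policy["resource"]):
            if any(uid in store["groups"].get(g, ()) for g in policy["groups"]):
                return True
    return False  # default deny


def login(uid, password, now, directory=USER_DIRECTORY):
    """Steps 2-4: credentials in, cookie out (or None)."""
    entry = directory.get(uid)
    if entry is None or not check_ssha(entry["userPassword"], password):
        return None
    return issue_cookie(uid, now)


def handle_request(cookie, resource, action, now):
    """Step 1 onwards for a protected resource: 'login-required', 'forbidden' or 'ok'."""
    uid = verify_cookie(cookie, now) if cookie else None
    if uid is None:
        return "login-required"
    if not is_authorized(uid, resource, action):
        return "forbidden"
    return "ok"
```

The split the slides describe is visible here: authentication touches the user directory once, and every later request is decided from the cookie plus the policy store. That is also why cookie integrity and expiry matter more than anything else in this design; a forged or stale cookie bypasses the directory entirely.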

The CFML Code


<CFAUTHENTICATE> tag to handle authentication to LDAP

<!--- authenticate the user --->
<cftry>
    <!--- use error trapping --->
    <cfauthenticate securitycontext="#attributes.security_context#"
                    username="#attributes.username#"
                    password="#attributes.password#">

    <cfcatch type="Security">
        <!--- if we catch an error send email --->
        <cfmail to="#emailfooter#"
                from="#emailfooter#"
                subject="LDAP Demo - authentication failure">
The LDAP Demo application authentication produced the following output:

#cfcatch.message# at #nowtime# on #nowdate#
Remote host: #CGI.remote_addr#
User Agent: #CGI.http_user_agent#
        </cfmail>
    </cfcatch>
</cftry>

(This sends one mail per failed login, so a password-guessing run against the form becomes a mail flood to the footer address, and #CGI.http_user_agent# is attacker-supplied text that lands unfiltered in the mail body. Rate-limit the notification, or log the failure and alert on the count instead.)

CFML Code (cont’d)


Calls the IsAuthenticated function to check authenticated status

<cfif isauthenticated('#attributes.security_context#')>


Calls the IsAuthorized function to check that the action is allowed on this resource (excerpt; the page body and closing tags are not shown on the slide)

<cfcase value="showschema">
    <!--- check if the user is authenticated --->
    <cfinclude template="action/act_isauthenticated.cfm">
    <!--- check if the user is authorised for this resource --->
    <cfif IsAuthorized("Datasource","eduperson","select")>
        <!--- OK build page to display eduPerson schema --->

Authentication Delivered


Easy to implement in well structured applications


Only required changes to fewer than 6 code pages


Modify the user directory by adding uid and userPassword attributes (store userPassword as a salted hash such as {SSHA}, and make sure no ACI grants read access to it beyond the directory manager)


LDAP based authentication integrated as an option into the SCWEIMS distribution


Difficult to discover information, and poorly documented


PHP4 could (probably) provide similar functionality


Extensive set of LDAP functions

Novell Directory Services


NDS tree under UK-AC-ED


eDirectory 8.5 provides an LDAP v3 interface to NDS


Use as if it were a pure LDAP directory service


User “jsmith” in context “ucs.ed”


Gives a DN of:


cn=jsmith, ou=ucs, ou=ed, ou=ac, o=uk


Default use of the “cn” attribute and “ou”/“o” naming rather than “uid” and “dc”


Default mappings between NDS objects and LDAP attributes


Novell supplied an LDIF file to create the “inetorgperson” object class


Novell Directory Services (contd)


Use as a “white page” application


Address book in Outlook, Communicator, WWW application etc.


Manage NDS using LDIF files

ldapmodify -v -c -h foo.ucs.ed.ac.uk -D "cn=Admin, ou=ed,ou=ac,o=uk" -w password -f modusers.ldif

(A password passed with -w is visible in the process list to every local user and ends up in shell history; OpenLDAP’s ldapmodify accepts -W to prompt for it, or -y to read it from a file.)


Use with CF Advanced Security


Provide User Directory for SCWEIMS

Active Directory Services


Referred to ongoing internal Project 2000


Nothing further to report at this presentation

Some Suggestions


Make use of referrals to combine directories


Use both subordinate and superior referrals


Refer to other directories e.g. eDirectory for authentication


Use pure LDAP implementations


OpenLDAP project


Avoid:


Having to disinter vendor’s terminology and interface


Temptation to use vendor’s proprietary extensions e.g. iPlanet’s extended ACI syntax


Use SSL for client/server exchanges (ldaps:// on port 636, or StartTLS as defined in RFC 2830); a simple bind otherwise sends the password in clear


WWW based applications


Where authentication is being used

Outcomes


Significant difficulties obtaining and maintaining the information needed to populate the directory


Unique situation for each HEI


Information management, not a technology, issue


Effective LDAP based services can be implemented


White pages, authentication services for applications


Observe needs for privacy and non-disclosure


MIS investigating use of Oracle’s Internet Directory Server


Provide “white pages” and authentication services

Questions?