FSU Directory Project

Posted on 10-Jan-2016


Transcript of FSU Directory Project

FSU Directory Project

The Issue of Identity Management

Jeff Bauer, Florida State University

http://fsuid.fsu.edu/admin

The Problems (2003)

• Individuals have to remember too many different names and passwords to access our systems; accounts were created on different web pages

• With the new PeopleSoft ERP, we wanted to avoid yet another username & password

• We have too many LDAP directories, with almost the same information in each (need to consolidate!)

• Many of our systems (electronic and in-person) still rely on asking an individual for their Social Security Number as a method for authentication

The SSN Problem

• SSN is used as a method for authenticating students and employees via web and in-person challenges

• Mandates to protect & hide SSN abound

• SSN is still required for certain business processes (HR, external identity of students to Feds, etc.)

The Proposal (2003)

• This proposal is an attempt to combine identity terms and solve the SSN/multiple identity problem

• Proposal:
– FSUID = new public “login name”/password
– FSUSN = new “SSN-like” private number
– A combined directory will manage this information

The Identity Problem

• C.A.R.S. (“ldap1”)
– All students, faculty & staff plus visitors
– Tied into automated systems on campus, such as FSUCard, HRMS, etc.
– Used for authorizing “garnet/mailer” email servers, dialup service
– Blackboard authentication

• O.P.S. (Secure Login; “ldap2”)
– All students, faculty & staff plus visitors
– Tied into automated systems on campus, such as FSUCard, HRMS, etc.
– Used for authorizing many administrative applications (many, but not all, of which were replaced by PeopleSoft functionality)

• Web registration for classes (SSN)

• Administrative Email (“@admin.fsu.edu”)
– Managed in the enterprise “FSU” Microsoft Active Directory (Outlook users)
– Semi-manual account management
– Mostly used by some ~6,000 administrative employees

• Netware Account
– Provides authentication & file service
– Manual account management
– Mostly used by some ~6,000 administrative employees

The Identity Merger (2004)

Identities merged into the single FSU Identity (FSUID):
– CARS (ldap1) identity
– Secure Login (ldap2) identity
– PIN Registration identity
– Windows AD/Outlook identity
– PeopleSoft identity
– Novell Netware identity
– Departmental identities

→ FSU Identity (FSUID), https://fsuid.fsu.edu

FSUID Initial Signup

FSUID Helpdesk Utility

Behind the Scenes

• Novell eDirectory 8.7.3.6– Five production RedHat servers– Two development RedHat servers

• Separate iPlanet LDAP strictly for public employee attributes and quick searches

• Multitude of Perl scripts updating attributes

• All LDAP over SSL (port 636)

eDirectory Ring (production)

• One master node
• Four R/W replicas
• R/Ws can happen anywhere
• eDir will sync values over time (up to 30 mins), so a change written to one replica (a password reset, a disabled account) may not be visible on another until the sync completes
• Housed in different physical locations
• All LDAP-reachable

Schema & eDir Details

• Schema is eduPerson compliant (200312)
• ~150 FSU-specific attributes (“fsuEduXXXX”)
• Many attributes are indexed to increase performance
• Use proxy accounts and ACLs to limit the view of attributes to specific applications
• Used Perl for rapid app development and ease of access to data sources (LDAP, flat files, Oracle, AD, iPlanet, DB2, etc.)

Example of FSU-specific attribute

LDAP clients using FSUID authentication

• Central Authentication Service (CAS) instance, connecting Blackboard & FSUID
• PeopleSoft instances
• Business Objects instance
• VPN Concentrators directly or via RADIUS; BlueSocket boxes for Wireless A&A
• Java properties for business applications
• UNIX hosts

Departmental Identity Management

• A number of departments now use FSUID-driven data to manage their student & employee accounts

• Mostly Active Directories with information “pushed” via LDAPS (account creation, directory attribute updating, password resets, etc.)
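The attribute-update scripts described under “Behind the Scenes” and the LDAPS pushes to departmental Active Directories above are easiest to reason about as LDIF change records. The following is an added example, written in Python rather than the project's Perl, and not FSU's own code: it computes the minimal `changetype: modify` for the attributes the central directory owns, leaves department-managed attributes untouched, encodes an AD `unicodePwd` reset, and refuses any push whose target is not `ldaps://`. The sample records, the departmental DN and the `fsuEduPrimaryRole` attribute name are constructed for the example (the deck only says the FSU attributes are named `fsuEduXXXX`).

```python
"""Push central-directory identity data to a departmental AD as LDIF.
Added example (not FSU's Perl). Sample data below is constructed."""
import base64
from urllib.parse import urlparse

# Constructed sample: what the central (FSUID) directory holds for one person.
# 'fsuEduPrimaryRole' is an assumed FSU-style attribute name, not one from the deck.
SOURCE_RECORD = {
    "dn": "CN=jdoe,OU=Students,DC=dept,DC=example",
    "givenName": "Jane",
    "sn": "Doe",
    "mail": "jdoe@example.edu",
    "eduPersonAffiliation": ["student", "member"],
    "fsuEduPrimaryRole": "student",
}
# Constructed sample: what the departmental AD currently holds for that person.
CURRENT_ENTRY = {
    "givenName": "Jane",
    "sn": "Doe-Smith",
    "mail": "jdoe@example.edu",
    "eduPersonAffiliation": ["student"],
    "telephoneNumber": "555-0100",  # owned by the department: never touched
}
# Only these attributes are authoritative in the central directory.
MANAGED_ATTRS = ("givenName", "sn", "mail", "eduPersonAffiliation", "fsuEduPrimaryRole")


def is_ldaps(url):
    """True only for ldaps:// targets (LDAP over SSL, port 636 by default)."""
    return urlparse(url).scheme == "ldaps"


def require_ldaps(url):
    if not is_ldaps(url):
        raise ValueError("attribute and password pushes go over LDAPS only: " + url)


def ad_unicode_pwd(password):
    """AD's unicodePwd attribute takes the password wrapped in double quotes,
    encoded UTF-16LE; AD also rejects the write on a non-TLS connection."""
    return ('"' + password + '"').encode("utf-16-le")


def as_list(value):
    return list(value) if isinstance(value, (list, tuple)) else [value]


def ldif_value(attr, value):
    """One 'attr: value' line per RFC 2849; base64 ('attr:: ') for bytes or
    for strings that are not SAFE-STRINGs (non-ASCII, leading space/colon/'<',
    embedded newlines)."""
    if isinstance(value, bytes):
        return f"{attr}:: {base64.b64encode(value).decode('ascii')}"
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or "\n" in value or "\r" in value)
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def modify_ops(source, current, managed=MANAGED_ATTRS):
    """Minimal list of (op, attr, values) for a changetype: modify record:
    only managed attributes, only where the directory and AD disagree."""
    ops = []
    for attr in managed:
        want = as_list(source[attr]) if attr in source else []
        have = as_list(current[attr]) if attr in current else []
        if sorted(want) == sorted(have):
            continue
        if not want:
            ops.append(("delete", attr, []))
        elif not have:
            ops.append(("add", attr, want))
        else:
            ops.append(("replace", attr, want))
    return ops


def modify_ldif(dn, ops):
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in ops:
        lines.append(f"{op}: {attr}")
        lines.extend(ldif_value(attr, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


def add_ldif(dn, attrs, object_classes=("top", "person", "organizationalPerson", "user")):
    """Account creation. Assumes the departmental AD schema was extended with
    eduPerson/fsuEdu attributes; otherwise AD rejects the add."""
    lines = [f"dn: {dn}", "changetype: add"]
    lines += [f"objectClass: {oc}" for oc in object_classes]
    for attr, value in attrs.items():
        if attr != "dn":
            lines.extend(ldif_value(attr, v) for v in as_list(value))
    return "\n".join(lines) + "\n"


def password_reset_ldif(dn, new_password, server_url):
    """Password reset record; refuses to produce one for a non-LDAPS target."""
    require_ldaps(server_url)
    return modify_ldif(dn, [("replace", "unicodePwd", [ad_unicode_pwd(new_password)])])


if __name__ == "__main__":
    print(modify_ldif(SOURCE_RECORD["dn"], modify_ops(SOURCE_RECORD, CURRENT_ENTRY)))
    print(password_reset_ldif(SOURCE_RECORD["dn"], "Pa$$w0rd", "ldaps://ad.dept.example"))
```

The generated records are what an `ldapmodify -H ldaps://… -f changes.ldif` against the department's AD would consume. The split between managed and department-owned attributes is the part worth copying: a central push that replaces whole entries silently clobbers local data, while a diff against the live entry keeps the central directory authoritative only for what it actually owns.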

Good, Bad & the Ugly

• DirXML
– The main reason we decided to purchase eDir instead of using, say, iPlanet or OpenLDAP: the PeopleSoft integration piece (real-time directory updates from HR)
– We have not implemented this as yet, alas

• “ndsd” (eDir daemon)
– Multi-threaded
– Memory problems (crashes); still not fully resolved

• eDir’s unencrypted “database”

What Next?

• Shorten the “hire/admit to login” time lag
• Rewrite FSUID web pages as native Blackboard Java/JSP pages
• Merge more FSU identities into the FSUID directory
• Push FSUSN usage across campus
• Manage more departmental identities
• Set up production Shibboleth using this directory