Event-Driven Architecture for Synchronizing Active

Directory Groups

Nathan Dors – University of Washingtondors@uw.edu

Eric Kool-Brown – University of Washingtonkool@uw.edu

EDA & Syncing AD Groups 2013.11.07 2

Active Directory in Higher Ed IT• Granting access to Windows resources via Access

Control List entries• Best practice to use groups as ACE trustees rather than

individual user accounts

• Groups being used as Exchange Distribution Lists• Interop with Linux/Unix systems via LDAP, Kerberos,

and SAMBA• Customers continue to figure out new ways to use

our AD services

EDA & Syncing AD Groups 2013.11.07 3

Connecting Access Management Systems• The Vision

• Seamless information flow through IT systems• Architectural agility for updating IT systems

• Traditional Solutions• Domain-specific, hardwired, batch oriented• Scheduled rather than real-time

• IDM Suites (OpenIDM, OIM, AD/FIM)• Relatively heavyweight alternatives

• Enterprise Integration Patterns• Guidance on how to roll your own heavyweight system

• Event Driven Architecture – a lightweight approach

EDA & Syncing AD Groups 2013.11.07 4

Event Driven Architecture

• EDA facilitates the transfer of information between producing and consuming systems• It is a design pattern that decouples components

• An intermediate component: a message queue• An intermediate format: a message schema• Flexibility as to the propagation model

• It provides near real-time information propagation• Components and systems can evolve independently

• The message schema is versioned

• EDA can facilitate a GR/DR capability if the queue is in the cloud

EDA & Syncing AD Groups 2013.11.07 5

Propagating Access Management Changes• The UW uses Grouper as the groups data master• There are multiple downstream consumers of Grouper

changes• AD changes used to be pulled via scheduled batch

processes• We switched to EDA via Apache ActiveMQ a year ago

• Requires in-house hardware and support

• We are moving to Amazon SNS and SQS• AWS is an attractive option due to simplicity, flexibility, and

reasonable cost• Trivial to add new consumer queues to an SNS topic

EDA & Syncing AD Groups 2013.11.07 6

Information Security Considerations• Group data risk assessment and classification• Assessment conducted by Michael Brogan 2 years ago

• http://events.internet2.edu/2011/spring-mm/agenda.cfm?go=session&id=10001722&event=1035

• UW policy data classes: public, restricted, or confidential

• Groups have a hierarchical administrative model• Admin controls on who can create groups and modify

their attributes and membership

• Group data is signed and encrypted while in transit• In addition to the SSL data channel encryption

• Groups with viewer restrictions cannot be Exchange email-enabled

EDA & Syncing AD Groups 2013.11.07 7

UW AD as a Group Event Consumer• Group Sync Agent is a Windows Service and reads from the

ActiveMQ or SQS queue• Periodic reconciliation compares Grouper data to AD data and

adjusts the latter as needed• Group viewership restrictions result in the updating of AD

group ACLs• Brian’s Hiding Data in AD http://blogs.uw.edu/uwwi-blog/

• Administrative model is enforced in Grouper, AD groups updated only by Group Sync (with a few exceptions)

• AD replication latency issues resolved by using domain controller affinity• Event queues are abstracted as interfaces

EDA & Syncing AD Groups 2013.11.07 8

What's Next?

• Completing the switch over to Amazon SNS/SQS• Implementations for other queues, e.g. Azure

Message Bus?• Using the message queue model for bi-directional

group change flow (for those exceptional groups)• Perhaps inserting a workflow processor in place of

a simple queue• Sharing code?

EDA & Syncing AD Groups 2013.11.07 9

Conclusion

• Happy with results, it’s very reliable and usually quite fast• ~50k messages per month

• Course group creation at quarter start imposes an unusual load; ACL setting causes queue back ups• Prioritizing interactive group changes over bulk updates• Release course creation over a longer period of time

• Looking at other places were the EDA pattern can be applied

EDA & Syncing AD Groups 2013.11.07 10

Appendix

EDA & Syncing AD Groups 2013.11.07 11

MessageQueueFactory

IMessageQueue CreateMessageQueue(QueueType queueType)

<<Interface>>

IMessageQueue

IQueueMessage ReadMessage()void CancelRead()

SqsQueue : IMessageQueue

IQueueMessage ReadMessage()void CancelRead()

NmsQueue : IMessageQueue

IQueueMessage ReadMessage()void CancelRead()

<<Interface>>

IQueueMessage

string RawBody()void RemoveFromQueue()

SqsQueueMessage

string RawBody()void RemoveFromQueue()

NmsQueueMessage

string RawBody()void RemoveFromQueue()

GroupChangeObject

SqsMessageDeserializer : IGroupsMessageDeserializer

<<Interface>>

IGroupsMessageDeserializer

GroupChangeObject Deserialize(string rawBody)

NmsMessageDeserializer : IGroupsMessageDeserializer

GroupChangeObject Deserialize(string rawBody)

GroupChangeObject Deserialize(string rawBody)

GroupNameMembersother group properties

GroupsServiceDeserializerFactory

IGroupsMessageDeserializer CreateMessageDeserializer(QueueTypes queueType)

Group Sync Agent EventMessage Classes

10/24/2013