User database - UNINETT Openwiki

LDAP user database
Marina Vermezović
Academic Network of Serbia
Skopje 15.09.2011.
What is it all about?
Services/resources:
- network access – wireless, VPN
- web services – e-learning, e-library, student portal
Authentication – who are you?
Authorization – what can you do?
AAI – Authentication and Authorization Infrastructure: makes access to protected services easier
Akademska mreža Srbije
www.amres.ac.rs
Without AAI
(Diagram: every service provider performs its own authentication and authorization.)
Faculty A – service providers: wireless, videoconference, e-learning, student services – each with its own Auth + Autz
Library B – service providers: wireless, e-books – each with its own Auth + Autz
With AAI
(Diagram: one Identity Provider, backed by Identity Management, authenticates the user; each service provider keeps only its own authorization.)
Faculty A – Identity provider (Identity Management): Auth
Faculty A – service providers: wireless, videoconference, e-learning, student services – Autz only
Library – service providers: wireless, e-books – Autz only
Circle of Trust
High level AAI diagram
(Diagram: User database → IdP. Network SPs (NAS: eduroam, VPN) reach the IdP over RADIUS; web SPs (web resource, wiki pages) reach it over SAML; the Federation links IdPs and SPs with SAML.)
Basis for the development of all services that need local and inter-institutional AuthN and AuthZ
What is a digital user identity?
Set of data (attributes) about a user:
- Personal user data: name, surname, date of birth, national identification number
- Contact information: mail, address, phone
- Data regarding affiliation to the institution: name of the institution, affiliation (student, employee, guest), designation (for employees), type of studies (for students), local identification number
- Credentials used for authentication: username/password, certificate
- Data that uniquely identifies the person: person-identifying, e.g. username@institutional.domain; non-person-identifying, e.g. contact information (mail, address, phone)
- User roles and privileges
LDAP user database
Which database to use for storing user IDs?
Basically you can choose any:
- Relational: MySQL, Oracle, PostgreSQL
- Hierarchical (directory): OpenLDAP, Active Directory
But... there are some advantages
Directories – made for storing user IDs? (User database – why LDAP?)
Relational Databases vs Directories
Schema
- Relational databases: no standard schema for tables and data fields
- Directories: international standards to describe persons and organizations
Organization
- Relational databases: one logical entity can be stored in multiple tables
- Directories: one logical entity = one entry in the DIT
Multivalue data
- Relational databases: mandates a new table, or a fixed number of multiple data fields
- Directories: native support for multi-valued attributes
Flexibility
- Relational databases: changes in data fields can require big effort
- Directories: granular modification of the schema; easy to add attributes
Access
- Relational databases: no standard protocol for access via network
- Directories: define a protocol for access via network: LDAP
Optimization
- Directories: optimized for reading (many lookups, few writes), which matches an authentication workload
Resource: http://www.terena.org/activities/idm/moldova/intro2LDAP.pdf
LDAP dictionary
LDAP dictionary revealed
Directory Information Tree (DIT)
- term for the structure the data is organized in
- hierarchical (tree-like); for example: Organization → Organizational Unit → Person
Entry
- single node in the directory tree, describing one object
Attribute
- attribute name / attribute value pair contained in the entry
- can be single-valued or multi-valued
objectClass
- logical group of attributes
- an entry has one or more objectClasses assigned, and must have exactly one structural one (auxiliary classes such as eduPerson are added on top of it)
- the attributes of a class are mandatory (MUST) or optional (MAY)
RDN – Relative Distinguished Name
- value by which entries are distinguished within one branch
- built from one or more attributes of the entry
- something like a folder name, or a primary key in relational databases
DN – Distinguished Name
- "path" to the entry, uniquely identifying it
- consists of all RDNs found on the path from the entry up to the root, separated by commas, the entry's own RDN first
Base DN
- DN of the DIT root (the suffix under which all entries of the directory live)
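The terms above in code, as an added example that is not part of the original slides: a small Python module that splits DNs into RDNs, derives the parent DN, checks that an entry lies under a base DN, escapes user-supplied RDN values per RFC 4514, and enforces the one-structural-objectClass rule. The base DN and the miniature schema table are assumptions of the example (the kinds given for the well-known classes are the real ones: inetOrgPerson is structural, eduPerson and schacPersonalCharacteristics are auxiliary).

```python
"""Added example (not from the original slides): the LDAP vocabulary in code.

Splits a DN into its RDNs, derives the parent DN and the RDN, tests whether an
entry lies under a base DN, escapes user-supplied RDN values (RFC 4514), and
enforces the "exactly one structural objectClass" rule against a small schema
table. The schema table and all DNs below are assumptions of this example.
"""
import re

# Hypothetical minimal schema knowledge; a real server reads this from its
# loaded schema. Structural classes also record their superior (SUP) class.
OBJECT_CLASS_KIND = {
    "top": "abstract", "person": "structural", "organizationalPerson": "structural",
    "inetOrgPerson": "structural", "organization": "structural",
    "organizationalUnit": "structural", "eduPerson": "auxiliary",
    "schacPersonalCharacteristics": "auxiliary",
}
STRUCTURAL_SUP = {"person": "top", "organizationalPerson": "person",
                  "inetOrgPerson": "organizationalPerson",
                  "organization": "top", "organizationalUnit": "top"}

_RDN_SPLIT = re.compile(r"(?<!\\),")     # commas not escaped by a backslash
_AVA_SPLIT = re.compile(r"(?<!\\)\+")    # '+' joins the parts of a multi-valued RDN
_DN_SPECIAL = ',+"\\<>;'                 # RFC 4514 characters that must be escaped


def parse_dn(dn):
    """DN -> list of RDNs, each a list of (attribute type, value) pairs.
    Types are lower-cased; values keep their escaping."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        pairs = []
        for ava in _AVA_SPLIT.split(rdn):
            attr_type, _, value = ava.partition("=")
            pairs.append((attr_type.strip().lower(), value.strip()))
        rdns.append(pairs)
    return rdns


def rdn_of(dn):
    return _RDN_SPLIT.split(dn)[0]


def parent_dn(dn):
    return ",".join(_RDN_SPLIT.split(dn)[1:])


def is_under(dn, base_dn):
    """True if dn is base_dn or lies in its subtree. Comparison is a plain
    case-insensitive string match; a server applies each attribute's matching rule."""
    entry = [r.strip().lower() for r in _RDN_SPLIT.split(dn)]
    base = [r.strip().lower() for r in _RDN_SPLIT.split(base_dn)]
    return len(entry) >= len(base) and entry[-len(base):] == base


def escape_dn_value(value):
    """Escape a value for use inside an RDN so that attacker-controlled input
    (for example a username containing ',ou=admins') cannot add RDNs."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(attr_type, value, parent):
    return f"{attr_type}={escape_dn_value(value)},{parent}"


def _ancestors(oc):
    chain = []
    while oc in STRUCTURAL_SUP:
        oc = STRUCTURAL_SUP[oc]
        chain.append(oc)
    return chain


def structural_class(object_classes):
    """Return the entry's single most specific structural objectClass.
    inetOrgPerson implies organizationalPerson and person, so those ancestors do
    not count as a second structural class; two unrelated ones (or none) are an error."""
    structural = [oc for oc in object_classes if OBJECT_CLASS_KIND.get(oc) == "structural"]
    leaves = [oc for oc in structural
              if not any(oc in _ancestors(other) for other in structural if other != oc)]
    if len(leaves) != 1:
        raise ValueError(f"entry must have exactly one structural objectClass, found {leaves}")
    return leaves[0]


if __name__ == "__main__":
    base = "dc=example,dc=ac,dc=rs"                        # hypothetical base DN
    dn = build_dn("uid", "jdoe", "ou=People," + base)
    print(dn, "->", parse_dn(dn))
    print("parent:", parent_dn(dn), "| under base:", is_under(dn, base))
    print("structural:", structural_class(["top", "person", "organizationalPerson",
                                           "inetOrgPerson", "eduPerson"]))
    print("injected value:", build_dn("uid", "jdoe,ou=admins", "ou=People," + base))
```

The escaping step is the security-relevant one: a DN built by string concatenation from a username such as `jdoe,ou=admins` would contain an extra RDN, so every value that comes from a user or a source system goes through `escape_dn_value` (or the equivalent in the LDAP library you use) before it becomes part of a DN.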
LDAP schema mystery?
A schema consists of one or more objectClasses
(Diagram: schema → objectClass X → attribute X → attribute X definition. Each objectClass lists the attributes it requires or allows, and each attribute has its own definition: syntax and matching rules.)
Which schema should I use?
One can define a proprietary schema to use within the organization
But... if inter-institutional AuthN and AuthZ is used, such as in an NREN AAI, using the same schema becomes important
Institutions that are involved in an NREN AAI should use the same schema because it:
- unifies attributes, their use and semantics
- lets Service Providers know what to expect during AuthN and AuthZ
Standard LDAP schemas
Designed for campus directories:
eduPerson (eduPerson200604)
- Internet2 MACE group
- attributes describe a person in higher education; eduPerson is an auxiliary objectClass, added to an inetOrgPerson entry
eduOrg (eduOrg200210)
- Internet2 MACE group
- attributes describe an organization in higher education
eduMember (eduMember200507)
- Internet2 MACE-Dir WG
- deals with the problem of assigning rights and privileges to users (group membership)
SCHAC (SCHema for ACademia)
- TERENA TF-Middleware, TF-EMC2
- complements eduOrg and eduPerson with attributes specific to the European education system
How to approach it?
A schema for the national AAI should be defined
Examples:
- rsEdu: https://bpd.amres.ac.rs/doku.php?id=amres_aai_wiki:pregled_atributa
- hrEdu: http://schema.aaiedu.hr/shema/
- norEdu: http://www.feide.no/feide/sites/drupal.uninett.no.feide/files/documents/norEdu_spec.pdf
More at https://refeds.terena.org/index.php/FederationSchema
How to design a national schema?
- Use the standard schemas: eduPerson, eduOrg, SCHAC
- If an attribute specific to the national education system doesn't exist, define it in the national schema
- Keep in mind that you want to describe NREN students, researchers, teachers...
- This enables compatibility between national AAIs in a confederation
How to implement an LDAP directory?
LDAP is the protocol for accessing the directory
- Current version LDAPv3, described in RFC 4510 (and the RFCs it references)
- Uses TCP, port 389 (LDAPS, LDAP over TLS, uses port 636)
Client-server model; some operations:
- Start TLS (upgrades a plain port-389 connection to TLS; do it before Bind, so that credentials are never sent in clear text)
- Bind (authenticate to the directory)
- Search
- Compare
- Add a new entry
- Delete an entry
- Modify an entry
Which LDAP server software to use?
Quite a long list:
- 389 Directory Server
- Active Directory
- Apache Directory Server
- Apple Open Directory
- FreeIPA
- IBM Tivoli Directory Server
- Mandriva Directory Server
- Novell eDirectory
- OpenDJ
- OpenDS
- OpenLDAP
- Optimal IdM
- Oracle Internet Directory
- Radiant Logic VDS
- Sun Java System Directory Server
How to manage LDAP data?
- Manually, with the LDAP command-line tools
- LDAP browsers: Apache Directory Studio, phpLDAPadmin, ...
- Make your own application
- Bulk import/synchronization from other source systems: Student Information System, Employee Registry, ...
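The bulk-import path in code, as an added example that is not part of the original slides: constructed Student Information System records are mapped to LDIF add records for inetOrgPerson entries carrying the eduPerson and schacPersonalCharacteristics auxiliary classes. The base DN, the domain, the attribute mapping, the username policy and the sample data are assumptions of the example. It validates usernames before they become part of a DN, base64-encodes values that are not LDIF SAFE-STRINGs (RFC 2849), and stores the initial password as an OpenLDAP {SSHA} hash instead of in clear text.

```python
"""Added example (not from the original slides): bulk-loading the directory
from a Student Information System export into LDIF.

Base DN, domain, attribute mapping, username policy and sample data are
assumptions of this example.
"""
import base64
import hashlib
import hmac
import os
import re

BASE_DN = "ou=People,dc=example,dc=ac,dc=rs"         # hypothetical suffix
DOMAIN = "example.ac.rs"                              # hypothetical scope for eduPersonPrincipalName
USERNAME_RE = re.compile(r"[a-z][a-z0-9._-]{1,31}")   # assumed local username policy

# Constructed sample export; a real SIS provides many more fields.
SIS_RECORDS = [
    {"username": "apetrovic", "given": "Ana", "sn": "Petrović", "dob": "19920301",
     "affiliations": ["student", "member"], "password": "initial-s3cret"},
    {"username": "mjovanovic", "given": "Marko", "sn": "Jovanovic", "dob": "19750812",
     "affiliations": ["employee", "faculty", "member"], "password": "another-s3cret"},
]


def ssha(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt) with an 8-byte random salt.
    It is the widely supported baseline; use a memory-hard scheme if the server offers one."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def ldif_line(attr, value):
    """One attribute line per RFC 2849: 'attr: value' only for a SAFE-STRING
    (ASCII, no leading space/colon/'<', no NUL/CR/LF), otherwise 'attr:: base64'."""
    safe = (value.isascii() and value[:1] not in (" ", ":", "<")
            and not any(c in value for c in "\r\n\0"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def entry_from_sis(rec, salt=None):
    """Map one SIS record to (dn, [(attribute, value), ...])."""
    uid = rec["username"]
    if not USERNAME_RE.fullmatch(uid):
        # Rejecting odd usernames keeps the DN and the LDIF well-formed (no ',ou=' tricks).
        raise ValueError(f"username {uid!r} violates the username policy")
    affiliations = rec["affiliations"]
    attrs = [
        ("objectClass", "inetOrgPerson"),                   # the single structural class
        ("objectClass", "eduPerson"),                       # auxiliary
        ("objectClass", "schacPersonalCharacteristics"),    # auxiliary
        ("uid", uid),
        ("cn", f"{rec['given']} {rec['sn']}"),
        ("givenName", rec["given"]),
        ("sn", rec["sn"]),
        ("mail", f"{uid}@{DOMAIN}"),
        ("eduPersonPrincipalName", f"{uid}@{DOMAIN}"),
        ("eduPersonPrimaryAffiliation", affiliations[0]),
        ("schacDateOfBirth", rec["dob"]),                   # YYYYMMDD per SCHAC
        ("userPassword", ssha(rec["password"], salt)),
    ]
    attrs += [("eduPersonAffiliation", a) for a in affiliations]   # multi-valued attribute
    return f"uid={uid},{BASE_DN}", attrs


def to_ldif(entries):
    """Render add records for ldapadd. Line folding at 76 columns is left out for brevity."""
    out = []
    for dn, attrs in entries:
        out.append(f"dn: {dn}")
        out.append("changetype: add")
        out.extend(ldif_line(a, v) for a, v in attrs)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_ldif(entry_from_sis(r) for r in SIS_RECORDS))
```

The output is fed to the server over a TLS-protected connection by an account that may only write under the People branch; the initial password should be forced to change at first login, and the source system's own identifier for the person is what a national schema attribute (rsEdu, hrEdu, norEdu) would carry.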
Identity Management
The lifecycle of a user's digital identity – IdM
Set of procedures and rules which define:
1. Who has the right to own a digital identity
2. When a digital identity is assigned to a person
3. How a digital identity is maintained
4. How the digital identity is used
5. How the digital identity is terminated
Every institution should have its own IdM policy
It must comply with the national personal data protection law and the EU Data Protection Directive
1. Who has the right to own a digital identity
- Pupils
- Students
- Teaching staff
- Other employees
- Other persons affiliated to the institution – members, guests?
2. When is a digital identity assigned to a person
When should the digital identity be created?
- Student: when applying for admission; when enrolling at the faculty; on the first day of studies; when he/she needs it
- Employee: on the first working day; when he/she needs it
Which information should it contain?
- mandatory or optional
- single-valued or multi-valued
- syntax
- predefined values
- rules for usernames and passwords
Where do you get the information from?
- automatically from another source system
- manually from a filled-in form
- manually, verbally
What is the quality of the information?
- other systems rely on that data, so it should be accurate
- multiple sources – synchronization problem
How and when is the identity checked?
3. How is a digital identity maintained
Digital identity data should be accurate and up to date
Who is responsible for reporting a change of data, and which data?
- User: personal data
- Institution administration: data regarding study/employment
How do you make the changes?
- User: by using a self-service portal
- Institution administration: automatically from another source; manually from a filled-in form; manually, verbally
When are the changes made?
- ASAP!
4. How is the digital identity used
Which systems can access the information?
- The ones which need AuthN, AuthZ and/or user data
They can access the directory:
- directly, using the LDAP protocol
- using a mediating authentication server: RADIUS, SAML, ...
Which data should be accessible?
- Access should be limited to the reasonable info (mail, birthday, ...) that each system needs
How are user rights and privileges defined?
- use existing user attributes
- add an attribute that describes the user role
5. How is the digital identity terminated
When is the digital identity terminated?
- When the person is no longer affiliated with the institution
- Student – when he/she graduates
- Employee – when he/she stops working
- Guest – ?
Who reports that it should be terminated?
- User
- Student administration service
- Employee administration service
- For guests – ?
How is it terminated?
- automatically from another source
- manually from a filled-in form
- manually, verbally
The time between the person no longer being affiliated to the institution and the termination of the id should be kept to a minimum
Is it deleted permanently?
Should you reassign once-used usernames?
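An added example, not part of the original slides, that ties steps 2 to 5 together in code: two constructed Student Information System snapshots (previous and current) are compared and turned into LDIF change records. Newcomers are added, changed affiliations are replaced, people who have left are locked rather than deleted so that the time between losing the affiliation and losing access is one synchronization run, their usernames go onto a never-reuse list, and the entry itself is deleted only after a retention period. The base DN, the snapshot format and the retention period are assumptions of the example; `pwdAccountLockedTime: 000001010000Z` is the permanent-lock value of OpenLDAP's ppolicy overlay, assumed to be configured.

```python
"""Added example (not from the original slides): keeping the directory in
step with the source system through the identity lifecycle.

Base DN, snapshot format and retention period are assumptions of this
example. Values are assumed ASCII; non-ASCII values need the '::' base64 form.
"""
from datetime import date, timedelta

BASE_DN = "ou=People,dc=example,dc=ac,dc=rs"     # hypothetical suffix
PURGE_AFTER = timedelta(days=365)                  # assumed retention policy before hard delete
PERMANENT_LOCK = "000001010000Z"                   # OpenLDAP ppolicy: account locked permanently

# Constructed snapshots, keyed by username.
PREVIOUS = {
    "apetrovic":  {"given": "Ana",   "sn": "Petrovic",  "affiliations": ["student", "member"]},
    "mjovanovic": {"given": "Marko", "sn": "Jovanovic", "affiliations": ["employee", "faculty", "member"]},
    "guest01":    {"given": "Guest", "sn": "One",       "affiliations": ["affiliate"]},
}
CURRENT = {
    "apetrovic":  {"given": "Ana",   "sn": "Petrovic",  "affiliations": ["alum"]},             # graduated
    "mjovanovic": {"given": "Marko", "sn": "Jovanovic", "affiliations": ["employee", "faculty", "member"]},
    "nnikolic":   {"given": "Nina",  "sn": "Nikolic",   "affiliations": ["student", "member"]},  # enrolled
}


def _dn(uid):
    return f"uid={uid},{BASE_DN}"


def _affiliation_ops(rec):
    return [("replace", "eduPersonAffiliation", rec["affiliations"]),
            ("replace", "eduPersonPrimaryAffiliation", [rec["affiliations"][0]])]


def plan_changes(previous, current, today, terminated, used_usernames):
    """Return (records, terminated, used_usernames).
    records: (dn, changetype, ops) tuples in apply order;
    terminated: uid -> date the account was locked (carried between runs);
    used_usernames: every uid ever issued, so a username is never reassigned."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    records, terminated, used_usernames = [], dict(terminated), set(used_usernames)

    for uid, rec in current.items():
        if uid in previous:
            if rec["affiliations"] != previous[uid]["affiliations"]:
                records.append((_dn(uid), "modify", _affiliation_ops(rec)))
        elif uid in terminated:                                     # came back within retention
            records.append((_dn(uid), "modify",
                            [("delete", "pwdAccountLockedTime", [])] + _affiliation_ops(rec)))
            del terminated[uid]
        elif uid in used_usernames:
            raise ValueError(f"username {uid!r} was issued before and must not be reassigned")
        else:
            attrs = [("objectClass", "inetOrgPerson"), ("objectClass", "eduPerson"),
                     ("uid", uid), ("cn", f"{rec['given']} {rec['sn']}"), ("sn", rec["sn"]),
                     ("eduPersonPrimaryAffiliation", rec["affiliations"][0])]
            attrs += [("eduPersonAffiliation", a) for a in rec["affiliations"]]
            records.append((_dn(uid), "add", attrs))
            used_usernames.add(uid)

    for uid in previous:
        if uid not in current and uid not in terminated:            # affiliation ended: lock now
            records.append((_dn(uid), "modify",
                            [("replace", "pwdAccountLockedTime", [PERMANENT_LOCK]),
                             ("delete", "eduPersonAffiliation", []),
                             ("delete", "eduPersonPrimaryAffiliation", [])]))
            terminated[uid] = today

    for uid, since in list(terminated.items()):                     # hard delete after retention
        if today - since >= PURGE_AFTER:
            records.append((_dn(uid), "delete", []))
            del terminated[uid]
    return records, terminated, used_usernames


def render(records):
    """Serialize the plan as LDIF for ldapmodify."""
    out = []
    for dn, changetype, ops in records:
        out += [f"dn: {dn}", f"changetype: {changetype}"]
        if changetype == "add":
            out += [f"{a}: {v}" for a, v in ops]
        elif changetype == "modify":
            for op, attr, values in ops:
                out += [f"{op}: {attr}"] + [f"{attr}: {v}" for v in values] + ["-"]
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    records, terminated, used = plan_changes(PREVIOUS, CURRENT, "2011-09-15", {}, set(PREVIOUS))
    print(render(records))
```

Locking instead of deleting keeps the DN stable for systems that have cached it, keeps the audit trail, and lets a person who returns within the retention period get the same identity back; the never-reuse list answers the last question on the slide with a policy that is enforced rather than remembered.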
Thank you for your attention
Questions ?