LDAP Management at Stony Brook
Making Active Directory and PeopleSoft Work Together
SUNY Technology Conference
Rochester, New York
Monday June 12, 2006

LDAP Management at Stony Brook: Agenda

- Background
  - Project Team
  - Project Mandates
  - Problems to Solve
  - Realizations
  - Decisions
- Active Directory
  - How it's designed
  - What is the NetID?
- ADAM (Active Directory Application Mode)
  - What is it?
  - How it integrates with Active Directory
- LDAP Schema (stonybrookEduPerson)
  - What is it?
  - How it's incorporated into ADAM
- NetID Process Management
  - How NetIDs are provisioned/de-provisioned
  - How AD, ADAM and PeopleSoft are synchronized
- Authentication/Authorization using AD/ADAM
  - Applications/Systems which currently utilize AD/ADAM
- PeopleSoft's Role
  - How PeopleSoft is used in the LDAP management process
- Future Plans…
LDAP Management at Stony Brook: About Stony Brook
Situated on 1,000 wooded acres on the north shore of Long Island
- Undergraduate students: 14,287
- Total students: 22,011
- More than 1,900 faculty
- More than 12,000 total employees

LDAP Management at Stony Brook: Project Team
Comprised of members from each of the DoIT departments:
- Client Support
- Computer Operations
- Information Systems
- Instructional Computing
- Systems Support
- Telecommunication and Networking
- Other technical areas
Lots of expertise, many problems to solve, many opinions.

LDAP Management at Stony Brook: Project Mandates
Develop a mechanism for determining individuals' eligibility for campus services
- Conform to I2/Educause standards
- Use the eduPerson model for LDAP

LDAP Management at Stony Brook: Problems to solve
- Individuals have different user IDs in different systems
- Too many passwords to remember
- Different methods for resetting forgotten passwords
- Redundant efforts by system administrators
- Delays in provisioning/de-provisioning accounts
- How to handle guest accounts
- How to handle club accounts
- Need to extend access for users who are no longer "active"
- Difficulty troubleshooting users' problems

LDAP Management at Stony Brook: Realizations
LDAP itself doesn't solve problems
- No magic bullet solution (can't solve every problem or handle every single exception with technology)
- If we try to do everything, we'll end up doing nothing

LDAP Management at Stony Brook: Decisions
- Break up the project into discrete tasks
- Phased-in approach
- Look at things that are working and keep them or improve them:
  - Computer Accounts Database
    - Manages user accounts
    - Most user IDs are standard across systems
    - Set of rules for provisioning/de-provisioning
  - Existing Microsoft Network
    - Upgrade to Windows 2003…Active Directory
    - Leverage existing infrastructure and expertise
  - PeopleSoft
    - Authoritative source for person data
    - Single identifier (Stony Brook ID) for all Students, Faculty, Staff, Alumni
    - Existing method for tracking affiliates
    - Self-Service system (SOLAR) provides secure, personalized web content
    - Customizable

LDAP Management at Stony Brook: Active Directory
Active Directory Design
A simple Windows 2003 AD (Native Mode)
- AD Forest consists of two domains
  - Empty root domain (sbroot.stonybrook.edu): hosts DDNS servers
  - Primary domain (campus.stonybrook.edu): contains all user accounts, known as NetIDs
- All objects, including accounts, are maintained in OUs whose management can be delegated
- External trusts to other ADs

LDAP Management at Stony Brook: Active Directory
What is the NetID?
User accounts in AD
- NetIDs provisioned for all students, staff, faculty, affiliates, etc.
- Intended to be the single source of authentication for multiple systems and applications (not just for Windows PCs)
- Licensing costs per NetID (Microsoft Campus Agreement)

LDAP Management at Stony Brook: ADAM
ADAM (Active Directory Application Mode)
- It is an LDAP Directory Service
- Consider it Active Directory Lite, without the overhead of a full AD implementation
- Runs as a service on Windows Server 2003 R2 or Windows XP Pro SP2
- Can be run on a stand-alone server or member of a domain (Windows 2000, 2003 AD or NT 4.0 Domain)
- Multiple instances of ADAM can be run on the same server
- It's free!!!

LDAP Management at Stony Brook: ADAM
Integrates with Active Directory
- Supports SASL (Windows) for authentication
- Supports simple bind for authentication
- Can use AD credentials for authentication
  - Bind redirection is used to create security principals (userProxy accounts) in ADAM which redirect authentication to AD
- NetID synchronized between AD and ADAM
  - ADAMSYNC.EXE tool used to synchronize from AD to ADAM
  - NetIDs are replicated to ADAM as userProxy accounts
- Schema changes can be implemented in ADAM without affecting the AD schema
  - Since ADAM synchronizes with AD, this effectively allows us to extend the AD schema without ever having touched it

LDAP Management at Stony Brook: LDAP Schema (stonybrookEduPerson)
stonybrookEduPerson
A schema definition based upon eduPerson
- Extends eduPerson to provide specific attributes required at Stony Brook
- This schema was defined in the ADAM instance that is synchronized with AD

LDAP Management at Stony Brook: NetID Process Management
NetID Provisioning
1. Person information/status entered into PeopleSoft
2. Computer Accounts Database reads in new information and assigns a NetID
3. Scripts read in updates from Computer Accounts Database, create the new NetID in AD and update the associated person information in PeopleSoft with NetID information
4. NetID creations synchronized from AD to ADAM

LDAP Management at Stony Brook: NetID Process Management
NetID De-provisioning
1. Person status changes in PeopleSoft (terminated, graduated, etc.)
2. Computer Accounts Database reads in new information and disables the associated NetID
3. Computer Accounts deletes NetIDs if they remain disabled for a predetermined amount of time
4. Scripts read in updates from Computer Accounts, disable/delete accounts in AD and update associated person information in PeopleSoft with NetID information
5. NetID deletions synchronized from AD to ADAM. No need to synchronize disabled NetIDs, as AD remains the single source of authentication through use of bind redirection

LDAP Management at Stony Brook: NetID Process Management
Attribute/Group Synchronization
- Specific attributes as defined in "stonybrookEduPerson" are stored and maintained in PeopleSoft for each person who has a NetID
- Group membership is also stored and maintained in PeopleSoft for each person who has a NetID
  - StudentActive, StudentEnrolled, EmployeeActive, etc.
- Scripts read in this information and update the associated attributes or group memberships for each NetID in ADAM
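The provisioning, de-provisioning and group-synchronization flows on the three slides above, modelled as an added example (not the presenters' own scripts): the function turns a constructed PeopleSoft feed into the actions the scheduled scripts would push to AD and to ADAM. The 90-day deletion delay and the NetID naming rule are assumptions of mine; the slides only say "a predetermined amount of time" and that the Computer Accounts Database assigns the NetID.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional, Set, Tuple

# Assumed retention period: the slides only say "a predetermined amount of time".
DELETE_AFTER_DISABLE = timedelta(days=90)

@dataclass
class Person:
    sbid: str                       # Stony Brook ID, PeopleSoft's single identifier
    status: str                     # PeopleSoft status: active / terminated / graduated
    groups: Set[str]                # e.g. {"StudentActive", "StudentEnrolled"}
    netid: Optional[str] = None     # AD account name once provisioned
    disabled_on: Optional[date] = None

def plan_netid_actions(people: List[Person], today: date,
                       assign_netid: Callable[[Person], str]) -> Tuple[list, list]:
    """Return (ad_actions, adam_actions) that the scheduled scripts would apply."""
    ad, adam = [], []
    for p in people:
        if p.status == "active":
            if p.netid is None:
                # AD gets the real account; ADAM gets a userProxy that redirects binds to AD.
                p.netid = assign_netid(p)
                ad.append(("create", p.netid))
                adam.append(("create_userproxy", p.netid))
            # Group membership lives in PeopleSoft and is pushed only to ADAM (authorization data).
            adam.append(("set_groups", p.netid, sorted(p.groups)))
        elif p.netid is not None:
            if p.disabled_on is None:
                p.disabled_on = today
                ad.append(("disable", p.netid))
                # No ADAM action: bind redirection means a disabled AD account cannot authenticate anyway.
            elif today - p.disabled_on >= DELETE_AFTER_DISABLE:
                ad.append(("delete", p.netid))
                adam.append(("delete_userproxy", p.netid))
                p.netid = None
    return ad, adam

def demo_plan() -> Tuple[list, list]:
    """Run the plan over a constructed PeopleSoft feed dated to the conference."""
    feed = [
        Person("100000001", "active", {"StudentEnrolled", "StudentActive"}),
        Person("100000002", "terminated", set(), netid="jdoe"),
        Person("100000003", "graduated", set(), netid="asmith", disabled_on=date(2006, 1, 1)),
    ]
    # Constructed NetID rule (last six digits of the SBID); the real rule is not on the slides.
    return plan_netid_actions(feed, date(2006, 6, 12), lambda p: "sb" + p.sbid[-6:])
```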
LDAP Management at Stony Brook: NetID Process Management
User Self-Service
- A web interface is provided through PeopleSoft which allows users to reset their NetID password
  - Web interface utilizes a separate authentication based upon Stony Brook ID#
  - Security questions must also be answered before a password reset can occur
- Scripts read in these password resets and update AD with the new passwords. No need to synchronize password resets for NetIDs, as AD remains the single source of authentication through use of bind redirection

LDAP Management at Stony Brook: Authentication/Authorization using AD/ADAM
- Applications/Systems that choose to authenticate using LDAP can do so against AD or ADAM using SASL or simple bind over SSL
- Applications/Systems which require specific attributes or group memberships for authorization purposes utilize ADAM
- Applications/Systems which are currently using AD/ADAM for authentication/authorization:
  - Remote Access (VPN, dial-up, wireless) via RADIUS
  - Student PC Registration
  - Blackboard (Online Courses)
  - Ex Libris - Aleph (Library System)

LDAP Management at Stony Brook: PeopleSoft's Role
Screenshots of the PeopleSoft/SOLAR pages that:
- Provide general information about NetID and services
- Give users their NetID
- NetID password change
- Test NetID Password from SOLAR
- Help desk view of AD accounts
Group maintenance
- Send attributes to AD/ADAM
- Reconcile discrepancies between PS and directory
- Allow system administrators to disable accounts using service indicators

LDAP Management at Stony Brook: Future Plans…
- Migrate functionality of Computer Accounts Database into PeopleSoft
  - All NetID provisioning/de-provisioning will occur directly in PeopleSoft
  - Add functionality to update LDAP directly from PeopleSoft, eliminating the need and delay inherent in the use of scheduled scripts
- Continue adding applications and systems to utilize AD/ADAM for authentication and authorization
  - ezProxy
  - SoftWeb (allows authorized persons to download software)
  - UNIX Logons
  - And more….

LDAP Management at Stony Brook: Contact us
Andrew Kirsch
andrew.kirsch@stonybrook.edu
(631) 632-8722
Brian Heller
brian.heller@stonybrook.edu
(631) 632-9254