Authentication Authorization Infrastructure

Academic year: 2021

(1)

Authentication Authorization Infrastructure

Jan Du Caju

(2)

AAI update

• LDAP

• Kerberos

• Shibboleth

(3)

LDAP

end user LDAP servers (in fail-over, without password hashes):

• ldap.kuleuven.be (points to ldap1 and ldap2.kuleuven.be)

• search base: ou=people, dc=kuleuven, dc=be

authentication LDAP servers (in fail-over):

• ldap-auth1.kuleuven.be (central services excluding samba)

• ldap-auth2.kuleuven.be (samba)

(4)

LDAP anonymous access

# organigram info http://organigram.kuleuven.be

dn: KULouNumber=50000052,ou=unit,dc=kuleuven,dc=be
objectClass: organizationalUnit
objectClass: KULou
ou: Secretariaat rector
parentOu: 50000051
diensthoofd: u0026006
KULouNumber: 50000052

(5)

LDAP anonymous access

(continued)

# diploma information

dn: dipl=50045325,ou=diploma,dc=kuleuven,dc=be
objectClass: KULdiploma
dipl: 50045325
diplnaam: Licentiaat in de Archeologie

# study programme (opleiding) information

dn: oplnr=50046282,ou=opleiding,dc=kuleuven,dc=be
objectClass: opleiding
oplnr: 50046282

(6)

LDAP anonymous access

(continued)

# personnel info http://cwis.cc.kuleuven.be

dn: uid=u0001439,ou=people,dc=kuleuven,dc=be
objectClass: person
objectClass: eduPerson
objectClass: KULPerson
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: krb5Principal
objectClass: krb5KDCEntry
uid: u0001439
ou: people
ou: Leuvens Universitair Dienstencentrum voor Informatica en Telematica (LUDIT)
cn: Jan Du Caju
LUDITserver: mail.cc.kuleuven.ac.be
homeDirectory: /home/u0001439
loginShell: /bin/bash

(7)

LDAP anonymous access

(personnel continued)

eduPersonOrgUnitDN: o=people,dc=kuleuven,dc=be
uidNumber: 15677
gidNumber: 50000954
KULprimouNumber: 50000954
KULouNumber: 50000954,50014501,50000953,50000854
sn: Du Caju
givenName: Jan
postalAddress: LUDIT, de Croylaan 52A, B-3001 Heverlee, Belgium
telephoneNumber: +32 16 322785
KULvpnGroup: ou=Admins
mail: [email protected],,[email protected]
KULtap: ATP
KULtypePers: ATP
eduPersonAffiliation: staff,employee,member

(8)

LDAP anonymous access

(continued)

# student info

dn: uid=s0112264,ou=people,dc=kuleuven,dc=be
objectClass: person
objectClass: eduPerson
objectClass: KULPerson
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: krb5Principal
objectClass: krb5KDCEntry
ou: people
uid: s0112264
cn: s0112264
LUDITserver: urc1.cc.kuleuven.ac.be
gidNumber: 1000
stamnr: 990433020
KULid: 0112264

(9)

LDAP anonymous access

(students continued)

eduPersonOrgDN: dc=kuleuven,dc=be
eduPersonOrgUnitDN: o=people,dc=kuleuven,dc=be
eduPersonAffiliation: student
eduPersonAffiliation: member
uidNumber: 229885
homeDirectory: /home/s0112264
loginShell: /bin/bash

(10)

LDAP attributes to specific apps

# not query-able; only LDAP bind from KULeuvenNet authentication servers and LUDIT central servers (mail, Toledo)

userPassword: {SHA1}PASSWORD   # released to none
eduPersonPrincipalName: {SHA1}[email protected]
KULCryptPassword: {CRYPT}PASSWORD

# towards central KULeuvenNet Kerberos servers

krb5PrincipalName: [email protected]
krb5KeyVersionNumber: 3
krb5Key: {KERBEROS}PASSWORD
krb5MaxLife: 86400
krb5MaxRenew: 604800
krb5KDCFlags: 126

(11)

LDAP attributes to specific apps

(continued)

# towards central LUDIT samba domain controller and decentral fysica samba domain controller

sambaSID: S-1-5-21-1909459663-1903662737-1494088821-32354
sambaNTPassword: {NTLMv2}PASSWORD
sambaPwdLastSet: 1
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaAcctFlags: [U ]
sambaPrimaryGroupSID: S-1-5-21-1909459663-1903662737-1494088821-50000954

(12)

LDAP student attributes to specific apps

sn: Achternaam
givenName: Voornaam
dipl: 50000000
opl: 2004 50000000 02
mail: [email protected]
KULlibisnr: 0000002
KULouNumber: 50000707

(13)

Kerberos

servers: kdc1.kuleuven.be and kdc2.kuleuven.be

principal: <intranetUid>@KULEUVEN.BE

Windows clients authenticating to central kdc's:

• users created in AD with random password

• mapped user to principal

• changed kdc of user from AD to central kdc's (name mappings)

(14)

[Diagram: Shibboleth flow. The user ("who are you? jan") requests pageX from an AAI-enabled resource (web server with the Shibboleth SP, Service Provider), is redirected via the WAYF (Where Are You From) to the AAI-enabled home organization K.U.Leuven (authentication system, user directory, Shibboleth IdP, Identity Provider); the numbered steps 1 to 10 pass a handle, the attribute request (handle + attributes?) and the attributes back to the SP, after which pageX is served.]

(15)

Shibboleth

Home organization: cas.kuleuven.be, idp.kuleuven.be

Service provider (and documentation): http://shib.kuleuven.be

IdP: ldap-auth1

(16)

Shibboleth Federation

Common set of policies, practices and guidelines:

• IdP|SP: no end user workstation, properly patched, ...

• a registry to process applications to the federation

• distribution of membership information (IdP's and SP's)

Attributes needed for Shibboleth:

• classification of users for basic authorizations (access to app)

• exchange of attributes within the federation

Federations

• K.U.Leuven

(17)

Classification of users for basic authorizations

eduPersonAffiliation:

• value

[student|faculty|staff|employee|alum|member|affiliate]

affiliate = external, not member. Affiliate is intended to apply to people with whom the university has dealings, but to whom no general set of "community membership" privileges are extended.

if [student|faculty|staff] then also member

if [faculty|staff] then also employee

• use

(federations)

(18)

Classification of users for basic authorizations

eduPersonScopedAffiliation:

• value

eduPersonAffiliation@<domain>.be e.g. [email protected]

• use

(federations) Associatie

• ARP

(Attribute Release Policy) general usability

(19)

Classification of users for basic authorizations

KULouPrimaryNumber:

• value

organigram code of unit(s) an employee is assigned to

• use

(federations) K.U.Leuven

• ARP

(Attribute Release Policy) general usability

(20)

Classification of users for basic authorizations

KULouNumber:

• value

– personnel (or employee): KULouPrimaryNumber + all organigram codes of the units above it in the organigram tree the employee is assigned to

– student: organigram code of the faculty

• use

(federations) K.U.Leuven

• ARP

(Attribute Release Policy)

– personnel: general usability

– student: specific apps
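Added example (Python, not from the original slides): it applies the eduPersonAffiliation implication rules of slide 17 and the personnel KULouNumber rule of slide 20 to a small constructed LDIF snapshot laid out like the organigram and person entries of slides 4 and 7. The functions parse_ldif, ou_chain, derive_affiliations and person_attributes, the unit numbers and the uid are all invented for the example; the scoped affiliation uses the eduPersonAffiliation@<domain> form of slide 18.

```python
# Added example, not from the slides: derive IdP attributes from a constructed LDIF
# snapshot modelled on slides 4 and 7 (the unit numbers and uid below are invented).
LDIF = """dn: KULouNumber=50000051,ou=unit,dc=kuleuven,dc=be

dn: KULouNumber=50000052,ou=unit,dc=kuleuven,dc=be
parentOu: 50000051

dn: uid=u0000001,ou=people,dc=kuleuven,dc=be
uid: u0000001
KULprimouNumber: 50000052
eduPersonAffiliation: staff
"""
def parse_ldif(text):
    """Minimal LDIF reader, {dn: {attr: [values]}}; no base64 or folded lines."""
    entries, cur = {}, None
    for line in filter(str.strip, text.splitlines()):
        attr, _, value = line.partition(": ")
        if attr == "dn":
            cur = entries.setdefault(value, {})
        else:
            cur.setdefault(attr, []).append(value)
    return entries

def ou_chain(units, primary):
    """Personnel KULouNumber (slide 20): primary unit plus every unit above it."""
    chain, ou = [], primary
    while ou:
        if ou in chain: raise ValueError("cycle in organigram at " + ou)
        chain.append(ou)
        ou = units.get(ou, {}).get("parentOu", [None])[0]
    return chain

def derive_affiliations(values):
    """Slide 17 rules: student/faculty/staff imply member, faculty/staff imply employee."""
    result = set(values)
    if result & {"student", "faculty", "staff"}:
        result.add("member")
    if result & {"faculty", "staff"}:
        result.add("employee")
    return sorted(result)

def person_attributes(ldif_text, uid, domain="kuleuven.be"):
    """Attributes the IdP would assert for uid, in the form the slides show."""
    entries = parse_ldif(ldif_text)
    units = {dn.split(",")[0].split("=")[1]: e for dn, e in entries.items() if ",ou=unit," in dn}
    person = entries["uid=%s,ou=people,dc=kuleuven,dc=be" % uid]
    aff = derive_affiliations(person["eduPersonAffiliation"])
    return {"eduPersonAffiliation": aff,
            "eduPersonScopedAffiliation": [a + "@" + domain for a in aff],
            "KULouNumber": ",".join(ou_chain(units, person["KULprimouNumber"][0]))}
```

The student case of slide 20 (KULouNumber = faculty code) is not derived here because the slides do not say how the faculty is found for a student.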

(21)

Classification of users for basic authorizations

dipl:

• value

code of a diploma e.g. 50045349 for

Kandidaat in de Taal- en Letterkunde: Germaanse Talen

• use

(federations) K.U.Leuven

• ARP

(Attribute Release Policy) specific apps

(22)

Classification of users for basic authorizations

opl:

• value

<year> <opleidingsnummer> <year_within_opleiding>

e.g. 2005 50046649 00 for opleidingsnummer 50046649 with name Kandidaat in de Taal- en Letterkunde: Germaanse Talen

• use

(federations) K.U.Leuven

• ARP

(Attribute Release Policy) specific apps

(23)

exchange of attributes within federations

K.U.Leuven federation

general

• KULouPrimaryNumber

• KULouNumber

specific applications

• uid, cn, surName, givenName, mail (students)

• opl, dipl

Associatie K.U.Leuven

general

• eduPersonAffiliation:

(24)

Release of attributes to Specific apps

Toledo & Kotnet

• uid@<domain>.be (eduPersonPrincipalName)

• surname

• givenName

• commonName
