From Chad to LDAP Twenty Years of Authorization, Authentication, and Directory Services at UAB Landy Manderson User Services UAB Telecommunications University of Alabama at Birmingham

Post on 17-Dec-2015


Page 1: From Chad to LDAP Twenty Years of Authorization, Authentication, and Directory Services at UAB Landy Manderson User Services UAB Telecommunications University

From Chad to LDAP: Twenty Years of Authorization, Authentication, and Directory Services at UAB

Landy Manderson

User Services

UAB Telecommunications

University of Alabama at Birmingham

Copyright © Landy Manderson 2003

This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 2

First, Some Numbers

• 26,000+ employees (four different orgs)

• 56,000+ students (15,500 enrolled)

• 54,000+ alumni

• 115,000+ persons in directory

• 1,500 entities (schools, departments, services, offices, centers, etc.)

Page 3

1983-84

• Implement ACF2 security software on administrative mainframe.

• Create database of eligible users by combining info from employee and student databases.

• This same process is still in operation today, basically untouched!

Page 4

1985

• First new edition of printed Campus Directory in a number of years.

• Office automation and data merging experience were called upon to get it done quickly.

• Beginning of never-ending relationship with directory issues.

Page 5

1985-95

• Time flies when you’re having fun. Or not.

• Insert graphic of calendar pages flipping by.

• Well, a few things did happen ….

– Connected to BITNET, 1985

– Founding member of SURAnet, 1986-87

– BITNET/Internet connected mailhost, 1990

• Used same ID’s as admin mainframe

Page 6

1995-96

• UIUC/CCSO qi directory brought online

• Handles @uab.edu e-mail forwarding

• “alias” registered through web page

• Information provided from merge of employee and student databases; users can update some personal info through web

• Borrowed from ACF2 merges

• New e-mail server accounts sync’d with qi

Page 7

1997-98

• LDAP mirror of qi brought online

• New web interface

• “Organizational listings”/non-person entries added

• Online input for printed Campus Directory by departments

• Admin mainframe begins using @uab.edu addresses to send out reports/alerts

Page 8

1999

• Phonebook alias used for web sign-in to authenticate SMTP relay (mail sent from outside UAB to non-UAB addresses) – anti-spamming measure

• Dr. Clair Goldsmith hired as CIO / VP for Information Technology

• PKI “push” = need to get LDAP act together

Page 9

2000

• Dr. Goldsmith involved in eduPerson and LDAP Recipe activities

• LDAP committees formed

• Recipe 1.0 and eduPerson drafts published

• Windows 2000 Task Force created

• VPN implemented with qi authentication

• Library’s Virtual Desktop interfaced to qi

Page 10

2001

• “Mail-only” aliases function added

• eduPerson 1.0 released

• Alias => BlazerID

• ResNet online using qi authentication

• LDAP committee and Win2K Task Force work continues

Page 11

Pre-August 2002

• Recommendations from LDAP committees

• New programming to populate based on proposed data and eligibility requirements

• Incorporate eduPerson/Recipe into schema

• New web screens for sync/security

Page 12

UAB LDAP, pre-8/02

• Wanted something online for e-mail clients only supporting LDAP query

• “Magazine” pressure

• Little guidance on schema/population

• Read-only – no passwords.

• No “unlisted” users.

• Only updated from qi once a day

Page 13

UAB LDAP Committees

• Separate employee and student committees

• Propose useful attributes

• Define “continuums of association” and when we want people to be in directory

• PKI focused

Page 14

Continuums of association

Employees                 Students

Job applicant             Admissions applicant

Job offer extended        Accepted for enrollment

Hired                     Enrolled

On leave                  Not taking classes

Terminated                Dropped out

Retired                   Graduated
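The slides describe the population job only in outline: merge the employee and student feeds, decide from each person's place on the two continuums whether they belong in the directory, whether they get an authenticating BlazerID, and whether they are listed, and carry eduPerson attributes. The following Python is an added example of such a rule engine, written for this page; it is not UAB's code. The state-to-rule table, the treatment of every hire as "staff", the "ou=people" container under the dc=uab,dc=edu root, and the uid@uab.edu form of eduPersonPrincipalName are assumptions; the eduPersonAffiliation vocabulary and the rule that "member" is implied by faculty/staff/student/employee are eduPerson's own.

```python
"""
Added example (not from the presentation): turn a person's employee and
student continuum states into directory membership, account eligibility,
public listing, and eduPersonAffiliation values, then render LDIF.

Assumptions (ours, not UAB's): the rule table, the "ou=people" container
under dc=uab,dc=edu, and eduPersonPrincipalName = uid@uab.edu.
"""
import base64
from dataclasses import dataclass

# Order used to pick eduPersonPrimaryAffiliation (our choice).
PRIMARY_ORDER = ("faculty", "staff", "employee", "student", "alum", "affiliate", "member")
# eduPerson: "member" is implied by any of these.
IMPLIES_MEMBER = {"faculty", "staff", "employee", "student"}


@dataclass(frozen=True)
class Rule:
    listed: bool              # visible to anonymous phonebook searches
    account: bool             # may hold a password and authenticate
    affiliations: tuple = ()  # eduPersonAffiliation values contributed


# Keys are the continuum states as they appear on the slide. Whether a hire
# is "faculty" or "staff" would come from the HR job class in the feed; this
# table treats every hire as staff (assumption).
EMPLOYEE_RULES = {
    "Job applicant":      Rule(listed=False, account=False),
    "Job offer extended": Rule(listed=False, account=True, affiliations=("affiliate",)),
    "Hired":              Rule(listed=True,  account=True, affiliations=("employee", "staff")),
    "On leave":           Rule(listed=True,  account=True, affiliations=("employee",)),
    "Terminated":         Rule(listed=False, account=False),
    "Retired":            Rule(listed=True,  account=True, affiliations=("affiliate",)),
}
STUDENT_RULES = {
    "Admissions applicant":    Rule(listed=False, account=False),
    "Accepted for enrollment": Rule(listed=False, account=True, affiliations=("affiliate",)),
    "Enrolled":                Rule(listed=True,  account=True, affiliations=("student",)),
    "Not taking classes":      Rule(listed=True,  account=True, affiliations=("student",)),
    "Dropped out":             Rule(listed=False, account=False),
    "Graduated":               Rule(listed=True,  account=False, affiliations=("alum",)),
}


def resolve(employee_state=None, student_state=None, unlisted=False):
    """Merge the employee-feed and student-feed views of one person.

    A state missing from the tables raises KeyError so an unexpected feed
    value fails closed instead of silently granting or revoking access.
    `unlisted` is the person's own opt-out: it hides the entry from
    listings but leaves the account usable by WebCT and other apps.
    """
    rules = []
    if employee_state is not None:
        rules.append(EMPLOYEE_RULES[employee_state])
    if student_state is not None:
        rules.append(STUDENT_RULES[student_state])
    if not rules:
        raise ValueError("person appears in neither feed")
    affs = {a for r in rules for a in r.affiliations}
    if affs & IMPLIES_MEMBER:
        affs.add("member")
    affiliations = sorted(affs, key=PRIMARY_ORDER.index)
    account = any(r.account for r in rules)
    return {
        "in_directory": bool(affiliations) or account,
        "account": account,
        "listed": any(r.listed for r in rules) and not unlisted,
        "affiliations": affiliations,
        "primary": affiliations[0] if affiliations else None,
    }


def ldif_line(attr, value):
    """One LDIF attribute line; base64-encode values RFC 2849 calls unsafe."""
    safe = (value.isascii() and value.isprintable() and value == value.strip()
            and not value.startswith(("<", ":")))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(uid, cn, sn, person, base_dn="dc=uab,dc=edu"):
    """Render the entry, or None if the person does not belong in the directory."""
    if not person["in_directory"]:
        return None
    lines = [
        f"dn: uid={uid},ou=people,{base_dn}",
        "objectClass: inetOrgPerson",
        "objectClass: eduPerson",
        ldif_line("uid", uid),
        ldif_line("cn", cn),
        ldif_line("sn", sn),
        ldif_line("eduPersonPrincipalName", f"{uid}@uab.edu"),
    ]
    lines += [ldif_line("eduPersonAffiliation", a) for a in person["affiliations"]]
    if person["primary"]:
        lines.append(ldif_line("eduPersonPrimaryAffiliation", person["primary"]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: a staff member who is also enrolled and has opted out of listing.
    p = resolve(employee_state="Hired", student_state="Enrolled", unlisted=True)
    print(p)
    print(to_ldif("jdoe", "Jane Doe", "Doe", p))
```

The "listed" decision is deliberately not written into the entry: an unlisted person still has to exist in the directory for WebCT-style binds to work, so the hiding is done by the server's access control on anonymous reads, not by an attribute the client could see. Note also the asymmetry in the merge: a terminated employee who is still enrolled keeps an account from the student side, which is exactly the case a naive "employee feed wins" job gets wrong.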

Page 15

How NMI Helped

• Existing UAB schema was arbitrary, terribly out-of-date

• Really too much flexibility in LDAP

• Standard schema lacking important attributes useful to Educational institutions

• Opportunity to bring over additional data to support new apps

Page 16

August 2002 Milestone

• New schema put into production

• Passwords sync’d in real-time between qi and LDAP

• Follows eduPerson and Recipe 1.0, committee suggestions

• Local attributes herded under uabPerson based on eduPerson

• Non-person (entity) look-up

• New base root per Recipe, but old still works

• Passwords, “unlisted” users included – allows use by WebCT, other apps

• Useful attributes such as “courses taken”, “courses taught”

Page 17

Post-August 2002

• Synchronize with enterprise Active Directory – enable departmental conversion

• Central Exchange 2000 mail service

• “BlazerID Central”

• New web screens sync BlazerID and password between qi, LDAP, AD, Novell.

• All authentication done through secure services.

• Strong passwords enforced.

• *ix authentication (PAM)

• More apps!
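Once the directory holds passwords and "unlisted" users so that WebCT, PAM and other apps can authenticate against it, every consuming application has to get the bind right. The Python below is an added example of the search-then-bind pattern an application should use with such a directory; it is not UAB's code and nothing on the page describes how WebCT or PAM were wired up. FakeDirectory stands in for a live server so the example runs offline; with python-ldap the same two operations are conn.search_s(...) and conn.simple_bind_s(dn, password). The "ou=people" container, the sample users and the hashing inside the fake are constructed for this example.

```python
"""
Added example (not from the presentation): search-then-bind authentication
against a password-bearing LDAP directory, with the three checks that a
consuming application must make: TLS on the channel, RFC 4515 escaping of
user input in the filter, and refusal of empty passwords.

FakeDirectory models a server so this runs offline; "ou=people" under the
dc=uab,dc=edu root, the users and the hashing scheme are assumptions.
"""
import hashlib
import hmac
import re


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 127:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def check_uri(uri, start_tls=False):
    """Refuse to send a bind over a cleartext channel.

    ldap://ldap.uab.edu:389 (the Links slide) is fine for anonymous
    phonebook lookups, but a simple bind carries the password in the clear
    unless the session is LDAPS or has been upgraded with StartTLS.
    """
    if uri.startswith("ldaps://") or (uri.startswith("ldap://") and start_tls):
        return True
    raise ValueError("refusing to bind without TLS: " + uri)


def authenticate(directory, uid, password, base_dn="ou=people,dc=uab,dc=edu"):
    """Return the user's DN on success, None on any failure."""
    # 1. Empty password: RFC 4513 lets a server treat "DN + empty password"
    #    as an *unauthenticated* bind that succeeds (as anonymous). An app
    #    that forwards it would log anyone in as anyone. Reject it here.
    if not password:
        return None
    # 2. User-controlled text goes into the filter only after escaping, so
    #    "*" or ")(" typed into the login form cannot widen the search.
    hits = directory.search(base_dn, f"(uid={escape_filter_value(uid)})")
    if len(hits) != 1:
        return None  # unknown or ambiguous uid
    dn = hits[0]
    # 3. The bind is the actual password check; the app never reads
    #    userPassword itself.
    return dn if directory.simple_bind(dn, password) else None


def _pwhash(password):
    # Stand-in for the server's own password storage (assumption); a real
    # server uses its own salted scheme and the client never sees it.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class FakeDirectory:
    """Minimal LDAP-ish store: equality filters with '*' wildcards, simple bind."""

    _EQ = re.compile(r"^\(([A-Za-z][\w-]*)=(.*)\)$")

    def __init__(self, entries):
        self.entries = entries  # dn -> {attr: value}

    @staticmethod
    def _unescape(s):
        out, i = bytearray(), 0
        while i < len(s):
            if s[i] == "\\":
                out += bytes.fromhex(s[i + 1:i + 3])  # bad escape -> ValueError, like a server's filter error
                i += 3
            else:
                out += s[i].encode("utf-8")
                i += 1
        return out.decode("utf-8")

    def search(self, base_dn, filterstr):
        m = self._EQ.match(filterstr)
        if not m:
            raise ValueError("unsupported or malformed filter: " + filterstr)
        attr, pattern = m.group(1).lower(), m.group(2)
        # An unescaped '*' is a wildcard; an escaped one ("\2a") is a literal.
        rx = re.compile("^" + ".*".join(re.escape(self._unescape(p)) for p in pattern.split("*")) + "$")
        return [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(base_dn.lower())
                and attr in attrs and rx.match(attrs[attr])]

    def simple_bind(self, dn, password):
        # Models a server configured to allow unauthenticated binds: the bind
        # "succeeds" (as anonymous) whenever the password is empty.
        if password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and hmac.compare_digest(_pwhash(password), entry["pwhash"])


def demo_directory():
    """Constructed sample data for the example."""
    return FakeDirectory({
        "uid=jdoe,ou=people,dc=uab,dc=edu": {"uid": "jdoe", "pwhash": _pwhash("correct horse")},
        "uid=asmith,ou=people,dc=uab,dc=edu": {"uid": "asmith", "pwhash": _pwhash("battery staple")},
    })


if __name__ == "__main__":
    d = demo_directory()
    check_uri("ldaps://ldap.uab.edu")
    print(authenticate(d, "jdoe", "correct horse"))  # the DN
    print(authenticate(d, "jdoe", ""))               # None, even though d.simple_bind(dn, "") is True
    print(authenticate(d, "j*", "correct horse"))    # None: the wildcard was escaped
```

The fake server is deliberately permissive about empty passwords so the example shows why the client-side check exists: the same directory that is perfectly safe for anonymous phonebook queries becomes a universal login if an application forwards an empty password to a bind. The filter escaping matters for the "unlisted" users too, since an unescaped wildcard in the uid field lets a login form enumerate entries that the phonebook interface would never list.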

Page 18

UAB LDAP, late 2002 forward

• CampusCards

• Link with Novell eDirectory for Student Center computer lab

• Wireless

• Class e-mail distribution; general bulk/broadcast e-mail coming soon

• Lots more apps! Including HR/Finance administrative system replacement.

Page 19

Obligatory Confusing Diagram

[Diagram: qi in the middle, fed by the “official sources” and by “user-input”, with LDAP and AD alongside it and the applications hanging off all three. Only the node labels survive from the slide:]

• “Official sources”: Employees (HURS, HSF, EFH, VIVA); Students; Organizational Hierarchy; Oracle HR (STEPS); Course info (stu/instr)

• “User-input”: Alias/BlazerID/password; Personal info update; ‘Unofficial’ entities; Org listings (“bluepages”)

• Directories and plumbing: qi; LDAP; AD; PAM; dirXML; NMI; www.uab.edu/phonebook; @uab.edu forwarding

• Consumers: VPN; ResNet; SMTP relay; Admin apps; Student portals; Wi-Fi; Call Center; Libraries; WebCT; Email clients; CEDS; Exchange; Computer labs; DFS; Desktop; PEBBLES; Printed Phonebook

• For people and entities alike!

Page 20

Okay, why qi?

• Thing to use when we started

• Still most efficient for @uab.edu mail

• Still friendliest for basic queries

• Very simple text-based protocol

• Current efforts just now addressing LDAP issues/weaknesses/lack of standardization

• MacGyver rules!

Page 21

What Can BlazerIDs Do?

For everyone at UAB:

· @uab.edu e-mail addresses

· free UAB e-mail and Web site (WWW) accounts

· Lister Hill Library (LHL) Virtual Desktop

· download of certain UAB site-licensed software

· access to the UAB Virtual Private Network (VPN)

For employees:

· e-mail alerts from various online administrative applications (e.g., purchase order queue notifications)

· update of departmental information in the UAB Electronic Phonebook

· login access to some departmental networks and services (with more on the way)

· to receive important information e-mailed from your department, school and designated UAB support areas (some of this is already being done, with more applications being discussed)

· inter- and intracampus videoconferencing access (under development)

· numerous other online administrative and employee portal applications (e.g., Data Warehouse, STEPS) which are currently being deployed, tested, procured, or developed

For students:

· access to the ResNet residence hall network

· some departmental computer labs (with more on the way)

· WebCT online courses

· DARS Degree Audit system (when it comes online)

· class mailing lists, and to receive important information e-mailed from your department, school, and designated UAB support areas

· other student online portals which are currently in testing or under development

For faculty/researchers, in addition to the employee services listed above:

· WebCT online course shell management (tentatively for Fall semester)

· automatically generated/managed class mailing lists

· grant information/submission (under development)

· online grade posting (under development)

· DARS Degree Audit system (when it comes online)

(This info taken from link off BlazerID Central… more apps are coming online daily.)

Page 22

UAB LDAP, going forward

• Incorporate eduPerson 1.5 and Recipe 2.0; voice concerns to NMI.

• NMI: Groups, SAGE, eduOrg, commObject, etc.

• Even more apps!

• Determine if the proposed specs and suggestions really enable cross-institution access/authentication.

Page 23

What’s Next In General?

• Continue bringing new apps, resources on board

• CampusCards, BlazerID education

• New HR/Finance systems coming online

• NMI R2 eval finished, starting R3

– Push for more continuum, student, entity attributes in eduPerson

– Middleware roadmap, validation tools

– Do some inter-institutional stuff!

• “LDAP Committees” still need to fully address continuum, privacy granularity, workflow

• What about PKI?

Page 24

Closing Thoughts

• Really helps to have a couple of decades of experience with identity management and resource security! Hopefully these presentations help shorten that.

• Right place, right time

• At any given time, any given technology has a bleeding, leading and very long trailing edge

– This is true for feeder systems, Internet protocols, server software, user interfaces

– Middleware can help

Page 25

More Closing Thoughts

• Great to finally have some guidelines for attribute schema and population

• But … more work needs to be done

• That said, technical considerations are just the tip of the iceberg:

– Privacy

– Ongoing management, education

– Who owns the data?

– Continuums of association

– Who can vouch for X?

– Beware the L-word when committees involved!

Page 26

Links

UAB Electronic Phonebook:

http://www.uab.edu/phonebook

ldap://ldap.uab.edu (port 389, root “dc=uab,dc=edu”)

BlazerID Resources:

http://www.uab.edu/blazerid (BlazerID Central)

http://www.dpo.uab.edu/BlazerID.htm (FAQ)

Author’s e-mail:[email protected]