Page 1: Topics in Directories: Groups

Topics in Directories: Groups

Dr. Tom Barton

The University of Memphis

Page 2: Topics in Directories: Groups

25 June 2002 Base CAMP 2

Outline

• What is it for?

• Design factors – how to approach the design of a groups implementation

• Examples & vignettes

• Group management issues

• Vaporware

• References

Page 3: Topics in Directories: Groups


Why do groups?

Leverage existing enterprise directory infrastructure to:

• Supply data for access control policies to directory-integrated applications and service platforms.

• Supply data for customization needs, especially CMSs and portals.

• Facilitate group messaging.

• Facilitate automated IT resource provisioning.

Page 4: Topics in Directories: Groups


Design factors for a groups implementation

• How the group information is to be most commonly accessed.

• How the group information is to be maintained.

• How potential interactions arise between:

• the type of group representation

• the nature of the group (e.g., size or privacy requirements)

• capabilities of the particular directory service agent (DSA) being used

Page 5: Topics in Directories: Groups


Design factors: Representations of groups

• Static: group object with multivalued membership attribute.

• groupOfNames

• groupOfUniqueNames

dn: cn=groupA, ou=groups, dc=some, dc=edu
objectclass: groupOfUniqueNames
cn: groupA
uniquemember: uid=user1,ou=people,dc=some,dc=edu
uniquemember: uid=user2,ou=people,dc=some,dc=edu
uniquemember: uid=user3,ou=people,dc=some,dc=edu

Page 6: Topics in Directories: Groups


Design factors: Representations of groups

• Dynamic: membership is determined by evaluating an LDAP URL (base, scope and filter) at query time.

• groupOfURLs (iPlanet proprietary)

• No group object at all: the LDAP URL exists only in the applications that use it.

dn: cn=groupB, ou=groups, dc=some, dc=edu
objectclass: groupOfURLs
cn: groupB
memberURL: ldap://ldap.some.edu:389/ou=people,dc=some,dc=edu?dn?2?(ou=staff)

Page 7: Topics in Directories: Groups


Design factors: Representations of groups

• Forward reference: a multivalued attribute (e.g., isMemberOf) on the member object lists the groups it belongs to.

dn: uid=user1, ou=people, dc=some, dc=edu
objectclass: someEduPerson
cn: Some Body
sn: Body
uid: user1
isMemberOf: groupA
isMemberOf: groupB

Page 8: Topics in Directories: Groups


Design factors: Representations of groups

• Spatial: membership is inferred from object’s location in the DIT.

Page 9: Topics in Directories: Groups


Design factors: Application access questions

• How will applications query for group information?

• Is object X in group A?

• List all members of group A.

• List all groups to which X belongs.

• List all members of some boolean combination of groups.

• List all members of group A meeting specified additional criteria.
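As an added example (not code from the slides), the four representations from the preceding slides and the queries listed above, implemented in Python over a small in-memory directory. The LDIF, DNs and attribute names are constructed for the example following the shapes shown on the slides; `isMemberOf` values are bare group names as on the forward-reference slide, while the scan-based query returns group DNs. user4 is placed in a sub-container so that the spatial representation has something to find.

```python
"""Added example (not from the slides): static, dynamic, forward-reference and
spatial group representations, and the queries applications ask of them, over a
small in-memory directory. All entries below are constructed for this example."""
from urllib.parse import unquote

SAMPLE_LDIF = """\
dn: cn=groupA,ou=groups,dc=some,dc=edu
objectclass: groupOfUniqueNames
uniquemember: uid=user1,ou=people,dc=some,dc=edu
uniquemember: uid=user2,ou=people,dc=some,dc=edu
uniquemember: uid=user3,ou=people,dc=some,dc=edu

dn: cn=groupB,ou=groups,dc=some,dc=edu
objectclass: groupOfURLs
memberURL: ldap://ldap.some.edu:389/ou=people,dc=some,dc=edu?dn?2?(ou=staff)

dn: uid=user1,ou=people,dc=some,dc=edu
ou: staff
isMemberOf: groupA
isMemberOf: groupB

dn: uid=user2,ou=people,dc=some,dc=edu
ou: student
isMemberOf: groupA

dn: uid=user3,ou=people,dc=some,dc=edu
ou: staff

dn: uid=user4,ou=staff,ou=people,dc=some,dc=edu
ou: staff
"""

def norm_dn(dn):
    """Comparison form of a DN: lowercase, no whitespace around commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldif(text):
    """Minimal LDIF reader -> {normalised dn: {lowercase attr: [values]}}."""
    directory = {}
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.lower(), []).append(value.strip())
        directory[norm_dn(entry.pop("dn")[0])] = entry
    return directory

def in_scope(dn, base, scope):
    """LDAP search scopes (base/one/sub) over normalised DNs."""
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or dn.endswith("," + base)

def parse_filter(s):
    """Compile an RFC 4515 filter subset (=, presence, &, |, !) to a predicate."""
    body = s.strip()[1:-1]
    if body[0] in "&|!":
        subs, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if ch == "(" and depth == 1:
                start = i
            elif ch == ")" and depth == 0:
                subs.append(parse_filter(body[start:i + 1]))
        return {"&": lambda e: all(f(e) for f in subs),
                "|": lambda e: any(f(e) for f in subs),
                "!": lambda e: not subs[0](e)}[body[0]]
    attr, _, val = body.lower().partition("=")
    return lambda e: attr in e if val == "*" else val in map(str.lower, e.get(attr, []))

def parse_ldap_url(url):
    """ldap://host:port/base?attrs?scope?filter (RFC 4516) -> (base, scope, filter)."""
    path = url.partition("://")[2].partition("/")[2]
    base, _attrs, scope, flt = (unquote(f) for f in (path.split("?") + [""] * 3)[:4])
    scope = {"": "base", "0": "base", "1": "one", "2": "sub"}.get(scope, scope)
    return norm_dn(base), scope, flt or "(objectclass=*)"

def members(directory, group_dn):
    """Static members (uniquemember) plus dynamic ones (memberURL evaluated now)."""
    group = directory[norm_dn(group_dn)]
    found = {norm_dn(m) for m in group.get("uniquemember", [])}
    for url in group.get("memberurl", []):
        base, scope, flt = parse_ldap_url(url)
        match = parse_filter(flt)
        found |= {dn for dn, e in directory.items() if in_scope(dn, base, scope) and match(e)}
    return found

def spatial_members(directory, container_dn):
    """Spatial group: every entry located below the container in the DIT."""
    base = norm_dn(container_dn)
    return {dn for dn in directory if dn != base and in_scope(dn, base, "sub")}

def groups_of(directory, dn):
    """Groups of X by scanning and evaluating every group object: a full pass."""
    dn = norm_dn(dn)
    return {g for g, e in directory.items()
            if ("uniquemember" in e or "memberurl" in e) and dn in members(directory, g)}

def forward_refs(directory, dn):
    """Groups of X as X's own isMemberOf claims: one read, only as current as its maintainer."""
    return set(directory[norm_dn(dn)].get("ismemberof", []))
```

"Is X in A?" is `norm_dn(x) in members(d, a)`, and a boolean combination is set algebra on the results (`members(d, a) & members(d, b)`). The two answers to "which groups is user3 in?" disagree: the scan finds groupA and groupB, but user3 carries no isMemberOf values, because nothing in this example keeps the forward reference in step with the group objects. That gap is the maintenance problem the later slides raise.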

Page 10: Topics in Directories: Groups


Design factors: Application access questions

• Are there application restrictions on:

• group names

• static group objectclass selection

• ability to use object attributes (dynamic groups)

• where in the DIT to look for group objects

• Are there application constraints impacting access policy?

• Can the application BIND to the directory as a given user (its own service DN), so that directory ACLs can accurately implement institutional access policy rather than the application enforcing it itself?

Page 11: Topics in Directories: Groups


Design factors: Group maintenance questions

• Will membership info be automatically maintained based upon institutional data?

• Will membership info be manually maintained?

• How will delegation of group update privileges be managed?

• Is it a personal group?

• What institutional policy pertains to the visibility of the group or privacy of its membership information?

Page 12: Topics in Directories: Groups


Design factors: Group maintenance questions

• Do both automatic and manual processes update the same group? If so, a group maintenance application is needed to arbitrate between them.

• Is there a need to hide personal groups from certain enterprise applications?

• The limited expressiveness of directory ACLs may make it impossible to delegate maintenance of member object attributes (e.g., a forward reference) without an intervening group maintenance application.

Page 13: Topics in Directories: Groups


Design factors: DSA interactions

• Size limit for static groups?

• Replication performance for large static groups.

• Processor and return size limits vs. listing membership of large dynamic groups.

• Access control language vs. delegated maintenance of dynamic (or forward reference) groups.

Page 14: Topics in Directories: Groups


Core middleware for an integrated architecture

Page 15: Topics in Directories: Groups


Example: Class website

Students & instructor(s) use a course website to support class activities. The website provides views only to those resources associated with the role they have in each class.

class: ENGL2101002.2002U
instructor: uid=user1, …
student: uid=user2, …
student: uid=user3, …

class: COMP3214001.2002U
instructor: uid=user4, …
student: uid=user5, …
student: uid=user6, …

(Diagram: SIS, Metadirectory, MyClass)

Page 16: Topics in Directories: Groups


Example: Data Warehouse Access

A GUI web reporting tool (BRIO) for DW access has native LDAP authentication, but the groups used for application security are stored in the DW. Application-level security privileges are determined by a combination of DW administrators and business office personnel.

owner: uid=DWadmin,…
uniquemember: uid=user1, …
uniquemember: uid=user2, …

owner: uid=BOadmin,…
uniquemember: uid=user3, …
uniquemember: uid=user4, …

(Diagram: DW, GASP, Duper, BRIO)

Page 17: Topics in Directories: Groups


Student vignette

Mary is a grad student at Alpha U, taking courses both in a traditional classroom and online, and she interns at a biotech company nearby. Using her laptop, Mary needs to access her e-mail, courseware, calendar and library resources from all three locations: home, campus and work. She also uses a wireless PDA when on campus to stay in touch with her lab mates.

(Diagram: Mailbox, Calendar, Wireless Gateway, NAS Server, Lib Proxies, CMS; arrows labelled authN and attrs)

Page 18: Topics in Directories: Groups


Provisioning vignette

The new Chair of the Dept. of Physiology has arrived on campus over the weekend. Dr. Agnew is very anxious to get access to campus IT resources such as e-mail, calendar, web services and the mainframe. He does not want to wait the requisite 3-5 business days it takes to get the accounts set up. Since IT already knows of him, he can use a self-service interface to accomplish his goal.

(Diagram: HRS, Metadirectory, Acct Init Service; arrows labelled authN and attrs)

Page 19: Topics in Directories: Groups


Group management issues

• Maintenance & indexing of membership attributes

• Delegating management

• Referential integrity

• Personal groups

• Privacy & visibility

• Group math

• Forward referencing

• Aging

• Namespace issues

Page 20: Topics in Directories: Groups


Vapor groupware

GASP (Group Authorized Service Process): a utility that provides group create, rename, update and delete capabilities within an access-controlled environment.

Grouper: an extension to the DSA presenting group math capabilities to LDAP clients.

RIbot: a referential integrity maintenance utility; it maintains the integrity of forward references too.
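As an added example (not code from the slides, and not GASP or RIbot themselves, which the slide lists as vaporware), a toy group-maintenance layer in Python that ties together the group maintenance questions (manual and automatic processes updating groups, delegated update privileges) and the group management issues of referential integrity and forward referencing. It assumes a constructed directory held as a dict of attribute lists, an `owner` attribute naming who may change a group (as in the data warehouse example), DNs already in canonical form, and `isMemberOf` values that hold group DNs rather than bare names; all of these are assumptions of the example.

```python
"""Added example (not from the slides, and not GASP or RIbot themselves): a toy
group-maintenance layer that checks delegated update rights against a group's
owner attribute, keeps the forward reference (isMemberOf) in step with the
static group, and removes dangling references when an entry is deleted. The
directory below is constructed; DNs are assumed to be in canonical form, and
isMemberOf holds group DNs rather than bare names (an assumption of this example)."""

PEOPLE = "ou=people,dc=some,dc=edu"
GROUPS = "ou=groups,dc=some,dc=edu"
REF_ATTRS = ("uniquemember", "owner", "ismemberof")  # attributes whose values are DNs

def person(uid):
    return f"uid={uid},{PEOPLE}"

GROUP_A = f"cn=groupA,{GROUPS}"        # maintained by hand by its owner
GROUP_SIS = f"cn=ENGL2101,{GROUPS}"    # maintained automatically from the SIS feed

# Constructed sample: attr -> list of values, mirroring LDIF.
DIRECTORY = {
    GROUP_A: {"objectclass": ["groupOfUniqueNames"], "owner": [person("dwadmin")],
              "uniquemember": [person("user1"), person("user2")]},
    GROUP_SIS: {"objectclass": ["groupOfUniqueNames"], "owner": [person("sisfeed")],
                "uniquemember": [person("user2")]},
    person("dwadmin"): {}, person("sisfeed"): {}, person("user3"): {},
    person("user1"): {"ismemberof": [GROUP_A]},
    person("user2"): {"ismemberof": [GROUP_A, GROUP_SIS]},
}

def fresh_directory():
    """A private mutable copy of the sample, so callers can change it freely."""
    return {dn: {a: list(v) for a, v in e.items()} for dn, e in DIRECTORY.items()}

class NotAuthorized(PermissionError):
    pass

def _add(entry, attr, value):
    if value not in entry.setdefault(attr, []):
        entry[attr].append(value)

def _discard(entry, attr, value):
    if attr in entry:
        entry[attr] = [v for v in entry[attr] if v != value]
        if not entry[attr]:
            del entry[attr]

def may_update(directory, actor, group_dn):
    """Delegation rule: only a DN listed in the group's owner attribute may change
    it. A manual editor therefore cannot touch the SIS-fed group, and the feed
    cannot touch a manually owned one, so the two never fight over one group."""
    return actor in directory[group_dn].get("owner", [])

def add_member(directory, actor, group_dn, member_dn):
    if not may_update(directory, actor, group_dn):
        raise NotAuthorized(f"{actor} is not an owner of {group_dn}")
    if member_dn not in directory:
        raise KeyError(f"{member_dn} does not exist")  # refuse to create a dangling reference
    _add(directory[group_dn], "uniquemember", member_dn)
    _add(directory[member_dn], "ismemberof", group_dn)  # forward reference kept in step

def remove_member(directory, actor, group_dn, member_dn):
    if not may_update(directory, actor, group_dn):
        raise NotAuthorized(f"{actor} is not an owner of {group_dn}")
    _discard(directory[group_dn], "uniquemember", member_dn)
    _discard(directory.get(member_dn, {}), "ismemberof", group_dn)

def delete_entry(directory, target_dn):
    """Referential integrity on delete: remove the entry and every DN-valued
    attribute value elsewhere that pointed at it. Returns the number removed."""
    directory.pop(target_dn)
    removed = 0
    for entry in directory.values():
        for attr in REF_ATTRS:
            before = len(entry.get(attr, []))
            _discard(entry, attr, target_dn)
            removed += before - len(entry.get(attr, []))
    return removed

def dangling_references(directory):
    """Audit: (holder, attr, value) triples whose target entry no longer exists.
    A stale uniquemember value is stale access."""
    return {(dn, attr, v) for dn, e in directory.items()
            for attr in REF_ATTRS for v in e.get(attr, []) if v not in directory}

def inconsistencies(directory):
    """(member, group) pairs asserted by only one of the two representations:
    the group's uniquemember list and the member's isMemberOf should agree."""
    static = {(m, g) for g, e in directory.items() for m in e.get("uniquemember", [])}
    forward = {(m, g) for m, e in directory.items() for g in e.get("ismemberof", [])}
    return static ^ forward
```

The two audit functions are the part worth keeping around: a write that bypasses the maintenance layer (a raw LDAP modify, a feed with a bug) shows up in `dangling_references` as a reference to a DN that no longer exists, or in `inconsistencies` as a membership that the group object and the forward reference disagree about. Both are cheap to run on a schedule against a replica.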

Page 21: Topics in Directories: Groups


References

Practices in Directory Groups – Tom Barton

LDAP Recipe 2.0 – Michael Gettes

(forthcoming) Groups Implementation Guide – Eileen Shepard