Presented by: Mark Hendricks - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Presented by Mark Hendricks
mark.hendricks_at_humboldt.edu
2
H U M B O L D T
  • Background
  • Mix of centralized and de-centralized IT support
  • 10,000 active Student/Staff/Faculty
  • 25,000 user entries in LDAP
  • Small technical implementation team
  • Committed to open source solutions when available

3
IMI Authentication Technical Team
  • Bill Cannon, Director, Information Technology/ISO
  • Nick DeRuyter, Manager, University Computing Services
  • System Administrators
    • Mark Hendricks
    • Josh Callahan
  • DBA
    • Peter Johnson
  • Analyst Programmers
    • Michael Bradley
    • Jason Hardin
  • Help Desk
    • Melinda Christensen

Contact: Mark Hendricks, mark.hendricks_at_humboldt.edu
4
IMI Authentication Priorities
  • Security!!
    • Uniform password strength and policy enforcement
    • Reduce password/secret exposure and vulnerability
    • Improve logging
  • User Experience
    • Reduce logins/single sign-on
    • Unify account information (NetID/Password)
    • Single location for password management
  • Administration
    • Enforcement of policies for access to campus resources and confidential data
    • Audit compliance
    • Improve user administration efficiency (IT Systems Services)

5
Design Goals
  • Open source
  • Create AuthN/AuthZ capable of supporting all applications
  • Minimize complexity
  • Minimize auth sources
  • Want IMI infrastructure that will support centralized and decentralized management

6
Initial IMI Auth Infrastructure
7
Password Management/Synchronization
8
Active Directory: Why AD?
  • Windows desktop majority
  • Distributed Windows desktop management using
    centralized authentication and dynamic groups
  • Supports AuthN/AuthZ for most major operating
    systems out of the box

9
Desktop AuthN/AuthZ Support
10
Active Directory
  • Windows desktop majority
  • Distributed Windows desktop management using
    centralized authentication and dynamic groups
  • Supports AuthN/AuthZ for most major operating
    systems out of the box
  • Windows XP/2000
  • Mac OS X
  • Unix (Tru64)
  • Linux
  • Samba
  • Minimal schema extensions required
  • Based on LDAP and Kerberos
  • Kerberos prepares for Single Sign-On

11
Kerberos
  • MIT vs. Microsoft
  • Benefits
    • Single Sign-on - Ticket Passing
    • Non-proprietary
    • Unified and secure password repository
    • Passwords outside Windows AD
    • Reduces password/secret exposure
    • Unified logging
    • Easy set up/Robust
  • Problems
    • Difficult to obtain functional documentation/support
    • Learning curve for users and technical team
    • Not supported by all applications
    • Problems with OS integration

12
Where Are We Now?
  • Progress
    • Password Interface
    • Password Synchronization
    • Group Interface
    • LDAP/AD/Kerberos Desktop Auth
    • Email route/alias
    • Library authN, authZ
    • Wireless Auth
    • Misc. Apache Auth
  • Future
    • Portal
    • Guest Accounts
    • Meta-Directory
    • LDAP Standard Library
    • Student (Central) Shares
    • Kiosk
    • Open Directory (Apple)
    • Email

13
CSU Support/Collaboration
  • CSU / eduPerson / group schema - courses
  • Functional working groups / conference - Vendors
  • CSU web page/list for directory/authentication
    collaboration
  • CSU Grants for code and documentation development
  • CSU Certificate Authority or contract with public
    CA