LDAP Management at Stony Brook - PowerPoint PPT Presentation

About This Presentation

Title: LDAP Management at Stony Brook

Description: Making Active Directory and PeopleSoft Work Together. SUNY Technology Conference ... Future Plans... LDAP Management at Stony Brook: About Stony Brook ... – PowerPoint PPT presentation


Transcript and Presenter's Notes

1
LDAP Management at Stony Brook
  • Making Active Directory and PeopleSoft Work
    Together
  • SUNY Technology Conference
  • Rochester, New York
  • Monday June 12, 2006

2
LDAP Management at Stony Brook
  • Background
    • Project Team
    • Project Mandates
    • Problems to Solve
    • Realizations
    • Decisions
  • Active Directory
    • How it's designed
    • What is the NetID?
  • ADAM (Active Directory Application Mode)
    • What is it?
    • How it integrates with Active Directory
  • LDAP Schema (stonybrookEduPerson)
    • What is it?
    • How it's incorporated into ADAM
  • NetID Process Management
    • How NetIDs are provisioned/de-provisioned
    • How AD, ADAM and PeopleSoft are synchronized
  • Authentication/Authorization using AD/ADAM

3
LDAP Management at Stony Brook About Stony Brook
  • Situated on 1,000 wooded acres on the north shore
    of Long Island
  • Undergraduate students 14,287
  • Total students 22,011
  • More than 1,900 faculty
  • More than 12,000 total employees

4
LDAP Management at Stony Brook Project Team
  • Comprised of members from each of the DoIT
    departments
    • Client Support
    • Computer Operations
    • Information Systems
    • Instructional Computing
    • Systems Support
    • Telecommunication and Networking
    • Other technical areas
  • Lots of expertise
  • Many problems to solve
  • Many opinions

5
LDAP Management at Stony Brook Project Mandates
  • Develop a mechanism for determining individuals'
    eligibility for campus services
  • Conform to I2/Educause standards
  • Use the eduPerson model for LDAP

6
LDAP Management at Stony Brook Problems to solve
  • Individuals have different user IDs in different
    systems
  • Too many passwords to remember
  • Different methods for resetting forgotten
    passwords
  • Redundant efforts by system administrators
  • Delays in provisioning/de-provisioning accounts
  • How to handle guest accounts
  • How to handle club accounts
  • Need to extend access for users who are no longer
    active
  • Difficulty troubleshooting users' problems

7
LDAP Management at Stony Brook Realizations
  • LDAP itself doesn't solve problems
  • No magic bullet solution (can't solve every
    problem or handle every single exception with
    technology)
  • If we try to do everything, we'll end up doing
    nothing

8
LDAP Management at Stony Brook Decisions
  • Break up the project into discrete tasks
  • Phased-in approach
  • Look at things that are working and keep them or
    improve them
    • Computer Accounts Database
      • Manages user accounts
      • Most userids are standard across systems
      • Set of rules for provisioning/de-provisioning
    • Existing Microsoft Network
      • Upgrade to Windows 2003 Active Directory
      • Leverage existing infrastructure, expertise
    • PeopleSoft
      • Authoritative source for person data
      • Single identifier (Stony Brook ID) for all
        Students, Faculty, Staff, Alumni
      • Existing method for tracking affiliates
      • Self-Service system (SOLAR) provides secure,
        personalized web content
      • Customizable

9
LDAP Management at Stony Brook Active Directory
  • Active Directory Design
    • A simple Windows 2003 AD (Native Mode)
    • AD Forest consists of two domains
      • Empty root domain (sbroot.stonybrook.edu)
        • Hosts DDNS servers
      • Primary domain (campus.stonybrook.edu)
        • Contains all user accounts, known as NetIDs
    • All objects, including accounts, are maintained
      in OUs whose management can be delegated
    • External trusts to other ADs

10
LDAP Management at Stony Brook Active Directory
11
LDAP Management at Stony Brook Active Directory
  • What is the NetID?
    • User accounts in AD
    • NetIDs provisioned for all students, staff,
      faculty, affiliates, etc.
    • Intended to be the single source of
      authentication for multiple systems and
      applications (not just for Windows PCs)
    • Licensing costs per NetID (Microsoft
      Campus Agreement)

12
LDAP Management at Stony Brook ADAM
  • ADAM (Active Directory Application Mode)
    • It is an LDAP Directory Service
    • Consider it Active Directory Lite, without the
      overhead of a full AD implementation
    • Runs as a service on Windows Server 2003 R2 or
      Windows XP Pro SP2
    • Can be run on a stand-alone server or on a member
      of a domain (Windows 2000, 2003 AD or NT 4.0 Domain)
    • Multiple instances of ADAM can be run on the same
      server
    • It's free!!!

13
LDAP Management at Stony Brook ADAM
  • Integrates with Active Directory
    • Supports SASL (Windows) for authentication
      • Can use AD credentials for authentication
    • Supports simple bind for authentication
      • Bind redirection used to create security
        principals (userProxy accounts) in ADAM which
        redirect authentication to AD
  • NetID synchronized between AD and ADAM
    • ADAMSYNC.EXE tool used to synchronize from AD to
      ADAM
    • NetIDs are replicated to ADAM as userProxy
      accounts
  • Schema changes can be implemented in ADAM without
    affecting the AD schema
    • Since ADAM synchronizes with AD, this effectively
      allows us to extend the AD schema without ever
      having touched it

14
LDAP Management at Stony Brook LDAP Schema
(stonybrookEduPerson)
  • stonybrookEduPerson
    • A schema definition based upon eduPerson
    • Extends eduPerson to provide specific attributes
      required at Stony Brook
    • This schema was defined in the ADAM instance that
      is synchronized with AD

15
LDAP Management at Stony Brook NetID Process
Management
  • NetID Provisioning
    • Person information/status entered into PeopleSoft
    • Computer Accounts Database reads in the new
      information and assigns a NetID
    • Scripts read in updates from the Computer Accounts
      Database, create the new NetID in AD and update
      the associated person information in PeopleSoft
      with the NetID information
    • NetID creations synchronized from AD to ADAM

16
LDAP Management at Stony Brook NetID Process
Management
  • NetID De-provisioning
    • Person status changes in PeopleSoft (terminated,
      graduated, etc.)
    • Computer Accounts Database reads in the new
      information and disables the associated NetID
    • Computer Accounts deletes NetIDs if they remain
      disabled for a predetermined amount of time
    • Scripts read in updates from Computer Accounts,
      disable/delete the accounts in AD and update the
      associated person information in PeopleSoft with
      the NetID information
    • NetID deletions synchronized from AD to ADAM. No
      need to synchronize disabled NetIDs, as AD
      remains the single source of authentication
      through use of bind redirection
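The provisioning and de-provisioning rules of the two slides above, as an added example that is not the university's own scripts: a reconciliation pass that compares PeopleSoft person status with the directory's accounts and emits the actions those slides describe (assign a NetID, create it, disable it, delete it once the disabled period has elapsed). The status values, the 90-day retention window and the rule that re-enables a disabled account whose person becomes active again are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Constructed retention window (slides: "a predetermined amount of time").
DELETE_AFTER = timedelta(days=90)
ACTIVE_STATUSES = {"active", "enrolled"}   # constructed PeopleSoft statuses

@dataclass
class DirectoryAccount:
    netid: str
    enabled: bool
    disabled_on: Optional[date]   # when the account was last disabled
def plan_actions(people, accounts, today):
    """people: {StonyBrookID: (NetID or None, status)};
    accounts: {NetID: DirectoryAccount}. Returns (action, id) pairs:
    assign-netid, create, enable, disable, delete, orphan-review."""
    actions, known = [], set()
    for sbid, (netid, status) in people.items():
        active = status in ACTIVE_STATUSES
        if netid is None:                  # new person, no NetID yet
            if active:
                actions.append(("assign-netid", sbid))
            continue
        known.add(netid)
        acct = accounts.get(netid)
        if acct is None:                   # NetID assigned, not in AD yet
            if active:
                actions.append(("create", netid))
        elif active and not acct.enabled:  # re-activation (assumed rule)
            actions.append(("enable", netid))
        elif not active and acct.enabled:  # terminated, graduated, ...
            actions.append(("disable", netid))
        elif (not active and acct.disabled_on is not None
              and today - acct.disabled_on >= DELETE_AFTER):
            actions.append(("delete", netid))
    # Directory accounts with no PeopleSoft record are flagged, not deleted.
    for netid in accounts:
        if netid not in known:
            actions.append(("orphan-review", netid))
    return actions

# Constructed sample run as of the conference date (2006-06-12).
SAMPLE_PEOPLE = {"100": ("jdoe", "terminated"), "101": ("asmith", "graduated"),
                 "102": ("rlee", "graduated"), "103": (None, "active")}
SAMPLE_ACCOUNTS = {"jdoe": DirectoryAccount("jdoe", True, None),
                   "asmith": DirectoryAccount("asmith", False, date(2006, 1, 1)),
                   "rlee": DirectoryAccount("rlee", False, date(2006, 5, 1)),
                   "ghost": DirectoryAccount("ghost", True, None)}
SAMPLE_ACTIONS = plan_actions(SAMPLE_PEOPLE, SAMPLE_ACCOUNTS, date(2006, 6, 12))
```

In the sample, rlee has been disabled for only 42 days and so is left alone, while asmith (162 days) is deleted and the unmatched ghost account is only flagged for review.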

17
LDAP Management at Stony Brook NetID Process
Management
  • Attribute/Group Synchronization
    • Specific attributes as defined in
      stonybrookEduPerson are stored and maintained
      in PeopleSoft for each person who has a NetID
    • Group membership is also stored and maintained in
      PeopleSoft for each person who has a NetID
      • StudentActive, StudentEnrolled, EmployeeActive,
        etc.
    • Scripts read in this information and update the
      associated attributes or group memberships for
      each NetID in ADAM

18
LDAP Management at Stony Brook NetID Process
Management
  • User Self-Service
    • A web interface is provided through PeopleSoft
      which allows users to reset their NetID password
    • Web interface utilizes a separate authentication
      based upon Stony Brook ID
    • Security questions must also be answered before a
      password reset can occur
    • Scripts read in these password resets and update
      AD with the new passwords. No need to synchronize
      password resets for NetIDs, as AD remains the
      single source of authentication through use of
      bind redirection

19
LDAP Management at Stony Brook NetID Process
Management
20
LDAP Management at Stony Brook
Authentication/Authorization using AD/ADAM
  • Applications/Systems that choose to authenticate
    using LDAP can do so against AD or ADAM using
    SASL or simple bind over SSL
  • Applications/Systems which require specific
    attributes or group memberships for authorization
    purposes utilize ADAM
  • Applications/Systems which are currently using
    AD/ADAM for authentication/authorization
    • Remote Access (VPN, dial-up, wireless) via RADIUS
    • Student PC Registration
    • Blackboard (Online Courses)
    • Ex Libris - Aleph (Library System)
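An added example, not from the presentation, of the application-side step on the slide above (and the userProxy lookup that slide 13 describes): building the search filter for a NetID safely and deciding authorization from the attributes and group memberships ADAM returns. The userProxy naming attribute (cn), the group DNs and the shape of the returned entry are assumptions; the group names and the eduPerson attribute come from the slides.

```python
from typing import Optional
def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515) so a NetID taken
    from user input cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def netid_filter(netid: str) -> str:
    # Assumed naming: the userProxy object's cn holds the NetID.
    return "(&(objectClass=userProxy)(cn=%s))" % escape_filter_value(netid)

def first_rdn_value(dn: str) -> str:
    """Value of the first RDN of a DN, honoring RFC 4514 escapes, so a group
    named 'Library, Patrons' is not split at its comma."""
    rest = dn.partition("=")[2]
    out, i = [], 0
    while i < len(rest):
        c = rest[i]
        if c == "\\" and i + 1 < len(rest):
            pair = rest[i + 1:i + 3]
            if len(pair) == 2 and all(h in "0123456789abcdefABCDEF" for h in pair):
                out.append(chr(int(pair, 16))); i += 3     # \2c style escape
            else:
                out.append(rest[i + 1]); i += 2            # \, style escape
            continue
        if c == ",":
            break
        out.append(c); i += 1
    return "".join(out)

def authorize(entry: dict, required_group: str,
              required_affiliation: Optional[str] = None) -> bool:
    """Authorization decision from the attributes ADAM returned for a NetID:
    the user must be in required_group (matched by the group's CN, case-
    insensitively) and, if given, carry the eduPersonAffiliation value."""
    groups = {first_rdn_value(dn).lower() for dn in entry.get("memberOf", [])}
    if required_group.lower() not in groups:
        return False
    if required_affiliation is not None:
        return required_affiliation in entry.get("eduPersonAffiliation", [])
    return True

# Constructed entry in the shape an LDAP client returns (attribute -> values);
# the group DNs and OU layout are assumed, the group names come from the slides.
SAMPLE_ENTRY = {
    "cn": ["jdoe"],
    "eduPersonAffiliation": ["student", "member"],
    "memberOf": ["CN=StudentActive,OU=Groups,DC=campus,DC=stonybrook,DC=edu",
                 "CN=Library\\, Patrons,OU=Groups,DC=campus,DC=stonybrook,DC=edu"],
}
```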

21
LDAP Management at Stony Brook PeopleSoft's Role
  • Provide general information about NetID and
    services

22
LDAP Management at Stony Brook PeopleSoft's Role
  • Give users their NetID

23
LDAP Management at Stony Brook PeopleSoft's Role
  • NetID password change

24
LDAP Management at Stony Brook PeopleSoft's Role
  • Test NetID Password from SOLAR

25
LDAP Management at Stony Brook PeopleSoft's Role
  • Help desk view of AD accounts

26
LDAP Management at Stony Brook PeopleSoft's Role
  • Group maintenance
  • Send attributes to AD/ADAM
  • Reconcile discrepancies between PS and directory
  • Allow system administrators to disable accounts
    using service indicators

27
LDAP Management at Stony Brook Future Plans
  • Migrate functionality of Computer Accounts
    Database into PeopleSoft
    • All NetID provisioning/de-provisioning will occur
      directly in PeopleSoft
    • Add functionality to update LDAP directly from
      PeopleSoft, eliminating the need and delay
      inherent in the use of scheduled scripts
  • Continue adding applications and systems to
    utilize AD/ADAM for authentication and
    authorization
    • ezProxy
    • SoftWeb (allows authorized persons to download
      software)
    • UNIX Logons
    • And more.

28
LDAP Management at Stony Brook Contact us
  • Andrew Kirsch, andrew.kirsch_at_stonybrook.edu, (631) 632-8722
  • Brian Heller, brian.heller_at_stonybrook.edu, (631) 632-9254