ldap_design_and_configuration

This page is a discussion of the design goals, requirements, and configuration of the new LDAP server system to support NCEAS and the broader ecoinformatics community.

LDAP configuration

LDAP is installed on Triana and replicated on Dean. Several DN subtrees are maintained there:

  • dc=ecoinformatics,dc=org
    • Accounts for KNB/Morpho/wiki access
  • ou=Account,dc=ecoinformatics,dc=org
    • Restricted shell accounts for CVS access
  • o=ucnrs.org

For ecoinformatics.org, some useful links include:

InCommon Identity Provider design

The Shibboleth Identity Provider (IdP v2.3.8) software is deployed on identity.nceas.ucsb.edu (“frey”) and configured to authenticate and provide attributes for accounts in the following subtrees of the ldap.ecoinformatics.org LDAP server:

  1. ou=Account (all considered verified accounts because they have been manually entered and are closely affiliated with NCEAS)
  2. o=unaffiliated (considered unverified because they are self-registered via web form)

The following attributes will be released to InCommon service providers:

  1. uid (considered the eduPersonPrincipalName, “eppn”)
  2. givenName
  3. sn (surname)
  4. mail (email address)

CILogon will construct subject DNs for our identities using the following form:

  • CN=uid,O=NCEAS Identity Provider,C=US,DC=cilogon,DC=org

Note that this is different from their normal subject scheme that uses the full name and random alphanumeric string in the CN:

  • CN=givenName sn <alphanumeric>,O=NCEAS Identity Provider,C=US,DC=cilogon,DC=org

This allows us to know the CILogon DN before any user attempts to authenticate with the service provider, so that we can map the legacy LDAP DNs to the new CILogon certificate subject DNs ahead of time. For example, my two legacy accounts will both map to the same new CILogon account:

  • uid=leinfelder,ou=Account,dc=ecoinformatics,dc=org –> CN=leinfelder,O=NCEAS Identity Provider,C=US,DC=cilogon,DC=org (directly used for authentication and providing attributes)
  • uid=leinfelder,o=NCEAS,dc=ecoinformatics,dc=org –> CN=leinfelder,O=NCEAS Identity Provider,C=US,DC=cilogon,DC=org (o=NCEAS migrated to ou=Account)
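The following is an added illustration, not code from NCEAS, Shibboleth or CILogon, of the two pieces described above: resolving a uid in the IdP-visible subtrees (ou=Account first, then o=unaffiliated; that lookup order is an assumption), releasing only the four listed attributes with uid doubling as the eppn, and deriving the CILogon subject DN from the uid. The in-memory directory, the uids (jdoe, asmith, olduser), their attributes and passwords are all constructed sample data, and the SHA-256 check stands in for the real LDAP bind. Because the uid becomes a DN component, it is escaped per RFC 4514 before use.

```python
import hashlib
import hmac

# Subtrees the IdP authenticates against, in lookup order (assumed), with the
# verified flag the page assigns to each.
SUBTREES = [
    ("ou=Account,dc=ecoinformatics,dc=org", True),       # manually entered -> verified
    ("o=unaffiliated,dc=ecoinformatics,dc=org", False),  # self-registered -> unverified
]
RELEASED_ATTRS = ("uid", "givenName", "sn", "mail")
CILOGON_SUFFIX = "O=NCEAS Identity Provider,C=US,DC=cilogon,DC=org"


def _pw(secret):
    # Stand-in for the directory's password check; not a recommended storage scheme.
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed sample entries (dn -> attributes); none of these are real accounts.
DIRECTORY = {
    "uid=jdoe,ou=Account,dc=ecoinformatics,dc=org": {
        "uid": "jdoe", "givenName": "Jane", "sn": "Doe", "mail": "jdoe@example.org",
        "telephoneNumber": "555-0100", "userPassword": _pw("jane-pass"),
    },
    "uid=asmith,o=unaffiliated,dc=ecoinformatics,dc=org": {
        "uid": "asmith", "givenName": "Al", "sn": "Smith", "mail": "asmith@example.net",
        "userPassword": _pw("al-pass"),
    },
    # Legacy o=NCEAS entry: not an IdP subtree, so lookups must not match it.
    "uid=olduser,o=NCEAS,dc=ecoinformatics,dc=org": {
        "uid": "olduser", "givenName": "Old", "sn": "User", "mail": "olduser@example.org",
        "userPassword": _pw("old-pass"),
    },
}


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def cilogon_dn(uid):
    """CN=uid,O=NCEAS Identity Provider,C=US,DC=cilogon,DC=org, with uid escaped."""
    return "CN=%s,%s" % (escape_rdn_value(uid), CILOGON_SUFFIX)


def resolve_entry(uid):
    """Look the uid up in each IdP subtree in order; return (dn, attrs, verified) or None."""
    for base, verified in SUBTREES:
        dn = "uid=%s,%s" % (escape_rdn_value(uid), base)
        if dn in DIRECTORY:
            return dn, DIRECTORY[dn], verified
    return None


def authenticate(uid, password):
    """Bind as the uid and return only the attributes released to InCommon SPs."""
    found = resolve_entry(uid)
    if found is None:
        return None
    dn, attrs, verified = found
    if not hmac.compare_digest(attrs["userPassword"], _pw(password)):
        return None
    released = {a: attrs[a] for a in RELEASED_ATTRS if a in attrs}
    released["eppn"] = attrs["uid"]  # uid is treated as the eduPersonPrincipalName
    return {"dn": dn, "verified": verified, "attributes": released,
            "cilogon_dn": cilogon_dn(attrs["uid"])}


if __name__ == "__main__":
    print(authenticate("jdoe", "jane-pass"))
    print(authenticate("olduser", "old-pass"))  # None: legacy subtree is not consulted
```

Note that attributes not in the release list (telephoneNumber here) never leave the function, and that a uid in the legacy o=NCEAS subtree cannot authenticate until it has been moved into ou=Account, which is what the TODOs below are about.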

TODOs for implementation

  1. Move all o=NCEAS accounts that do not yet exist in ou=Account into ou=Account. Map each old o=NCEAS account to its new or existing ou=Account entry.
  2. Eliminate duplicate accounts in o=unaffiliated and use the ou=Account entry where appropriate. If the two entries belong to the same person, map the o=unaffiliated account to the ou=Account account. If they belong to different people, assign the o=unaffiliated user a new uid that does not exist in ou=Account, so that every uid is unique.
  3. Change the LDAP web registration process to check for an existing uid in both o=unaffiliated and ou=Account, so that no duplicate uids can be added. Would be nice if there were a rule that the LDAP system could enforce to not allow duplicate uids in different subtrees, but I think that's wishful thinking.
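As an added worked example (not the NCEAS migration or registration code), the three TODOs above can be driven from a slapcat-style dump: index every entry by uid across o=NCEAS, ou=Account and o=unaffiliated, decide per uid whether it is migrated, mapped or re-assigned, and refuse a web registration whose uid already exists in either IdP subtree. The LDIF, the uids and the mail addresses are constructed sample data; "same person" is decided by comparing mail addresses, which is an assumption about how the manual review would be done. uid is folded to lowercase because its LDAP matching rule (caseIgnoreMatch) is case-insensitive.

```python
from collections import defaultdict

ACCOUNT = "ou=Account,dc=ecoinformatics,dc=org"
UNAFFILIATED = "o=unaffiliated,dc=ecoinformatics,dc=org"
LEGACY_NCEAS = "o=NCEAS,dc=ecoinformatics,dc=org"

# Constructed sample LDIF (not a real dump) with one entry set per TODO case.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=Account,dc=ecoinformatics,dc=org
uid: jdoe
mail: jdoe@example.org

dn: uid=jdoe,o=unaffiliated,dc=ecoinformatics,dc=org
uid: jdoe
mail: JDoe@example.org

dn: uid=asmith,ou=Account,dc=ecoinformatics,dc=org
uid: asmith
mail: a.smith@example.org

dn: uid=asmith,o=unaffiliated,dc=ecoinformatics,dc=org
uid: asmith
mail: asmith@example.net

dn: uid=bwong,o=NCEAS,dc=ecoinformatics,dc=org
uid: bwong
mail: bwong@example.org

dn: uid=cjones,o=NCEAS,dc=ecoinformatics,dc=org
uid: cjones
mail: cjones@example.org

dn: uid=cjones,ou=Account,dc=ecoinformatics,dc=org
uid: cjones
mail: cjones@example.org
"""


def parse_ldif(text):
    """Minimal LDIF reader for simple 'attr: value' records separated by blank lines."""
    entries = []
    for record in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in record.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry[key].append(value)
        entries.append(dict(entry))
    return entries


def subtree_of(dn):
    """Return which of the three subtrees a DN lives in (case-insensitive suffix match)."""
    for base in (ACCOUNT, UNAFFILIATED, LEGACY_NCEAS):
        if dn.lower().endswith("," + base.lower()):
            return base
    return None


def index_by_uid(entries):
    """Map lowercase uid -> {subtree: lowercase mail} across the checked subtrees."""
    index = defaultdict(dict)
    for entry in entries:
        base = subtree_of(entry["dn"][0])
        if base is not None:
            mail = entry.get("mail", [""])[0].lower()
            index[entry["uid"][0].lower()][base] = mail
    return index


def plan_actions(entries):
    """TODOs 1 and 2: decide per uid how legacy and duplicate entries are resolved."""
    actions = {}
    for uid, where in index_by_uid(entries).items():
        if LEGACY_NCEAS in where:
            actions[uid] = ("map o=NCEAS entry to existing ou=Account entry"
                            if ACCOUNT in where else "migrate o=NCEAS entry to ou=Account")
        elif ACCOUNT in where and UNAFFILIATED in where:
            same_person = where[ACCOUNT] == where[UNAFFILIATED]  # assumed review rule
            actions[uid] = ("map o=unaffiliated entry to ou=Account entry" if same_person
                            else "assign new uid to o=unaffiliated entry")
    return actions


def can_register(uid, entries):
    """TODO 3: refuse a web registration whose uid exists in either IdP subtree."""
    where = index_by_uid(entries).get(uid.lower(), {})
    return ACCOUNT not in where and UNAFFILIATED not in where


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for uid, action in sorted(plan_actions(entries).items()):
        print(uid, "->", action)
    print("can register JDOE:", can_register("JDOE", entries))
```

The registration check deliberately consults the parsed dump rather than trusting the web form, and the same index can be re-run after the migration to confirm that no uid is left in more than one subtree.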

HISTORIC LDAP INFORMATION BELOW

LDAP System design

The LDAP system will be used for the following services.

National services

  • Authenticate KNB and EcoGrid users via Morpho, Metacat, Kepler, and other clients
    • Authenticate ESA data registry users
  • Authenticate wiki users for the SEEK and Kepler wikis
  • Authenticate shell access via SSH for CVS access
  • Authenticate Bugzilla users (future)

Local NCEAS Services

  • Authenticate wiki users for the NCEAS Help wikis
  • Authenticate NCEAS web site Working Group users (collab areas and eventual wiki)
  • Shell access to selected NCEAS machines?
  • Email accounts and aliases

Background

Who maintains data, what organizations are involved

Requirements

availability requirements, maintenance and account creation, features supported (e.g., X.509)

Relationship to EcoGrid/GAMA

Proposed design of LDAP

DN conventions, referrals, how searching will work, how replication will work, who needs to be trusted for this stuff to work, etc.

History

The following trees were removed 2/17/09:

  • o=NCEAS,c=US
    • The original NCEAS subtree; it was used for web authentication
  • dc=nceas,dc=ucsb,dc=edu
    • The “new” NCEAS subtree; it was to be reconfigured for all local services

The original data directories and LDIF dumps (with slapcat) are stored in /var/lib/ldap/backups on ceres.

ldap_design_and_configuration.txt · Last modified: 2016/02/24 11:49 by hetmank