PSUMAC101: Intro to Auth

Transcription

1 PSUMAC101: Intro to Auth

2 We Are... Jeremy Hill Systems Design Specialist, Applied Information Technology Ryan Coleman Systems Administrator, Applied Information Technology

3 Overview Why, What and When of Auth (entication and orization) The Penn State Auth Environment Tying your site into Access Account services Directory Services Integration - Hands on lab Storage Services Integration

4 Why? Reasons for System Admins / System Designers Reasons for End Users

5 Why? Reasons for Admins Stop managing users Stop managing passwords Less administrative overhead Reduce points of failure Embrace benefits of scale

6 Why? Reasons for Admins, cont d Begin to embrace SSO Nobody knows the password, except the user Make authorization decisions based upon known user information without duplicating data Security, security, security...with some convenience!

7 Why? Reasons for Users Less account info to remember Leverage SSO (less typing) Security, security, security...with some convenience!

8 Kerberos Primer The Triple Headed Beast

9 What is it? network authentication protocol uses secret-key cryptography to... store and protect passwords!

10 The Traditional Method Server Username & Password Client Login

11 The Traditional Method Server Username & Password Client Login

12 The Traditional Method Server Username & Password Client File Share

13 The Traditional Method Server Username & Password Client File Share

14 KDC Kerberos Client Key Distribution Center Kerberized Client Kerberized Server/Service Server

15 KDC Encrypted Wrapper The Current Time Other Bits Client My packet of data Server

16 KDC Encrypted Wrapper The Current Time Other Bits Client I can decrypt this! Server

17 KDC Ticket Granting Ticket Client Server

18 KDC Ticket Granting Ticket Client Server

19 KDC Ticket Granting Ticket Client Server NFS File Server

20 KDC Ticket Granting Ticket Client May I have some files? Server NFS File Server

21 KDC Client May I have some files? Ticket Granting Ticket Server NFS File Server

22 KDC Client May I have some files? Ticket Granting Ticket Sure! Server NFS File Server

23 KDC Client May I have some files? Ticket Granting Ticket NFS Service Ticket Some Files Sure! Server NFS File Server

24 KDC Ticket Granting Ticket NFS Service Ticket Some Files Client Thanks! Sure! Server NFS File Server

25 What is it? Secure Single-Sign-On

26 LDAP Primer The Bookie

27 What? LDAP - Lightweight Directory Access Protocol Better known as Penn State s Online Directory Simply a repository/database of information about a user Certain fields are protected by laws/regulations (FERPA, HIPAA, etc) Groups of all kinds

28 What? LDAP cont d What kind of info about a user? Name(s) UserID (s) Affiliation(s)

29 What? LDAP cont d Address(es) Department All kinds of unofficial information GROUP MEMBERSHIPS!!

30 What? Auth pieces Piece #1 - Kerberos Piece #2 - LDAP

31 What? Active Directory Better known as AD Simply put -- Microsoft packaged Kerberos 5, LDAP and GPO with a pretty interface That s it...no, really, that s it!!

32 Apple Open Directory Kerberos + LDAP MCX Managed Client extensions Think Group Policy Objects from the Windows world See the User Management Doc (or Brett yesterday)

33 What? Out of Scope, but useful WebAccess SSO Website Authentication (Cosign) InCommon Federation with other entities (Shibboleth)

34 Planning a Migration Graduate School Case Study

35 Planning a Migration Graduate School Case Study ~50 end-users, mostly Windows ~5 IT staff, mostly Mac Apache/Coldfusion Web Services with MS-SQL Backend

36 Planning a Migration Graduate School Case Study Windows/Mac tied into Local AD SQL Servers and Storage in Local AD

37 Planning a Migration Graduate School Case Study Ideal Case Windows tied into PSU WinAD Mac tied into OD (with PSU Passwords) SQL Servers and Storage in combination of above

38 Planning a Migration Graduate School Case Study Problems to be aware of Where are your user records stored? Where are your passwords? What about the services they use?

39 Recap... Kerberos (UserID & Password, Credentials) LDAP (User and Group information, Directory) AD (Microsoft packaged stuff) OD (Apple packaged stuff) Other useful services Not to be implemented on the fly

40 Authentication (AuthN)!= Authorization (AuthZ) Authentication Verifying credentials Trusting those credentials The user is exactly who they say they are Use Kerberos for this!! Skit...we ll need some volunteers

41 Authorization (AuthZ)!= Authentication (AuthN) Authorization Deciding what the user can do based upon attributes Completely separate from verifying credentials YOU decide who is authorized to do what based on anything you want! Use LDAP for this!! Skit...continued

42 End of PSUMAC101 Questions?