
Re: ask for some tips of unified identity using LDAP

--On Monday, March 15, 2004 12:30 PM -0300 "ntyunaka@uol.com.br" <yunakaof@usp.br> wrote:


Hi,

I would like to ask for tips on how people make a directory system to
provide a unique login/password tying together all individual information
relating to authorization for each service that an individual could
access.
By service I mean physical access control to a room or building,
e-mail system authentication, dial-up authentication, RADIUS
authentication for other services that depend on RADIUS, computer
access by login on any computer anywhere in a university
campus, administrative system access login, intranet web access
by login, employee entrance control, etc.
Does this type of directory system exist?
Can it be done using LDAP?
Is there any similar system using OpenLDAP?

How do universities and big companies actually implement a unique ID
for individuals?

Hi Nelson,

We use a person's uid (not uidNumber) as their unique name. Thus, my unique name at Stanford is "quanah". We use Kerberos as our backend authentication piece. All people entering the university must sign up for a UID at a web application. That web application checks a backend database that contains a list of all used UIDs.

We also currently use RADIUS off of our OpenLDAP servers. The way we do this is through "privilege groups". Our server has a multi-valued attribute that stores all the privileges you have. So the RADIUS servers query to see if you belong to particular groups. If you do, you get access via RADIUS. This also allows us to update and maintain these groups through another web application.

As for logins, etc., you might want to see our posixAccount information at:

http://www.stanford.edu/services/directory/

One of the main pieces you are missing here is using Kerberos as an authentication mechanism that ties together with LDAP. With Kerberos, we can immediately deactivate people from having login access around the university.

For the web access piece, you might want to look at:

http://webauthv3.stanford.edu/

which ties together Kerberos & LDAP for authentication/authorization purposes.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
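The privilege-group lookup Quanah describes, as an added example that is not code from this thread or from Stanford: a RADIUS front end builds an LDAP filter for the user's uid and the required privilege, with RFC 4515 escaping so an untrusted uid cannot change the filter's meaning. The attribute name suPrivilegeGroup, the directory entries and the small filter evaluator are assumptions/constructed so the script runs offline.

```python
import re

# Assumed attribute name; Stanford's real schema may differ.
PRIV_ATTR = "suPrivilegeGroup"

# Constructed directory fragment standing in for OpenLDAP search results.
DIRECTORY = {
    "uid=quanah,cn=people,dc=example,dc=edu": {
        "uid": ["quanah"],
        PRIV_ATTR: ["dialup", "vpn", "webauth"],
    },
    "uid=nelson,cn=people,dc=example,dc=edu": {
        "uid": ["nelson"],
        PRIV_ATTR: ["webauth"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so user input cannot inject filter syntax."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def build_filter(uid: str, privilege: str) -> str:
    """Filter a RADIUS server would send: the user must hold the privilege."""
    return f"(&(uid={escape_filter_value(uid)})({PRIV_ATTR}={escape_filter_value(privilege)}))"


def _unescape(value: str) -> str:
    """Reverse RFC 4515 \\XX hex escapes when evaluating a filter."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_and_filter(flt: str):
    """Parse the limited form (&(attr=value)...) into (attr, value) pairs."""
    m = re.fullmatch(r"\(&((?:\([^()]+=[^()]*\))+)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    return [(a, _unescape(v)) for a, v in re.findall(r"\(([^()=]+)=([^()]*)\)", m.group(1))]


def has_privilege(uid: str, privilege: str, directory=DIRECTORY) -> bool:
    """Build the filter and evaluate it against the simulated entries."""
    conds = parse_and_filter(build_filter(uid, privilege))
    return any(all(v in attrs.get(a, []) for a, v in conds) for attrs in directory.values())
```

Because the uid is escaped before it reaches the filter, a value such as `quanah)(uid=*` is compared literally and simply fails to match, rather than widening the search.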