...

One OID (Oracle Internet Directory) instance is run by NIST to support PDA synchronization to MIT's TechTime. This is used purely as an LDAP authentication system to support the PDAs and mobile devices. It is not offered as a general LDAP authentication service to the MIT developer community.

The server runs on the same box that hosts the TechTime calendar server. It will not accept connections from other servers or clients. A user's password reaches the calendar server over TLS. The calendar server then passes the username and password to the OID instance. The OID instance then verifies the username and password correctness using the KDC.

5.3.   OID - run by SAIS

SAIS runs two instances of OID. One instance is used in support of the insideMIT portal. It receives feeds from the MIT Data Warehouse for Kerberos ID and other user data, from SAP for various HR data and portal "profiles", and from the MIT Roles database for authorization data. The second instance of OID is used for the MITSIS system. Plans call for the latter system to receive feeds from SIS systems regarding student data to support the use of the portal by SIS.

The decision to have two distinct OID instances within SAIS was a result of requirements feedback from OIS.

5.4.   LDAP.MIT.EDU

5.4.1.      Inventory and topology

Ldap.mit.edu is implemented on OpenLDAP version [XXX]. Two servers with the same data reside behind an F5 switch. This configuration provides for failover and load balancing. The individual servers should not be queried directly except when testing for consistency or other troubleshooting. The host names of the individual servers are subject to change without notice. The current hostnames are w92-130-ldap-1 and w92-130-ldap-2. They are currently Dell 2850s.

5.4.2.      History

The service was introduced shortly after the introduction of TechTime, about the same time as the NIST OID (for support of TechTime). The primary usage over the past few years has been as an address book for email clients. Since the formation of ISDA there has been a growing interest in using LDAP as a way to look up group memberships to perform authorization decisions.

...

  • Looking up email addresses of people from various email clients including Outlook, Apple Mail, and Thunderbird
  • Looking up Moira group memberships for Moira lists that are of type visible. Type visible within Moira indicates that non-members may view the membership.
  • Used to provide SIP.edu functionality with OpenSER for MIT VoIP pilot and MIT Personal SIP service [?]
  • Used by the core MIT Touchstone Shibboleth IdP to generate Shibboleth attribute assertions.

5.4.4.      Data sources used by ldap.mit.edu

Ldap.mit.edu receives data feeds from multiple systems; these include:

  • Moira
  • Registrar via the Data Warehouse
  • HR via the Data Warehouse
  • NIC

6.      Proposed initiatives and tasks

...

8.1.   LDAP authentication - This should not be confused with the LDAP bind operation. LDAP authentication is often used to indicate that an application is passing a username and password over TLS to an LDAP server, and the LDAP server then evaluates the username/password pair to determine whether the user should be successfully authenticated. It may do this by storing the password in the LDAP directory, or it may forward the information on to another back end system such as Kerberos to perform the evaluation.
8.2.   OID (Oracle Internet Directory) - http://www.oracle.com/technology/products/oid/index.html
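The glossary entry above describes two properties that an LDAP server doing "LDAP authentication" should have: the cleartext password must only ever arrive over TLS, and the server may delegate the check to a back end such as Kerberos rather than storing the password itself. The following cn=config LDIF is an added example of how both are expressed in OpenLDAP; it is not MIT's configuration, and the hostname, certificate paths, base DN, user and realm are placeholders. It uses OpenLDAP's pass-through authentication, in which a userPassword value of the form {SASL}user@REALM hands the password check to saslauthd, which in turn verifies it against the KDC.

```ldif
# Added example (hypothetical paths, DNs and realm): harden an OpenLDAP
# server that applications use for username/password checking.
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/certs/ldap.example.edu.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/certs/ldap.example.edu.key
-
# Refuse any simple bind (the operation that carries the cleartext password)
# unless the session already has at least 128-bit TLS protection, and
# require the same strength before any other operation is accepted.
replace: olcSecurity
olcSecurity: tls=128 simple_bind=128
-
# Anonymous binds are not needed by an authentication-only directory.
replace: olcDisallows
olcDisallows: bind_anon

# The directory stores no password hash for this user. The {SASL} scheme
# makes slapd ask saslauthd to verify the password, and saslauthd is run
# with "-a kerberos5" so the check is performed against the KDC.
dn: uid=jdoe,ou=people,dc=example,dc=edu
changetype: modify
replace: userPassword
userPassword: {SASL}jdoe@EXAMPLE.EDU
```

Pass-through authentication additionally requires slapd to be built with SASL password support, a slapd SASL configuration file containing `pwcheck_method: saslauthd`, and saslauthd started with the kerberos5 mechanism. A simple bind attempted on a plain port 389 connection against this configuration is rejected with confidentialityRequired before the password is evaluated, which is the behaviour a practitioner should verify after deployment.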

9. Proposed responsibilities

NIST will be responsible for operating ldap.mit.edu; this includes:

  • system administration of ldap.mit.edu including normal maintenance of the server hardware and applying security patches
  • modification of configuration or updates in response to operational situations, e.g. disabling the update of student data in order to prevent unintended disclosure of cell phone numbers due to miscommunications amongst other groups
  • notification of changes to configuration or updates in response to operational situations within a reasonable period of time
  • coordination planning with ISDA for tested and planned changes, e.g. schema changes, or maintenance of feeds
  • providing ISDA with staging machines which adequately reflect the operational machines (the assumption is that ISDA will bear the cost of the hardware for the staging machines)

ISDA will be responsible for:

  • maintenance of the data feeds from Moira
  • creation and maintenance of data feeds from Roles DB
  • maintenance of data feeds from DW (if necessary)
  • testing feeds
  • coordinating and testing schema changes
  • creating sample source code for developers interested in integrating applications with ldap.mit.edu services
  • creating documentation for developers interested in integrating applications with ldap.mit.edu
  • developing improved monitoring tools to ensure that ldap.mit.edu is available and providing consistent responses
  • providing 2nd tier support to determine the problem and solution when a user or developer complains about availability, data consistency, or other data issues