wiki:ALL__architecture

Version 2 (modified by lttoth@…, 10 years ago)

--

Overview of Enterprise Directory Architecture

Original author: Beth Mercer - 20081031

The University of Alaska Enterprise Directory and Authentication Service consist of the following four architectural components:

  • EDIR Directories
  • EDIR "registry"
  • Web Gateways
  • Equalizer

EDIR Directory : Sun iPlanet LDAP Directories

  • UNIX account: iplanet
  • source of information for the web gateways
  • source of identity for the authentication service
  • enforces uniqueness of BannerID, UASystemID, UASystemLegacyID, UID and mailAlternateAddress
  • enforces limited password logic (age, length, composition, reuse)
  • contains a plugin for Kerberos authentication
  • 3 instances (Test, Prep, Prod) on 4 servers: eklutna, egegik, edgar, elias (soon to be a 5th server, elfin)
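The uniqueness constraint above is the kind of invariant worth auditing independently of the directory plugin that enforces it, for example after a bulk load from the registry. The following Python is an added example, not University of Alaska code: it parses a small LDIF export and reports any of the five identifiers held by more than one entry, matching values case-insensitively as directories normally do for uids and mail addresses. The LDIF, its DNs and values, and the extra cn/mail attributes are constructed sample data, not records from the real directory.

```python
"""Offline audit of the EDIR uniqueness constraints.

Added example, not University of Alaska code. It checks that none of the
five identifiers the overview says the directory keeps unique (BannerID,
UASystemID, UASystemLegacyID, UID, mailAlternateAddress) is held by more
than one entry in an LDIF export. The LDIF below is constructed sample
data; the DNs, values and the extra cn/mail attributes are assumptions.
"""
from collections import defaultdict

# Attributes the EDIR directory enforces uniqueness on (from the overview).
UNIQUE_ATTRS = ("BannerID", "UASystemID", "UASystemLegacyID",
                "uid", "mailAlternateAddress")

# Constructed LDIF: jdoe2 reuses jdoe's BannerID, and jsmith carries
# jdoe's alternate address differing only in letter case.
SAMPLE_LDIF = """\
version: 1

dn: uid=jdoe,ou=people,dc=alaska,dc=edu
uid: jdoe
cn: Jane Doe
BannerID: 30012345
UASystemID: 1001
UASystemLegacyID: 5001
mail: jdoe@alaska.edu
mailAlternateAddress: jane.doe@alaska.edu

dn: uid=jsmith,ou=people,dc=alaska,dc=edu
uid: jsmith
cn: John Smith
BannerID: 30067890
UASystemID: 1002
UASystemLegacyID: 5002
mailAlternateAddress: jsmith@alaska.edu
mailAlternateAddress: Jane.Doe@alaska.edu

dn: uid=jdoe2,ou=people,dc=alaska,dc=edu
uid: jdoe2
cn: Jane Doe
BannerID: 30012345
UASystemID: 1003
UASystemLegacyID: 5003
"""


def parse_ldif(text):
    """Parse plain LDIF into a list of {attr_lowercase: [values]} dicts.

    Folded continuation lines (leading space) are rejoined, comments and
    the version line are skipped, and a blank line ends an entry.
    Base64 ('::') values are out of scope for this example.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        # LDAP attribute names are case-insensitive, so index them lowercased.
        current[attr.strip().lower()].append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_duplicates(entries, attrs=UNIQUE_ATTRS):
    """Return {attr: {value: [dn, ...]}} restricted to values held by more
    than one entry. Values are compared case-insensitively; a value that
    appears twice inside one entry is not a clash."""
    report = {}
    for attr in attrs:
        holders = defaultdict(list)
        for entry in entries:
            dn = entry.get("dn", ["<missing dn>"])[0]
            for value in {v.lower() for v in entry.get(attr.lower(), [])}:
                holders[value].append(dn)
        clashes = {v: dns for v, dns in holders.items() if len(dns) > 1}
        if clashes:
            report[attr] = clashes
    return report


if __name__ == "__main__":
    for attr, clashes in find_duplicates(parse_ldif(SAMPLE_LDIF)).items():
        for value, dns in clashes.items():
            print(f"{attr}={value} held by {len(dns)} entries: {', '.join(dns)}")
```

Against a real export (ldapsearch -LLL over ldaps to edir.alaska.edu, dumped to a file) the same two functions apply unchanged; any clash it reports means the directory's uniqueness plugin was bypassed or a record was loaded around it.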

EDIR "registry" : Oracle Databases

  • UNIX account: sxldap; schema: OPS$SXLDAP
  • superset of the directory data
  • reconciliation of entities from the various systems of origin (primarily Banner)
  • enforces business logic
  • 3 instances (RPTT, RPTQ, RPTS) on 1 server: summit

Web Gateways

  • UNIX account: ldapgw, for EDIR and AUTHSERV
      • AUTHSERV: web authentication service and interface to security-related functions; also the interface to Kerberos password/account management for kerberized directory records (e.g. password changes/resets, locking/unlocking accounts, creating guest accounts, etc.)
      • EDIR: white pages and interface to self-service updates
  • UNIX account: iplanet, for UPDATE
      • UPDATE: interface called by both EDIR and AUTHSERV to perform directory updates
  • 3 instances each (Test, Prep, Prod) on 4 servers: eklutna, egegik, edgar, elias (soon to be a 5th server, elfin)

Equalizer

  • load balancing for the following DNS names:
      • edirtest.alaska.edu, edirprep.alaska.edu, edir.alaska.edu
      • authservtest.alaska.edu, authservprep.alaska.edu, authserv.alaska.edu
      • email-lookup.alaska.edu
  • for the http/https ports and for the ldap/ldaps ports

Historical Use of Kerberos

NOTE: Originally Kerberos synchronized LDAP password information with OIT. That implementation is no longer current and is not maintained in any way. At that time the Kerberos realm consisted of:

  • Synchronization Command: oitsynch UNIX account
  • A password store behind iPlanet Directory
  • A directory plugin implements kerberos authentication during directory bind
  • An UPDATE interface behind AUTHSERV implements kerberos password reset/change/lock/unlock functionality
  • 3 realms: test.alaska.edu, prep.alaska.edu, prod.alaska.edu - 1 each on 3 servers: cisca, cobalt, cupola

LEGACY CHANGE HISTORY

NOTE: All subsequent changes are recorded in TracWiki.

20081031 elm corrected typos