Version 5 (modified by lttoth@…, 10 years ago)

Overview of Enterprise Directory Architecture

Original author: Beth Mercer - 20081031

The University of Alaska Enterprise Directory and Authentication Service consist of the following four architectural components:

  • EDIR Directories
  • EDIR "registry"
  • Web Gateways
  • Equalizer

EDIR Directory: SUN iPlanet LDAP Directories

The iplanet account exists on both the Linux IDMP cluster and the "E" box SUN UNIX servers.

IDMP Cluster Functions and Instances

  • Source of information for web gateways
  • Source of identity for authentication service
  • Enforces uniqueness via LDIF updates
    • BannerID
    • UASystemID
    • UASystemLegacyID
    • UID
    • mailAlternateAddress
  • Stores daily transaction log files for daily LDAP processing
  • Stores daily access logs for EDIR authenticated services
  • One active instance: Prod on IDMP-3
  • Two inactive instances: Prep (IDMP-0) and Test (IDMP-1)
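As an added example (not from the original page or the UA directory code), the Python below checks a batch of LDIF entries for collisions in the five attributes the IDMP cluster keeps unique, so that a conflicting batch can be rejected before it is applied; the sample LDIF is constructed, and case-insensitive matching for all five attributes is an assumption.

```python
# Added example (not from the page): flag collisions in the attributes the IDMP cluster keeps unique.
import base64
import re
from collections import defaultdict
UNIQUE_ATTRS = ("bannerid", "uasystemid", "uasystemlegacyid", "uid", "mailalternateaddress")

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] with attribute names lower-cased. Unfolds
    continuation lines, skips '#' comments, decodes base64 ('::') values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):      # entries end at a blank line
        dn, attrs = None, defaultdict(list)
        for line in re.sub(r"\n ", "", block).splitlines():  # unfold wrapped lines
            name, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if value.startswith(":"):                     # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        if dn:
            entries.append((dn, dict(attrs)))
    return entries

def find_uniqueness_violations(text):
    """attr -> {value: [dns]} for each value claimed by more than one entry.
    Assumption: caseIgnore (case-insensitive) matching for all five attributes."""
    seen = defaultdict(lambda: defaultdict(list))
    for dn, attrs in parse_ldif(text):
        for attr in UNIQUE_ATTRS:
            for value in attrs.get(attr, []):
                seen[attr][value.lower()].append(dn)
    return {a: {v: d for v, d in vals.items() if len(d) > 1}
            for a, vals in seen.items() if any(len(d) > 1 for d in vals.values())}
# Constructed sample: entry 2 re-uses entry 1's uid (base64) and mailAlternateAddress (folded, different case).
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=edu
uid: jdoe
BannerID: 30000001
mailAlternateAddress: jdoe@example.edu

dn: uid=JDOE,ou=People,dc=example,dc=edu
uid:: SkRPRQ==
BannerID: 30000002
mailAlternateAddress: JDoe@
 example.edu
"""
```

Running `find_uniqueness_violations(SAMPLE_LDIF)` reports the uid and mailAlternateAddress collisions but not BannerID, since the two BannerID values differ.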

"E" Box Functions and Instances

  • Enforces uniqueness via Web Edits
  • Enforces limited password logic via Web Edits
    • age
    • length
    • composition
    • reuse
  • 3 instances (Test, Prep, Prod) on 4 servers: eklutna, egegik, edgar, elias

EDIR "registry": Oracle Databases

The sxldap account exists on both the Linux RPTP (talkeetna cluster), where it manages the OPS@SXLDAP schema, and the "E" box SUN UNIX servers. The People Registry performs the following functions:

  • Superset of directory data
  • Reconciliation of entities from various systems of origin
    • primarily Banner
  • Enforces business logic
  • Interacts with 3 instances: RPTQ, RPTS on the RPTP cluster (currently talkeetna)

Web Gateways

ldapgw UNIX account for EDIR/AUTHSERV

AUTHSERV: web authentication service and interface to security-related functions; also the interface to Kerberos password/account management for Kerberized directory records (e.g. password changes/resets, locking/unlocking accounts, creating guest accounts, etc.)

EDIR: white pages and interface to self service updates

iplanet UNIX account for UPDATE

UPDATE: interface called by both EDIR and AUTHSERV to perform directory updates

3 instances each (Test, Prep, PROD) on 4 servers: eklutna, egegik, edgar, elias (a 5th server, elfin, is planned)

Equalizer

The Equalizers balance the load for the following DNS names.

EDIR URLs

These URLs are accessed for directory information and user self-service actions.

  • edirtest.alaska.edu
  • edirprep.alaska.edu
  • edir.alaska.edu

AUTHSERV URLs

These URLs are accessed by IAM and the Help Desk to manage EDIR LDAP entries for users when necessary.

  • authservtest.alaska.edu
  • authservprep.alaska.edu
  • authserv.alaska.edu

HTTP Ports

The Equalizer balances access to the following ports:

  • http
  • https
  • ldap
  • ldaps

Note: The URL email-lookup.alaska.edu is no longer used. Email information is found in the regular EDIR listing.

Historical Use of Kerberos

NOTE: Originally, Kerberos synchronized LDAP password information with OIT. That implementation is no longer current and is not maintained in any way. At that time the Kerberos realm consisted of:

  • Synchronization command: oitsynch UNIX account
  • A password store behind the iPlanet Directory
  • A directory plugin that implements Kerberos authentication during directory bind
  • An UPDATE interface behind AUTHSERV that implements Kerberos password reset/change/lock/unlock functionality
  • 3 realms (test.alaska.edu, prep.alaska.edu, prod.alaska.edu), one each on 3 servers: cisca, cobalt, cupola

########################################################
LEGACY CHANGE HISTORY - NOTE: All subsequent changes are recorded in TracWiki
########################################################
20081031 elm corrected typos