= Overview of Enterprise Directory Architecture =

Original author: Beth Mercer - 20081031

The University of Alaska Enterprise Directory and Authentication Service comprise the following four architectural components:

 * EDIR Directories
 * EDIR "registry"
 * Web Gateways
 * Equalizer

== EDIR Directory: SUN LDAP iPlanet Directories ==

The account, ''iplanet'', is found on both the Linux IDMP cluster and the "E" box SUN UNIX servers.

=== IDMP Cluster Functions and Instances ===

 * Source of information for web gateways
 * Source of identity for the authentication service
 * Enforces uniqueness via LDIF updates for:
   * BannerID
   * UASystemID
   * UASystemLegacyID
   * UID
   * mailAlternateAddress
 * Stores daily transaction log files for daily LDAP processing
 * Stores daily access logs for EDIR authenticated services
 * One active instance: Prod on IDMP-3
 * Two inactive instances: Prep (IDMP-0), Test (IDMP-1)

=== "E" Box Functions and Instances ===

 * Enforces uniqueness via Web Edits
 * Enforces limited password logic via Web Edits:
   * age
   * length
   * composition
   * reuse
 * 3 instances (Test, Prep, Prod) on 4 servers: eklutna, egegik, edgar, elias

== EDIR "registry": Oracle Databases ==

The account, ''sxldap'', is found on both the Linux RPTP (talkeetna cluster), where it manages the OPS@SXLDAP schema, and the "E" box SUN UNIX servers.

The People Registry performs the following functions:

 * Superset of directory data
 * Reconciliation of entities from various systems of origin
   * primarily Banner
 * Enforces business logic
 * Interacts with 3 instances: RPTQ, RPTS on the RPTP cluster (currently talkeetna)

== Web Gateways ==

''ldapgw'': UNIX account for EDIR/AUTHSERV

 * AUTHSERV: web authentication service and interface to security-related functions; also the interface to Kerberos password/account management for kerberized directory records (e.g. password changes/resets, locking/unlocking accounts, creating guest accounts, etc.)
 * EDIR: white pages and interface to self-service updates

''iplanet'': UNIX account for UPDATE

 * UPDATE: interface called by both EDIR and AUTHSERV to perform directory updates

3 instances each (Test, Prep, PROD) on 4 servers: eklutna, egegik, edgar, elias (soon to be a 5th server: elfin)

== Equalizer ==

The Equalizers balance the load for the following DNS names.

=== EDIR URLs ===

These URLs are accessed for directory information and user self-service actions.

 * edirtest.alaska.edu
 * edirprep.alaska.edu
 * edir.alaska.edu

=== AUTHSERV URLs ===

These URLs are accessed by IAM and the Help Desk to manage EDIR LDAP entries for users when necessary.

 * authservtest.alaska.edu
 * authservprep.alaska.edu
 * authserv.alaska.edu

==== HTTP Ports ====

The equalizer balances access to ports for:

 * http
 * https
 * ldap
 * ldaps

'''Note:''' The URL email-lookup.alaska.edu is no longer used. Email information is found in the regular EDIR listing.

== Historical Use of Kerberos ==

'''NOTE:''' Originally Kerberos synchronized LDAP password information with OIT. That implementation is no longer current and is not maintained in any way.

At that time the Kerberos realm consisted of:

 * Synchronization command: ''oitsynch'' UNIX account
 * A password store behind the iPlanet Directory
 * A directory plugin that implements Kerberos authentication during directory bind
 * An UPDATE interface behind AUTHSERV that implements Kerberos password reset/change/lock/unlock functionality
 * 3 realms: test.alaska.edu, prep.alaska.edu, prod.alaska.edu - 1 each on 3 servers: cisca, cobalt, cupola

== Legacy Change History ==

'''NOTE:''' All subsequent changes are recorded in TracWiki.

 * 20081031 elm: corrected typos
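As an added example (not part of the original page and not UA's own tooling), the following Python script pre-checks an LDIF batch against a directory snapshot for the attributes the IDMP cluster keeps unique (BannerID, UASystemID, UASystemLegacyID, UID, mailAlternateAddress), so a duplicate is caught before the daily LDAP processing loads it. It assumes the snapshot is plain LDIF and that, like LDAP's caseIgnoreMatch, attribute names and values compare case-insensitively; the sample entries and DNs are constructed.

```python
import base64
UNIQUE_ATTRS = ("bannerid", "uasystemid", "uasystemlegacyid", "uid", "mailalternateaddress")

def parse_ldif(text):
    """LDIF -> [(dn, {attr: [values]})]; unfolds continuations, decodes 'attr::' base64."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):   # unfold, then split into entries
        dn, attrs = None, {}
        for line in (l for l in block.splitlines() if l.strip() and not l.startswith("#")):
            name, _, rest = line.partition(":")
            value = (base64.b64decode(rest[1:]).decode() if rest.startswith(":")
                     else rest.strip())
            if name.lower() == "dn":                # attribute names are case-insensitive
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries

def find_conflicts(existing_ldif, batch_ldif):
    """(attr, value, new_dn, owning_dn) for every batch value already held by another
    DN in the snapshot or earlier in the same batch (the same DN is a modify, not a clash)."""
    seen = {}                                       # (attr, value.lower()) -> owning dn
    for dn, attrs in parse_ldif(existing_ldif):
        for attr in UNIQUE_ATTRS:
            for value in attrs.get(attr, []):
                seen.setdefault((attr, value.lower()), dn)
    conflicts = []
    for dn, attrs in parse_ldif(batch_ldif):
        for attr in UNIQUE_ATTRS:
            for value in attrs.get(attr, []):
                owner = seen.setdefault((attr, value.lower()), dn)
                if owner.lower() != dn.lower():
                    conflicts.append((attr, value, dn, owner))
    return conflicts
# Constructed sample: one snapshot entry and a two-entry batch carrying three collisions.
EXISTING = """dn: uid=jdoe,ou=people,dc=alaska,dc=edu
BannerID: 30000001
mailAlternateAddress: john.doe@alaska.edu"""
BATCH = """dn: uid=jdoe2,ou=people,dc=alaska,dc=edu
BannerID: 30000001
UASystemID: UA0002

dn: uid=asmith,ou=people,dc=alaska,dc=edu
UASystemID: UA0002
mailAlternateAddress:: Sm9obi5Eb2VAYWxhc2thLmVkdQ=="""
if __name__ == "__main__":
    print(*find_conflicts(EXISTING, BATCH), sep="\n")   # one rejected value per line
```

The second batch entry collides with the first on UASystemID even though the snapshot has never seen UA0002, which is why the batch is checked against itself and not only against the directory.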