Version 3 (modified by lttoth@…, 10 years ago) (diff) |
---|
Overview of Enterprise Directory Architecture
Original author: Beth Mercer - 20081031
The University of Alaska Enterprise Directory and Authentication Service are comprised of the following four architectural components:
- EDIR Directories
- EDIR "registry"
- Web Gateways
- Equalizer
EDIR Directory : SUN LDAP iPlanet Directories
The account, iplanet, is found on both the Linux IDMP Cluster and "E" boxes SUN UNIX servers.
IDMP Cluster Functions and Instances
- Source of information for web gateways
- Source of identity for authentication service
- Enforces uniqueness via LDIF updates
- BannerID
- UASystemID
- UASystemLegacyID
- UID
- mailAlternateAddress
- Stores daily transaction log files for daily LDAP processing
- Stores daily access logs for EDIR authenticated services
- One active Instance; Prod on IDMP-3
- Two inactive instances; Prep (IDMP-0), Test (IDMP-1)
"E" Box Functions and Instances
- Enforces uniqueness via Web Edits
- Enforces limited password logic via Web Edits
- age
- length
- composition
- reuse
- 3 instances; Test, Prep, Prod on 4 servers; eklutna, egegik, edgar, elias
EDIR "registry" : Oracle Databases
sxldap UNIX account and OPS$SXLDAP schema
superset of directory data reconciliation of entities from various systems of origin
(primarily Banner)
enforces business logic
3 instances; RPTT, RPTQ, RPTS on 1 server; summit
Web Gateways
ldapgw UNIX account for EDIR/AUTHSERV
AUTHSERV: web authentication service and interface to security related functions; also interface to kerberos password/account management for kerberized directory records (e.g. password changes/resets, locking/unlocking accounts, creating guest accounts, etc.)
EDIR: white pages and interface to self service updates
iplanet UNIX account for UPDATE
UPDATE: interface called by both EDIR and AUTHSERV to perform directory updates
3 instances each; Test, Prep, PROD on 4 servers; eklutna, egegik, edgar, elias (soon to be 5th server; elfin)
Equalizer
The Equalizers balance the load for the following DNS names.
EDIR URLs
These URLs are accessed for directory information and user self-service actions.
- edirtest.alaska.edu
- edirprep.alaska.edu
- edir.alaska.edu
AUTHSERV URLs
These URLs are accessed by IAM and the Help Desk to Manage EDIR LDAP entries for users when necessary.
- authservtest.alaska.edu
- authservprep.alaska.edu
- authserv.alaska.edu
HTTP Ports
The equalizer balances access to ports for:
- http
- https
- ldap
- ldaps
Note: ' The URL, email-lookup.alaska.edu, is no longer used. Email information is found in the regular EDIR listing.
Historical Use of Kerberos
NOTE: Originally Kerberos synchronized LDAP password information with OIT. That implementation is no longer current and not maintained in anyway. At that time the Kerberos Realm consisted of:
- Synchronization Command: oitsynch UNIX account
- A password store behind iPlanet Directory
- A directory plugin implements kerberos authentication during directory bind
- An UPDATE interface behind AUTHSERV implements kerberos password reset/change/lock/unlock functionality
- 3 realms: test.alaska.edu, prep.alaska.edu, prod.alaska.edu - 1 each on 3 servers: cisca, cobalt, cupola
######################################################## LEGACY CHANGE HISTORY - NOTE: All subsequent changes are recorded in TracWiki ######################################################## 20081031 elm corrected typos