BeoLink.org
AFS Workshop October 2008
AFS Identity Management
Fabrizio Manfredi Furuholmen
Agenda
• Introduction
• AFS Manager: Introduction, Features, Demo, Next Steps
• PtServer-NG: Introduction, Architecture, Demo, Open Points
PtServer: Introduction
Central administration means security and time/resource savings.
PtServer: Introduction
Accounts Centralization
• Enterprise Directory
• Change Application
• High Availability
Centralized Provisioning
• Connectors for applications
• Product
• Identity Management
PtServer: Introduction
Distributed
• No need to change applications
• Fewer HA problems
• IDM with RBAC
Centralized
• Real-time
• Consistent view
• Reuse of the existing architecture
PtServer: Introduction
AFS Manager
• Graphical User Interface
• Provisioning Interface (multi mode)
• Administration Tasks
PtServer NG
• Active Directory Integration
• Directory Integration
AFS Manager
AFS Manager: Goals
GUI
• Interface for Windows Administrators
• Simple to use
• Complete overview of the Cell
• Standard objects for PHP scripting (CLI)
Monitoring
• Volume Access Monitoring
• Volume Space Usage
• System Statistics
WebService Interface
• Provisioning Interface for Volume, User, Group
• Automatic volume layout
• Re-Balance (replications, move volumes ..)
AFS Manager: Demo
Demo …
AFS Manager: Architecture
Client
• AJAX
• Acrobat
Apache + PHP
• XML
• JSON
• PHP >= 5
• SQLite
AFS
• Adm Command Line
AFS Manager: Next
Code
• Java backend ?
• PHP Library
• Object Cache
WebService Interface
• Automatic volume layout
• Re-Balance (replications, move volumes ..)
End of part 1
Ptserver NG
PtServer: Overview
Ptserver keeps user/group information
• Ptserver contains entries for every user and group in the cell
• Ptserver allocates AFS IDs for new user, machine and group entries and maps each ID to the corresponding name.
• Ptserver generates a current protection subgroup (CPS) at the File Server's request. The CPS lists all groups to which a user or machine belongs.
Ubik is the openAFS database
• Ubik is a single linear database
• Ubik is automatically replicated across a number of servers.
• Ubik is a ‘transactional’ database (supports fully distributed changes as long as a majority of the servers are up and are synchronized together in a write quorum)
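The CPS described above is what the File Server matches ACL entries against, so it is the point where a wrong or stale group membership turns into a wrong access decision. The following is an added illustration, not ptserver code from the slides or from OpenAFS: a toy in-memory protection database (constructed users, groups and memberships) from which the CPS of a user is derived, followed by the ACL evaluation the File Server performs with it. The built-in group ids -101 (system:anyuser) and -102 (system:authuser) are the real OpenAFS values; the ACL tuple layout and all other names are this example's own assumptions.

```python
"""Toy model of the ptserver's CPS and of a File Server ACL check.

Constructed example: the dicts below stand in for the Ubik protection
database; they are not the real ptserver data structures.
"""

SYSTEM_ANYUSER = -101    # built-in OpenAFS group ids
SYSTEM_AUTHUSER = -102

# Constructed protection database: users get positive AFS ids and
# groups negative ones, which is how ptserver allocates them.
USERS = {"alice": 1001, "bob": 1002}
GROUPS = {
    "sys:ops": -201,
    "proj:web": -202,
    "system:anyuser": SYSTEM_ANYUSER,
    "system:authuser": SYSTEM_AUTHUSER,
}
MEMBERS = {"sys:ops": {"alice"}, "proj:web": {"alice", "bob"}}

# Canonical AFS display order of the seven directory rights.
RIGHT_ORDER = "rlidwka"


def cps(user):
    """Current protection subgroup of `user` (None = unauthenticated).

    An anonymous caller only matches system:anyuser; an authenticated
    user matches its own id, both built-in groups and every group it
    is a member of.
    """
    if user is None:
        return {SYSTEM_ANYUSER}
    ids = {USERS[user], SYSTEM_ANYUSER, SYSTEM_AUTHUSER}
    ids |= {GROUPS[g] for g, members in MEMBERS.items() if user in members}
    return ids


def effective_rights(acl, user):
    """Rights `user` gets on a directory with ACL `acl`.

    `acl` is a list of (name, rights, negative) tuples (assumed layout).
    Positive entries whose id is in the CPS are unioned; negative entries
    in the CPS are then subtracted, since in AFS a negative entry always
    wins over a positive one.
    """
    ids = cps(user)
    name_to_id = {**USERS, **GROUPS}
    granted, denied = set(), set()
    for name, rights, negative in acl:
        if name_to_id[name] in ids:
            (denied if negative else granted).update(rights)
    return "".join(r for r in RIGHT_ORDER if r in granted - denied)


if __name__ == "__main__":
    acl = [
        ("proj:web", "rl", False),
        ("sys:ops", "rlidwka", False),
        ("system:anyuser", "l", False),
        ("bob", "d", True),          # explicit negative entry for bob
    ]
    for who in ("alice", "bob", None):
        print(who, sorted(cps(who)), effective_rights(acl, who))
```

The negative entry for bob shows why the CPS must be computed from the authoritative database on every request: if a cached CPS lagged behind a group change, the File Server would keep granting rights the administrator has already removed.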
PtServer: Goals
Create pluggable user storage
• Ubik
• Ldap
• Windows
Create flexible user mapping
• Mapping user id on existing system
• Mapping group id on existing system
PtServer: Winbind
Winbind unifies UNIX and Windows NT account management by allowing a UNIX box to become a full member of an NT domain.
Authentication
• NTLM
• ADS (Kerberos)
Users Information
• Account info
• ID mapping
Groups Information
• Group info
• ID Mapping
PtServer: Architecture
Ptserver
• Network Layer
• AD Driver
Winbind
• Cache
• IDMAP Engine
IDMAP Storage
• Ldap
• ADS
• File
Domain Controller
• Samba
• WinNT/Win2*
Overview: Demo
Demo … high probability of crash ..
PtServer
Advantages
• Single identity (single storage)
• id mapping
• gid mapping
• Real time update
• Pluggable in existing infrastructure
Disadvantages
• Reliability
• Performance
PtServer: Open points ..
Licences
• Loading a GPL 3 library: compatibility?
Performance
• How many requests per second?
Where to store ..
• Flags
• Quota Group
The End
Too Long
• For Further Questions:
• Fabrizio Manfredi • [email protected] [email protected]
• http://www.beolink.org
Reference
AD as IDM
IdMapping
IDMAP SID<->UID/GID
• LDAP
• Internal (TDB)
• ADS (SFU/RFC)
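The IDMAP engine in the Winbind architecture slide and the SID<->UID/GID mapping listed here are where a Windows identity is turned into the numeric id that an AFS ACL will ultimately trust, so the mapping has to be deterministic and collision-free across domains. The following added example (not the PtServer NG code, and not taken from the slides) implements the algorithmic mapping Samba's idmap_rid backend documents, id = RID - base_rid + low_range, with the range checks a careful deployment needs: SIDs from unknown domains are refused, ids falling outside the domain's range are refused, and overlapping ranges between domains are rejected at configuration time. The domain SIDs and ranges are constructed values; the config layout is this example's own assumption.

```python
"""RID-based SID <-> numeric id mapping with range enforcement.

Added example modelled on the formula Samba documents for idmap_rid
(id = RID - base_rid + low_range). The domain table is constructed;
it is not a real configuration and not the PtServer NG code.
"""
import re

# Domain SIDs have the form S-1-5-21-<a>-<b>-<c>; the trailing
# component of an account SID is the RID.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Constructed config: each trusted domain gets its own disjoint id range.
DOMAINS = {
    "S-1-5-21-1111-2222-3333": {"low": 10000, "high": 19999, "base_rid": 0},
    "S-1-5-21-4444-5555-6666": {"low": 20000, "high": 29999, "base_rid": 0},
}


def check_ranges(domains):
    """Refuse a configuration in which two domains could yield the same id.

    Overlapping ranges would let an account in one domain silently
    acquire the numeric id, and therefore the ACL rights, of an
    account in another domain.
    """
    spans = sorted((c["low"], c["high"], d) for d, c in domains.items())
    for (_, high_a, dom_a), (low_b, _, dom_b) in zip(spans, spans[1:]):
        if low_b <= high_a:
            raise ValueError(f"overlapping id ranges: {dom_a} and {dom_b}")
    return True


def sid_to_id(sid, domains=DOMAINS):
    """Map an account SID to a numeric id, or None if it must not be mapped."""
    match = DOMAIN_SID_RE.match(sid)
    if not match:
        # Well-known/builtin SIDs (e.g. S-1-5-32-544) have no place in
        # a per-domain range and are treated as a caller error.
        raise ValueError(f"not a domain account SID: {sid}")
    domain_sid = sid[: sid.rfind("-")]
    cfg = domains.get(domain_sid)
    if cfg is None:
        return None                     # untrusted or unknown domain
    rid = int(match.group(1))
    numeric_id = rid - cfg["base_rid"] + cfg["low"]
    if not cfg["low"] <= numeric_id <= cfg["high"]:
        return None                     # RID outside the configured range
    return numeric_id


def id_to_sid(numeric_id, domains=DOMAINS):
    """Inverse mapping: find the domain whose range contains the id."""
    for domain_sid, cfg in domains.items():
        if cfg["low"] <= numeric_id <= cfg["high"]:
            rid = numeric_id - cfg["low"] + cfg["base_rid"]
            return f"{domain_sid}-{rid}"
    return None


if __name__ == "__main__":
    check_ranges(DOMAINS)
    sid = "S-1-5-21-1111-2222-3333-1105"
    uid = sid_to_id(sid)
    print(sid, "->", uid, "->", id_to_sid(uid))
    print("unknown domain:", sid_to_id("S-1-5-21-9-9-9-1105"))
    print("out of range:", sid_to_id("S-1-5-21-1111-2222-3333-50000"))
```

Because the mapping is purely arithmetic it needs no LDAP or TDB storage and every Winbind instance computes the same answer, which is the property the single-storage, real-time goals above ask for; the price is that a RID above the range size is simply unmappable, so the range has to be sized for the domain's RID pool from the start.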