Dec , IS p. 1/60

Size: px

Start display at page:

Download "Dec , IS p. 1/60"

ひでたついせき
5 years ago
Views:

1 Dec , IS p. 1/60

2 Dec , IS p. 2/60

3 Plan of Talk (LDAP) (CAS) (IdM) Dec , IS p. 3/60

4 Dec , IS p. 4/60

5 .. Dec , IS p. 5/60

6 Dec , IS p. 6/60

7 Dec , IS p. 7/60

8 (Authentication) ID, (Directory Service) (Authorization) Dec , IS p. 8/60

9 Authentication Authentication + Directory Service UNIX Login UserID + Password UserID UserID Password UidNumber, GidNumber, Home Directory Dec , IS p. 9/60

10 UNIX LDAP Directory Server CAS LDAP Radius Dec , IS p. 10/60

11 LDAP Sun Microsystems Directory Server IdM Dec , IS p. 11/60

12 (1) WebCT IP Dec , IS p. 12/60

13 (2) Dec , IS p. 13/60

14 LDAP LDAP = Light weight Directory Access Protocol Unix like ( MacOSX) OpenLDAP Apache Directory Project Sun Microsystems Directory Server (20 ) Dec , IS p. 14/60

15 LDAP Dec , IS p. 15/60

16 LDAP dn: nagoyaunivid=,ou=user,o=nagoya-u nagidno: NagoyaUnivID: ZengakuID: fullname;lang-ja;phonetic: fullname;lang-en: fullname:: adepartmentnumber: section;lang-ja: Dec , IS p. 16/60

17 LDAP Bind User ldapsearch -h ldaphost -D BIND-USER-DN \ -b search-base (nagoyaunivid=userid) 3. Bind User BIND ldapsearch -h ldaphost -D USER-DN \ -b search-base \ -w password (nagoyaunivid=userid) 4. BIND Dec , IS p. 17/60

18 LDAP Unique LDAP Search Filter ( (nagoyaunivid=userid)(zengakuid=userid)) ( (nagoyaunivid=userid)(mail=userid)) LDAP search filter Dec , IS p. 18/60

19 LDAP (ACL) Bind User Bind User LDAP Sun Directory Server ACL OpenLDAP Dec , IS p. 19/60

20 DIT (UNIX/MacOSX) LDAP uidnumber, gidnumber, homedirectory, loginshell DIT DIT Dec , IS p. 20/60

21 DIT ou=system-n,o=otherhosts uidnumber, gidnumber, homedirectory, loginshell userpassword parentdn DIT userpassword Dec , IS p. 21/60

22 UNIX LDAP UNIX (Linux/BSD) pam-ldap, nss-ldap (?) MacOSX Directory Service LDAPv3 LDAP uid cn Windows LDAP Active Directory... Dec , IS p. 22/60

23 MacOSX Server LDAP naito-math cn: naito-math, uid: naito-math Dec , IS p. 23/60

24 Dec , IS p. 24/60

25 LDAP LDAP Search Socket socket close Dec , IS p. 25/60

26 CAS 2 CAS = Central Authentication Service Single Sign On (Yale University) JA-SIG CAS 2 = Central Authentication and Authorization Service CAS Authorization Dec , IS p. 26/60

27 CAS Single Sign On SSL LDAP BIND USER LDAP close LDAP Dec , IS p. 27/60

28 CAS 2 (1) Login Window Web Browser 1. Access 2a. Redirection 2b. Login Window Web Application CAS Server LDAP Server Cookie one-time ticket ST Web Application Web Browser 4. Redirection with TGC/ST TGC CAS Server 3a. Input User ID/Password 3b. Authentication 3c. Result LDAP Server Dec , IS p. 28/60

29 CAS 2 (2) one-time ticket verify one-time ticket Web Browser 6. Response Web Application 5a. Send ST ST 5b. Validation Result CAS Server LDAP Server Dec , IS p. 29/60

30 CAS 2 (3) Cookie one-time ticket Web Browser TGC ST 2. Redirection with ST Web Application CAS Server 1a. Authorization 1b. Result CAS-ACL Access Denied Page redirect one-time ticket Web Browser TGC 1. Access Invalid ST Web Application 5. Redirection 2. Send ST Invalid ST 4. Invalid CAS Server 3a. Authorization 3b. Result CAS-ACL Dec , IS p. 30/60

31 CAS 2 LDAP Server SSL CAS 2 server Java Servlet http redirection cookie Java script (redirect) Dec , IS p. 31/60

32 CAS 2 CAS-ACL (Access Control List) cn=www,ou=cas,o=nagoya-u cas-attributes: uid,mail cas-service: cas-allow: (&(uid=naito)(datetime< ) (IP= /16)) URL cas-service cas-allow TRUE,, Dec , IS p. 32/60

33 CAS 2 Directory Service CAS-ACL (Access Control List) cn=www,ou=cas,o=nagoya-u cas-attributes: uid,mail cas-service: cas-allow: (&(uid=naito)(datetime< ) (IP= /16)) URL cas-service, cas-attributes Dec , IS p. 33/60

34 CAS 2 active-stand by Dec , IS p. 34/60

35 CAS 2 cas client module Java Servlet CasClient cas = new CasClient(CAS_SERVICE_URL, CAS_LOGIN_URL) ; if (!cas.casperform(request, response)) return ; Map r = cas.getresult() ; casperform ticket verify r Perl, PHP Dec , IS p. 35/60

36 CAS 2, CAS 2 CAS 2 BUG LDAP server index LDAP server Socekt tomcat CAS 2 LDAP socket Dec , IS p. 36/60

37 LDAP, CAS 2 LDAP CAS , WebCT, CAS 2., CAS DB, CAS CAS (2007) (2) (2) (4) LDAP, CAS 2, 25. Dec , IS p. 37/60

38 VPN radius, VPN LDAP server CAS 2 server Dec , IS p. 38/60

39 Dec , IS p. 39/60

40 IC (2008/04) (2007/11) (2008/04) PKI IdM (Identity Management) Dec , IS p. 40/60

41 PKI SSO PKI PKI SSO PKI SSO PKI PKI Dec , IS p. 41/60

42 PKI PKI (?) subscriber ID Dec , IS p. 42/60

43 CAS 2 CAS 2 PKI (X.509) Web Browser AuthN by X.509 Access granded Access granted Web Application with Security Level 2 Web Application with Security Level 1 Web Browser AuthN by PIN Access denied Access granted Web Application with Security Level 2 Web Application with Security Level 1 Dec , IS p. 43/60

44 CAS 2 CAS 2 PKI (X.509) Web Browser TGC with Level 2 ST 2. Redirection 1. Access with client certificate Web Application with Security Level 2 CAS Server PKI Web Browser TGC with Level 1 1. Access 2. Redirection to obtain client certification Web Application with Security Level 2 CAS Server Dec , IS p. 44/60

45 IdM, Role,... (Provision) (Properfate) (Use) (Maintain) (Deprovision) Dec , IS p. 45/60

46 IdM Dec , IS p. 46/60

47 IdM Establishing Identity + Provisioning,, Authentication Authorization Single Sign On Enterprise Directory, Federated Identity Dec , IS p. 47/60

48 IdM Dec , IS p. 48/60

49 LDAP search filter (uid=%s) ( (nagoyaunivid=%s)(zengakuid=%s)) CAS LDAP lookup filter, Dec , IS p. 49/60

50 (RA/TA), Dec , IS p. 50/60

51 IC Dec , IS p. 51/60

52 Dec , IS p. 52/60

53 ,, DB Dec , IS p. 53/60

54 IdM α Provisioning Dec , IS p. 54/60

55 Provisioning, Dec , IS p. 55/60

56 Windows CP932 Unicode Dec , IS p. 56/60

57 LDAP (encoding: UTF-8) CP932 Unicode ASCII ISO Unicode MacOSX, Windows Vista Dec , IS p. 57/60

58 Unicode Point 9089 glyph id = Unicode Point 909A glyph id = Dec , IS p. 58/60

59 IdM IdM IdM, Dec , IS p. 59/60

60 LDAP SSO CAS 2 PKI, IdM PKI SSO IdM Dec , IS p. 60/60

"CAS を利用した Single Sign On 環境の構築"

CAS を利用した Single Sign On 環境の構築 CAS 2 SSO Authorization 1,3, 2,3, 2, 2,3 1 2 3 Central Authentication and Authorization Service (CAS 2 ) Web Application Single Sign On Authorization CAS 2 SSO/AuthZ Jan. 30 2007, p. 1/40 Plan of Talk