Dec 08 2007, IS p. 1/60

Plan of Talk: LDAP; CAS; IdM.

Terms used in this talk: Authentication (checking an ID), Directory Service, Authorization.

Authentication versus Authentication + Directory Service. Example: UNIX login. Authentication is UserID + Password. The directory service then supplies, for that UserID, the UidNumber, GidNumber and Home Directory.

Components: UNIX login, LDAP Directory Server, CAS, Radius (both CAS and Radius look users up in LDAP).

Directory: Sun Microsystems Directory Server (LDAP); IdM.

Background (1): WebCT, IP.

LDAP = Lightweight Directory Access Protocol. Runs on Unix-like systems (including MacOSX). Implementations: OpenLDAP, Apache Directory Project, Sun Microsystems Directory Server (20 ).

Example LDAP entry (attribute values omitted):

    dn: nagoyaunivid=,ou=user,o=nagoya-u
    nagidno:
    NagoyaUnivID:
    ZengakuID:
    fullname;lang-ja;phonetic:
    fullname;lang-en:
    fullname::
    adepartmentnumber:
    section;lang-ja:

The double colon after fullname is LDIF notation for a base64-encoded value, which is how a non-ASCII (Japanese) name has to be written in an LDIF file.

LDAP authentication (search, then bind):

1. The user presents an ID and a password.
2. Bind as the bind user and search for the user's entry:

    ldapsearch -h ldaphost -D BIND-USER-DN \
        -b search-base '(nagoyaunivid=userid)'

3. Bind as the DN found in step 2, using the user's password:

    ldapsearch -h ldaphost -D USER-DN \
        -b search-base -w password '(nagoyaunivid=userid)'

4. If the BIND in step 3 succeeds, the user is authenticated.

(-w puts the password on the command line, where other local users can see it in the process list; outside a test use -W to be prompted, or -y to read it from a file.)

Uniqueness. The LDAP search filter must resolve the user ID to exactly one entry. Where several identifiers are accepted the filter is an OR, for example (|(nagoyaunivid=userid)(zengakuid=userid)) or (|(nagoyaunivid=userid)(mail=userid)); the attributes combined in the search filter must therefore never share a value between two users.

LDAP access control (ACL): what the bind user is allowed to read is restricted by the server's ACL (Sun Directory Server ACL; OpenLDAP has its own mechanism).

DIT for UNIX/MacOSX login: the LDAP entries carry uidnumber, gidnumber, homedirectory and loginshell; these live in their own DIT subtrees rather than in the main user DIT.

Per-system DIT: under ou=system-n,o=otherhosts each entry holds uidnumber, gidnumber, homedirectory, loginshell and userpassword, with parentdn pointing back to the entry in the main DIT; the userpassword is stored in this subtree.

UNIX login via LDAP: on UNIX (Linux/BSD), pam-ldap and nss-ldap (?); MacOSX Directory Service speaks LDAPv3 and maps uid and cn; Windows uses LDAP through Active Directory...

MacOSX Server and LDAP: the user naito@math.nagoya-u.ac.jp with short name naito-math is represented as cn: naito-math, naito@math.nagoya-u.ac.jp and uid: naito-math.

LDAP connection handling: close the socket after each LDAP search (socket close).

CAS 2. CAS = Central Authentication Service, a Single Sign On system from Yale University, now maintained by JA-SIG. CAS 2 = Central Authentication and Authorization Service: CAS extended with Authorization.

CAS Single Sign On: login over SSL; authentication against LDAP (search as the BIND USER, then bind as the user); the LDAP connection is closed afterwards.

CAS 2 flow (1): login window.
1. The Web Browser accesses the Web Application (https://app.foo/).
2a. The Web Application redirects the browser to the CAS Server; 2b. the CAS Server presents the Login Window.
3a. The user inputs User ID/Password; 3b. the CAS Server authenticates against the LDAP Server; 3c. result.
4. The CAS Server sets the TGC (a cookie) and redirects the browser back to the Web Application with an ST (a one-time ticket).

CAS 2 flow (2): ticket validation.
5a. The Web Application sends the ST to the CAS Server; 5b. the CAS Server verifies the one-time ticket and returns the validation result.
6. The Web Application responds to the Web Browser.

CAS 2 flow (3): authorization.
A browser that already holds a TGC accesses a Web Application:
1a. The CAS Server checks the request against the CAS-ACL (authorization); 1b. result.
2. If allowed, redirection back to the Web Application with a fresh one-time ST; if not, the browser is redirected to an Access Denied page.
Invalid ST: 1. access with the TGC; 2. the Web Application sends the ST to the CAS Server; 3a/3b. authorization against the CAS-ACL; 4. the CAS Server reports the ST as invalid; 5. redirection.

CAS 2 implementation: the LDAP Server is reached over SSL; the CAS 2 server is a Java Servlet; the protocol relies on HTTP redirection and a cookie, with a JavaScript redirect where needed.

CAS 2 as a Directory Service: the CAS-ACL (Access Control List). Example entry:

    cn=www,ou=cas,o=nagoya-u
    cas-attributes: uid,mail
    cas-service: https://www\.nagoya\-u\.ac\.jp/.*
    cas-allow: (&(uid=naito)(datetime<200801010000)(IP=133.6.0.0/16))

The URL of the requesting service is matched against cas-service (a regular expression); access is granted when cas-allow evaluates to TRUE (conditions on user attributes, date/time and client IP); cas-attributes lists the attributes released to that service with the validation result.

CAS 2 availability: active-standby configuration.

CAS 2 client module (Java Servlet):

    CasClient cas = new CasClient(CAS_SERVICE_URL, CAS_LOGIN_URL);
    if (!cas.casperform(request, response)) return;
    Map r = cas.getresult();

casperform performs the ticket verification (redirecting to the login window when needed); r holds the returned attributes. Client modules also exist for Perl and PHP.
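The exchange on the CAS 2 slides above (TGC cookie, one-time ST, validation by the application, CAS-ACL check with cas-service and cas-allow, and the casperform/getresult client call) simulated in one process, as an added example; it is not code from the talk or from CAS 2 itself. The demo user and password, the service URL and the Python predicate standing in for the cas-allow filter are assumptions; the ACL entry is the one shown on the slide.

```python
import hmac
import ipaddress
import re
import secrets

# Constructed demo user table standing in for the LDAP server
# (the real CAS 2 server binds to LDAP; here: userid -> (password, attributes)).
DEMO_USERS = {
    "naito": ("demo-password", {"uid": ["naito"], "mail": ["naito@math.nagoya-u.ac.jp"]}),
}


def ldap_authenticate(userid, password):
    """Stand-in for the LDAP bind (step 3b): attributes on success, None otherwise."""
    rec = DEMO_USERS.get(userid)
    if rec is None or not hmac.compare_digest(rec[0], password):
        return None
    return rec[1]


class AclEntry:
    """One CAS-ACL entry: cas-service regex, cas-allow predicate, cas-attributes."""

    def __init__(self, service_regex, allow, attributes):
        self.service = re.compile(service_regex)
        self.allow = allow            # (attrs, client_ip, now) -> bool
        self.attributes = attributes  # attribute names released to the service


def allow_www(attrs, client_ip, now):
    # (&(uid=naito)(datetime<200801010000)(IP=133.6.0.0/16)) written as Python
    # (assumed translation of the slide's filter). 'now' is a YYYYMMDDhhmm string,
    # so plain string comparison matches the slide's datetime format.
    return ("naito" in attrs.get("uid", [])
            and now < "200801010000"
            and ipaddress.ip_address(client_ip) in ipaddress.ip_network("133.6.0.0/16"))


ACL = [AclEntry(r"https://www\.nagoya\-u\.ac\.jp/.*", allow_www, ("uid", "mail"))]


class CasServer:
    def __init__(self, acl, authenticate):
        self.acl = acl
        self.authenticate = authenticate
        self.tgcs = {}   # TGC cookie value -> user attributes (the SSO session)
        self.sts = {}    # ST value -> (tgc, service); removed on first validation

    def login(self, userid, password):
        """Steps 3a-3c: the login window. Returns the TGC cookie value or None."""
        attrs = self.authenticate(userid, password)
        if attrs is None:
            return None
        tgc = "TGC-" + secrets.token_urlsafe(24)
        self.tgcs[tgc] = attrs
        return tgc

    def acl_entry(self, service):
        # fullmatch, not search: the whole service URL has to fit cas-service
        return next((e for e in self.acl if e.service.fullmatch(service)), None)

    def issue_st(self, tgc, service, client_ip, now):
        """Steps 1a/1b and 2: authorize via the CAS-ACL, then mint a one-time ST bound to the service."""
        attrs = self.tgcs.get(tgc)
        if attrs is None:
            return None          # no SSO session: the browser is sent to the login window
        entry = self.acl_entry(service)
        if entry is None or not entry.allow(attrs, client_ip, now):
            return "DENIED"      # redirect to the Access Denied page
        st = "ST-" + secrets.token_urlsafe(24)
        self.sts[st] = (tgc, service)
        return st

    def validate(self, st, service):
        """Steps 5a/5b: the application presents the ST; valid once, and only for the bound service."""
        rec = self.sts.pop(st, None)          # single use: a replayed ST no longer exists
        if rec is None or rec[1] != service:  # a ticket issued for another service is rejected
            return None
        attrs = self.tgcs[rec[0]]
        released = self.acl_entry(service).attributes
        return {name: attrs.get(name) for name in released}


def access(server, service, tgc, client_ip, now):
    """The whole round trip the CasClient hides behind casperform()/getresult()."""
    st = server.issue_st(tgc, service, client_ip, now)
    if st is None:
        return "LOGIN_REQUIRED"
    if st == "DENIED":
        return "ACCESS_DENIED"
    return server.validate(st, service)
```

The two checks worth copying into any ticket-based SSO: the ST is deleted on its first validation, so a replayed ticket fails, and it is bound to the exact service URL it was issued for, so a ticket leaked from one application cannot be validated by another.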

Problems met while operating CAS 2: a bug in CAS 2; missing indexes on the LDAP server; LDAP server sockets (tomcat/CAS 2 leaving LDAP sockets open).

History of LDAP and CAS 2 deployments (figures as on the slide; the column headings are not recoverable):
2003: 5, 5 (WebCT)
2004: 4, 4, 8 (CAS 2)
2005: 3, 4, 7 (DB, CAS 2)
2006: 3, 3, 6 (CAS 2)
Total as of 2007: 15, 11, 26; plus (2), (2), (4)
LDAP and CAS 2 combined: 25.

VPN: the VPN authenticates through Radius, which in turn uses the LDAP server; the CAS 2 server uses the same LDAP server.

Roadmap: IC card (2008/04); (2007/11); (2008/04); PKI; IdM (Identity Management).

PKI and SSO.

PKI: subscriber ID (?).

CAS 2 with PKI (X.509): a Web Browser authenticated by an X.509 client certificate is granted access to both the Web Application with Security Level 2 and the Web Application with Security Level 1. A Web Browser authenticated by PIN only is denied access to the Security Level 2 application and granted access to the Security Level 1 application.

CAS 2 with PKI (X.509), flow: 1. the browser accesses with a client certificate and receives a TGC with Level 2; 2. redirection with an ST to the Web Application with Security Level 2. Without a certificate: 1. the browser accesses and holds only a TGC with Level 1; 2. the CAS Server redirects it to obtain a client certificate before it can reach the Security Level 2 application.

IdM: identities, roles, ... through their lifecycle: Provision, Propagate, Use, Maintain, Deprovision.

IdM components: Establishing Identity + Provisioning; Authentication; Authorization; Single Sign On; Enterprise Directory; Federated Identity.

Which identifier to authenticate with: the LDAP search filter may be (uid=%s) or (|(nagoyaunivid=%s)(zengakuid=%s)); the CAS LDAP lookup filter must resolve a user ID to exactly one entry. The value substituted for %s has to be filter-escaped (RFC 4515) first, otherwise characters such as * and ) in the submitted ID rewrite the filter.
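An added example, not code from the talk, covering both the search-then-bind procedure from the LDAP authentication slides and the %s lookup filter above: it escapes the user-supplied ID per RFC 4515, evaluates the filter against a constructed in-memory directory (a small evaluator for equality, &, | and the * wildcard stands in for the LDAP server), refuses anything but exactly one match, and only then checks the password as the BIND would. The directory entries, passwords and the clashing identifier are all constructed for the example.

```python
import hmac
import re

# Constructed sample directory standing in for the LDAP server: dn -> attributes
# (names lower-cased, values as lists). Entry 3's zengakuid equals entry 1's
# nagoyaunivid: the uniqueness failure the slides warn about.
DIRECTORY = {
    "nagoyaunivid=1234567890,ou=user,o=nagoya-u": {
        "nagoyaunivid": ["1234567890"], "zengakuid": ["a11111"],
        "uid": ["naito"], "userpassword": ["demo-pass-1"]},
    "nagoyaunivid=2345678901,ou=user,o=nagoya-u": {
        "nagoyaunivid": ["2345678901"], "zengakuid": ["b22222"],
        "uid": ["tanaka"], "userpassword": ["demo-pass-2"]},
    "nagoyaunivid=3456789012,ou=user,o=nagoya-u": {
        "nagoyaunivid": ["3456789012"], "zengakuid": ["1234567890"],
        "uid": ["sato"], "userpassword": ["demo-pass-3"]},
}

LOOKUP_TEMPLATE = "(|(nagoyaunivid=%s)(zengakuid=%s))"   # the slide's lookup filter


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a filter: \\ * ( ) NUL become \\xx."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_lookup_filter(userid, escape=True):
    return LOOKUP_TEMPLATE.replace("%s", escape_filter_value(userid) if escape else userid)


def _parse(s, i):
    """Parse the '(...)' at s[i] into ('&'|'|', [children]) or ('=', attr, value)."""
    if s[i] != "(":
        raise ValueError("expected '('")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')'")
        return (op, kids), i + 1
    j = s.index("=", i)
    k = s.index(")", j)           # an escaped ')' is written \29, so this is the real end
    return ("=", s[i:j].lower(), s[j + 1:k]), k + 1


def _value_regex(v):
    """Assertion value to regex: '*' is a wildcard, '\\xx' a literal character."""
    parts, i = [], 0
    while i < len(v):
        if v[i] == "\\":
            parts.append(re.escape(chr(int(v[i + 1:i + 3], 16))))
            i += 3
        elif v[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(v[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)   # caseIgnoreMatch assumed


def _match(node, attrs):
    if node[0] == "&":
        return all(_match(k, attrs) for k in node[1])
    if node[0] == "|":
        return any(_match(k, attrs) for k in node[1])
    rx = _value_regex(node[2])
    return any(rx.fullmatch(v) for v in attrs.get(node[1], []))


def ldap_search(directory, filt):
    """DNs matching filt (equality, '&', '|' and '*' only), or ValueError if malformed."""
    try:
        node, end = _parse(filt, 0)
    except (IndexError, ValueError) as exc:
        raise ValueError("malformed filter: %s" % filt) from exc
    if end != len(filt):
        raise ValueError("trailing data in filter: %s" % filt)
    return [dn for dn, attrs in directory.items() if _match(node, attrs)]


def search_then_bind(directory, userid, password):
    """Steps 2-4: search as the bind user, require a unique hit, then bind as that DN."""
    hits = ldap_search(directory, build_lookup_filter(userid))
    if len(hits) != 1:            # zero or several entries: refuse, never take the first
        return None
    dn = hits[0]
    stored = directory[dn]["userpassword"][0]   # the real server compares inside BIND
    return dn if hmac.compare_digest(stored, password) else None
```

With escaping off, the ID x)(uid=* turns the lookup into (|(nagoyaunivid=x)(uid=*)(zengakuid=x)(uid=*)) and matches every entry; with escaping on it matches none. The uniqueness check turns the clash between entry 1's nagoyaunivid and entry 3's zengakuid into a refusal rather than a login as whichever entry the server returned first.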

(RA/TA)

IC card.

Population figures: 44000, 37000, 11000, 6000.

DB.

IdM (alpha): Provisioning.

Provisioning.

Windows: CP932 versus Unicode.

LDAP stores values in UTF-8; Windows clients supply CP932, which must be converted to Unicode; ASCII, ISO-8859-15 and Unicode on the other platforms; MacOSX and Windows Vista.

Unicode code point U+9089: glyph id = 14243. Unicode code point U+909A: glyph id = 14237.
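An added example, not from the talk, of the CP932-versus-Unicode problem using a case that Python's codecs reproduce: the Shift_JIS cell 0x8160 (wave dash), which Microsoft's CP932 table decodes as U+FF5E FULLWIDTH TILDE and the JIS mapping used elsewhere as U+301C WAVE DASH. Two clients sending the same bytes therefore produce two different UTF-8 values for the directory, and the JIS form cannot be encoded back to CP932 at all. The sample bytes and the fold table are constructed for the example; the slide's own case (U+9089 and U+909A) concerns variant glyphs of a name rather than this mapping.

```python
import unicodedata

# Constructed sample: "A", the JIS X 0208 wave-dash cell 0x8160, "B".
SAMPLE = b"A\x81\x60B"

# Code points that CP932 assigns to cells the JIS mapping decodes differently.
# Assumption: these three well-known pairs suffice here; extend for the others.
CP932_FOLD = {
    "\uff5e": "\u301c",   # FULLWIDTH TILDE (CP932 0x8160)  -> WAVE DASH
    "\u2225": "\u2016",   # PARALLEL TO (CP932 0x8161)      -> DOUBLE VERTICAL LINE
    "\uff0d": "\u2212",   # FULLWIDTH HYPHEN-MINUS (0x817c) -> MINUS SIGN
}


def decode_name(raw, codec):
    """What the client platform makes of the bytes: 'cp932' on Windows, 'shift_jis' for JIS."""
    return raw.decode(codec)


def to_ldap_value(name):
    """Fold CP932-only code points to the JIS ones and NFC-normalize before storing as UTF-8,
    so the same name entered on either platform yields one searchable value."""
    folded = "".join(CP932_FOLD.get(c, c) for c in name)
    return unicodedata.normalize("NFC", folded).encode("utf-8")


def can_round_trip(name, codec):
    """False when the text cannot be sent back to a client using that codec."""
    try:
        return name.encode(codec).decode(codec) == name
    except UnicodeError:
        return False
```

Folding is applied both when writing the entry and when building a search value from user input; otherwise a lookup from a Windows client misses an entry created from a Mac and vice versa.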

Summary: LDAP; SSO with CAS 2; PKI; IdM. Next steps: PKI, SSO and IdM together.