BeoLink.org
AFS Workshop, October 2008
AFS Identity Management
Fabrizio Manfredi Furuholmen
Agenda
• Introduction
• AFS Manager: Introduction, Features, Demo, Next Steps
• PtServer-NG: Introduction, Architecture, Demo, Open Points
PtServer: Introduction
Centralized administration “means” security and time/resource savings.
PtServer: Introduction
Accounts Centralization
• Enterprise Directory
• Change Application
• High Availability
Centralized Provisioning
• Connectors for applications
• Product
• Identity Management
PtServer: Introduction
Distributed
• You don’t need to change apps
• Fewer problems with HA
• IDM with RBAC
Centralized
• Real-time
• Consistent view
• Reuse existing architecture
PtServer: Introduction
AFS Manager
• Graphical User Interface
• Provisioning Interface (multi mode)
• Administration Tasks
PtServer NG
• Active Directory Integration
• Directory Integration
AFS Manager
AFS Manager: Goals
GUI
• Interface for Windows administrators
• Simple to use
• Complete overview of the cell
• Standard objects for PHP scripting (CLI)
Monitoring
• Volume access monitoring
• Volume space usage
• System statistics
WebService Interface
• Provisioning interface for volumes, users and groups
• Automatic volume layout
• Re-balance (replications, move volumes, ...)
AFS Manager: Demo
Demo …
AFS Manager: Architecture
Client
• AJAX
• Acrobat
Apache + PHP
• XML
• JSON
• PHP >= 5
• SQLite
AFS
• Adm command line
AFS Manager: Next
Code
• Java backend?
• PHP library
• Object cache
WebService Interface
• Automatic volume layout
• Re-balance (replications, move volumes, ...)
End of part 1
Ptserver NG
PtServer: Overview
Ptserver keeps user/group information
• Ptserver contains entries for every user and group in the cell
• Ptserver allocates AFS IDs for new user, machine and group entries and maps each ID to the corresponding name
• Ptserver generates a current protection subgroup (CPS) at the File Server's request. The CPS lists all groups to which a user or machine belongs
Ubik is the OpenAFS database
• Ubik is a single linear database
• Ubik is automatically replicated across a number of servers
• Ubik is a ‘transactional’ database (supports fully distributed changes as long as a majority of the servers are up and synchronized together in a write quorum)
PtServer: Goals
Create pluggable user storage
• Ubik
• LDAP
• Windows
Create flexible user mapping
• Map user IDs onto the existing system
• Map group IDs onto the existing system
PtServer: Winbind
Winbind unifies UNIX and Windows NT account management by allowing a UNIX box to become a full member of an NT domain
Authentication
• NTLM
• ADS (Kerberos)
Users Information
• Account info
• ID mapping
Groups Information
• Group info
• ID mapping
PtServer: Architecture
Ptserver
• Network Layer
• AD Driver
Winbind
• Cache
• IDMAP Engine
IDMAP Storage
• LDAP
• ADS
• File
Domain Controller
• Samba
• WinNT/Win2*
Overview: Demo
Demo … high probability of crash ..
PtServer
Advantages
• Single identity (single storage)
• id mapping
• gid mapping
• Real-time update
• Pluggable into existing infrastructure
Disadvantages
• Reliability
• Performance
PtServer: Open points ..
Licences
• Loading a GPL 3 library, compatibility?
Performance
• How many requests per second?
Where to store ..
• Flags
• Quota Group
The End
Too Long
For further questions:
• Fabrizio Manfredi
• [email protected], [email protected]
• http://www.beolink.org
Reference
AD as IDM: IdMapping
IDMAP SID<->UID/GID
• LDAP
• Internal (TDB)
• ADS (SFU/RFC)
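Worked example of the SID<->UID/GID mapping this slide lists, added here and not code from the PtServer-NG or Samba projects: a deterministic, range-bounded mapping in the style of Samba's idmap_rid backend, where the domain SID, the reserved id range and the RIDs are constructed sample values.

```python
from __future__ import annotations
import re

# Any SID: "S-1-<authority>-<subauth>[-<subauth>...]"
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


class RidIdmap:
    """Deterministic SID <-> UNIX id mapping for one domain, idmap_rid style.

    Hypothetical example: uid/gid = low + (RID - base_rid). A result outside
    the [low, high] range reserved for the domain is rejected, so mapped
    Windows principals can never collide with local UNIX accounts.
    """

    def __init__(self, domain_sid: str, low: int, high: int, base_rid: int = 0):
        if not SID_RE.match(domain_sid):
            raise ValueError(f"malformed domain SID: {domain_sid}")
        if low <= 0 or high < low:
            raise ValueError("id range must be positive with low <= high")
        self.domain_sid, self.low, self.high, self.base_rid = domain_sid, low, high, base_rid

    @staticmethod
    def split_sid(sid: str) -> tuple[str, int]:
        """Return (domain SID, RID); the RID is the last sub-authority."""
        if not SID_RE.match(sid):
            raise ValueError(f"malformed SID: {sid}")
        domain, _, rid = sid.rpartition("-")
        return domain, int(rid)

    def sid_to_id(self, sid: str) -> int:
        domain, rid = self.split_sid(sid)
        if domain != self.domain_sid:
            raise LookupError(f"{sid} does not belong to domain {self.domain_sid}")
        unix_id = self.low + (rid - self.base_rid)
        if not self.low <= unix_id <= self.high:
            raise LookupError(f"RID {rid} maps outside reserved range {self.low}-{self.high}")
        return unix_id

    def id_to_sid(self, unix_id: int) -> str:
        if not self.low <= unix_id <= self.high:
            raise LookupError(f"id {unix_id} is outside range {self.low}-{self.high}")
        return f"{self.domain_sid}-{unix_id - self.low + self.base_rid}"


# Constructed sample domain with UNIX ids 100000-199999 reserved for it.
IDMAP = RidIdmap("S-1-5-21-1111-2222-3333", low=100000, high=199999)


def demo() -> dict[str, int | str]:
    """Map a constructed user (RID 1106) and group (RID 513), then back."""
    return {
        "uid": IDMAP.sid_to_id("S-1-5-21-1111-2222-3333-1106"),
        "gid": IDMAP.sid_to_id("S-1-5-21-1111-2222-3333-513"),
        "sid": IDMAP.id_to_sid(101106),
    }
```

A foreign-domain SID, a malformed SID, or a RID that lands outside the reserved range is refused rather than silently mapped, which is the check a ptserver-side mapper needs before handing a UID/GID to the file server.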