BeoLink.org

AFS Workshop October 2008

AFS Identity Management

Fabrizio Manfredi Furuholmen

BeoLink.org

  Introduction   AFS Manager

  Introduction   Features   Demo   Next Steps

  PtServer-NG   Introduction   Architecture   Demo   Open Points

Agenda

BeoLink.org

Centrally administration “means” security and time/resource savings

PtServer

Introduction

BeoLink.org

Accounts Centralization • Enterprise Directory • Change Application • High Availability

Centralized Provisioning • Connectors for applications • Product • Identity Management

PtServer

Introduction

BeoLink.org

Distributed • You don’t need change apps • Low problem on HA • IDM with RBAC

Centralized • Real-time • Consistency View • Reuse existing Architecture

PtServer

Introduction

BeoLink.org

AFS Manager

• Graphical User Interface • Provisioning Interface ( multi mode) • Administration Task

PtServer NG

• Active Directory Integration • Directory Integration

PtServer

Introduction

BeoLink.org

AFS Manager

BeoLink.org AFS Manager

Goals

GUI • Interface for Windows Administrators • Simple to use • Complete overview of the Cell • Standard object for php scripting (CLI)

Monitoring • Volume Access Monitoring • Volume Space Usage • System Statistics

WebService Interface • Provisioning Interface for Volume, User, Group • Automatic volume layout • Re-Balance (replications, move volumes ..)

BeoLink.org

Demo …

AFS Manager

Demo

BeoLink.org AFS Manager

Architecture

Client • AJAX • Acrobat

APACHE + PHP • XML • JSON • PHP >= 5 • SQL Lite

AFS • Adm Command Line

BeoLink.org AFS Manager

Next

• Java backend ? • PHP Library • Object Cache

Code

• Automatic volume layout • Re-Balance (replications, move volumes ..)

WebService Interface

BeoLink.org

End of part 1

BeoLink.org

Ptserver NG

BeoLink.org

• Ptserver contains entries for every user and group in the cell • Ptserver allocates AFS IDs for new user, machine and group

entries and maps each ID to the corresponding name. • Ptserver generates a current protection subgroup (CPS) at the

File Server's request. The CPS lists all groups to which a user or machine belongs

Ptserver keeps user/group information

• Ubik is a single linear database • Ubik is automatically replicated across a number of servers. • Ubik is a ‘transactional’ database (supports fully distributed

changes as long as a majority of the servers are up and are synchronized together in a write quorum)

Ubik is the openAFS database

PtServer

Overview

BeoLink.org

Create Pluggable user storage • Ubik • Ldap • Windows

Create flexible user mapping • Mapping user id on existing system • Mapping group id on existing system

PtServer

Goals

BeoLink.org PtServer

Winbind

Winbind unifies UNIX and Windows NT account management by allowing a UNIX box to become a full member of an NT domain

Authentication • NTLM • ADS (Kerberos)

Users Information • Account info • ID mapping

Groups Information • Group info • ID Mapping

BeoLink.org PtServer

Architecture

Ptserver • Network Layer • AD Driver

Windbind • Cache • IDMAP Engine

IDMAP Storage • Ldap • ADS • File

Domain Controller • Samba • WinNT/Win2*

BeoLink.org

Demo … high probability of crash ..

Overview

Demo

BeoLink.org

• Single identity (single storage) • id mapping • gid mapping • Real time update • Pluggable in existing infrastructure

Advantages

• Reliability • Performance

Disvantages

PtServer

BeoLink.org

Licences • Load GPL 3 library, compatibility ?

Performance • How many request per second ?

Where to Store .. • Flags • Quota Group

PtServer

Open points ..

BeoLink.org

The End

Too Long

• For Further Questions:

• Fabrizio Manfredi • fabrizio.manfredi@gmail.com manfred.furuholmen@gmail.com

• http://www.beolink.org

Reference

BeoLink.org AD as IDM

IdMapping

IDMAP SID<->UID/GID

• LDAP • Internal (TDB) • ADS (SFU/RFC)