Greetings, I have a large project that I hope someone could provide a little guidance on. My organization is, for simplicity's sake, very unstructured. But I need to be able to authenticate people to various resources. Although SSO using things like Shibboleth makes some sense, I'm not sure it will cover everything that I need it to do.

To illustrate:

- There is a $central campus that hosts several services such as Email, Web Based tools, and Administrative Systems.
- Some campuses only use our Administrative System and VPN. All other pieces are handled by them internally.
- Some campuses only use our Administrative System and VPN. All other pieces are handled by their own third party vendor when needed.
- Two (soon 3) campuses use our Email, Administrative System, VPN and they want to be included into more of our systems. However they have restrictions because they are partly maintained by their respective state government department. For example their network is maintained by govt.
- A new campus coming soon will eventually use all of our services, but for the foreseeable future will have split services between $central campus and external vendors.
- Some campuses do everything themselves.
- All campuses could potentially have a student using any of the $central systems depending on need.
- Naming schemes are different amongst all campuses.

The only unifying thing between all of the campuses is that the name on the front door is $COMPANY at $CAMPUS. At present there is no plan to fully integrate systems, business processes etc. Each campus is allowed to define how they want to do things. So there is a possibility that a campus may come to the $central campus and ask for everything to now be maintained by central, at any time.

My goal is to define some kind of Identity management that will allow us to maintain this mess, with as few quirks as possible. I want to be able to issue a person an ID no matter where they 'live' and have it usable despite their campus policy. Their credentials shouldn't change based on who maintains the auth server that month. I realize that I may not be able to handle absolutely everything, but I at least want to have an idea how to integrate existing campuses as I'm sure it's a matter of when not if.

We don't have Active Directory at $central, yet. We do have LDAP which has to be revamped anyway. I am not sure yet how our other campuses do their authentication and I really have no influence in respect to most of them. Most will not be able to maintain their own Directory, even if they were convinced that they needed one. And as with every project of this complexity, there is no budget for it.

The way that it has been handled in the past is just to give any external campus user a $central account. But we have naming conflicts, no way to verify if a person still exists automagically, and just general confusion about who is who. For example Joe Cool is really an employee at $campus[4], but he has a jcool @ $central[0] account so that he can access the admin system. Too bad there is also a Joe Cool that works at $campus[0] as well, with no relation to the other.

I'm currently looking at the slapd-meta option for OpenLDAP which seems like it will allow for some of this (not many examples out there). However if anyone has any ideas, suggestions or offers of Beer, I'm all ears.

Thanks,
Damion

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
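One way the slapd-meta idea mentioned in the post can be laid out, as an added example that is not part of the original message or of the OpenLDAP project's documentation: each campus directory is proxied under its own branch of one virtual suffix, so a uid=jcool at $campus[0] and a uid=jcool at $campus[4] end up with distinct DNs instead of fighting over one $central account. The hostnames, the dc=virtual,dc=example,dc=edu tree and the per-campus real naming contexts are placeholders chosen for the example.

```conf
# Added example (not from the original post): slapd.conf fragment for the
# OpenLDAP "meta" backend.  Hostnames and naming contexts are placeholders.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

# Only needed when slapd was built with dynamic backends; path is distro-specific.
moduleload      back_meta.la

# One virtual tree presented to $central applications.  Nothing is stored
# here; every branch is forwarded to the campus directory that owns it.
database        meta
suffix          "dc=virtual,dc=example,dc=edu"

# $central's own directory, kept under its own branch so that
# uid=jcool,ou=people,ou=campus0,dc=virtual,... and the campus4 jcool below
# can never collide.
uri             "ldap://ldap.central.example.edu/ou=campus0,dc=virtual,dc=example,dc=edu"
suffixmassage   "ou=campus0,dc=virtual,dc=example,dc=edu" "dc=central,dc=example,dc=edu"

# A campus that runs its own directory with an unrelated naming scheme.
# suffixmassage rewrites DNs in both directions, so clients only ever see
# the virtual names and the campus keeps its own layout untouched.
uri             "ldap://ldap.campus4.example.edu/ou=campus4,dc=virtual,dc=example,dc=edu"
suffixmassage   "ou=campus4,dc=virtual,dc=example,dc=edu" "o=campus4,c=us"

# A user's bind is forwarded to the target whose branch contains the bind DN,
# so each campus still verifies its own passwords and enforces its own ACLs;
# $central never has to hold or sync their credentials.
```

With this layout an application at $central points at the one proxy and searches the virtual suffix; "is this person still around" becomes a question the owning campus answers (their entry disappears from their branch when they remove it), which is the automatic existence check the post says is missing today. The trade-off to weigh is that the proxy is only as available as the slowest campus directory behind it, so timeouts on each target deserve attention before anything production-critical depends on the virtual tree.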
