Max Planck Institute (MPI) for Human Cognitive and Brain Sciences


User

Max Planck Institute (MPI) for Human Cognitive and Brain Sciences. 600 user accounts at 3 sites. Around 200 of the roughly 1,000 hosts are Windows laptops or PCs; the rest of the devices are predominantly Linux workstations.

Requirements

  • Replacement of the self-designed LDAP and Samba 3 setup
  • Central user management of Windows and Linux clients
  • Migration in continuous operation
  • Open Source solution
  • App Center for future expansions

Solution

Univention Corporate Server (UCS) with integrated LDAP server and Samba 4 for the establishment of a central user management system.

Summary

Markus Then, charged with the migration of the user management from the self-designed LDAP to UCS at the Max Planck Institute, drew the following conclusion when looking back at the project: “UCS’ convenient web interface and the central user management of Windows and Linux clients above all are two aspects which are now considerably simpler in continuous operation. The upgrade path supported by UCS and the Univention support staff, who were available for assistance every step of the way, were particularly helpful during the project. Updates in the future will also be considerably simpler. One thing we would still appreciate would be the option of simpler input possibilities for new host objects with multiple interfaces in various VLANs.”


About the Max Planck Institute (MPI) for Human Cognitive and Brain Sciences

Research at the Max Planck Institute for Human Cognitive and Brain Sciences revolves around human cognitive abilities and cerebral processes. Among other focuses, this includes higher level brain functions such as language, emotions, and social behavior as well as plastic changes in the human brain.

IT at the MPI

The six members of the institute’s IT department ensure that the 600 user accounts at the institute’s three sites function as smoothly as possible at all times. Around 200 of the roughly 1,000 hosts in total are Windows laptops or PCs, and the rest of the devices are predominantly Linux workstations.

Open Source and Open LDAP Defined as Requirements

Prior to the update, the institute employed a self-designed OpenLDAP and Samba 3, Citrix as a central Windows service, and Kerberos as a single sign-on solution. A new Active Directory was also required for newer Windows versions and terminal servers, so at the end of 2016 the IT administrators decided to migrate the institute’s user management to Univention Corporate Server. After some research, they had identified UCS as the only technically mature product that uses LDAP as the leading system and can provide central user management for both Windows and Linux systems. Other decisive factors were that UCS is 100% Open Source, offers an easy-to-use web interface, and has its own App Center with expansions for UCS and third-party solutions alike.

Changeover in Continuous Operation Achieved with Cross-Realm Trust

Another requirement of UCS was that the migration be possible in continuous operation and without any substantial downtime. An abrupt cut-over seemed too risky to the IT team, while a full simulation would have demanded too much effort without achieving the desired result. For this reason, the decision was taken to migrate in continuous operation with a cross-realm trust.

Technical Details – Commands udm and ldapmodify for Seamless Synchronization

First, UCS was set up in parallel to the existing systems. During the transition phase, all users and groups were synchronized from the old LDAP into the UCS LDAP every 5 minutes in productive operation, using the udm command for the objects themselves and ldapmodify for attributes such as the password hash. The valid Kerberos keys were also synchronized into UCS’ dedicated Heimdal KDC.

During the regular synchronization, the IT team identified additional factors which were subsequently built into the synchronization script. For example, the UIDs and GIDs in UCS and in the old LDAP had to be allocated from different value ranges so as to avoid collisions during the regular synchronization. When setting the RID, it was also important to set the UCR variable that causes the RID to be synchronized into Samba as well; otherwise the RID set by the script would be overwritten by the one allocated by Samba.
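The following is an added illustration of the synchronization approach described in this section, not the institute’s own script: a dry-run planner that reads an export of the old LDAP, creates each user with a udm command, carries the password hash over in an LDIF for ldapmodify, copies the RID from the legacy sambaSID, and refuses entries whose UID or GID falls outside the assumed legacy range (the collision guard). The ID ranges, DNs, group mapping and the two sample entries are constructed assumptions; udm property names such as uidNumber, primaryGroup, unixhome and sambaRID are taken from UDM’s users/user module as the author understands it, and the UCR variable the case study mentions for RID synchronization is not named on the page and is therefore not reproduced.

```python
"""Dry-run planner for a legacy-OpenLDAP -> UCS user sync (added example, not MPI's script)."""
import shlex

# Assumed, disjoint ID ranges (illustrative values, not from the case study).
LEGACY_RANGE = range(1000, 60000)        # IDs owned by the old LDAP, copied 1:1 into UCS
UCS_AUTO_RANGE = range(100000, 200000)   # IDs UCS hands out itself for new objects

LDAP_BASE = "dc=example,dc=org"          # assumed UCS LDAP base
USER_CONTAINER = f"cn=users,{LDAP_BASE}"
# Assumed mapping legacy gidNumber -> UCS group DN (udm's primaryGroup takes a DN).
GROUP_DN_BY_GID = {2000: f"cn=staff,cn=groups,{LDAP_BASE}"}

# Constructed export of the old LDAP. The second entry deliberately carries a
# uidNumber inside the UCS auto-allocation range so the collision guard fires.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=old,dc=example,dc=org
uid: jdoe
sn: Doe
uidNumber: 2001
gidNumber: 2000
homeDirectory: /home/jdoe
sambaSID: S-1-5-21-111-222-333-1107
userPassword: {CRYPT}$6$constructedsalt$constructedhash

dn: uid=bob,ou=people,dc=old,dc=example,dc=org
uid: bob
sn: Builder
uidNumber: 150000
gidNumber: 2000
homeDirectory: /home/bob
sambaSID: S-1-5-21-111-222-333-1108
userPassword: {CRYPT}$6$constructedsalt$otherhash
"""


def parse_ldif(text):
    """Minimal LDIF reader for single-valued attributes (no base64, no line folding)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        entries.append(current)
    return entries


def id_problems(entry):
    """Collision guard: legacy IDs must lie in LEGACY_RANGE and never in UCS_AUTO_RANGE."""
    problems = []
    for attr in ("uidNumber", "gidNumber"):
        value = int(entry[attr])
        if value not in LEGACY_RANGE or value in UCS_AUTO_RANGE:
            problems.append(f"{attr}={value} is outside the legacy range")
    return problems


def udm_create_argv(entry):
    """udm call creating the user; the RID is copied from the last component of sambaSID.
    udm requires a password on create, so a throwaway value is set and replaced
    by the legacy hash afterwards via ldapmodify (see password_hash_ldif)."""
    rid = entry["sambaSID"].rsplit("-", 1)[1]
    return [
        "udm", "users/user", "create", "--position", USER_CONTAINER,
        "--set", f"username={entry['uid']}",
        "--set", f"lastname={entry['sn']}",
        "--set", f"uidNumber={entry['uidNumber']}",
        "--set", f"primaryGroup={GROUP_DN_BY_GID[int(entry['gidNumber'])]}",
        "--set", f"unixhome={entry['homeDirectory']}",
        "--set", f"sambaRID={rid}",
        "--set", "password=THROWAWAY-replaced-by-ldapmodify",
    ]


def password_hash_ldif(entry):
    """LDIF stanza for ldapmodify that replaces userPassword with the legacy hash as-is."""
    dn = f"uid={entry['uid']},{USER_CONTAINER}"
    return f"dn: {dn}\nchangetype: modify\nreplace: userPassword\nuserPassword: {entry['userPassword']}\n\n"


def plan_sync(ldif_text):
    """Return (udm shell commands, LDIF for ldapmodify, skipped entries) without executing anything."""
    commands, ldif, skipped = [], "", []
    for entry in parse_ldif(ldif_text):
        problems = id_problems(entry)
        if problems:
            skipped.append((entry["uid"], problems))
            continue
        commands.append(shlex.join(udm_create_argv(entry)))
        ldif += password_hash_ldif(entry)
    return commands, ldif, skipped


if __name__ == "__main__":
    cmds, ldif, skipped = plan_sync(SAMPLE_LDIF)
    print("\n".join(cmds))
    print(ldif)
    for uid, why in skipped:
        print(f"skipped {uid}: {'; '.join(why)}")
```

Run as-is, the script prints one udm create command for jdoe, the matching LDIF stanza, and a skip notice for bob whose uidNumber 150000 sits in the assumed UCS auto-allocation range. In a real run the LDIF would be written to a file and applied with the UCS admin credentials, for example `ldapmodify -x -D "cn=admin,$ldap_base" -y /etc/ldap.secret -f passwords.ldif` (assumed standard UCS paths); the dry-run split keeps the collision check ahead of any write to the production directory.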

The Challenges – LDAP Kerberos Authentication

In UCS, the LDAP server is bound to Samba’s Kerberos. As the MPI uses UCS’ dedicated Heimdal KDC, and the Samba KDC and the Heimdal KDC do not trust each other, a workaround was needed: the Kerberos key for the LDAP principal was exported from the Samba KDC and imported into the Heimdal KDC, so that the keys and the realms are now identical in both KDCs. Merging the institute’s surprisingly extensive directory service ACLs with those of UCS without collisions or other issues also posed a minor challenge.

Plans for the Future

In the future, the plan is to expand the use of UCS further. For example, the IT team would like to connect other services currently in use, which rely on older or more specialised password hash formats, to the UCS LDAP. It should also become possible to specify a name for a given interface directly on the host object via the Univention Management Console and to manage VLAN IDs for assignment via a RADIUS server. Another planned project concerns a workflow for creating new users in which a specific user group enters only general information on a user object and the IT department then completes it with technical attributes such as the home directory.
