SlideShare a Scribd company logo
Modularity and IAM Stack
Container Strategy in UCS
Arvid Requate
Univention GmbH
requate@univention.de
From UCS Appliance to Service Oriented IAM Architecture
●
UCS Appliance: Debian based Operating System
●
Appcenter: simple domain wide deployment and integration of services
●
UCS core value lies in IAM and related APIs
●
Operation in data centers demands containerization
Goals
●
Deployment in modern data center environments and cloud services
●
Focus on service, separation from platform
●
Standardized deployment
●
Scalability and High Availability of Univention Management Stack
●
Each module shall be deployed in several instances
●
API first
●
User interfaces consume those APIs
●
Decoupling of development areas
●
Deployment on arbitrary (Linux) operating systems (with tradeoffs re: scalability)
Target platforms
●
Kubernetes as CaaS Plattform
●
Sovereign Cloudstack
●
Partner datacenters, e.g. Phoenix
●
Classic Linux Servers
●
UCS appliance (Debian)
●
Other Linux distributions
Sovereign Cloud Stack (SCS): open source reference plattform
●
CSP datacenters provide IaaS (e.g. OpenStack) and CaaS (Kubernets)
●
Sovereign Cloud Stack aims to be open source reference implementation
●
„Openstack based Distribution for CSPs“
●
Univention Management Stack shall be deployable on Kubernetes / SCS.
●
Current state:
●
Containerized OpenLDAP as default IAM backend store for Keycloak
●
Keycloak as main layer for federation between IdPs
Services oriented IAM architecture
●
The building blocks: Containerized IAM Services
●
UCS Portal
●
Univention Management Console (UMC)
●
UDM-REST API
●
SSO with federation
●
OpenLDAP
●
Provisioning
API First
●
Univention Directory Manager simplifies IAM
●
Abstracts from LDAP specific implementation details
●
UDM-REST-API as primary entry point
●
Taking the UDM Python API to a HTTP based service architecture
●
Univention Management Console (UMC) uses that REST-API
●
Access to interfaces (APIs) can be load balanced
●
Horizontal scalability
SSO: Integration of Keycloak in UCS
●
OpenID Connect & SAML in one solution
●
Federation options to external IdPs
●
LDAP „user federation“, Keycloak only holding „shadow“ accounts
●
Basic 2FA options
●
Containerized operation with HTTP configuration API
●
Keycloak 18 (Keycloak-X architecture) with UCS themed login screen
●
First class IAM component, enhancing OpenLDAP
SSO: Keycloak User Federation + Ad-Hoc provisioning
First Broker
Login Flow
Keycloak SSO
Entrypoint
MS ADFS
First User Access
SSO: Keycloak App in Appcenter
●
Keycloak container will be offered as optional app
●
Alternative to simpleSAMLphp and Kopano Konnect
●
Later: HA integration suitable as full replacement for UCS SSO
●
We need that component for the data center
●
And also directly build it into the UCS appliance
●
Goal: Keycloak as standard IdP for UCS appliance and data center
Challenges
●
Service orchestration, configuration and discovery in Kubernetes
●
LDAP schema & ACL extensions
●
Live update via cn=Config
●
Persistence of reference configuration for re-provisioning
●
Cattle vs Pet
●
Robust & efficient scaling of LDAP – Testing, testing, testing...
●
High availability for Primary: Multiprovider replication
●
UDM-Rest as sole authorized writer, UID allocator
Thanks for you attention!
Arvid Requate
Univention GmbH
requate@univention.de
Appendix (if time permits)
Rethinking service provisioning
●
UDM-REST-API as primary entry point
1) Writes to Identity Store via LDAP
2) Feeds events into queueing system
●
Containerized workers
1) Consume events from queue
2) provision Apps and external Services
●
In contrast: Listener modules used to be fed by LDAP
Rethinking LDAP replication
●
Let OpenLDAP handle replication of LDAP data natively
●
syncrepl: LDAP Content Synchronization (RFC4533)
●
Allows: High-Availability with Multiprovider replication
●
Listener/Notifier can be phased out
●
Translog
●
Listener cache

More Related Content

Similar to Modularisierung und Containerisierung von UCS

Introduction to AWS & Cloud Services
Introduction to AWS & Cloud ServicesIntroduction to AWS & Cloud Services
Introduction to AWS & Cloud Services
Ann Venkataraman
 
Day in the life event-driven workshop
Day in the life  event-driven workshopDay in the life  event-driven workshop
Day in the life event-driven workshop
Christina Lin
 
AMIS Oracle OpenWorld 2015 Review – part 2- Hardware & IaaS and PaaS Cloud Fo...
AMIS Oracle OpenWorld 2015 Review – part 2- Hardware & IaaS and PaaS Cloud Fo...AMIS Oracle OpenWorld 2015 Review – part 2- Hardware & IaaS and PaaS Cloud Fo...
AMIS Oracle OpenWorld 2015 Review – part 2- Hardware & IaaS and PaaS Cloud Fo...
Getting value from IoT, Integration and Data Analytics
 
Oow2016 review-iaas-paas-13th-18thoctober
Oow2016 review-iaas-paas-13th-18thoctoberOow2016 review-iaas-paas-13th-18thoctober
Oow2016 review-iaas-paas-13th-18thoctober
Getting value from IoT, Integration and Data Analytics
 
VMware - Application Portability
VMware - Application PortabilityVMware - Application Portability
VMware - Application Portability
VMUG IT
 
Agile Integration Workshop
Agile Integration WorkshopAgile Integration Workshop
Agile Integration Workshop
Judy Breedlove
 
.NET Core Apps: Design & Development
.NET Core Apps: Design & Development.NET Core Apps: Design & Development
.NET Core Apps: Design & Development
GlobalLogic Ukraine
 
Beyond the Brokers: A Tour of the Kafka Ecosystem
Beyond the Brokers: A Tour of the Kafka EcosystemBeyond the Brokers: A Tour of the Kafka Ecosystem
Beyond the Brokers: A Tour of the Kafka Ecosystem
confluent
 
Beyond the brokers - A tour of the Kafka ecosystem
Beyond the brokers - A tour of the Kafka ecosystemBeyond the brokers - A tour of the Kafka ecosystem
Beyond the brokers - A tour of the Kafka ecosystem
Damien Gasparina
 
Spring Cloud Services with Pivotal Cloud Foundry- Gokhan Goksu
Spring Cloud Services with Pivotal Cloud Foundry- Gokhan GoksuSpring Cloud Services with Pivotal Cloud Foundry- Gokhan Goksu
Spring Cloud Services with Pivotal Cloud Foundry- Gokhan Goksu
VMware Tanzu
 
Osgi based cloud system architecture - Open Cloud Engine
Osgi based cloud system architecture - Open Cloud EngineOsgi based cloud system architecture - Open Cloud Engine
Osgi based cloud system architecture - Open Cloud Engine
uEngine Solutions
 
Oow2016 review--paas-microservices-
Oow2016 review--paas-microservices-Oow2016 review--paas-microservices-
Oow2016 review--paas-microservices-
Getting value from IoT, Integration and Data Analytics
 
Containers Anywhere with OpenShift by Red Hat
Containers Anywhere with OpenShift by Red HatContainers Anywhere with OpenShift by Red Hat
Containers Anywhere with OpenShift by Red Hat
Amazon Web Services
 
Cloudexpowest opensourcecloudcomputing-1by arun kumar
Cloudexpowest opensourcecloudcomputing-1by arun kumarCloudexpowest opensourcecloudcomputing-1by arun kumar
Cloudexpowest opensourcecloudcomputing-1by arun kumar
Arun Kumar
 
Cloudexpowest opensourcecloudcomputing-1by arun kumar
Cloudexpowest opensourcecloudcomputing-1by arun kumarCloudexpowest opensourcecloudcomputing-1by arun kumar
Cloudexpowest opensourcecloudcomputing-1by arun kumar
Arun Kumar
 
IBM BP Session - Multiple CLoud Paks and Cloud Paks Foundational Services.pptx
IBM BP Session - Multiple CLoud Paks and Cloud Paks Foundational Services.pptxIBM BP Session - Multiple CLoud Paks and Cloud Paks Foundational Services.pptx
IBM BP Session - Multiple CLoud Paks and Cloud Paks Foundational Services.pptx
Georg Ember
 
CloudStack Overview
CloudStack OverviewCloudStack Overview
CloudStack Overview
sedukull
 
Introduction to Apache Mesos and DC/OS
Introduction to Apache Mesos and DC/OSIntroduction to Apache Mesos and DC/OS
Introduction to Apache Mesos and DC/OS
Steve Wong
 
Containers as Infrastructure for New Gen Apps
Containers as Infrastructure for New Gen AppsContainers as Infrastructure for New Gen Apps
Containers as Infrastructure for New Gen Apps
Khalid Ahmed
 
Apidays Paris 2023 - Kubernetes Gateways, Pubudu Gunatilaka, WSO2
Apidays Paris 2023 - Kubernetes Gateways, Pubudu Gunatilaka, WSO2Apidays Paris 2023 - Kubernetes Gateways, Pubudu Gunatilaka, WSO2
Apidays Paris 2023 - Kubernetes Gateways, Pubudu Gunatilaka, WSO2
apidays
 

Similar to Modularisierung und Containerisierung von UCS (20)

Introduction to AWS & Cloud Services
Introduction to AWS & Cloud ServicesIntroduction to AWS & Cloud Services
Introduction to AWS & Cloud Services
 
Day in the life event-driven workshop
Day in the life  event-driven workshopDay in the life  event-driven workshop
Day in the life event-driven workshop
 
AMIS Oracle OpenWorld 2015 Review – part 2- Hardware & IaaS and PaaS Cloud Fo...
AMIS Oracle OpenWorld 2015 Review – part 2- Hardware & IaaS and PaaS Cloud Fo...AMIS Oracle OpenWorld 2015 Review – part 2- Hardware & IaaS and PaaS Cloud Fo...
AMIS Oracle OpenWorld 2015 Review – part 2- Hardware & IaaS and PaaS Cloud Fo...
 
Oow2016 review-iaas-paas-13th-18thoctober
Oow2016 review-iaas-paas-13th-18thoctoberOow2016 review-iaas-paas-13th-18thoctober
Oow2016 review-iaas-paas-13th-18thoctober
 
VMware - Application Portability
VMware - Application PortabilityVMware - Application Portability
VMware - Application Portability
 
Agile Integration Workshop
Agile Integration WorkshopAgile Integration Workshop
Agile Integration Workshop
 
.NET Core Apps: Design & Development
.NET Core Apps: Design & Development.NET Core Apps: Design & Development
.NET Core Apps: Design & Development
 
Beyond the Brokers: A Tour of the Kafka Ecosystem
Beyond the Brokers: A Tour of the Kafka EcosystemBeyond the Brokers: A Tour of the Kafka Ecosystem
Beyond the Brokers: A Tour of the Kafka Ecosystem
 
Beyond the brokers - A tour of the Kafka ecosystem
Beyond the brokers - A tour of the Kafka ecosystemBeyond the brokers - A tour of the Kafka ecosystem
Beyond the brokers - A tour of the Kafka ecosystem
 
Spring Cloud Services with Pivotal Cloud Foundry- Gokhan Goksu
Spring Cloud Services with Pivotal Cloud Foundry- Gokhan GoksuSpring Cloud Services with Pivotal Cloud Foundry- Gokhan Goksu
Spring Cloud Services with Pivotal Cloud Foundry- Gokhan Goksu
 
Osgi based cloud system architecture - Open Cloud Engine
Osgi based cloud system architecture - Open Cloud EngineOsgi based cloud system architecture - Open Cloud Engine
Osgi based cloud system architecture - Open Cloud Engine
 
Oow2016 review--paas-microservices-
Oow2016 review--paas-microservices-Oow2016 review--paas-microservices-
Oow2016 review--paas-microservices-
 
Containers Anywhere with OpenShift by Red Hat
Containers Anywhere with OpenShift by Red HatContainers Anywhere with OpenShift by Red Hat
Containers Anywhere with OpenShift by Red Hat
 
Cloudexpowest opensourcecloudcomputing-1by arun kumar
Cloudexpowest opensourcecloudcomputing-1by arun kumarCloudexpowest opensourcecloudcomputing-1by arun kumar
Cloudexpowest opensourcecloudcomputing-1by arun kumar
 
Cloudexpowest opensourcecloudcomputing-1by arun kumar
Cloudexpowest opensourcecloudcomputing-1by arun kumarCloudexpowest opensourcecloudcomputing-1by arun kumar
Cloudexpowest opensourcecloudcomputing-1by arun kumar
 
IBM BP Session - Multiple CLoud Paks and Cloud Paks Foundational Services.pptx
IBM BP Session - Multiple CLoud Paks and Cloud Paks Foundational Services.pptxIBM BP Session - Multiple CLoud Paks and Cloud Paks Foundational Services.pptx
IBM BP Session - Multiple CLoud Paks and Cloud Paks Foundational Services.pptx
 
CloudStack Overview
CloudStack OverviewCloudStack Overview
CloudStack Overview
 
Introduction to Apache Mesos and DC/OS
Introduction to Apache Mesos and DC/OSIntroduction to Apache Mesos and DC/OS
Introduction to Apache Mesos and DC/OS
 
Containers as Infrastructure for New Gen Apps
Containers as Infrastructure for New Gen AppsContainers as Infrastructure for New Gen Apps
Containers as Infrastructure for New Gen Apps
 
Apidays Paris 2023 - Kubernetes Gateways, Pubudu Gunatilaka, WSO2
Apidays Paris 2023 - Kubernetes Gateways, Pubudu Gunatilaka, WSO2Apidays Paris 2023 - Kubernetes Gateways, Pubudu Gunatilaka, WSO2
Apidays Paris 2023 - Kubernetes Gateways, Pubudu Gunatilaka, WSO2
 

More from Univention GmbH

Status des Rollen- und Rechtemodells in UCS und UCS@school - Daniel Tröder - ...
Status des Rollen- und Rechtemodells in UCS und UCS@school - Daniel Tröder - ...Status des Rollen- und Rechtemodells in UCS und UCS@school - Daniel Tröder - ...
Status des Rollen- und Rechtemodells in UCS und UCS@school - Daniel Tröder - ...
Univention GmbH
 
Technical Deep Dive - OpenID-Connect and OAuth 2.0 in UCS IAM - Florian Best ...
Technical Deep Dive - OpenID-Connect and OAuth 2.0 in UCS IAM - Florian Best ...Technical Deep Dive - OpenID-Connect and OAuth 2.0 in UCS IAM - Florian Best ...
Technical Deep Dive - OpenID-Connect and OAuth 2.0 in UCS IAM - Florian Best ...
Univention GmbH
 
Univention IAM and Portal for Kubernetes - Ingo Steuwer - Univention Summit 2024
Univention IAM and Portal for Kubernetes - Ingo Steuwer - Univention Summit 2024Univention IAM and Portal for Kubernetes - Ingo Steuwer - Univention Summit 2024
Univention IAM and Portal for Kubernetes - Ingo Steuwer - Univention Summit 2024
Univention GmbH
 
Keycloak as the New Identity Provider for UCS - Felix Botner & Erik Damrose -...
Keycloak as the New Identity Provider for UCS - Felix Botner & Erik Damrose -...Keycloak as the New Identity Provider for UCS - Felix Botner & Erik Damrose -...
Keycloak as the New Identity Provider for UCS - Felix Botner & Erik Damrose -...
Univention GmbH
 
Outlook on UCS 5.2 - Ingo Steuwer - Univention Summit 2024
Outlook on UCS 5.2 - Ingo Steuwer - Univention Summit 2024Outlook on UCS 5.2 - Ingo Steuwer - Univention Summit 2024
Outlook on UCS 5.2 - Ingo Steuwer - Univention Summit 2024
Univention GmbH
 
Wohin entwickelt sich UCS? Ingo Steuwer - Univention Summit 2022
Wohin entwickelt sich UCS? Ingo Steuwer - Univention Summit 2022Wohin entwickelt sich UCS? Ingo Steuwer - Univention Summit 2022
Wohin entwickelt sich UCS? Ingo Steuwer - Univention Summit 2022
Univention GmbH
 
Barrierefreiheit in UCS - Univention GmbH - Univention Summit 2022
Barrierefreiheit in UCS - Univention GmbH - Univention Summit 2022Barrierefreiheit in UCS - Univention GmbH - Univention Summit 2022
Barrierefreiheit in UCS - Univention GmbH - Univention Summit 2022
Univention GmbH
 
Digitale Souveränität für die zivile Seenotrettung von Sea-Watch - Sea-Watch ...
Digitale Souveränität für die zivile Seenotrettung von Sea-Watch - Sea-Watch ...Digitale Souveränität für die zivile Seenotrettung von Sea-Watch - Sea-Watch ...
Digitale Souveränität für die zivile Seenotrettung von Sea-Watch - Sea-Watch ...
Univention GmbH
 
Schulische Lernplattformen in Deutschland - Institut für Informationsmanageme...
Schulische Lernplattformen in Deutschland - Institut für Informationsmanageme...Schulische Lernplattformen in Deutschland - Institut für Informationsmanageme...
Schulische Lernplattformen in Deutschland - Institut für Informationsmanageme...
Univention GmbH
 
Technologie in der Schule: Ein Projektüberblick & Beratungsansatz der Bechtle...
Technologie in der Schule: Ein Projektüberblick & Beratungsansatz der Bechtle...Technologie in der Schule: Ein Projektüberblick & Beratungsansatz der Bechtle...
Technologie in der Schule: Ein Projektüberblick & Beratungsansatz der Bechtle...
Univention GmbH
 
UCS@school Roadmap 2022 - Univention GmbH - Univention Summit 2022
UCS@school Roadmap 2022 - Univention GmbH - Univention Summit 2022UCS@school Roadmap 2022 - Univention GmbH - Univention Summit 2022
UCS@school Roadmap 2022 - Univention GmbH - Univention Summit 2022
Univention GmbH
 
BILDUNGSLOGIN: Mit zwei Klicks die ganze Bandbreite digitaler Bildungsmedien ...
BILDUNGSLOGIN: Mit zwei Klicks die ganze Bandbreite digitaler Bildungsmedien ...BILDUNGSLOGIN: Mit zwei Klicks die ganze Bandbreite digitaler Bildungsmedien ...
BILDUNGSLOGIN: Mit zwei Klicks die ganze Bandbreite digitaler Bildungsmedien ...
Univention GmbH
 
Schule digital neu denken - Schulstiftung der Ev.-Luth. Landeskriche Sachsens...
Schule digital neu denken - Schulstiftung der Ev.-Luth. Landeskriche Sachsens...Schule digital neu denken - Schulstiftung der Ev.-Luth. Landeskriche Sachsens...
Schule digital neu denken - Schulstiftung der Ev.-Luth. Landeskriche Sachsens...
Univention GmbH
 
UCS Roadmap 2022 - Univention GmbH - Univention Summit 2022
UCS Roadmap 2022 - Univention GmbH - Univention Summit 2022UCS Roadmap 2022 - Univention GmbH - Univention Summit 2022
UCS Roadmap 2022 - Univention GmbH - Univention Summit 2022
Univention GmbH
 
Shift happens! Let's create a better IT now! - UNivention GmbH - Univention S...
Shift happens! Let's create a better IT now! - UNivention GmbH - Univention S...Shift happens! Let's create a better IT now! - UNivention GmbH - Univention S...
Shift happens! Let's create a better IT now! - UNivention GmbH - Univention S...
Univention GmbH
 
Einführung eines zentralen IDM auf Basis der hessischen Landesdatenbank LUSD ...
Einführung eines zentralen IDM auf Basis der hessischen Landesdatenbank LUSD ...Einführung eines zentralen IDM auf Basis der hessischen Landesdatenbank LUSD ...
Einführung eines zentralen IDM auf Basis der hessischen Landesdatenbank LUSD ...
Univention GmbH
 
Sie serverlose Schule - Stadt Norderstedt - Univention Summit 2022
Sie serverlose Schule - Stadt Norderstedt - Univention Summit 2022Sie serverlose Schule - Stadt Norderstedt - Univention Summit 2022
Sie serverlose Schule - Stadt Norderstedt - Univention Summit 2022
Univention GmbH
 
Digital Souveräne Collaboration mit Nextcloud - Nextcloud-Univention-Summit-2...
Digital Souveräne Collaboration mit Nextcloud - Nextcloud-Univention-Summit-2...Digital Souveräne Collaboration mit Nextcloud - Nextcloud-Univention-Summit-2...
Digital Souveräne Collaboration mit Nextcloud - Nextcloud-Univention-Summit-2...
Univention GmbH
 
Enough about Gaia-X theory – Let’s shift towards real use cases! - Plusserver...
Enough about Gaia-X theory – Let’s shift towards real use cases! - Plusserver...Enough about Gaia-X theory – Let’s shift towards real use cases! - Plusserver...
Enough about Gaia-X theory – Let’s shift towards real use cases! - Plusserver...
Univention GmbH
 
Get your shift together now! - agorum Software - Univention Summit 2022
Get your shift together now! - agorum Software - Univention Summit 2022Get your shift together now! - agorum Software - Univention Summit 2022
Get your shift together now! - agorum Software - Univention Summit 2022
Univention GmbH
 

More from Univention GmbH (20)

Status des Rollen- und Rechtemodells in UCS und UCS@school - Daniel Tröder - ...
Status des Rollen- und Rechtemodells in UCS und UCS@school - Daniel Tröder - ...Status des Rollen- und Rechtemodells in UCS und UCS@school - Daniel Tröder - ...
Status des Rollen- und Rechtemodells in UCS und UCS@school - Daniel Tröder - ...
 
Technical Deep Dive - OpenID-Connect and OAuth 2.0 in UCS IAM - Florian Best ...
Technical Deep Dive - OpenID-Connect and OAuth 2.0 in UCS IAM - Florian Best ...Technical Deep Dive - OpenID-Connect and OAuth 2.0 in UCS IAM - Florian Best ...
Technical Deep Dive - OpenID-Connect and OAuth 2.0 in UCS IAM - Florian Best ...
 
Univention IAM and Portal for Kubernetes - Ingo Steuwer - Univention Summit 2024
Univention IAM and Portal for Kubernetes - Ingo Steuwer - Univention Summit 2024Univention IAM and Portal for Kubernetes - Ingo Steuwer - Univention Summit 2024
Univention IAM and Portal for Kubernetes - Ingo Steuwer - Univention Summit 2024
 
Keycloak as the New Identity Provider for UCS - Felix Botner & Erik Damrose -...
Keycloak as the New Identity Provider for UCS - Felix Botner & Erik Damrose -...Keycloak as the New Identity Provider for UCS - Felix Botner & Erik Damrose -...
Keycloak as the New Identity Provider for UCS - Felix Botner & Erik Damrose -...
 
Outlook on UCS 5.2 - Ingo Steuwer - Univention Summit 2024
Outlook on UCS 5.2 - Ingo Steuwer - Univention Summit 2024Outlook on UCS 5.2 - Ingo Steuwer - Univention Summit 2024
Outlook on UCS 5.2 - Ingo Steuwer - Univention Summit 2024
 
Wohin entwickelt sich UCS? Ingo Steuwer - Univention Summit 2022
Wohin entwickelt sich UCS? Ingo Steuwer - Univention Summit 2022Wohin entwickelt sich UCS? Ingo Steuwer - Univention Summit 2022
Wohin entwickelt sich UCS? Ingo Steuwer - Univention Summit 2022
 
Barrierefreiheit in UCS - Univention GmbH - Univention Summit 2022
Barrierefreiheit in UCS - Univention GmbH - Univention Summit 2022Barrierefreiheit in UCS - Univention GmbH - Univention Summit 2022
Barrierefreiheit in UCS - Univention GmbH - Univention Summit 2022
 
Digitale Souveränität für die zivile Seenotrettung von Sea-Watch - Sea-Watch ...
Digitale Souveränität für die zivile Seenotrettung von Sea-Watch - Sea-Watch ...Digitale Souveränität für die zivile Seenotrettung von Sea-Watch - Sea-Watch ...
Digitale Souveränität für die zivile Seenotrettung von Sea-Watch - Sea-Watch ...
 
Schulische Lernplattformen in Deutschland - Institut für Informationsmanageme...
Schulische Lernplattformen in Deutschland - Institut für Informationsmanageme...Schulische Lernplattformen in Deutschland - Institut für Informationsmanageme...
Schulische Lernplattformen in Deutschland - Institut für Informationsmanageme...
 
Technologie in der Schule: Ein Projektüberblick & Beratungsansatz der Bechtle...
Technologie in der Schule: Ein Projektüberblick & Beratungsansatz der Bechtle...Technologie in der Schule: Ein Projektüberblick & Beratungsansatz der Bechtle...
Technologie in der Schule: Ein Projektüberblick & Beratungsansatz der Bechtle...
 
UCS@school Roadmap 2022 - Univention GmbH - Univention Summit 2022
UCS@school Roadmap 2022 - Univention GmbH - Univention Summit 2022UCS@school Roadmap 2022 - Univention GmbH - Univention Summit 2022
UCS@school Roadmap 2022 - Univention GmbH - Univention Summit 2022
 
BILDUNGSLOGIN: Mit zwei Klicks die ganze Bandbreite digitaler Bildungsmedien ...
BILDUNGSLOGIN: Mit zwei Klicks die ganze Bandbreite digitaler Bildungsmedien ...BILDUNGSLOGIN: Mit zwei Klicks die ganze Bandbreite digitaler Bildungsmedien ...
BILDUNGSLOGIN: Mit zwei Klicks die ganze Bandbreite digitaler Bildungsmedien ...
 
Schule digital neu denken - Schulstiftung der Ev.-Luth. Landeskriche Sachsens...
Schule digital neu denken - Schulstiftung der Ev.-Luth. Landeskriche Sachsens...Schule digital neu denken - Schulstiftung der Ev.-Luth. Landeskriche Sachsens...
Schule digital neu denken - Schulstiftung der Ev.-Luth. Landeskriche Sachsens...
 
UCS Roadmap 2022 - Univention GmbH - Univention Summit 2022
UCS Roadmap 2022 - Univention GmbH - Univention Summit 2022UCS Roadmap 2022 - Univention GmbH - Univention Summit 2022
UCS Roadmap 2022 - Univention GmbH - Univention Summit 2022
 
Shift happens! Let's create a better IT now! - UNivention GmbH - Univention S...
Shift happens! Let's create a better IT now! - UNivention GmbH - Univention S...Shift happens! Let's create a better IT now! - UNivention GmbH - Univention S...
Shift happens! Let's create a better IT now! - UNivention GmbH - Univention S...
 
Einführung eines zentralen IDM auf Basis der hessischen Landesdatenbank LUSD ...
Einführung eines zentralen IDM auf Basis der hessischen Landesdatenbank LUSD ...Einführung eines zentralen IDM auf Basis der hessischen Landesdatenbank LUSD ...
Einführung eines zentralen IDM auf Basis der hessischen Landesdatenbank LUSD ...
 
Sie serverlose Schule - Stadt Norderstedt - Univention Summit 2022
Sie serverlose Schule - Stadt Norderstedt - Univention Summit 2022Sie serverlose Schule - Stadt Norderstedt - Univention Summit 2022
Sie serverlose Schule - Stadt Norderstedt - Univention Summit 2022
 
Digital Souveräne Collaboration mit Nextcloud - Nextcloud-Univention-Summit-2...
Digital Souveräne Collaboration mit Nextcloud - Nextcloud-Univention-Summit-2...Digital Souveräne Collaboration mit Nextcloud - Nextcloud-Univention-Summit-2...
Digital Souveräne Collaboration mit Nextcloud - Nextcloud-Univention-Summit-2...
 
Enough about Gaia-X theory – Let’s shift towards real use cases! - Plusserver...
Enough about Gaia-X theory – Let’s shift towards real use cases! - Plusserver...Enough about Gaia-X theory – Let’s shift towards real use cases! - Plusserver...
Enough about Gaia-X theory – Let’s shift towards real use cases! - Plusserver...
 
Get your shift together now! - agorum Software - Univention Summit 2022
Get your shift together now! - agorum Software - Univention Summit 2022Get your shift together now! - agorum Software - Univention Summit 2022
Get your shift together now! - agorum Software - Univention Summit 2022
 

Recently uploaded

How GenAI Can Improve Supplier Performance Management.pdf
How GenAI Can Improve Supplier Performance Management.pdfHow GenAI Can Improve Supplier Performance Management.pdf
How GenAI Can Improve Supplier Performance Management.pdf
Zycus
 
Flutter vs. React Native: A Detailed Comparison for App Development in 2024
Flutter vs. React Native: A Detailed Comparison for App Development in 2024Flutter vs. React Native: A Detailed Comparison for App Development in 2024
Flutter vs. React Native: A Detailed Comparison for App Development in 2024
dhavalvaghelanectarb
 
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in NashikUpturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies
 
Photoshop Tutorial for Beginners (2024 Edition)
Photoshop Tutorial for Beginners (2024 Edition)Photoshop Tutorial for Beginners (2024 Edition)
Photoshop Tutorial for Beginners (2024 Edition)
alowpalsadig
 
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
widenerjobeyrl638
 
Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.
KrishnaveniMohan1
 
Microsoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptxMicrosoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptx
jrodriguezq3110
 
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
safelyiotech
 
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdfThe Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
kalichargn70th171
 
Boost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management AppsBoost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management Apps
Jhone kinadey
 
Cost-Effective Strategies For iOS App Development
Cost-Effective Strategies For iOS App DevelopmentCost-Effective Strategies For iOS App Development
Cost-Effective Strategies For iOS App Development
Softradix Technologies
 
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
kalichargn70th171
 
Computer Science & Engineering VI Sem- New Syllabus.pdf
Computer Science & Engineering VI Sem- New Syllabus.pdfComputer Science & Engineering VI Sem- New Syllabus.pdf
Computer Science & Engineering VI Sem- New Syllabus.pdf
chandangoswami40933
 
Beginner's Guide to Observability@Devoxx PL 2024
Beginner's  Guide to Observability@Devoxx PL 2024Beginner's  Guide to Observability@Devoxx PL 2024
Beginner's Guide to Observability@Devoxx PL 2024
michniczscribd
 
The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024
Yara Milbes
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
Drona Infotech
 
Modelling Up - DDDEurope 2024 - Amsterdam
Modelling Up - DDDEurope 2024 - AmsterdamModelling Up - DDDEurope 2024 - Amsterdam
Modelling Up - DDDEurope 2024 - Amsterdam
Alberto Brandolini
 
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptxOperational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
sandeepmenon62
 
42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert
vaishalijagtap12
 
Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...
Paul Brebner
 

Recently uploaded (20)

How GenAI Can Improve Supplier Performance Management.pdf
How GenAI Can Improve Supplier Performance Management.pdfHow GenAI Can Improve Supplier Performance Management.pdf
How GenAI Can Improve Supplier Performance Management.pdf
 
Flutter vs. React Native: A Detailed Comparison for App Development in 2024
Flutter vs. React Native: A Detailed Comparison for App Development in 2024Flutter vs. React Native: A Detailed Comparison for App Development in 2024
Flutter vs. React Native: A Detailed Comparison for App Development in 2024
 
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in NashikUpturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in Nashik
 
Photoshop Tutorial for Beginners (2024 Edition)
Photoshop Tutorial for Beginners (2024 Edition)Photoshop Tutorial for Beginners (2024 Edition)
Photoshop Tutorial for Beginners (2024 Edition)
 
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
 
Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.
 
Microsoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptxMicrosoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptx
 
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
 
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdfThe Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
 
Boost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management AppsBoost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management Apps
 
Cost-Effective Strategies For iOS App Development
Cost-Effective Strategies For iOS App DevelopmentCost-Effective Strategies For iOS App Development
Cost-Effective Strategies For iOS App Development
 
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
 
Computer Science & Engineering VI Sem- New Syllabus.pdf
Computer Science & Engineering VI Sem- New Syllabus.pdfComputer Science & Engineering VI Sem- New Syllabus.pdf
Computer Science & Engineering VI Sem- New Syllabus.pdf
 
Beginner's Guide to Observability@Devoxx PL 2024
Beginner's  Guide to Observability@Devoxx PL 2024Beginner's  Guide to Observability@Devoxx PL 2024
Beginner's Guide to Observability@Devoxx PL 2024
 
The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
 
Modelling Up - DDDEurope 2024 - Amsterdam
Modelling Up - DDDEurope 2024 - AmsterdamModelling Up - DDDEurope 2024 - Amsterdam
Modelling Up - DDDEurope 2024 - Amsterdam
 
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptxOperational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
 
42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert
 
Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...
 

Modularisierung und Containerisierung von UCS

  • 1. Modularity and IAM Stack Container Strategy in UCS Arvid Requate Univention GmbH requate@univention.de
  • 2. From UCS Appliance to Service Oriented IAM Architecture ● UCS Appliance: Debian based Operating System ● Appcenter: simple domain wide deployment and integration of services ● UCS core value lies in IAM and related APIs ● Operation in data centers demands containerization
  • 3. Goals ● Deployment in modern data center environments and cloud services ● Focus on service, separation from platform ● Standardized deployment ● Scalability and High Availability of Univention Management Stack ● Each module shall be deployed in several instances ● API first ● User interfaces consume those APIs ● Decoupling of development areas ● Deployment on arbitrary (Linux) operating systems (with tradeoffs re: scalability)
  • 4. Target platforms ● Kubernetes as CaaS Plattform ● Sovereign Cloudstack ● Partner datacenters, e.g. Phoenix ● Classic Linux Servers ● UCS appliance (Debian) ● Other Linux distributions
  • 5. Sovereign Cloud Stack (SCS): open source reference plattform ● CSP datacenters provide IaaS (e.g. OpenStack) and CaaS (Kubernets) ● Sovereign Cloud Stack aims to be open source reference implementation ● „Openstack based Distribution for CSPs“ ● Univention Management Stack shall be deployable on Kubernetes / SCS. ● Current state: ● Containerized OpenLDAP as default IAM backend store for Keycloak ● Keycloak as main layer for federation between IdPs
  • 6. Services oriented IAM architecture ● The building blocks: Containerized IAM Services ● UCS Portal ● Univention Management Console (UMC) ● UDM-REST API ● SSO with federation ● OpenLDAP ● Provisioning
  • 7.
  • 8.
  • 9. API First ● Univention Directory Manager simplifies IAM ● Abstracts from LDAP specific implementation details ● UDM-REST-API as primary entry point ● Taking the UDM Python API to a HTTP based service architecture ● Univention Management Console (UMC) uses that REST-API ● Access to interfaces (APIs) can be load balanced ● Horizontal scalability
  • 10.
  • 11.
  • 12. SSO: Integration of Keycloak in UCS ● OpenID Connect & SAML in one solution ● Federation options to external IdPs ● LDAP „user federation“, Keycloak only holding „shadow“ accounts ● Basic 2FA options ● Containerized operation with HTTP configuration API ● Keycloak 18 (Keycloak-X architecture) with UCS themed login screen ● First class IAM component, enhancing OpenLDAP
  • 13. SSO: Keycloak User Federation + Ad-Hoc provisioning First Broker Login Flow Keycloak SSO Entrypoint MS ADFS First User Access
  • 14. SSO: Keycloak App in Appcenter ● Keycloak container will be offered as optional app ● Alternative to simpleSAMLphp and Kopano Konnect ● Later: HA integration suitable as full replacement for UCS SSO ● We need that component for the data center ● And also directly build it into the UCS appliance ● Goal: Keycloak as standard IdP for UCS appliance and data center
  • 15. Challenges ● Service orchestration, configuration and discovery in Kubernetes ● LDAP schema & ACL extensions ● Live update via cn=Config ● Persistence of reference configuration for re-provisioning ● Cattle vs Pet ● Robust & efficient scaling of LDAP – Testing, testing, testing... ● High availability for Primary: Multiprovider replication ● UDM-Rest as sole authorized writer, UID allocator
  • 16. Thanks for you attention! Arvid Requate Univention GmbH requate@univention.de
  • 17. Appendix (if time permits)
  • 18. Rethinking service provisioning ● UDM-REST-API as primary entry point 1) Writes to Identity Store via LDAP 2) Feeds events into queueing system ● Containerized workers 1) Consume events from queue 2) provision Apps and external Services ● In contrast: Listener modules used to be fed by LDAP
  • 19. Rethinking LDAP replication ● Let OpenLDAP handle replication of LDAP data natively ● syncrepl: LDAP Content Synchronization (RFC4533) ● Allows: High-Availability with Multiprovider replication ● Listener/Notifier can be phased out ● Translog ● Listener cache