Modularity and IAM Stack
Container Strategy in UCS
Arvid Requate
Univention GmbH
requate@univention.de
From UCS Appliance to Service Oriented IAM Architecture
● UCS Appliance: Debian based operating system
● App Center: simple domain-wide deployment and integration of services
● The core value of UCS lies in IAM and the related APIs
● Operation in data centers demands containerization
Goals
● Deployment in modern data center environments and cloud services
● Focus on the service, separation from the platform
● Standardized deployment
● Scalability and high availability of the Univention Management Stack
  ● Each module shall be deployed in several instances
● API first
  ● User interfaces consume those APIs
  ● Decoupling of development areas
● Deployment on arbitrary (Linux) operating systems (with tradeoffs re: scalability)
Target platforms
● Kubernetes as CaaS platform
  ● Sovereign Cloud Stack
  ● Partner data centers, e.g. Phoenix
● Classic Linux servers
  ● UCS appliance (Debian)
  ● Other Linux distributions
Sovereign Cloud Stack (SCS): open source reference platform
● CSP data centers provide IaaS (e.g. OpenStack) and CaaS (Kubernetes)
● Sovereign Cloud Stack aims to be the open source reference implementation
● "OpenStack based distribution for CSPs"
● The Univention Management Stack shall be deployable on Kubernetes / SCS
● Current state:
  ● Containerized OpenLDAP as default IAM backend store for Keycloak
  ● Keycloak as main layer for federation between IdPs
Service oriented IAM architecture
● The building blocks: containerized IAM services
  ● UCS Portal
  ● Univention Management Console (UMC)
  ● UDM REST API
  ● SSO with federation
  ● OpenLDAP
  ● Provisioning
API First
● Univention Directory Manager (UDM) simplifies IAM
  ● Abstracts from LDAP specific implementation details
● UDM REST API as primary entry point
  ● Takes the UDM Python API into an HTTP based service architecture
  ● Univention Management Console (UMC) uses that REST API
● Access to the interfaces (APIs) can be load balanced
  ● Horizontal scalability
SSO: Integration of Keycloak in UCS
● OpenID Connect and SAML in one solution
● Federation options to external IdPs
● LDAP "user federation": Keycloak only holds "shadow" accounts, the identity store stays in OpenLDAP
● Basic 2FA options
● Containerized operation with HTTP configuration API
● Keycloak 18 (Keycloak.X architecture) with UCS themed login screen
● First class IAM component, enhancing OpenLDAP
SSO: Keycloak User Federation + Ad-Hoc provisioning
[Diagram (labels only): Keycloak SSO entrypoint, MS ADFS, first broker login flow, first user access]
SSO: Keycloak app in the App Center
● The Keycloak container will be offered as an optional app
  ● Alternative to simpleSAMLphp and Kopano Konnect
  ● Later: HA integration suitable as a full replacement for UCS SSO
● We need that component for the data center
  ● and also build it directly into the UCS appliance
● Goal: Keycloak as the standard IdP for the UCS appliance and the data center
Challenges
● Service orchestration, configuration and discovery in Kubernetes
● LDAP schema and ACL extensions
  ● Live update via cn=config
  ● Persistence of the reference configuration for re-provisioning
  ● Cattle vs. pet
● Robust and efficient scaling of LDAP: testing, testing, testing...
  ● High availability for the Primary: multiprovider replication
  ● UDM REST API as sole authorized writer and UID allocator
Thanks for your attention!
Arvid Requate
Univention GmbH
requate@univention.de
Appendix (if time permits)
Rethinking service provisioning
● UDM REST API as primary entry point
  1) Writes to the identity store via LDAP
  2) Feeds events into a queueing system
● Containerized workers
  1) Consume events from the queue
  2) Provision apps and external services
● In contrast: listener modules used to be fed by LDAP
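The two slides above (UDM REST API as the primary entry point, and the appendix on queue-fed provisioning workers) together with the "sole authorized writer, UID allocator" challenge describe one design: a single writer in front of the identity store, a queue of change events, and stateless workers that provision downstream services. The following is an added example, not Univention code, that models that design in plain Python with an in-memory store and queue. It assumes a shared signing key between writer and workers so that a worker can reject queue entries that did not come from the authorized writer, and it shows the two failure modes a practitioner has to handle in such a pipeline: redelivery of the same event (at-least-once queues) and an injected event. The class names, the key and the usernames are illustrative.

```python
"""Event-driven provisioning with one authorized writer.

Added example, not Univention code. A UDM-REST stand-in is the only
component that writes to the identity store and allocates uidNumbers;
every change is pushed into a queue as a signed event; stateless workers
consume the queue and provision a downstream app.
"""
import hashlib
import hmac
import itertools
import json
import re
import uuid
from collections import deque
from dataclasses import dataclass

# Shared by writer and workers (assumed; in a real deployment it would come
# from a secret store). It lets a worker reject queue entries that did not
# originate from the authorized writer.
QUEUE_SIGNING_KEY = b"example-key-not-for-production"
USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")


@dataclass(frozen=True)
class Event:
    event_id: str   # unique per change: consumers use it to drop redeliveries
    op: str         # "create" or "delete"
    dn: str
    attrs: dict
    mac: str        # HMAC over (event_id, op, dn, attrs)


def sign(event_id: str, op: str, dn: str, attrs: dict) -> str:
    payload = json.dumps([event_id, op, dn, attrs], sort_keys=True).encode()
    return hmac.new(QUEUE_SIGNING_KEY, payload, hashlib.sha256).hexdigest()


class IdentityStore:
    """Stand-in for the OpenLDAP identity store: DN -> attribute dict."""
    def __init__(self):
        self.entries = {}


class UdmRest:
    """Sole authorized writer: validates input, allocates the uidNumber,
    writes the entry, then publishes the change as a signed event."""
    def __init__(self, store, queue, base_dn, first_uid=2000):
        self.store, self.queue, self.base_dn = store, queue, base_dn
        self._uids = itertools.count(first_uid)   # single allocator: no duplicate uids across writers

    def create_user(self, username: str) -> dict:
        if not USERNAME_RE.match(username):
            raise ValueError(f"invalid username {username!r}")
        dn = f"uid={username},cn=users,{self.base_dn}"
        if dn in self.store.entries:
            raise ValueError(f"{dn} already exists")
        attrs = {"uid": username, "uidNumber": next(self._uids), "objectClass": ["posixAccount"]}
        self.store.entries[dn] = attrs                 # 1) write to the identity store
        self._publish("create", dn, attrs)             # 2) feed the event into the queue
        return attrs

    def _publish(self, op, dn, attrs):
        event_id = str(uuid.uuid4())
        self.queue.append(Event(event_id, op, dn, attrs, sign(event_id, op, dn, attrs)))


class ProvisioningWorker:
    """Stateless consumer: holds no LDAP credentials, sees only queue events."""
    def __init__(self, name: str):
        self.name = name
        self.accounts = {}      # the downstream app being provisioned (simulated)
        self.seen = set()       # processed event ids: makes at-least-once delivery idempotent

    def handle(self, ev: Event) -> str:
        if not hmac.compare_digest(ev.mac, sign(ev.event_id, ev.op, ev.dn, ev.attrs)):
            return "rejected"   # forged or tampered queue entry
        if ev.event_id in self.seen:
            return "duplicate"  # redelivery of an event already applied
        if ev.op == "create":
            self.accounts[ev.attrs["uid"]] = {"uidNumber": ev.attrs["uidNumber"]}
        elif ev.op == "delete":
            self.accounts.pop(ev.attrs["uid"], None)
        self.seen.add(ev.event_id)
        return "applied"


def drain(queue, worker) -> list:
    """Deliver every queued event to the worker and return the outcomes in order."""
    outcomes = []
    while queue:
        outcomes.append(worker.handle(queue.popleft()))
    return outcomes


def demo() -> dict:
    """Two users, one redelivered event and one forged event (constructed input)."""
    store, queue = IdentityStore(), deque()
    udm = UdmRest(store, queue, "dc=example,dc=org")
    udm.create_user("alice")
    udm.create_user("bob")
    queue.append(queue[0])     # at-least-once delivery: the first event arrives twice
    queue.append(Event("forged", "delete", "uid=alice,cn=users,dc=example,dc=org",
                       {"uid": "alice"}, "00" * 32))  # injected without the signing key
    worker = ProvisioningWorker("app")
    return {"outcomes": drain(queue, worker), "accounts": worker.accounts,
            "uids": [e["uidNumber"] for e in store.entries.values()]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The worker never touches the identity store: it gets everything it needs from the event, so a compromised worker cannot write to LDAP, and uidNumber allocation stays in one place instead of racing between several writers. Deduplicating on the event id is what makes the at-least-once queue safe to retry; the MAC check is what stops anyone with queue access but without the writer's key from provisioning or deleting accounts.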
Rethinking LDAP replication
● Let OpenLDAP handle replication of LDAP data natively
  ● syncrepl: LDAP Content Synchronization (RFC 4533)
  ● Allows high availability with multiprovider replication
● Listener/Notifier can be phased out
  ● Translog
  ● Listener cache
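Moving replication to native syncrepl means the provider-to-provider links become part of the trust boundary of the identity store: the replication bind carries credentials and the full directory content. The following is an added example, not Univention or OpenLDAP code, that parses the `olcSyncrepl` value syntax from a cn=config LDIF fragment and flags the settings a reviewer checks before trusting a multiprovider setup: TLS on the link, strict certificate verification, a dedicated replication identity rather than the rootdn, and refreshAndPersist mode. The sample LDIF is constructed; its host names, DNs and rids are made up, and the check only looks at explicit options, not at defaults inherited from the global TLS settings.

```python
"""Review olcSyncrepl directives of a multiprovider OpenLDAP configuration.

Added example, not Univention or OpenLDAP code. Parses the key=value
syntax of olcSyncrepl (values may be double-quoted) from an LDIF fragment
and reports hardening findings per replication id (rid).
"""
import shlex

# Constructed sample (hosts, DNs, rootdn and credentials are made up): two
# providers replicating each other. rid=001 is configured the way one would
# want it; rid=002 carries the usual mistakes.
SAMPLE_LDIF = """\
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldaps://ldap1.example.org
olcServerID: 2 ldaps://ldap2.example.org

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=org
-
replace: olcSyncrepl
olcSyncrepl: rid=001 provider=ldaps://ldap1.example.org
  searchbase="dc=example,dc=org" bindmethod=simple
  binddn="cn=replicator,cn=users,dc=example,dc=org" credentials=secret
  type=refreshAndPersist retry="5 10 60 +" tls_reqcert=demand
olcSyncrepl: rid=002 provider=ldap://ldap2.example.org
  searchbase="dc=example,dc=org" bindmethod=simple
  binddn="cn=admin,dc=example,dc=org" credentials=secret
  type=refreshOnly interval=00:00:05:00 retry="5 10 60 +" tls_reqcert=never
-
replace: olcMultiProvider
olcMultiProvider: TRUE
"""


def unfold_ldif(ldif: str) -> list:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def attr_values(lines: list, attr: str) -> list:
    """All values of one attribute, case-insensitive on the attribute name."""
    prefix = attr.lower() + ":"
    return [ln.split(":", 1)[1].strip() for ln in lines if ln.lower().startswith(prefix)]


def parse_syncrepl(value: str) -> dict:
    """Turn 'rid=001 provider=... searchbase="dc=..." ...' into an option dict."""
    opts = {}
    for token in shlex.split(value):          # shlex removes the double quotes
        key, _, val = token.partition("=")
        opts[key.lower()] = val
    return opts


def review_syncrepl(opts: dict, rootdn: str) -> list:
    """Hardening findings for one consumer definition (explicit options only)."""
    findings = []
    provider = opts.get("provider", "")
    if not (provider.startswith("ldaps://") or opts.get("starttls") == "critical"):
        findings.append("no TLS on the replication link: use ldaps:// or starttls=critical")
    if opts.get("tls_reqcert") != "demand":
        findings.append("tls_reqcert is not demand: the provider certificate is not strictly verified")
    if opts.get("bindmethod", "simple") == "simple" and not opts.get("credentials"):
        findings.append("simple bind without credentials")
    if opts.get("binddn", "").lower() == rootdn.lower():
        findings.append("binddn is the rootdn: use a dedicated replication identity with read-only ACLs")
    if opts.get("type") != "refreshAndPersist":
        findings.append("type is not refreshAndPersist: replication lags by the polling interval")
    return findings


def review_ldif(ldif: str) -> dict:
    """Findings per rid plus whether the fragment declares a multiprovider setup."""
    lines = unfold_ldif(ldif)
    rootdn = (attr_values(lines, "olcRootDN") or [""])[0]
    per_rid = {}
    for value in attr_values(lines, "olcSyncrepl"):
        opts = parse_syncrepl(value)
        per_rid[opts.get("rid", "?")] = review_syncrepl(opts, rootdn)
    server_ids = attr_values(lines, "olcServerID")
    flags = attr_values(lines, "olcMultiProvider") + attr_values(lines, "olcMirrorMode")
    return {"rids": per_rid,
            "multiprovider": len(server_ids) >= 2 and any(v.upper() == "TRUE" for v in flags)}


if __name__ == "__main__":
    for rid, findings in review_ldif(SAMPLE_LDIF)["rids"].items():
        print(rid, findings or "ok")
```

Run against the sample, rid 001 comes back clean and rid 002 collects four findings. The rootdn check matters more than it looks: a replication identity that is the rootdn bypasses every ACL on every provider, so a leaked `credentials=` value from one cn=config turns into full write access to the whole directory. For multiprovider operation each server also needs its own `olcServerID` and the `olcMultiProvider` flag (`olcMirrorMode` on releases before OpenLDAP 2.5), which the reviewer reports separately.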

Modularization and Containerization of UCS

12. SSO: Integration of Keycloak in UCS
● OpenID Connect & SAML in one solution
● Federation options to external IdPs
● LDAP "user federation", Keycloak only holding "shadow" accounts
● Basic 2FA options
● Containerized operation with HTTP configuration API
● Keycloak 18 (Keycloak-X architecture) with UCS themed login screen
● First class IAM component, enhancing OpenLDAP

13. SSO: Keycloak User Federation + Ad-Hoc provisioning
(diagram: First Broker Login Flow; Keycloak SSO Entrypoint; MS ADFS; First User Access)

14. SSO: Keycloak App in Appcenter
● Keycloak container will be offered as optional app
● Alternative to simpleSAMLphp and Kopano Konnect
● Later: HA integration suitable as full replacement for UCS SSO
● We need that component for the data center
● And also directly build it into the UCS appliance
● Goal: Keycloak as standard IdP for UCS appliance and data center

15. Challenges
● Service orchestration, configuration and discovery in Kubernetes
● LDAP schema & ACL extensions
● Live update via cn=config
● Persistence of reference configuration for re-provisioning
● Cattle vs Pet
● Robust & efficient scaling of LDAP: testing, testing, testing...
● High availability for Primary: Multiprovider replication
● UDM-REST as sole authorized writer, UID allocator
16. Thanks for your attention! Arvid Requate, Univention GmbH, requate@univention.de

17. Appendix (if time permits)
18. Rethinking service provisioning
● UDM-REST-API as primary entry point
  1) Writes to Identity Store via LDAP
  2) Feeds events into queueing system
● Containerized workers
  1) Consume events from queue
  2) Provision Apps and external Services
● In contrast: Listener modules used to be fed by LDAP
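The provisioning flow on this slide, together with the "UDM-REST as sole authorized writer, UID allocator" point from slide 15, as an added illustration in Python. This is not Univention's code: the class names, the in-memory identity store and the `queue.Queue` are stand-ins constructed for this example in place of the real LDAP server and message broker. It shows the two properties a practitioner cares about in this design: uidNumber allocation happens only in the single writer (under a lock, so concurrent requests never collide), and the worker is idempotent, so the at-least-once delivery that queues typically give cannot provision an account twice.

```python
"""Event-driven provisioning with one authorized writer (constructed example)."""
import json
import queue
import threading
import uuid


class IdentityStore:
    """Stand-in for the LDAP identity store (constructed; not Univention code).

    Only the REST layer holds a reference to it, which is what makes the REST
    API the sole authorized writer and the only uidNumber allocator.
    """

    def __init__(self, uid_start=2000):
        self._entries = {}
        self._next_uid = uid_start
        self._lock = threading.Lock()

    def add_user(self, username):
        # Allocation and insert happen under one lock, so two concurrent
        # requests can never be handed the same uidNumber.
        with self._lock:
            if username in self._entries:
                raise ValueError(f"user already exists: {username}")
            entry = {
                "entryUUID": str(uuid.uuid4()),
                "uid": username,
                "uidNumber": self._next_uid,
            }
            self._next_uid += 1
            self._entries[username] = entry
            return dict(entry)


class UdmRestApi:
    """Models the UDM-REST entry point: write the store, then emit an event."""

    def __init__(self, store, events):
        self._store = store
        self._events = events
        self.published = []  # kept only so the demo can replay a message

    def create_user(self, username):
        entry = self._store.add_user(username)  # 1) write identity store
        message = json.dumps({
            "event_id": str(uuid.uuid4()),
            "op": "add",
            "module": "users/user",
            "object": entry,
        })
        self._events.put(message)  # 2) feed event into the queue
        self.published.append(message)
        return entry


class ProvisioningWorker:
    """Models a containerized worker that provisions an app from queue events.

    Brokers usually deliver at least once, so the worker remembers the event
    ids it has applied and treats a redelivered message as a no-op.
    """

    def __init__(self, events, app_name):
        self._events = events
        self.app_name = app_name
        self.accounts = {}  # entryUUID -> account provisioned in the app
        self._applied = set()
        self.provision_calls = 0

    def handle(self, message):
        event = json.loads(message)
        if event["event_id"] in self._applied:
            return False  # duplicate delivery: acknowledge, no side effects
        obj = event["object"]
        if event["op"] == "add":
            self.accounts[obj["entryUUID"]] = {"login": obj["uid"], "uidNumber": obj["uidNumber"]}
            self.provision_calls += 1
        self._applied.add(event["event_id"])
        return True

    def drain(self):
        """Consume everything queued now; return the number of new events applied."""
        applied = 0
        while True:
            try:
                message = self._events.get_nowait()
            except queue.Empty:
                return applied
            if self.handle(message):
                applied += 1
            self._events.task_done()


def run_demo():
    events = queue.Queue()
    api = UdmRestApi(IdentityStore(), events)
    worker = ProvisioningWorker(events, "mail-app")
    api.create_user("alice")
    api.create_user("bob")
    events.put(api.published[0])  # simulate the broker redelivering alice's event
    return api, worker, worker.drain()


if __name__ == "__main__":
    api, worker, applied = run_demo()
    print(f"applied {applied} new events; {worker.provision_calls} accounts provisioned")
```

Running it applies two events and provisions two accounts even though three messages were delivered; the replayed message is acknowledged and dropped. A second `create_user("alice")` is refused by the store, which is the behaviour a single writer gives you that LDAP listener modules fed from replicated data could not.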
19. Rethinking LDAP replication
● Let OpenLDAP handle replication of LDAP data natively
● syncrepl: LDAP Content Synchronization (RFC 4533)
● Allows: High Availability with Multiprovider replication
● Listener/Notifier can be phased out
  ● Translog
  ● Listener cache
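What "Multiprovider replication with syncrepl" looks like in cn=config, as an added example that is not Univention's configuration: a two-node OpenLDAP 2.5+ setup in which each node both serves changes (syncprov overlay) and consumes them from its peer (RFC 4533 refreshAndPersist). Host names, the base DN, the replication account and the secret are placeholders constructed for this example.

```ldif
# 1) Every provider needs a distinct server ID; listing both lets the same
#    configuration be loaded on both nodes (slapd picks the ID matching its URL).
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap1.example.test
olcServerID: 2 ldap://ldap2.example.test

# 2) syncprov overlay on the database, so this node can act as a provider.
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

# 3) Consumer stanzas: each node pulls from the other (identical on both nodes).
#    starttls=critical and tls_reqcert=demand keep password hashes and other
#    directory content off the wire in clear text and pin the peer's identity.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://ldap1.example.test
  searchbase="dc=example,dc=test"
  bindmethod=simple binddn="cn=replicator,dc=example,dc=test"
  credentials=REPLACE_WITH_SECRET
  type=refreshAndPersist retry="5 5 300 +" timeout=1
  starttls=critical tls_reqcert=demand
olcSyncrepl: rid=002 provider=ldap://ldap2.example.test
  searchbase="dc=example,dc=test"
  bindmethod=simple binddn="cn=replicator,dc=example,dc=test"
  credentials=REPLACE_WITH_SECRET
  type=refreshAndPersist retry="5 5 300 +" timeout=1
  starttls=critical tls_reqcert=demand
-
add: olcMultiProvider
olcMultiProvider: TRUE
```

Two points worth checking when adapting this: the replication account needs read access to the whole subtree including operational attributes (entryCSN, contextCSN), and the credentials live in cn=config, so access to that database must be as tightly restricted as access to the data it replicates. Note also that multi-provider replication only reconciles conflicting writes by timestamp; it does not coordinate uidNumber allocation, which is why the slides keep UDM-REST as the sole authorized writer and allocator on top of it.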