CalNetAD Planning Committee
June 11, 2002
Room 60, Barrows Hall, 10-12 PM
Updated: 06/13/2002
Agenda
Notes
Mike Blasingame reported that since the last Planning Committee meeting, the CalNetAD team has met with
An OU has been created for the College of Chemistry for some of their research groups, and the Haas School of Business has joined their domain to the forest. Haas reported that SMB and SAMBA are working fine. They have enabled client DHCP services on their domain controllers to enable replication. They are currently troubleshooting some software problems. Approximately 140 applications for the new Active Directory position have been received and we hope to have the position filled by the end of June.
John Ives reported on the notes from the last meeting of the Security Subcommittee. There was a discussion about allowing off-campus connections to CalNetAD; use of NTLMv2; IPSec; IDS testing; and Certificate Services. John will be teaching an IIS security class on Tuesday June 18 and June 25.
Eric Chamberlain reported on infrastructure improvements. e-Berkeley has agreed in principle to fund smart card research and a CalNetAD certificate server. A third DC for the CAMPUS domain has been installed at Boalt thanks to the generosity of Boalt and the help of Ryan Means. IPSec network cards have been installed in all of the Domain Controllers. The Okena IDS software will be installed soon. This software wraps around the OS kernel, watches inbound and outbound connections, and looks for unusual behavior.
CalNet Directory integration status
Karl Grose reported on the CalNet Directory integration effort. The project team has tested adding the inetorgperson schema changes. This adds the uid attribute. The CalNet ID is used for most of the limited number of attributes that will initially be integrated between the two directories. Because of FERPA requirements, further limitations will be imposed on use of the uid attribute for students. Access to the uid attribute for students will be restricted, and in addition, the attribute may be encrypted to further restrict linkage between student data elements. Default OUs will be used for user accounts that have not already been created in CalNetAD. Tools will be provided for administrators to move faculty, staff, and affiliates from the default OU to their OU. The integration will not override modifications to attributes such as cn. The project team is using a tool named MetaMerge to integrate the two directories. MetaMerge is a free, Java-based tool. Karl has crafted an ADSI-aware connector to add the user data to Active Directory. When the project team is ready to put the integration process into production, it will announce and apply the inetorgperson schema changes. When the schema change is complete, the team will announce the schedule (after hours) for loading user accounts into CalNetAD.
John suggested the following changes to the Service Level Agreement:
He is suggesting a higher standard be used. During the discussion it seemed that an initial response could be coordination with CalNetAD administrators and SNS. It was also suggested that a 'Best Practices' procedure, e.g., running fdisk on the compromised machine and rebuilding it, could be developed. John agreed to take the issue to the Security Subcommittee and develop some wording to bring back to the Planning Committee.