My name is William Brown. I'm a senior software engineer for SUSE Labs, and I'm based in Queensland, Australia. I'm a member of the 389 Directory Server team, which you are probably more aware of as the LDAP server which sits underneath FreeIPA. Just because of my time zone and other things, if you have questions I'd love to hear them, but I am in UTC+10, which means that I'm often not online. So please send me an email if you have any questions at any time, whether it's about LDAP or the content of this talk, to my email at wbrown at suse dot de.

My talk today is about my life and how I got really involved in authentication, and what I've been doing the last few years. When I first became interested in authentication and identity management I was actually a system administrator at the University of Adelaide, as pictured here, my home city, and I was in charge of managing their Red Hat Directory Server instances. Since then a number of things have happened. After working there for a number of years, I think I worked at the uni for about seven years, I applied to work at Red Hat in 2015 and I was successful in that, and I became a software engineer at Red Hat working on Red Hat Directory Server, or 389 DS. Since that time, in 2018, I left Red Hat, did a few other things, and then I was asked by SUSE to join them and continue my work on 389 Directory Server.

The thing about LDAP is that it's really the lingua franca of identity and authentication. It's used all around the world, from, as mentioned, universities as pictured here, to telecommunications for authenticating phone handsets and cell towers, to even finance, where there are finance providers who authenticate accounts and transactions through LDAP. It's really one of those very foundational things that you just know is everywhere, and it's even a foundational part of FreeIPA. But since I have been part of the Red Hat 389 team, and now as part of the SUSE team, there's a lot of things that we have certainly improved in 389 DS, but a lot of it feels a lot like polish. We have a lot of really good new CLI tools, thanks to many people in the team who got that done. We have the nice shiny new Cockpit administration tools. But at its core it still really is just users, groups and passwords.

So we kind of want to look at what's been going on in the authentication space for a period of time. Within open-source identity management there's really four major identity players. I'm sure there are others that exist, but if you go to a large organization and they have an open-source identity system, it is very likely to be one of these four: OpenLDAP, 389 DS or Red Hat Directory Server, FreeIPA, or Samba 4. There's not been a lot of change in these things over the last few years; a lot of polish, a lot of improvements, but realistically the latest standard, the most important innovation that has really come through, has been TOTP in 2011. That has since been added to FreeIPA a couple of years later, and OpenLDAP I think picked up support for that last year, maybe the year before.

But when we look at other areas of identity management, and we look at proprietary and non-open-source technologies, we're looking at a lot of really big differences. We have things like OAuth and OpenID for web single sign-on in 2005. We have the rise of identity-as-a-service infrastructures like G Suite, Okta or Auth0, and especially in 2014, with Azure Active Directory's synchronization connector, that was a really large step forward in helping major businesses move their identity infrastructure from on-premise into identity as a service. And then we even see further advancements beyond just the technical advancements of all of these identity services. We also see new advances in terms of cryptographic authentication, with things like Windows Hello, WebAuthn and Apple's Touch ID. A lot of these things are really actually clean slate, especially things like Azure AD, which cast off a lot of its Active Directory and LDAP and Kerberos legacy. And they're all gaining a lot of popularity due to their ease of use, integration, and how they're advancing things.

So we have to ask: why aren't our open-source technologies keeping up? Well, a lot of them are LDAP and Kerberos focused, and the thing is that the IETF working group for LDAP has been defunct for a large number of years, and two attempts to revive that within at least the last five or six years that I'm aware of have both failed. It can also sometimes be a very unwelcoming place, from mailing list comments such as, quote, "you will be shited, mocked and denigrated", end quote, to even things like people in the communities being brought to tears by other maintainers, just due to hostility and difficulties in working with them. It's really not a place which has been attractive for people to want to work in, within these projects. And of course LDAP and Kerberos are really hard to use conceptually. A lot of developers already find it very hard to use LDAP, and sometimes they will begrudgingly add it onto their website because that's what corporate requirements want them to do. But no one really these days willingly wants to implement Kerberos. You'll never, for example, see a web service or an implementation that has native GSSAPI support. And of course this makes devs reluctant to add these integrations, and it makes it much harder for a business to justify continuing to deploy them. This has led to a little bit of stagnation, whereas on the flip side, our HTTP-focused and more proprietary areas have really advanced and gone a long way into attracting people into these identity spaces, where we are currently losing ground within the more traditional areas.

So for me this was a really difficult situation, because I really genuinely care about authentication. You can't become an LDAP admin at a university and then apply for a job at Red Hat without being somewhat passionate about this, especially given that I'm in Australia and we are not really well known for having many engineers within Red Hat. But anyway, this was just a really hard situation for me, because I really wanted to be improving this state, and I just felt like it was continually slipping past us. I wanted to get to a point where I could stop saying no when people ask me questions about features and what we could support. I really wanted to be able to start saying yes. Why can't we have an open-source identity management system that could be as good as Azure AD, but you can run it yourself like FreeIPA or Samba 4? Something that supports these web-first APIs, but also our existing infrastructure integrations that have been left behind by identity-as-a-service platforms. And can we break away from this LDAP- and Kerberos-centred mindset, which is confining our thinking?

So in September of 2018 I decided to start a new project. I started to develop the Kanidm project, which is an identity management platform developed completely in Rust, and it is mine and other people's vision of what we hope is the open-source identity management of the future. Of course we've tried to learn a lot of lessons from the past successes and failures of both the open and proprietary technologies that I've already mentioned. There's still a lot of development that needs to occur. It is still very much an alpha project. It is barely two, yeah, barely two and a half years old, so there's still a long way to go to compete with a lot of the more major and mature projects.

But there's a lot of things that you would already expect from a traditional identity management system that we have today. We have Unix system integration through things like PAM and NSS, which was heavily inspired by SSSD, but it has a slightly different model to help improve some performance and reliability issues that SSSD often encounters. It has full working RADIUS support, so things like VPN or Wi-Fi all still work natively, and you don't need to do anything else exceptional out of the box. It also has an LDAP read-only gateway, which allows viewing a subset of attributes and a subset of authentication standards, in order to allow legacy applications to help transition through to some of the newer protocols. But it also has many features that are only found in some of these newer identity-as-a-service providers. We are HTTP-first, with a REST-based API rather than any other protocol. We have support for a lot of security features, including things like password badlisting and zxcvbn as a password quality checker. We have a working recycle bin so that we can recover when people make mistakes. And realistically it also just has a lot of things to make admins' lives easier: very simple configuration, and a lot of very subtle design details in the protocols and how it's configured, to really try to make it a lot easier for an administrator to use. And there's a lot more still to come.

One of the things that we've done, for example, is that the entire system is based on concurrent data structures, and we even invented an entirely new transactional caching system just to be able to use it, so that we don't have to rely on other elements. And because of this fully transactional design, which was inspired heavily by ZFS, the file system, in fact, we're already close to the performance of 389 Directory Server without spending a lot of time optimizing. On a four-core machine with a gig of RAM on SSD, we were able to perform 40,000 searches per second and 4,000 authentications per second already. That's the kind of number of operations that you would need to support, say, a large university's authentication requirements. And this is without a lot of effort to actually do this; it's just because of the kind of designs we have, where we do not have any blocking or concurrency issues due to the use of our concurrent data structures. We also have things that are found in other directory systems. For example, we have a query optimizer, and we plan to add statistical analysis tooling to help hint and develop this optimizer further. In fact I've been speaking with a statistician from the University of Queensland recently about how to do this in the most effective way, and it's even now up as a Google Summer of Code project that is being offered through SUSE.

We're planning to go a lot further with things like SSH management. Today we already have SSH key management, as you would expect to find in something like FreeIPA, where you can upload your SSH public key and the Unix resolver will retrieve that key and distribute it onto all of the hosts, so that you can then log into your machines. But after being inspired by Jeremy Stott's linux.conf.au 2020 talk called "Zero Trust SSH", and I highly advise you to watch that talk, it is absolutely unbelievable and very entertaining and very good content, really, watch it. After watching that talk about SSH CAs, this is something that we want to add: ephemeral, host-limited, command-limited, privilege-based keys being able to be issued by the Kanidm infrastructure. This is the kind of feature that you really only see in cloud identity and access management tooling these days.

But also, devices have always been part of authentication, and this is one of the philosophies that we've brought into this project. Your devices are not something you separate from you. Consider how personal a device like your phone is, and your own laptop is probably something that only you ever use. That laptop is an extension of you. That device is part of your authentication. A lot of existing identity management is really based around this idea that the device is not; it's only a username and password to prove the identity. Whereas we decided that devices were part of this from day one, and because of that we've put in a lot of effort in how we designed things to make sure that this was going to be viable. In fact, we even created the WebAuthn Rust library, because there was no such library before that point in time, so I had to write the whole thing myself. It already supports Touch ID, Windows Hello, YubiKeys and more, and the support for that has actually just been wrapped up this morning, thanks to the help from a contributor in the Netherlands who has been doing some amazing work in code review. So that will be out in the next release.

But we also do things like our RADIUS support. RADIUS only really supports MS-CHAPv2 now. The reason for this is to do with, say, phones and clients, where they will only try to offer MS-CHAPv2, so it really necessitates that we have to offer it in RADIUS. What this means is that to negotiate that with RADIUS, we need either NTLM passwords or plain text, and NTLM hashes are effectively MD4, so they're basically plain text anyway. And of course in a lot of traditional IDM, because it's a one-to-one user-to-password ratio, the password that is often used is also the password that is used on the RADIUS infrastructure, and this weakens things in two ways. The first is that it means that the password must now be stored in either NTLM or in plain text, which means that effectively the password can always be cracked and brute-forced if the database was dumped, or an access control goes wrong and you can get access to those hashes. But another really common issue is actually usability. It's very common in an enterprise, and I saw this a lot at the University of Adelaide, that when a person would change their password, they would forget to update it on all of their devices. So they would have forgotten their laptop back in their office, and then it would keep trying to join the Wi-Fi with their old password and cause their account to be locked out. So they would have to run around trying to find all of their devices and work out which one was the culprit causing their account to be locked out, and where they needed to update that.

Whereas, because we said that devices are part of your authentication, we made RADIUS passwords separate from your user account. They're in fact generated server side, and they're stored plain text, which means that you can retrieve them arbitrarily for enrolling new devices. Because this is not related to your main account password, and that password has only the ability to authenticate to RADIUS, if that RADIUS password is compromised the damage radius is very small. But it also means that in that case, when you do need to change your main account password, you're not at risk of then having your account locked out. So by improving this so that devices can just store that RADIUS password, and that gives network-level authentication compared to your main account, which is a separate level of authentication, we've helped to improve the user experience.

There's also a lot of really interesting design details in how we've approached things like Unix integration. On a traditional Unix system, when we have home directories, you might see either an NFS or a CIFS server exporting home directories from, say, /vol/homes/name, and then it is auto-mounted onto the client at their home directory at /home/name. So in this example I'm mounting my home directory at /home/wbrown. But a really common example of something that goes wrong in many businesses is people want to change their names. Unless you also have a task in your identity stack that is going to go and update the NFS server to make sure that the directories have the correct names, the next time I go to log in after changing my name, I'm unlikely to be able to log in, because my home directory will be missing. In fact this is really common in businesses: people get told, "Oh, if you ever change your name, it's a hugely long, arduous process. You shouldn't change it unless you really have to." Or people who do change their names end up in a situation where their account is broken for the rest of the time that they're at that company. I don't think that's okay. People should be able to change their names, and people do change their names for a lot of reasons.

So how can we make this work? In Kanidm we actually enforce that your home directory is based on the UUID of your account, and what our Unix modules do is actually generate this directory and create the relevant symlinks to give it a friendly name. What this means is that the automount tool will automount based on your UUID, and then you will have a symlink for that, so that you can have a much nicer way of navigating to your home. If you ever change your username, the next time you log in all we have to do is update that symlink and we're good to go. This is the kind of thing where we're encouraging people to want to use those UUIDs as the primary keys, and we want to make it so that people can change their names and identities at any point in time within our platform.

Part of the reason we go to this effort is that, as a project, something which we have done from the very start is that we actually added a statement on ethics and rights. To read from this, because it may be too small for you on your screens, it says: "Kanidm is a project that will store, process and present people's personal data. This means we have a responsibility to respect the data of all people who could be using our system, many who interact indirectly or do not have a choice in this platform." What I mean by "do not have a choice in this platform" is, for example, when you go and join a workplace, you don't get to tell that workplace what IDM they're running. You have to deal with whatever it is they're running, and if that happens to be Joe's IDM, and it doesn't let you change your name, and I ask you to have three middle names, well, that's that, but you would not be getting respected at that point. That's what we mean: there's a lot of people who do not have that voice within a business, within an organization, to raise these issues about their identity management system, and who will end up having a poor experience within the workplace if they ever do, for example, change their name. I don't think that's okay. By having this statement on ethics and rights, it means that as a project we have a responsibility that if we make a mistake, we must fix it. We must make difficult engineering decisions to resolve that mistake, because someone is now being treated poorly. As a result, as a project, we've ended up with, from day one, a lot of infrastructure and tooling internal to the project for data migrations, manipulations and on-upgrade changes, because the question is not if I make a mistake, the question is when. I know that that day will come where I've made a mistake, and we are going to have to do this. But that is our responsibility: to make difficult engineering decisions and to make things that can support the complexity and richness of human culture and social needs.

So I hope that this has been a really interesting glimpse into my life in authentication and the projects that I've worked on, and a quick version of the journey of how I got here. If you take one thing from this, at the very least, it's that IDM is really exciting. It underpins so much of what we do in a day. Every day you log into your laptop. You'll log into websites, to buy books online. You'll log into corporate infrastructure. Every single one of us has our identities stored in an identity management platform somewhere. It affects all of us every day, and so as a result IDM should be able to represent all of us, and it should be accessible to all of us. That's something that I'm very passionate about and really want to improve, and that's why I started this project. It's really grown. It's now become six sub-projects with seven major contributors from all around the world, with more than 350 commits since 20 September 2019, when it was first open sourced. And there's been so many other non-code contributions which have been just as valuable to the progress we've made. The sub-projects, for example, are things like the WebAuthn library for Rust, a WebAuthn soft token, a concurrent data structures library, the LDAP bindings for Rust, and, I forgot what the last one is, oh, a compressed indexing data structure library.

That's the thing that's really cool about identity management: it spans so many areas. It spans all the way from human psychology and user interfaces and user experience design, to computer security and system hardening and cryptographic elements, to statistics and mathematics, to low-level system concurrency and high-performance computing. I think that it's such an exciting area to work in, because it has so many areas for learning across a broad range, but also the impact is so high. It really does affect all of us. So I hope that you have found this interesting, and I hope that at the very least you find IDM a little bit more exciting as well. So thank you very much.
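The UUID-keyed home directory scheme described in the talk, written up as an added example that is not Kanidm's own code. It assumes a plain local home root (the `home_root` parameter, constructed here as a temporary directory in place of the automounted NFS or CIFS export) and uses a relative symlink from the friendly username to the UUID directory, so that a rename only re-points the symlink and never moves the data. The `ensure_home`, `rename_user` and `demo` names are this example's own.

```python
import os
import tempfile
import uuid
from pathlib import Path


def ensure_home(home_root: Path, account_uuid: uuid.UUID, username: str) -> Path:
    """Make sure the account's real home (keyed by UUID) exists and that a
    symlink carrying the current username points at it. Returns the real
    home path. Idempotent: safe to call on every login."""
    real_home = home_root / str(account_uuid)
    real_home.mkdir(mode=0o700, exist_ok=True)

    link = home_root / username
    if link.is_symlink():
        # Already the right target (relative link to the UUID directory)?
        if os.readlink(link) == real_home.name:
            return real_home
        # Stale link from an earlier name or UUID: replace it.
        link.unlink()
    elif link.exists():
        # Never silently clobber a real directory that happens to carry this
        # name; that would hand one user's files to another.
        raise FileExistsError(f"{link} exists and is not a symlink")

    # Relative target keeps the link valid if the home root is mounted
    # somewhere else (for example under a different automount prefix).
    link.symlink_to(real_home.name, target_is_directory=True)
    return real_home


def rename_user(home_root: Path, account_uuid: uuid.UUID,
                old_username: str, new_username: str) -> Path:
    """Handle a username change: drop the old friendly link and create the
    new one. The UUID directory, and everything in it, is untouched."""
    old_link = home_root / old_username
    if old_link.is_symlink():
        old_link.unlink()
    return ensure_home(home_root, account_uuid, new_username)


def demo() -> dict:
    """Walk through a login, a rename and a second login, returning checks
    that the data survived and the links are correct (constructed sample)."""
    root = Path(tempfile.mkdtemp(prefix="homes-"))  # stands in for /home
    acct = uuid.uuid4()                              # constructed account UUID

    home = ensure_home(root, acct, "wbrown")
    (home / ".profile").write_text("# constructed sample file\n")

    new_home = rename_user(root, acct, "wbrown", "wjbrown")
    again = ensure_home(root, acct, "wjbrown")       # next login: no-op

    return {
        "same_home": home == new_home == again,
        "old_link_gone": not (root / "wbrown").is_symlink()
                         and not (root / "wbrown").exists(),
        "new_link_resolves": (root / "wjbrown").resolve() == home.resolve(),
        "data_survives": (root / "wjbrown" / ".profile").read_text()
                         .startswith("# constructed"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The refusal to replace a non-symlink path is the defensive detail worth keeping: a rename that overwrote an existing directory of the same name would be a data-exposure bug, so the module should fail loudly and let an administrator look rather than guess.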