ADTF 2016 07 06
sandoval, borst, rwallis, dattilo, buss, jtanner, gwilliam, kimn, erinmcd, mark, estradar, rjbubon, chartier, jdister, jlampe, hoekstra
Password Policy Complexity/Reset Portal Update
Status of joining workstation to AD
Ramsey: Complexity rules just about ironed out, and on update portal, figuring out enrollment requirements for users. Should be ready soon for testing prior to production rollout. Confirmation will be via e-mail (not necessarily to UCAR e-mail). Discussion of possibility for using SMS as second factor. Do we even have an SMS provider? Most phone providers provide an e-mail address that translates to SMS. ACOM has kiosks specifically for these purposes. AD admins in labs/programs will have more power to help users. Will Help Desk still be able to reset passwords? Yes.
Ramsey: Want to populate EM, V1, etc., groups in production domain for access to software. Non-staff may not have details in entries; only paid staff are being synced from PeopleDB automatically. Will groups in other OUs be changed? No. Nick: Would like to see fields in PeopleDB for POSIX uid, gid, shell, home directory… then could trigger on active/inactive. Discussion. Connection to third agenda item of workstations in AD. Mark not willing to commit SWEG to that but we can certainly talk about it.
Erin on IAM update. Are beginning to test federation with InCommon, Google Apps, etc. For InCommon, there are metadata requirements pushing us to Windows 2016 and ADFS 4.0. Ramsey and Erin are now UCAR’s federation contacts for InCommon. But Microsoft not yet supporting 2016… soon. Working with contractor Kamran Azadi. Met with F&A, ACOM, SWEG to gather requirements. Created documents for products we currently know about. Have firstname.lastname@example.org alias where you can reach IAM team. Let them know about additional products/requirements for which SSO would be desired. Meeting with groups to have them sign off on plans.
Erin asks about experience with “AD PassMon” for Mac. Could be helpful (or necessary) for AD to work with Mac. Derived from “kerbminder”. Allows Kerberos ticket to be refreshed from Active Directory. It’s free. Testing in CISL via Casper.
Still on, in theory, for late summer timeframe for flipping switch to AD vs Kerberos. Determining what to test first. Erin and Ramsey in communication with F&A team. Maybe Everbridge as low-impact test.
Status of joining all workstations to AD. Goal is still August timeframe -- make sure that all users have AD passwords. Anyone having issues? In process? Jody: Just at beginning of starting to test. Santiago was looking at Tim’s notes. Is that what everyone’s doing? Garth: Good thing is there are only a few ways of doing it! ACOM has found it easier to use PAM than full domain binding. MMM has sent out some useful information as well. Could try to pull information all into one place on wiki. Peter curious who’s still using NIS and/or Samba. Nick okay with his script being shared. RAL phasing out NIS by fall, about 25% there. Bob and Rudy will talk with Mike Schmidt to make sure Unidata’s in the loop. Erin will also make sure Aaron Andersen is communicating with Unidata.
Heather brings up the issue of an employee going on unpaid leave that changed their status in PeopleDB/LDAP -- need to be aware of that for Active Directory. Some discussion.
Wrapped at 11:14.