MALT Active Directory (AD) migration task force

Maite Barroso Lopez (CERN)

  • Status update of MALT authentication and authorization, in pdf or CodiMD

  • (Borja) DB, Hadoop as well as DB
  • (Luca) CF, data centre & ServiceNow, hardware lifecycle
  • (Diogo) Storage, most visible are CERNBox, EOS, AFS, Samba -> how is this different from the FreeIPA coordination meeting?
  • (Remi) Beams, 3000 devices for controls that use LDAP and AD, Linux systems plus tools (e.g. technical consoles)
  • (Andreas) CS communication systems, mostly internal monitoring tools but also telephony, which is user facing
  • (Ben) Compute and monitoring, Batch, many machines to migrate to FreeIPA plus configuration. Many queries run against LDAP. Apps such as Foreman
  • (Panos) Scientific computing, CRIC (topology for WLCG), using LDAP and Kerberos. Also CMS
  • (Sebastian & Siavas) replacing Pablo for CDA, Windows management. Also migration from AD to FreeIPA
  • (Sotirios) IR department, web design guidelines, using LDAP for the MyCERN app (retrieve bio)
  • (P Fokianos) Scientific information service department, Kerberos usage and web auth
  • (Joel) EP department, TBC which applications might be affected
  • & Maite, Paolo, Mary, Julien and Hannah
  • (Roberto & Mario) FAP-BC, mostly interested in SSO but possibly other services

  • Some confusion between LDAP and SSO
  • What are we trying to restrict in terms of privacy? E.g. when a group is added to a Puppet-managed VM, the group members are expanded and visible to any user on the box. Access can be authenticated but the data is not necessarily private. We need to understand whether there is any benefit in blocking anonymous LDAP when IT users can get the same data in other ways. ACLs can be applied to API endpoints.
    • Consider confidentiality vs traceability
  • We need to define the privacy problem better
  • How to review with the team? Set up a collaboration workspace
  • 15:00-15:10 Welcome and mandate (10m)
  • 15:10-15:30 MALT auth summary (20m)
    Speakers: Hannah Short (CERN), Paolo Tedesco (CERN)
  • 15:30-15:50 Representative services and checklist (20m)

    The way we plan to work is to ask you to propose representative services from your department that are using Active Directory (AD) in the 3 main use cases we see:
      • One that uses AD for authentication (LDAP bind)
      • One that runs queries
      • One that uses Kerberos

    We have put together a short guide with questions to be answered for each of the 3 cases:

  • 15:50-16:00 Q&A, next steps, next discussion (10m)