JHU Upstream Information

Miscellaneous information that’s relevant for hanging around in JHU’s computing environment.

Networking

This is big enough that it needs its own document; see External Network Considerations.

NTP

JHU runs NTP servers at ntp1.jhu.edu and ntp2.jhu.edu, accessible only within the campus firewall.

DNS

JHU DNS, including glue records for acm.jhu.edu, is controlled by hostmaster@jhmi.

We use JHU CS (128.220.13.50 and blaze.cs.jhu.edu) and JHU IT (10.200.2.2 and 10.200.1.1, which have a slew of names but are ns2.johnshopkins.edu. and ns1.johnshopkins.edu. respectively) as our upstream DNS resolvers.

Note that because various DNS software (notably dnsmasq) attempt to protect against so-called “rebinding attacks”, and JHU uses RFC1918 addresses internally, we find it necessary to OK certain JHU domains:

rebind-domain-ok=/ad.jhu.edu/
rebind-domain-ok=/ntp1.jhu.edu/
rebind-domain-ok=/ntp2.jhu.edu/
rebind-domain-ok=/johnshopkins.edu/

While here, we should also mention that we serve RFC1918 addresses out of acm.jhu.edu on occasion, and that we use DNSRBLs, so add to the above:

rebind-domain-ok=/acm.jhu.edu/
rebind-domain-ok=/zen.spamhaus.org/

Kerberos

As is typical of Kerberos cross-realming, a shared secret exists for krbtgt/ACM.JHU.EDU@WIN.AD.JHU.EDU in both the JHU AD and our KDCs. They do not trust us to make names for them, so there is no krbtgt/WIN.AD.JHU.EDU@ACM.JHU.EDU shared secret; don’t be surprised.

On their side, they ran ktpass -ptype KRB5_NT_PRINCIPAL -princ krbtgt/ACM.JHU.EDU@WIN.AD.JHU.EDU -crypto AES256-SHA1 -mapuser acmrealm@WIN.AD.JHU.EDU -pass XXXX -out acm.keytab to make our keytab for us. As such, changing our cross-realm password is done by kpasswd acmrealm@WIN.AD.JHU.EDU from the command line and cpw krbtgt/ACM.JHU.EDU@WIN.AD.JHU.EDU in kadmin.

See Using JHED Identities with the ACM Systems for instructions to grab kerberos tickets from the JHU AD.

LDAP

First, you’ll need to URL escape the LDAP DN for DNS SRV record discovery. Ignore that; run this:

LDAPURI=ldap:///$(perl -MURI::Escape -e 'print uri_escape("dc=win,dc=ad,dc=jhu,dc=edu");')

(full credit to http://stackoverflow.com/questions/296536/urlencode-from-a-bash-script for that). Then, assuming you have JHU kerberos tickets as per Using JHED Identities with the ACM Systems or are logged in to Egg Shell (JHED AD Integration) using your JHED ID, run to your heart’s content searches like.:

ldapsearch -Y GSSAPI -H ${LDAPURI} -b dc=win,dc=ad,dc=jhu,dc=edu cn=${JHEDID}
ldapsearch -Y GSSAPI -H ${LDAPURI} -b dc=win,dc=ad,dc=jhu,dc=edu mailequivalentaddress=${EMAIL}

Note that the JHU directory uses cn= rather than, as we do, uid= for the object’s DN. Some other useful fields of their database include:

johnshopkinseduhopkinsid The “Hopkins ID” (that funky five character thing that ISIS shows)
jhejcardbarcode J-card barcode number
jheOLaccttype Whether the person is a student or alumnus (or something else?)
johnshopkinseduhmwbadge The other, non-barcode number on J-cards
mailequivalentaddress Email addresses and aliases associated with the account See also proxyAddresses.
manager Person’s manager’s DN

Note

Failure to set the correct search base will result not in failure but in confusing LDAP referals.

Note

You will need the correct SASL GSSAPI KRB5 implementation around on your machine. On a Debian machine, that probably means you should ensure that you have libsasl2-modules-gssapi-mit installed.

JHU AD Principles Assigned for ACM Use

Principal DN See
acmjanus CN=acmjanus,OU=ACM,OU=AuthN,DC=win,DC=ad,DC=jhu,DC=edu Integration with JHED
egg CN=EGG,OU=SERVERS,OU=CS,OU=Computers,OU=WSE,DC=win,DC=ad,DC=jhu,DC=edu Egg Shell (JHED AD Integration)

SSL

To get an SSL cert signed by JHU’s business relationship with an existing SSL CA, you’ll be interacting with http://www.it.johnshopkins.edu/services/directoryservices/SSLCertificates/index.html .

  • Generate a .key and .csr; see please-do-not.../certs/build.sh. For example, run ./build.sh foobar to get a files named foobar-YYYYMM.{key,csr} .
  • Hand the CSR to JHU. We usually select Apache/mod_ssl as the server type (this list makes no sense what so ever), and set the number of servers to 1. Set the contact name to admins@acm....
  • When you get mail, place the resulting .crt file in /afs/acm.jhu.edu/group/admins.pub/certs/ and release.
  • Use the key and crt files as appropriate to your service.

The file /afs/acm.jhu.edu/readonly/group/admins.pub/certs/jhu-cert-chain.pem contains all intermediate certificates necessary for improved client verification (notably, our nagios scripts need it, but so do some browsers and so on). If ever JHU changes from whom they are issuing certs, probably create a new file beside that one and roll over to it, or however is necessary. (As usual, see The Special Case of admins.pub for information about this path.)

Note

Be sure to have Nagios watch over the validity of your SSL certificate when it gets deployed. This will give present and future admins a heads up when things are about to expire!

Table Of Contents

Previous topic

DNS

Next topic

Shutdown Procedure

This Page