
Difference between revisions of "Integrated Authentication"

From Livedoc - The Documentation Repository
(Added info on pam_afs2.)
(Attribute Mappings: New attribute for first name.)

Revision as of 14:57, 15 August 2006

Overview

As part of the effort to move to a Single Sign On (SSO) system, effectively eliminating the need for multiple computer accounts (at least in terms of passwords), all Sun servers (currently used only for the thin clients in the AP Computer Science lab) are now using an LDAP/Kerberos scheme to authenticate using Windows accounts.
POSIX attributes (uid, gid, POSIX logon username) are currently manually imported by scripts.

Components

Software that is not critical to the direct functionality of authentication is not listed here.

Sun Java System Directory Server Enterprise Edition v5.2 (2005Q4)

Sun Java System Directory Server

  • Sun's equivalent of slapd
  • Fully integrates with nsswitch for all databases (passwd, group, auto_home, hosts, etc.)

Sun Java System Identity Synchronization for Windows

  • Connects to Active Directory and synchronizes users into the Sun LDAP server, mapping the specified attributes (currently one-way only, from Active Directory to Sun LDAP)

pam_krb5

  • PAM module for authentication. Where possible, we use pam_krb5 built from Debian's source package instead of the stock Solaris 10 pam_krb5, since Solaris' pam_krb5 does not correctly implement use_first_pass behavior (the password collected once earlier in the stack is not reused).

pam_afs2

  • PAM module that sets up a PAG and runs a program to obtain AFS tokens. It can run in either the auth or the session phase; we prefer auth so that programs that never open a PAM session (scp, for example) also get tokens.
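An illustrative Solaris 10 pam.conf auth stack for the arrangement described above, added here as an example rather than taken from Livedoc or the lab's actual configuration; the absolute module paths are assumptions, and pam_afs2's own options are omitted because they are not documented on this page:

```text
# Assumed illustration of a Solaris 10 /etc/pam.conf auth stack, not the
# site's real file. Module paths under /usr/lib/security are assumptions.
#
# 1. Collect the password once, up front.
other   auth requisite   pam_authtok_get.so.1
# 2. Authenticate against the Windows Kerberos realm with the Debian-built
#    pam_krb5, reusing the password already collected (use_first_pass).
#    With the stock Solaris 10 pam_krb5 this option is not honoured and the
#    user is prompted a second time.
other   auth required    /usr/lib/security/pam_krb5.so.1 use_first_pass
# 3. Set up a PAG and obtain AFS tokens in the auth phase, so clients that
#    never open a PAM session (scp) still get tokens. This must come after
#    pam_krb5 so the Kerberos ticket exists when tokens are requested;
#    "optional" means a token failure does not block the login itself.
other   auth optional    /usr/lib/security/pam_afs2.so.1
```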

Attribute Mappings

Description         Active Directory    Sun LDAP
------------------  ------------------  ------------
Username            samAccountName      uid
Password (hashed)   unicodepwd          userpassword
First name          givenname           givenname
Surname             sn                  sn
Full Name           displayName         cn
E-mail              mail                mail