Warning: Livedoc is no longer being updated and will be deprecated shortly. Please refer to https://documentation.tjhsst.edu.

Difference between revisions of "Integrated Authentication"

From Livedoc - The Documentation Repository
m (Robot: Changing Category:Obsolete)
(Updated; never actually was too obsolete.)
Line 1: Line 1:

  ==Overview==
- As part of the effort to move to a Single Sign On (SSO) system, effectively eliminating the need for multiple computer accounts (at least in terms of passwords), all Sun servers (currently used only for the thin clients in the AP Computer Science lab) are now using an LDAP/Kerberos scheme to authenticate using Windows accounts.<br />
+ As part of the effort to move to a unified user information and password system, effectively eliminating the need for multiple computer accounts (at least in terms of passwords), all Linux and UNIX systems are now using an LDAP/Kerberos scheme to authenticate using Windows accounts.<br />
- POSIX attributes (uid, gid, POSIX logon username) are currently manually imported by scripts.
+ POSIX attributes (e.g. uid, gid, POSIX logon username) are currently manually imported by a script.

  ==Components==

  Software not critical to the direct functionality of authentication are not listed here.
- ===Sun Java System Directory Server Enterprise Edition v5.2 (2005Q4)===
+ ===Sun Java System Directory Server Enterprise Edition v6===

  Sun Java System Directory Server

  *Sun's equivalent of slapd
- *Fully integrates with nsswitch for all databases (passwd, group, auto_home, hosts, etc.)
+ *Fully integrates with nsswitch for all databases (currently only using passwd and group)
+ *Currently running in one-way replication on [[chuku]] (master) and [[mihr]].

  Sun Java System Identity Synchronization for Windows
- *Connects and synchronizes users from Active Directory to Sun LDAP server and maps specified attributes (currently only one-way)
+ *Connects and synchronizes users from Active Directory to Sun LDAP server and maps specified attributes (currently only one-way from AD to Sun)
+ *Currently running on [[chuku]].

  ===pam_krb5===
- *PAM module for authentication. Where possible, we use pam_krb5 from Debian's source repository instead of the stock Solaris 10 pam_krb5 since Solaris' pam_krb5 does not properly implement use_first_pass behavior.
+ *CSL workstations currently use pam_krb5 from http://www.eyrie.org/~eagle/software/pam-krb5/.
+ *Solaris systems currently use pam_krb5 from the above website, but locally patched to properly implement use_authtok behavior and also to implement functionality for afs_tokens and afs_tokens_nopag options so AFS tokens can be handled in the PAM auth stack with pam_krb5 (see pam_afs2 below).  This is useful to implement multi-realm auth as currently dtlogin does not appear to function with an AFS token-getting module placed in session, and xscreensaver also calls only the auth stack (so now tokens are refeshed upon screen unlock).

  ===pam_afs2===
+ *This module is no longer primarily used; its code was patched into the pam_krb5 used on Solaris (see above).  It is still used in the sshd-gssapi PAM stack on Solaris.

  *PAM module that can set up a PAG and run a program to get AFS tokens.  This module can run either in auth or session (we prefer auth so that things that don't process PAM-session like scp will also get tokens).

Line 36: Line 40:

  ! Description (grad year for current students) || description || description

  |}

- [[Category:Obsolete Page]]


Revision as of 15:38, 22 February 2008

Overview

As part of the effort to move to a unified user information and password system, effectively eliminating the need for multiple computer accounts (at least in terms of passwords), all Linux and UNIX systems are now using an LDAP/Kerberos scheme to authenticate using Windows accounts.
POSIX attributes (e.g. uid, gid, POSIX logon username) are currently manually imported by a script.

Components

Software not critical to the direct functionality of authentication is not listed here.

Sun Java System Directory Server Enterprise Edition v6

Sun Java System Directory Server

  • Sun's equivalent of slapd
  • Fully integrates with nsswitch for all databases (currently only using passwd and group)
  • Currently running in one-way replication on chuku (master) and mihr.

Sun Java System Identity Synchronization for Windows

  • Connects and synchronizes users from Active Directory to the Sun LDAP server and maps specified attributes (currently only one-way, from AD to Sun)
  • Currently running on chuku.

pam_krb5

  • CSL workstations currently use pam_krb5 from http://www.eyrie.org/~eagle/software/pam-krb5/.
  • Solaris systems currently use pam_krb5 from the above website, locally patched to properly implement use_authtok behavior and to add the afs_tokens and afs_tokens_nopag options, so that AFS tokens can be obtained in the PAM auth stack by pam_krb5 itself (see pam_afs2 below). This is useful for multi-realm auth: dtlogin currently does not appear to work with an AFS token-getting module placed in session, and xscreensaver calls only the auth stack (so tokens are now refreshed upon screen unlock).

pam_afs2

  • This module is no longer primarily used; its code was patched into the pam_krb5 used on Solaris (see above). It is still used in the sshd-gssapi PAM stack on Solaris.
  • PAM module that can set up a PAG and run a program to get AFS tokens. This module can run either in auth or session (we prefer auth so that things that don't process PAM-session like scp will also get tokens).
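The two PAM properties the pam_krb5 and pam_afs2 notes above depend on (a pam_krb5 that is not first in the auth stack must reuse the already-collected password via use_first_pass or use_authtok, and AFS tokens should be obtained in auth rather than only in session) can be checked mechanically. The following audit script is an added example for this page, not code from the CSL or from the pam-krb5 project; it parses the Solaris pam.conf format (service, type, control, module, options), and the pam.conf text it runs against is constructed for the demonstration. The afs_tokens and afs_tokens_nopag option names are the local patch's, as described above.

```python
"""Audit a Solaris-style pam.conf for the two PAM properties discussed above:
pam_krb5 must reuse an already-collected password (use_first_pass/use_authtok)
when it is not the first module in the auth stack, and AFS tokens should be
obtained in auth rather than only in session. Added example; the pam.conf
text is constructed for the demonstration and is not the CSL's real file."""
import re
from collections import defaultdict

# Modules/options that obtain AFS tokens: pam_afs2 itself, or the locally
# patched pam_krb5 when given afs_tokens / afs_tokens_nopag (see the page).
TOKEN_MODULES = ("pam_afs2",)
TOKEN_OPTIONS = ("afs_tokens", "afs_tokens_nopag")
# Options that make pam_krb5 reuse the password collected by an earlier module.
PASS_OPTIONS = ("use_first_pass", "use_authtok")

SAMPLE_PAM_CONF = """\
# constructed sample, not a real pam.conf
login        auth     requisite  pam_authtok_get.so.1
login        auth     required   pam_unix_cred.so.1
login        auth     sufficient pam_krb5.so.1 use_first_pass afs_tokens
login        auth     required   pam_unix_auth.so.1 use_first_pass
dtlogin      auth     requisite  pam_authtok_get.so.1
dtlogin      auth     sufficient pam_krb5.so.1
dtlogin      auth     required   pam_unix_auth.so.1 use_first_pass
dtlogin      session  required   pam_afs2.so.1
sshd-gssapi  auth     required   pam_afs2.so.1
"""


def parse_pam_conf(text):
    """Parse 'service type control module [options]' lines into
    {service: {type: [(control, module_name, [options]), ...]}}."""
    stacks = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, control, module = fields[:4]
        # Normalise 'pam_krb5.so.1' or '/usr/lib/security/pam_krb5.so' to 'pam_krb5'.
        name = re.sub(r"\.so(\.\d+)?$", "", module.rsplit("/", 1)[-1])
        stacks[service][mtype].append((control, name, fields[4:]))
    return stacks


def gets_tokens(entry):
    """True if this stack entry obtains AFS tokens."""
    _control, name, options = entry
    return name in TOKEN_MODULES or (
        name == "pam_krb5" and any(o in TOKEN_OPTIONS for o in options))


def audit(stacks):
    """Return a list of human-readable findings, one per problem found."""
    findings = []
    for service, types in stacks.items():
        auth = types.get("auth", [])
        session = types.get("session", [])
        for idx, (_control, name, options) in enumerate(auth):
            # A pam_krb5 that follows another auth module must reuse the
            # password it collected, or the user is prompted a second time.
            if name == "pam_krb5" and idx > 0 and not any(o in PASS_OPTIONS for o in options):
                findings.append("%s: pam_krb5 at auth position %d lacks use_first_pass/use_authtok"
                                % (service, idx))
        # Tokens obtained only in session are missed by scp-style logins and
        # by screen unlock, which run only the auth stack.
        if any(gets_tokens(e) for e in session) and not any(gets_tokens(e) for e in auth):
            findings.append("%s: AFS tokens are obtained only in the session stack" % service)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_pam_conf(SAMPLE_PAM_CONF)):
        print(finding)
```

Run against the constructed sample, the login stack passes and dtlogin is reported twice: once for a pam_krb5 that will re-prompt, and once because its tokens come only from a session module, which is exactly the dtlogin failure mode described above.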

Attribute Mappings

Description                                    Active Directory   Sun LDAP
Username                                       samAccountName     uid
Password (hashed)                              unicodepwd         userpassword
First name                                     givenname          givenname
Surname                                        sn                 sn
Full Name                                      cn                 cn
Display Name                                   displayName        displayName
Description (grad year for current students)   description        description
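The mapping table above and the Overview's note that POSIX attributes are imported separately by a script suggest two checks an administrator would want: that a synced Sun LDAP entry still matches its Active Directory source for every mapped attribute (synchronization is one-way, so AD is authoritative), and a reproducible way to fill in the POSIX attributes the synchronization does not carry. The script below is an added example written for this page; it is not the CSL's import script. The attribute map is taken from the table; the sample AD and Sun entries, the base DN, the uid range, the default gid, and the rule that the POSIX login name is the lowercased uid are all constructed or assumed.

```python
"""Check AD -> Sun attribute synchronization against the mapping table and
compute the POSIX attributes (uidNumber, gidNumber, homeDirectory, loginShell)
that the synchronization does not carry, emitting them as an LDIF modify.
Added example, not the CSL's import script; all sample data is constructed."""
import re

# Active Directory attribute -> Sun LDAP attribute, from the mapping table above.
ATTRIBUTE_MAP = {
    "samAccountName": "uid",
    "unicodepwd": "userpassword",
    "givenname": "givenname",
    "sn": "sn",
    "cn": "cn",
    "displayName": "displayName",
    "description": "description",
}
POSIX_ATTRS = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")
# Portable POSIX login name: no leading hyphen, 32 chars max (assumed policy).
LOGIN_RE = re.compile(r"^[a-z0-9_][a-z0-9_-]{0,31}$")

# Constructed sample data: one user already POSIX-enabled (with a drifted
# displayName), one synced from AD but not yet given POSIX attributes.
AD_USERS = {
    "jdoe": {"samAccountName": "jdoe", "givenname": "Jane", "sn": "Doe",
             "cn": "Jane Doe", "displayName": "Jane Doe", "description": "2009"},
    "BSmith": {"samAccountName": "BSmith", "givenname": "Bob", "sn": "Smith",
               "cn": "Bob Smith", "displayName": "Bob Smith", "description": "Staff"},
}
BASE = "ou=People,dc=example,dc=org"   # assumed base DN
SUN_ENTRIES = {
    "uid=jdoe," + BASE: {"uid": "jdoe", "givenname": "Jane", "sn": "Doe", "cn": "Jane Doe",
                         "displayName": "J. Doe", "description": "2009",
                         "uidNumber": "1001", "gidNumber": "100",
                         "homeDirectory": "/home/jdoe", "loginShell": "/bin/bash"},
    "uid=BSmith," + BASE: {"uid": "BSmith", "givenname": "Bob", "sn": "Smith",
                           "cn": "Bob Smith", "displayName": "Bob Smith",
                           "description": "Staff"},
}


def check_sync(ad_entry, sun_entry):
    """Return the Sun attributes whose value differs from the AD source
    (synchronization is one-way AD -> Sun, so AD is authoritative)."""
    return [sun_attr for ad_attr, sun_attr in ATTRIBUTE_MAP.items()
            if ad_attr in ad_entry and sun_entry.get(sun_attr) != ad_entry[ad_attr]]


def posix_attributes(entries, first_uid, default_gid, home_base="/home", shell="/bin/bash"):
    """Return {dn: {attr: value}} for entries lacking POSIX attributes.

    uidNumbers are allocated from first_uid upward, skipping numbers already
    in use; duplicates already present in the directory are reported as errors
    rather than silently propagated."""
    used = set()
    for dn, entry in entries.items():
        if "uidNumber" in entry:
            n = int(entry["uidNumber"])
            if n in used:
                raise ValueError("duplicate uidNumber %d at %s" % (n, dn))
            used.add(n)
    changes = {}
    next_uid = first_uid
    for dn in sorted(entries):
        entry = entries[dn]
        if all(a in entry for a in POSIX_ATTRS):
            continue
        login = entry["uid"].lower()   # assumed rule for the POSIX logon name
        if not LOGIN_RE.match(login):
            raise ValueError("%s: %r is not a valid POSIX login name" % (dn, login))
        while next_uid in used:
            next_uid += 1
        used.add(next_uid)
        changes[dn] = {
            "objectClass": "posixAccount",
            "uidNumber": str(next_uid),
            "gidNumber": str(default_gid),
            "homeDirectory": "%s/%s" % (home_base, login),
            "loginShell": shell,
        }
    return changes


def to_ldif(changes):
    """Render the changes as LDIF 'changetype: modify' records."""
    lines = []
    for dn, attrs in changes.items():
        lines += ["dn: " + dn, "changetype: modify"]
        for attr, value in attrs.items():
            lines += ["add: " + attr, "%s: %s" % (attr, value), "-"]
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for dn, entry in SUN_ENTRIES.items():
        drift = check_sync(AD_USERS[entry["uid"]], entry)
        if drift:
            print("%s: out of sync for %s" % (dn, ", ".join(drift)))
    print(to_ldif(posix_attributes(SUN_ENTRIES, first_uid=1000, default_gid=100)))
```

The uidNumber allocation deliberately reads every existing uidNumber first and refuses to continue on a duplicate, since a colliding uidNumber in nsswitch's passwd database would give two users the same file ownership; the generated LDIF is meant to be reviewed before it is applied to the master.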