Difference between revisions of "Integrated Authentication"
m (→Sun Java System Directory Server Enterprise Edition v6: Updated servers.)
Revision as of 14:14, 29 July 2008
As part of the effort to move to a unified user information and password system, effectively eliminating the need for multiple computer accounts (at least in terms of passwords), all Linux and UNIX systems are now using an LDAP/Kerberos scheme to authenticate using Windows accounts.
POSIX attributes (e.g. uid, gid, POSIX logon username) are currently manually imported by a script.
Software that is not critical to the direct functionality of authentication is not listed here.
Sun Java System Directory Server Enterprise Edition v6
Sun Java System Directory Server
- Sun's equivalent of slapd
- Fully integrates with nsswitch for all databases (currently only using passwd and group)
- Currently running one-way replication from ldap1 (master) to ldap2.
Sun Java System Identity Synchronization for Windows
- Connects and synchronizes users from Active Directory to Sun LDAP server and maps specified attributes (currently only one-way from AD to Sun)
- Currently running on ldap1.
- CSL workstations currently use pam_krb5 from http://www.eyrie.org/~eagle/software/pam-krb5/.
- Solaris systems currently use pam_krb5 from the above website, locally patched to properly implement use_authtok behavior and to add the afs_tokens and afs_tokens_nopag options, so that AFS tokens can be obtained in the PAM auth stack by pam_krb5 itself (see pam_afs2 below). This is useful for multi-realm auth: dtlogin does not appear to work with an AFS token-getting module placed in the session stack, and xscreensaver calls only the auth stack, so with this patch tokens are also refreshed on screen unlock.
- This module is no longer primarily used; its code was patched into the pam_krb5 used on Solaris (see above). It is still used in the sshd-gssapi PAM stack on Solaris.
- PAM module that can set up a PAG and run a program to get AFS tokens. This module can run either in auth or session (we prefer auth so that things that don't process PAM-session like scp will also get tokens).
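As an added illustration (constructed for this page, not the site's actual configuration), here is what a Solaris /etc/pam.conf auth stack for login looks like when the locally patched pam_krb5 described above obtains AFS tokens in the auth phase. The module file names, their installation under the default Solaris module directory, the use of the stock Solaris pam_authtok_get/pam_dhkeys/pam_unix_cred/pam_unix_auth modules around it, and the pam_afs2 module path are assumptions; the afs_tokens option exists only in the local patch.

```text
# Constructed example of a Solaris /etc/pam.conf auth stack for the login
# service; not the site's real file. Format:
#   service  module_type  control_flag  module_path  [options]
# pam_krb5.so.1 is assumed to be the locally patched eyrie.org module
# installed in the default Solaris PAM module directory.
login   auth  requisite   pam_authtok_get.so.1
login   auth  required    pam_dhkeys.so.1
login   auth  required    pam_unix_cred.so.1
# use_first_pass: reuse the password collected by pam_authtok_get.
# afs_tokens: obtain AFS tokens here, in the auth stack (local patch), so a
# client that never runs the session stack (e.g. scp) and xscreensaver, which
# calls only auth, both end up with fresh tokens.
login   auth  sufficient  pam_krb5.so.1 use_first_pass afs_tokens
login   auth  required    pam_unix_auth.so.1 use_first_pass
# Equivalent alternative with an unpatched pam_krb5: run pam_afs2 in the auth
# stack instead (preferred over session for the reasons above); options and
# path are assumed for the example.
#login  auth  optional    pam_afs2.so.1
```

The placement matters more than the exact module: anything that creates AFS tokens only from the session stack will not be reached by dtlogin, xscreensaver unlock, or non-interactive clients such as scp, which is why the site keeps token acquisition in auth.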
Attribute mapping (Active Directory -> Sun LDAP):

Description                                  | Active Directory | Sun LDAP
Description (grad year for current students) | description      | description