Warning Livedoc is no longer being updated and will be deprecated shortly. Please refer to https://documentation.tjhsst.edu.

Difference between revisions of "Integrated Authentication"

From Livedoc - The Documentation Repository
Jump to: navigation, search
(Update, reformat, cut parts to NSS LDAP. Currently incomplete.)
Line 1: Line 1:
==Overview==
+
=Overview=
 
As part of the effort to move to a unified user information and password system, effectively eliminating the need for multiple computer accounts (at least in terms of passwords), all Linux and UNIX systems are now using an LDAP/Kerberos scheme to authenticate using Windows accounts.<br />
 
As part of the effort to move to a unified user information and password system, effectively eliminating the need for multiple computer accounts (at least in terms of passwords), all Linux and UNIX systems are now using an LDAP/Kerberos scheme to authenticate using Windows accounts.<br />
 
POSIX attributes (e.g. uid, gid, POSIX logon username) are currently manually imported by a script.
 
POSIX attributes (e.g. uid, gid, POSIX logon username) are currently manually imported by a script.
==Components==
 
Software not critical to the direct functionality of authentication are not listed here.
 
===Sun Java System Directory Server Enterprise Edition v6===
 
Sun Java System Directory Server
 
*Sun's equivalent of slapd
 
*Fully integrates with nsswitch for all databases (currently only using passwd and group)
 
*Currently running in one-way replication on [[ldap1]] (master) and [[ldap2]].
 
Sun Java System Identity Synchronization for Windows
 
*Connects and synchronizes users from Active Directory to Sun LDAP server and maps specified attributes (currently only one-way from AD to Sun)
 
*Currently running on [[ldap1]].
 
  
 +
=Components=
 +
==LDAP==
 +
See [[NSS LDAP]] for details and configuration.
 +
 +
==Kerberos==
 +
Microsoft Active Directory supports authentication using the Kerberos protocol.  The Kerberos realm is LOCAL.TJHSST.EDU.  For the system to authenticate to Kerberos, we use pam_krb5 (see below).
 +
===Configuration===
 +
 +
 +
==PAM==
 
===pam_krb5===
 
===pam_krb5===
 
*CSL workstations currently use pam_krb5 from http://www.eyrie.org/~eagle/software/pam-krb5/.
 
*CSL workstations currently use pam_krb5 from http://www.eyrie.org/~eagle/software/pam-krb5/.
Line 18: Line 18:
  
 
===pam_afs2===
 
===pam_afs2===
*This module is no longer primarily used; its code was patched into the pam_krb5 used on Solaris (see above).  It is still used in the sshd-gssapi PAM stack on Solaris.
+
''This module is no longer primarily used; its code was patched into the pam_krb5 used on Solaris (see above).  It is still used in the sshd-gssapi PAM session stack on Solaris as the PAM auth stack is not processed if GSSAPI is used for SSH.''
 
*PAM module that can set up a PAG and run a program to get AFS tokens.  This module can run either in auth or session (we prefer auth so that things that don't process PAM-session like scp will also get tokens).
 
*PAM module that can set up a PAG and run a program to get AFS tokens.  This module can run either in auth or session (we prefer auth so that things that don't process PAM-session like scp will also get tokens).
  
==Attribute Mappings==
+
=See Also=
{| border=1 cellpadding=4 cellspacing=0 style="margin: 0 0 1em 1em; background: #f9f9f9; border: 1px #aaaaaa solid; border-collapse: collapse; font-size: 95%; text-align:left;"
+
*[[NSS LDAP]]
|-
 
! width="100px" | Description || Active Directory || Sun LDAP
 
|-
 
! Username || samAccountName || uid
 
|-
 
! Password (hashed) || unicodepwd || userpassword
 
|-
 
! First name || givenname || givenname
 
|-
 
! Surname || sn || sn
 
|-
 
! Full Name || cn || cn
 
|-
 
! Display Name || displayName || displayName
 
|-
 
! Description (grad year for current students) || description || description
 
|}
 

Revision as of 21:31, 29 July 2008

Overview

As part of the effort to move to a unified user information and password system, effectively eliminating the need for multiple computer accounts (at least in terms of passwords), all Linux and UNIX systems are now using an LDAP/Kerberos scheme to authenticate using Windows accounts.
POSIX attributes (e.g. uid, gid, POSIX logon username) are currently manually imported by a script.

Components

LDAP

See NSS LDAP for details and configuration.

Kerberos

Microsoft Active Directory supports authentication using the Kerberos protocol. The Kerberos realm is LOCAL.TJHSST.EDU. For the system to authenticate to Kerberos, we use pam_krb5 (see below).

Configuration

PAM

pam_krb5

  • CSL workstations currently use pam_krb5 from http://www.eyrie.org/~eagle/software/pam-krb5/.
  • Solaris systems currently use pam_krb5 from the above website, but locally patched to properly implement use_authtok behavior and also to implement functionality for afs_tokens and afs_tokens_nopag options so AFS tokens can be handled in the PAM auth stack with pam_krb5 (see pam_afs2 below). This is useful to implement multi-realm auth as currently dtlogin does not appear to function with an AFS token-getting module placed in session, and xscreensaver also calls only the auth stack (so now tokens are refeshed upon screen unlock).

pam_afs2

This module is no longer primarily used; its code was patched into the pam_krb5 used on Solaris (see above). It is still used in the sshd-gssapi PAM session stack on Solaris as the PAM auth stack is not processed if GSSAPI is used for SSH.

  • PAM module that can set up a PAG and run a program to get AFS tokens. This module can run either in auth or session (we prefer auth so that things that don't process PAM-session like scp will also get tokens).

See Also