Warning Livedoc is no longer being updated and will be deprecated shortly. Please refer to https://documentation.tjhsst.edu.

Integrated Authentication

From Livedoc - The Documentation Repository
Revision as of 20:36, 17 July 2008 by William Yang (talk | contribs) (Sun Java System Directory Server Enterprise Edition v6: Updated servers.)
Jump to: navigation, search


As part of the effort to move to a unified user information and password system, effectively eliminating the need for multiple computer accounts (at least in terms of passwords), all Linux and UNIX systems are now using an LDAP/Kerberos scheme to authenticate using Windows accounts.
POSIX attributes (e.g. uid, gid, POSIX logon username) are currently manually imported by a script.


Software not critical to the direct functionality of authentication are not listed here.

Sun Java System Directory Server Enterprise Edition v6

Sun Java System Directory Server

  • Sun's equivalent of slapd
  • Fully integrates with nsswitch for all databases (currently only using passwd and group)
  • Currently running in one-way replication on ldap1 (master) and ldap2.

Sun Java System Identity Synchronization for Windows

  • Connects and synchronizes users from Active Directory to Sun LDAP server and maps specified attributes (currently only one-way from AD to Sun)
  • Currently running on ldap1.


  • CSL workstations currently use pam_krb5 from http://www.eyrie.org/~eagle/software/pam-krb5/.
  • Solaris systems currently use pam_krb5 from the above website, but locally patched to properly implement use_authtok behavior and also to implement functionality for afs_tokens and afs_tokens_nopag options so AFS tokens can be handled in the PAM auth stack with pam_krb5 (see pam_afs2 below). This is useful to implement multi-realm auth as currently dtlogin does not appear to function with an AFS token-getting module placed in session, and xscreensaver also calls only the auth stack (so now tokens are refeshed upon screen unlock).


  • This module is no longer primarily used; its code was patched into the pam_krb5 used on Solaris (see above). It is still used in the sshd-gssapi PAM stack on Solaris.
  • PAM module that can set up a PAG and run a program to get AFS tokens. This module can run either in auth or session (we prefer auth so that things that don't process PAM-session like scp will also get tokens).

Attribute Mappings

Description Active Directory Sun LDAP
Username samAccountName uid
Password (hashed) unicodepwd userpassword
First name givenname givenname
Surname sn sn
Full Name cn cn
Display Name displayName displayName
Description (grad year for current students) description description