User Account Management?
Jeremy Welling asks: "I work in a corporate data center with all the major Unices present. Currently we are using a third party product to manage user logins and authentication. In our goals for 2002, we want to move off that product, and the current plan is to go to NIS. Due to the inherent security holes in NIS, I am investigating using LDAP. We would also like to tie this into the NT domain logins. My question is, how difficult is this to do, what LDAP server software would be best, and what OS platform should we look at?"
Bad place to ask (Score:1)
(Psst....Linux!)
Just a guess (Score:2, Informative)
What you could have is everything that can auth against LDAP, and then for NT have it auth against Samba, with Samba using PAM, which in turn uses LDAP?
Hope this helps!
Re:Just a guess (Score:2)
I doubt it... Samba only handles filesharing. For the NT systems, you should still be able to auth against LDAP, Samba isn't needed, and I'm not sure if it's even useful except for filesharing purposes.
Re:Just a guess (Score:2, Informative)
What you really want to look into is all the various pam modules to modify the Linux/Unix side to go to an external source that you can configure NT to go to. The problem with lots of these is normally it is all done in the clear, so be careful.
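The point above about these modules talking to the directory "in the clear" can be checked mechanically. The following is an added example (my own, not code from the thread or from PADL): it reads a pam_ldap.conf-style file and reports whether the LDAP bind would cross the network unencrypted. It recognises only the real pam_ldap directives host, uri, ssl, binddn, bindpw and tls_checkpeer; the two sample configurations are constructed for the illustration.

```python
"""Flag cleartext LDAP binds in a PADL-style pam_ldap/nss_ldap configuration.

Added example, not from the thread. Only a handful of real pam_ldap.conf
directives are understood (host, uri, ssl, binddn, bindpw, tls_checkpeer);
the sample configurations below are constructed.
"""


def parse_conf(text: str) -> dict:
    """Parse `directive value` lines; '#' starts a comment, later keys win."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf[parts[0].lower()] = value
    return conf


def transport_is_encrypted(conf: dict) -> bool:
    """StartTLS, `ssl on` (LDAPS) or all-ldaps:// URIs protect the bind."""
    mode = conf.get("ssl", "no").lower()
    if mode in ("start_tls", "on", "yes"):
        return True
    uris = conf.get("uri", "").split()
    return bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)


def audit(text: str) -> list:
    """Return a list of findings; an empty list means nothing to report."""
    conf = parse_conf(text)
    findings = []
    if not transport_is_encrypted(conf):
        findings.append("simple binds are sent in the clear: set `ssl start_tls` "
                        "or use ldaps:// URIs")
        if "bindpw" in conf:
            findings.append("bindpw for the proxy account also crosses the "
                            "network in the clear")
    elif conf.get("tls_checkpeer", "").lower() == "no":
        findings.append("tls_checkpeer no: the server certificate is not "
                        "verified, so the TLS session can be impersonated")
    return findings


# Constructed sample: a classic early-2000s pam_ldap.conf, no TLS at all.
WEAK_CONF = """\
host ldap.example.com
base dc=example,dc=com
binddn cn=proxy,dc=example,dc=com
bindpw bindpw-placeholder
pam_password crypt
"""

# Constructed sample: same directory, bind protected with StartTLS and
# the server certificate checked against a CA file.
HARDENED_CONF = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacert.pem
binddn cn=proxy,dc=example,dc=com
bindpw bindpw-placeholder
pam_password crypt
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```

Run it against a copy of the host's pam_ldap.conf (or nss_ldap's ldap.conf, which uses the same directives) to see whether user passwords would travel unencrypted during login.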
Re:Just a guess (Score:1)
I meant have Linux/UNIX/anything else that can auth against LDAP and then have samba do the same. Then have NT auth against SAMBA.
It is prob my English that is at fault, what can I say, I could code before I could read or write English (and yea, English is my first spoken language)
LDAP by itself doesn't provide complete auth (Score:3, Informative)
Typically what people do when using LDAP for something like this is to use LDAP for authentication (which is easy/trivial to do). The hard part is management of authorization information. Authentication simply tells you that a particular set of credentials provided by a client matched the same credentials in your LDAP server (which is what happens in any authentication system). You assume that since these credentials should only be able to be provided by a particular person, then the application is "authenticated" as that user.

Authorization means what that user can do now that they have authenticated.

You could authorize access based on group membership, where the user's entry lies in the DIT, time of day, gender, an attribute in their entry or a number of different routes.

So to be honest what you probably want to do is to use an existing authentication service such as Kerberos (which already provides a standardized means of providing authorization services) and use a directory service to feed the user & application data to Kerberos.
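To make the authentication/authorization split in the post above concrete, here is an added example (mine, not code from the thread). A tiny in-memory directory stands in for the LDAP server so it runs offline; the DNs, groups, service names and the per-service policy table (group membership, DIT subtree and time-of-day window, three of the routes the post names) are all constructed for the illustration.

```python
"""Authentication versus authorization against a directory.

Added example, not code from the Slashdot thread. A real deployment would
bind to an LDAP server; here a small in-memory directory stands in for it.
All DNs, groups, service names and policies are constructed.
"""
import hashlib
import hmac
import os

BASE = "dc=example,dc=com"


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _entry(uid: str, password: str, ou: str) -> dict:
    salt = os.urandom(16)
    return {"uid": uid, "ou": ou, "salt": salt, "pw": _hash(password, salt)}


ALICE = f"uid=alice,ou=staff,{BASE}"
BOB = f"uid=bob,ou=contractors,{BASE}"

# Constructed directory entries keyed by DN.
DIRECTORY = {
    ALICE: _entry("alice", "correct horse", "staff"),
    BOB: _entry("bob", "battery staple", "contractors"),
}

# Constructed groups: group DN -> set of member DNs.
GROUPS = {
    f"cn=admins,ou=groups,{BASE}": {ALICE},
    f"cn=dbusers,ou=groups,{BASE}": {ALICE, BOB},
}

# Per-service authorization policy (constructed): required group, the DIT
# subtree the entry must live under, and an optional [start, end) hour window.
SERVICE_POLICY = {
    "ssh-prod": {"group": f"cn=admins,ou=groups,{BASE}",
                 "subtree": f"ou=staff,{BASE}", "hours": None},
    "database": {"group": f"cn=dbusers,ou=groups,{BASE}",
                 "subtree": BASE, "hours": (8, 18)},
}


def authenticate(dn: str, password: str) -> bool:
    """Step 1: do the presented credentials match the entry? Nothing more."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        _hash(password, b"\x00" * 16)  # keep timing similar for unknown DNs
        return False
    return hmac.compare_digest(_hash(password, entry["salt"]), entry["pw"])


def in_subtree(dn: str, base: str) -> bool:
    """True if `dn` is `base` or lies beneath it in the DIT."""
    return dn == base or dn.endswith("," + base)


def authorize(dn: str, service: str, now_hour: int) -> bool:
    """Step 2: what may this already-authenticated DN do? Deny by default."""
    policy = SERVICE_POLICY.get(service)
    if policy is None:
        return False
    if dn not in GROUPS.get(policy["group"], set()):
        return False
    if not in_subtree(dn, policy["subtree"]):
        return False
    hours = policy["hours"]
    if hours is not None and not (hours[0] <= now_hour < hours[1]):
        return False
    return True


def login(dn: str, password: str, service: str, now_hour: int) -> str:
    """Authenticate first; consult authorization only for a valid credential."""
    if not authenticate(dn, password):
        return "invalid credentials"
    if not authorize(dn, service, now_hour):
        return "authenticated but not authorized"
    return "ok"


if __name__ == "__main__":
    print(login(ALICE, "correct horse", "ssh-prod", 10))
    print(login(BOB, "battery staple", "ssh-prod", 10))
    print(login(BOB, "battery staple", "database", 20))
```

The two steps are deliberately separate functions: `authenticate` answers only "did the credentials match", and `authorize` is where the per-service rules live, which is the part the post says is hard to manage and the part Kerberos plus a directory would take off your hands.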
novell, krb5 (Score:3, Informative)
management, I recommend using Novell Directory Services (a nicely compatible LDAP implementation is included, and more), in conjunction with Kerberos v5. Keys can be kept in NDS LDAP, and auth tickets (which make powerusers of multiple machines and services on the network very happy because they don't have to enter passwords every 15 seconds) granted by krb5. I haven't tried integrating standard krb5 and Microsoft krb5-alike systems in one network before, and can imagine that there may be some issues that need to be finessed here, but if you just avoid the MS implementation altogether, you can end-run those issues.
A possible solution (Score:3, Informative)
I use OpenLDAP to store all user information. User accounts are of classes posixAccount AND sambaAccount.
I built Samba with LDAP support and configured it to store all its info in our LDAP server. I then combined two PAM modules (pam_smb_auth.so and pam_ldap.so) to let PAM-enabled services authenticate via the Samba server. pam_ldap.so is used for account information, pam_smb_auth.so is used for username/password authentication.

This gives a single username/password that can be used by anything which talks SMB or PAM. The Samba server acts as a PDC, so network signons work, users can change their passwords from the built-in Windows password change tools, and passwd changes their password from the Unix command line. It's all good.
I haven't bothered writing up a FAQ, mail me if you want a more detailed explanation (danpat at au dot adaptiveinternational dot com)
eDirectory is the way to go (Score:5, Informative)
There is a PAM module available for Linux that lets you log in using NDS (eDirectory) credentials. Other *nix clients should be handled the same. For an NT client you would either need to use Zen for Desktop's Dynamic Local User or you would need to use Novell Account Management. Account Management on NT will redirect the domain into NDS. On 2000, it will synchronize with Active Directory.
The other products I mentioned can take you in other directions. DirXML is a meta-directory synchronization tool. Available conduits include Active Directory, Exchange, LDAP, GroupWise, Lotus Notes, NT Domain, JDBC, Peoplesoft, SAP HR, and Delimited Text.
NDS Authentication Services (NDS-AS) extends NDS (eDirectory) authentication redirection to other platforms, including AIX, FreeBSD, HP-UX, Linux, OS/390, Solaris, and Windows. Note that some of NDS-AS duplicates functionality found in eDirectory or Account Management.
SecureLogin is a single sign-on technology, which may be another way to solve your problem.
To give you a bottom line answer, even if you want to ignore alternate solutions and go with a straight LDAP directory, use eDirectory. It doesn't matter which platform you run it from, Novell has demonstrated billion-user trees on several host OSes.
novell eDirectory (Score:3, Interesting)
LDAP is a way of life (Score:5, Interesting)
But. But.
LDAP, to be really useful, must be a way of life. You must put it in the center of your IT universe and defer always to it. It becomes the final "owner" for all your information. I found this invaluable, as suddenly the nightmares of maintaining a thousand different instances of the same or similar data just vanish. People get really excited once they realize all that LDAP can do for them. It's so flexible and extensible that you can put almost anything in it.
But this power comes at a pretty high up-front cost in time and effort. If all you really care about is user auth it's probably not worth it. When your world revolves around LDAP, the hassles involved with getting PAM working on all your flavors of Unix and all that stuff become minor. Yes, you can get your NT domain to authenticate through it. Yes, you can get all your web servers to authenticate through it. It's not always easy, though. Often it's quite hard.
But if you commit to it, and follow through, the dream of one password everywhere is just one of the many rewards that you will reap.
As far as implementations, I've used Netscape/iPlanet and I've played with OpenLDAP. I used to work at Netscape so I'm biased, but I'd say spring for the iPlanet stuff if you can afford it. I found the OpenLDAP ACLs unintuitive and I heard reports that replication is unreliable.
A final caveat. If you do choose LDAP, and you choose to make it a central part of your IT infrastructure, make this your mantra: "Read often, write seldom". LDAP is *NOT* a database. Let me repeat. LDAP is *NOT A DATABASE*. When people realize everything you can put into LDAP the first thing they want to do is try to make believe it's Oracle. Try to use it for write intensive applications and the only person more miserable than your users will be you.
Good Luck!
What we do (Score:2, Informative)
openLDAP (Score:2, Informative)
I just went to a presentation from my local LUG about this very thing. It was by the IT guy from the local university (UBC) who did exactly that. They have a mix of Solaris and Linux and Windows and he set up a unified LDAP thing so that they could get rid of NIS.
He promised to put the details up here [ece.ubc.ca] in a week or so. In the meantime, get openLDAP and the pam modules from padl.com
He said that all the schemas are there in the source, and that this is the way of the future.
krb5/ldap... (Score:3, Interesting)
The stick in the mud here seems to be Irix along with afs...we can do integrated logins on linux and sun, due to pam, but irix has no pam.
Anyone found a solution here?
Re:krb5/ldap... (Score:2)
Rumor has it that IRIX 6.5 has support for LDAP authentication. Try the nsd(1M) and ldap(7P) man pages, for starters.
At least in theory, this might allow you to use NDS or some other robust LDAP implementation to provide login authentication to your IRIX systems.
MS Services for Unix (Score:1)
Have a look at this (Score:2)
right on (Score:1)
there's a nice HOWTO [idealx.org] about samba-ldap-windows domain logons.
Then new linux distros like SuSE 7.3 or the latest RedHat automate the usage of ldap for user authentication.
Quentin
eDirectory outperformed iPlanet & Active Direc (Score:1)
FYI, eDirectory 8.7 should be out in April/May.
Re:eDirectory outperformed iPlanet & Active Di (Score:1)
There are supposed to be "hot new ldap features" in eDirectory 8.7, "including ACL support using LDAP, LDAP extension for events, Persistent search, Dynamic Groups, Extensible Match, Start TLS, and SASL support for more authentication options."
This info is from http://www.novellbrainshare.com/portal/eventguide
Done that! (Score:1)
We tried Kerberos, NIS and LDAP. We got the best results with LDAP.
First of all you need a server. An old box (like a 200MHz) will be more than enough. We installed: LDAP, Samba and Samba-TNG. The last two because of Windows: Samba-TNG can act as a domain controller. Here are the main problems we encountered:
IRIX: you have to get one of the latest versions (6.5.13+), and change in the file
USERPASSWORD{CRYPT}
to
USERPASSWORD{crypt}
Windows is the hardest one because the little changes you have to do depend on the service packs you installed. It's usually a key in the registry you have to modify.
Another good thing about LDAP is the fact that you can have two LDAP servers running and slurpd does the data synchronization, so when one server goes down you still can log in.