Unix Operating Systems Software

User Account Management?

Posted by Cliff
from the managing-users-across-a-heterogeneous-network dept.
Jeremy Welling asks: "I work in a corporate data center with all the major Unices present. Currently we are using a third party product to manage user logins and authentication. In our goals for 2002, we want to move off that product, and the current plan is to go to NIS. Due to the inherent security holes in NIS, I am investigating using LDAP. We would also like to tie this into the NT domain logins. My question is, how difficult is this to do, what LDAP server software would be best, and what OS platform should we look at?"
  • That's like walking into a Buddhist temple and asking what the best way to enlightenment is.

    (Psst....Linux!)

  • Just a guess (Score:2, Informative)

    But couldn't you use GNU/Linux and Samba to do this?

    What you could have is everything that can authenticate against LDAP doing so, and then for NT have it authenticate against Samba, with Samba using PAM, which in turn uses LDAP?

    Hope this helps!
    • Using Samba to tell me whether or not I am allowed to log into a Unix box?

      I doubt it. . . Samba only handles filesharing. For the NT systems, you should still be able to auth against LDAP, Samba isn't needed, and I'm not sure if it's even useful except for filesharing purposes.
      • Re:Just a guess (Score:2, Informative)

        You use a PAM module that looks in a smbpassword file and authenticates you against that. Essentially it implements the NT password protocol for Linux. It isn't pretty, but it works. I have used it to authenticate NT users against Samba, and to authenticate Linux users against NT.

        What you really want to look into is all the various pam modules to modify the Linux/Unix side to go to an external source that you can configure NT to go to. The problem with lots of these is normally it is all done in the clear, so be careful.

      • No, I think you mis-understand me.

        I meant have Linux/UNIX/anything else that can auth against LDAP and then have samba do the same. Then have NT auth against SAMBA.

        It is probably my English that is at fault, what can I say, I could code before I could read or write English (and yeah, English is my first spoken language)
  • by Rampant Atrocity (559341) on Wednesday February 20, 2002 @08:09PM (#3041054)
    (a professional [mailto] speaks on the issue)

    Typically what people do when using LDAP for something like this is to use LDAP for authentication (which is easy/trivial to do).

    The hard part is management of authorization information. Authentication simply tells you that a particular set of credentials provided by a client matched the same credentials in your LDAP server (which is what happens in any authentication system). You assume that since these credentials should only be able to be provided by a particular person, then the application is "authenticated" as that user.

    Authorization means what can that user do now that they have authenticated.

    You could authorize access based on group membership, where the user's entry lies in the DIT, time of day, gender, an attribute in their entry or a number of different routes.

    So to be honest what you probably want to do is to use an existing authentication service such as Kerberos (which already provides a standardized means of providing authorization services) and use a directory service to feed the user & application data to Kerberos.
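    As an added illustration of the authentication/authorization split the post above draws (example code written for this page, not from the thread or from any product mentioned in it): the directory below is a constructed in-memory stand-in for an LDAP DIT, and the salted-hash password storage, the group DN and the 08:00-18:00 access window are assumptions of the example.

```python
# Added example: LDAP-style authentication kept separate from authorization.
# DIRECTORY is a constructed in-memory stand-in for an LDAP DIT; no server
# is contacted. Salted SHA-256 password storage is an assumption made here.
import hashlib
import hmac
from datetime import time
from typing import Optional

SALT = b"constructed-salt"  # constructed; a real directory salts per entry


def _hash(password: str) -> bytes:
    return hashlib.sha256(SALT + password.encode()).digest()


DIRECTORY = {
    "uid=alice,ou=staff,dc=example,dc=com": {"userPassword": _hash("correct horse")},
    "uid=bob,ou=contractors,dc=example,dc=com": {"userPassword": _hash("battery staple")},
    "cn=wheel,ou=groups,dc=example,dc=com": {"objectClass": "posixGroup",
                                             "memberUid": ["alice"]},
}


def authenticate(dn: str, password: str) -> bool:
    """Authentication only: did the presented credentials match the entry?
    A True result says nothing about what the user may now do."""
    entry = DIRECTORY.get(dn)
    if entry is None or "userPassword" not in entry:
        return False
    return hmac.compare_digest(entry["userPassword"], _hash(password))


def authorize(dn: str, group: Optional[str] = None, subtree: Optional[str] = None,
              now: Optional[time] = None, window=(time(8), time(18))) -> bool:
    """Authorization: policy applied to an already-authenticated DN via the
    routes the post lists: group membership, position in the DIT, time of day."""
    uid = dn.split(",")[0].split("=", 1)[1]
    if group is not None and uid not in DIRECTORY.get(group, {}).get("memberUid", []):
        return False
    if subtree is not None and not dn.endswith("," + subtree):
        return False
    if now is not None and not (window[0] <= now < window[1]):
        return False
    return True


def login(dn: str, password: str, **policy) -> str:
    """Authn first, then authz: 'denied' means the password was right but
    policy said no, which is exactly the distinction the post is drawing."""
    if not authenticate(dn, password):
        return "bad credentials"
    return "granted" if authorize(dn, **policy) else "denied"
```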

  • novell, krb5 (Score:3, Informative)

    by aminorex (141494) on Wednesday February 20, 2002 @08:31PM (#3041162) Homepage Journal
    For good cross-platform consolidation of access management, I recommend using Novell Directory Services (a nicely compatible LDAP implementation is included, and more), in conjunction with Kerberos v5. Keys can be kept in NDS LDAP, and auth tickets (which make powerusers of multiple machines and services on the network very happy because they don't have to enter passwords every 15 seconds) granted by krb5. I haven't tried integrating standard krb5 and microsoft krb5-alike systems in one network before, and can imagine that there may be some issues that need to be finessed here, but if you just avoid the MS implementation altogether, you can end-run those issues.
  • A possible solution (Score:3, Informative)

    by danpat (119101) on Wednesday February 20, 2002 @09:03PM (#3041281) Homepage
    I've recently solved a problem possibly similar to this where I work. We have a mixture of Debian GNU/Linux, Solaris, w2k, and win98 machines.

    I use OpenLDAP to store all user information. User accounts are of classes posixAccount AND sambaAccount.

    I built samba with LDAP support and configured it to store all its info in our LDAP server. I then combined two PAM modules (pam_smb_auth.so and pam_ldap.so) to let PAM-enabled services authenticate via the Samba server. pam_ldap.so is used for account information, pam_smb_auth.so is used for username/password authentication.

    This gives a single username/password that can be used by anything which talks SMB or PAM. The samba server acts as a PDC, so network signons work, users can change their passwords from the built-in windows password change tools, passwd changes their password from the unix command line. It's all good :)

    I haven't bothered writing up a FAQ, mail me if you want a more detailed explanation (danpat at au dot adaptiveinternational dot com)
  • by AndyDeck (29830) on Wednesday February 20, 2002 @09:06PM (#3041293) Homepage Journal
    I think Novell's eDirectory [novell.com] is a possible solution. You can run eDirectory on NetWare® 5.x or above, Windows 2000, Windows NT, Solaris, Linux, or Tru64. There are other Novell products (NDS-AS, DirXML, Zen for Desktops, Novell Account Management, SecureLogin) that extend eDirectory's reach even further.

    There is a PAM module available for Linux that lets you log in using NDS (eDirectory) credentials. Other *nix clients should be handled the same. For an NT client you would either need to use Zen for Desktop's Dynamic Local User or you would need to use Novell Account Management. Account Management on NT will redirect the domain into NDS. On 2000, it will synchronize with Active Directory.

    The other products I mentioned can take you in other directions. DirXML is a meta-directory synchronization tool. Available conduits include Active Directory, Exchange, LDAP, GroupWise, Lotus Notes, NT Domain, JDBC, Peoplesoft, SAP HR, and Delimited Text.

    NDS Authentication Services (NDS-AS) extends NDS (eDirectory) authentication redirection to other platforms, including AIX, FreeBSD, HP-UX, Linux, OS/390, Solaris, and Windows. Note that some of NDS-AS duplicates functionality found in eDirectory or Account Management.

    SecureLogin is a single sign-on technology, which may be another way to solve your problem.

    To give you a bottom line answer, even if you want to ignore alternate solutions and go with a straight LDAP directory, use eDirectory. It doesn't matter which platform you run it from, Novell has demonstrated billion-user trees on several host OSes.
  • novell eDirectory (Score:3, Interesting)

    by CounterZer0 (199086) on Wednesday February 20, 2002 @09:11PM (#3041306) Homepage
    Link: eDirectory [novell.com] is based on LDAP - and it runs on Solaris and Linux! It's very cross platform and Novell makes another product (dirXML) that can even synch against Win2K or anything else (including text files (like, /etc/passwd!)) for anything from user management to data synch. VERY stable, and VERY robust.
  • by sclatter (65697) on Wednesday February 20, 2002 @09:24PM (#3041355) Homepage
    I'm an LDAP advocate. It is exactly the right solution for a lot of problems. It is extremely powerful and flexible, and the more I've used it the more uses I've found for it. Once you've experienced the power of a fast and reliable central repository for a spectrum of IT information you never want to go back.

    But. But.

    LDAP, to be really useful, must be a way of life. You must put it in the center of your IT universe and defer always to it. It becomes the final "owner" for all your information. I found this invaluable, as suddenly the nightmares of maintaining a thousand different instances of the same or similar data just vanish. People get really excited once they realize all that LDAP can do for them. It's so flexible and extensible that you can put almost anything in it.

    But this power comes at a pretty high up front cost in time and effort. If all you really care about is user auth it's probably not worth it. When your world revolves around LDAP, the hassles involved with getting PAM working on all your flavors of Unix and all that stuff become minor. Yes, you can get your NT domain to authenticate through it. Yes, you can get all your web servers to authenticate through it. It's not always easy, though. Often it's quite hard.

    But if you commit to it, and follow through, the dream of one password everywhere is just one of the many rewards that you will reap.

    As far as implementations, I've used Netscape/iPlanet and I've played with OpenLDAP. I used to work at Netscape so I'm biased, but I'd say spring for the iPlanet stuff if you can afford it. I found the OpenLDAP ACLs unintuitive and I heard reports that replication is unreliable.

    A final caveat. If you do choose LDAP, and you choose to make it a central part of your IT infrastructure, make this your mantra: "Read often, write seldom". LDAP is *NOT* a database. Let me repeat. LDAP is *NOT A DATABASE*. When people realize everything you can put into LDAP the first thing they want to do is try to make believe it's Oracle. Try to use it for write intensive applications and the only person more miserable than your users will be you.

    Good Luck! :-)
  • What we do (Score:2, Informative)

    We use Netscape's LDAP servers, NIS+ on Solaris and SiteMinder (NT -> Unix bridge) to manage our authentication needs. NT Administration and Unix Administration can be handled via web form interface to the LDAP servers. The changes replicate across platforms. It works fairly well.
  • openLDAP (Score:2, Informative)

    by nadie (536363)

    I just went to a presentation from my local LUG about this very thing. It was by the IT guy from the local university (ubc) who did exactly that. They have a mix of Solaris and Linux and Windows and he set up a unified ldap thing so that they could get rid of NIS.

    He promised to put the details up here [ece.ubc.ca] in a week or so. In the meantime, get openLDAP and the pam modules from padl.com

    He said that all the schemas are there in the source, and that this is the way of the future.

  • krb5/ldap... (Score:3, Interesting)

    by Raleel (30913) on Wednesday February 20, 2002 @11:57PM (#3042147)
    so, I'm pretty sure this is the right approach for my site as well, as it will allow a lot of crossplatform-ability.

    The stick in the mud here seems to be Irix along with afs...we can do integrated logins on linux and sun, due to pam, but irix has no pam.

    Anyone found a solution here?
    • The stick in the mud here seems to be Irix along with afs...we can do integrated logins on linux and sun, due to pam, but irix has no pam.

      Rumor has it that IRIX 6.5 has support for LDAP authentication. Try the nsd(1M) and ldap(7P) man pages, for starters.

      At least in theory, this might allow you to use NDS or some other robust LDAP implementation to provide login authentication to your IRIX systems.
  • I also work in a large Data center. Earlier this year we had a similar problem. We already used Active Directory for LDAP. We bought MS Services for Unix, which includes a NIS server. It works really well, actually. NDS was a great solution, but was a bit cost prohibitive. We had also looked at PAM but not all the OSs supported them.
  • SelectAccess [baltimore.com] is something I've used before. Based around LDAP, provides plugins for authentication on practically anything.
  • I'm currently trying to do the same:

    there's a nice HOWTO [idealx.org] about samba-ldap-windows domain logons.

    Then new linux distros like SuSE 7.3 or the latest RedHat automate the usage of ldap for user authentication.

    Quentin
    There was a study done 2 years ago (http://www.novell.com/news/press/archive/2000/02/pr00026.html) comparing Active Directory, eDirectory, and iPlanet. eDirectory was the best performer. At that time, eDirectory was at version 8.0. There have been 2 major releases since then. 8.5 came out summer of 2000, and 8.6 came out when Netware 6 was released. I assume things have only gotten better.

    FYI, eDirectory 8.7 should be out in April/May.
    • Almost forgot,

      there are supposed to be "hot new ldap features" eDirectory 8.7, "including ACL support using LDAP, LDAP extension for events, Persistent search, Dynamic Groups, Extensible Match, Start TLS, and SASL support for more authentication options."

      This info is from http://www.novellbrainshare.com/portal/eventguide/sessions.jsp. It's under the session info for session IO307.
  • With my neighbour, we have a total of 9 machines: Solaris, Irix, Linux and Windows (XP and 2000). We managed to have centralized logins AND centralized home directories on all the systems. Here is how we did it:

    We tried Kerberos, NIS and LDAP. We got the best results with LDAP.

    First of all you need a server. An old box (like a 200MHz) will be more than enough. We installed: LDAP, Samba and Samba-TNG. The last two because of Windows: Samba-TNG can act as a domain controller. Here are the main problems we encountered:

    IRIX: you have to get one of the latest versions (6.5.13+), and change in the file /var/ns/ldap.conf

    USERPASSWORD{{CRYPT\}}{}

    to

    USERPASSWORD{{crypt\}}{}

    Windows is the hardest one because the little changes you have to do depend on the service packs you installed. It's usually a key in the registry you have to modify.

    Another good thing about LDAP is the fact that you can have two LDAP servers running and slurpd does the data synchronization, so when one server goes down you still can log in.
