User Account Management?
Jeremy Welling asks: "I work in a corporate data center with all the major Unices present. Currently we are using a third party product to manage user logins and authentication. In our goals for 2002, we want to move off that product, and the current plan is to go to NIS. Due to the inherent security holes in NIS, I am investigating using LDAP. We would also like to tie this into the NT domain logins. My question is, how difficult is this to do, what LDAP server software would be best, and what OS platform should we look at?"
Just a guess (Score:2, Informative)
What you could have is everything authing against LDAP, and then for NT have it authing against Samba, with Samba using PAM, which in turn uses LDAP?
Hope this helps!
LDAP by itself doesn't provide complete auth (Score:3, Informative)
Typically what people do when using LDAP for something like this is to use LDAP for authentication (which is easy/trivial to do). The hard part is management of authorization information.

Authentication simply tells you that a particular set of credentials provided by a client matched the same credentials in your LDAP server (which is what happens in any authentication system). You assume that since these credentials should only be able to be provided by a particular person, the application is "authenticated" as that user.

Authorization means what that user can do now that they have authenticated. You could authorize access based on group membership, where the user's entry lies in the DIT, time of day, gender, an attribute in their entry, or a number of different routes.

So to be honest, what you probably want to do is to use an existing authentication service such as Kerberos (which already provides a standardized means of providing authorization services) and use a directory service to feed the user & application data to Kerberos.
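The distinction this comment draws is easy to blur in code, so here is an added illustration (not from the thread or any poster) that keeps the two decisions apart: authentication checks the supplied password against an entry's `{SSHA}` userPassword, and authorization is a separate lookup of posixGroup membership. A constructed LDIF snapshot of posixAccount/posixGroup entries stands in for a live OpenLDAP server so it runs offline; the DNs, names and password are made up.

```python
import base64, hashlib, hmac

def ssha_hash(password: str, salt: bytes) -> str:  # OpenLDAP {SSHA} format: base64(SHA1(pw+salt)+salt)
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def ssha_verify(stored: str, password: str) -> bool:
    """Authentication: does the supplied password match the stored {SSHA} value?"""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])  # SHA-1 digest (20 bytes) followed by the salt
    candidate = hashlib.sha1(password.encode() + raw[20:]).digest()
    return hmac.compare_digest(raw[:20], candidate)

def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader -> {dn: {attribute: [values]}}; no line folding or base64 values."""
    directory = {}
    for block in text.strip().split("\n\n"):  # entries are separated by a blank line
        attrs = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            attrs.setdefault(attr, []).append(value)
        directory[attrs.pop("dn")[0]] = attrs
    return directory

def authenticate(directory: dict, uid: str, password: str):
    """Return the DN of the posixAccount whose uid and password both match, else None."""
    for dn, attrs in directory.items():
        if "posixAccount" in attrs.get("objectClass", []) and attrs.get("uid") == [uid]:
            return dn if ssha_verify(attrs.get("userPassword", [""])[0], password) else None
    return None

def authorize(directory: dict, uid: str, group_cn: str) -> bool:
    """Authorization, a separate decision: is uid listed as memberUid of the posixGroup?"""
    for attrs in directory.values():
        if "posixGroup" in attrs.get("objectClass", []) and attrs.get("cn") == [group_cn]:
            return uid in attrs.get("memberUid", [])
    return False

# Constructed snapshot standing in for a live OpenLDAP server (fixed salt keeps it reproducible).
SAMPLE_LDIF = f"""dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
userPassword: {ssha_hash('correct horse', b'salt1')}

dn: cn=wheel,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: wheel
memberUid: alice
"""
DIRECTORY = parse_ldif(SAMPLE_LDIF)
```

A successful `authenticate` call says nothing about what alice may do; a service still has to ask `authorize` for the group it requires.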
novell, krb5 (Score:3, Informative)
management, I recommend using Novell Directory Services (a nicely compatible LDAP implementation is included, and more), in conjunction with Kerberos v5. Keys can be kept in NDS LDAP, and auth tickets (which make power users of multiple machines and services on the network very happy because they don't have to enter passwords every 15 seconds) granted by krb5. I haven't tried integrating standard krb5 and Microsoft krb5-alike systems in one network before, and can imagine that there may be some issues that need to be finessed here, but if you just avoid the MS implementation altogether, you can end-run those issues.
A possible solution (Score:3, Informative)
I use OpenLDAP to store all user information. User accounts are of classes posixAccount AND sambaAccount.
I built Samba with LDAP support and configured it to store all its info in our LDAP server. I then combined two PAM modules (pam_smb_auth.so and pam_ldap.so) to let PAM-enabled services authenticate via the Samba server. pam_ldap.so is used for account information, pam_smb_auth.so is used for username/password authentication.

This gives a single username/password that can be used by anything which talks SMB or PAM. The Samba server acts as a PDC, so network signons work, users can change their passwords from the built-in Windows password change tools, and passwd changes their password from the Unix command line. It's all good.

I haven't bothered writing up a FAQ; mail me if you want a more detailed explanation (danpat at au dot adaptiveinternational dot com).
eDirectory is the way to go (Score:5, Informative)
There is a PAM module available for Linux that lets you log in using NDS (eDirectory) credentials. Other *nix clients should be handled the same. For an NT client you would either need to use Zen for Desktop's Dynamic Local User or you would need to use Novell Account Management. Account Management on NT will redirect the domain into NDS. On 2000, it will synchronize with Active Directory.
The other products I mentioned can take you in other directions. DirXML is a meta-directory synchronization tool. Available conduits include Active Directory, Exchange, LDAP, GroupWise, Lotus Notes, NT Domain, JDBC, Peoplesoft, SAP HR, and Delimited Text.
NDS Authentication Services (NDS-AS) extends NDS (eDirectory) authentication redirection to other platforms, including AIX, FreeBSD, HP-UX, Linux, OS/390, Solaris, and Windows. Note that some of NDS-AS duplicates functionality found in eDirectory or Account Management.
SecureLogin is a single sign-on technology, which may be another way to solve your problem.
To give you a bottom line answer, even if you want to ignore alternate solutions and go with a straight LDAP directory, use eDirectory. It doesn't matter which platform you run it from, Novell has demonstrated billion-user trees on several host OSes.
What we do (Score:2, Informative)
Re:Just a guess (Score:2, Informative)
What you really want to look into is all the various PAM modules to modify the Linux/Unix side to go to an external source that you can configure NT to go to. The problem with lots of these is that normally it is all done in the clear, so be careful.
openLDAP (Score:2, Informative)
I just went to a presentation from my local LUG about this very thing. It was by the IT guy from the local university (UBC) who did exactly that. They have a mix of Solaris and Linux and Windows, and he set up a unified LDAP thing so that they could get rid of NIS.
He promised to put the details up here [ece.ubc.ca] in a week or so. In the meantime, get openLDAP and the pam modules from padl.com
He said that all the schemas are there in the source, and that this is the way of the future.