1
Authentication Project
David J. N. Begley, Network Analyst
University of Western Sydney, Nepean
2
Introduction
- Presentation of project design/status/issues to QUESTnet99 Conference
- Topics covered:
  - overall architecture/goals
  - software chosen (and why)
  - DIT structure, object classes and attributes
  - problems (and, where known, solutions)
  - future plans
3
Project Goals
- Enforce authentication of students prior to their using computer laboratories
- Authentication to use the same login ID and password as the student e-mail server
- Minimise changes to existing lab infrastructure
- Minimise impact on users, support and applications
4
Project Status
- Proof-of-concept demonstrated the solution indeed works (with caveats)
- Currently in testing (ironing out technical problems and establishing end-user support procedures)
- Plan is to go “live” mid-year (July, 1999)
5
Current Situation: Laboratories
- Desktop machines
  - Apple Macintosh G3, MacOS 8.5
  - Apple Macintosh 7600/200, MacOS 8.0
  - Intel x86 PC, Windows NT 4.0 Workstation
  - Novell NetWare Client on all desktops
- Servers
  - Novell NetWare 5.0
- Students enter a login ID, but there is no verification
6
Current Situation: E-Mail Server
- Single, centralised student e-mail server
  - Sun SPARCserver 20 MP
  - Sun Solaris 2.6
  - accounts in /etc/passwd and /etc/shadow
- Currently enrolled students allocated an account (from student record system)
- Students locked into a menu system, no direct Unix shell access
7
Current Situation: E-Mail Server (continued)
- Currently between 13,000 and 14,000 accounts
- Peaks much higher (prior to account purges)
- At most 100 simultaneous users
8
Desired Solution
- Move user/authentication information from traditional Unix flat files to NetWare NDS
- Configure e-mail server to authenticate (and perform user lookups) against NDS
  - PAM - Pluggable Authentication Modules
  - NSS - Name Service Switch
- Solaris applications need to be made “PAM-aware” (if not already)
9
[Architecture diagram: an NDS Master and two NDS Replicas on Novell NetWare 5.0 servers; Apple MacOS 8.0/8.5 and Windows NT 4.0 Workstation lab clients; the Solaris 2.6 e-mail server reaching the directory service through PAM and NSS]
10
NDS for Solaris
- Novell or Sun? (getting blood from a stone)
- Beta site participation
- Despite early performance/resource concerns, consensus is to implement
- Show-stopper: six-figure licence fee
11
LDAP
- Previously disregarded due to staffing resources required
- Multitude of clients (including Eudora, Netscape, Java, Perl and PHP)
- Possible interface to Cisco/Microsoft DEN
- NetWare 5 ships with an LDAP server: retain the solution design, use LDAP as the protocol for communicating with NDS
12
Product List
- Testing/Production
  - Novell NetWare 5.0 + NDS 8
  - Sun Solaris 2.6
  - Netscape Directory SDK
  - PADL Software’s PAM_LDAP & NSS_LDAP
- Additional Testing
  - OpenLDAP 1.2.1
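How the PADL modules are pointed at the directory on the Solaris side, as an added example for this deck (not the project's own configuration and not copied from PADL's documentation). Three files are involved: pam.conf stacks pam_ldap ahead of the local pam_unix module, nsswitch.conf adds the ldap source for user and group lookups, and ldap.conf tells both modules where and how to talk to the server. The module paths, option names, host name and administrator DN are assumptions; the option names follow later PADL releases and the 1999 versions under test may have differed.

```conf
# --- /etc/pam.conf (Solaris format: service  module_type  control_flag  module_path  options)
# Ask the directory first; fall through to the local files for root and for any
# account still in /etc/passwd.  use_first_pass re-uses the password already
# typed so a local-file user is not prompted twice.
login   auth      sufficient  /usr/lib/security/pam_ldap.so.1
login   auth      required    /usr/lib/security/pam_unix.so.1  use_first_pass
login   account   sufficient  /usr/lib/security/pam_ldap.so.1
login   account   required    /usr/lib/security/pam_unix.so.1
other   password  sufficient  /usr/lib/security/pam_ldap.so.1
other   password  required    /usr/lib/security/pam_unix.so.1  use_first_pass

# --- /etc/nsswitch.conf: resolve users and groups from the files, then the directory
passwd:  files ldap
group:   files ldap

# --- /etc/ldap.conf, shared by pam_ldap and nss_ldap
# Host name and administrator DN are placeholders, not values from the deck.
host ldap.nepean.uws.edu.au
base o=The University of Western Sydney,c=AU
# userPassword is held in cleartext in NDS, so no bind may cross the wire unencrypted
ssl on
# Where the student entries live; scope 'one' suits the single-container NDS 8 design
nss_base_passwd ou=Users,o=The University of Western Sydney,c=AU?one
nss_base_shadow ou=Users,o=The University of Western Sydney,c=AU?one
pam_login_attribute uid
# When the calling process is root, bind as the directory administrator instead of
# the user; the password is read from /etc/ldap.secret (mode 0600).  This is how
# pam_ldap lets root change a password without supplying the old one.
rootbinddn cn=diradmin,o=The University of Western Sydney,c=AU
# Send the new password as a plain LDAP modify of userPassword; the server stores
# whatever it receives
pam_password clear
```

Two consequences worth checking in a test tree: pam_ldap verifies a password by binding as the user's DN, so every login on the Solaris box also counts as an NDS login for that user, and `ssl on` is what keeps those binds (and the cleartext userPassword values) off the wire.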
13
Tree Structure
- No universal DIT design, just recommended hierarchy styles
- OpenLDAP, AARNet X.500 Pilot names
  - 20,001 users in a single context
- NDS tree, maximise performance (NDS 7)
  - ten containers, keyed on the penultimate digit of the student ID#
  - with NDS 8, experimenting with a single container for all students
17
Object Classes and Attributes
- Choice driven by PAM_LDAP, NSS_LDAP
  - RFC 2307
    - Solaris 8
    - HP-UX
    - Compaq Tru64 UNIX (IASS 5.0)
    - NDS/Active Directory (?)
- Core object classes
  - posixAccount, shadowAccount
18
Sample student entry (LDIF):
dn: cn=n9910000,ou=Users,o=The University of Western Sydney,c=AU
ufn: n9910000,Users,The University of Western Sydney,AU
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: account
objectclass: posixAccount
objectclass: shadowAccount
fullname: Test Student #10000
givenname: Test
sn: #10000
uid: n9910000
userpassword: {crypt}gf1MpM.r02nsw
shadowlastchange: 10650
loginshell: /usr/local/bin/menu
uidnumber: 20000
gidnumber: 10
homedirectory: /home/99/n9910000
gecos: Test Student #10000
cn: n9910000
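What nss_ldap does with an entry like the one above, as an added example (this is not code from the project or from PADL): parse the LDIF, check that the entry carries the object classes and attributes the default RFC 2307 passwd and shadow lookups need, and build the passwd(5) and shadow(5) records the e-mail server would see. The sample entry is the slide's test student trimmed to the attributes nss_ldap reads; the `{crypt}` handling mirrors nss_ldap's rule that only a `{crypt}`-prefixed userPassword is usable locally, which is the root of the "NDS does not recognise crypt passwords" problem later in the deck.

```python
"""nss_ldap's view of an RFC 2307 entry: parse LDIF, check the object classes
and attributes the default passwd/shadow lookups need, and build the
passwd(5)/shadow(5) records.  Added example, not code from the project."""
from __future__ import annotations

import datetime

# Constructed sample: the slide's test-student entry, trimmed to the attributes
# nss_ldap reads (ufn and the person/inetOrgPerson naming attributes dropped).
SAMPLE_LDIF = """\
dn: cn=n9910000,ou=Users,o=The University of Western Sydney,c=AU
objectclass: top
objectclass: posixAccount
objectclass: shadowAccount
uid: n9910000
userpassword: {crypt}gf1MpM.r02nsw
shadowlastchange: 10650
loginshell: /usr/local/bin/menu
uidnumber: 20000
gidnumber: 10
homedirectory: /home/99/n9910000
gecos: Test Student #10000
cn: n9910000
"""
# Mandatory posixAccount attributes (RFC 2307 section 2.2; cn is in the RDN).
PASSWD_REQUIRED = ("uid", "uidnumber", "gidnumber", "homedirectory")

def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry into {lowercased attribute: [values]}.
    LDAP attribute names are case-insensitive, hence the lowercasing.  Folded
    continuation lines (leading space) are joined and '#' comments dropped."""
    unfolded: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            unfolded.append(raw)
    attrs: dict[str, list[str]] = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def _first(attrs: dict[str, list[str]], name: str, default: str = "") -> str:
    return attrs.get(name, [default])[0]

def check_rfc2307(attrs: dict[str, list[str]]) -> list[str]:
    """Problems that would make nss_ldap's default lookups miss the entry.
    Default filters are (&(objectClass=posixAccount)(uid=%s)) for passwd and
    (&(objectClass=shadowAccount)(uid=%s)) for shadow: hence the NDS subclasses."""
    problems: list[str] = []
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    for cls, db in (("posixAccount", "passwd"), ("shadowAccount", "shadow")):
        if cls.lower() not in classes:
            problems.append(f"objectclass {cls} missing: {db} lookups will not match")
    for name in PASSWD_REQUIRED:
        if name not in attrs:
            problems.append(f"required attribute {name} missing")
    for name in ("uidnumber", "gidnumber", "shadowlastchange"):
        if name in attrs and not attrs[name][0].isdigit():
            problems.append(f"{name} is not a non-negative integer: {attrs[name][0]!r}")
    return problems

def crypt_field(attrs: dict[str, list[str]]) -> str:
    """Password field as nss_ldap fills it: the text after a '{crypt}' prefix.
    Any other form (another scheme, or the cleartext value NDS ends up holding)
    yields '*', so local crypt(3) comparison can never succeed and the password
    must instead be checked by pam_ldap binding to the directory as the user."""
    for value in attrs.get("userpassword", []):
        if value[:7].lower() == "{crypt}":
            return value[7:]
    return "*"

def passwd_line(attrs: dict[str, list[str]]) -> str:
    """passwd(5) record; 'x' because the hash is served via the shadow map."""
    return ":".join([
        _first(attrs, "uid"), "x", _first(attrs, "uidnumber"), _first(attrs, "gidnumber"),
        _first(attrs, "gecos") or _first(attrs, "cn"),  # nss_ldap falls back to cn
        _first(attrs, "homedirectory"), _first(attrs, "loginshell"),
    ])

def shadow_line(attrs: dict[str, list[str]]) -> str:
    """shadow(5) record: name:hash:lastchg:min:max:warn:inactive:expire:flag."""
    ageing = ("shadowlastchange", "shadowmin", "shadowmax", "shadowwarning",
              "shadowinactive", "shadowexpire", "shadowflag")
    return ":".join([_first(attrs, "uid"), crypt_field(attrs)] + [_first(attrs, f) for f in ageing])

def last_change_date(attrs: dict[str, list[str]]) -> datetime.date:
    """shadowLastChange is days since 1970-01-01, as in the shadow(5) field."""
    return datetime.date(1970, 1, 1) + datetime.timedelta(days=int(_first(attrs, "shadowlastchange", "0")))

if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print(check_rfc2307(entry) or "entry satisfies nss_ldap", passwd_line(entry), shadow_line(entry), sep="\n")
    # The same account once the password is stored cleartext: the shadow hash field becomes '*'.
    print(shadow_line(parse_ldif_entry(SAMPLE_LDIF.replace("{crypt}gf1MpM.r02nsw", "NewPass99"))))
```

Run against the sample, the entry passes the checks, the shadowLastChange of 10650 decodes to 28 February 1999, and replacing the `{crypt}` value with a cleartext one turns the shadow password field into `*`. That last result is the practical meaning of the cleartext decision: with no usable hash on the Unix side, every password check becomes an LDAP bind, and anyone permitted to read userPassword in the directory reads the password itself, so the attribute's ACL and the SSL transport carry the whole secret.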
19
NDS Object Classes
- NetWare 5 LDAP server maps NDS classes into LDAP “objectclass” equivalents
- RFC 2307 suggests particular search patterns (for NSS functions), using particular LDAP object classes
- New NDS object classes (subclassing “User”) required to satisfy these search patterns
- Future NDS may support RFC 2307?
20
Problems/Solutions - NetWare
- LDAP slow: up to 2.5 mins per lookup
  → install NDS 8
- NDS does not recognise Unix “crypt” passwords
  → issue new passwords to all students, store as cleartext (transport to be secured with SSL)
- Authenticated LDAP binds count toward the concurrent login total
  → set maximum concurrent logins cautiously
21
Problems/Solutions - Solaris
- Solaris 2.6 PAM library broken: always hands a NULL appdata_ptr back to PAM-aware applications
  → recode applications to ignore appdata_ptr (i.e., to avoid using the PAM API as per spec)
- Sun aware of the problem, but not willing to release a fix?
- Solaris (2.)7 apparently fixed (unverified)
22
Problems/Solutions - PAM/NSS
- Password changes work, but require the original password (even for the superuser)
  → rewrite the password change tool to change the password in LDAP directly as diradmin
- Behavioural differences before/after LDAP
  → ensure PAM is configured correctly
- Command line completion for login IDs
  → tune nscd (???)
23
Future Possibilities
- Expand authentication to other parts of the network (e.g., remote access service)
- Integration with network directory (DEN)
- Corporate directory (UWS-wide)
  - University “unique ID”
  - White Pages
  - “address-less e-mail”
  - e-mail routing (aliases)
24
Q&A
[email protected]
http://www.nepean.uws.edu.au/users/david/qn99/