
Authentication Project

David J. N. Begley
Network Analyst
University of Western Sydney, Nepean

Introduction

Presentation of project design/status/issues to QUESTnet99 Conference

Topics covered:
  overall architecture/goals
  software chosen (and why)
  DIT structure, object classes and attributes
  problems (and where known, solutions)
  future plans

Project Goals

Enforce authentication of students prior to their using computer laboratories

Authentication to use the same login ID and password as the student e-mail server

Minimise changes to existing lab infrastructure

Minimise impact on users, support and applications

Project Status

Proof-of-concept demonstrated solution indeed works (with caveats)

Currently in testing (ironing out technical problems and establishing end-user support procedures)

Plan is to go “live” mid-year (July, 1999)

Current Situation: Laboratories

Desktop machines
  Apple Macintosh G3, MacOS 8.5
  Apple Macintosh 7600/200, MacOS 8.0
  Intel x86 PC, Windows NT 4.0 Workstation
  Novell NetWare Client on all desktops

Servers
  Novell NetWare 5.0

Students enter login ID, but no verification

Current Situation: E-Mail Server

Single, centralised student e-mail server
  Sun SPARCserver 20 MP
  Sun Solaris 2.6
  accounts in /etc/passwd and /etc/shadow

Currently enrolled students allocated an account (from student record system)

Students locked into a menu system, no direct Unix shell access

Current Situation: E-Mail Server

Currently between 13,000 and 14,000 accounts

Peaks much higher (prior to account purges)

At most 100 simultaneous users

Desired Solution

Move user/authentication information from traditional Unix flat files to NetWare NDS

Configure e-mail server to authenticate (and perform user lookups against) NDS
  PAM - Pluggable Authentication Modules
  NSS - Name Service Switch

Solaris applications need to be made “PAM-aware” (if not already)

Architecture diagram (components as labelled on the slide): Novell NetWare 5.0 NDS Master; two Novell NetWare 5.0 NDS Replicas; Apple MacOS 8.0/8.5 and Windows NT 4.0 Workstation desktops; Solaris 2.6 e-mail server using PAM and NSS; Directory Service

NDS for Solaris

Novell or Sun? (getting blood from a stone)

Beta site participation

Despite early performance/resource concerns, consensus is to implement

Show-stopper: six-figure licence fee

LDAP

Previously disregarded due to staffing resources required

Multitude of clients (including Eudora, Netscape, Java, Perl and PHP)

Possible interface to Cisco/Microsoft DEN

NetWare 5 ships with LDAP server - retain solution design, use LDAP as protocol for communicating with NDS

Product List

Testing/Production
  Novell NetWare 5.0 + NDS 8
  Sun Solaris 2.6
  Netscape Directory SDK
  PADL Software’s PAM_LDAP & NSS_LDAP

Additional Testing
  OpenLDAP 1.2.1

Tree Structure

No universal DIT design, just recommended hierarchy styles

OpenLDAP, AARNet X.500 Pilot names
  20,001 users in a single context

NDS tree, maximise performance (NDS 7)
  ten containers, penultimate digit in student ID#
  with NDS 8, experimenting with single container for all students

Tree diagram (OpenLDAP / X.500 Pilot style), root first:
c=AU
  o=The University of Western Sydney
    ou=Users

Tree diagram (NDS 7 tree, ten student containers), root first:
T=ITS-DEV
  O=UWS
    OU=Nepean
      OU=Labs
        OU=0  OU=1  ...  OU=9

Tree diagram (NDS 8 tree, single student container), root first:
T=ITS-DEV
  O=UWS
    OU=Nepean
      OU=Labs
        OU=Students  OU=Staff

Object Classes and Attributes

Choice driven by PAM_LDAP, NSS_LDAP

RFC 2307
  Solaris 8
  HP-UX
  Compaq Tru64 UNIX (IASS 5.0)
  NDS/Active Directory (?)

Core object classes
  posixAccount, shadowAccount

Sample entry (test student account, as returned by ldapsearch):

dn: cn=n9910000,ou=Users,o=The University of Western Sydney,c=AU
ufn: n9910000,Users,The University of Western Sydney,AU
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: account
objectclass: posixAccount
objectclass: shadowAccount
fullname: Test Student #10000
givenname: Test
sn: #10000
uid: n9910000
userpassword: {crypt}gf1MpM.r02nsw
shadowlastchange: 10650
loginshell: /usr/local/bin/menu
uidnumber: 20000
gidnumber: 10
homedirectory: /home/99/n9910000
gecos: Test Student #10000
cn: n9910000
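As an added example (not the project's or PADL's code), a small Python script that applies the RFC 2307 mapping to the entry above: it reads the LDIF, builds the getpwnam() search filter that NSS_LDAP issues (escaping the login ID so a typed name cannot reshape the filter), and synthesises the passwd and shadow records the e-mail server would see. The sample entry is a constructed subset of the slide's entry, and the parser handles only the plain "attribute: value" lines that subset uses.

```python
"""RFC 2307: map a posixAccount/shadowAccount entry to the passwd/shadow records nss_ldap synthesises."""

# Constructed sample: the test student entry from the slide, as LDIF text.
SAMPLE_LDIF = """\
dn: cn=n9910000,ou=Users,o=The University of Western Sydney,c=AU
objectclass: posixAccount
objectclass: shadowAccount
uid: n9910000
userpassword: {crypt}gf1MpM.r02nsw
shadowlastchange: 10650
loginshell: /usr/local/bin/menu
uidnumber: 20000
gidnumber: 10
homedirectory: /home/99/n9910000
gecos: Test Student #10000
cn: n9910000
"""

def parse_ldif(text: str) -> dict[str, list[str]]:
    """Minimal LDIF reader for one entry; attribute names are case-insensitive.
    (No base64 '::' values or continuation lines: the sample does not use them.)"""
    entry: dict[str, list[str]] = {}
    for line in text.splitlines():
        if line.strip():
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def ldap_escape(value: str) -> str:
    """Escape filter metacharacters (RFC 4515) before interpolating user input."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def nss_filter(login: str) -> str:
    """The getpwnam() search that RFC 2307 section 5.3 prescribes for nss_ldap."""
    return f"(&(objectClass=posixAccount)(uid={ldap_escape(login)}))"

def passwd_line(e: dict[str, list[str]]) -> str:
    """passwd(5) record; the password field is 'x' because it lives in shadow."""
    first = lambda a, d="": e.get(a, [d])[0]
    return ":".join([first("uid"), "x", first("uidnumber"), first("gidnumber"),
                     first("gecos"), first("homedirectory"), first("loginshell", "/bin/sh")])

def shadow_line(e: dict[str, list[str]]) -> str:
    """shadow(5) record. Only a {crypt} userPassword is usable as a hash; a cleartext
    value (the NDS workaround on the slides) is locked out here and pam_ldap verifies it by binding."""
    first = lambda a: e.get(a, [""])[0]
    pw = first("userpassword")
    hashed = pw[len("{crypt}"):] if pw.lower().startswith("{crypt}") else "*"
    return ":".join([first("uid"), hashed, first("shadowlastchange"), first("shadowmin"), first("shadowmax"),
                     first("shadowwarning"), first("shadowinactive"), first("shadowexpire"), first("shadowflag")])
```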

NDS Object Classes

NetWare 5 LDAP server maps NDS classes into LDAP “objectclass” equivalents

RFC 2307 suggests particular search patterns (for NSS functions), using particular LDAP object classes

New NDS object classes (subclass “User”) required to satisfy these search patterns

Future NDS may support RFC 2307?

Problems/Solutions - NetWare

LDAP slow - up to 2.5 mins per lookup
  install NDS 8

NDS does not recognise Unix “crypt” passwords
  issue new passwords to all students, store as cleartext (transport to be secured with SSL)

Authenticated LDAP binds count toward concurrent login total
  set maximum concurrent logins cautiously

Problems/Solutions - Solaris

Solaris 2.6 PAM library broken - always returns NULL pointer to PAM-aware applications
  recode applications to ignore appdata_ptr (i.e., to avoid using PAM API as per spec)

Sun aware of problem, but not willing to release a fix?

Solaris (2.)7 apparently fixed (unverified)

Problems/Solutions - PAM/NSS

Password changes work, but require original password (even if superuser)
  rewrite password change tool to change password in LDAP directly as diradmin

Behavioural differences before/after LDAP
  ensure PAM configured correctly

Command line completion for login IDs
  tune nscd (???)

Future Possibilities

Expand authentication to other parts of the network (e.g., remote access service)

Integration with network directory (DEN)

Corporate directory (UWS-wide)
  University “unique ID”
  White Pages
  “address-less e-mail”
  e-mail routing (aliases)

Q&A

[email protected]
http://www.nepean.uws.edu.au/users/david/qn99/