
Authentication Project


Presentation Transcript


  1. Authentication Project • David J. N. Begley, Network Analyst, University of Western Sydney, Nepean

  2. Introduction • Presentation of project design/status/issues to QUESTnet99 Conference • Topics covered: • overall architecture/goals • software chosen (and why) • DIT structure, object classes and attributes • problems (and where known, solutions) • future plans

  3. Project Goals • Enforce authentication of students prior to their using computer laboratories • Authentication to use the same login ID and password as the student e-mail server • Minimise changes to existing lab infrastructure • Minimise impact on users, support and applications

  4. Project Status • Proof-of-concept demonstrated solution indeed works (with caveats) • Currently in testing (ironing out technical problems and establishing end-user support procedures) • Plan is to go “live” mid-year (July, 1999)

  5. Current Situation: Laboratories • Desktop machines • Apple Macintosh G3, MacOS 8.5 • Apple Macintosh 7600/200, MacOS 8.0 • Intel x86 PC, Windows NT 4.0 Workstation • Novell NetWare Client on all desktops • Servers • Novell NetWare 5.0 • Students enter login ID, but no verification

  6. Current Situation: E-Mail Server • Single, centralised student e-mail server • Sun SPARCserver 20 MP • Sun Solaris 2.6 • accounts in /etc/passwd and /etc/shadow • Currently enrolled students allocated an account (from student record system) • Students locked into a menu system, no direct Unix shell access

  7. Current Situation: E-Mail Server • Currently between 13,000 and 14,000 accounts • Peaks much higher (prior to account purges) • At most 100 simultaneous users

  8. Desired Solution • Move user/authentication information from traditional Unix flat files to NetWare NDS • Configure e-mail server to authenticate (and perform user lookups against) NDS • PAM - Pluggable Authentication Modules • NSS - Name Service Switch • Solaris applications need to be made “PAM-aware” (if not already)

  9. (Architecture diagram) Directory Service: Novell NetWare 5.0 NDS Master with two Novell NetWare 5.0 NDS Replicas. Consumers of the directory: the Apple MacOS 8.0/8.5 and WinNT 4.0 Workstation lab desktops, and the Solaris 2.6 e-mail server, which reaches the directory through PAM (authentication) and NSS (user lookups).

  10. NDS for Solaris • Novell or Sun? (getting blood from a stone) • Beta site participation • Despite early performance/resource concerns, consensus is to implement • Show-stopper: six-figure licence fee

  11. LDAP • Previously disregarded due to staffing resources required • Multitude of clients (including Eudora, Netscape, Java, Perl and PHP) • Possible interface to Cisco/Microsoft DEN • NetWare 5 ships with LDAP server - retain solution design, use LDAP as protocol for communicating with NDS

  12. Product List • Testing/Production • Novell NetWare 5.0 + NDS 8 • Sun Solaris 2.6 • Netscape Directory SDK • PADL Software’s PAM_LDAP & NSS_LDAP • Additional Testing • OpenLDAP 1.2.1

  13. Tree Structure • No universal DIT design, just recommended hierarchy styles • OpenLDAP, AARNet X.500 Pilot names • 20,001 users in a single context • NDS tree, maximise performance (NDS 7) • ten containers, penultimate digit in student ID# • with NDS 8, experimenting with single container for all students

  14. (Tree diagram, LDAP naming)
      c=AU
        o=The University of Western Sydney
          ou=Users

  15. (Tree diagram, NDS 7 layout)
      T=ITS-DEV
        O=UWS
          OU=Nepean
            OU=Labs
              OU=0, OU=1, … OU=9 (ten containers, one per penultimate digit of the student ID; the slide draws 0, 1 and 9)

  16. (Tree diagram, NDS 8 layout: single container for all students)
      T=ITS-DEV
        O=UWS
          OU=Nepean
            OU=Labs
              OU=Students, OU=Staff

  17. Object Classes and Attributes • Choice driven by PAM_LDAP, NSS_LDAP • RFC 2307 • Solaris 8 • HP-UX • Compaq Tru64 UNIX (IASS 5.0) • NDS/Active Directory (?) • Core object classes • posixAccount, shadowAccount

  18. Sample entry (test student):
      dn: cn=n9910000,ou=Users,o=The University of Western Sydney,c=AU
      ufn: n9910000,Users,The University of Western Sydney,AU
      objectclass: top
      objectclass: person
      objectclass: organizationalPerson
      objectclass: inetOrgPerson
      objectclass: account
      objectclass: posixAccount
      objectclass: shadowAccount
      fullname: Test Student #10000
      givenname: Test
      sn: #10000
      uid: n9910000
      userpassword: {crypt}gf1MpM.r02nsw
      shadowlastchange: 10650
      loginshell: /usr/local/bin/menu
      uidnumber: 20000
      gidnumber: 10
      homedirectory: /home/99/n9910000
      gecos: Test Student #10000
      cn: n9910000

  19. NDS Object Classes • NetWare 5 LDAP server maps NDS classes into LDAP “objectclass” equivalents • RFC 2307 suggests particular search patterns (for NSS functions), using particular LDAP object classes • New NDS object classes (subclass “User”) required to satisfy these search patterns • Future NDS may support RFC 2307?
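The object classes, attributes and NSS search patterns of slides 13 and 17 to 19, worked through as an added example (this is not code from the presentation or the project). It re-types the slide 18 entry as LDIF (constructed input; the Netscape SDK "ufn:" line is left out), checks it against the posixAccount MUST attributes of RFC 2307, renders the passwd(5) and shadow(5) views nss_ldap would hand back, builds the RFC 2307 search filters with the caller-supplied login ID escaped per RFC 2254 so a crafted ID cannot change the filter, decodes shadowLastChange, and picks the slide 15 container from the penultimate digit of the student ID. The container naming cn=<id>,OU=<digit>,OU=Labs,OU=Nepean,O=UWS is an assumption, not something the slides state.

```python
"""RFC 2307 account entry: parse, validate, map to passwd/shadow, build NSS filters.
Added example; not code from the presentation."""
from datetime import date, timedelta

# Slide 18 entry re-typed as LDIF (constructed input; the Netscape SDK "ufn:" line omitted).
SLIDE18_LDIF = """\
dn: cn=n9910000,ou=Users,o=The University of Western Sydney,c=AU
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: account
objectclass: posixAccount
objectclass: shadowAccount
fullname: Test Student #10000
givenname: Test
sn: #10000
uid: n9910000
userpassword: {crypt}gf1MpM.r02nsw
shadowlastchange: 10650
loginshell: /usr/local/bin/menu
uidnumber: 20000
gidnumber: 10
homedirectory: /home/99/n9910000
gecos: Test Student #10000
cn: n9910000
"""

# MUST attributes of posixAccount in RFC 2307 (LDAP attribute names are case-insensitive).
POSIX_ACCOUNT_MUST = {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}

# RFC 2307 search filters that nss_ldap issues for the NSS passwd/shadow functions.
NSS_FILTERS = {
    "getpwnam": "(&(objectClass=posixAccount)(uid={}))",
    "getpwuid": "(&(objectClass=posixAccount)(uidNumber={}))",
    "getspnam": "(&(objectClass=shadowAccount)(uid={}))",
}


def parse_ldif(text):
    """Minimal one-entry LDIF parser: attribute names lower-cased, values kept as lists."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def missing_rfc2307(entry):
    """Sorted list of posixAccount MUST attributes the entry lacks ([] means it passes)."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        return ["objectclass: posixAccount"]
    return sorted(POSIX_ACCOUNT_MUST - set(entry))


def passwd_line(entry):
    """passwd(5) line nss_ldap would return for getpwnam(); the hash stays in shadow."""
    return ":".join([
        entry["uid"][0], "x", entry["uidnumber"][0], entry["gidnumber"][0],
        entry.get("gecos", entry["cn"])[0], entry["homedirectory"][0],
        entry.get("loginshell", ["/bin/sh"])[0],
    ])


def shadow_line(entry):
    """shadow(5) line: only a {crypt} value can be exported, any other scheme becomes '*'."""
    stored = entry["userpassword"][0]
    hashed = stored[len("{crypt}"):] if stored.lower().startswith("{crypt}") else "*"
    last_change = entry.get("shadowlastchange", [""])[0]
    return f"{entry['uid'][0]}:{hashed}:{last_change}::::::"


def shadow_last_change_date(entry):
    """shadowLastChange counts days since 1970-01-01; 10650 is 1999-02-28."""
    return date(1970, 1, 1) + timedelta(days=int(entry["shadowlastchange"][0]))


def escape_filter_value(value):
    """RFC 2254 escaping so a login ID such as 'n99*)' cannot alter the filter's meaning."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def nss_filter(function, value):
    """Filter for one NSS function with the caller-supplied value safely escaped."""
    return NSS_FILTERS[function].format(escape_filter_value(str(value)))


def lab_container_dn(student_id, base="OU=Labs,OU=Nepean,O=UWS"):
    """Slides 13/15: ten containers, chosen by the penultimate digit of the student ID.
    The naming cn=<id>,OU=<digit>,<base> is an assumption, not taken from the slides."""
    digit = student_id[-2:-1]
    if not digit.isdigit():
        raise ValueError("student ID must end in at least two digits")
    return f"cn={student_id},OU={digit},{base}"


if __name__ == "__main__":
    e = parse_ldif(SLIDE18_LDIF)
    print("missing MUST attributes:", missing_rfc2307(e))
    print(passwd_line(e))
    print(shadow_line(e))
    print(shadow_last_change_date(e), nss_filter("getpwnam", e["uid"][0]))
    print(lab_container_dn(e["uid"][0]))
```

The escaping step is the part worth keeping in mind when writing any lookup tool against the directory: nss_ldap substitutes the login ID into the filter templates above, and an unescaped "*" or ")" in a user-controlled value widens or breaks the search.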

  20. Problems/Solutions - NetWare • LDAP slow - up to 2.5 mins per lookup • install NDS 8 • NDS does not recognise Unix “crypt” password hashes • issue new passwords to all students and store them in NDS as cleartext (transport to be secured with SSL) • Authenticated LDAP binds count toward the user's concurrent login total • set maximum concurrent logins cautiously

  21. Problems/Solutions - Solaris • Solaris 2.6 PAM library broken - always returns a NULL pointer (appdata_ptr) to PAM-aware applications • recode applications to ignore appdata_ptr (i.e., to avoid using the PAM API as per spec) • Sun aware of the problem, but not willing to release a fix? • Solaris (2.)7 apparently fixed (unverified)

  22. Problems/Solutions - PAM/NSS • Password changes work, but require the original password (even for the superuser) • rewrite the password change tool to change the password in LDAP directly, bound as diradmin • Behavioural differences before/after LDAP • ensure PAM is configured correctly • Command line completion for login IDs • tune nscd (???)
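The slide 22 workaround (the password tool writes the new value to the directory as diradmin rather than going through PAM with the old password), as an added example that is not the project's own tool. It emits the ldapmodify record that replaces userPassword and stamps shadowLastChange in the same unit slide 18 uses (days since 1970-01-01), base64-encodes any value LDIF cannot carry verbatim (RFC 2849), and refuses login IDs containing DN special characters instead of building an unintended DN. The diradmin DN, the user base and the ldapmodify invocation are assumptions; the slides name only "diradmin". Because slide 20 stores passwords in cleartext, this record must only ever travel over the SSL-protected connection the slides call for.

```python
"""Administrative password reset written straight to the directory (slide 22).
Added example; not the project's password-change tool."""
import base64
from datetime import date

# Hypothetical names: the slides mention "diradmin" but give neither its DN nor the user base.
DIRADMIN_DN = "cn=diradmin,o=The University of Western Sydney,c=AU"
USER_BASE = "ou=Users,o=The University of Western Sydney,c=AU"
DN_SPECIALS = set(',+"\\<>;=\n\r')  # RFC 2253: would need escaping inside an RDN


def days_since_epoch(iso_day):
    """shadowLastChange unit: days since 1970-01-01 (1999-02-28 -> 10650, as on slide 18)."""
    return (date.fromisoformat(iso_day) - date(1970, 1, 1)).days


def ldif_value(attr, value):
    """One LDIF attribute line; values RFC 2849 cannot carry verbatim go base64 ('::')."""
    safe = (
        value.isascii() and "\n" not in value and "\r" not in value
        and value[:1] not in (" ", ":", "<") and not value.endswith(" ")
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def reset_ldif(login_id, new_password, iso_day):
    """Modify record for ldapmodify: replace userPassword (cleartext, per slide 20, so only
    ever sent over SSL/TLS) and update shadowLastChange so the shadow view stays consistent."""
    if not login_id or any(ch in DN_SPECIALS for ch in login_id):
        raise ValueError("login ID contains characters that are not safe in a DN")
    return "\n".join([
        f"dn: cn={login_id},{USER_BASE}",
        "changetype: modify",
        "replace: userPassword",
        ldif_value("userPassword", new_password),
        "-",
        "replace: shadowLastChange",
        ldif_value("shadowLastChange", str(days_since_epoch(iso_day))),
        "-",
        "",
    ])


if __name__ == "__main__":
    # Bind as diradmin, not as the student, so no old password is needed. Assumed modern
    # OpenLDAP syntax (the 1999 tools listed on slide 12 used different flags):
    #   ldapmodify -H ldaps://directory.example/ -D "$DIRADMIN_DN" -W -f reset.ldif
    print(reset_ldif("n9910000", "correct horse", "1999-07-01"), end="")
```

The tool that wraps this needs the same care the slides give to concurrent logins: each diradmin bind is another authenticated LDAP session, and the diradmin credential itself must not be readable by the students whose passwords it can rewrite.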

  23. Future Possibilities • Expand authentication to other parts of the network (e.g., remote access service) • Integration with network directory (DEN) • Corporate directory (UWS-wide) • University “unique ID” • White Pages • “address-less e-mail” • e-mail routing (aliases)

  24. Q&A david@uws.edu.au http://www.nepean.uws.edu.au/users/david/qn99/
