Authentication Project
David J. N. Begley
Network Analyst
University of Western Sydney, Nepean
Introduction
• Presentation of project design/status/issues to QUESTnet99 Conference
• Topics covered:
  • overall architecture/goals
  • software chosen (and why)
  • DIT structure, object classes and attributes
  • problems (and where known, solutions)
  • future plans
Project Goals
• Enforce authentication of students prior to their using computer laboratories
• Authentication to use the same login ID and password as the student e-mail server
• Minimise changes to existing lab infrastructure
• Minimise impact on users, support and applications
Project Status
• Proof-of-concept demonstrated solution indeed works (with caveats)
• Currently in testing (ironing out technical problems and establishing end-user support procedures)
• Plan is to go “live” mid-year (July, 1999)
Current Situation: Laboratories
• Desktop machines
  • Apple Macintosh G3, MacOS 8.5
  • Apple Macintosh 7600/200, MacOS 8.0
  • Intel x86 PC, Windows NT 4.0 Workstation
  • Novell NetWare Client on all desktops
• Servers
  • Novell NetWare 5.0
• Students enter login ID, but no verification
Current Situation: E-Mail Server
• Single, centralised student e-mail server
  • Sun SPARCserver 20 MP
  • Sun Solaris 2.6
  • accounts in /etc/passwd and /etc/shadow
• Currently enrolled students allocated an account (from student record system)
• Students locked into a menu system, no direct Unix shell access
Current Situation: E-Mail Server
• Currently between 13,000 and 14,000 accounts
• Peaks much higher (prior to account purges)
• At most 100 simultaneous users
Desired Solution
• Move user/authentication information from traditional Unix flat files to NetWare NDS
• Configure e-mail server to authenticate (and perform user lookups against) NDS
  • PAM - Pluggable Authentication Modules
  • NSS - Name Service Switch
• Solaris applications need to be made “PAM-aware” (if not already)
[Architecture diagram: the Solaris 2.6 e-mail server uses PAM and NSS to query a Directory Service held in NDS on Novell NetWare 5.0 (one NDS Master, two NDS Replicas); lab clients running Apple MacOS 8.0/8.5 and Windows NT 4.0 Workstation authenticate to the NetWare 5.0 servers.]
NDS for Solaris
• Novell or Sun? (getting blood from a stone)
• Beta site participation
• Despite early performance/resource concerns, consensus is to implement
• Show-stopper: six-figure licence fee
LDAP
• Previously disregarded due to staffing resources required
• Multitude of clients (including Eudora, Netscape, Java, Perl and PHP)
• Possible interface to Cisco/Microsoft DEN
• NetWare 5 ships with LDAP server - retain solution design, use LDAP as protocol for communicating with NDS
Product List
• Testing/Production
  • Novell NetWare 5.0 + NDS 8
  • Sun Solaris 2.6
  • Netscape Directory SDK
  • PADL Software’s PAM_LDAP & NSS_LDAP
• Additional Testing
  • OpenLDAP 1.2.1
Tree Structure
• No universal DIT design, just recommended hierarchy styles
  • OpenLDAP, AARNet X.500 Pilot names
  • 20,001 users in a single context
• NDS tree, maximise performance (NDS 7)
  • ten containers, penultimate digit in student ID#
  • with NDS 8, experimenting with single container for all students
[DIT diagram, OpenLDAP/X.500-style naming:]
c=AU
  o=The University of Western Sydney
    ou=Users
[DIT diagram, NDS 7 tree with ten student containers (OU=0 through OU=9, chosen by penultimate digit of student ID):]
T=ITS-DEV
  O=UWS
    OU=Nepean
      OU=Labs
        OU=0
        OU=1
        ...
        OU=9
[DIT diagram, NDS 8 tree with a single container for all students:]
T=ITS-DEV
  O=UWS
    OU=Nepean
      OU=Labs
        OU=Students
        OU=Staff
Object Classes and Attributes
• Choice driven by PAM_LDAP, NSS_LDAP
  • RFC 2307
  • Solaris 8
  • HP-UX
  • Compaq Tru64 UNIX (IASS 5.0)
  • NDS/Active Directory (?)
• Core object classes
  • posixAccount, shadowAccount
dn: cn=n9910000,ou=Users,o=The University of Western Sydney,c=AU
ufn: n9910000,Users,The University of Western Sydney,AU
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: account
objectclass: posixAccount
objectclass: shadowAccount
fullname: Test Student #10000
givenname: Test
sn: #10000
uid: n9910000
userpassword: {crypt}gf1MpM.r02nsw
shadowlastchange: 10650
loginshell: /usr/local/bin/menu
uidnumber: 20000
gidnumber: 10
homedirectory: /home/99/n9910000
gecos: Test Student #10000
cn: n9910000
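The following is an added example and not code from the presentation or from PADL's NSS_LDAP. It takes the test-student entry above (embedded as constructed LDIF input), emulates the RFC 2307 search patterns NSS_LDAP uses for passwd and shadow lookups, and shows how the entry is rendered back into /etc/passwd- and /etc/shadow-style records. It also implements the "penultimate digit of the student ID" container choice from the Tree Structure slide. The LDIF parser and the handling of non-{crypt} userPassword values (rendered as a locked "*" field) are this example's own choices, not documented NSS_LDAP behaviour.

```python
"""Added example (not from the original presentation): emulate RFC 2307
NSS lookups over the slide's LDIF entry. No directory server is contacted;
all input is constructed inline."""

from typing import Dict, List, Optional

# Constructed input: the test-student entry shown on the slide.
SAMPLE_LDIF = """\
dn: cn=n9910000,ou=Users,o=The University of Western Sydney,c=AU
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: account
objectclass: posixAccount
objectclass: shadowAccount
fullname: Test Student #10000
givenname: Test
sn: #10000
uid: n9910000
userpassword: {crypt}gf1MpM.r02nsw
shadowlastchange: 10650
loginshell: /usr/local/bin/menu
uidnumber: 20000
gidnumber: 10
homedirectory: /home/99/n9910000
gecos: Test Student #10000
cn: n9910000
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser (assumption: no base64 or folded lines).
    Entries are separated by blank lines; attribute names are stored
    lower-cased because LDAP attribute types compare case-insensitively."""
    entries: List[Entry] = []
    current: Entry = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def has_class(entry: Entry, cls: str) -> bool:
    return cls.lower() in (c.lower() for c in entry.get("objectclass", []))


def lookup(entries: List[Entry], attr: str, value: str, objectclass: str) -> Optional[Entry]:
    """Emulate the RFC 2307 filter (&(objectClass=<objectclass>)(<attr>=<value>)),
    e.g. getpwnam -> (&(objectClass=posixAccount)(uid=n9910000))."""
    for e in entries:
        if has_class(e, objectclass) and value in e.get(attr.lower(), []):
            return e
    return None


def passwd_line(entry: Entry) -> str:
    """getpwnam()-style view. The password field is 'x': the credential lives
    in userPassword and is only exposed through the shadow map."""
    return ":".join([
        entry["uid"][0], "x", entry["uidnumber"][0], entry["gidnumber"][0],
        entry.get("gecos", [""])[0], entry["homedirectory"][0], entry["loginshell"][0],
    ])


def shadow_line(entry: Entry) -> str:
    """getspnam()-style view. RFC 2307 stores crypt(3) hashes as
    '{crypt}<hash>'; the prefix is stripped here. Any other scheme (for
    instance the cleartext the project was forced to store in NDS) cannot be
    handed to crypt(3), so this example locks the field with '*'."""
    pw = entry["userpassword"][0]
    pw = pw[len("{crypt}"):] if pw.lower().startswith("{crypt}") else "*"
    return ":".join([entry["uid"][0], pw, entry.get("shadowlastchange", [""])[0]] + [""] * 6)


def nds_container(student_id: str) -> str:
    """'ten containers, penultimate digit in student ID#' (Tree Structure slide)."""
    digits = [c for c in student_id if c.isdigit()]
    if len(digits) < 2:
        raise ValueError("student ID needs at least two digits: %r" % student_id)
    return "OU=" + digits[-2]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    e = lookup(entries, "uid", "n9910000", "posixAccount")
    print(passwd_line(e))
    print(shadow_line(e))
    print("cn=%s,%s,OU=Labs,OU=Nepean,O=UWS" % (e["cn"][0], nds_container(e["uid"][0])))
```

The shadow view is where the NetWare problem on a later slide bites: NSS_LDAP can only hand crypt(3) a `{crypt}`-prefixed hash, so once passwords are stored in a form NDS can verify, the Unix side must authenticate through PAM binds rather than by reading a hash out of the shadow map.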
NDS Object Classes
• NetWare 5 LDAP server maps NDS classes into LDAP “objectclass” equivalents
• RFC 2307 suggests particular search patterns (for NSS functions), using particular LDAP object classes
• New NDS object classes (subclass “User”) required to satisfy these search patterns
• Future NDS may support RFC 2307?
Problems/Solutions - NetWare
• LDAP slow - up to 2.5 mins per lookup
  • install NDS 8
• NDS not recognise Unix “crypt” passwords
  • issue new passwords to all students, store as cleartext (transport to be secured with SSL)
• Authenticated LDAP binds count toward concurrent login total
  • set maximum concurrent logins cautiously
Problems/Solutions - Solaris
• Solaris 2.6 PAM library broken - always returns NULL pointer to PAM-aware applications
  • recode applications to ignore appdata_ptr (i.e., to avoid using PAM API as per spec)
  • Sun aware of problem, but not willing to release a fix?
  • Solaris (2.)7 apparently fixed (unverified)
Problems/Solutions - PAM/NSS
• Password changes work, but require original password (even if superuser)
  • rewrite password change tool to change password in LDAP directly as diradmin
• Behavioural differences before/after LDAP
  • ensure PAM configured correctly
• Command line completion for login IDs
  • tune nscd (???)
Future Possibilities
• Expand authentication to other parts of the network (e.g., remote access service)
• Integration with network directory (DEN)
• Corporate directory (UWS-wide)
  • University “unique ID”
  • White Pages
  • “address-less e-mail”
  • e-mail routing (aliases)
Q&A
david@uws.edu.au
http://www.nepean.uws.edu.au/users/david/qn99/