
Authentication Server



  1. Authentication Server
     • Idea born in interdepartmental task force
     • Too many userid/password combinations for each user to remember
     • Need central set of secure servers that all systems use for authentication
     • Clemson University Personal ID (CUPID)
     • Prototyped/tested in late ‘95/spring ‘96
     • Production on July 1, 1996

  2. Authentication Server (diagram): the central Authentication Server with authC clients for Mail, UNIX, Web, Sun, Oracle†, Windows NT, NetWare and mainframe.

  3. Authentication Server Client Architecture (diagram): an AuthServ-Enabled Application (Native Application plus System Integration) acting for the User talks to the Authentication Server; the server's Agent consults Directory Services.

  4. Authentication Server Client Architecture Possibilities (diagram): as on slide 3, but the Agent fronts several directories (Directory 1, Directory 2, Directory 3).

  5. Client Integration - System Level (diagram): on MVS, Applications, TSO, DB2, IDMS and FTP reach the AuthClient through the RACF API / SAF, with RACF as the local store; on Unix, Applications and Sys Login reach the AuthClient through PAM, with /ETC/PASSWD as the local store. Two boxes on the slide are labelled only "?".

  6. Client Integration - Application Level (diagram): on Unix, POPd and CGI use the AuthClient BIN; on NT, Internet Information Server (IIS) uses the AuthClient DLL.

  7. Authentication Server
     • NetWare Loadable Module (NLM) is multithreaded
     • Clients use common code base
     • Clients have built-in failover capability
     • Communication based on TCP/IP sockets
     • > 90% of successful password checks complete in less than 0.1 seconds
     • > 4 million requests serviced by primary server over a 6 week period (100,000/day)

  8. AuthServ Applications

  9. NDS Authentication for Large IBM Systems and Applications

  10. NDS Authentication for Unix

  11. NDS for Authentication POP/IMAP

  12. Firewall Authentication (diagram): Users, Cisco PIX, Livingston Steel-Belted Radius with AuthClient, Intranet / Internet.

  13. NDS Web Security via Windows NT/UNIX/???

  14. NDS Authentication through Windows NT/UNIX/??? to the Web
      Application: Employee Information System (EIS)
      Type: Web Server
      OS: Windows NT 4.0 Server
      Enabling app: Website/Visual Basic

  15. NDS Security Across the Intranet (diagram): an NDS Authenticated Client (Netscape) sends a page request to an NT 4.0 web server (IIS with the 32-bit Auth Client DLL); the server issues CheckEquiv to the Authentication Server (AUTHAGNT.NLM, NDS), which checks security equivalence by locating the user object and running its equivalence list.

  16. AuthServ as an NDS Data Gateway
      Application: Call tracking system
      Type: Web Server
      OS: Windows NT 4.0 Server
      Enabling app: Website/Visual Basic
      (screenshot: an assignee pick-list of user IDs drawn from NDS: Not Assigned, BILL, BROYLES, CCR, DAVE, DAVIDC, DHF, DHFRS, DON, JAMBO, JHALL, MIKE, YATES)

  17. Web Interface to Home Directories via AUTHSERV NDS Gateway
      http://www.clemson.edu/~acollin
      Application: Personal pages
      Type: Web Server
      OS: Linux Server
      Enabling app: Apache/Caldera

  18. AuthServ Client Functions
      • Password check
      • Password change
      • Resolve to fully distinguished name
      • Check security equivalence
      • Return group membership
      • Get Effective Rights
      • Others

  19. WebAuth: Web Single Sign-On
      Only trusted web servers prompt for userid/password and set a cookie in the browser. Other web servers must use the cookie to determine the user.
      (diagram: Workstation with Web Browser 1 and Web Browser 2; DCIT Authentication WebServer with WebAuth Trusted Client and Auth Client, performing STORE; 3rd Party WebServer with WebAuth Client, performing CHECK; a Redirect between browser and servers; WebAuth NLM, AuthAgnt NLM and NDS on the back end)
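The STORE/CHECK split on slide 19 can be modelled in a few lines. This is an added example, not Clemson's WebAuth code: the session table, the trusted-server list, the cookie lifetime and the userid/password table are all assumptions; only a trusted server may STORE, and a third-party server can only CHECK and is never shown a password.

```python
import secrets
import time

# Constructed model of the WebAuth flow on slide 19, not Clemson's code. The
# "WebAuth NLM" keeps sessions server-side, keyed by an opaque cookie value, so
# third-party web servers never see a password: they can only CHECK a cookie.
SESSION_TTL = 8 * 3600                    # assumed lifetime; the slide gives none
_AUTH_CLIENT_DB = {"gmcochr": "correct horse", "kellen": "staple battery"}  # constructed

class WebAuthNLM:
    """Session store: STORE allowed for trusted servers only, CHECK for any."""
    def __init__(self, trusted):
        self._sessions = {}               # cookie -> (userid, expiry)
        self.trusted = set(trusted)       # the WebAuth Trusted Clients
    def store(self, server, userid):
        if server not in self.trusted:
            raise PermissionError(f"{server} is not a trusted WebAuth client")
        cookie = secrets.token_urlsafe(32)  # unguessable and opaque to the browser
        self._sessions[cookie] = (userid, time.time() + SESSION_TTL)
        return cookie
    def check(self, cookie):
        """Return the userid for a live cookie, else None (expired ones are dropped)."""
        entry = self._sessions.get(cookie)
        if entry is None:
            return None
        userid, expiry = entry
        if time.time() > expiry:
            del self._sessions[cookie]
            return None
        return userid

def trusted_login(nlm, userid, password):
    """DCIT Authentication WebServer: prompts, verifies via Auth Client, STOREs."""
    stored = _AUTH_CLIENT_DB.get(userid)    # stand-in for the Auth Client password check
    if stored is None or not secrets.compare_digest(stored, password):
        return None
    return nlm.store("dcit-authws", userid)

def third_party_request(nlm, cookie):
    """3rd Party WebServer: never prompts; CHECKs the cookie or redirects to login."""
    userid = nlm.check(cookie)
    return ("ok", userid) if userid else ("redirect", "dcit-authws/login")
```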

  20. Caldera OpenLinux and Apache
      • Web gateway to NetWare file system
      (diagram: Browsers reach NetWare File Servers through Caldera OpenLinux running AuthC, with the AuthServer alongside)

  21. Web Interface to Department Pages
      Application: Departmental pages
      Type: Web Server
      OS: Linux Server
      Enabling app: Apache/Caldera
      http://dcitnds.clemson.edu/CSO/depts/maint

  22. Caldera OpenLinux and Apache
      • First attempt to provide web services via Novell made use of Novell’s intraNetWare Web Server 1.0, which simply was not reliable
      • Caldera OpenLinux provided robust UNIX connectivity to NDS and supported the industry standard Apache web server
      • Out of the box, Caldera/Apache did not provide home directory redirection and/or authentication
      • It did, however, provide the source code needed to make these modifications

  23. Caldera OpenLinux and Apache Mods
      • Added a module that would link Apache’s user directory directive to the user’s Novell home directory
      • Making http://www.clemson.edu/~erich point to EMPLOYED/USR02:\USERS\U20\ERICH\PUBLIC.WWW
      • Since Caldera is NDS aware, this also allows us to serve group web sites via their own group servers

  24. Caldera OpenLinux and Apache Mods
      • Added another module using the previously mentioned authentication server routines to provide both user and group authentication
      • Makes use of standard HTACCESS format with additional Novell directives

  25. Using NDS to Secure Web Pages
      An .htaccess file using the added Novell directives (the realm name needs quotes, since Apache's AuthName takes a single argument):

          NovellAuth on
          AuthName "Novell Tree"
          AuthType Basic
          <Limit GET POST>
          require user gmcochr
          require user kellen
          require group .resadmin.groups.employee.clemsonu
          </Limit>

  26. Overall deployment (diagram)
      • Directory: intraNetWare server A, B and C, each running AUTHAGNT.NLM and sharing NDS
      • Hosts running AuthClient: Mainframe (MVS) with RACF and VTAM Onlines; NT Server with WebApp; OpenLinux with WebApp and the Apache Web site; MAIL (Solaris) with POPd
      • User workstation (Windows 95/Windows NT and Mac workstation): TN3270, Netscape†, LOGIN.EXE, Eudora

  27. Design

  28. Component layout (diagram)
      • Administrator: ‘95/’98/NT Workstation running the AuthAdmn Win32 App
      • Manager: NW Server running AuthMgr NLM and holding the Master Census
      • Agents: NW Server 1, NW Server 2 and NW Server N, each running AuthRslv NLM and AuthAgnt NLM with its own copy of the Census
      • AuthClient

  29. Component layout, simplified (diagram): as slide 28, with the Agent NW Servers drawn as one box serving several AuthClients.

  30. Census

  31. Classic Tree Design - Organizational (diagram): Company with containers Corp, Sales, Production, Prod Support, Proj1, Proj2, Admin, Actng, Mkting and R&D; users Sally, Bob, Emma and Fred.

  32. Classic Tree Design - Geographical (diagram): Company with containers New York, LA, Asia and Europe, holding Prod, R&D and Mkting sub-containers; users Emma, Sally, Fred and Bob.

  33. Clemson Tree Design (diagram): ClemsonU with Users and Organizations.

  34. CU - Every Person Has a Place (diagram): ClemsonU with Students, Misc. and Employee containers subdivided A to Z, plus Organizations.

  35. CU - Every Group Has a Place (diagram): ClemsonU with Users and the organizations Athletics, DCIT, CAFLS, CES, Forestry, Research and Dean's office.

  36. Client32 Login

  37. Novell’s Catalog Services
      • User locatable database of directory information
      • Query APIs
      • The catalog object
      • Snapin
      • Dredger
      • NetWare 5.x
      (context shown on the slide: .d.employee.clemsonu)

  38. A Tale of Two Bobs (diagram): the geographical tree of slide 32 with a Bob under both New York and LA, alongside Emma, Sally and Fred.

  39. Novell’s Catalog Services - 2 Bobs
      Duplicate keys require the user to choose his context at login time.
      (diagram: the key "bob" resolves to both .mkting.New York.company and .prod.LA.company)

  40. Catalog Services Issues
      • Catalog Object NDS Synchronization is tricky.
      • Heterogeneous Systems can be fooled by the catalog.
      • Heterogeneous Systems cannot handle duplicate Catalog entries.
      • Only supported in NetWare 5.x
      • Catalogs can only contain objects in its NDS tree.

  41. Census - Unique Catalog Services
      • Catalog Services with Rules.
      • Provide for true Universal IDs.
      • Trawls specified sections of Tree.
      • Periodic and On-Demand Trawls.
      • Can Use a Catalog as Input.
      • Not an NDS object.
      • Supports Multiple Trees.
      • Collisions are resolved once.

  42. Supported Objects (Census Definitions)
      • Org Unit
        • Recurse
        • Expand
      • Group (member)
      • Org Role (occupant)
      • User
      • Catalog
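Slides 38 to 42 describe what a Census trawl must do that a plain catalog does not: walk the tree sections named in a census definition, key users by login name, and surface duplicate keys as exceptions that an administrator settles once. The following is an added model of that logic, not Clemson's Census code; the tree (the two Bobs of slide 38), the rule format, the DN style and the exception-report shape are assumptions, and the "Expand" option is not modelled.

```python
from collections import defaultdict

# Constructed model of the Census design (slides 38-42, 44), not Clemson's code:
# trawl the tree sections named in a census definition, key users by login
# name, and report duplicate keys as exceptions to be resolved once.
TREE = {  # constructed tree: dn without leading dot -> (object class, attributes)
    "mkting.New York.company": ("OU", {}),
    "bob.mkting.New York.company": ("User", {}),
    "prod.LA.company": ("OU", {}),
    "bob.prod.LA.company": ("User", {}),
    "sally.prod.LA.company": ("User", {}),
    "ops.prod.LA.company": ("Group", {"member": ["sally.prod.LA.company", "fred.europe.company"]}),
    "fred.europe.company": ("User", {}),
}
RULES = [("OU", "New York.company", {"recurse": True}),  # the census definition (assumed format)
         ("OU", "LA.company", {"recurse": True}), ("Group", "ops.prod.LA.company", {})]

def trawl(rules):
    """Collect the user DNs reachable from each rule (slide 42 object types)."""
    found = set()
    def visit_ou(dn, recurse):  # immediate subordinates: one more RDN than dn
        for child in [d for d in TREE if d.endswith("." + dn) and d.count(".") == dn.count(".") + 1]:
            cls = TREE[child][0]
            if cls == "User":
                found.add(child)
            elif cls == "OU" and recurse:
                visit_ou(child, True)
    for cls, dn, opts in rules:
        if cls == "OU":
            visit_ou(dn, opts.get("recurse", False))
        elif cls == "User":
            found.add(dn)
        else:  # Group -> member list, OrgRole -> occupant list
            attr = {"Group": "member", "OrgRole": "occupant"}[cls]
            found.update(TREE[dn][1].get(attr, []))
    return found

def build_census(rules):
    """Unique login name -> DN; duplicate keys go to the exception report."""
    by_key = defaultdict(list)
    for dn in trawl(rules):
        by_key[dn.split(".")[0].lower()].append("." + dn)
    census = {k: v[0] for k, v in by_key.items() if len(v) == 1}
    exceptions = {k: sorted(v) for k, v in by_key.items() if len(v) > 1}
    return census, exceptions

def resolve(census, exceptions, key, chosen_dn):  # administrator settles a collision once
    if chosen_dn not in exceptions.get(key, []):
        raise ValueError(f"{chosen_dn} is not a candidate for {key}")
    census[key] = chosen_dn
    del exceptions[key]
```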

  43. Big Picture (diagram, with a legend distinguishing Data Flow from Client Command Flow): Administrator, Manager, Agent with Resolver, NDS and Client; artefacts Auth Config, Census, New Census and Exception Report.

  44. Exceptions

  45. User Bases (diagram): UB=FACULTY, UB=STAFF and UB=ALL, with FACULTY and STAFF as inputs; the Agent serves ALL and FACULTY.

  46. Mass User Management (diagram): HR feeds UserBases, which MUM applies to Directory Services.

  47. Requirements

  48. AuthAdmin Requirements
      • Windows ‘95/’98/NT Workstation
      • 64 MB RAM
      • Client32

  49. Manager Server Requirements
      • NetWare 4.11/5.x
      • P-100 or higher (recommended)
      • 1 MB RAM/2000 census users (free cache buffers)
      • 1 MB Disk/10,000 census users
      • No local replicas required.

  50. Agent Server Requirements
      • NetWare 4.11/5.x
      • P-166 or higher (process 25-50 concurrent requests with no local replicas)
      • 1 MB RAM/2000 census users (free cache buffers)
      • 1 MB Disk/10,000 census users
      • No local replicas required.
      • TCP/IP configured.
