Active Directory for Unix Systems
An update on modifications that have been made to the partners.org AD to support POSIX/Unix systems
Stephen Roylance, System Engineer, ERIS
SRoylance@partners.org
Introduction
• Identification
• Authentication
• Authorization/Access Control

Unix authentication – origins
• In the beginning there was /etc/passwd and /etc/group
• Contained all user identification information as well as the authentication token (encrypted password)
• System libraries implemented getpwnam/getpwuid, getgrnam/getgrgid
• /bin/login handled authentication
System information – passwd
sdr : x : 501 : 504 : Steve Roylance : /home/sdr : /bin/bash
Fields, left to right:
• username
• encrypted password
• user ID number
• group ID number
• GCOS: user’s real name and other ‘human-id’ information
• home directory
• login shell

System information – group
rescomp : x : 502 : azschau,nbc0,sdr,dennis,jxu,bgr0,ajh1
Fields, left to right:
• group name
• group password
• group ID number
• group members (comma-delimited list)
Unix authentication – now
• Name Service Switch (NSS): an abstraction layer for user and system identity information
• Pluggable Authentication Modules (PAM): an abstraction layer for user authentication

RFC2307
• Defined a standard and a schema for storing NSS information in LDAP
• The reference implementation of RFC2307 is open source, provided by padl.com
• Contains two modules, nss_ldap and pam_ldap
• Shipped with most Linux distributions

RFC2307bis
• Draft revision of RFC2307, implemented in current versions of nss_ldap and pam_ldap
• Extends the group schema to handle native LDAP groups

Active Directory
• A functional, if specialized, LDAP service
• Services for Unix 3.5 provided an RFC2307-compatible schema and tools to manage it
• Windows Server 2003 R2 added what was SFU into the base distribution as a set of optional components
• Schema modifications for Unix are added by default when upgrading a domain to support R2 features

The Hard Part
• AD supporting the classes and attributes is not enough
• They need to contain usable information
• This requires developing a schema that is globally useful across Partners
• And extending Partners’ existing management tools to populate that schema
Schema – Users
• uidNumber: a unique integer identifier for each user, derived from the internal user identifier by adding 100,000
• gidNumber: an integer that identifies the primary group for all users (constant)
• unixHomeDirectory: a string of the form /PHShome/%s, where %s is the user’s Partners domain logon ID
• loginShell: /bin/PHSshell (constant string)

Schema – Groups
• gidNumber: a unique integer for each group

Schema – mappings
• The Services for Unix schema supports RFC2307 clients, but there are some differences
• The client modules provide a method for translating between the two, configured in ldap.conf:
    # RFC 2307 (AD) mappings
    #nss_map_objectclass posixAccount user
    #nss_map_objectclass shadowAccount user
    #nss_map_attribute uid sAMAccountName
    #nss_map_attribute homeDirectory unixHomeDirectory
    #nss_map_attribute shadowLastChange pwdLastSet
    #nss_map_objectclass posixGroup group
    #nss_map_attribute uniqueMember member
    #pam_login_attribute sAMAccountName
    #pam_filter objectclass=User
    #pam_password ad
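As an added example (not code from the deck, nor from nss_ldap or Services for Unix), the Python below applies the attribute mappings above and the schema rules from the Users slide to render a constructed AD user object as a passwd(5) line, and refuses objects that lack a required attribute. The gidNumber constant 504 is borrowed from the passwd slide and is an assumption, since the deck gives no value.

```python
# Added example: render an AD "user" object as a passwd(5) line the way nss_ldap
# would for getpwnam(), using the deck's nss_map_attribute table and schema rules.
UID_OFFSET = 100_000              # uidNumber = internal user id + 100,000
HOME_TEMPLATE = "/PHShome/%s"     # %s is the Partners domain logon ID
LOGIN_SHELL = "/bin/PHSshell"     # constant for every user
PRIMARY_GID = 504                 # assumed constant; the deck gives no value

# RFC 2307 attribute name -> Active Directory attribute (from the ldap.conf mappings)
NSS_MAP_ATTRIBUTE = {
    "uid": "sAMAccountName",
    "homeDirectory": "unixHomeDirectory",
    "shadowLastChange": "pwdLastSet",
}
PASSWD_ATTRS = ["uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell"]


def ad_attr(entry, rfc2307_name):
    """Fetch an RFC 2307 attribute from an AD entry, translating its name first."""
    return entry.get(NSS_MAP_ATTRIBUTE.get(rfc2307_name, rfc2307_name))


def populate_posix_attrs(internal_id, logon_id):
    """The Unix attributes the management tools must write for a Partners user."""
    return {
        "uidNumber": internal_id + UID_OFFSET,
        "gidNumber": PRIMARY_GID,
        "unixHomeDirectory": HOME_TEMPLATE % logon_id,
        "loginShell": LOGIN_SHELL,
    }


def passwd_entry(entry):
    """Return 'name:x:uid:gid:gecos:home:shell', or None when the object is not a
    mapped posixAccount or lacks a required attribute (having the schema is not
    enough; the attributes must hold usable values). The password field is always
    'x': AD never releases the hash, so authentication is left to pam_ldap."""
    if "user" not in entry.get("objectClass", []):  # nss_map_objectclass posixAccount user
        return None
    if any(ad_attr(entry, a) is None for a in PASSWD_ATTRS):
        return None
    return "%s:x:%d:%d:%s:%s:%s" % (
        ad_attr(entry, "uid"), ad_attr(entry, "uidNumber"), ad_attr(entry, "gidNumber"),
        entry.get("displayName", ""), ad_attr(entry, "homeDirectory"),
        ad_attr(entry, "loginShell"))


# Constructed sample AD object, not real directory data.
SAMPLE_USER = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": "sdr",
    "displayName": "Steve Roylance",
    **populate_posix_attrs(internal_id=1234, logon_id="sdr"),
}

if __name__ == "__main__":
    print(passwd_entry(SAMPLE_USER))
```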
SSL
• By default AD supports encrypted LDAP using its own Kerberos-secured protocol
• Usable on Unix, but heavyweight
• LDAP over SSL is also available, but requires generating and installing SSL certificates
• The server team has deployed certificates using Verisign’s managed PKI
• nss_ldap and pam_ldap require the certificate of the CA, which can be downloaded from Verisign’s website

Service Account
• By default AD does not allow any anonymous access
• An account is required for nss_ldap to retrieve information from AD
• PHS has a procedure for requesting a service account with limited privileges

Access Control
• All AD groups are exposed as Unix groups
• Managed using PAS
• No change in how permissions are managed
• Restrict login access using pam_filter

Putting it all together
• http://research.partners.org/wiki/index.php/Active_Directory_on_Unix