Active Directory for Unix Systems

  1. Active Directory for Unix Systems
     An update on modifications that have been made to the partners.org AD to support POSIX/Unix systems
     Stephen Roylance, System Engineer, ERIS, SRoylance@partners.org

  2. Introduction
     • Identification
     • Authentication
     • Authorization/Access Control

  3. Unix authentication - origins
     • In the beginning there was /etc/passwd and /etc/group
     • They contained all user identification information as well as the authentication token (the "encrypted" password, in practice a crypt(3) hash)
     • System libraries implemented getpwnam/getpwuid and getgrnam/getgrgid by reading those files
     • /bin/login handled authentication by hashing the typed password and comparing it with the stored value

  4. System information – passwd
     sdr:x:501:504:Steve Roylance:/home/sdr:/bin/bash
     Colon-separated fields, left to right:
     • username (sdr)
     • encrypted password (x: on a shadowed system this placeholder means the hash lives in /etc/shadow)
     • user ID number (501)
     • group ID number (504)
     • GECOS: the user's real name and other "human-id" information (Steve Roylance)
     • home directory (/home/sdr)
     • login shell (/bin/bash)

  5. System information - group
     rescomp:x:502:azschau,nbc0,sdr,dennis,jxu,bgr0,ajh1
     Colon-separated fields, left to right:
     • group name (rescomp)
     • group password (x)
     • group ID number (502)
     • group members, a comma-delimited list (azschau,nbc0,sdr,dennis,jxu,bgr0,ajh1)

  6. Unix authentication – now
     • Name Service Switch (NSS): an abstraction layer for user and system identity information, configured in /etc/nsswitch.conf, so that getpwnam and friends can consult sources other than the flat files
     • Pluggable Authentication Modules (PAM): an abstraction layer for user authentication, so that login, sshd, su and the like no longer need to know where or how passwords are stored

  7. RFC2307
     • Defines a standard schema for storing NSS information (users, groups and the other NSS maps) in LDAP
     • The reference implementation is open source, provided by padl.com
     • It consists of two modules: nss_ldap (identification) and pam_ldap (authentication)
     • Shipped with most Linux distributions

  8. RFC2307bis
     • Draft revision of RFC2307, implemented in current versions of nss_ldap and pam_ldap
     • Extends the group schema to handle native LDAP groups: membership expressed as member DNs (member/uniqueMember) rather than only as memberUid login names

  9. Active Directory
     • A functional, if specialized, LDAP service
     • Services for Unix 3.5 provided an RFC2307-compatible schema and tools to manage it
     • Windows Server 2003 R2 added what was SFU into the base distribution as a set of optional components
     • The schema modifications for Unix are added by default when upgrading a domain to support R2 features

  10. The Hard Part
     • AD supporting the classes and attributes is not enough
     • They need to contain usable information
     • This requires developing a schema that is globally useful across Partners
     • ... and extending Partners' existing management tools to populate that schema

  11. Schema - Users
     • uidNumber: a unique integer identifier for each user, derived from the internal user identifier by adding 100,000 (which keeps it clear of the low-numbered range used by locally created accounts)
     • gidNumber: an integer that identifies the primary group; the same constant for all users
     • unixHomeDirectory: a string of the form /PHShome/%s, where %s is the user's Partners domain logon ID
     • loginShell: /bin/PHSshell (constant string)

  12. Schema - Groups
     • gidNumber: a unique integer for each group

  13. Schema - mappings
     • The Services for Unix schema supports RFC2307 clients, but there are some differences: AD users and groups are objectclass user and group rather than posixAccount and posixGroup, the login name is sAMAccountName rather than uid, the home directory is unixHomeDirectory rather than homeDirectory, and group membership is a list of member DNs rather than memberUid values
     • The client modules provide a method for translating: the following block from the sample ldap.conf shipped with nss_ldap/pam_ldap (shipped commented out; uncomment it to use AD) maps the RFC2307 names the modules look for onto the AD names

       # RFC 2307 (AD) mappings
       nss_map_objectclass posixAccount user
       nss_map_objectclass shadowAccount user
       nss_map_attribute uid sAMAccountName
       nss_map_attribute homeDirectory unixHomeDirectory
       nss_map_attribute shadowLastChange pwdLastSet
       nss_map_objectclass posixGroup group
       nss_map_attribute uniqueMember member
       pam_login_attribute sAMAccountName
       pam_filter objectclass=User
       pam_password ad

  14. SSL
     • By default AD supports encrypted LDAP using its own Kerberos-secured protocol (SASL/GSSAPI signing and sealing)
     • Usable on Unix, but heavyweight: the client needs a working Kerberos configuration and a credential it can bind with
     • LDAP over SSL (ldaps, port 636) is also available, but requires generating and installing an SSL certificate on each domain controller
     • The server team has deployed certificates using Verisign's managed PKI
     • nss_ldap and pam_ldap require the certificate of the issuing CA, which can be downloaded from Verisign's website; with it the modules can verify that they are talking to a genuine domain controller rather than merely encrypting to whatever answers on port 636

  15. Service Account
     • By default AD does not allow anonymous access to directory data (an anonymous bind can read little more than the rootDSE)
     • An account is therefore required for nss_ldap to bind and retrieve information from AD
     • PHS has a procedure for requesting a service account with limited privileges; the limitation matters because the account's password has to be stored in the client's ldap.conf, which nss_ldap needs readable by every local process

  16. Access Control
     • All AD groups (those carrying a gidNumber) are exposed as Unix groups
     • Managed using PAS
     • No change in how permissions are managed: files and directories keep using the ordinary Unix group mechanism
     • Restrict login access using pam_filter: an extra LDAP filter, such as membership in a designated group, that a user's entry must match before pam_ldap will authenticate it. This limits who can log in; nss_ldap still resolves every account, so it does not hide users from the system

  17. Putting it all together • http://research.partners.org/wiki/index.php/Active_Directory_on_Unix
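A complete client-side /etc/ldap.conf that puts slides 13 through 16 together, added here as an example; it is not from the presentation or the partners.org wiki. The directory host, base DN, service-account DN, CA bundle path and the login-restriction group are placeholders of my own, not partners.org values; the mapping directives are the ones from slide 13 with their leading comment markers removed.

```conf
# /etc/ldap.conf for padl nss_ldap / pam_ldap against an R2-schema AD.
# Added example: host, base, bind DN, CA path and group DN are placeholders.

# Directory to talk to. ldaps:// (port 636) so that the bind password and
# directory contents never cross the wire in the clear (slide 14).
uri ldaps://dc1.example.org/
base dc=example,dc=org
scope sub

# Read-only service account (slide 15). Its password sits in this file,
# which every local process can read, so the account must be able to do
# nothing beyond reading the user and group attributes.
binddn cn=unix-nss,ou=Service Accounts,dc=example,dc=org
bindpw REPLACE-ME

# Verify the domain controller's certificate against the CA that issued it.
# Without tls_checkpeer yes the module accepts any certificate, which leaves
# the bind password and every lookup open to an impostor on port 636.
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/verisign-ca-bundle.pem

# AD returns referrals to other DCs and domains; do not chase them blindly.
referrals no

# RFC 2307 (AD) mappings (slide 13): the names nss_ldap/pam_ldap look for
# on the left, the attribute or class AD actually uses on the right.
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_password ad

# Identification: only objects that carry Unix attributes become Unix users
# and groups (base?scope?filter form; older nss_ldap accepts only base?scope).
nss_base_passwd ou=People,dc=example,dc=org?sub?(uidNumber=*)
nss_base_group  ou=Groups,dc=example,dc=org?sub?(gidNumber=*)

# Authentication (slide 16): on top of being an AD user, the entry must be a
# member of the login group, or pam_ldap refuses to authenticate it. NSS
# lookups above are unaffected, so the user is still resolvable, just unable
# to log in.
pam_filter &(objectClass=user)(memberOf=cn=unix-login,ou=Groups,dc=example,dc=org)
```

Three things to check on any client built from this: tls_checkpeer yes is present and the CA file actually validates the DC certificate (a wrong path fails closed only if checkpeer is on); the bind account is read-only, because bindpw here is readable by every local user; and pam_filter restricts authentication only, so the nss_base_passwd filter is what narrows the account list if that is also required.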
