Active Directory for Unix Systems - PowerPoint PPT Presentation

1 / 17

About This Presentation

Title:

Active Directory for Unix Systems

Description:

Name Service Switch: an abstraction layer for user and system identity information. Pluggable Authentication Modules: an abstraction layer for user authentication ... – PowerPoint PPT presentation

Number of Views:32

Avg rating:3.0/5.0

Slides: 18

Provided by: brentgr

Category:

more less

Transcript and Presenter's Notes

Title: Active Directory for Unix Systems

1
Active Directoryfor Unix Systems

An update on modifications that have been made to
the partners.org AD to support POSIX/Unix systems

Stephen Roylance System Engineer,
ERIS SRoylance_at_partners.org
2
Introduction

Identification
Authentication
Authorization/Access Control

3
Unix authentication - origins

In the beginning there was /etc/passwd and
/etc/group
Contained all user identification information as
well as the authentication token (encrypted
password)
System libraries implemented getpwnam/getpwuid,
getgrnam/getgrgid
/bin/login handled authentication

4
System information passwd
sdr x 501 504 Steve Roylance /home/sdr
/bin/bash
username
Login Shell
Encrypted password
Home Directory
User ID Number
GCOS users real name and other human-id
information
Group ID Number
5
System information - group
rescomp x 502 azschau,nbc0,sdr,dennis,jxu,bg
r0,ajh1
Group ID number
Group Name
Group members (comma delimited list)
Group password
6
Unix authentication now

Name Service Switch an abstraction layer for
user and system identity information.
Pluggable Authentication Modules an abstraction
layer for user authentication

7
RFC2307

Defined a standard and a schema for storing NSS
information in LDAP
Reference implementation of RFC2307 is open
source provided by padl.com
Contains two modules, nss_ldap and pam_ldap
Shipped with most Linux distributions

8
RFC2307bis

Draft revision of RFC2307, implemented in current
versions of nss_ldap and pam_ldap
Extends group schema to handle native LDAP groups

9
Active Directory

A functional, if specialized, LDAP service
Services for Unix 3.5 provided an RFC2307
compatible schema and tools to manage it
Windows server 2003 R2 added what was SFU into
the base distribution as a set of optional
components
Schema modifications for Unix are added by
default when upgrading a domain to support R2
features

10
The Hard Part

AD supporting the classes and attributes is not
enough
They need to contain usable information
This requires developing a schema that is
globally useful across partners
And extending partners existing management tools
to populate that schema

11
Schema - Users

uidNumber
A unique integer identifier for each user,
derived from the internal user identifier by
adding 100,000
gidNumber
An integer that identifies the primary group for
all users (constant)
unixHomeDirectory
A string of the form /PHShome/s where s is
the users partners domain logon ID
loginShell
/bin/PHSshell (constant string)

12
Schema - Groups

gidNumber
A unique integer for each group

13
Schema - mappings

Services for Unix schema supports RFC2307
clients, but there are some differences
The client modules provide a method for
translating

RFC 2307 (AD) mappings nss_map_objectclass
posixAccount user nss_map_objectclass
shadowAccount user nss_map_attribute uid
sAMAccountName nss_map_attribute homeDirectory
unixHomeDirectory nss_map_attribute
shadowLastChange pwdLastSet nss_map_objectclass
posixGroup group nss_map_attribute uniqueMember
member pam_login_attribute sAMAccountName pam_fi
lter objectclassUser pam_password ad
14
SSL

By default AD supports encrypted LDAP using its
own Kerberos secured protocol
Usable on Unix, but heavyweight
LDAP over SSL is also available, but requires
generating and installing SSL certificates
Server team has deployed certificates using
Verisigns managed PKI
nss_ldap,pam_ldap require the certificate of the
CA which can be downloaded from Verisigns website

15
Service Account