Authentication Project

David J. N. Begley

Network Analyst

University of Western Sydney, Nepean

  • Presentation of project design/status/issues to QUESTnet99 Conference
  • Topics covered:
    • overall architecture/goals
    • software chosen (and why)
    • DIT structure, object classes and attributes
    • problems (and where known, solutions)
    • future plans
Project Goals
  • Enforce authentication of students prior to their using computer laboratories
  • Authentication to use the same login ID and password as the student e-mail server
  • Minimise changes to existing lab infrastructure
  • Minimise impact on users, support and applications
Project Status
  • Proof-of-concept demonstrated solution indeed works (with caveats)
  • Currently in testing (ironing out technical problems and establishing end-user support procedures)
  • Plan is to go “live” mid-year (July, 1999)
Current Situation: Laboratories
  • Desktop machines
    • Apple Macintosh G3, MacOS 8.5
    • Apple Macintosh 7600/200, MacOS 8.0
    • Intel x86 PC, Windows NT 4.0 Workstation
    • Novell NetWare Client on all desktops
  • Servers
    • Novell NetWare 5.0
  • Students enter login ID, but no verification
Current Situation: E-Mail Server
  • Single, centralised student e-mail server
    • Sun SPARCserver 20 MP
    • Sun Solaris 2.6
    • accounts in /etc/passwd and /etc/shadow
  • Currently enrolled students allocated an account (from student record system)
  • Students locked into a menu system, no direct Unix shell access
Current Situation: E-Mail Server
  • Currently between 13,000 and 14,000 accounts
  • Peaks much higher (prior to account purges)
  • At most 100 simultaneous users
Desired Solution
  • Move user/authentication information from traditional Unix flat files to NetWare NDS
  • Configure e-mail server to authenticate (and perform user lookups against) NDS
    • PAM - Pluggable Authentication Modules
    • NSS - Name Service Switch
  • Solaris applications need to be made “PAM-aware” (if not already)

[Architecture diagram: NetWare 5.0 server holding the NDS Master, two NetWare 5.0 servers holding NDS Replicas, the Solaris 2.6 e-mail server, and MacOS 8.0/8.5 and WinNT 4.0 desktop clients. The links between nodes did not survive extraction.]

NDS for Solaris
  • Novell or Sun? (getting blood from a stone)
  • Beta site participation
  • Despite early performance/resource concerns, consensus is to implement
  • Show-stopper: six-figure licence fee
  • Previously disregarded due to staffing resources required
  • Multitude of clients (including Eudora, Netscape, Java, Perl and PHP)
  • Possible interface to Cisco/Microsoft DEN
  • NetWare 5 ships with LDAP server - retain solution design, use LDAP as protocol for communicating with NDS
Product List
  • Testing/Production
    • Novell NetWare 5.0 + NDS 8
    • Sun Solaris 2.6
    • Netscape Directory SDK
    • PADL Software’s PAM_LDAP & NSS_LDAP
  • Additional Testing
    • OpenLDAP 1.2.1
Tree Structure
  • No universal DIT design, just recommended hierarchy styles
  • OpenLDAP, AARNet X.500 Pilot names
    • 20,001 users in a single context
  • NDS tree, maximise performance (NDS 7)
    • ten containers, selected by the penultimate digit of the student ID#
    • with NDS 8, experimenting with single container for all students
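The two layouts on the Tree Structure slide, as an added example that is not part of the presentation: students are placed either in one of ten containers chosen by the penultimate digit of the student ID (the NDS 7 layout) or in a single container (the NDS 8 experiment). The container names ou=Students0 to ou=Students9 are an assumption, since the slides do not name them; ou=Users and the organisation DN are taken from the sample entry later in the deck.

```python
"""Added example (not from the presentation): build DNs for student entries
under the two tree layouts described on the Tree Structure slide.

Assumptions (the slides do not name the containers):
  * NDS 7 layout: ten containers ou=Students0 .. ou=Students9, chosen by the
    penultimate digit of the student ID.
  * NDS 8 layout: a single ou=Users container, as in the deck's sample entry.
"""
from collections import Counter

# Organisation DN taken from the sample entry's dn line.
BASE = "o=The University of Western Sydney,c=AU"


def penultimate_digit(student_id: str) -> str:
    """Return the second-to-last digit of an ID such as 'n9910000'."""
    digits = [ch for ch in student_id if ch.isdigit()]
    if len(digits) < 2:
        raise ValueError(f"student ID {student_id!r} has fewer than two digits")
    return digits[-2]


def dn_for(student_id: str, single_container: bool = False) -> str:
    """DN for a student under the ten-container (default) or single-container layout."""
    if single_container:
        return f"cn={student_id},ou=Users,{BASE}"
    return f"cn={student_id},ou=Students{penultimate_digit(student_id)},{BASE}"


def container_distribution(student_ids):
    """Count how many IDs land in each of the ten containers (the RDN after cn=)."""
    return Counter(dn_for(sid).split(",")[1] for sid in student_ids)


# Constructed sample: one hundred sequential student IDs.
SAMPLE_IDS = [f"n99{i:05d}" for i in range(10000, 10100)]

if __name__ == "__main__":
    print(dn_for("n9910000"))
    print(dn_for("n9910000", single_container=True))
    for ou, count in sorted(container_distribution(SAMPLE_IDS).items()):
        print(f"{ou}: {count} entries")
```

Sequential IDs cycle through the penultimate digit every ten numbers, so the ten-container layout spreads a batch evenly; that balance is the reason the slide gives for the NDS 7 design.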

[Tree diagram: root o=The University of Western Sydney; the remaining nodes did not survive extraction.]

Object Classes and Attributes
  • Choice driven by PAM_LDAP, NSS_LDAP
  • RFC 2307
    • Solaris 8
    • HP-UX
    • Compaq Tru64 UNIX (IASS 5.0)
    • NDS/Active Directory (?)
  • Core object classes
    • posixAccount, shadowAccount
dn: cn=n9910000,ou=Users,o=The University of Western Sydney,c=AU
ufn: n9910000,Users,The University of Western Sydney,AU
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: account
objectclass: posixAccount
objectclass: shadowAccount
fullname: Test Student #10000
givenname: Test
sn: #10000
uid: n9910000
userpassword: {crypt}gf1MpM.r02nsw
shadowlastchange: 10650
loginshell: /usr/local/bin/menu
uidnumber: 20000
gidnumber: 10
homedirectory: /home/99/n9910000
gecos: Test Student #10000
cn: n9910000

NDS Object Classes
  • NetWare 5 LDAP server maps NDS classes into LDAP “objectclass” equivalents
  • RFC 2307 suggests particular search patterns (for NSS functions), using particular LDAP object classes
  • New NDS object classes (subclass “User”) required to satisfy these search patterns
  • Future NDS may support RFC 2307?
Problems/Solutions - NetWare
  • LDAP slow - up to 2.5 mins per lookup
    • install NDS 8
  • NDS does not recognise Unix “crypt” passwords
    • issue new passwords to all students, store as cleartext (transport to be secured with SSL)
  • Authenticated LDAP binds count toward concurrent login total
    • set maximum concurrent logins cautiously
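An added example, not code from the presentation, tying together the Object Classes and Attributes slide, the sample entry, the NDS Object Classes slide and the crypt-password problem above: it parses RFC 2307-style LDIF, checks that each entry carries the attributes posixAccount and shadowAccount require, evaluates the getpwnam/getpwuid search filters that nss_ldap issues, and reports the password storage scheme so that entries NDS cannot verify ({crypt} hashes) stand out from the cleartext ones that the SSL transport is meant to protect. The first entry reproduces the deck's sample (without the NDS-specific ufn line); the second entry is constructed to show a missing attribute and a cleartext password.

```python
"""Added example (not from the presentation): RFC 2307 entry checks and
nss_ldap-style lookups over LDIF text. The sample LDIF below is constructed:
entry 1 mirrors the deck's sample entry, entry 2 is deliberately incomplete.
"""
import re

# MUST attributes for the two core classes, from RFC 2307 section 4.
REQUIRED = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "shadowaccount": {"uid"},
}

SAMPLE_LDIF = """\
dn: cn=n9910000,ou=Users,o=The University of Western Sydney,c=AU
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: account
objectclass: posixAccount
objectclass: shadowAccount
fullname: Test Student #10000
givenname: Test
sn: #10000
uid: n9910000
userpassword: {crypt}gf1MpM.r02nsw
shadowlastchange: 10650
loginshell: /usr/local/bin/menu
uidnumber: 20000
gidnumber: 10
homedirectory: /home/99/n9910000
gecos: Test Student #10000
cn: n9910000

dn: cn=n9910001,ou=Users,o=The University of Western Sydney,c=AU
objectclass: top
objectclass: posixAccount
objectclass: shadowAccount
uid: n9910001
userpassword: Secret#1
uidnumber: 20001
gidnumber: 10
cn: n9910001
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> values.
    Handles the simple one-attribute-per-line form; folded continuation lines
    and base64 (::) values are out of scope for this example."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def missing_attributes(entry):
    """Attributes required by the entry's object classes that it does not carry."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    needed = set().union(*(REQUIRED.get(c, set()) for c in classes))
    return sorted(needed - set(entry))


def matches(entry, filter_str):
    """Evaluate the filter subset nss_ldap needs: (attr=value) and (&(...)(...))."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filter_str)
    if m:
        return all(matches(entry, f) for f in re.findall(r"\([^()]*\)", m.group(1)))
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, value = m.group(1).lower(), m.group(2)
    return value.lower() in {v.lower() for v in entry.get(attr, [])}


def getpwnam(entries, login):
    """RFC 2307 getpwnam search: (&(objectClass=posixAccount)(uid=<login>))."""
    return [e for e in entries if matches(e, f"(&(objectClass=posixAccount)(uid={login}))")]


def getpwuid(entries, uidnumber):
    """RFC 2307 getpwuid search: (&(objectClass=posixAccount)(uidNumber=<n>))."""
    return [e for e in entries if matches(e, f"(&(objectClass=posixAccount)(uidNumber={uidnumber}))")]


def password_scheme(entry):
    """'crypt' for {crypt} hashes (which NDS could not verify), 'cleartext' if unprefixed."""
    pw = entry.get("userpassword", [""])[0]
    m = re.match(r"\{(\w+)\}", pw)
    return m.group(1).lower() if m else "cleartext"


def audit(text):
    """Per-entry report: (uid, missing required attributes, password scheme)."""
    return [(e.get("uid", ["?"])[0], missing_attributes(e), password_scheme(e))
            for e in parse_ldif(text)]


if __name__ == "__main__":
    for uid, missing, scheme in audit(SAMPLE_LDIF):
        print(f"{uid}: missing={missing or 'none'} password={scheme}")
```

The search filters are the ones RFC 2307 prescribes for the NSS passwd map, which is why the NDS Object Classes slide needs NDS classes that surface as objectclass: posixAccount over LDAP: without that class name in the entry, getpwnam returns nothing even though the attributes are present.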
Problems/Solutions - Solaris
  • Solaris 2.6 PAM library broken - always returns a NULL appdata_ptr to PAM-aware applications
    • recode applications to ignore appdata_ptr (i.e., avoid using the PAM API as per spec)
  • Sun aware of problem, but not willing to release a fix?
  • Solaris (2.)7 apparently fixed (unverified)
Problems/Solutions - PAM/NSS
  • Password changes work, but require original password (even if superuser)
    • rewrite password change tool to change password in LDAP directly as diradmin
  • Behavioural differences before/after LDAP
    • ensure PAM configured correctly
  • Command line completion for login IDs
    • tune nscd (???)
Future Possibilities
  • Expand authentication to other parts of the network (e.g., remote access service)
  • Integration with network directory (DEN)
  • Corporate directory (UWS-wide)
    • University “unique ID”
    • White Pages
    • “address-less e-mail”
    • e-mail routing (aliases)