Active Directory for Unix Systems (PowerPoint presentation, 17 slides)
Active Directory for Unix Systems. An update on the modifications that have been made to the AD to support POSIX/Unix systems. Stephen Roylance, System Engineer, ERIS. Outline: Identification, Authentication, Authorization/Access Control.
Presentation Transcript
Active Directory for Unix Systems

An update on modifications that have been made to the AD to support POSIX/Unix systems

Stephen Roylance

System Engineer, ERIS

  • Identification
  • Authentication
  • Authorization/Access Control
Unix authentication - origins
  • In the beginning there was /etc/passwd and /etc/group
  • Contained all user identification information as well as the authentication token (the crypt(3) password hash, traditionally called the "encrypted password")
  • System libraries implemented getpwnam/getpwuid, getgrnam/getgrgid
  • /bin/login handled authentication
System information – passwd

sdr : x : 501 : 504 : Steve Roylance : /home/sdr : /bin/bash

Fields, left to right:

  • Login name (sdr)
  • Password field (x: the hash is kept in /etc/shadow rather than here)
  • User ID (501)
  • Group ID (504): the user's primary group
  • User's real name and other 'human-id' information (the GECOS field)
  • Home directory (/home/sdr)
  • Login shell (/bin/bash)
System information - group

rescomp : x : 502 : azschau,nbc0,sdr,dennis,jxu,bgr0,ajh1

Fields, left to right:

  • Group name (rescomp)
  • Group password (x)
  • Group ID (502)
  • Group members (comma delimited list of login names)
Unix authentication – now
  • Name Service Switch (NSS): an abstraction layer for user and system identity information (the getpw*/getgr* lookups)
  • Pluggable Authentication Modules (PAM): an abstraction layer for user authentication
  • RFC 2307 defined a standard and a schema for storing NSS information in LDAP
  • Reference implementation of RFC 2307 is open source, provided by
  • Contains two modules, nss_ldap (lookups) and pam_ldap (authentication)
  • Shipped with most Linux distributions
  • A draft revision of RFC 2307 (RFC 2307bis) is implemented in current versions of nss_ldap and pam_ldap
  • It extends the group schema so native LDAP groups, whose members are DNs rather than login names, can serve as POSIX groups
Active Directory
  • A functional, if specialized, LDAP service
  • Services for Unix (SFU) 3.5 provided an RFC 2307 compatible schema and tools to manage it
  • Windows Server 2003 R2 added what was SFU into the base distribution as a set of optional components
  • The Unix schema extensions are added by default when a forest's schema is upgraded to support R2 features
The Hard Part
  • AD supporting the classes and attributes is not enough
  • They need to contain usable information on every account a Unix host will see
  • This requires developing a schema that is globally useful across Partners
  • And extending Partners' existing account management tools to populate that schema
Schema - Users
  • uidNumber:
    • A unique integer identifier for each user, derived from the internal user identifier by adding 100,000
  • gidNumber:
    • A single constant integer used as the primary group for all users
  • unixHomeDirectory:
    • A string of the form /PHShome/%s, where %s is the user's Partners domain logon ID (sAMAccountName)
  • loginShell:
    • /bin/PHSshell (constant string)
Schema - Groups
  • gidNumber
    • A unique integer for each group
Schema - mappings
  • The Services for Unix schema supports RFC 2307 clients, but its class and attribute names differ from the RFC's
  • The client modules provide a method for translating them: nss_map_objectclass and nss_map_attribute in ldap.conf

The mappings below ship commented out in the stock nss_ldap/pam_ldap ldap.conf; remove the leading '#' to enable them:

```conf
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
```
  • By default AD protects LDAP with its own Kerberos-based mechanism (SASL/GSSAPI signing and sealing)
  • Usable on Unix, but heavyweight: the client needs a Kerberos configuration and credentials of its own
  • LDAP over SSL (LDAPS, port 636) is also available, but requires generating a server certificate for each domain controller and installing it there
  • The server team has deployed these certificates using Verisign's managed PKI
  • nss_ldap and pam_ldap require the certificate of the issuing CA, which can be downloaded from Verisign's website; without it the client can encrypt the session but cannot verify that it is talking to a real domain controller
Service Account
  • By default AD does not allow anonymous LDAP queries
  • nss_ldap therefore needs an account to bind with before it can retrieve user and group information from AD
  • PHS has a procedure for requesting a service account with limited privileges; read access to the user and group attributes is all it needs
Access Control
  • All AD groups are exposed as Unix groups (each group object carries a gidNumber)
  • Membership is managed using PAS
  • No change in how permissions are managed
  • Restrict who may log in to a given host using pam_filter, for example a filter on membership in a host-specific group
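The TLS, service-account and access-control points above all land in the same file on the Unix side. The fragment below is an added example of an /etc/ldap.conf for nss_ldap and pam_ldap, not a file from the presentation; every host name, DN, file path and group name in it is an assumed placeholder, and the option names are the PADL ones.

```conf
# /etc/ldap.conf for nss_ldap / pam_ldap against AD. Added example; host names,
# DNs, paths and group names are placeholders, not the site's real values.
uri ldaps://dc1.example.org/ ldaps://dc2.example.org/
base DC=example,DC=org
ldap_version 3
scope sub
referrals no

# LDAP over SSL on port 636. tls_checkpeer makes the client reject a DC whose
# certificate does not chain to the CA in tls_cacertfile; without it the
# session is encrypted but the server is not authenticated.
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/verisign-ca.pem

# Service account: AD refuses anonymous searches, so every lookup binds as this
# read-only account (obtained through the PHS service-account procedure).
binddn CN=svc-nss,OU=Service Accounts,DC=example,DC=org
bindpw REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD

# Where the users and groups carrying the R2/SFU POSIX attributes live
nss_base_passwd OU=Users,DC=example,DC=org?sub
nss_base_group OU=Groups,DC=example,DC=org?sub

# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_password ad

# Access control: pam_ldap ANDs pam_filter with the login-attribute match, so
# only direct members of this group can authenticate on this host (memberOf
# does not reflect nested group membership).
pam_filter memberOf=CN=unix-login,OU=Groups,DC=example,DC=org
```

Two caveats a practitioner should keep in mind. First, /etc/ldap.conf has to be world-readable because every process that calls getpwnam() reads it, so the bindpw is visible to every local user; this is why the service account must be read-only with no rights beyond the attributes nss_ldap needs, and why nss_ldap offers rootbinddn with the password in /etc/ldap.secret (mode 0600) for root's own lookups. Second, pam_filter only gates authentication through pam_ldap: the users filtered out still resolve through NSS and still own files, which is what "no change in how permissions are managed" implies.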
Putting it all together