
"Single-Sign-On" Solution

Implementing a SSO Solution Using Linux and OpenLDAP. Shanker Balan, Exocore Consulting (P) Ltd, http://www.exocore.com. Topics: what "Single Sign On" is; problems with standard authentication mechanisms; how LDAP fits in; migrating to OpenLDAP on Linux.


Presentation Transcript


  1. Implementing a SSO Solution Using Linux and OpenLDAP
     Shanker Balan, Exocore Consulting (P) Ltd, http://www.exocore.com
     "Single-Sign-On" Solution

  2. Introduction
     • What is "Single Sign On"?
     • Problems with standard authentication mechanisms
     • How does LDAP fit in?
     • Migrating to OpenLDAP on Linux
     • UNIX Authentication
     • Windows Authentication

  3. Single Sign On
     • What it means
       • Use the same username and password for accessing network resources
       • Should work across all operating systems: Windows, Linux, FreeBSD, Solaris etc.
       • The authentication system should be network aware

  4. Standard Setup

  5. Standard Problems
     • Administrative nightmare: every host keeps its own copy of the account database
     • Centralized account management is difficult
     • Difficult to keep users and passwords in sync
     • Not scalable. Might work in small setups (<100 users)
     • It is not cross platform

  6. "SSO" Setup

  7. Single Sign On
     • Features
       • Single authentication backend
       • One account == one password
       • Password changes are universal
       • Users do not need to remember multiple login IDs/passwords
       • Accounts are always in sync
     • Database based (LDAP, RDBMS etc.)
       • Standard API for manipulating entries
       • Easy to write GUI and web frontends for administration
       • Very extensible! Can handle objects like address books, profiles etc.

  8. Single Sign On (Contd)
     • Database based (Contd)
       • High availability and reliability using replication
       • Fine grained access control lists
       • Highly scalable
       • Encryption support using SSL/TLS
       • Network enabled

  9. Why LDAP?
     • Standardized protocol
     • Vendor independent: OpenLDAP, NDS, Active Directory etc.
     • Platform independent: *NIX, Windows etc.
     • Most applications already have LDAP support
       • Linux PAM, Postfix, Samba
       • Outlook Express, Evolution

  10. OpenLDAP on Linux
     • Installation
       • via RPMs:
           openldap-2.0.23-4
           openldap-clients-2.0.23-4
           openldap-servers-2.0.23-4
           openldap-devel-2.0.23-4
       • TGZ from http://openldap.org/
     • Start/Stop LDAP Server
           # service ldap start
           # service ldap stop
           # service ldap restart

  11. Configuring OpenLDAP
     • Edit /etc/openldap/slapd.conf (man slapd.conf)
           ####################
           # ldbm database definitions
           ####################
           database ldbm
           suffix   "dc=exocore,dc=com"
           rootdn   "cn=Manager,dc=exocore,dc=com"
           rootpw   secret
     • A cleartext rootpw as above is exposed to anyone who can read slapd.conf. Generate a hashed value with slappasswd and paste its {SSHA}... output as the rootpw value instead; slapd accepts rootpw in the same hashed formats as userPassword.

  12. OpenLDAP ACLs
     • Access Control Lists. Clauses are evaluated in order and the first "access to" whose target matches wins, so the userPassword rule must come before the catch-all:
           access to attrs=userPassword
                   by dn="cn=Manager,dc=exocore,dc=com" write
                   by anonymous auth
                   by self write
                   by * none
           access to *
                   by dn="cn=Manager,dc=exocore,dc=com" write
                   by * read
     • "by anonymous auth" lets unauthenticated clients bind against the password without reading it; "by * read" on everything else is what nss_ldap needs for lookups, but it also exposes every other attribute to anonymous clients. Once Samba stores NT/LM hashes in the directory (slide 20), give the lmPassword and ntPassword attributes the same "by * none" treatment as userPassword: they are password equivalents.

  13. Testing Basic Operation
     • Edit /etc/openldap/ldap.conf (man ldap.conf)
           HOST localhost
           BASE dc=exocore,dc=com
     • Start LDAP Server
     • Test with a simple (anonymous) search
           # ldapsearch -x
     • Test "bind" as Manager
           # ldapsearch -x -D "cn=Manager,dc=exocore,dc=com" -W
       -W prompts for the password. Passing it as "-w secret" works too, but leaves the password in the shell history and visible to other local users in "ps" output.

  14. Migrating Users
     • MigrationTools: /usr/share/openldap/migration
     • See "README" and make changes to "migrate_common.ph"
           $DEFAULT_MAIL_DOMAIN = "exocore.com";
           $DEFAULT_BASE = "dc=exocore,dc=com";
           $EXTENDED_SCHEMA = 1;
     • Run "migrate_all_online.sh"
     • Run "ldapsearch" to list all entries
           # ldapsearch -x

  15. LDAP Authentication
     • Test user authentication: bind as a migrated user. A successful bind proves slapd can verify the imported {crypt} hash.
           # ldapsearch -x -D "uid=abc,ou=people,dc=exocore,dc=com" -W
     • Remove non-system accounts from passwd, shadow, group and gshadow. Do this only after the bind above works, and keep root and the system accounts local so the host stays administrable when the LDAP server is unreachable.
     • On RedHat systems, run "authconfig" (man authconfig)
           # authconfig
           Server:  <ldap server>
           Base DN: dc=exocore,dc=com

  16. Test Client Authentication
     • On non-RedHat systems, edit /etc/pam_ldap.conf and /etc/nss_ldap.conf
           host <ldap server>
           base dc=exocore,dc=com
     • Copy the PAM examples shipped with nss_ldap into place
           # cp /usr/share/doc/nss_ldap-189/pam.d/* /etc/pam.d/

  17. Non-RedHat Systems
     • Edit /etc/nsswitch.conf (see nsswitch.conf(5))
           passwd: files ldap
           shadow: files ldap
           group:  files ldap
     • Check name service
           # getent passwd    (lists users, local and LDAP)
           # getent group     (lists groups)
     • Try console login as "abc"

  18. UNIX Authentication
     • On other OS platforms
       • *BSD: "portinstall security/pam_ldap"
       • Solaris: ships with pam_ldap
       • Compile and install from http://www.padl.com
         • pam_ldap
         • nss_ldap
     • Works with any OS that supports PAM and NSSWITCH

  19. Windows Authentication
     • UNIX and Windows authentication are mutually incompatible: they use different account identifiers and different password formats
       • UNIX UIDs vs NT RIDs
       • UNIX GIDs vs NT group RIDs
       • {CRYPT} passwords vs NT/LM hashes
       • NT SIDs
     • Windows cannot directly authenticate against an LDAP directory
       • Requires a "Domain Controller"

  20. Samba Integration
     • Stable LDAP support from version 2.2.1
     • Samba must be recompiled with LDAP support (the 2.2 configure option is --with-ldapsam)
           samba# ./configure --with-ldapsam
     • Edit /etc/samba/smb.conf
           ldap admin dn = "cn=Manager,dc=exocore,dc=com"
           ldap server = <ldap server>
           ldap suffix = "ou=people,dc=exocore,dc=com"
           pam password change = yes
     • The password for "ldap admin dn" does not go in smb.conf; store it in secrets.tdb with "smbpasswd -w <password>" so smbd can bind with write access.

  21. Migrating Samba Users
     • Use the Samba migration scripts in doc/samba-2.2.3a/examples/LDAP/
     • See README
     • Edit import2_smbpasswd.pl
           $DN = "ou=people,dc=exocore,dc=com";
           $ROOTDN = "cn=Manager,dc=exocore,dc=com";
           $rootpw = "secret";
           $LDAPSERVER = "<ldap server>";
     • Migrate
           # cat smbpasswd | import2_smbpasswd.pl
     • The script copies the LM and NT hashes from smbpasswd into the lmPassword and ntPassword attributes of the sambaAccount objectClass. Make sure those attributes are covered by a "by * none" ACL (slide 12) before importing, and remove the cleartext $rootpw from the script afterwards.

  22. Are we SSO'ed yet?
     • Yep!!!
     • UNIX OS
       • Authentication -> PAM -> LDAP
       • Name Service -> NSS -> LDAP
     • Windows
       • Authentication -> Samba -> LDAP
     • No more per-host user entries in /etc/passwd and /etc/smbpasswd (root and the system accounts stay in the local files)

  23. Schema & Attributes
     • ObjectClasses
       • posixAccount
       • posixGroup
       • shadowAccount
       • sambaAccount
     • Attributes
       • User account: cn, uid, uidNumber, gidNumber, homeDirectory (required by posixAccount; userPassword, loginShell and gecos are optional)
       • Group account: cn, gidNumber (required by posixGroup; members are listed in memberUid)

  24. PosixAccount Entry

  25. PosixGroup Entry
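Slides 24 and 25 showed example posixAccount and posixGroup entries that did not survive the transcript. The following Python is an added example (not the PADL MigrationTools from slide 14, which are Perl, and not from the slides) that builds such entries from passwd, shadow and group files and serialises them as LDIF, the same job migrate_passwd.pl and migrate_group.pl do. The sample files are constructed for the example with dummy hashes; BASE_DN follows the slides, ou=People and ou=Group are the MigrationTools defaults (DN matching is case-insensitive, so slide 15's ou=people refers to the same container), and the MIN_UID cut-off for system accounts is an assumption.

```python
"""posixAccount/shadowAccount and posixGroup LDIF from passwd/shadow/group,
as the MigrationTools do. Added example; not the PADL scripts, not from the
slides. Sample files are constructed; MIN_UID is an assumption."""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

BASE_DN = "dc=exocore,dc=com"
PEOPLE_OU = "ou=People," + BASE_DN          # MigrationTools default container
GROUP_OU = "ou=Group," + BASE_DN
MIN_UID = 500  # assumption: lower IDs are system accounts and stay in the local files (slide 15)

# Constructed sample input, not a real system's files. Hashes are dummies.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
abc:x:500:500:Abc User:/home/abc:/bin/bash
locked:x:501:501::/home/locked:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$rootsalt$rootrootrootrootrooooo:12000:0:99999:7:::
daemon:*:12000:0:99999:7:::
abc:$1$saltsalt$AbCdEfGhIjKlMnOpQrStUv:12000:0:99999:7:::
locked:!$1$saltsalt$AbCdEfGhIjKlMnOpQrStUv:12000:0:99999:7:30::
"""
SAMPLE_GROUP = """\
root:x:0:
users:x:100:abc
abc:x:500:
locked:x:501:
staff:x:600:abc,locked
"""
# shadow(5) fields 3..9 map onto the shadowAccount attributes in this order
SHADOW_ATTRS = ["shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
                "shadowInactive", "shadowExpire", "shadowFlag"]


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """{name: fields} for a passwd/shadow/group style file; blank and # lines skipped."""
    out: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.rstrip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            out[fields[0]] = fields
    return out


def passwd_to_entries(passwd: str, shadow: str, min_uid: int = MIN_UID) -> List[Entry]:
    """One posixAccount/shadowAccount entry per account with uidNumber >= min_uid."""
    shadow_map = parse_colon_file(shadow)
    entries: List[Entry] = []
    for name, f in parse_colon_file(passwd).items():
        if int(f[2]) < min_uid:
            continue
        gecos = f[4]
        entry: Entry = {
            "dn": ["uid=%s,%s" % (name, PEOPLE_OU)],
            "objectClass": ["top", "account", "posixAccount", "shadowAccount"],
            "uid": [name],
            "cn": [gecos.split(",")[0] or name],   # full name from GECOS, else the login
            "uidNumber": [f[2]],
            "gidNumber": [f[3]],
            "homeDirectory": [f[5]],
            "loginShell": [f[6]],
        }
        if gecos:
            entry["gecos"] = [gecos]
        sf = shadow_map.get(name)
        if sf:
            # {crypt} makes slapd check the bind password with crypt(3) against this
            # value. "*", "!" and "!$1$..." never equal any crypt() output, so accounts
            # locked with "passwd -l" stay locked after the migration.
            entry["userPassword"] = ["{crypt}" + sf[1]]
            for attr, value in zip(SHADOW_ATTRS, sf[2:9]):
                if value:                          # empty shadow fields are simply absent
                    entry[attr] = [value]
        entries.append(entry)
    return entries


def group_to_entries(group: str, min_gid: int = MIN_UID) -> List[Entry]:
    """One posixGroup entry per group with gidNumber >= min_gid; members go in memberUid."""
    entries: List[Entry] = []
    for name, f in parse_colon_file(group).items():
        if int(f[2]) < min_gid:
            continue
        entry: Entry = {"dn": ["cn=%s,%s" % (name, GROUP_OU)],
                        "objectClass": ["top", "posixGroup"],
                        "cn": [name], "gidNumber": [f[2]]}
        members = [m for m in f[3].split(",") if m] if len(f) > 3 else []
        if members:
            entry["memberUid"] = members
        entries.append(entry)
    return entries


def to_ldif(entries: List[Entry]) -> str:
    """Serialise as LDIF; values LDIF cannot carry literally (leading space, ':' or
    '<', trailing space, non-ASCII) are base64-encoded behind '::'."""
    blocks = []
    for e in entries:
        lines = ["dn: " + e["dn"][0]]
        for attr, values in e.items():
            for v in (values if attr != "dn" else []):
                if v.startswith((" ", ":", "<")) or v.endswith(" ") or not v.isascii():
                    lines.append("%s:: %s" % (attr, base64.b64encode(v.encode("utf-8")).decode("ascii")))
                else:
                    lines.append("%s: %s" % (attr, v))
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(to_ldif(passwd_to_entries(SAMPLE_PASSWD, SAMPLE_SHADOW) + group_to_entries(SAMPLE_GROUP)))
```

Feed the output to ldapadd as Manager (`ldapadd -x -D "cn=Manager,dc=exocore,dc=com" -W -f users.ldif`); the ou=People and ou=Group containers must already exist, which is what migrate_base.pl creates in the real tool. Because the {crypt} hashes travel in the LDIF, treat that file like /etc/shadow and delete it once the import is verified with the bind test from slide 15.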

  26. Account Management
     • Develop in-house web frontends for managing the LDAP database (Best!)
     • Graphical tools
       • GQ from http://biot.com/gq/
       • Directory Administrator from http://diradmin.open-it.org/
         • UNIX authentication (posixAccount/shadowAccount)
         • Supports Samba (sambaAccount)
         • Sendmail/Postfix mail routing (inetLocalMailRecipient)

  27. What more can I have?
     • Central address book. Just configure your mailer to look up the LDAP server.
     • Sendmail/Postfix mail routing tables
     • Squid user authentication
     • Netscape Roaming Profiles
     • DNS
     • Start here: http://www.linuxdocs.org/HOWTOs/LDAP-Implementation-HOWTO/index.html

  28. Resources
     • URLs
       • http://www.openldap.org/
       • http://www.padl.com/
       • http://www.tldp.org/
       • http://www.samba.org/

  29. Thank You!
     Shanker Balan
     <http://www.exocore.com>
     <http://shankerbalan.com>
     Questions?
