LDAP Authentication 2003 IT Fall Retreat Associated Colleges of the South

Transcript of LDAP Authentication 2003 IT Fall Retreat Associated Colleges of the South

Page 1: LDAP Authentication

2003 IT Fall Retreat, Associated Colleges of the South

Todd K. Watson, Senior System/Network Administrator
Southwestern University, Information Technology Services
[email protected]
http://tkdubs.net

Page 2

Disclosure: I am not an LDAP expert!!

● Brief background
● Overview of current technologies.
● Tell what SU is doing
● Rhodes will follow
● Everyone else chimes in with their plans, etc.

Page 3

Traditional Systems Authentication

● Unix -- /etc/passwd, /etc/shadow, NIS
● Microsoft -- NT LANMan, hacks prior to NT
● Apple -- “At Ease”, Multi-user (OS-9)
● WWW -- local passwd DB (eg. htaccess)

Kerberos was the only viable existing solution for cross-platform system and application authentication. It was complex and required specialized clients and servers, which limited choice and flexibility.

Page 4

Enter LDAP..... (Lightweight Directory Access Protocol)

Page 5

LDAP – The Big Picture

What's most useful to us in the discussion about authentication

Graph from “LDAP Directories Explained” by Brian Arkills -- Published by Addison Wesley

A vendor-independent method of consolidating information about users across different systems and services on different OSs.

Page 6

Historical LDAP Authentication Problems

● LDAP was originally designed as a directory, not an authentication, server. It evolved from X.500 and was pioneered at Univ. Michigan.
● Lack of support by clients
● Lack of encryption – passwords in the clear
● Lack of Access Control – Authorization
● LDAP v3 RFCs and vendor implementations address these issues

Page 7

Where to Start with LDAP

● RESEARCH!!! -- Read and study as much as you can prior to building your LDAP install. (references appendix later)

● LDAP has a natural mapping to your DNS space. Use this to your advantage, and avoid straying from this.

● Choose a vendor product wisely! LDAP consists of only 10 basic functions ((un)bind, abandon, search, compare, add, modify, delete, ...) so each product differs on the extras, the interface, schemas, etc.

● Make sure all of your systems and services will integrate with that vendor's LDAP implementation. (eg. Does Datatel or Banner recommend/support?)
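As an added example that is not part of the slides, here is what the simple bind listed above looks like on the wire, built from the standard library only and sent over TLS with certificate verification so the password is not passed in the clear as the previous slide warns. The host name and user DN passed to ldap_authenticate are assumptions; the BER encoding follows the LDAPv3 RFCs.

```python
"""Minimal LDAPv3 simple bind over TLS using only the Python standard library (constructed example)."""
import socket
import ssl

def ber_len(n):
    """BER length octets: short form below 128, long form (0x80|N, then N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag, payload):  # one BER TLV: tag, length, value
    return bytes([tag]) + ber_len(len(payload)) + payload

def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID (< 128), BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    op = (ber(0x02, b"\x03")                      # version 3
          + ber(0x04, dn.encode("utf-8"))          # name: the user's LDAPDN
          + ber(0x80, password.encode("utf-8")))   # simple authentication: the password itself
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, op))

def tlv(buf, pos):
    """Decode the BER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def bind_result(msg):
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    _, body, _ = tlv(msg, 0)                      # outer LDAPMessage SEQUENCE
    _, _, pos = tlv(body, 0)                      # skip messageID
    tag, resp, _ = tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = tlv(resp, 0)                   # resultCode: 0 success, 49 invalidCredentials
    _, _, pos = tlv(resp, pos)                    # matchedDN (ignored here)
    _, diag, _ = tlv(resp, pos)                   # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def ldap_authenticate(host, dn, password, port=636):
    """True iff the directory accepts dn/password; TLS with certificate checks keeps the password off the wire in the clear."""
    ctx = ssl.create_default_context()            # verifies the chain and hostname by default
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, dn, password))
            reply = tls.recv(4096)                # a BindResponse fits in one read in practice
    return bind_result(reply)[0] == 0
```

A call such as ldap_authenticate("ldap.example.edu", "uid=jdoe,ou=people,dc=example,dc=edu", "secret") (assumed names) returns True only on resultCode 0; any other code, including 49 for bad credentials, is a failed login.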

Page 8

Some LDAP Vendors/Products

● Computer Associates -- eTrust Directory
● Critical Path -- Live Content and InJoin (formerly Global Dir)
● IBM -- SecureWay
● Sun -- SunOne Directory Server (formerly iPlanet)
● Microsoft -- Active Directory
● Novell -- e-Directory (formerly NDS)
● OpenLDAP -- OpenLDAP
● Oracle -- Internet Directory

Page 9

Southwestern's LDAP Requirements

Unified Authentication for:

● Unix systems, which provide POP, IMAP, SMTP
● Web services -- webmail, software downloads, timeclocks, MySU portal, Campus Notices (W&L), library catalogs, ...
● Lab computers – both Macs and PCs
● Wired and Wireless network access (via NetReg)
● Datatel WebAdvisor
● Group calendaring (currently CorpTime – now Oracle)

The authoritative source of data must reside on a Unix server and have a web-based management interface with multiple levels of access control.

Page 10

Southwestern Univ. Active Directory (AD)

● This summer ('03) we implemented MS Active Directory on a Win2K Advanced Server for WinXP and MacOS-X clients.

– This provided seamless data storage to our Network Appliance file server (also used via NFS to our Unix servers) from any lab computer on campus.

– MacOS-X -- we use the “Admit Mac” product by Thursby Software to allow Macs to “join the Active Directory domain”. Macs are treated just like PCs on the domain, with transparent Desktop and (My)Documents folder mappings like on a PC.

– Currently NO synchronization between AD and the Unix-hosted LDAP and NIS.

– Old (pre-existing) accounts had to be given a new password for AD, though it can be reset.

– New accounts are created after the Unix/email account and use the same passwords.

– Password changes must be done on both systems! VERY CONFUSING.....

– Account management is done from Win/Mac/Linux using VNC. Plans to possibly add web scripts with Perl LDAP/ActiveDir module hooks.

Page 11

Future Goals for Southwestern Univ. LDAP Infrastructure

● Unix-based product (need Enterprise stability!)

● Datatel supported (for WebAdvisor)

● **Synchronization/Replication to/from Active Directory**

● Flexibility/Extensibility. Need Access to data stores without complex API.

● Standards based – extremely important for future product integration

Page 12

And now another perspective...

Doug Walker and Richie Trenthem from Rhodes College

Page 13

Discussion....

● What is everyone else doing/thinking?
● Who has experience with LDAP products besides Microsoft Active Directory?
● Washington & Lee uses Novell eDirectory, but could not be here to talk about it. Ask Julie during the break how it is working for them.
● What requirements does your campus have? What are your strengths and weaknesses in playing the LDAP game?

Page 14

References

● “LDAP Directories Explained: An Introduction and Analysis” by Brian Arkills (Addison Wesley – 2003)
● “LDAP System Administration” by Gerald Carter (O'Reilly & Associates – 2003)
● “Understanding and Deploying LDAP Directory Services (2nd Ed.)” by Timothy Howes (Addison Wesley – 2003) [the bridge book]
● http://www.openldap.org
● http://www.kingsmountain.com
  – the “LDAP RoadMap and FAQ” has many great resources
● http://perl-ldap.sourceforge.net
  – the Net::LDAP module provides the ability to create hooks into LDAP via CGI or CLI scripts to do custom management functions