LDAP_Presentation - Southwestern University

LDAP Authentication
2003 IT Fall Retreat
Associated Colleges of the South
Todd K. Watson
Senior System/Network Administrator
Southwestern University
tkw@southwestern.edu
Todd K. Watson
Information Technology Services
tkw@southwestern.edu
http://tkdubs.net
Disclosure: I am not an LDAP expert!!
● Brief background
● Overview of current technologies.
● Tell what SU is doing
● Rhodes will follow
● Everyone else chimes in with their
Traditional Systems Authentication
● Unix -- /etc/passwd, /etc/shadow, NIS
● Microsoft -- NT LANMan, hacks prior to NT
● Apple -- “At Ease”, Multi-user (OS-9)
● WWW – local passwd DB (eg. htaccess)
Kerberos was the only viable existing solution for cross-platform system and application authentication. It was complex and required specialized clients and servers, which limited choice and flexibility.
Enter LDAP..... (Lightweight Directory Access Protocol)
LDAP – The Big Picture
A vendor-independent method of consolidating information about users across different systems and services on different OSs. What's most useful to us in the discussion about authentication.
[Graph from “LDAP Directories Explained” by Brian Arkills -- Published by Addison Wesley]
Historical LDAP Authentication Problems
● LDAP was originally designed as a directory server, not an authentication server. Evolved from X.500, and was pioneered at Univ. Michigan.
● Lack of support by clients
● Lack of encryption – passwords in the clear
● Lack of Access Control – Authorization
● LDAP v3 RFCs and vendor implementations address these issues
Where to Start with LDAP
● RESEARCH!!! -- Read and study as much as you can prior to building your LDAP install. (references appendix later)
● LDAP has a natural mapping to your DNS space. Use this to your advantage, and avoid straying from this.
● Choose a vendor product wisely! LDAP consists of only 10 basic functions ((un)bind, abandon, search, compare, add, modify, delete, ...) so each product differs on the extras, the interface, schemas, etc.
● Make sure all of your systems and services will integrate with that vendor's LDAP implementation. (eg. Does Datatel or Banner recommend/support?)
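An added example (not from the slides, and not any vendor's code) showing, in Python, the DNS-to-base-DN mapping recommended above and the search-then-bind flow that the basic search and bind operations support, with the clear-text password problem from the earlier slide handled by refusing to bind without TLS. It runs offline against a constructed in-memory stand-in for a directory server; the ou=people container, the sample uids and passwords, and the TLS flag are assumptions.

```python
import re
from dataclasses import dataclass, field

def dns_to_base_dn(domain: str) -> str:
    """southwestern.edu -> dc=southwestern,dc=edu (the DNS mapping the slide recommends)."""
    return ",".join(f"dc={lab}" for lab in domain.lower().strip(".").split(".") if lab)

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-supplied uid cannot rewrite the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)

@dataclass
class FakeDirectory:
    """Constructed stand-in for a directory server: entry DN -> password (assumption)."""
    tls: bool
    entries: dict = field(default_factory=dict)

    def search(self, base: str, flt: str) -> list:
        # Minimal (uid=...) matcher: an unescaped '*' is a wildcard, '\xx' a literal char.
        body, regex, i = flt[len("(uid="):-1], "", 0
        while i < len(body):
            if body[i] == "\\" and i + 2 < len(body):
                regex, i = regex + re.escape(chr(int(body[i + 1:i + 3], 16))), i + 3
            else:
                regex, i = regex + (".*" if body[i] == "*" else re.escape(body[i])), i + 1
        return [dn for dn in self.entries
                if dn.endswith("," + base) and re.fullmatch(regex, dn.split(",", 1)[0][4:])]

    def simple_bind(self, dn: str, password: str) -> bool:
        return self.entries.get(dn) == password

def authenticate(directory: FakeDirectory, domain: str, uid: str, password: str) -> bool:
    """Search for the user's DN, then bind as that DN so the server checks the password."""
    if not directory.tls:
        raise RuntimeError("refusing simple bind without TLS: password would cross the wire in clear")
    if not password:
        return False  # an empty password is an anonymous bind on many servers and "succeeds"
    base = "ou=people," + dns_to_base_dn(domain)
    matches = directory.search(base, f"(uid={escape_filter_value(uid)})")
    if len(matches) != 1:
        return False  # unknown user, or an ambiguous match
    return directory.simple_bind(matches[0], password)

# Constructed sample directory for the offline demo.
SAMPLE = FakeDirectory(tls=True, entries={
    "uid=tkw,ou=people,dc=southwestern,dc=edu": "s3cret",
    "uid=jdoe,ou=people,dc=southwestern,dc=edu": "pa55word"})
```

Against a real server the same three steps (TLS, search for the DN, bind as it) are what a web front end such as a portal login should do; the password is never compared client-side.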
Some LDAP Vendors/Products
● Computer Associates -- eTrust Directory
● Critical Path -- Live Content and InJoin (formerly Global Dir)
● IBM -- SecureWay
● Sun -- SunOne Directory Server (formerly iPlanet)
● Microsoft -- Active Directory
● Novell -- e-Directory (formerly NDS)
● OpenLDAP -- OpenLDAP
● Oracle -- Internet Directory
Southwestern's LDAP
Unified Authentication Requirements for:
● Unix systems, which provide POP, IMAP, SMTP
● Web services -- webmail, software downloads, timeclocks, MySU portal, Campus Notices (W&L), library catalogs, ...
● Lab computers – both Macs and PCs
● Wired and Wireless network access (via NetReg)
● Datatel WebAdvisor
● Group calendaring (currently CorpTime – now Oracle)
Authoritative source of data must reside on a Unix server, and have a web-based management interface with multiple levels of access control.
Southwestern Univ. Active Directory (AD)
● This summer ('03) we implemented MS Active Directory on a Win2K Advanced Server for WinXP and MacOS-X clients.
  – This provided seamless data storage to our Network Appliance file server (also used via NFS to our Unix servers) from any lab computer on campus.
  – MacOS-X -- we use the “Admit Mac” product by Thursby Software to allow Macs to “join the Active Directory domain”. Macs are treated just like PCs on the domain with transparent Desktop and (My)Documents folder mappings like on a PC.
  – Currently NO synchronization between AD and Unix-hosted LDAP and NIS.
  – Old (pre-existing) accounts had to have a new password for AD, though can reset
  – New accounts are created after the Unix/email account and use the same passwords
  – Password changes must be done on both systems! VERY CONFUSING.....
  – Account management done from Win/Mac/Linux using VNC. Plans to
Future Goals for Southwestern Univ. LDAP Infrastructure
● Unix-based product (need Enterprise stability!)
● Datatel supported (for WebAdvisor)
● **Synchronization/Replication to/from Active Directory**
● Flexibility/Extensibility. Need access to data stores without a complex API.
● Standards based – extremely important for future product integration
And now another perspective...
Doug Walker and Richie Trenthem from Rhodes College
Discussion....
● What is everyone else doing/thinking? Who has experience with LDAP products besides Microsoft Active Directory?
● Washington & Lee uses Novell eDirectory, but could not be here to talk about it. Ask Julie during the break how it is working for them.
● What requirements does your campus have? What are your strengths and weaknesses in playing the LDAP game?
References
● “LDAP Directories Explained: An Introduction and Analysis” by Brian Arkills (Addison Wesley – 2003)
● “LDAP System Administration”, by Gerald Carter (O'Reilly & Associates – 2003)
● “Understanding and Deploying LDAP Directory Services (2nd Ed.)”, by Timothy Howes (Addison Wesley – 2003) [the bridge book]
● http://www.openldap.org
● http://www.kingsmountain.com
  – the “LDAP RoadMap and FAQ” has many great resources
● http://perlldap.sourceforge.net
  – Net::LDAP module provides the ability to create hooks into LDAP via CGI or CLI scripts