Copyright © 1999 Clemson University Research Foundation. All rights reserved.
Authentication Server
• Idea born in interdepartmental task force
• Too many userid/password combinations for each user to remember
• Need central set of secure servers that all systems use for authentication
• Clemson University Personal ID (CUPID)
• Prototyped/tested in late '95/spring '96
• Production on July 1, 1996
Authentication Server
Mail authC
Web authC
mainframe authC
UNIX authC
NetWare authC
Sun authC
Windows NT authC
Oracle† authC
Architecture
Directory Services
Authentication Server Agent
Authentication Server Client
System Integration
AuthServ-Enabled Application
Native Application
User
Architecture Possibilities
Directory 1
Authentication Server Agent
Authentication Server Client
System Integration
AuthServ-Enabled Application
Native Application
User
Directory 2
Directory 3
Client Integration - System Level
Diagram, MVS: Applications (IDMS, TSO, DB2, ?), AuthClient, SAF / RACF API, RACF.
Diagram, Unix: Applications (Login, FTP, Sys, ?), AuthClient, PAM, /ETC/PASSWD.
Client Integration - Application Level
Diagram, NT: AuthClient DLL, CGI, Internet Information Server (IIS).
Diagram, Unix: AuthClient BIN, POPd.
Authentication Server
• NetWare Loadable Module (NLM) is multithreaded
• Clients use common code base
• Clients have built-in failover capability
• Communication based on TCP/IP sockets
• > 90% successful password checks complete in less than 0.1 seconds
• > 4 million requests serviced by primary server over a 6 week period (100,000/day)

AuthServ Applications
NDS Authentication for Large IBM Systems and Applications
NDS Authentication for Unix
NDS Authentication for POP/IMAP
Firewall Authentication
Diagram: Users, Cisco PIX, AuthClient, Intranet / Internet, Livingston Steel-Belted Radius.

NDS Web Security via Windows NT/UNIX/???
NDS Authentication through Windows NT/UNIX/??? to the Web
Application: Employee Information System (EIS)
Type: Web
Server OS: Windows NT 4.0
Server enabling app: Website/Visual Basic
NDS Security Across the Intranet
Diagram: Authenticated Client → Server running AuthClient (Netscape or IIS 32-bit DLL on NT 4.0) → Authentication Server (AUTHAGNT.NLM) → NDS. Flow shown: Page request, CheckEquiv, Check Security Equivalence, Locate user object and run equivalence list.
AuthServ as an NDS Data Gateway
Application: Call tracking system
Type: Web
Server OS: Windows NT 4.0
Server enabling app: Website/Visual Basic
Web Interface to Home Directories via AUTHSERV NDS Gateway
Application: Personal pages
Type: Web
Server OS: Linux
Server enabling app: Apache/Caldera
http://www.clemson.edu/~acollin
AuthServ Client Functions
• Password check
• Password change
• Resolve to fully distinguished name
• Check security equivalence
• Return group membership
• Get Effective Rights
• Others
WebAuth: Web Single Sign-On
Diagram: Workstation with Web Browser 1 and Web Browser 2; 3rd Party Web Server with WebAuth Client; DCIT Authentication Web Server with WebAuth Trusted Client and AuthClient; AuthAgnt NLM, WebAuth NLM and NDS on the server side. Operations shown: CHECK, STORE, Redirect.
Only trusted web servers prompt for userid password and set cookie in browser. Other web servers must use the cookie to determine the user.
Caldera OpenLinux and Apache
Web gateway to NetWare file system
Diagram: Browsers → Caldera OpenLinux (AuthC) → AuthServer and NetWare File Servers.
Web Interface to Department Pages
Application: Departmental pages
Type: Web
Server OS: Linux
Server enabling app: Apache/Caldera
http://dcitnds.clemson.edu/CSO/depts/maint
Caldera OpenLinux and Apache
• First attempt to provide web services via Novell made use of Novell's intraNetWare Web Server 1.0 which simply was not reliable
• Caldera OpenLinux provided robust UNIX connectivity to NDS and supported the industry standard Apache web server
• Out of the box Caldera/Apache did not provide home directory redirection and/or authentication
  – It did however provide the source code needed to make these modifications
Caldera OpenLinux and Apache Mods
• Added a module that would link Apache's user directory directive to the user's Novell home directory
  – Making http://www.clemson.edu/~erich point to EMPLOYED/USR02:\USERS\U20\ERICH\PUBLIC.WWW
• Since Caldera is NDS aware, this also allows us to serve group web sites via their own group servers
Caldera OpenLinux and Apache Mods
• Added another module using the previously mentioned authentication server routines to provide both user and group authentication
  – Makes use of standard HTACCESS format with additional Novell directives
Using NDS to Secure Web Pages
NovellAuth on
AuthName Novell Tree
AuthType Basic
<Limit GET POST>
require user gmcochr
require user kellen
require group .resadmin.groups.employee.clemsonu
</Limit>
Diagram: NDS with intraNetWare servers A, B and C running AUTHAGNT.NLM; Mainframe (MVS) with RACF, Onlines and VTAM via AuthClient; MAIL (Solaris) with POPd via AuthClient; NT Server web site/WebApp via AuthClient; OpenLinux with Apache/WebApp via AuthClient; user workstation (Windows 95/Windows NT and Mac workstation) running Eudora, TN3270, Netscape† and LOGIN.EXE.

Design
Diagram: AuthAdmn (Win32 App) and AuthClient on a '95/'98/NT Workstation (Administrator); Manager NW Server running AuthMgr NLM with the Master Census; Agent NW Servers 1, 2 ... N each running AuthRslv NLM and AuthAgnt NLM with a local Census.
Diagram: the same layout with several AuthClients; Manager NW Server (AuthMgr NLM, Master Census) and Agent NW Servers (AuthRslv NLM, AuthAgnt NLM) each holding a Census copy.
Classic Tree Design - Organizational
Diagram: Company → Corp, R&D, Prod, Sales; Production, Admin; Proj1, Proj2; Mkting, Actng, Support; users Bob, Emma, Fred, Sally at the leaves.
Classic Tree Design - Geographical
Diagram: Company → New York, LA, Europe, Asia; each region with Mkting, Prod, R&D; users Bob, Emma, Fred, Sally at the leaves.
Clemson Tree Design
Diagram: ClemsonU → Users, Organizations.
CU - Every Person Has a Place
Diagram: ClemsonU → Users (Students, Misc., Employee, each subdivided A to Z) and Organizations.
CU - Every Group Has a Place
Diagram: ClemsonU → Users and Organizations (Athletics, DCIT, CAFLS, CES, Forestry, Research, Dean's office).
Client32 Login
Novell's Catalog Services
• User locatable database of directory information
• Query APIs
• The catalog object
• Snapin
• Dredger
• NetWare 5.x
.d.employee.clemsonu
A Tale of Two Bobs
Diagram: the geographical tree (Company → New York, LA, Europe, Asia, each with Mkting, Prod, R&D) now holding two users named Bob alongside Emma, Fred and Sally.
Novell's Catalog Services - 2 Bobs
bob
.mkting.New York.company
.prod.LA.company
Duplicate keys require the user to choose his context at login time.
Catalog Services Issues
• Catalog Object NDS Synchronization is tricky.
• Heterogeneous Systems can be fooled by the catalog.
• Heterogeneous Systems cannot handle duplicate Catalog entries.
• Only supported in NetWare 5.x
• Catalogs can only contain objects in its NDS tree.
Census - Unique Catalog Services
• Catalog Services with Rules.
• Provide for true Universal IDs.
• Trawls specified sections of Tree.
• Periodic and On-Demand Trawls.
• Can Use a Catalog as Input.
• Not an NDS object.
• Supports Multiple Trees.
• Collisions are resolved once.
Census Definitions
Supported Objects
• Org Unit
• Recurse
• Expand
• Group (member)
• Org Role (occupant)
• User
• Catalog
Big Picture
Diagram: Agent, Resolver, Census / New Census, Manager, Census Administrator, Client, AuthConfig, Exception Report, NDS; arrows mark Data Flow and Command Flow.
Exceptions
User Bases
Diagram: user bases UB=ALL, UB=FACULTY and UB=STAFF (labels FACULTY, STAFF, ALL) served through the Agent.
Mass User Management
Diagram: HR, Directory Services, UserBases, MUM.

Requirements
AuthAdmin Requirements
• Windows '95/'98/NT Workstation
• 64 MB RAM
• Client32
Manager Server Requirements
• NetWare 4.11/5.x
• P-100 or higher (recommended)
• 1 MB RAM/2000 census users (free cache buffers)
• 1 MB Disk/10,000 census users
• No local replicas required.
Agent Server Requirements
• NetWare 4.11/5.x
• P-166 or higher (process 25-50 concurrent requests with no local replicas)
• 1 MB RAM/2000 census users (free cache buffers)
• 1 MB Disk/10,000 census users
• No local replicas required. TCP/IP configured.

Benefits
Benefits
• Improved computing usability.
• Uniform authentication security.
• Uniform application security across systems is now a possibility.
• Uniform password rules.
• Easy to deploy new systems.
• Password resets are almost non-existent.
More Benefits
• Improved Security on some systems
• Consistency across systems and applications.
• Stronger Passwords are used on all systems.
• Allow you to leverage the strengths of heterogeneous systems without sacrificing usability and security.
Clients Supported - 3/17/99
• MVS RACF Version 1.9 and later
• Solaris Version 2.6 and later
• HP/UX Version 11.0 and later
• Red Hat Linux Version 4.2 and later
• Windows NT Version 4.0 and later
• Windows 95 B and Windows 98
Clients
MVS - RACF, MVS - ACF2, Solaris, HP/UX, Linux, Windows NT, Windows '95/'98, IRIX, AIX
Applications
PeopleSoft, POPd, Livingston Radius, PIX, BSD, Apache, Open Linux, Miscellaneous
Comparing NDS for Solaris
• IPX only environment supported
• Pure NW 4.x environment supported
• Non-intrusive install into Solaris
• No NDS object assignments required
• No [Public] NDS rights assignments
• API available to Solaris apps
• Inexpensive Site license
• Multiple tree support is possible
Comparing NDS for Solaris
• Ensures that there are no duplicate user names across the entire NDS tree.
• No user migration is required.
• Does not require unique UNIX uids across the entire system.
• Supports multiple user UIDs across heterogeneous UNIX systems.
• Not a large leap.