Integrated Approach to User Account Management...Integrated Approach to User Account Management...
Transcript of Integrated Approach to User Account Management...Integrated Approach to User Account Management...
Integrated Approach to User Account Integrated Approach to User Account ManagementManagement
Kesselman, Glenn and Smith, WilliamKesselman, Glenn and Smith, WilliamLockheed Martin Mission Services Lockheed Martin Mission Services
Quest Software Public SectorQuest Software Public Sector
Mission CriticalMission CriticalEnterprise SystemsEnterprise SystemsSymposium 2006Symposium 2006
October 17, 2007October 17, 2007
https://ntrs.nasa.gov/search.jsp?R=20070031613 2020-07-29T03:42:21+00:00Z
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 2
AgendaAgenda
•• BackgroundBackground•• Analysis of OptionsAnalysis of Options•• RequirementsRequirements•• Considered ArchitecturesConsidered Architectures•• Architecture EvaluationArchitecture Evaluation•• Architecture ConclusionsArchitecture Conclusions•• BenefitsBenefits•• Then What?Then What?•• ProofProof--ofof--Concept (POC)Concept (POC)•• POC ConclusionsPOC Conclusions
-- Implementation StrategyImplementation Strategy-- Results to DateResults to Date-- ConclusionConclusion
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 3
BackgroundBackground•• Multiple Operating SystemsMultiple Operating Systems•• Systems configurations which will remain unchanged until the Systems configurations which will remain unchanged until the
Orbiter retirementOrbiter retirement•• Users with the same or different user accounts in different Users with the same or different user accounts in different
domainsdomains•• Migration from Network Information System (NIS) style domains Migration from Network Information System (NIS) style domains
to the Active Directory (AD) styled domainsto the Active Directory (AD) styled domains•• How to deal with groups privilegesHow to deal with groups privileges
-- Using a Lockheed Martin provided tool known as ‘become’Using a Lockheed Martin provided tool known as ‘become’-- Using organizational units and personalitiesUsing organizational units and personalities-- How to roll outHow to roll out
»» Roll out with new equipmentRoll out with new equipment»» Phase in on existing equipmentPhase in on existing equipment»» Dealing with unchanged equipmentDealing with unchanged equipment
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 4
Analysis of OptionsAnalysis of Options•• Was it feasible to provide one user ID management Was it feasible to provide one user ID management
system ?system ?-- Yes, but… Yes, but…
•• What options were considered ?What options were considered ?-- Reviewed Light Weight Directory Access Protocol (LDAP) Reviewed Light Weight Directory Access Protocol (LDAP)
vendor offerings and white papersvendor offerings and white papers-- Reviewed LDAP newsgroups and Reviewed LDAP newsgroups and blogsblogs-- Identified 5 candidate architecturesIdentified 5 candidate architectures-- Industry current Industry current ““best practicesbest practices”” said 2 architectures are said 2 architectures are
consistent with industry approachesconsistent with industry approaches-- Leverage our agreements with our vendorsLeverage our agreements with our vendors
»» Questions were posted to Microsoft, Red Hat, Sun, and Quest Questions were posted to Microsoft, Red Hat, Sun, and Quest with respect to LDAPwith respect to LDAP
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 5
Security RequirementsSecurity Requirements•• User Passwords:User Passwords:
-- shallshall be protected / secured when sent over a networkbe protected / secured when sent over a network-- shallshall be protected / secured as stored on the LDAP serverbe protected / secured as stored on the LDAP server-- shallshall be defined by the user (within guidelines and constraints)be defined by the user (within guidelines and constraints)-- shallshall have a minimum and a maximum agehave a minimum and a maximum age-- shallshall be checked against a password history record to prevent be checked against a password history record to prevent
password reusepassword reuse-- shallshall generate warnings when the password nears expirationgenerate warnings when the password nears expiration-- shallshall be checked for triviality and ensure minimum standards be checked for triviality and ensure minimum standards
(defined) are met (minimum number of characters, types, etc.)(defined) are met (minimum number of characters, types, etc.)
•• Accounts Accounts shallshall be locked out with warning messages upon successive be locked out with warning messages upon successive login failures.login failures.
•• Other Other System Entry ApplicationsSystem Entry Applications (FTP, Telnet, (FTP, Telnet, rshrsh) will continue to use ) will continue to use the existing applications password policies. A followthe existing applications password policies. A follow--on study should on study should be conducted to mitigate application password policy risk acceptbe conducted to mitigate application password policy risk acceptanceance
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 6
What Were the Considered Architectures?What Were the Considered Architectures?
•• Parallel Authentication ServersParallel Authentication Servers-- Both MS Windows and UNIX/LinuxBoth MS Windows and UNIX/Linux
•• Common Authentication ServerCommon Authentication Server-- Supports both MS Windows and UNIX/Linux Supports both MS Windows and UNIX/Linux
from a common ‘platform’from a common ‘platform’
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 7
Parallel Authentication ServersParallel Authentication Servers•• Architecture A Architecture A ▪▪ Separate ManagementSeparate Management
-- UNIX/Linux clients authenticate with a UNIX/Linux LDAP UNIX/Linux clients authenticate with a UNIX/Linux LDAP serverserver
-- Windows clients authenticate with a Windows 2003 serverWindows clients authenticate with a Windows 2003 server-- Use the Use the same user ID and password on the Windows and same user ID and password on the Windows and
UNIX/Linux systemsUNIX/Linux systems
•• Architecture B Architecture B ▪▪ SynchronizedSynchronized-- Same as Separate Management, but the LDAP database on Same as Separate Management, but the LDAP database on
the Windows and UNIX/Linux servers are synchronized by the Windows and UNIX/Linux servers are synchronized by external tools and processesexternal tools and processes
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 8
Common Authentication ServerCommon Authentication Server•• Architecture C Architecture C ▪▪ Windows AD serverWindows AD server
-- Serves both UNIX/Linux and Windows clientsServes both UNIX/Linux and Windows clients•• Architecture D Architecture D ▪▪ UNIX/Linux LDAP serverUNIX/Linux LDAP server
-- Serves both UNIX/Linux and Windows clientsServes both UNIX/Linux and Windows clients•• Architecture E Architecture E ▪▪ Vintela + Windows AD serverVintela + Windows AD server
-- Serves both UNIX/Linux and Windows clientsServes both UNIX/Linux and Windows clients-- Vintela option facilitates Kerberized authentication, simpler Vintela option facilitates Kerberized authentication, simpler
management, and strict password policy adherencemanagement, and strict password policy adherence
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 9
Parallel Architecture AParallel Architecture A
MS Windows Client
MS WindowsServer 2003Userid /
domain/password
LSASS
User DB
MS Active DirectoryLogin
LDAP
MS Kerberos V5
RFC 1510
UNIX/Linux ClientUNIX/Linux
PAMUserid /password
DUA LDAPdaemon
User DB
LDAP
Dir SvcsLogin
A
PAM = Pluggable Authentication Module DUA = Directory User Agent
LSASS = Local Security Authority Sub-SystemMicrosoft Windows copyrighted
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 10
Parallel Architecture BParallel Architecture B
MS WindowsServer 2003
UNIX/Linux
MS Windows Client
LSASSLogin
LDAP
RFC 1510
UNIX/Linux Client
PAM DUA
LDAP
Login
Userid /password
Userid /domain/password
B
LDAPdaemon
User DB
Dir Svcs
sync
hron
izat
ion
User DB
MS Active Directory
MS Kerberos V5
Microsoft Windows copyrighted
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 11
Common Architecture CCommon Architecture CWindows LDAP Deployment ArchitectureWindows LDAP Deployment Architecture
MS Windows Client
MS WindowsServer 2003Userid /
domain/password
LSASS
User DB
MS Active DirectoryLogin
LDAP
MS Kerberos V5
RFC 1510
UNIX/Linux Client
PAMUserid /password
DUA LDAPLogin
MS Windows Based Authentication
C
Microsoft Windows copyrighted
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 12
Common Architecture DCommon Architecture DLinux LDAP Deployment ArchitectureLinux LDAP Deployment Architecture
DMS Windows Client
Userid /domain/password
LSASSLoginRFC 1510 (Kerberos V5)
UNIX/Linux Client
UNIX/Linux LDAP Server
PAMUserid /password
DUA
User DB
LDAP
Login
UNIX/Linux Based Authentication
MIT Athena Kerberos V5
LDAPdaemon Dir Svcs
PADL/Samba/WinBind
Microsoft Windows copyrighted
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 13
Common Architecture ECommon Architecture EWindows LDAP Deployment ArchitectureWindows LDAP Deployment Architecture
MS Windows Client
MS WindowsServer 2003
Userid /domain/password
LSASS
User DB
MS Active DirectoryLogin
LDAP
MS Kerberos V5RFC 1510
UNIX/Linux Client
PAMUserid /password
Vintela AgentLogin
MS Windows Based Authentication
E
Vintela
Microsoft Windows copyrighted
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 14
Candidate Architecture Evaluation FactorsCandidate Architecture Evaluation Factors
•• Highly AvailableHighly Available•• SwingableSwingable (Ops to Test & back)(Ops to Test & back)•• ScalableScalable•• Secure channel to protect Secure channel to protect
authenticationauthentication•• Supports customized login Supports customized login
applicationapplication•• Cross security level information Cross security level information
exchangeexchange•• Password History & AgingPassword History & Aging•• UseridUserid/Password database is /Password database is
securesecure•• User impactsUser impacts•• GUIGUI
•• Legacy (nonLegacy (non--compliant) compliant) Systems SupportSystems Support
•• Product SupportProduct Support•• Custom Pluggable Custom Pluggable
Authentication Module (PAM) Authentication Module (PAM) development frameworkdevelopment framework
•• Administration tools are Administration tools are adequateadequate
•• CustomizableCustomizable•• System administration impactsSystem administration impacts•• Administration automationAdministration automation•• InteroperableInteroperable•• CommercialCommercial--OffOff--TheThe--Shelf Shelf
COTS, COTS, COTSCOTS, COTS, COTS
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 15
Candidate Architecture ScorecardCandidate Architecture Scorecard
No Major IssuesMIssues With MitigationXIssues Have No Mitigation
A B C DScorecard
m m m mSwingablemScalable
Customizable
m m m mCustom PAM framework
POS login support
mUser impact
Secure Channel
mHighly available
m m m mCross Sec Level Info Exchange
m m m mProduct Support
N/A XInteroperable
Userid/Password DB is secure
ACA interface
m m m mAdequate Tools
m XSysadmin impactsAutomated admin
m m m mLegacy systems support
m
m
m
m
m
m
E
mPassword History & Aging
m mEstimated Engineering Effort m
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 16
Architecture ConclusionsArchitecture Conclusions•• Using a single Using a single useriduserid/password can be accomplished for a /password can be accomplished for a
single domain user (i.e. OPS only or Development only)single domain user (i.e. OPS only or Development only)•• LDAP implementation is feasible with at least 2 defined domains LDAP implementation is feasible with at least 2 defined domains
(Operations & Development/Verification)(Operations & Development/Verification)
•• The existing NASA Mission Control Center Systems (MCCS) and The existing NASA Mission Control Center Systems (MCCS) and subsystems will be supported as part of a planned equipment subsystems will be supported as part of a planned equipment replacement / upgrade, remain ‘asreplacement / upgrade, remain ‘as--is’ until an equipment is’ until an equipment replacement occurs, or be migrated as part of an approved replacement occurs, or be migrated as part of an approved change directionchange direction
•• Some existing subsystems can be supported with an upgradeSome existing subsystems can be supported with an upgrade•• The recommended architectures will meet the user password The recommended architectures will meet the user password
management requirementsmanagement requirements•• The candidate architecture D is not feasible and will not be The candidate architecture D is not feasible and will not be
pursued because the Linux LDAP server with samba and win pursued because the Linux LDAP server with samba and win bind cannot provide all the necessary services required by bind cannot provide all the necessary services required by WindowsWindows
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 17
BenefitsBenefits•• Users have 1 User Identity (ID) and fewer passwords Users have 1 User Identity (ID) and fewer passwords
for ALL of the MCCS and subsystemsfor ALL of the MCCS and subsystems•• Password policy will be uniform and consistent Password policy will be uniform and consistent
across systems and subsystemsacross systems and subsystems•• Password change interval will be uniform based upon Password change interval will be uniform based upon
a NASA Johnson Space Center approved policya NASA Johnson Space Center approved policy•• This is / was This is / was NOTNOT Single Sign On (SSO)Single Sign On (SSO)
-- Requesting access to another system or subsystem Requesting access to another system or subsystem WILLWILLrequire the user to provide their User ID and passwordrequire the user to provide their User ID and password
-- The candidate LDAP architectures do not preclude moving The candidate LDAP architectures do not preclude moving to SSO in the futureto SSO in the future
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 18
POC ScopePOC Scope•• Then What? DO ProofThen What? DO Proof--OfOf--Concept (POC)Concept (POC)
-- Validate security requirementsValidate security requirementspassword syntax, management, expiration, password syntax, management, expiration,
history, etc.history, etc.-- Explore mixed architecture to ensure that a Explore mixed architecture to ensure that a
consolidated single product type LDAP server consolidated single product type LDAP server implementation is viable, or prove that the implementation is viable, or prove that the parallel candidate architecture deployment is parallel candidate architecture deployment is required.required.
-- Install client and server systems, using existing Install client and server systems, using existing resources to evaluate the possible architectures resources to evaluate the possible architectures and products.and products.
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 19
POC ScopePOC Scope•• Then What?Then What?
-- Facilitate identifying products for the common Facilitate identifying products for the common approach.approach.
-- Identifying a common PAM Identifying a common PAM configurationconfiguration to to support / authenticate MCCS systems.support / authenticate MCCS systems.
-- Determine if a common schema will support all Determine if a common schema will support all intended targets.intended targets.
-- Verify that emulated environment swings are Verify that emulated environment swings are supported.supported.
-- Identify administration tools to support LDAP Identify administration tools to support LDAP environment.environment.
-- Report results of POC actions.Report results of POC actions.
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 20
POC ConclusionsPOC ConclusionsArchitecture Architecture ““BB”” –– Parallel LDAP Servers (A & B collapsed)Parallel LDAP Servers (A & B collapsed)
»» Uses Windows Active Directory (AD) for Windows/2000 and Uses Windows Active Directory (AD) for Windows/2000 and Windows/XP logon clients.Windows/XP logon clients.
»» Uses Red Hat Directory Services (RDS) for Linux, Solaris Uses Red Hat Directory Services (RDS) for Linux, Solaris and AIX logon clients.and AIX logon clients.
»» RDS interfaces with AD keep the RDS interfaces with AD keep the useriduserid/password database /password database in synchronization over a secure link.in synchronization over a secure link.
Architecture Architecture ““EE”” –– Shared LDAP Server (C a variant of E, D Shared LDAP Server (C a variant of E, D infeasible)infeasible)
»» Uses Windows Active Directory (AD) for Windows/2000 and Uses Windows Active Directory (AD) for Windows/2000 and Windows/XP logon clients.Windows/XP logon clients.
»» Linux/Unix Clients use the Vintela addLinux/Unix Clients use the Vintela add--on package to on package to authenticate using Active Directory.authenticate using Active Directory.
»» No synchronization is required No synchronization is required –– common Windows LDAP common Windows LDAP server provides one server provides one useriduserid/password database./password database.
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 21
POC ConclusionsPOC ConclusionsWith Architecture “B”, we found RDS + AD, w/sync:With Architecture “B”, we found RDS + AD, w/sync:
»» Did not support the custom operations satisfactorily;Did not support the custom operations satisfactorily;»» Password strength lies in the individual client Password strength lies in the individual client PAM’sPAM’s and can and can
varyvary based on host type;based on host type;»» Installation of the client PAM was not straightforward, but rathInstallation of the client PAM was not straightforward, but rather er
error prone;error prone;»» Some of the user logon messages are missing or very brief in Some of the user logon messages are missing or very brief in
duration.duration.
With Architecture “E”, we found Vintela + AD:With Architecture “E”, we found Vintela + AD:»» Was simple to install using Red Hat style Was simple to install using Red Hat style RPM’sRPM’s;;»» Provides the messages needed during login processing;Provides the messages needed during login processing;»» Password policy was uniformly implemented by the Windows Password policy was uniformly implemented by the Windows
AD server;AD server;»» Performed well during custom operations.Performed well during custom operations.»» Most COTS oriented solutionMost COTS oriented solution
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 22
POC ConclusionsPOC Conclusions•• Bottom Line:Bottom Line:
•• Implement Architecture EImplement Architecture E
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 23
POC ConclusionsPOC Conclusions•• Implementation strategyImplementation strategy
-- Infrastructure is installed first, then subsystems are brought iInfrastructure is installed first, then subsystems are brought in n according to outside schedule factorsaccording to outside schedule factors
-- Common Common UseridUserid Phase I: Development Systems and SubsystemsPhase I: Development Systems and Subsystems»» Install new AD cluster and migrate Windows 2000/XP clients firstInstall new AD cluster and migrate Windows 2000/XP clients first»» Verify custom login on Linux workstationsVerify custom login on Linux workstations»» Migrate Linux/Unix clients nextMigrate Linux/Unix clients next»» Support LDAP testing with early adoptersSupport LDAP testing with early adopters
-- Common Common UseridUserid Phase II: Operations Systems and SubsystemsPhase II: Operations Systems and Subsystems»» Repeat installation pattern from the Development Systems domainRepeat installation pattern from the Development Systems domain»» Support LDAP authentication in equipment replacement devices (LiSupport LDAP authentication in equipment replacement devices (Linux nux
workstations and servers)workstations and servers)»» Implement Windows devices (current and new)Implement Windows devices (current and new)»» Implement on Unix clients and serversImplement on Unix clients and servers
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 24
Results to dateResults to date
•• All of the Development Domain’s workstations and All of the Development Domain’s workstations and servers are converted to using the LDAP services servers are converted to using the LDAP services based upon the Vintela agentsbased upon the Vintela agents-- Caveat:Caveat:
»» Some of the systems in the Development and Operations domain do Some of the systems in the Development and Operations domain do not support PAM and therefore are still managed separately.not support PAM and therefore are still managed separately.
»» Root is managed locally (at the workstation or server).Root is managed locally (at the workstation or server).
•• Some of the Operations Domain’s workstations and Some of the Operations Domain’s workstations and servers are converted to using the LDAP servicesservers are converted to using the LDAP services-- Caveat:Caveat:
»» Some of the systems in the Operations domain do not support PAM Some of the systems in the Operations domain do not support PAM and therefore are still managed separatelyand therefore are still managed separately
»» Root is managed locally (at the workstation or server)Root is managed locally (at the workstation or server)»» RollRoll--out to the Operations Domain systems and subsystems are being out to the Operations Domain systems and subsystems are being
achieved incrementally with equipment replacements or retrofitsachieved incrementally with equipment replacements or retrofits
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 25
ConclusionConclusion
•• The implementation proceeds well with little problems.The implementation proceeds well with little problems.
•• Quest has been instrumental in the successful Quest has been instrumental in the successful implementation and problem resolution.implementation and problem resolution.-- Problems were resolved at site in some instances with fixes Problems were resolved at site in some instances with fixes
being made in hours or days during the initial testing and roll being made in hours or days during the initial testing and roll out to the Development Domainout to the Development Domain
•• For those systems that are being converted from a NIS For those systems that are being converted from a NIS based service to a PAM based service, develop a based service to a PAM based service, develop a password testing system that user’s can ‘trypassword testing system that user’s can ‘try--it’ before it’ before the ‘usethe ‘use--it’it’
•• Educate the user about this service and why it is Educate the user about this service and why it is importantimportant
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 26
ConclusionConclusion
•• Rolling out a ‘oneRolling out a ‘one--sizesize--fitsfits--all’ solution will be difficult, all’ solution will be difficult, because the size will changebecause the size will change-- For example: If implementation of LDAP services with For example: If implementation of LDAP services with
application authentication is required, then try that first befoapplication authentication is required, then try that first before re having the users change to the system.having the users change to the system.
-- Test the systems with many ‘highTest the systems with many ‘high--fidelity’ users as possiblefidelity’ users as possible»» If you have ‘vocal’ users, get them to be some of those testers If you have ‘vocal’ users, get them to be some of those testers and and
hopefully advocates.hopefully advocates.
•• We did not advertise this as a ‘single signWe did not advertise this as a ‘single sign--on’ solutionon’ solution
•• We did not advertise this as a panacea, just a step We did not advertise this as a panacea, just a step forwardforward
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 27
Active Directory simplifies the situation for Windows systems,
Diverse Systems & DirectoriesDiverse Systems & Directories
- Multiple directories- Multiple identities
- Multiple logins- Not secure
but for non-Windows systems, directories and authentication must all be managed separately
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 28
Vintela integrates disparate Unix/Linux/Java identities into one secure Active Directory environment
Vintela Authentication ServicesVintela Authentication Services
MCES 2007 October 15 – 18 2007 Glenn Kesselman and William Smith Page 29
Metadata ContentMetadata Content
Presentation MetaDataPresentation MetaData
MCES 2007, Identity Management, Account Management
Integrated Approach to User Account Management
Smith, William
ABS-1559
Leave blank or use a legend as specified in CPS-710 -http://policy.global.lmco.com/p3/lockmart/cps/legal/cps-710.html
IT environments consist of both Windows and other platforms. Providing user account management for this model has become increasingly difficult. If Microsoft’s Active Directory could be enhanced to extend a Windows identity for authentication services for Unix, Linux, Java and Macintosh systems, then an integrated approach to user account management could be realized.
Case Studies
All Attendees
Enabling Infrastructure Agility
Metadata NameMetadata Name
KeywordsEnter additional keywords to supplement search
Subject
Additional ContributorsEnter the names of people, besides the listed
presenter/author, who contributed to the content
Abstract Number
LegendIn accordance with CPS-710
Abstract
Coverage
Audience
Track