The Trouble with Non-Native Authentication
Recently, I’ve been working on a project which is intended to replace access/authorization mechanisms on Solaris/Linux servers with PAM_LDAP (see www.padl.org). Getting PAM-LDAP to work has actually proven to be a relatively easy thing to do. (We happen to be using Novell’s eDirectory as the LDAP environment for it.) But we have been running into multiple problems when it comes to non-PAM-aware applications running on our servers.

Here’s an example: IBM DB2. Technically, it looks up users/user access information from /etc/passwd and from /etc/group. This is all well and good. But some older instances of it don’t necessarily seem to adhere to the standards that nss_ldap uses for lookups, which leaves us in a scenario where we have to maintain a local copy of the account on the Solaris servers in order for DB2 to function correctly. Now, this completely defeats the idea behind using a central directory for access/authorization. What’s the point in having one if you also have to maintain local accounts for non-system-level users on the server?

An Idea -

For anyone who has ever worked in a Novell shop, you are most likely all too familiar with this same problem, only from a different angle. When the Novell client is installed on a Windows workstation, there had to be a mechanism for local users (or domain users, for that matter) to be authenticated to a workstation as well as the eDirectory user. In Microsoft’s wisdom, they assume that everything is Windows and no third party matters. Novell got around this with what they used to call (I have no idea if it’s still called this) “Dynamic Local User”. What it would do, upon login, if you had never logged into that machine before, was create a local account for you with whatever security-specific policies you had assigned to that user. Then you had the option (via policy) to make that a non-volatile user (meaning it would never be deleted unless someone deleted it) or a volatile user (meaning upon logout, the user would be cleaned up from the workstation and all was good). This worked surprisingly well. Now, of course, one thing Novell had on their side was that they knew the user’s password upon login and could sync it up. It was also a fairly small use case (meaning it was really intended for workstations and the types of things they would be doing).
Now, I realize that a server (especially one of the Unix variety) is a very different beast from a workstation. But what I was wondering is whether this is possible for a Unix box.
I’ve seen some stuff out there that has some of this functionality, but nothing that really got me going yet.
Has anyone ever run across software (maybe a PAM module) that supports this type of functionality? I have seen pam_mkhomedir before and even used it. That is sort of dynamic provisioning for the home directory on Unix. But what about the user?
Anyone?
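One way to get the “Dynamic Local User” behaviour the post asks about on a Unix box, as an added example that is not from the original post or any existing module: a hypothetical pam_exec session hook that mirrors the NSS-resolved directory entry into the local passwd file with the same uid/gid/home/shell (so file ownership stays consistent) while leaving the local password locked (so authentication still goes through pam_ldap). The install path, the `LOOKUP` override and the script name are assumptions.

```shell
#!/bin/sh
# Hypothetical pam_exec session hook (assumed install path and PAM line):
#   session optional pam_exec.so /usr/local/sbin/dynamic_local_user.sh
# pam_exec exports PAM_USER to the script.  Not an existing module.

# NSS-resolved passwd entry for a user (empty if unknown).  LOOKUP may be
# overridden (e.g. in tests); it is intentionally unquoted so the default
# "getent passwd" splits into command and argument.
resolve_user() {
    ${LOOKUP:-getent passwd} "$1" 2>/dev/null | head -n 1
}

# True if the user is already defined in the local passwd file.
is_local_user() {
    grep -q "^$1:" "${2:-/etc/passwd}"
}

# Print the useradd command that mirrors the directory entry locally, or
# "exists" if nothing needs doing.  Keeping uid/gid/home/shell identical to
# the LDAP entry is what keeps file ownership consistent across servers;
# useradd refuses a uid that already belongs to another local account.
plan_local_user() {
    user=$1; passwd_file=${2:-/etc/passwd}
    entry=$(resolve_user "$user")
    [ -n "$entry" ] || { echo "unknown user: $user" >&2; return 1; }
    if is_local_user "$user" "$passwd_file"; then
        echo "exists"; return 0
    fi
    uid=$(echo "$entry" | cut -d: -f3)
    gid=$(echo "$entry" | cut -d: -f4)
    home=$(echo "$entry" | cut -d: -f6)
    shell=$(echo "$entry" | cut -d: -f7)
    # -M: leave home creation to pam_mkhomedir.  useradd creates the account
    # with a locked password by default, so the local copy cannot be used to
    # log in around pam_ldap.  Assumes the primary gid resolves (locally or
    # via nss_ldap) and that the directory entry is trusted input.
    echo "useradd -M -u $uid -g $gid -d $home -s $shell $user"
}

# When invoked by PAM: provision only if the directory knows the user
# but the local passwd file does not.
if [ -n "$PAM_USER" ]; then
    cmd=$(plan_local_user "$PAM_USER") || exit 0
    [ "$cmd" = "exists" ] || $cmd
fi
```

The volatile variant from the Novell client would be a matching `session close` hook that runs `userdel` for accounts this script created; that part is left out here.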