The Trouble with Non-Native Authentication
May 7, 2007 by mabatche.
Recently, I’ve been working on a project which is intended to replace access/authorization mechanisms on Solaris/Linux servers with PAM_LDAP (see www.padl.org). Getting PAM-LDAP to work has actually proven to be a relatively easy thing to do. (We happen to be using Novell’s eDirectory as the LDAP environment for it.) But we have been running into multiple problems when it comes to non-PAM-aware applications running on our servers.

Here’s an example: IBM DB2. Technically, it looks up users/user access information from /etc/passwd and from /etc/groups. This is all well and good. But on some older instances of it, it doesn’t necessarily seem to adhere to the standards that nss_ldap uses for lookups, which leaves us in a scenario where we have to maintain a local copy of the account on the Solaris servers in order for DB2 to function correctly. Now, this completely defeats the idea behind using a central directory for access/authorization. What’s the point in having one if you also have to maintain local accounts for non-system-level users on the server as well?

An Idea -

For anyone who has ever worked in a Novell shop, you are most likely all too familiar with this same problem, only from a different angle. When the Novell client is installed on a Windows workstation, there had to be a mechanism for local users (or domain users, for that matter) to be authenticated to a workstation as well as the eDirectory user. In Microsoft’s wisdom, they are assuming that everything is Windows and no third party matters. Novell got around this with what they used to call (I have no idea if it’s still called this) “Dynamic Local User”. What it would do, upon login, if you had never logged into that machine before, was create a local account for you with whatever security-specific policies you had assigned to that user. Then you had the option (via policy) to make that a non-volatile user (meaning it would never be deleted unless someone deleted it) or make it a volatile user (meaning upon logout, the user would be cleaned up from the workstation and all was good). This worked surprisingly well. Now, of course, one thing Novell had on their side was that they knew the user’s password upon login and could sync it up. It was also a fairly small use case (meaning it was really intended for workstations and the types of things they would be doing).
Now, I realize that a server (especially one of the unix variety) is a very different beast from a workstation. But, what I was wondering is if this is possible for a unix box?
I’ve seen some stuff out there that has some of this functionality, but nothing that really got me going yet.
Has anyone ever run across software (maybe a PAM module) that supports this type of functionality? I have seen pam_mkhomedir before and even used it. That is sort of a dynamic provision for the home directory on Unix. But what about the user?
Anyone?
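One way the “Dynamic Local User” idea could look on a Unix box, as an added example that is not code from the original post: two shell functions that a PAM session hook (for instance via pam_exec) could call to mirror the directory entry into the local passwd/shadow files on login and drop it again on logout (the volatile case). The local password field is locked so the mirrored copy can never become a second, LDAP-bypassing way in; the file paths, the sample local accounts and the LDAP entry are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: a "dynamic local user"
# sketch for Unix. Assumes the directory entry arrives as a passwd(5) line
# (what `getent passwd NAME` returns through nss_ldap) and that the local
# passwd/shadow paths are passed in, so it runs against constructed copies
# instead of the real /etc files.

# mirror_user ENTRY PASSWD_FILE SHADOW_FILE
# Mirror name, UID, GID, GECOS, home and shell locally so software that reads
# /etc/passwd directly (the DB2 case) sees the same identity. The local
# password field is locked ("!"): the copy must never become a second way in
# that bypasses PAM/LDAP.
mirror_user() {
    entry=$1; pwf=$2; shf=$3
    name=$(printf '%s' "$entry" | cut -d: -f1)
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    gid=$(printf '%s' "$entry" | cut -d: -f4)
    rest=$(printf '%s' "$entry" | cut -d: -f5-)   # gecos:home:shell
    # Already mirrored: nothing to do, so calling this on every login is safe.
    if grep -q "^$name:" "$pwf"; then
        return 0
    fi
    # Never reuse a UID that a different local account already owns; doing so
    # would hand the directory user that account's files and privileges.
    if cut -d: -f3 "$pwf" | grep -qx "$uid"; then
        echo "mirror_user: uid $uid for $name collides with a local account" >&2
        return 1
    fi
    printf '%s:x:%s:%s:%s\n' "$name" "$uid" "$gid" "$rest" >> "$pwf"
    printf '%s:!:::::::\n' "$name" >> "$shf"
}

# remove_user NAME PASSWD_FILE SHADOW_FILE
# Volatile mode: drop the mirrored account again at logout.
remove_user() {
    name=$1
    for f in "$2" "$3"; do
        grep -v "^$name:" "$f" > "$f.tmp" || true   # grep exits 1 if nothing is left
        mv "$f.tmp" "$f"
    done
}

# Constructed sample data: two existing local accounts plus the entry nss_ldap
# would return for a directory user who needs to use DB2 on this host.
WORK=$(mktemp -d)
PASSWD="$WORK/passwd"; SHADOW="$WORK/shadow"
printf 'root:x:0:0:root:/root:/bin/sh\ndb2inst1:x:1001:1001::/home/db2inst1:/bin/sh\n' > "$PASSWD"
printf 'root:*:::::::\ndb2inst1:*:::::::\n' > "$SHADOW"
LDAP_ENTRY='dbuser:x:5001:5001:DB User,,,:/home/dbuser:/bin/bash'
```

Because the mirrored entry keeps the directory's UID/GID, files the user creates stay owned by the same identity whether a process resolves it through nss_ldap or through the local file.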
Posted in Uncategorized
Where’s my open source enterprise IDM solution?
April 30, 2007 by mabatche.
I’ve been doing IDM for about 6 years now. With everyone I speak to, IDM pretty much gets talked about in 2 ways:
1 - SSO/Federation solutions, geared mostly around federation and SSO access/authorization. (There are actually a plethora of open source projects that can help tackle these problems.)
2 - IDM in terms of user provisioning and profiling in enterprise-to-enterprise type software, such as Lotus Notes, Active Directory, eDirectory or even things like RACF on z/OS.
For number 1, I’ve found all sorts of stuff in that space. Here are a couple of links for it:
http://www.manageability.org/blog/stuff/single-sign-on-in-java/view
http://www.techworld.com/networking/features/index.cfm?featureid=1681
For number 2 though, I have yet to find anything interesting that gets my attention, which got me wondering why.
I’m well versed in Novell’s Identity Manager product and have also done *some* work with Sun’s product. There are also a few other companies out there that claim to do some form of IDM in this space, including Microsoft, IBM/Tivoli, CA, and then there are some smaller players.
Most of these products base everything on some sort of directory technology. Be it eDirectory for Novell, AD for Microsoft, or whatever the directory of the day is, they all have some form of directory back-end that serves as a meta-directory. In the open source world, we have OpenLDAP, which is certainly a reputable and well-proven directory service. It seems to me that it would be a relatively interesting idea to attempt to build an enterprise-class IDM solution that works in conjunction with OpenLDAP as the back end.
I realize I’m sort of rambling on here, so if anyone knows of any efforts going on in this space, post a comment.
I’m actually considering attempting this myself. If there is any interest, let me know!
UPDATE: From one of the little handy “Who’s linking to you” links, someone pointed this out: http://www.diamelle.com/ . They appear to be working on this exact problem. I’ll check it out and let everyone know.
Posted in Identity Management, Uncategorized