Benefits of using Active Directory

- Unlike the earlier Microsoft Windows NT 4.x Domain directory service, which used proprietary DCE/RPC calls, Active Directory is based on standard Internet protocols:
  - LDAP v3 for directory lookup and updates.
  - Kerberos 5 for authentication (single sign-on).
  - DNS for name resolution.
- The hope was that non-Microsoft implementations of these protocols could be used to serve Windows clients, allowing true competition for providing these services.
- Unfortunately this is not the case.

(Diagram label: Database Back-end Store.)
Why must we use an Active Directory Server?

- Windows clients don't use only the standard protocols to achieve logon services.
- Mandatory extra features (like the modified Kerberos ticket and other details) are tied into the Active Directory implementation to enforce vendor lock-in.
- The practical result of this is that if you want to use Windows clients and servers and obtain all the functionality you paid for, then you must use a Windows Active Directory server.
- IT staff who recommend an Active Directory rollout without making management aware of this commitment going forward are misleading their executive staff.
- Windows clients do not allow replacement of their low-level functionality to ease integration with non-Windows directory servers.
- As usual, it is easier to configure non-Windows systems to interoperate with Windows systems than vice versa.
- The free release of Microsoft Services for UNIX does help here, although the protocols used (NIS) are not as secure as using the native protocols of Kerberos and LDAP.
- Active Directory servers can have their LDAP schema (the formal definition of the format of the data they store) extended to allow them to serve non-Windows clients.
What do we mean by integration with an Active Directory Server?

- For a non-Windows client to integrate successfully into Active Directory we need two operations to be seamless:
  - Authentication of Linux/UNIX accounts against Active Directory.
  - Enumeration of Linux/UNIX user and group directory information stored in an Active Directory store.
- For authentication the preferred method is Kerberos 5 (the native Windows 2000 and above authentication method). Microsoft Services for UNIX, LDAP or MSRPC can also be used here.
- For user and group enumeration integration LDAP is the preferred method. Microsoft Services for UNIX and MSRPC can also be used.
Kerberos Authentication Integration

- Active Directory servers can be Kerberos 5 KDC servers for Linux/UNIX clients.
- MIT or Heimdal Kerberos servers cannot be complete KDC servers for Windows clients due to the missing extra data field.
- MIT or Heimdal KDC servers can be set to trust AD Kerberos servers if the Windows and UNIX user accounts are separated into separate realms.
- In a more integrated environment it is probably easier to just use Active Directory Kerberos servers (as Microsoft intended by extending the standard).
Integrating Windows Authentication Services with Linux/UNIX

- Linux/UNIX systems started with local files containing all authentication information.
- Since then a standardized plugin architecture has been developed to allow replacement of the authentication information validation (user logons) and maintenance (password changing) with many different possible targets.
- PAM (Pluggable Authentication Modules): an API invented by Sun and adopted by Linux and other UNIX platforms.

PAM: Pluggable Authentication Modules

(Diagram: Application, PAM request, lookup, PAM library. PAM requests can be for auth, account, password or session functionality.)
PAM on Linux/UNIX systems

- PAM is a standard on Linux and many UNIX systems (HP-UX, Solaris and others).
- Over twenty different PAM modules exist to provide all manner of authentication services.
- Three specific modules are of interest for Active Directory integration:
  - Kerberos: pam_krb5 (http://pamkrb5.sourceforge.net)
  - LDAP: pam_ldap (http://www.padl.com)
  - Samba/Microsoft RPC: pam_winbind (http://www.samba.org)
Kerberos: pam_krb5

- Takes the user's cleartext password and validates it against a standard Kerberos 5 server (Active Directory adds extra proprietary data into the returned ticket, but the client libraries on Linux/UNIX ignore this data).
- Returns a Kerberos 5 Ticket Granting Ticket (TGT) which can be used to get tickets for other services.
- Care must be taken to ensure the encryption method used by default by Windows (RC4-HMAC) is available on the Linux/UNIX Kerberos system.
- Source code available, Open Source/Free Software.
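The RC4-HMAC caveat above is the kind of thing that is easiest to catch with a quick audit of the client's krb5.conf before anyone tries to log on. The script below is an added example, not part of the original slides: it pulls the enctype lists out of a krb5.conf and checks that the Windows default enctype (spelled "arcfour-hmac" by MIT and Heimdal) is permitted, and that the realm name is upper case. The krb5.conf text, the realm EXAMPLE.COM and the KDC name dc1.example.com are constructed placeholders. Current Active Directory versions also offer AES enctypes and Microsoft has been moving away from RC4, so a present-day configuration should list the AES types first and keep arcfour-hmac only while older domain controllers remain.

```shell
# Added example (not from the slides): audit the enctype lists in a krb5.conf
# so that pam_krb5 can talk to an AD KDC. The krb5.conf text below is a
# constructed sample; EXAMPLE.COM and dc1.example.com are placeholders.
KRB5_SAMPLE='[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac
    permitted_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
'

# Print the value of one [libdefaults] key from krb5.conf text on stdin.
# Other sections are ignored; "key=value" and "key = value" both match.
libdefault() {
    awk -v key="$1" '
        /^[[:space:]]*\[/ { insect = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        insect && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }
    '
}

# Succeed only if every enctype list names the wanted enctype. MIT and Heimdal
# call Windows RC4-HMAC "arcfour-hmac"; a client that omits it cannot decrypt
# the reply from a Windows 2000/2003 DC even though the password is correct.
has_enctype() {
    conf=$1; want=$2
    for key in default_tkt_enctypes default_tgs_enctypes permitted_enctypes; do
        val=$(printf '%s\n' "$conf" | libdefault "$key")
        case " $val " in
            *" $want "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Realm names are case-sensitive; an AD realm is the DNS domain in upper case,
# so a lower-case default_realm is a common misconfiguration.
realm_is_uppercase() {
    r=$(printf '%s\n' "$1" | libdefault default_realm)
    [ -n "$r" ] && [ "$r" = "$(printf '%s' "$r" | tr '[:lower:]' '[:upper:]')" ]
}

# Stand-alone run: report on the constructed sample.
if has_enctype "$KRB5_SAMPLE" arcfour-hmac && realm_is_uppercase "$KRB5_SAMPLE"; then
    echo "krb5.conf OK: arcfour-hmac permitted, realm $(printf '%s\n' "$KRB5_SAMPLE" | libdefault default_realm)"
else
    echo "krb5.conf needs attention" >&2
fi
```

Run it against a real file with `libdefault default_tkt_enctypes < /etc/krb5.conf`; an empty result means the key is unset and the library defaults apply, which on an old client may not include arcfour-hmac at all.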
LDAP: pam_ldap

- Takes the user's cleartext password and validates it against an LDAP server by attempting to set up an LDAP connection as the given username/password pair.
- Must be set up to use SSL/TLS in order to securely validate the password (pam_krb5 doesn't have this problem; all Kerberos exchanges are secure).
- Developed by PADL Software, available as Open Source/Free Software.
Samba: pam_winbind

- Allows a Linux/UNIX user to authenticate in exactly the same way as if they were logging on to a Microsoft member server in the Domain.
- Requires a working Samba setup (more details later).
- Completely integrates the Linux/UNIX authentication mechanism into the Windows world, identical to a Windows server.
- All of Samba is Open Source/Free Software.
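Whichever of the three modules is chosen, it is stacked beside pam_unix in the PAM configuration, and the control flags decide what happens when the directory server cannot be reached. The script below is an added example, not from the slides: it reads a PAM stack in the layout of a Linux /etc/pam.d/system-auth file and checks the three things that matter when adding a directory module. Both configuration texts are constructed samples (the second one deliberately shows the common mistake of marking pam_krb5 "required"); the module names are the real ones, everything else is illustration.

```shell
# Added example, not from the slides: check a PAM stack that puts pam_krb5
# beside pam_unix. Both files below are constructed samples in the layout of a
# Linux /etc/pam.d/system-auth; the "BAD" variant shows the common mistake.
PAM_SAMPLE='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    sufficient    pam_unix.so sha512 shadow use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     required      pam_unix.so
session     optional      pam_krb5.so
'

# Same idea, but pam_krb5 marked "required" in auth: every logon, including
# local root at the console, now fails whenever the KDC is unreachable.
PAM_BAD='auth        required      pam_krb5.so
auth        required      pam_unix.so use_first_pass
account     required      pam_unix.so
password    required      pam_krb5.so
session     required      pam_unix.so
'

# Print the module names of one management group (auth, account, password,
# session) in stack order. Handles bracketed controls like [default=bad ...].
pam_modules() {
    awk -v type="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 != type { next }
        {
            i = 2
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++ }
            print $(i + 1)
        }
    '
}

# pam_unix.so must stay in every group so that local accounts keep working
# when the directory is down and local passwords can still be changed.
has_local_fallback() {
    printf '%s\n' "$1" | pam_modules "$2" | grep -qx 'pam_unix.so'
}

# The directory module in the auth group must be "sufficient": "required"
# makes AD availability a precondition for every logon. Only the plain
# control keywords are inspected here.
directory_auth_sufficient() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "auth" && $3 ~ /^pam_(krb5|ldap|winbind)\.so$/ && $2 != "sufficient" { bad = 1 }
        END { exit bad }
    '
}

# With "sufficient" modules the auth group should end in pam_deny.so, so an
# all-modules-failed stack is an explicit denial rather than an accident.
auth_fails_closed() {
    [ "$(printf '%s\n' "$1" | pam_modules auth | tail -n 1)" = "pam_deny.so" ]
}

# Stand-alone run: compare the two samples.
report() {   # usage: report <label> <pam text>
    if has_local_fallback "$2" auth && has_local_fallback "$2" password \
       && directory_auth_sufficient "$2" && auth_fails_closed "$2"; then
        echo "$1: OK"
    else
        echo "$1: local logon depends on the directory server" >&2
    fi
}
report PAM_SAMPLE "$PAM_SAMPLE"
report PAM_BAD "$PAM_BAD"
```

Keep a root shell open while changing PAM files and test a fresh logon from another terminal; the "BAD" stack above locks out every account the moment the KDC is unreachable, which is exactly the failure this check is meant to catch before deployment.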
Integrating Windows User Directory Services with Linux/UNIX

- Linux/UNIX systems started with only local directory listings (local files) and have since had to develop standardized plugin architectures to allow replacement of the directory service with any compatible server (no hidden protocols): NSS (Name Service Switch).
- NSS allows user and group lookup and enumeration to be done via many different directory services. The order in which they are queried can be changed.
- The NSS modules that are of interest for Active Directory integration are:
  - nss_ldap
  - nss_winbind
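The query order mentioned above lives in /etc/nsswitch.conf, and getting it wrong has two distinct failure modes: a directory source listed before "files" makes local accounts (root included) depend on the network, and a missing directory source leaves a freshly authenticated domain user with no uid. The script below is an added example, not part of the slides: it parses nsswitch.conf text and checks both conditions. The file content is a constructed sample for a winbind member server; the database names and source names are the real ones.

```shell
# Added example, not from the slides: read the lookup order out of an
# nsswitch.conf. The file content is a constructed sample for a winbind
# member server.
NSS_SAMPLE='# constructed /etc/nsswitch.conf
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns
'

# Print the ordered source list for one database from nsswitch.conf text on
# stdin; comments are stripped first.
nss_sources() {
    awk -v db="$1" '
        { sub(/#.*/, "") }
        $1 == (db ":") { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    '
}

# "files" first: local accounts still resolve (and root can still log in)
# while the directory server is unreachable, and lookups of purely local
# names never block on a network call.
files_first() {
    [ "$(printf '%s\n' "$1" | nss_sources "$2" | cut -d' ' -f1)" = "files" ]
}

# A directory source must be present for passwd and group, or a domain user
# that PAM has just authenticated has no uid/gid and the logon fails anyway.
uses_directory() {
    printf '%s\n' "$1" | nss_sources "$2" | grep -qwE 'winbind|ldap|nis'
}

# Stand-alone run: report on the two databases that matter for logon.
for db in passwd group; do
    if files_first "$NSS_SAMPLE" "$db" && uses_directory "$NSS_SAMPLE" "$db"; then
        echo "$db: $(printf '%s\n' "$NSS_SAMPLE" | nss_sources "$db")"
    else
        echo "$db: lookup order needs attention" >&2
    fi
done
```

After editing the real file, `getent passwd` for a domain account and `wbinfo -u` (or an `ldapsearch` for the nss_ldap case) show whether the directory source actually answers; the order check alone cannot tell you that.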
NSS: Name Service Switch

(Diagram: Application, NSS request, lookup via /etc/nsswitch.conf, NSS library. NSS requests can look up a user or group, or enumerate the user or group lists.)
LDAP: nss_ldap

- Written by PADL Software (as is pam_ldap), this library allows Linux/UNIX systems to look up users and groups stored in an Active Directory server.
- The Active Directory schema must have been extended from the standard schema by including either the RFC 2307 schema (created by PADL) or the schema used by Microsoft's Services for UNIX product.
- The Linux/UNIX user and group information must already exist in the Active Directory as part of the schema.
- This requires some extra administration to add the extra information to the existing Active Directory data.
Samba: nss_winbind

- Part of the complete solution provided by Samba (will be described in detail later).
- Does not require any changes to the Active Directory schema.
- Does require a working Samba setup and the Linux/UNIX machine to have been added as a member server into the Active Directory.
Microsoft Services for UNIX: nss_nis

- Does not talk directly to the Active Directory server but to a NIS (Network Information Services) gateway running on a Windows server.
- As with nss_ldap, requires additions to be made to the Active Directory schema to add the Linux/UNIX (POSIX) definitions.
- Useful for older UNIX installations that will only use the NIS protocols (regarded as insecure in modern UNIX systems).
- NIS protocol developed by Sun in the late 1980s.
PADL solution

- Modify Active Directory with either the RFC 2307 schema definition or the Microsoft Services for UNIX schema.
- Install pam_ldap (or alternatively pam_krb5) to handle the authentication from the Linux/UNIX systems.
- Install nss_ldap to handle the directory service enumeration from the Linux/UNIX systems.
- Probably the easiest choice for organizations with significant existing Linux/UNIX experience.
- Secure, robust solution but requires work to maintain.
Services for UNIX solution

(Diagram: Windows Active Directory Server (modified schema) with NIS Server Service; Linux/UNIX Server with NIS PAM and NIS NSS; communication using NIS protocol over the network.)

- Uses the older NIS protocol, an older UNIX standard.
- Modern Linux/UNIX systems use either NIS+ (encrypted version of NIS) or LDAP or Kerberos for password verification.
- Now that Microsoft has made Services for UNIX available for free, this is a competitive solution.
- No source code available, unlike the other solutions.
- Good choice if an organization is mainly Windows, with a few older Linux/UNIX machines for which security is not a priority.
Samba winbind solution

(Diagram: Linux/UNIX Server running the winbind daemon, with winbind PAM and winbind NSS.)

- Allows a Linux/UNIX machine to completely emulate a Windows member server.
- No changes to the Active Directory schema needed; winbind copes with mapping Windows users and groups to Linux/UNIX users and groups.
- Allows Windows clients accessing file and print (Samba) services on the Linux/UNIX server to pass Kerberos 5 tickets to obtain service (as to a Windows file server).
- To synchronize user and group mapping between multiple Linux/UNIX servers using winbind an external LDAP server must be used (not completely transparent).
- Uses the same protocols as Windows servers for enumerating
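The synchronization point above comes from how winbind allocates uids: the default local database hands out ids in the order it first sees each Windows SID, so two member servers end up with different uids for the same user. The script below is an added example, not from the slides or from the Samba project: it reads the [global] section of an smb.conf, confirms the settings an AD member server needs, and reports whether the idmap backend yields the same mapping on every server. Both configurations are constructed samples in the "idmap config" syntax of current Samba releases (the slides predate it); EXAMPLE and EXAMPLE.COM are placeholders. Besides the LDAP backend the slides recommend, it recognizes the later "rid" backend, which derives the uid arithmetically from the Windows RID and therefore also agrees across servers.

```shell
# Added example, not from the slides: check the [global] settings that make a
# Samba host an AD member server and see whether its idmap backend gives the
# same uid/gid mapping on every server. Both configs are constructed samples
# in current Samba "idmap config" syntax; EXAMPLE/EXAMPLE.COM are placeholders.
SMB_TDB='[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    # tdb allocates ids in first-seen order, locally, on each server
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
'

SMB_RID='[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    winbind use default domain = yes
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # rid derives uid = range_low + RID, so every server computes the same id
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
'

# Print one [global] parameter from smb.conf text on stdin. Names are compared
# case-insensitively with internal whitespace collapsed, as Samba does.
smb_global() {
    awk -v key="$1" '
        BEGIN { key = tolower(key); gsub(/[[:space:]]+/, " ", key) }
        /^[[:space:]]*\[/ { insect = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        /^[[:space:]]*#/ || /^[[:space:]]*;/ || /^[[:space:]]*$/ { next }
        insect && index($0, "=") {
            k = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[[:space:]]+/, " ", k); sub(/^ /, "", k); sub(/ $/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }
    '
}

# Backend handling a domain, falling back to the "*" default block.
idmap_backend() {   # usage: idmap_backend <conf> <DOMAIN>
    b=$(printf '%s\n' "$1" | smb_global "idmap config $2 : backend")
    [ -n "$b" ] || b=$(printf '%s\n' "$1" | smb_global "idmap config * : backend")
    printf '%s\n' "$b"
}

# uid the rid backend derives for a RID: range_low + RID; fails if it would
# fall outside the domain's range.
rid_to_uid() {   # usage: rid_to_uid <conf> <DOMAIN> <rid>
    range=$(printf '%s\n' "$1" | smb_global "idmap config $2 : range")
    low=${range%-*}; high=${range#*-}
    uid=$((low + $3))
    [ "$uid" -le "$high" ] || return 1
    echo "$uid"
}

# Joining as an AD member needs security = ads plus realm and workgroup.
ads_member_ready() {
    [ "$(printf '%s\n' "$1" | smb_global security | tr '[:upper:]' '[:lower:]')" = "ads" ] &&
    [ -n "$(printf '%s\n' "$1" | smb_global realm)" ] &&
    [ -n "$(printf '%s\n' "$1" | smb_global workgroup)" ]
}

# tdb mappings differ between servers (the slides' point); ldap, the slides'
# remedy, and the later rid backend give every server the same answer.
idmap_consistent_across_servers() {
    case "$(idmap_backend "$1" "$2")" in
        ldap|rid) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: compare the two samples.
report() {   # usage: report <label> <smb.conf text>
    if ads_member_ready "$2" && idmap_consistent_across_servers "$2" EXAMPLE; then
        echo "$1: member-server config with consistent idmap ($(idmap_backend "$2" EXAMPLE))"
    else
        echo "$1: uid/gid mapping is per-server; use ldap or rid for a server farm" >&2
    fi
}
report SMB_TDB "$SMB_TDB"
report SMB_RID "$SMB_RID"
```

On a live system `testparm` validates the file, `net ads join` performs the member-server join the slides describe, and `wbinfo -t` then confirms the machine account trust; `getent passwd` on the same domain user from two servers is the direct test of whether the mapping really agrees.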
Integrating Samba

(Diagram: Samba Domain Controller, Member Server, Member Server, Trust Relationship.)
Conclusions

- Windows Active Directory is a necessary evil if you have large numbers of Windows clients.
- The moral of this is: if you're not piloting a desktop Linux program, you're paying too much for your Microsoft client software.
- Options are PADL Open Source code, Microsoft Services for UNIX, or Samba to provide no-cost integration between your Linux/UNIX machines and Active Directory.
- All solutions have complexity involved; set up a test environment to determine which best matches your business (no surprises here).
http://www.hp.com/linux
http://www.samba.org