Page 1: Authentication Server

Copyright © 1999 Clemson University Research Foundation. All rights reserved.

• Idea born in interdepartmental task force
• Too many userid/password combinations for each user to remember
• Need central set of secure servers that all systems use for authentication
• Clemson University Personal ID (CUPID)
• Prototyped/tested in late '95/spring '96
• Production on July 1, 1996

Page 2: Authentication Server

(diagram: Mail, Web, mainframe, UNIX, NetWare, Sun, Windows NT and Oracle systems, each with its own authC client)

Page 3: Architecture

(diagram: Directory Services; Authentication Server Agent; Authentication Server Client; System Integration; AuthServ-Enabled Application; Native Application; User)

Page 4: Architecture Possibilities

(diagram: Directory 1, Directory 2 and Directory 3; Authentication Server Agent; Authentication Server Client; System Integration; AuthServ-Enabled Application; Native Application; User)

Page 5: Client Integration - System Level

(diagram: MVS side - Applications (IDMS, TSO, DB2, ?), SAF/RACF API, RACF, AuthClient; Unix side - Applications (Login, FTP, Sys?), PAM, /ETC/PASSWD, AuthClient)

Page 6: Client Integration - Application Level

(diagram: NT - AuthClient DLL, CGI, Internet Information Server (IIS); Unix - AuthClient BIN, POPd)

Page 7: Authentication Server

• NetWare Loadable Module (NLM) is multithreaded
• Clients use common code base
• Clients have built-in failover capability
• Communication based on TCP/IP sockets
• > 90% of successful password checks complete in less than 0.1 seconds
• > 4 million requests serviced by primary server over a 6 week period (100,000/day)

Page 8: AuthServ Applications

Page 9: NDS Authentication for Large IBM Systems and Applications

Page 10: NDS Authentication for Unix

Page 11: NDS for Authentication POP/IMAP

Page 12: Firewall Authentication

(diagram: Users; Cisco PIX; AuthClient; Intranet / Internet; Livingston Steel-Belted Radius)

Page 13: NDS Web Security via Windows NT/UNIX/???

Page 14: NDS Authentication through Windows NT/UNIX/??? to the Web

Application: Employee Information System (EIS)
Type: Web
Server OS: Windows NT 4.0
Server enabling app: Website/Visual Basic

Page 15: NDS Security Across the Intranet

(diagram: Authenticated Client; Server with AuthClient (Netscape/IIS 32-bit DLL on NT 4.0); Authentication Server (AUTHAGNT.NLM); NDS. Labels: Page request, CheckEquiv, Check Security Equivalence, Locate user object and run equivalence list)

Page 16: AuthServ as an NDS Data Gateway

Application: Call tracking system
Type: Web
Server OS: Windows NT 4.0
Server enabling app: Website/Visual Basic

(screenshot residue: drop-down list of user IDs, "Not Assigned" and DAVIDC visible)

Page 17: Web Interface to Home Directories via AUTHSERV NDS Gateway

Application: Personal pages
Type: Web
Server OS: Linux
Server enabling app: Apache/Caldera

http://www.clemson.edu/~acollin

Page 18: AuthServ Client Functions

• Password check
• Password change
• Resolve to fully distinguished name
• Check security equivalence
• Return group membership
• Get Effective Rights
• Others

Page 19: WebAuth: Web Single Sign-On

(diagram: Workstation web browser, steps 1 and 2; 3rd Party Web Server with WebAuth Client; DCIT Authentication Web Server with WebAuth Trusted Client and AuthClient; AuthAgnt NLM, WebAuth NLM and NDS; operations CHECK, STORE and Redirect)

Only trusted web servers prompt for userid/password and set the cookie in the browser. Other web servers must use the cookie to determine the user.
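Added example, not the WebAuth code described on this slide: a Python model of the trusted/untrusted split, in which only a trusted web server can verify a password through the AuthClient password check and STORE a session, while any other web server can only CHECK the cookie the browser presents. The in-memory store, the credential table, the server names and the return shapes are constructed assumptions.

```python
import secrets

# Constructed credential table standing in for the AuthClient password
# check against NDS (assumption: a dict, not the real AuthClient API).
USERS = {"acollin": "correct horse", "erich": "battery staple"}


def auth_client_password_check(userid, password):
    """Stand-in for the AuthServ client 'Password check' function."""
    return USERS.get(userid) == password


class WebAuthStore:
    """Models the WebAuth NLM sitting behind the web servers.

    STORE is honoured only for trusted web servers (the DCIT authentication
    server); CHECK is open to any web server that presents a browser cookie.
    """

    def __init__(self, trusted_servers):
        self.trusted = set(trusted_servers)
        self.sessions = {}  # opaque cookie value -> userid

    def store(self, server, userid):
        """Bind a fresh, unguessable cookie value to userid; None if refused."""
        if server not in self.trusted:
            return None  # untrusted servers never get to mint sessions
        token = secrets.token_urlsafe(32)
        self.sessions[token] = userid
        return token

    def check(self, cookie):
        """Return the userid bound to cookie, or None for unknown/forged."""
        return self.sessions.get(cookie)


def trusted_login(store, server, userid, password):
    """Flow 1: the trusted server prompts for userid/password, verifies it
    through AuthClient and STOREs a session; the returned value is the cookie
    it sets in the browser (None means the prompt must be repeated)."""
    if not auth_client_password_check(userid, password):
        return None
    return store.store(server, userid)


def third_party_request(store, cookie):
    """Flow 2: a third-party web server never sees a password; it asks
    WebAuth to CHECK the cookie and either learns the userid or has to
    redirect the browser to the trusted login server."""
    userid = store.check(cookie) if cookie else None
    if userid is None:
        return ("redirect", None)
    return ("ok", userid)
```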

Page 20: Caldera OpenLinux and Apache

Web gateway to NetWare file system

(diagram: Browsers; Caldera OpenLinux running AuthC; AuthServer; File Servers)

Page 21: Web Interface to Department Pages

Application: Departmental pages
Type: Web
Server OS: Linux
Server enabling app: Apache/Caldera

http://dcitnds.clemson.edu/CSO/depts/maint

Page 22: Caldera OpenLinux and Apache

• First attempt to provide web services via Novell made use of Novell's intraNetWare Web Server 1.0, which simply was not reliable
• Caldera OpenLinux provided robust UNIX connectivity to NDS and supported the industry standard Apache web server
• Out of the box Caldera/Apache did not provide home directory redirection and/or authentication
  – It did however provide the source code needed to make these modifications

Page 23: Caldera OpenLinux and Apache Mods

• Added a module that would link Apache's user directory directive to the user's Novell home directory
  – Making http://www.clemson.edu/~erich point to EMPLOYED/USR02:\USERS\U20\ERICH\PUBLIC.WWW
• Since Caldera is NDS aware, this also allows us to serve group web sites via their own group servers

Page 24: Caldera OpenLinux and Apache Mods

• Added another module using the previously mentioned authentication server routines to provide both user and group authentication
  – Makes use of standard HTACCESS format with additional Novell directives

Page 25: Using NDS to Secure Web Pages

Example .htaccess using the added Novell directives (AuthName quoted, since the realm contains a space):

    NovellAuth on
    AuthName "Novell Tree"
    AuthType Basic
    <Limit GET POST>
    require user gmcochr
    require user kellen
    require group .resadmin.groups.employee.clemsonu
    </Limit>

Page 26: (overall deployment diagram: NDS; intraNetWare servers A, B and C running AUTHAGNT.NLM; Mainframe (MVS) with RACF, Onlines, VTAM and AuthClient; MAIL (Solaris) with POPd and AuthClient; NT Server web site/WebApp with AuthClient; OpenLinux with Apache, WebApp and AuthClient; user workstation (Windows 95/Windows NT and Mac workstation) running Eudora, TN3270, Netscape and LOGIN.EXE)

Page 27: Design

Page 28: (design diagram: AuthAdmn Win32 App on a '95/'98/NT Workstation used by the Administrator; Manager NW Server running AuthMgr NLM with the Master Census; Agent NW Server 1, 2 ... N, each running AuthAgnt NLM and AuthRslv NLM with its own Census; AuthClient)

Page 29: (design diagram: AuthAdmn Win32 App on a '95/'98/NT Workstation used by the Administrator; Manager NW Server running AuthMgr NLM with the Master Census; Agent NW Servers running AuthAgnt NLM and AuthRslv NLM with a Census; multiple AuthClients)

Page 30: Census

Page 31: Classic Tree Design - Organizational

(diagram: tree rooted at Company with org units Corp, R&D, Prod, Sales, Production, Admin, Proj1, Proj2, Mkting, Actng, Support and users Bob, Emma, Fred, Sally)

Page 32: Classic Tree Design - Geographical

(diagram: tree rooted at Company with regions New York, LA, Europe and Asia; Mkting, Prod and R&D org units under the regions; users Bob, Emma, Fred, Sally)

Page 33: Clemson Tree Design

(diagram: ClemsonU with Users and Organizations containers)

Page 34: CU - Every Person Has a Place

(diagram: ClemsonU; Users split into Students, Misc. and Employee, each subdivided A to Z; Organizations)

Page 35: CU - Every Group Has a Place

(diagram: ClemsonU; Users; Organizations including Athletics, DCIT, CAFLS, CES, Forestry, Research, Dean's office)

Page 36: Client32 Login

Page 37: Novell's Catalog Services

• User locatable database of directory information
• Query APIs
• The catalog object
• Snapin
• Dredger
• NetWare 5.x

.d.employee.clemsonu

Page 38: A Tale of Two Bobs

(diagram: the geographical tree rooted at Company with New York, LA, Europe and Asia; Mkting, Prod and R&D; users Emma, Fred, Sally and two separate users named Bob)

Page 39: Novell's Catalog Services - 2 Bobs

bob
  .mkting.New York.company
  .prod.LA.company

Duplicate keys require the user to choose his context at login time.

Page 40: Catalog Services Issues

• Catalog Object NDS Synchronization is tricky.
• Heterogeneous Systems can be fooled by the catalog.
• Heterogeneous Systems cannot handle duplicate Catalog entries.
• Only supported in NetWare 5.x
• Catalogs can only contain objects in its NDS tree.

Page 41: Census - Unique Catalog Services

• Catalog Services with Rules.
• Provide for true Universal IDs.
• Trawls specified sections of Tree.
• Periodic and On-Demand Trawls.
• Can Use a Catalog as Input.
• Not an NDS object.
• Supports Multiple Trees.
• Collisions are resolved once.

Page 42: Census Definitions

Supported Objects
• Org Unit
  – Recurse
  – Expand
• Group (member)
• Org Role (occupant)
• User
• Catalog
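Added example, not Clemson's Census code: a Python model of one Census trawl over a constructed miniature tree shaped like the Two Bobs slides (pages 38-42), applying the Recurse/Expand rules to Org Units, expanding Group members and Org Role occupants, and resolving a duplicate common name once through a persistent exceptions map. The dict-based tree, the rule names, the exceptions map and the return shape are assumptions, and Catalog input is not modelled.

```python
from collections import defaultdict

# Constructed miniature NDS tree shaped like the "Two Bobs" slides.
# Key: fully distinguished name; value: (object class, attributes).
# Assumption: a plain dict stands in for the live tree a Census trawls.
TREE = {
    ".company": ("OU", {}),
    ".New York.company": ("OU", {}),
    ".mkting.New York.company": ("OU", {}),
    ".bob.mkting.New York.company": ("User", {}),
    ".emma.mkting.New York.company": ("User", {}),
    ".LA.company": ("OU", {}),
    ".prod.LA.company": ("OU", {}),
    ".bob.prod.LA.company": ("User", {}),
    ".fred.prod.LA.company": ("User", {}),
    ".helpdesk.LA.company": ("OrgRole", {"occupant": [".fred.prod.LA.company"]}),
    ".Asia.company": ("OU", {}),
    ".sally.Asia.company": ("User", {}),
    ".admins.Asia.company": ("Group", {"member": [".emma.mkting.New York.company"]}),
}


def common_name(fdn):
    return fdn.split(".")[1]


def parent(fdn):
    return "." + ".".join(fdn.split(".")[2:])


def trawl(tree, definitions, resolved):
    """One Census trawl.

    definitions: list of (fdn, rule); rule is "Recurse" (the Org Unit and every
    Org Unit below it) or "Expand" (its immediate children only). Groups add
    their members, Org Roles their occupants, Users themselves.
    resolved: persistent cn -> FDN choices made by the administrator from an
    earlier exception report ("collisions are resolved once").
    Returns (census, exceptions): census maps each unique cn to one FDN, the
    universal ID; exceptions lists the still-unresolved duplicate cns.
    """
    candidates = defaultdict(set)  # cn -> every User FDN found under that cn

    def add_user(fdn):
        candidates[common_name(fdn)].add(fdn)

    def visit(fdn, rule):
        cls, attrs = tree[fdn]
        if cls == "User":
            add_user(fdn)
        elif cls == "Group":
            for member in attrs.get("member", []):
                add_user(member)
        elif cls == "OrgRole":
            for occupant in attrs.get("occupant", []):
                add_user(occupant)
        elif cls == "OU":
            for child in (c for c in tree if parent(c) == fdn):
                if tree[child][0] == "OU" and rule != "Recurse":
                    continue  # Expand stops at the first level
                visit(child, rule)

    for fdn, rule in definitions:
        visit(fdn, rule)

    census, exceptions = {}, {}
    for cn, fdns in candidates.items():
        if len(fdns) == 1:
            census[cn] = next(iter(fdns))
        elif resolved.get(cn) in fdns:
            census[cn] = resolved[cn]  # reuse the one-time resolution
        else:
            exceptions[cn] = sorted(fdns)  # goes to the exception report
    return census, exceptions
```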

Page 43: Big Picture

(diagram: Agent; Resolver; Census and New Census; Manager; Census Administrator; Client; AuthConfig; Exception Report; NDS. Legend: Data Flow, Command Flow)

Page 44: Exceptions

Page 45: User Bases

(diagram: Agent serving user bases ALL, FACULTY and STAFF, addressed as UB=ALL, UB=FACULTY and UB=STAFF)

Page 46: Mass User Management

(diagram: HR; Directory Services; User Bases; MUM)

Page 47: Requirements

Page 48: AuthAdmin Requirements

• Windows '95/'98/NT Workstation
• 64 MB RAM
• Client32

Page 49: Manager Server Requirements

• NetWare 4.11/5.x
• P-100 or higher (recommended)
• 1 MB RAM/2000 census users (free cache buffers)
• 1 MB Disk/10,000 census users
• No local replicas required.

Page 50: Agent Server Requirements

• NetWare 4.11/5.x
• P-166 or higher (process 25-50 concurrent requests with no local replicas)
• 1 MB RAM/2000 census users (free cache buffers)
• 1 MB Disk/10,000 census users
• No local replicas required.
• TCP/IP configured.

Page 51: Benefits

Page 52: Benefits

• Improved computing usability.
• Uniform authentication security.
• Uniform application security across systems is now a possibility.
• Uniform password rules.
• Easy to deploy new systems.
• Password resets are almost non-existent.

Page 53: More Benefits

• Improved Security on some systems
• Consistency across systems and applications.
• Stronger Passwords are used on all systems.
• Allow you to leverage the strengths of heterogeneous systems without sacrificing usability and security.

Page 54: Clients Supported - 3/17/99

• MVS RACF Version 1.9 and later
• Solaris Version 2.6 and later
• HP/UX Version 11.0 and later
• Red Hat Linux Version 4.2 and later
• Windows NT Version 4.0 and later
• Windows 95 B and Windows 98

Page 55: Clients

Clients: MVS - RACF, MVS - ACF2, Solaris, HP/UX, Linux, Windows NT, Windows '95/'98, IRIX, AIX

Applications: PeopleSoft, POPd, Livingston Radius, PIX, BSD, Apache, Open Linux, Miscellaneous

Page 56: Comparing NDS for Solaris

• IPX only environment supported
• Pure NW 4.x environment supported
• Non-intrusive install into Solaris
• No NDS object assignments required
• No [Public] NDS rights assignments
• API available to Solaris apps
• Inexpensive Site license
• Multiple tree support is possible

Page 57: Comparing NDS for Solaris

• Ensures that there are no duplicate user names across the entire NDS tree.
• No user migration is required.
• Does not require unique UNIX uids across the entire system.
• Supports multiple user UIDs across heterogeneous UNIX systems.
• Not a large leap.