RE: Solaris User Account Management

Authentication and name resolution functions are actually handled by PADL's
pam_ldap and nss_ldap modules, which provide the interface between an
operating system's authentication system and an LDAP directory. OpenLDAP is
only one of a few LDAP packages that can be used with pam_ldap and nss_ldap.
Therefore, these questions are somewhat off-topic for this list and would be
better addressed on the pam_ldap and nss_ldap lists.

That being said, I went ahead and provided some answers to your
questions. Please take them in the context of using pam_ldap and nss_ldap
with OpenLDAP as the underlying directory provider.

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Joe Gainey
> Sent: Wednesday, July 30, 2003 12:56 PM
> To: openldap-software@OpenLDAP.org
> Subject: Solaris User Account Management
>
>
>
> I've got what should be a fairly typical situation.  I've got about 500
> or so boxes that are divided into various and sometimes overlapping
> departments.  I'm looking to figure out if LDAP will solve my user
> management woes, so if anyone could answer the following questions and
> supply any URLs referencing the answer I would really appreciate it.
>
> All of these apply to a Solaris 8/9 environment
>
> 1.  Can OpenLDAP be used for login authentication and authorization?

Authentication, yes. Authorization is a bit of a mixed bag. It depends what
you want to authorize.

> 2.  Can users be added with accounts on specific groups of machines?

Since your LDAP directory is a global user and group database, all users and
groups are known to all machines. Therefore, strictly speaking, all users in
your LDAP directory have accounts on all machines. What it sounds like you'd
really like to do is allow users to log in to some machines and not others,
possibly based on group membership. There are several ways of doing that,
ranging from the use of ACLs to the use of host attributes that specify
allowed login hosts for a given user. The method you choose is dependent on
the choices you make in your design.

> 3.  Can users be added with an account on a specific machine?

The answer is basically the same as above, but note that you can still have
local accounts on individual machines that do not appear in the LDAP
directory. This leaves you with a bit of a management problem if there are a
lot of these accounts.

As an example, root accounts are typically local accounts so that
administrators can log in in the event the LDAP authentication system fails
for some reason.

> 4.  Can users be added with different home directories on different
> groups of machines?

That's harder. Most folks who use LDAP for authentication also use NFS or a
similar mechanism to share file systems among machines, and the home
directory is therefore assumed to be the same on each. One solution is to use
symbolic links to make sure there is always a common path to user directories
on all machines.

A check of the PADL or OpenLDAP archives may yield some answers that work
for you.

> 5.  Can standard solaris password aging and rules be applied to user
> accounts?

Yes, using the shadowAccount attributes.

> 6.  Can solaris be configured using the OpenLDAP and/or native LDAP
> clients to use TLS/SSL encryption?

OpenLDAP can use OpenSSL, so yes.

Solaris native clients are a mixed bag. We've seen a lot of folks replace
the Solaris 8 native PAM stuff with PADL's pam_ldap and nss_ldap modules
because of lack of SSL support in the Solaris native stuff.

I've heard reports of folks getting the Solaris 9 native pam and nss modules
using TLS to connect to an OpenLDAP directory. You might want to check the
archives to see if anyone actually reported how they accomplished that.

> 7.  Does using TLS/SSL encryption mean that account is protected from
> network sniffers?

Yes.

>
> Anyone got any experience with any of those?  All comments/responses
> welcome.

Some observations:

The fact that your users do not appear to have directories that
are shared among machines begs the question of whether your numeric user
and group ids are synchronized. If not, this is an additional task you
should consider as part of this project.

Since your machines appear to be loosely federated, you might consider
keeping them that way and managing the individual password and group files
on each system from a central directory. That approach would allow you to
have the best of both worlds: individual variation and local storage with
global control. If you decide to go that way, Symas can provide additional
information on a product that does that.

If you want to stick with open source, you will likely need to extend the
current components to add the capabilities you need.

>
> Joe

Hope this helps...

Matthew Hardin
Symas Corporation
Packaged, certified, and supported LDAP software:
http://www.symas.net/download
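The reply above mentions two mechanisms without showing them: restricting
logins per host with host attributes on the user entry (question 2) and
applying password aging with the shadowAccount attributes (question 5). The
following is an added illustration, not code from this thread, from Symas or
from PADL's pam_ldap: a small Python script that parses constructed LDIF
sample entries and applies a simplified version of the decisions pam_ldap
makes with `pam_check_host_attr` (a `host` value must equal the client
hostname or be `*`; no `host` attribute means deny) and with the standard
shadow fields (`shadowLastChange`, `shadowMax`, `shadowWarning`,
`shadowInactive`, `shadowExpire`, all in days since 1970-01-01). The entry
data, hostnames and day numbers are made up for the example, and the ordering
and edge handling are an assumption rather than PADL's exact logic.

```python
"""Illustrative host-attribute and shadowAccount checks, modelled loosely on
pam_ldap behaviour. Sample data is constructed; logic is a simplification."""
import re
from datetime import date

# Constructed sample directory entries (not from any real deployment).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
host: web01.example.com
host: web02.example.com
shadowLastChange: 12200
shadowMax: 90
shadowWarning: 7

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: bob
host: *
shadowLastChange: 12000
shadowMax: 90
shadowInactive: 14

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: carol
host: *
shadowLastChange: 12200
shadowExpire: 12250

dn: uid=dave,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: dave
"""


def parse_ldif(text):
    """Minimal LDIF parser: {uid: {attr: [values]}}. Handles only the simple
    'attr: value' form (no base64 values, no continuation lines)."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
        entries[attrs["uid"][0]] = attrs
    return entries


def host_allowed(entry, hostname):
    """pam_check_host_attr-style rule (simplified): allow only if some host
    value equals the client hostname or is the wildcard '*'."""
    return any(h == "*" or h.lower() == hostname.lower()
               for h in entry.get("host", []))


def shadow_status(entry, today_days):
    """Classify the shadowAccount state on a given day (days since epoch)."""
    def num(attr):
        vals = entry.get(attr)
        return int(vals[0]) if vals else None

    expire = num("shadowExpire")
    if expire is not None and today_days > expire:
        return "account-expired"
    last, maxdays = num("shadowLastChange"), num("shadowMax")
    if last is None or maxdays is None:
        return "ok"                      # no aging policy on this entry
    inactive = num("shadowInactive")
    if inactive is not None and today_days > last + maxdays + inactive:
        return "account-inactive"        # grace period after expiry is over
    if today_days > last + maxdays:
        return "password-expired"        # must change password to continue
    if today_days >= last + maxdays - (num("shadowWarning") or 0):
        return "password-warning"        # inside the warning window
    return "ok"


def login_decision(entries, uid, hostname, today_days):
    """Combine both checks the way an account-management step might."""
    entry = entries.get(uid)
    if entry is None:
        return "unknown-user"
    if not host_allowed(entry, hostname):
        return "host-denied"
    return shadow_status(entry, today_days)


def days_since_epoch(d):
    """Convert a date to the day count used by the shadow attributes."""
    return (d - date(1970, 1, 1)).days


if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    today = 12260  # constructed 'current day' for the demonstration
    for uid, host in [("alice", "web01.example.com"),
                      ("alice", "db01.example.com"),
                      ("bob", "db01.example.com"),
                      ("carol", "web01.example.com"),
                      ("dave", "web01.example.com")]:
        print(f"{uid:6} on {host:18} -> {login_decision(db, uid, host, today)}")
```

Running it prints one decision per line: alice is allowed on web01 but
denied on db01, bob is locked out as inactive, carol's account has passed its
expiry day, and dave, who has no host attribute at all, is denied everywhere,
which is the behaviour to expect once `pam_check_host_attr` is switched on.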