1 Authentication Project David J. N. Begley Network Analyst University of Western Sydney, Nepean

2 Introduction n Presentation of project design/status/issues to QUESTnet99 Conference n Topics covered: u overall architecture/goals u software chosen (and why) u DIT structure, object classes and attributes u problems (and where known, solutions) u future plans

3 Project Goals n Enforce authentication of students prior to their using computer laboratories n Authentication to use the same login ID and password as the student server n Minimise changes to existing lab infrastructure n Minimise impact on users, support and applications

4 Project Status n Proof-of-concept demonstrated solution indeed works (with caveats) n Currently in testing (ironing out technical problems and establishing end-user support procedures) n Plan is to go “live” mid-year (July, 1999)

5 Current Situation: Laboratories n Desktop machines u Apple Macintosh G3, MacOS 8.5 u Apple Macintosh 7600/200, MacOS 8.0 u Intel x86 PC, Windows NT 4.0 Workstation u Novell NetWare Client on all desktops n Servers u Novell NetWare 5.0 n Students enter login ID, but no verification

6 Current Situation: Server n Single, centralised student server u Sun SPARCserver 20 MP u Sun Solaris 2.6 u accounts in /etc/passwd and /etc/shadow n Currently enrolled students allocated an account (from student record system) n Students locked into a menu system, no direct Unix shell access

7 Current Situation: Server n Currently between 13,000 and 14,000 accounts n Peaks much higher (prior to account purges) n At most 100 simultaneous users

8 Desired Solution n Move user/authentication information from traditional Unix flat files to NetWare NDS n Configure server to authenticate (and perform user lookups against) NDS u PAM - Pluggable Authentication Modules u NSS - Name Service Switch n Solaris applications need to be made “PAM- aware” (if not already)

9 Novell NetWare 5.0 NDS Master Novell NetWare 5.0 NDS Replica Apple MacOS 8.0/8.5 WinNT 4.0 Workstation Novell NetWare 5.0 NDS Replica Solaris 2.6 PAM NSS Directory Service

10 NDS for Solaris n Novell or Sun? (getting blood from a stone) n Beta site participation n Despite early performance/resource concerns, consensus is to implement n Show-stopper: six-figure licence fee

11 LDAP n Previously disregarded due to staffing resources required n Multitude of clients (including Eudora, Netscape, Java, Perl and PHP) n Possible interface to Cisco/Microsoft DEN n NetWare 5 ships with LDAP server - retain solution design, use LDAP as protocol for communicating with NDS

12 Product List n Testing/Production u Novell NetWare NDS 8 u Sun Solaris 2.6 u Netscape Directory SDK u PADL Software’s PAM_LDAP & NSS_LDAP n Additional Testing u OpenLDAP 1.2.1

13 Tree Structure n No universal DIT design, just recommended hierarchy styles n OpenLDAP, AARNet X.500 Pilot names u 20,001 users in a single context n NDS tree, maximise performance (NDS 7) u ten containers, penultimate digit in student ID# u with NDS 8, experimenting with single container for all students

14 o=The University of Western Sydney ou=Users c=AU

15 O=UWS OU=Nepean OU=Labs T=ITS-DEV OU=1OU=9OU=0

16 O=UWS OU=Nepean OU=Labs T=ITS-DEV OU=StudentsOU=Staff

17 Object Classes and Attributes n Choice driven by PAM_LDAP, NSS_LDAP n RFC 2307 u Solaris 8 u HP-UX u Compaq Tru64 UNIX (IASS 5.0) u NDS/Active Directory (?) n Core object classes u posixAccount, shadowAccount

18 dn: cn=n ,ou=Users,o=The University of Western Sydney,c=AU ufn: n ,Users,The University of Western Sydney,AU objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson objectclass: account objectclass: posixAccount objectclass: shadowAccount fullname: Test Student #10000 givenname: Test sn: #10000 uid: n userpassword: {crypt}gf1MpM.r02nsw shadowlastchange: loginshell: /usr/local/bin/menu uidnumber: gidnumber: 10 homedirectory: /home/99/n gecos: Test Student #10000 cn: n

19 NDS Object Classes n NetWare 5 LDAP server maps NDS classes into LDAP “objectclass” equivalents n RFC 2307 suggests particular search patterns (for NSS functions), using particular LDAP object classes n New NDS object classes (subclass “User”) required to satisfy these search patterns n Future NDS may support RFC 2307?

20 Problems/Solutions - NetWare n LDAP slow - up to 2.5 mins per lookup u install NDS 8 n NDS not recognise Unix “crypt” passwords u issue new passwords to all students, store as cleartext (transport to be secured with SSL) n Authenticated LDAP binds count toward concurrent login total u set maximum concurrent logins cautiously

21 Problems/Solutions - Solaris n Solaris 2.6 PAM library broken - always returns NULL pointer to PAM-aware applications u recode applications to ignore appdata_ptr (i.e., to avoid using PAM API as per spec) n Sun aware of problem, but not willing to release a fix? n Solaris (2.)7 apparently fixed (unverified)

22 Problems/Solutions - PAM/NSS n Password changes work, but require original password (even if superuser) u rewrite password change tool to change password in LDAP directly as diradmin n Behavioural differences before/after LDAP u ensure PAM configured correctly n Command line completion for login IDs u tune nscd (???)

23 Future Possibilities n Expand authentication to other parts of the network (e.g., remote access service) n Integration with network directory (DEN) n Corporate directory (UWS-wide) u University “unique ID” u White Pages u “address-less ” u routing (aliases)

24 Q&A