Presentation is loading. Please wait.

Presentation is loading. Please wait.

Custom Authentication Services Jim McCusker (Yale University) Arch/VCDE F2F October 29, 2008.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Custom Authentication Services Jim McCusker (Yale University) Arch/VCDE F2F October 29, 2008."— Presentation transcript:

1 Custom Authentication Services Jim McCusker (Yale University) Arch/VCDE F2F October 29, 2008

2 Agenda Context (Single Sign On at Yale) JAAS and CSM A new LDAPLoginModule HOWTO Future Directions

3 Context (Single Sign On at Yale) Yale uses CAS (Central Authentication Service). http://www.ja-sig.org/products/cas/ CAS uses Kerberos. Kerberos doesn’t have names or email addresses (which AuthenticationService needs). Yale has an LDAP phone book with usernames, names, and email addresses. We have the technology. We have the information.

4 JAAS and CSM CSM (Common Security Module) uses JAAS (Java Authentication and Authorization Service) JAAS supports both LDAP and Kerberos for authentication. Shouldn’t this just work?

5 JAAS and CSM (cont.) No, there are some serious obstacles: CSM uses it’s own Login Module implementation for LDAP. The Login Module will fail if it can’t get username and password information from the LDAP server. The Kerberos Login Module only provides username information and authenticity, and doesn’t know about the custom CSM attributes of LN, FN, email.

6 A New LDAPLoginModule Code Change! Modified LDAPLoginModule (actually LDAPHelper) to allow configuration to just provide user information. This leaves the authentication task to Kerberos or PAM or something else. Deployed successfully and was able to authenticate using the service. Download the software at http://krauthammerlab.med.yale.edu/cabig

7 HOWTO (On Linux, at least) Set up a vanilla AuthenticationService using LDAP Download distribution http://krauthammerlab.med.yale.edu/wp-content/files/csmjaas- 1.0.ziphttp://krauthammerlab.med.yale.edu/wp-content/files/csmjaas- 1.0.zip Add csmjaas-1.0.jar to [tomcat-dir]/webapps/wsrf/WEB- INF/lib (cont.)

8 HOWTO (On Linux, at least) (cont.) Install the kerberos libraries and (on Linux) make /etc/krb5.conf look like: [libdefaults] default_realm = NET.YALE.EDU NET.YALE.EDU = { kdc = kserv2.net.yale.edu admin_server = kserv1.net.yale.edu } (cont.)

9 HOWTO (On Linux, at least) (cont.) Make ~/.java.login.config look like csmjaas- 1.0/java.login.config: AUTHNSVC{ com.sun.security.auth.module.Krb5LoginModule required; edu.yale.med.krauthammerlab.csm.LDAPLoginModule required ldapHost="ldap://directory.yale.edu:389" ldapInfoOnly="true" ldapSearchableBase="o=yale.edu" ldapUserIdLabel="uid" USER_FIRST_NAME="givenName" USER_LAST_NAME="sn" USER_EMAIL_ID="mail"; }; (cont.)

10 HOWTO (On Linux, at least) (cont.) Ask Steve Langella really nicely to add you to the training grid.

11 Future Directions Integrate the patch back into CSM. Enable Kerberos extension in installer. Use patch as an example on how to create a custom AuthenticationService LoginModule.

Download ppt "Custom Authentication Services Jim McCusker (Yale University) Arch/VCDE F2F October 29, 2008."

Similar presentations

RSDB Installation & Configuration

RSDB Installation & Configuration
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.
Central Authentication Service Roadmap JA-SIG Winter 2004.

Central Authentication Service Roadmap JA-SIG Winter 2004.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
METALOGIC s o f t w a r e © Metalogic Software Corporation 2004-2006 DACS Developer Overview DACS – the Distributed Access Control System.

METALOGIC s o f t w a r e © Metalogic Software Corporation DACS Developer Overview DACS – the Distributed Access Control System.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
® IBM Software Group © 2006 IBM Corporation Securing Your Application With WebSphere Security You will need to develop Login procedures for your web applications.

® IBM Software Group © 2006 IBM Corporation Securing Your Application With WebSphere Security You will need to develop Login procedures for your web applications.
Two Factor Authentication (TFA) is a 100% Open Source, free to use security system for your Joomla site’s backend. Two Factor Authentication works in.

Two Factor Authentication (TFA) is a 100% Open Source, free to use security system for your Joomla site’s backend. Two Factor Authentication works in.
PKI Single Sign On & Auto Provisioning Frank Siebenlist (ANL) Rachana Ananthakrishnan (ANL) Charles Bacon (ANL)

PKI Single Sign On & Auto Provisioning Frank Siebenlist (ANL) Rachana Ananthakrishnan (ANL) Charles Bacon (ANL)
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
SELinux (Security Enhanced Linux) By: Corey McClurg.

SELinux (Security Enhanced Linux) By: Corey McClurg.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
UPortal Security and CAS Susan Bramhall ITS Technology & Planning Yale University.

UPortal Security and CAS Susan Bramhall ITS Technology & Planning Yale University.
Teamcenter™ Security Services SSO

Teamcenter™ Security Services SSO
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Enterprise Single Sign On Identity management for web applications.

Enterprise Single Sign On Identity management for web applications.

Similar presentations

Ads by Google