
Single Sign-on


Presentation Transcript


  1. Single Sign-on

  2. Agenda • Motivations for Windows/Linux SSO • Choosing an Architecture • Implementation Strategies • Walkthrough

  3. Goals of SSO • Enhance user experience • Improve security and compliance • Reduce IdM costs • But getting true SSO is really, really hard. Reduced Sign On (RSO) is much more realistic.

  4. Choosing an Architecture • Enterprise SSO • Kerberos • Identity Federation • WS-Federation • SAML 2.0 • Metadirectory/Virtual Directory

  5. Enterprise SSO • Caches credentials on the local machine or on a shared server • Doesn’t require much change to infrastructure or applications • Requires creation of adapters for each application • Doesn’t reduce IdM costs that much

  6. Kerberos • Secure authentication protocol designed to provide single sign-on • Standardized via RFCs and implementation • Single credential store to manage • Difficult to implement across security domains • Not designed to accommodate additional ID information

  7. Federated Identity Systems • SAML v2 • WS-Federation • Focused on Web SSO • Leaves existing identity technologies in place • Relatively new • Requires establishment and management of trust relationships

  8. Metadirectory/Virtual Directory • Doesn’t by itself produce SSO experience • Requires no change to existing application infrastructure • Potentially reduces IdM overhead • Potentially complex infrastructure

  9. Windows Authentication Mechanisms • NTLM v2 • Not terribly secure • Generally understood only by Windows resources • Kerberos v5 • Quite secure • Provided by Active Directory

  10. Linux Authentication Mechanisms • /etc/passwd, /etc/shadow • NIS, NIS+ • LDAP • Kerberos

  11. Kerberos Implementations for Linux • MIT Kerberos v5 • De-facto standard • Included with most every Linux distribution • http://web.mit.edu/kerberos/ • Heimdal • European implementation to avoid export restrictions on strong encryption • http://www.pdc.kth.se/heimdal/

  12. Linux PAM • Standard API for authentication-related functions • Pluggable modules to provide different authentication mechanisms • Configured on an application-by-application basis in /etc/pam.d

  13. PAM Architecture

  14. PAM Services • Account • Does the account exist? • Authentication • Is the user who they say they are? • Password • Password policy and password change • Session • Session setup and configuration

  15. PAM Configuration • /etc/pam.d/<application name> • system-auth

  16. PAM Application Configuration

  17. PAM System Configuration

  18. Linux NSS • Name to uid mapping • Group memberships • Home directory • Shell

  19. /etc/nss.conf

  20. Samba Project • Free/Open source project that helps integrate Windows and Linux • http://www.samba.org • SMB/CIFS server and clients • NT4 PDC/BDC • Windows/Linux printing • NTLMv2 and Kerberos authentication

  21. Samba winbind • Daemon that manages domain-related communication to a DC • Includes PAM and NSS modules for integration • Added to system startup, e.g. /etc/rc.d/init.d

  22. PAM Winbind Architecture

  23. A Note on ID Mapping • Samba provides for several mechanisms • Store uid/gid and SID in local .tdb database • Store uid/gid in an LDAP store • Calculate uid/gid from SID • Store uid/gid in Active Directory
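Added example, not from the presentation: the "calculate uid/gid from SID" option on this slide is an algorithmic mapping of the kind Samba's RID-based backend performs, uid = BASE + RID, where the RID is the last sub-authority of the SID. BASE and the sample SID below are constructed; a real deployment picks a BASE per domain so that RIDs from different domains, and local accounts in /etc/passwd, cannot collide.

```shell
#!/bin/sh
# Added example (not from the presentation): algorithmic SID -> uid mapping.
# BASE is a constructed offset; group SIDs map to gids the same way.
BASE=10000

# rid_of_sid SID -> prints the RID of a domain account SID (S-1-5-21-a-b-c-RID)
rid_of_sid() {
    case "$1" in
        S-1-5-21-*-*-*-*) ;;
        *) echo "not a domain account SID: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "${1##*-}"
}

# uid_of_sid SID -> prints BASE + RID
uid_of_sid() {
    rid=$(rid_of_sid "$1") || return 1
    echo $((BASE + rid))
}

# collides_with_local UID [PASSWD_FILE] -> exit 0 if a local account already
# owns that uid; this is the range overlap the BASE offset has to avoid
collides_with_local() {
    awk -F: -v u="$1" '$3 == u { found = 1 } END { exit !found }' "${2:-/etc/passwd}"
}

# Constructed sample SID: the domain part is made up, the RID is 1105.
uid_of_sid "S-1-5-21-111-222-333-1105"   # prints 11105
```

Well-known SIDs such as S-1-5-32-544 (local Administrators) are rejected rather than mapped, since they do not belong to the domain.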

  24. Our SSO Strategy (diagram: a Linux client and a Windows client, each with its own AS/TGT exchange)

  25. Implementing PAM winbind • Extend Active Directory to support Linux • Prep Linux environment • Build, install and configure winbindd • Configure PAM/NSS to use Active Directory

  26. Extending the Schema • RFC 2307 specifies NIS representation in LDAP • WS2K3 R2 has it built-in to user object • RFC 2307 aux class schema extension for WS2K3 • SFU schema extension for Windows 2000 • But, names and OIDs are not 2307 compliant

  27. Prep Linux Environment • # system-config-network • Make sure host name is set properly with same domain name as AD • Make sure DNS resolver is set to AD DNS namespace

  28. Building 3.0.23c winbindd • Download and install Samba source RPM 3.0.23c • # rpm -i samba-3.0.23c-4.src.rpm • Edit the /usr/src/redhat/SPECS/samba3.spec • Add idmap_ad to --with-shared-modules option • Build Samba • # rpmbuild -bb SPECS/samba3.spec • Binary RPM will be in /usr/src/redhat/RPMS/i386

  29. Remove and Reinstall Samba • Upgrade Samba • # rpm -e samba-common • # rpm -e samba-client • # rpm -e samba-swat • # rpm -e system-config-samba • # rpm -i samba-3.0.23c-4.i386.rpm

  30. Configuring PAM to Use Winbind • Make sure SELinux is disabled • # system-config-securitylevel • Enable PAM winbind support • # system-config-authentication • Enable Winbind for User Information • Enable Winbind for Authentication • Add pam_mkhomedir skel=/etc/skel umask=0077 to /etc/pam.d/system-auth
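Added example, not from the presentation: a small script that makes the pam_mkhomedir change from this slide repeatable and lets you inspect the resulting session stack. It takes the PAM file as an argument so it can be rehearsed on a copy before /etc/pam.d/system-auth is touched; the sample system-auth embedded below is a constructed, trimmed version of what system-config-authentication writes with winbind enabled, not a file from the slides.

```shell
#!/bin/sh
# Added example (not from the presentation): manage the pam_mkhomedir entry
# in a PAM stack file given as an argument.

MKHOMEDIR='session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077'

# has_mkhomedir FILE -> exit 0 if an active session line loads pam_mkhomedir
has_mkhomedir() {
    grep -q '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# add_mkhomedir FILE -> inserts the entry before the first session line so
# the home directory exists before later session modules run; a second
# call is a no-op.
add_mkhomedir() {
    f=$1
    has_mkhomedir "$f" && return 0
    tmp=$(mktemp) || return 1
    awk -v line="$MKHOMEDIR" '
        !done && $1 == "session" { print line; done = 1 }
        { print }
        END { if (!done) print line }      # file had no session stack
    ' "$f" > "$tmp" && cat "$tmp" > "$f"   # cat keeps the original file mode
    rm -f "$tmp"
}

# stack_modules FILE TYPE -> the modules of one management group (auth,
# account, password, session) in the order PAM will call them
stack_modules() {
    awk -v t="$2" '$1 == t { for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break } }' "$1"
}

# Constructed, trimmed system-auth with winbind enabled (not from the slides).
demo=$(mktemp)
cat > "$demo" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_winbind.so
EOF
add_mkhomedir "$demo"
add_mkhomedir "$demo"              # idempotent
stack_modules "$demo" session      # pam_mkhomedir.so first, then the three above
rm -f "$demo"
```

The umask=0077 on the slide means a freshly created domain user's home directory is readable only by that user, which is the setting you want on a shared login host.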

  31. PAM System Configuration

  32. Configuring Winbind • Configure winbind dialog • # system-config-authentication • Domain name (short) in ALL CAPS • Security model ADS • Realm is DNS name of Active Directory domain • DCs are FQ DNS host names of DC • Shell… • Edit /etc/samba/smb.conf • Add idmap backend = ad to global section • Add home directory • # mkdir /home/<DOMAINNAME> • Restart winbind daemon • # service winbind restart

  33. Making it Work • Join the machine to the domain • # net ads join -U <administrator> • Check connectivity • # wbinfo -t • List domain users • # wbinfo -u • List domain groups • # wbinfo -g
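Added example, not from the presentation: the steps on slides 27, 32 and 33 (host name in the AD DNS domain, smb.conf global section with idmap backend = ad, /home/<DOMAINNAME>, join, wbinfo checks) collected into one script. The domain, realm and DC names are constructed placeholders; the template homedir/shell lines are assumptions that put domain users under /home/<DOMAINNAME>; PAM/NSS enablement is left to the slide's system-config-authentication step. Unlike the slide order, the script joins before restarting winbindd so the daemon starts with a machine account already in place. Run without arguments it only prints the section it would write.

```shell
#!/bin/sh
# Added example (not from the presentation): winbind setup sequence.
# All domain values are constructed placeholders.
WORKGROUP=EXAMPLE            # short domain name, ALL CAPS
REALM=EXAMPLE.CORP           # DNS name of the AD domain (Kerberos realms are upper-case)
DC=dc1.example.corp          # fully qualified DNS host name of a DC

# host_in_realm FQDN REALM -> exit 0 if the host name lies in the AD DNS
# domain (the "same domain name as AD" prerequisite from slide 27)
host_in_realm() {
    h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    r=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$h" in
        *."$r") return 0 ;;
        *) return 1 ;;
    esac
}

# smb_global WORKGROUP REALM DC -> prints a [global] section with the
# settings the slides call for: security = ads and idmap backend = ad
# (Samba 3.0.x syntax). The template lines are assumptions.
smb_global() {
    cat <<EOF
[global]
    workgroup = $1
    realm = $2
    security = ads
    password server = $3
    idmap backend = ad
    winbind use default domain = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
EOF
}

# join_and_check ADMIN -> writes smb.conf, joins, restarts winbind and runs
# the wbinfo checks from slide 33; needs root and a reachable DC.
join_and_check() {
    fqdn=$(hostname -f)
    if ! host_in_realm "$fqdn" "$REALM"; then
        echo "host name $fqdn is not in $REALM; fix it before joining" >&2
        return 1
    fi
    smb_global "$WORKGROUP" "$REALM" "$DC" > /etc/samba/smb.conf
    mkdir -p "/home/$WORKGROUP"
    net ads join -U "$1"
    service winbind restart
    wbinfo -t && wbinfo -u && wbinfo -g
}

# Dry run by default; "apply <admin account>" performs the join.
if [ "${1:-}" = apply ]; then
    join_and_check "${2:-Administrator}"
else
    smb_global "$WORKGROUP" "$REALM" "$DC"
fi
```

wbinfo -t exercises the machine account's trust secret with the DC, so a failure there points at the join or the DC name, while a later failure of wbinfo -u or wbinfo -g points at ID mapping or the schema attributes.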

  34. Linuxifying Users and Groups • Every user must have a unique value for uidNumber attribute • Every user must have a value for gidNumber • Every group should have a unique value for gidNumber attribute • Domain Users group must have gidNumber defined
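Added example, not from the presentation: a checker for the rules on this slide, run over an LDIF dump of the users and groups (the format ldapsearch prints, one entry per blank-line-separated block). The sample entries below are constructed; the attribute names are the RFC 2307 ones the slide uses.

```shell
#!/bin/sh
# Added example (not from the presentation): validate uidNumber/gidNumber
# assignments in an LDIF dump before relying on them for winbind.

# check_users LDIF_FILE -> prints one line per violation; exit 1 if any
check_users() {
    awk 'BEGIN { RS = ""; FS = "\n"; bad = 0 }
    {
        name = ""; uid = ""; gid = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^sAMAccountName: /) name = substr($i, 17)
            else if ($i ~ /^uidNumber: /) uid = substr($i, 12)
            else if ($i ~ /^gidNumber: /) gid = substr($i, 12)
        }
        if (name == "") next                       # not an account entry
        if (uid == "") {
            print "missing uidNumber: " name; bad++
        } else if (uid in seen) {
            print "duplicate uidNumber " uid ": " seen[uid] ", " name; bad++
        } else seen[uid] = name
        if (gid == "") { print "missing gidNumber: " name; bad++ }
    }
    END { exit (bad > 0) }' "$1"
}

# check_groups LDIF_FILE -> duplicate gidNumber is an error; a group with no
# gidNumber is only a warning, except Domain Users, which must have one
check_groups() {
    awk 'BEGIN { RS = ""; FS = "\n"; bad = 0 }
    {
        name = ""; gid = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^sAMAccountName: /) name = substr($i, 17)
            else if ($i ~ /^gidNumber: /) gid = substr($i, 12)
        }
        if (name == "") next
        if (gid == "") {
            if (name == "Domain Users") { print "Domain Users has no gidNumber"; bad++ }
            else print "warning: no gidNumber: " name
        } else if (gid in seen) {
            print "duplicate gidNumber " gid ": " seen[gid] ", " name; bad++
        } else seen[gid] = name
    }
    END { exit (bad > 0) }' "$1"
}

# Constructed sample dump: bob reuses alice's uidNumber, carol lacks gidNumber.
users=$(mktemp)
cat > "$users" <<'EOF'
dn: CN=alice,CN=Users,DC=example,DC=corp
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=corp
sAMAccountName: bob
uidNumber: 10001
gidNumber: 10000

dn: CN=carol,CN=Users,DC=example,DC=corp
sAMAccountName: carol
uidNumber: 10003
EOF
check_users "$users" || echo "fix the entries above before enabling winbind logins"
rm -f "$users"
```

A duplicate uidNumber is worth treating as a security finding, not just a tidiness problem: two domain accounts sharing one uid own each other's files on every Linux host that maps them.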

  35. Figuring Out What Went Wrong • Syslog (/var/log/messages) • /var/log/samba/winbind.log • Set debug level in /etc/rc.d/init.d/winbind 1-10 • # service winbind restart • Enable auth logging on the domain controller

  36. What Do You Get? • Ability to manage all users in AD • Solve the unique identifier problem while getting rid of NIS • Consolidated authentication audit logs • Ability to provide your Linux users access to Windows resources like shares and printers • Source code!

  37. What’s Missing? • Ease of installation and configuration • Authoritative support • Group Policy management of Linux • Web SSO • mod_auth_pam • mod_auth_kerb • …or ADFS and mod_auth_adfs from PING • Scalability?

  38. Centrify DirectControl • Supports 60+ platforms including Mac • Instant AD integration using Kerberos/LDAP and WS-Federation (ADFS) • Support for Apache and J2EE as well • GPO management of non-Windows platforms • Group Linux machines into Zones to organize authentication and management • No schema changes needed

  39. Vintela Authentication Services • Supports 75+ platforms • … but not Mac • Instant AD integration using Kerberos/LDAP and WS-Federation (ADFS) • Support for Apache and J2EE as well • GPO management of Linux/Unix platforms • LDAP proxy for secure LDAP connections • Linux/Unix “personalities” • Uses standard RFC 2307 schema attributes

  40. Summary • SSO Strategies • SSO Architectures • Linux Authentication • Configuring Linux to Use Active Directory Questions?

  41. Directory Experts Conference • Microsoft Identity and Access Technologies • April 21-24 • Las Vegas

  42. Thank You! Gil Kirkpatrick CTO, NetPro gilk@netpro.com www.netpro.com
