|
|
|
|
|
HELIOS Base UB User manual |
||||
The authentication Server is a new foundation service providing login authorization and user credential information for all HELIOS servers and tools. In previous versions HELIOS services worked directly against the UNIX password and group files or with NIS-based group and password maps. Over the time additional ways of storing user settings are provided, e.g. Apple's "netinfo" database, LDAP databases, Windows PDC (Primary Domain Controller) and AD (Active Directory), NIS Plus, shadow password files and so on. For multi-server environments a central server storing user information allows other services to access the information from a master server. Another benefit is that this system allows storing more than the basic user information which goes beyond the standard UNIX password and group file based settings.
The authentication server supports local host users, LDAP, NIS and Windows AD/PDC user settings and passwords for all HELIOS services and tools. It is designed to support different databases in parallel (e.g. local UNIX users, LDAP and a secondary LDAP Server) and works completely asynchronously to handle multiple requests without blocking concurrent requests. Its built-in server fail safety allows to restart the authentication service without interrupting other services. Central cashing of information speeds up lookups and ensures that all services use identical information.
The goal of the authentication server is to integrate well into different systems. Its central service allows enhancing the authentication server and stay fully compatible with all HELIOS services and tools.
- Clear text login
- UNIX crypt login
- Random number login
- LanManager login
- NTLMv1 login
- NTLMv2 login
- DHX128 login
- RSA crypted login
To support all these login methods, including passwords up to 64 characters it is required that the local user database, NIS or LDAP, stores an additional HELIOS crypted password. On a local system the HELIOS crypted password is stored in "HELIOSDIR/var/conf/passwd". HELIOS products without this additional password files are not supported and will not work. The "authutil" tool allows setting and changing passwords for local host users, and provides crypt, MD5 and HELIOS passwords to import these into an LDAP database.
The authentication server works read-only against LDAP and Windows AD/PDC. The modification of user settings is only supported against local host users, or NIS users when the server is the NIS master server. This is straightforward because LDAP and Windows AD/PDC users are managed with other tools.
The listed information is required, additional information may be used in the future. If additional information needs to be verified, the "var/authsrv/login.pl" script allows verifying additional settings, e.g. login hours to deny access if required.
PAM (Pluggable Authentication Modules) are supported on some host operating systems. HELIOS does not need or use any PAM modules. As PAM is not available on all systems and cannot support all required authentication methods (listed in 10.1.1 "Different user authentication needs") the authentication server works without any PAM support. PAM can be activated in parallel to be used by other services.
Authentication server statistics can be reported to custom applications by the "authsrv" TCP/IP connection via port "2008". See 7.6 "socket" for a description of the "socket" utility.
Lists user information (authorization; number of references; user ID; user name; full name; time in cache).
Each time a user completes a successful login, i.e. user name and password match, the authentication server calls a custom notification script with its user parameters. The script can exit with:
A custom script allows verifying additional parameters such as the remote TCP/IP address, checking if the user is already logged in from a different IP address and denying or allowing the login request. Another idea is to contact an LDAP database, to verify other information of this user account before allowing the login. If a script is available, it must be stored in "var/authsrv/login.pl". The script can be any kind of application or script but it is required to be executable, e.g. running in mode "711", and the name must be "login.pl", even if it is not Perl based. We recommend using a Perl script to stay compatible on different platforms.
my $logfile = "/tmp/logfile";
open(LOGF,">> $logfile") || die "authsrv: cannot open: $logfile $!\n";
foreach (@ARGV) {
print LOGF $_, "\t";
}
print LOGF $_, "\n";
close(LOGF);
exit 0;
The table lists the user/group database files used on a server host, e.g. Sun Solaris. Depending on the operating system an additional shadow for "/etc/security/passwd" is used. On Mac OS X all user/group information is stored in the "netinfo" database.
The authentication server supports Windows AD/PDC (Active Directory or Primary Domain Controller) for the user authentication. It works via the HELIOS implemented Windows CIFS protocol which communicates with the Windows AD/PDC using TCP/IP port 139 or 445. The Windows AD/PDC server will provide the user name and password. Additional information like group IDs are provided by a template user. Unique user IDs are automatically assigned for each user name and stored in a cache file, to be reused if the same user logs in a second time. A backup AD/PDC server can be configured and will automatically be used if the main server fails.
If local UNIX users and AD/PDC users are used in parallel it is required that the authentication order be first UNIX and then AD/PDC. For maintenance it is required to set up the user with administration group membership on the AD/PDC server, and to specify this user name and password in the authentication server setup (Fig. 78). It is required that the "admin$" sharepoint be active (it is usually always active on Windows).
Verify that a remote Windows client can login and access the "admin$" sharepoint by logging on to the AD/PDC with the user name created in the first step above.
Verify write access by copying a file into the directory. Only if this works, the next step should be completed.
Specify a local UNIX user as "template user". This user will provide the group IDs, home directory and shell (the actual user name will replace the template user name in the home directory).
Specify a user ID range used for AD/PDC users (the user ID range needs to be larger than the total number of AD/PDC users).
Verify that the user ID range is not in use by other local host users. (Check user ID in "/etc/passwd".)
Now all HELIOS services should work with the AD/PDC user accounts. The simple login can be verified via the HELIOS "authutil" utility (see 10.2 "authutil"). If a login via "authutil" works without error messages the Windows AD/PDC authentication can be used by all HELIOS services.
Note: Once "authsrv" is restarted with AD/PDC support on changes of the primary bootserver, Admin user and password within HELIOS Admin are automatically used. No additional restart is required.
At present the primary group ID and additional group member IDs are static and will be provided by the template user. This should be supported at a later time frame.
If a Windows 2003 computer is used as AD/PDC server, you must disable the security option "Microsoft network server: Digitally sign communication (always)" in the menu Administrative Tools > Local Security Policy > Security Settings > Local Policies > Security Options.
The "authutil" utility is a batch tool for scripts. It allows displaying user and group entries, validating logins or changing and setting passwords for local host users. "authutil" can generate MD5 passwords used for virtual WebShare users (see WebShare manual), or AFP volume passwords. It also allows printing UNIX crypt and HELIOS crypted compatible passwords to be imported in an LDAP database. "authutil" has been designed for the use in scripts or for batch operations, e.g. setting passwords for local host users.
-m <method> Encrypt the password before sending it to
the authentication server. Available
encryption methods are: RSA, LM, NTLM
Additional parameters allow specifying different login methods against the authentication server, the default method is cleartext. Additional methods are: LM for LanManager, NTLM for CIFS, RSA for RSA public key crypted passwords.
-m <method> Encrypt the passwords before sending them
to the authentication server. Available
encryption methods are: RSA
Note: "root" can set passwords without knowing the old password:
# authutil passwd -n username -p newpasswordSet HELIOS password:
# authutil passwd -n username -p newpasswordThe "echo" mode is helpful when passwords are subject to be imported into a different system, e.g. an LDAP database.
Note: The MD5 password must be inserted into the "HELIOSDIR/var/webshare.passwd" file. It is much easier to set passwords e.g. within the WebShare User Administration window.
Read commands from the file <batchfile>. If <batchfile> is "-", commands are read from "stdin". If a command fails, authutil will continue with the next command from <batchfile>, unless option -e is given.
Note: Setting the password with "authutil" under Windows will only set the "HELIOSDIR/var/passwd" file and will NOT change the Windows password. Setting a password via "authutil" under Windows is only required for the use as virtual WebShare user.
The authentication server was designed to support the UNIX NIS (Network Information Service) system, which, in a network of several UNIX hosts, allows user names, group names, and passwords as well as other configuration details to be stored centrally on the NIS (formerly named "Yellow Pages") Master host. This considerably simplifies the setup of new users, particularly if they each need access to more than one host. Please note that the user configuration data maintained under NIS is only stored on the NIS Master host. You can only change it with HELIOS Admin by logging on to the authentication server on the Master host, and not one of the NIS Slaves.
Furthermore, the special NIS password and group files (e.g. "/var/yp/passwd" and "/var/yp/group") are usually stored on the Master host in a subdirectory of "/var/yp". For this reason, the configuration entry for the authentication server in the "Preferences" file allows you to specify the location of the NIS password and group files with the ypdir preference (see 16.8 "Authentication server preference keys"). These preferences only need specifying on the Master host. You can edit the NIS password and group files to set up slave users by use of the standard UNIX NIS tools in the normal way. We would like to point out, however, that HELIOS Admin is much easier to use for setting up NIS users and groups than the standard UNIX tools. You can use HELIOS Admin to set up both, HELIOS users and regular UNIX users.
The user list ("HELIOSDIR/var/conf/passwd") can also be used with the NIS system by setting up, on the NIS Master host, a second password file ("afppasswd") which contains the names of all users of the Master host and its interconnected NIS Slaves. This additional password file is located in the same directory as the NIS password and group files, e.g.: "/var/yp/afppasswd".
"HELIOSDIR/var/conf/passwd" on the Master host should only contain the "root" and system logins, terminated by "+:" in the last line.
The installation includes in "HELIOSDIR/etc" the script "ypMakefile", which contains the necessary changes required to implement the AFP user list under NIS. Enter the group- and password-related information in the file
"/var/yp/Makefile" according to the information given in "HELIOSDIR/etc/ypMakefile".
Note: You should be familiar with editing such files in order to provide proper operation of NIS administration.
The "HELIOSDIR/var/conf/passwd" file of each host in the NIS system (master and slaves) can optionally include a line containing only "+:" at the position where the NIS user and group map should be included. This usually follows entries for the "root" and the system logins only, to make sure that it is still possible to log on to the host in the case of a failure of the network connection to the Master:
| © 2005 HELIOS Software GmbH |
|
|
|
|
|
