Kevin Falcone: LDAP: Integrating Authentication Across Operating Systems and Applications


Kevin Falcone is speaking on LDAP: Integrating Authentication Across Operating Systems and Applications. This talk is a report on work he did as a student administrator at Northeastern University to create a single authentication authority using LDAP. This is a popular talk. There are people sitting on the floor and standing at the back and out the door.

The old system was based on NIS (Network Information Services or yp). There was no security model, the passwords were passed in the clear, and you have to use the yp tools. On the other hand it worked because it's stock on Solaris and can be integrated with Linux, BSD, OS X, and even Windows.

Kevin's goal was to replace NIS with LDAP in order to increase security. LDAP can be used with SASL (Simple Authentication and Security Layer) or TLS using SSL certs. Moreover, the password file can be protected. The downside is that LDAP is complex, mirroring and replication are more difficult than in NIS, configuration is complex, and there are few tools for managing data. There's no standard for transferring data between different LDAP tools like OpenLDAP or iPlanet.

Kevin decided to use OpenLDAP even though he had access to copies of iPlanet (educational institution) and the LDAP server in Lotus Notes (University standard). Of course, if he'd chosen one of those, he wouldn't be presenting here, would he? :-) He also used OpenSSL for the SSL layer (TLS). He chose TLS over SASL because of the simplicity of channel encryption. There were some systems that wouldn't support TLS, so he did use SASL (plaintext, Digest-MD5) in those cases.

There are predefined LDAP schemas for NIS which store account data, password data, and access data. These, combined with the core schema (personal information), formed the basis for creating the data set. A set of scripts called PADL can create LDAP files from /etc/{passwd,group} and NIS data. It works great the first time, but doesn't go back and forth. Kevin ended up writing his own scripts using Net::LDAP.
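To show what that passwd/group-to-LDAP mapping looks like under the NIS schema, here is an added example of my own (not the PADL scripts and not Kevin's Net::LDAP code); the base DN and the sample records are placeholders I constructed:

```python
"""Added example (not from the talk): build LDIF for the RFC 2307 NIS schema
from /etc/passwd, /etc/shadow and /etc/group lines.  BASE_DN is a placeholder
and the sample records at the bottom are constructed, not real accounts."""
import base64
BASE_DN = "dc=example,dc=edu"   # assumption: replace with the site's base DN

def attr(name, value):
    """One LDIF attribute line; base64-encode values LDIF cannot hold verbatim."""
    if value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<")):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode()).decode()}"

def passwd_to_ldif(passwd_line, shadow_line=None):
    """posixAccount entry; shadowAccount attributes are added if a shadow line is given."""
    name, _, uid, gid, gecos, home, shell = passwd_line.strip().split(":")
    lines = [f"dn: uid={name},ou=People,{BASE_DN}", "objectClass: top",
             "objectClass: account", "objectClass: posixAccount",
             attr("uid", name), attr("cn", gecos.split(",")[0] or name),
             attr("uidNumber", uid), attr("gidNumber", gid),
             attr("homeDirectory", home), attr("loginShell", shell or "/bin/sh")]
    if shadow_line:
        sname, pw, *ages = shadow_line.strip().split(":")
        assert sname == name, "shadow line must belong to the same user"
        lines.append("objectClass: shadowAccount")
        # "!" or "*" marks a locked/passwordless account: emit no userPassword
        # at all, so the account stays unusable for login in the directory too.
        if pw and not pw.startswith(("!", "*")):
            lines.append(attr("userPassword", "{CRYPT}" + pw))
        for field, value in zip(("shadowLastChange", "shadowMin", "shadowMax",
                                 "shadowWarning", "shadowInactive", "shadowExpire"), ages):
            if value:
                lines.append(attr(field, value))
    return "\n".join(lines) + "\n"

def group_to_ldif(group_line):
    """posixGroup entry with one memberUid per member."""
    name, _, gid, members = group_line.strip().split(":")
    lines = [f"dn: cn={name},ou=Group,{BASE_DN}", "objectClass: top",
             "objectClass: posixGroup", attr("cn", name), attr("gidNumber", gid)]
    lines += [attr("memberUid", m) for m in members.split(",") if m]
    return "\n".join(lines) + "\n"

# Constructed sample records (not real accounts).
PASSWD = "jdoe:x:1001:100:Jane Doe,,,:/home/jdoe:/bin/bash"
SHADOW = "jdoe:$1$saltsalt$XXXXXXXXXXXXXXXXXXXXXX:12000:0:99999:7:::"
GROUP = "users:x:100:jdoe,alice"
```

The resulting userPassword attribute still needs a server-side ACL so that only the entry's owner and the directory admin can read it; that access control is the protection NIS never offered.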

Kevin created a testbed consisting of one Solaris 9 machine, multiple Debian Linux machines, an OS X machine, and multiple Windows machines. To make it work on Linux, Kevin used PAM. This talk generates some significant comments in geekspeak. Several comments of "did you try...." followed by some detailed discussion.

The Solaris LDAP client works with OpenLDAP and also uses PAM, similar to the way it works in Linux. The client manages the configuration files automatically, but it's managing files that can be monitored outside the tool. OpenBSD doesn't come with an LDAP client out of the box, but there's one in the ports tree that works. There's no NSS, so you have to edit the /etc/passwd file to tell the machine that a user is an LDAP user. OS X was trivial. You tell it to connect to a particular LDAP server in the directory access panel and it "just works." Go figure. LDAP can be used with Windows by syncing with the Active Directory server, but that leaves the problem of one-way data flow. Again, go figure.

Conclusions:

  • LDAP is difficult to configure and implement
  • The gains in network security are significant
  • OpenLDAP libraries and Net::LDAP work well for integrating one-off applications