Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Looking for suggestion on authentication method for UNIX/Windows
Special Forums Cybersecurity Looking for suggestion on authentication method for UNIX/Windows Post 302996179 by Scrutinizer on Friday 21st of April 2017 02:50:41 AM
Old 04-21-2017
AD is essentially LDAP + Kerberos, so in itself there is nothing wrong with using AD, but it uses a proprietary schema. In order for it to be truly useful for unix/linux hosts, if you need anything more than just authentication, it would be best to import the rfc2307/rfc2307bis schema into AD. So AD can be used as LDAP for Unix/Linux hosts.

An alternative is to have two directories (AD and a separate LDAP) with some kind of sync mechanism...

Then there is the client side. With Single Signon, do you mean that you need to authenticate once and then use a ticket further on. Then you need to use (AD) Kerberos / gssapi. Some linux clients in addition can also do SSO without gssapi through sssd (also against AD), but Solaris cannot. If you mean with SSO that the password is the same for all platforms, then an alternative would be to use TLS/LDAP on Unix/Linux clients.

It all really depends on your situation..
Last edited by Scrutinizer; 04-21-2017 at 03:58 AM..
This User Gave Thanks to Scrutinizer For This Post:
solaris_1977
 

5 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Suggestion: Alternative OS for Windows - Totally Clueless on Unix/Linux OS

Can anyone tell me a good alternative to Windows? OS that can connect to a Windows domain and use for everyday (can use with Oracle). Easy to learn. (4 Replies)
Discussion started by: genesisX
4 Replies

2. Windows & DOS: Issues & Discussions

Windows AD for Unix authentication

I am not an expert in Unix at all. My knowledge of Unix is average. We have a couple of Unix servers, Solaris and Linux, which run mostly web servers, and Oracle databases. Currently users have multiple user IDs for Unix and AD applications. Is it possible to make use of the Windows Active... (2 Replies)
Discussion started by: speriya
2 Replies

3. AIX

AIX: How to check which authentication method we are using for a user?

In /etc/security/user, we can set which authentication method we use for each user. for example: test: admin = false rlogin = false SYSTEM = "NONE" I want to test whether SYSTEM=NONE (without ") is acceptable. How can I verify it? and How can we check which... (1 Reply)
Discussion started by: quanba
1 Replies

4. Solaris

Identify which authentication method was used at logon

Experts, Is there any way to know which authentication method the user used to login into the box? I mean, is possible to identify if an active user had logged using keys or password for example? Let me clarify: we have a script that we want to allow users to execute only if they have used... (2 Replies)
Discussion started by: fmattos
2 Replies

5. IP Networking

Cygwin remote ssh with key authentication method

Hi experts, I am not sure in which forum to submit this question. If this is not the correct place then please let me know where to submit this thread. My requirement is to invoke windows batch scripts from linux shell script. Hence, I have installed openssh in Cygwin on the windows machine.... (2 Replies)
Discussion started by: ahmedwaseem2000
2 Replies

LEARN ABOUT OPENSOLARIS

ldap

ldap(1) 							   User Commands							   ldap(1)

NAME

       ldap - LDAP as a naming repository

DESCRIPTION

       LDAP  refers  to  Lightweight Directory Access Protocol, which is an industry standard for accessing directory servers. By initializing the
       client using ldapclient(1M) and using the keyword ldap in the name service switch file, /etc/nsswitch.conf, Solaris clients can obtain nam-
       ing  information  from an LDAP server. Information such as usernames, hostnames, and passwords are stored on the LDAP server in a Directory
       Information Tree or DIT. The DIT consists of entries which in turn are composed of attributes. Each attribute has a type and  one  or  more
       values.

       Solaris	LDAP  clients  use  the  LDAP  v3 protocol to access naming information from LDAP servers. The LDAP server must support the object
       classes and attributes defined in RFC2307bis (draft), which maps the naming service model on to LDAP. As an alternate to using  the  schema
       defined	in  RFC2307bis	(draft), the system can be configured to use other schema sets and the schema mapping feature is configured to map
       between the two. Refer to the System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) for more details.

       The ldapclient(1M) utility can make a Solaris machine an LDAP client by setting up the appropriate directories,	files,	and  configuration
       information. The LDAP client caches this configuration information in local cache files. This configuration information is accessed through
       the ldap_cachemgr(1M) daemon. This daemon also refreshes the information in the configuration files from the LDAP server, providing  better
       performance and security. The ldap_cachemgr must run at all times for the proper operation of the naming services.

       There  are  two types of configuration information, the information available through a profile, and the information configured per client.
       The profile contains all the information as to how the client accesses the directory. The credential information for proxy user is  config-
       ured on a per client basis and is not downloaded through the profile.

       The  profile  contains  server-specific parameters that are required by all clients to locate the servers for the desired LDAP domain. This
       information could be the server's IP address and the search base Distinguished Name (DN), for instance. It is configured on the client from
       the  default  profile  during  client  initialization  and is periodically updated by the ldap_cachemgr daemon when the expiration time has
       elapsed.

       Client profiles can be stored on the LDAP server and can be used by the ldapclient utility to initialize an LDAP client. Using  the  client
       profile is the easiest way to configure a client machine. See ldapclient(1M).

       Credential  information	includes client-specific parameters that are used by a client. This information could be the Bind DN (LDAP "login"
       name) of the client and the password. If these parameters are required, they are manually defined during the initialization  through  ldap-
       client(1M).

       The  naming information is stored in containers on the LDAP server. A container is a non-leaf entry in the DIT that contains naming service
       information. Containers are similar to maps in NIS and tables in NIS+. A default mapping between the NIS databases and  the  containers	in
       LDAP is presented below. The location of these containers as well as their names can be overridden through the use of serviceSearchDescrip-
       tors. For more information, see ldapclient(1M).

       +--------------------+--------------------+---------------------------+
       |     Database	    |	Object Class	 |	   Container	     |
       +--------------------+--------------------+---------------------------+
       |passwd		    |posixAccount	 | ou=people,dc=...	     |
       |		    |shadowAccount	 |			     |
       +--------------------+--------------------+---------------------------+
       |group		    |posixGroup 	 | ou=Group,dc=...	     |
       +--------------------+--------------------+---------------------------+
       |services	    |ipService		 | ou=Services,dc=...	     |
       +--------------------+--------------------+---------------------------+
       |protocols	    |ipProtocol 	 | ou=Protocols,dc=...	     |
       +--------------------+--------------------+---------------------------+
       |rpc		    |oncRpc		 | ou=Rpc,dc=...	     |
       +--------------------+--------------------+---------------------------+
       |hosts		    |ipHost		 | ou=Hosts,dc=...	     |
       |ipnodes 	    |ipHost		 | ou=Hosts,dc=...	     |
       +--------------------+--------------------+---------------------------+
       |ethers		    |ieee802Device	 | ou=Ethers,dc=...	     |
       +--------------------+--------------------+---------------------------+
       |bootparams	    |bootableDevice	 | ou=Ethers,dc=...	     |
       +--------------------+--------------------+---------------------------+
       |networks	    |ipNetwork		 | ou=Networks,dc=...	     |
       |netmasks	    |ipNetwork		 | ou=Networks,dc=...	     |
       +--------------------+--------------------+---------------------------+
       |netgroup	    |nisNetgroup	 | ou=Netgroup,dc=...	     |
       +--------------------+--------------------+---------------------------+
       |aliases 	    |mailGroup		 | ou=Aliases,dc=...	     |
       +--------------------+--------------------+---------------------------+
       |publickey	    |nisKeyObject	 |			     |
       +--------------------+--------------------+---------------------------+
       |generic 	    |nisObject		 | nisMapName=...,dc=...     |
       +--------------------+--------------------+---------------------------+
       |printers	    |printerService	 | ou=Printers,dc=...	     |
       +--------------------+--------------------+---------------------------+
       |auth_attr	    |SolarisAuthAttr	 | ou=SolarisAuthAttr,dc=... |
       +--------------------+--------------------+---------------------------+
       |prof_attr	    |SolarisProfAttr	 | ou=SolarisProfAttr,dc=... |
       +--------------------+--------------------+---------------------------+
       |exec_attr	    |SolarisExecAttr	 | ou=SolarisProfAttr,dc=... |
       +--------------------+--------------------+---------------------------+
       |user_attr	    |SolarisUserAttr	 | ou=people,dc=...	     |
       +--------------------+--------------------+---------------------------+
       |audit_user	    |SolarisAuditUser	 | ou=people,dc=...	     |
       +--------------------+--------------------+---------------------------+

       The security model for clients is defined by a combination of the credential level to be used, the authentication method, and the PAM  mod-
       ules  to  be  used.  The  credential  level defines what credentials the client should use to authenticate to the directory server, and the
       authentication method defines the method of choice. Both these can be set with multiple values. The Solaris  LDAP  supports  the  following
       values for credential level :
	 anonymous
	 proxy
	 self

       The Solaris LDAP supports the following values for authentication method:
	 none
	 simple
	 sasl/CRAM-MD5
	 sasl/DIGEST-MD5
	 sasl/GSSAPI
	 tls:simple
	 tls:sasl/CRAM-MD5
	 tls:sasl/DIGEST-MD5

       When  the  credential  level is configured as self, DNS must be configured and the authentication method must be sasl/GSSAPI. The hosts and
       ipnodes in /etc/nsswitch.conf must be configured to use DNS, for example hosts: dns files and ipnodes: dns files.

       sasl/GSSAPI automatically uses GSSAPI confidentiality and integrity options, if they are configured on the directory server.

       The credential level of self enables per-user naming service lookups, or lookups that use the GSSAPI credentials of the user when  connect-
       ing to the directory server. Currently the only GSSAPI mechanism supported in this model is Kerberos V5. Kerberos must be configured before
       you can use this credential level. See kerberos(5) for details.

       More protection can be provided by means of access control, allowing the server to grant access for certain containers or  entries.  Access
       control	is  specified  by Access Control Lists (ACLs) that are defined and stored in the LDAP server. The Access Control Lists on the LDAP
       server are called Access Control Instructions (ACIs) by the the SunOne Directory Server. Each ACL or ACI specifies one  or  more  directory
       objects,  for  example,	the  cn  attribute  in a specific container, one or more clients to whom you grant or deny access, and one or more
       access rights that determine what the clients can do to or with the objects. Clients can be users or applications.  Access  rights  can	be
       specified  as  read  and  write,  for example. Refer to the System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)
       regarding the restrictions on ACLs and ACIs when using LDAP as a naming repository.

       A sample nsswitch.conf(4) file called nsswitch.ldap is provided in the /etc directory. This is copied to /etc/nsswitch.conf  by	the  ldap-
       client(1M) utility. This file uses LDAP as a repository for the different databases in the nsswitch.conf file.

       The following is a list of the user commands related to LDAP:

       idsconfig(1M)	 Prepares a SunOne Directory Server to be ready to support Solaris LDAP clients.

       ldapaddent(1M)	 Creates LDAP entries from corresponding /etc files.

       ldapclient(1M)	 Initializes LDAP clients, or generates a configuration profile to be stored in the directory.

       ldaplist(1)	 Lists the contents of the LDAP naming space.

FILES

       /var/ldap/ldap_client_cred    Files that contain the LDAP configuration of the client. Do not manually modify these files. Their content is
       /var/ldap/ldap_client_file    not guaranteed to be human readable. Use ldapclient(1M) to update them.

       /etc/nsswitch.conf	     Configuration file for the name-service switch.

       /etc/nsswitch.ldap	     Sample configuration file for the name-service switch configured with LDAP and files.

       /etc/pam.conf		     PAM framework configuration file.

SEE ALSO

       ldaplist(1),  idsconfig(1M),  ldap_cachemgr(1M),  ldapaddent(1M),  ldapclient(1M),  nsswitch.conf(4),   pam.conf(4),   kerberos(5)pam_auth-
       tok_check(5),	pam_authtok_get(5),    pam_authtok_store(5),	pam_dhkeys(5),	 pam_ldap(5),	pam_passwd_auth(5),   pam_unix_account(5),
       pam_unix_auth(5), pam_unix_session(5)

       System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

NOTES

       The pam_unix(5) module is no longer supported. Similar functionality is provided  by  pam_authtok_check(5),  pam_authtok_get(5),  pam_auth-
       tok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5), andpam_unix_session(5).

SunOS 5.11							    28 Aug 2006 							   ldap(1)
All times are GMT -4. The time now is 03:15 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy