Authentication Server - PowerPoint PPT Presentation

About This Presentation
Title:

Authentication Server

Description:

Authentication Server Idea born in interdepartmental task force Too many userid/password combinations for each user to remember Need central set of secure servers ... – PowerPoint PPT presentation

Number of Views:170
Avg rating:3.0/5.0
Slides: 58
Provided by: Davi1434

Transcript and Presenter's Notes

1
Authentication Server
  • Idea born in interdepartmental task force
  • Too many userid/password combinations for each
    user to remember
  • Need central set of secure servers that all
    systems use for authentication
  • Clemson University Personal ID (CUPID)
  • Prototyped/tested in late 95/spring 96
  • Production on July 1, 1996

2
Authentication Server
[Diagram: the Authentication Server at the centre, with an authC (authentication client) on each connected system: Mail, UNIX, Web, Sun, Oracle, Windows NT, NetWare and mainframe.]
3
Architecture
[Diagram: User -> Authentication Server Agent -> Directory Services.]
4
Architecture Possibilities
[Diagram: User -> Authentication Server Agent -> Directory 1, Directory 2, Directory 3.]
5
Client Integration - System Level
[Diagram: MVS side: Applications (TSO, IDMS, DB2, ?) -> SAF -> RACF API -> AuthClient, beside RACF. Unix side: Applications (Login, FTP, Sys, ?) -> PAM -> AuthClient, beside /ETC/PASSWD.]
6
Client Integration - Application Level
[Diagram: Unix: POPd and CGI -> AuthClient BIN. NT: Internet Information Server (IIS) -> AuthClient DLL.]
7
Authentication Server
  • NetWare Loadable Module (NLM) is multithreaded
  • Clients use common code base
  • Clients have built-in failover capability
  • Communication based on TCP/IP sockets
  • > 90% of successful password checks complete in
    less than 0.1 seconds
  • > 4 million requests serviced by primary server
    over a 6 week period (100,000/day)
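Slide 7 states that the clients share a common code base, have built-in failover and talk to the server over TCP/IP sockets. The following is an added example of that client-side failover, not the AuthServ client itself: the page does not show the wire format, so the one-line "CHECK user password" protocol, the threaded demo server and its credential table are constructed for the illustration.

```python
"""Failover password-check client over TCP sockets (added example).

The "CHECK <user> <password>" -> "OK" / "FAIL" line protocol is constructed
for this illustration; the real AuthServ wire format is not on the page.
"""
import hmac
import socket
import socketserver
import threading

# Constructed credential table for the demo agent only; the real agent
# checks the password against NDS instead of a local table.
DEMO_USERS = {"gmcochr": "correct horse", "kellen": "battery staple"}


class DemoAuthHandler(socketserver.StreamRequestHandler):
    """Stand-in for the multithreaded agent NLM: one request per connection."""

    def handle(self):
        line = self.rfile.readline().decode("utf-8", "replace").rstrip("\r\n")
        parts = line.split(" ", 2)
        reply = "FAIL"
        if len(parts) == 3 and parts[0] == "CHECK":
            user, password = parts[1], parts[2]
            expected = DEMO_USERS.get(user, "")
            # Constant-time comparison: no timing difference between a wrong
            # first character and a wrong last character.
            if expected and hmac.compare_digest(expected.encode(), password.encode()):
                reply = "OK"
        self.wfile.write((reply + "\n").encode())


class DemoAuthServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_demo_server(host="127.0.0.1", port=0):
    """Start a threaded demo agent on an ephemeral port; returns (server, port)."""
    server = DemoAuthServer((host, port), DemoAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def check_password(servers, user, password, timeout=0.5):
    """Ask the first reachable agent in `servers` to check the password.

    Returns (accepted, server_used). Only an agent that cannot be reached is
    skipped. An agent that answers FAIL ends the attempt: a definitive denial
    is not retried on the next agent, otherwise each agent's own lockout or
    rate limit could be sidestepped by moving down the list.
    """
    last_error = None
    for host, port in servers:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(f"CHECK {user} {password}\n".encode())
                reply = sock.makefile("r").readline().strip()
                return reply == "OK", (host, port)
        except OSError as exc:        # refused, timed out, unreachable: fail over
            last_error = exc
    raise ConnectionError(f"no authentication agent reachable: {last_error}")


def unused_port():
    """Pick a port that is currently closed, to stand in for a down primary agent."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, live = start_demo_server()
    print(check_password([("127.0.0.1", unused_port()), ("127.0.0.1", live)],
                         "gmcochr", "correct horse"))
    server.shutdown()
```

The list order is the failover order, so the primary agent goes first and the connect timeout bounds how long a dead primary delays every check.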

8
AuthServ Applications
9
NDS Authentication for Large IBM Systems and
Applications
10
NDS Authentication for Unix
11
NDS Authentication for POP/IMAP
12
Firewall Authentication
[Diagram: Users -> Cisco PIX -> Livingston Steel-Belted Radius with AuthClient -> Intranet / Internet.]
13
NDS Web Security via Windows NT/UNIX/???
14
NDS Authentication through Windows NT/UNIX/??? to the Web
Application: Employee Information System (EIS)
Type: Web Server
OS: Windows NT 4.0 Server
Enabling app: Website/Visual Basic
15
NDS Security Across the Intranet
[Diagram: the Authentication Server (NDS, AUTHAGNT .NLM) serves an Authenticated Client on NT 4.0 running Netscape or IIS with a 32-bit DLL. A page request triggers CheckEquiv: Check Security Equivalence by locating the user object and running its equivalence list.]
16
AuthServ as an NDS Data Gateway
Application: Call tracking system
Type: Web Server
OS: Windows NT 4.0 Server
Enabling app: Website/Visual Basic
[Screenshot: call-tracking form with an assignee list (Not Assigned, BILL BROYLES, CCR, DAVE, DAVIDC, DHF, DHFRS, DON, JAMBO, JHALL, MIKE YATES); DAVIDC is selected.]
17
Web Interface to Home Directories via AUTHSERV NDS Gateway
http://www.clemson.edu/acollin
Application: Personal pages
Type: Web Server
OS: Linux
Enabling app: Apache/Caldera
18
AuthServ Client Functions
  • Password check
  • Password change
  • Resolve to fully distinguished name
  • Check security equivalence
  • Return group membership
  • Get Effective Rights
  • Others

19
WebAuth Web Single Sign-On
Only trusted web servers prompt for userid
password and set cookie in browser. Other web
servers must use the cookie to determine the
user.
[Diagram: a Workstation with Web Browser 1 and Web Browser 2. Web Browser 1 logs in at the DCIT Authentication WebServer (WebAuth Trusted Client -> Auth Client -> AuthAgnt NLM -> NDS), which STOREs the session with the WebAuth NLM and sets the cookie. A 3rd Party WebServer (WebAuth Client) CHECKs the cookie with the WebAuth NLM; a Redirect links the 3rd party server and the trusted server.]
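Slide 19 says only trusted web servers prompt for the userid and password and set the cookie, and that every other web server must use that cookie to determine the user; the diagram labels the two operations against the WebAuth NLM as STORE and CHECK. The following added example (not the WebAuth code) models that split with an opaque server-side session token, so the cookie itself carries no userid or password. The cookie name, its attributes, the TTL, the in-memory store and the password callback are assumptions.

```python
"""WebAuth-style single sign-on with an opaque cookie (added example).

Stand-ins, all constructed: WebAuthStore plays the WebAuth NLM, the two
functions play the trusted login server and a third-party web server.
"""
import secrets
import time


class WebAuthStore:
    """STORE / CHECK service: maps an unguessable token to a userid and expiry."""

    def __init__(self, ttl_seconds=8 * 3600, clock=time.time):
        self._tokens = {}          # token -> (userid, expires_at)
        self.ttl = ttl_seconds
        self.clock = clock         # injectable for tests

    def store(self, userid):
        token = secrets.token_urlsafe(32)   # 256 bits of randomness; nothing to forge
        self._tokens[token] = (userid, self.clock() + self.ttl)
        return token

    def check(self, token):
        """Return the userid for a live token, or None (unknown, revoked or expired)."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        userid, expires_at = entry
        if self.clock() >= expires_at:
            del self._tokens[token]
            return None
        return userid

    def revoke(self, token):
        """Logout: invalidates the session everywhere at once, not just in one browser."""
        self._tokens.pop(token, None)


COOKIE_NAME = "WEBAUTH"   # assumed name


def trusted_server_login(store, userid, password, check_password):
    """Only the trusted server sees the password; on success it STOREs a session
    and returns the Set-Cookie header value, otherwise None."""
    if not check_password(userid, password):
        return None
    token = store.store(userid)
    # Domain is constructed; HttpOnly keeps page scripts from reading the token.
    return f"{COOKIE_NAME}={token}; Path=/; Domain=.clemson.edu; HttpOnly"


def third_party_request(store, cookie_header):
    """Any other web server: read the cookie, CHECK it, never touch a password.
    Returns ("ok", userid) or ("redirect", None) to send the browser to the
    trusted login server."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    token = cookies.get(COOKIE_NAME)
    userid = store.check(token) if token else None
    return ("ok", userid) if userid else ("redirect", None)
```

Because the third-party server only ever holds the token, a compromise of such a server exposes sessions but not passwords, and revoking the token at the store ends the session on every server that honours it.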
20
Caldera OpenLinux and Apache
  • Web gateway to NetWare file system

[Diagram: Browsers reach the File Servers through Caldera OpenLinux, whose AuthC talks to the AuthServer.]
21
Web Interface to Department Pages
Application: Departmental pages
Type: Web Server
OS: Linux
Enabling app: Apache/Caldera
http://dcitnds.clemson.edu/CSO/depts/maint
22
Caldera OpenLinux and Apache
  • First attempt to provide web services via Novell
    made use of Novell's intraNetWare Web Server 1.0,
    which simply was not reliable
  • Caldera OpenLinux provided robust UNIX
    connectivity to NDS and supported the industry
    standard Apache web server
  • Out of the box Caldera/Apache did not provide
    home directory redirection and/or authentication
  • It did however provide the source code needed to
    make these modifications

23
Caldera OpenLinux and Apache Mods
  • Added a module that links Apache's user
    directory directive to the user's Novell home
    directory
  • Makes http://www.clemson.edu/erich point to
    EMPLOYED/USR02\USERS\U20\ERICH\PUBLIC.WWW
  • Since Caldera is NDS aware, this also allows us
    to serve group web sites via their own group
    servers

24
Caldera OpenLinux and Apache Mods
  • Added another module using the previously
    mentioned authentication server routines to
    provide both user and group authentication
  • Makes use of the standard .htaccess format with
    additional Novell directives

25
Using NDS to Secure Web Pages
  NovellAuth on
  AuthName "Novell Tree"
  AuthType Basic
  <Limit GET POST>
  require user gmcochr
  require user kellen
  require group .resadmin.groups.employee.clemsonu
  </Limit>
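The access file above grants the page to two named users or to members of one NDS group; slide 18 lists "resolve to fully distinguished name" and "check security equivalence" among the client functions, and slide 15 describes the latter as locating the user object and running its equivalence list. The following added example (not the Clemson Apache module) evaluates that file against a constructed mini directory. The typeless, leading-dot FDN form, the directory contents and the non-transitive equivalence rule are assumptions made for the illustration; the access file is the one on slide 25.

```python
"""Evaluate `require user` / `require group` rules against NDS-style objects
(added example, not the Clemson module's code)."""
import re

ACCESS_EXAMPLE = """
NovellAuth on
AuthName "Novell Tree"
AuthType Basic
<Limit GET POST>
require user gmcochr
require user kellen
require group .resadmin.groups.employee.clemsonu
</Limit>
"""

# Constructed directory: FDN -> group memberships and explicit Security Equal To entries.
DIRECTORY = {
    ".gmcochr.g.employee.clemsonu": {"groups": [], "equivalent_to": []},
    ".kellen.k.employee.clemsonu": {"groups": [], "equivalent_to": []},
    ".sally.s.employee.clemsonu": {"groups": [".resadmin.groups.employee.clemsonu"], "equivalent_to": []},
    ".bob.b.employee.clemsonu": {"groups": [".helpdesk.groups.employee.clemsonu"], "equivalent_to": []},
    ".fred.f.employee.clemsonu": {"groups": [], "equivalent_to": [".admin.dcit.organizations.clemsonu"]},
    ".admin.dcit.organizations.clemsonu": {"groups": [], "equivalent_to": [".resadmin.groups.employee.clemsonu"]},
    ".resadmin.groups.employee.clemsonu": {"groups": [], "equivalent_to": []},
}


def cn_of(fdn):
    """Common name of a typeless FDN: '.kellen.k.employee.clemsonu' -> 'kellen'."""
    return fdn.split(".")[1]


def resolve_fdn(userid):
    """Short userid -> matching FDNs; more than one match means the name is ambiguous."""
    return [fdn for fdn in DIRECTORY if cn_of(fdn).lower() == userid.lower()]


def equivalence_list(fdn):
    """Locate the object and run its equivalence list: itself, its groups and its
    explicit Security Equal To entries. Assumed non-transitive (as NDS documents
    it): what those entries are in turn equivalent to is not included."""
    obj = DIRECTORY.get(fdn)
    if obj is None:
        return frozenset()
    return frozenset([fdn, *obj["groups"], *obj["equivalent_to"]])


def parse_access(text):
    """Parse directive lines; returns (settings, rules), rules = (methods, kind, names).
    methods is None for a require outside any <Limit> block."""
    settings, rules, methods = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.fullmatch(r"<Limit\s+([^>]+)>", line, re.IGNORECASE)
        if opened:
            methods = frozenset(m.upper() for m in opened.group(1).split())
            continue
        if re.fullmatch(r"</Limit>", line, re.IGNORECASE):
            methods = None
            continue
        directive, _, rest = line.partition(" ")
        if directive.lower() == "require":
            kind, _, names = rest.strip().partition(" ")
            rules.append((methods, kind.lower(), names.split()))
        else:
            settings[directive.lower()] = rest.strip().strip('"')
    return settings, rules


def is_authorized(rules, method, user_fdn):
    """Allow the request if any require rule covering `method` is satisfied."""
    applicable = [r for r in rules if r[0] is None or method.upper() in r[0]]
    if not applicable:
        return True              # nothing restricts this method
    if user_fdn not in DIRECTORY:
        return False             # unknown object: fail closed
    equiv = equivalence_list(user_fdn)
    for _methods, kind, names in applicable:
        if kind == "user" and cn_of(user_fdn) in names:
            return True
        if kind == "group" and any(g in equiv for g in names):
            return True
        if kind == "valid-user":
            return True
    return False
```

Two things the run shows: sally is admitted through group membership without being named, while fred is refused even though his Security Equal To object is itself equivalent to the group (non-transitive). The `<Limit GET POST>` wrapper also means a HEAD request is not covered by any rule at all, which is the usual reason to put `require` lines outside `<Limit>` unless specific methods really are meant to stay open.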
26
[Diagram (no slide title): overall deployment. intraNetWare servers A, B and C each run AUTHAGNT.NLM against NDS. AuthClients on MAIL (Solaris, POPd), an NT Server (WebApp), OpenLinux (WebApp, Web site, Apache) and the Mainframe (MVS, RACF) call those agents. A User workstation (Windows 95/Windows NT and Mac workstation) reaches those systems through Eudora, TN3270, Netscape and LOGIN.EXE.]
27
Design
28
[Diagram: the Administrator's 95/98/NT Workstation runs the AuthAdmn Win32 App against the AuthMgr NLM on the Manager NW Server, which holds the Master Census. Agent NW Server 1, 2 ... N each run AuthRslv NLM and AuthAgnt NLM with a local Census and answer AuthClient requests.]
29
[Diagram: the same design, condensed: Administrator / 95/98/NT Workstation / AuthAdmn Win32 App -> AuthMgr NLM with Master Census on the Manager NW Server -> Agent NW Servers (AuthRslv NLM, AuthAgnt NLM, Census) -> several AuthClients.]
30
Census
31
Classic Tree Design-Organizational
[Diagram: organizational tree. Company contains Production, Admin, RD and Mkting; users Bob, Sally, Emma and Fred and a Proj1 container are placed under the departments.]
32
Classic Tree Design - Geographical
[Diagram: geographical tree. Company contains LA and Europe, each with its own Mkting container; users Emma, Sally, Bob and Fred are placed under the regional Mkting containers.]
33
Clemson Tree Design
[Diagram: the ClemsonU tree with two top-level containers, Users and Organizations.]
34
CU - Every Person Has a Place
[Diagram: the ClemsonU tree. Users are split into Students, Misc. and Employee containers, subdivided by initial letter (A to Z); Organizations is a sibling container.]
35
CU - Every Group Has a Place
[Diagram: the ClemsonU tree. Organizations such as Athletics, DCIT, CAFLS and CES sit beside Users, with sub-units (Forestry, Research, Dean's office) nested under their parent organization.]
36
Client32 Login
37
Novell's Catalog Services
  • User locatable database of directory information
  • Query APIs
  • The catalog object
  • Snapin
  • Dredger
  • NetWare 5.x

.d.employee.clemsonu
38
A Tale of Two Bobs
[Diagram: the geographical tree again: Company / LA and Europe / Mkting, with Emma, Sally, Bob and Fred.]
39
Novell's Catalog Services - 2 Bobs
Duplicate keys require the user to choose his
context at login time.
.mkting.New York.company
.prod.LA.company
40
Catalog Services Issues
  • Catalog Object NDS Synchronization is tricky.
  • Heterogeneous Systems can be fooled by the
    catalog.
  • Heterogeneous Systems cannot handle duplicate
    Catalog entries.
  • Only supported in NetWare 5.x
  • A catalog can only contain objects in its own NDS
    tree.

41
Census - Unique Catalog Services
  • Catalog Services with Rules.
  • Provide for true Universal IDs.
  • Trawls specified sections of Tree.
  • Periodic and On-Demand Trawls.
  • Can Use a Catalog as Input.
  • Not an NDS object.
  • Supports Multiple Trees.
  • Collisions are resolved once.
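Slides 38 to 41 make the case: a catalog with duplicate keys (two Bobs) forces the user to pick a context at login, and a plain catalog can neither span trees nor hold rules. The census answers with specified trawl scopes, universal IDs, multiple trees and collisions that are resolved once. The following added example (not the AuthServ census code) implements that behaviour over constructed trees; the scope format, the collision rule (withhold the ID and report it until an administrator picks a winner) and the data layout are assumptions.

```python
"""Census with rules: trawl specified containers of several trees, assign
universal IDs, resolve collisions once (added example, constructed data)."""

# Constructed trees: tree name -> typeless FDNs of user objects.
TREES = {
    "company": [
        ".bob.mkting.New York.company",   # the two Bobs from slide 39
        ".bob.prod.LA.company",
        ".emma.mkting.LA.company",
        ".sally.mkting.europe.company",
        ".fred.admin.company",            # outside every trawl scope below
    ],
    "clemsonu": [
        ".bob.b.employee.clemsonu",       # a third Bob, in a second tree
        ".kellen.k.employee.clemsonu",
    ],
}

# Trawl scopes (tree, container): an object is in scope when its context is the
# container itself or lies beneath it.
SCOPES = [
    ("company", "LA.company"),
    ("company", "New York.company"),
    ("company", "europe.company"),
    ("clemsonu", "employee.clemsonu"),
]


def split_fdn(fdn):
    """'.bob.prod.LA.company' -> ('bob', 'prod.LA.company')."""
    _, cn, context = fdn.split(".", 2)
    return cn, context


def in_scope(tree, context, scopes):
    return any(t == tree and (context == c or context.endswith("." + c)) for t, c in scopes)


def trawl(trees, scopes):
    """Yield (uid, tree, fdn) for every user object inside the specified containers."""
    for tree, fdns in trees.items():
        for fdn in fdns:
            cn, context = split_fdn(fdn)
            if in_scope(tree, context, scopes):
                yield cn.lower(), tree, fdn


def build_census(trees, scopes, resolutions):
    """Return (census, exceptions).

    census maps each universal ID to exactly one (tree, fdn). An ID claimed by
    several objects is a collision: a winner the administrator chose earlier is
    reused on every trawl (resolved once); otherwise the ID is withheld and
    listed on the exception report rather than silently assigned.
    """
    claims = {}
    for uid, tree, fdn in trawl(trees, scopes):
        claims.setdefault(uid, []).append((tree, fdn))
    census, exceptions = {}, []
    for uid, objects in sorted(claims.items()):
        if len(objects) == 1:
            census[uid] = objects[0]
        elif resolutions.get(uid) in objects:
            census[uid] = resolutions[uid]
        else:
            exceptions.append((uid, objects))
    return census, exceptions


def resolve_collision(resolutions, uid, winner):
    """The administrator's one-time decision, persisted across trawls."""
    resolutions[uid] = winner
    return resolutions


def fdn_for_login(census, userid):
    """What a client asks the agent: login name -> FDN, with no context prompt."""
    entry = census.get(userid.lower())
    return entry[1] if entry else None
```

Until the collision is resolved, "bob" cannot log in through the census at all; that is the deliberate trade-off against the catalog behaviour, where the wrong Bob could be picked or a heterogeneous client confused by the duplicate.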

42
Census Definitions
43
Big Picture
[Diagram: big picture, with Command Flow and Data Flow drawn as separate arrow types between the Administrator, Manager, Agent, Resolver, NDS, Auth Config, Exception Report, New Census, Census and Client.]
44
Exceptions
45
[Diagram: user bases UBALL, FACULTY and STAFF; Agents labelled ALL and FACULTY.]
46
Mass User Management
[Diagram: HR -> UserBases -> MUM -> Directory Services.]
47
Requirements
48
AuthAdmin Requirements
  • Windows 95/98/NT Workstation
  • 64 MB RAM
  • Client32

49
Manager Server Requirements
  • NetWare 4.11/5.x
  • P-100 or higher (recommended)
  • 1 MB RAM/2000 census users (free cache buffers)
  • 1 MB Disk/10,000 census users
  • No local replicas required.

50
Agent Server Requirements
  • NetWare 4.11/5.x
  • P-166 or higher (process 25-50 concurrent
    requests with no local replicas)
  • 1 MB RAM/2000 census users (free cache buffers)
  • 1 MB Disk/10,000 census users
  • No local replicas required.
  • TCP/IP configured.

51
Benefits
52
Benefits
  • Improved computing usability.
  • Uniform authentication security.
  • Uniform application security across systems is
    now a possibility.
  • Uniform password rules.
  • Easy to deploy new systems.
  • Password resets are almost non-existent.

53
More Benefits
  • Improved Security on some systems
  • Consistency across systems and applications.
  • Stronger Passwords are used on all systems.
  • Allow you to leverage the strengths of
    heterogeneous systems without sacrificing
    usability and security.

54
Clients Supported - 3/17/99
  • MVS RACF Version 1.9 and later
  • Solaris Version 2.6 and later
  • HP/UX Version 11.0 and later
  • Red Hat Linux Version 4.2 and later
  • Windows NT Version 4.0 and later
  • Windows 95 B and Windows 98

55
Clients
  • MVS - RACF
  • MVS - ACF2
  • Solaris
  • HP/UX
  • Linux
  • Windows NT
  • Windows 95/98
  • IRIX
  • AIX
  • PeopleSoft
  • POPd
  • Livingston Radius
  • PIX
  • BSD
  • Apache
  • Open Linux
  • Miscellaneous Applications

56
Comparing NDS for Solaris
  • IPX only environment supported
  • Pure NW 4.x environment supported
  • Non-intrusive install into Solaris
  • No NDS object assignments required
  • No Public NDS rights assignments
  • API available to Solaris apps
  • Inexpensive Site license
  • Multiple tree support is possible

57
Comparing NDS for Solaris
  • Ensures that there are no duplicate user names
    across the entire NDS tree.
  • No user migration is required.
  • Does not require unique UNIX uids across the
    entire system.
  • Supports multiple user UIDs across heterogeneous
    UNIX systems.
  • Not a large leap.