Authentication across Windows, Linux, and Mac
January 11, 2008 6:22 AM
How do you use a single authentication system for different kinds of servers, systems, and workstations?
We're a small Web development business of less than 20 employees. Currently, we have three local servers:
Server A, using Windows Server 2003, is the "main" server for putting all of our documents (including financial data) and most of our projects. For development and testing, we also host Web sites there which require a Windows server, ASP and MS SQL. It's also our main DHCP and DNS server.
Server B, Fedora Core 6, is mainly for hosting projects requiring Linux, PHP or ColdFusion, and MySQL. It's the backup DHCP and DNS server.
Server C, Windows Server 2003 Web Edition, is for hosting projects requiring ColdFusion and Windows.
We have various kinds of workstations at the office: Windows XP, Windows Vista, Ubuntu, Fedora, and Mac OS X 10.4.
Our biggest annoyance at the moment is authentication. Every employee has a different account for everything. Windows file shares, Linux file shares, Linux shell accounts, MySQL, MS SQL...
Server A already has Active Directory set up, though I'm not too familiar with it. (I'm more of a Linux system administrator.) I tried some ways to combine all one employee's accounts together, but it just won't work. One of the ways I tried was to set up PAM on server B to use LDAP or other mechanisms supposedly supported by the server A, but it doesn't work.
Now, I'm wondering, are there any methods to make the authentication process of every service work together?
I'm not even sure where to start to set this all up. Any suggestions will be appreciated! Thanks in advance!
You can use SAMBA/Winbind and the Winbind PAM module to authenticate against Active Directory on Linux.
I'm sure there's a way to do this on OS X, but I've never gotten around to it. Apple has some docs on their support site: http://www.apple.com/itpro/articles/adintegration/
posted by kableh at 6:28 AM on January 11, 2008
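The join procedure kableh describes, written out as an added example for a Fedora host like server B (this is not code from the thread or from the Samba project); it assumes the realm EXAMPLE.LOCAL, the NetBIOS domain EXAMPLE and a domain controller named servera.example.local:

```shell
#!/bin/sh
# Added example (not kableh's or Samba's own script): join a Fedora host such as
# server B to the AD domain on server A via Samba/Winbind so domain users log in
# through pam_winbind. Assumed names: realm EXAMPLE.LOCAL, NetBIOS domain
# EXAMPLE, domain controller servera.example.local.
REALM="${REALM:-EXAMPLE.LOCAL}"
WORKGROUP="${WORKGROUP:-EXAMPLE}"
DC="${DC:-servera.example.local}"
# [global] for /etc/samba/smb.conf: "security = ads" makes the host a Kerberos
# domain member; the idmap range keeps AD users clear of local UIDs (Samba 3.0
# syntax; Samba 4 uses "idmap config * : range = 10000-20000" instead).
smb_conf() {
cat <<EOF
[global]
   workgroup = $WORKGROUP
   realm = $REALM
   security = ads
   password server = $DC
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = yes
   template shell = /bin/bash
EOF
}
# /etc/krb5.conf so "net ads join" and kinit can find the domain controller.
krb5_conf() {
cat <<EOF
[libdefaults]
   default_realm = $REALM
[realms]
   $REALM = {
      kdc = $DC
   }
EOF
}
# Sanity check before touching live files: every setting the join depends on.
check_smb_conf() {
    for key in 'security = ads' "realm = $REALM" 'idmap uid' 'winbind use default domain'; do
        smb_conf | grep -q "$key" || return 1
    done
}
if [ "${APPLY:-0}" = 1 ]; then   # run as root on the host with APPLY=1
    smb_conf > /etc/samba/smb.conf
    krb5_conf > /etc/krb5.conf
    # authconfig (command-line side of system-config-authentication) adds winbind
    # to nsswitch.conf and pam_winbind/pam_mkhomedir to /etc/pam.d/system-auth.
    authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --update
    net ads join -U Administrator   # prompts for the domain admin password
    service winbind restart
    wbinfo -t && wbinfo -u          # trust secret OK, then list AD users
fi
```

Without APPLY=1 the script only defines the config generators, so it can be reviewed and checked on a workstation before being run as root on the server.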
As others have said above, there are certainly ways to do it -- but I have to tell you that you definitely need to be prepared for a lot more administration effort than you might think. Having worked in, designed, and set up more multi-platform networks than I care to remember, setting up universal authentication is never easy, it's never few-steps-and-you're-done, and it's never even lots-of-steps-and-then-occasional-maintenance. It's always been a process of getting all the rickety pieces of the puzzle in place, then painstakingly configuring every client by hand to use the pieces, then doing a crapload of debugging to figure out why device A or account B isn't working, and then going to bed every night wondering which part of it will totally break with some trivial system or firmware upgrade that should otherwise have been no big deal at all. Entire days get lost working around a new version of software that doesn't use standard authentication libraries, or trying to figure out the exact combination of permissions that'll allow some specific user to have read-only access to share A but read-write access to service B.
So I guess my answer is that you certainly can use some combination of LDAP, Open Directory/Active Directory, or Samba to achieve what you want, but you certainly should take a long, hard look at whether the pain of multiple accounts and logins is so bad as to be worth the significant tradeoff of increased effort and maintenance it'll take to maintain seamless multi-platform authentication and permissions.
posted by delfuego at 7:11 AM on January 11, 2008
I work in a similar environment, and we're working towards single sign-on. We have OpenLDAP & MS Active Directory. I have some Linux servers & ESX servers authenticating to our Active Directory. There are Apache modules to authenticate to Active Directory as well.
Linux - AD authentication is actually fairly easy; once you want to add authorization to the mix, and doing any sort of GPO/AD management of those Linux servers is when it gets tricky. There are third party products out there to assist, but they aren't cheap (Centrify, Centeris). Here's a link with some information. In our solution, I don't use Winbind. I create local users on each Linux machine that match AD accounts; the authentication happens in AD though. We'll be using Puppet for configuration management of the Linux servers, centralizing the user administration. FWIW, Red Hat/Fedora installs usually have system-config-authentication that configures this automagically for you (after a few prompts).
I've read Macs can authenticate to Active Directory too, and this is something I'll have to tackle as well.
Beyond that - you could look into a password synchronization product, like P-synch; or look into more expensive solutions, like using Novell e-Directory. Any way you look at it, you are looking at more administration work (and possibly money).
posted by bxg at 7:14 AM on January 11, 2008
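bxg's model of local users plus AD-verified passwords, as an added example that is not bxg's actual configuration; it assumes the realm EXAMPLE.LOCAL, a KDC at servera.example.local and a constructed employee list:

```shell
#!/bin/sh
# Added example, not bxg's own setup: the "local account, AD password" model.
# Who may log in is decided by the local accounts on each host; the password is
# checked against AD over Kerberos by pam_krb5. Assumed: realm EXAMPLE.LOCAL,
# KDC servera.example.local, and a constructed employee list.
REALM="${REALM:-EXAMPLE.LOCAL}"
KDC="${KDC:-servera.example.local}"
EMPLOYEES="alice bob"   # constructed; in practice pushed to every host by Puppet
# Authorization is this list, not AD: a domain user with no local account is
# refused even with a valid AD password.
authorized_user() {
    for u in $EMPLOYEES; do [ "$u" = "$1" ] && return 0; done
    return 1
}
# Local accounts whose own password hash is locked: pam_unix then fails on the
# local hash, so the AD password checked by pam_krb5 is the only way in.
create_local_users() {
    for u in $EMPLOYEES; do
        id "$u" >/dev/null 2>&1 || useradd -m -s /bin/bash "$u"
        passwd -l "$u"
    done
}
if [ "${APPLY:-0}" = 1 ]; then   # run as root with APPLY=1
    create_local_users
    # Fedora's authconfig writes /etc/krb5.conf and puts
    # "auth sufficient pam_krb5.so use_first_pass" into /etc/pam.d/system-auth.
    authconfig --enablekrb5 --krb5realm="$REALM" --krb5kdc="$KDC" \
               --krb5adminserver="$KDC" --update
    # Caveat: without a host key in /etc/krb5.keytab pam_krb5 cannot verify that
    # the ticket came from the real KDC, so a rogue KDC on the LAN could accept
    # any password. Provision a host keytab (ktpass on the DC, or a Samba domain
    # join configured to write one) before relying on this for logins.
    kinit "alice@$REALM" && kdestroy   # smoke test: prompts for alice's AD password
fi
```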
I don't think you really want a single source for authentication in your environment. In fact, I don't think you want to have the same server that's hosting your financial data and databases to also be running ASP or any other public services. You really should separate those things. At my small web development company (also about 20 employees), we have a LAN that hosts internal stuff, a DMZ that hosts external stuff, and a firewall server that separates the LAN, DMZ and public zones. We use Active Directory inside the LAN, but other, separate authentication systems within the DMZ.
This sounds complicated, but it isn't really that hard to set up, and frankly it's a must - you could easily get sued by your clients for failing to meet due diligence requirements if they lose any proprietary information because of your current network security. And that would suck.
For a firewall, there are plenty of cheap turnkey solutions. We started out using the free version of Smoothwall, which was perfectly sufficient until we needed VPN functionality. It took about a day for me to set up, with very little previous experience.
posted by me & my monkey at 7:25 AM on January 11, 2008
This is what Cisco's Secure ACS is designed for. You are talking about a NAC, network access control.
A NAC is a centralized point for AAA (access, authorization and accounting); most NAC solutions are there to point everything at and then query another database (or databases) for the validity of the credentials. This other database can be AD, an internal database to the product or say a two factor system from RSA, these are just examples.
There are other products beyond Cisco's, it just happens to be the one I have the most experience with. I would not be surprised to find there is a FOSS product out there either, but in principle NACs enable single sign on and they enable you to control where that sign on can be used and for what at a very granular level.
Establishing these kinds of setups early helps you down the road when the business decides that PCI or SAS are important to them or their business partners.
posted by iamabot at 8:59 AM on January 11, 2008
posted by bleucube at 6:27 AM on January 11, 2008