PSUMAC102: Penn State Central Auth In- Depth

Transcription

1 PSUMAC102: Penn State Central Auth In- Depth

2 The Penn State Auth Environment It s a bit messy One of three options: Use Access Accounts and the infrastructure surrounding that Do your own thing Combine the two

3 Penn State s Access Account Auth Environment MIT Kerberos V5 IBM Tivoli Directory LDAP V6 Custom Web Applications IBM GPFS FileSystem V3.2 Access WinAD

4 Kerberos Infrastructure is MIT Kerberos V 4 KDCs (Master and Replicas) 1 is off-site for geographic redundancy

5 Kerberos (dce.psu.edu) Realm name is dce.psu.edu Note the lowercase name

6 Kerberos (dce.psu.edu) Contain passwords for all PSU Faculty, Students and Staff (Penn State Access Accounts) web-based tool (work.psu.edu) for changing passwords web-based tool (work.psu.edu) for provisioning service (and user) keytabs

7 Penn State s Access Account Auth Environment MIT Kerberos V5 IBM Tivoli Directory LDAP V6 Custom Web Applications IBM GPFS FileSystem V3.2 Access WinAD

8 LDAP IBM Tivoli Directory Server 6.x Master, multiple replicas Multiple addresses Multiple load-balanced systems

9 LDAP ldap.psu.edu 2 back-end systems for general inquiries advertised publicly limited to 200 returns per query

10 LDAP dirapps.aset.psu.edu 2 back-end systems programmatic interface not advertised publicly (admins and programmers) limited to 1000 returns per query

11 LDAP Third interface not advertised used only for internal systems and emergency failover geographically distributed

12 LDAP Numerous attributes available for AuthZ decisions Some commonly used attributes are: EduPerson Primary Affiliation UMG or Service group membership Department Admin Area

13 LDAP LDAP Groups and Membership Course groups (protected by FERPA) Service groups psu.facstaff, psu.up.staff, psu.up.faculty umg/services. User Managed Groups

14 LDAP User Managed Groups (UMGs) LDAP group created and managed by a user Personal groups ownership limit 30 Functional groups ownership limit 50

15 Penn State s Access Account Auth Environment MIT Kerberos V5 IBM Tivoli Directory LDAP V6 Custom Web Applications IBM GPFS FileSystem V3.2 Access WinAD

16 Active Directory Penn State Windows Active Directory (WinAD) AKA ACCESS.PSU.EDU Forest

17 Active Directory Windows Server 2003 Functional Level 2003, 2008 & 2008r2 Domain Controllers Present Strong Infrastructure for University-wide demand With geographic separation of DCs

18 Active Directory Contains shadow users and groups from ldap including UMGs! For PSU Access passwords, the WinAD has a oneway trust to Kerberos

19 Active Directory ITS maintains the environment, it s yours to control Organization Unit (OU) based delegation OU admins have full control over their own OU Other AD options available

20 The Mac Perspective Macs can join the AD Manage Macs with the same tools as Windows Use your OU admin account on both Mac & PC Network PASS Home Folders - Go Off-line auth - Negative MCX - coming?

21 Penn State s Access Account Auth Environment MIT Kerberos V5 IBM Tivoli Directory LDAP V6 Custom Web Applications IBM GPFS FileSystem V3.2 Access WinAD

22 Custom Web Apps Demo!

23 Main methods of integration PSU Kerberos and PSU LDAP OD Master with PSU Kerberos Active Directory

24 PSU Kerberos + PSU LDAP Pros Quick and Easy Implementation/Deployment Local servers not necessary Simple architecture Fire and forget Cons No local control Requires network at all times No persistence

25 OD Master with PSU Kerberos Pros More local control Persistence (if desired) Closest to the Apple way (MCX, etc) Cons You re in charge of LDAP (lose central info) More work for set up

26 Active Directory Pros Quick integration for Windows admins Admin Macs with AD Admin account All systems authn through the same method Cons Still very experimental, not officially supported Lack of MCX support...for now Lack of persistence...for now

27 Bringing your site in (primer for lab) Kerberos LDAP Active Directory

28 Integrating Your Macs with dce.psu.edu Kerberos Clients Services /Library/Preferences/ edu.mit.kerberos /Library/Preferences/ edu.mit.kerberos /etc/krb5.keytab $service.config

29 Tools of the Trade kt_util scp/sftp Keytab Generator PASS serveradmin nano/vi edu.mit.kerberos /etc/authorization

30 PSU LDAP Bind to directory using Directory Utility /Applications/Utilities/Directory Utility (10.5-) /System/Library/CoreServices/Directory Utility (10.6+) Use attributes to make decisions many places you can do this! Does not work WITH an OD Master

31 OD Master LDAP Bind to directory using Directory Utility /Applications/Utilities/Directory Utility (10.5-) /System/Library/CoreServices/Directory Utility (10.6+) Use attributes to make decisions many places you can do this! Does not work WITH PSU LDAP

32 PSU Active Directory Bind to AD (ACCESS.PSU.EDU) Edit /Library/Preferences/DirectoryService/ ActiveDirectory.plist flip AD Generate AuthAuthority from True to False Enable Active Directory Authentication Edit /Library/Preferences/edu.mit.Kerberos Edit /etc/authorization REBOOT!!!

33 PSU Active Directory OR... Use the PSU AD Join Script for Macs Warning: this script is experimental. I am not responsible if Velociraptors escape from your Mac and eat you if you run it *Velociraptor comic Randall Munroe, xkcd.com

34 End of PSUMAC102 Questions?