Managing an Enterprise Series
Advancements in Linux Authentication and Authorisation using SSSD
Lawrence Kearney, Enterprise Service and Integration Specialist, TTP Advisory Board Member for Higher Education, Americas
e. [email protected] | www.lawrencekearney.com
SSSD origins
2 Advancements in Linux Authentication and Authorisation using SSSD
Origins in the freeIPA project (Identity, Policy and Audit)
There is a freeIPA client
Red Hat originates a new client project
Narrower in scope
Provided funding and (2) dedicated developers
Commercially viable software base to bubble up from the CentOS and Fedora projects
What's in a name
SSSD package description:
Provides a set of daemons to manage access to remote directories and authentication mechanisms.
Provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources.
It is also the basis to provide client auditing and policy services for projects like FreeIPA.
Thank goodness! A name change opportunity is upon us!
What's in a name
Seriously ?!
“System Security Services Daemon”
We would have very happily accepted:
“Single Sign on Service Daemon”
“Simple Sign on Solution Daemon”
Even:
“Simplesmente Autenticação Serviços Daemon”
Moving on
What need is SSSD addressing?
PAM and NSS frameworks have scaling caveats, and are becoming legacy as identity management frameworks evolve
Linux servers currently aren't ideal federation platform candidates as a result
LDAP directories are becoming more specialised and are proliferating
Better Active Directory integration is more mission critical
The usual suspects
Local files… ticked, next
Network Information Service (NIS)… ticked, next
pam_unix + nss_ldap: local authentication, remote user store; password management; no session management
pam_ldap + nss_ldap: secure remote user lookup and authentication; password management; no session management
The usual suspects
pam_ldap pam_krb5 nss_ldap
Secure remote user lookup and authentication
Password management
Session management (SSO capable)
MIT Kerberos capable
MS Windows® and Active Directory for Domains capable
The usual suspects
pam_ldap pam_krb5 pam_winbind nss_ldap
Secure remote user lookup and authentication
Password management
Session management (SSO capable)
MIT/MS Windows® Kerberos capable
MS Windows® RPC capable
MS Windows® and Active Directory for Domains capable
MS Windows® file share participation
The usual daemons
Name Service Caching daemon (nscd): next-query caching for users, groups, hosts and services; no offline authentication, but can maintain active sessions
Windows Bind daemon (winbindd): does not require remote POSIX attributes; requires AD domain joining; serves as a front end for PAM, NSS and Samba
LDAP Name Service daemon (nslcd): simplified configuration file; requires remote POSIX attributes; does not require AD domain joining
That'll be enough rabbit holes
Large scale deployments become complex
Workforce and administrator skill set considerations
SSSD advantages
Authentication service enhancements
Greater extensibility
Multiple concurrently available identity stores
ID collision features
SSL/TLS or SASL/GSSAPI is required
Kerberos and SSO features
Reduced server loads
Offline authentication
More SSSD advantages
Configuration consolidation
Backward compatible with legacy PAM / NSS stacks
Legacy PAM / NSS / winbindd¹ modules not required
Integrates with winbindd if necessary
Integrated service configurations (ssh, sudo, autofs etc.)
Single configuration file, reduced complexity
SSSD disadvantages
MS Windows® or Samba file shares: still require winbindd to be configured and used
NFS file shares: may still require nscd, but without user and group caching
Interactions with some older Linux applications: those that aren't flexible concerning case; those that will only talk to legacy PAM and NSS modules
Migrating from configurations using id mapping can be more complex
More SSSD disadvantages
Seriously, if I type:
“SSSH” or “SSSL”
One more time I may scream !!
The SSSD configuration file
[sssd]                  Global parameters:       services =, domains =
[nss], [pam], [sudo]    Service parameters:      reconnection_retries =, filter_users =
[domain/NAME]           SSSD domain parameters:  id_provider =, auth_provider =, chpass_provider =, access_provider =
SSSD Domain = Identity Provider + Authentication provider
SSSD processes
SSSD uses a parent/child process monitoring model
[sssd] Parent process, Monitor
[nss] Child process, Responder
[domain/LDAP] Child process, Provider
SSSD processes
SSSD process example:
    ps -eaf | grep sssd
    root   1476     1  0 /usr/sbin/sssd
    root   1478  1476  0 /usr/libexec/sssd/sssd_nss
    root  41279  1476  0 /usr/libexec/sssd/sssd_be --domain LDAP

    pstree -A -p 1476
    sssd(1476)-+-sssd_be(41279)
               `-sssd_nss(1478)
“SSSD” architecture overview (architecture diagram; the slide image is not captured in this transcript)
SSSD providers
Local: accounts are kept in a local ldb database
LDAP: relies on installed extensions of the target directory
Kerberos: relies on installed extensions of the target directory
AD: supports many native Active Directory features
IPA: supports trusts with Active Directory domains
IdM: integrates tightly with RHEL IdM implementations
Proxy: permits integration of other provider modules
SSSD provider roles
Id, Authentication, Access and Changing Passwords
id_provider = ldap, ipa, krb5, ad, proxy
auth_provider = ldap, ipa, krb5, ad, proxy
access_provider = permit, deny, ldap, ipa, ad, simple
chpass_provider = ldap, ipa, krb5, ad, proxy, none
• Most providers fulfil multiple roles
• Different providers can be, and often are, combined
SSSD identity providers
Local: enhanced local account features; familiar local user management tools
LDAP: flexible attribute mapping capabilities
Kerberos: SASL/GSSAPI support improves application support
AD: login performance improvements; trust and domain auto-discovery features; native schema, DNS update and security support
SSSD identity provider example (three slides of example configuration shown as screenshots; not captured in this transcript)
SSSD deployment
Many Linux distributions are now SSSD aware: auto-configuration using native distribution utilities
Enterprise Linux distributions include:
    Red Hat Enterprise Linux 5.6: SSSD 1.5
    Red Hat Enterprise Linux 6: SSSD 1.9
    Red Hat Enterprise Linux 7: SSSD 1.11
    SUSE Linux Enterprise Server 11.2: SSSD 1.9
    SUSE Linux Enterprise Server 12: SSSD 1.11
Identify existing services that should be modified: PAM LDAP and NSS LDAP configurations; NSCD user, group, host or service caching
SSSD deployment
Determine how POSIX attributes will be provided: by the directory service or by Linux ID mapping
Install software on your platform: typically Samba and Kerberos are required for initial setup²; not all distributions package SSSD similarly
Configure transport security: TLS/SSL for eDir over LDAP; TLS/SSL for AD over LDAP; SASL/GSSAPI for AD over LDAP/Kerberos
Configure SSSD identity providers and access control: identity and access control providers can be mixed
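An added example (written for this page, not code from the slides or from the SSSD project) that checks the two points above in one place: the [sssd] / [domain/NAME] layout described under "The SSSD configuration file" (a domain is an identity provider plus an authentication provider) and the transport security step of this deployment list. It lints a constructed sssd.conf so that every domain listed in domains= has its section and providers, and every ldap-provider domain uses TLS/SSL or SASL/GSSAPI. The option names are real sssd.conf keys; the hostnames, file paths and the sample file itself are constructed.

```python
import configparser
# Constructed sample sssd.conf (not from the slides): an eDirectory-style
# LDAP domain secured with TLS, a legacy LDAP domain on plaintext ldap://,
# and a domain named in domains= that has no [domain/NAME] section at all.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = EDIR, LEGACY, STALE

[domain/EDIR]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldaps://edir.example.test
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/edir-ca.pem

[domain/LEGACY]
id_provider = ldap
ldap_uri = ldap://old-ldap.example.test
ldap_id_use_start_tls = false
"""

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def transport_is_secure(domain):
    """True if an ldap-provider domain uses ldaps://, STARTTLS or SASL/GSSAPI."""
    uris = _csv(domain.get("ldap_uri", ""))
    if uris and all(u.lower().startswith("ldaps://") for u in uris):
        return True
    if domain.get("ldap_id_use_start_tls", "false").lower() == "true":
        return True
    return domain.get("ldap_sasl_mech", "").upper() == "GSSAPI"

def lint_sssd_conf(text):
    """Return a list of findings; an empty list means the file passes."""
    cp = configparser.ConfigParser(interpolation=None)  # sssd.conf is INI-style
    cp.read_string(text)
    findings = []
    for name in _csv(cp["sssd"].get("domains", "")):
        sect = "domain/" + name
        if sect not in cp:
            findings.append(f"{name}: listed in domains= but [{sect}] is missing")
            continue
        dom = cp[sect]
        if "id_provider" not in dom:
            findings.append(f"{name}: id_provider not set")
        if "auth_provider" not in dom:
            findings.append(f"{name}: auth_provider not set, SSSD falls back to id_provider")
        # ad/ipa providers default to SASL/GSSAPI, so only plain ldap domains are checked
        if dom.get("id_provider") == "ldap" and not transport_is_secure(dom):
            findings.append(f"{name}: LDAP transport is neither TLS/SSL nor SASL/GSSAPI")
    return findings
```

Running lint_sssd_conf(SAMPLE_SSSD_CONF) yields three findings: LEGACY has no auth_provider, LEGACY talks plaintext LDAP, and STALE has no [domain/STALE] section.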
Futures
SUSE and Red Hat are aligning with AD integration needs
Would like to see the AD id provider included in SLES 11.3
SSSD 1.11:
    Red Hat: the realmd utility will auto-configure the AD id provider
    SUSE: the YaST Authentication client will auto-configure the AD id provider
    Expanded AD access control provider
    NetBIOS/DNS domain name auto-discovery
Developing with 1.11:
    AD access control provider will include group policy support
    SSSD CIFS integration
Managing an Enterprise Series
Thank You !
Lawrence Kearney
e. [email protected] | www.lawrencekearney.com