Authentication

From VMIL Support Encyclopedia


ITG Authentication Project

"Authentication" refers to the process of upgrading the ITG user account database, and the method by which ITG users are added and deleted. Currently the ITG user database is in two places: NIS on Linux, and a Windows NT4 Primary Domain Controller (PDC) (firewalled for security reasons). Those two databases are not synchronized. The goals of the Authentication project are to:

- find a replacement Windows domain controller, so that we can remove NT4 domain controllers from ITG systems

- merge the above two databases into a single database, or synchronize them

- if possible, replace NIS with a more secure method of Linux authentication

After much consideration and time, it was decided there were two good options:

1) Windows 2003 Server Active Directory Domain, running Services for Unix NIS

2) Apple OS X Server running Samba and LDAP

We chose to go with Apple OS X Server. The primary reason is that we can replace NIS with LDAP, whereas if we use Windows 2003 we are stuck with NIS. Another reason for OS X is the other services it provides, such as postfix, spamassassin, squirrelmail, mailman, apache, samba, NFS, etc. These are the most reliable and up-to-date open source services in the market today, and ITG staff are familiar with them. All these services currently run on Linux servers, so by going with OS X we have the possibility of migrating those services to OS X in the future. An added benefit of OS X is the ease with which one can set up these services even with little or no familiarity with the service. The OS X Server Admin interface is very intuitive, yet all services can also be managed via the command line. We were also hesitant to put all of the user/auth data into Windows 2003 AD, which is based on proprietary technology. OS X is based on open source technology, so we thought that if the OS X route doesn't work for us long term, it is probably easier to migrate away from it than it would be to migrate away from Windows 2003 AD.

One issue is how well zeus will behave when it no longer holds the user/auth database. In both of the above scenarios zeus will not hold the user/auth information, and this is worrisome to us because zeus holds all the home directories and also runs sendmail for ITG staff. In Windows 2003 AD, we'd have to install Services for Unix (SFU), and SFU is required to be the NIS master, so zeus would lose NIS master control. With OS X Server running LDAP, zeus becomes an LDAP client. OS X, being based on open source, seemed a better bet to us, although we'll want to test what happens to a Linux server running sendmail when it loses connectivity to the LDAP server.

The current task list for this project is kept on a Ta-da list: alazarev.tadalist.com. Email Alex if you want access to this list: alazarev@itg.uiuc.edu
