TRANSCRIPT
Configuring Novell Account Management with Identity Manager for Linux and UNIX
Doug Anderson, Product, [email protected]
Boyd Wilson, Product Architect, [email protected]
Jeff Bate, Engineering
Randy Martin, Engineering
© March 10, 2004 Novell Inc, Confidential & Proprietary
The one Net vision
one Net: Information without boundaries…where the right people are connected with the right information at the right time to make the right decisions.
[Figure: the four Novell product families: Novell exteNd™, Novell Nsure™, Novell Nterprise™, Novell Ngage(SM)]
The one Net vision
Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.
[Figure: the same four product families, with Novell Nsure™ highlighted]
Agenda
• Novell Account Management and Identity Manager Framework Overview and Roadmap
• Account Management UNIX Connectivity
• Account Management UNIX Configuration Demo
• NIS Driver for UNIX Connectivity
• NIS Driver Configuration Demo
• Futures
• Q&A
What’s Up With NAM and IDM?
Let’s clear this up now:
• These are complementary products, not competing products
• Identity Manager is the family, and NAM is part of it
• NAM is going to go from cousin to brother
How are Novell Account Management and Identity Manager Related?
• NAM has functionality not available in IDM2 (Fan-Out Drivers, Windows Standalone Mode, Authentication Redirection, Native Script Handling, password sync using standard eDir password)
• NAM also has limitations not found in IDM2 (Subscriber-Only, Different Architecture, Different Management Console)
What’s the Mission?
To make it easy for any Novell Account Management customer (and there are thousands), be it version 2.1 or 3.0, on any platform, to move forward, without losing any critical functionality, and, in fact, gaining significant functionality.
But, for today . . .
But for right now, let’s talk about how NAM works today, and how it will work in the future
Novell Account Management UNIX Connectivity
Account Management UNIX Connectivity
• Supports flavors of UNIX including Linux, Solaris, HP-UX and AIX.
• Supports proprietary, /etc/passwd, NIS, and NIS+ configurations.
• Supports extendable control through shell scripting.
• Supports automatic global or pocket UID/GID management.
• Supports Samba.
Account Provisioning to a Target
By permitting a collaborative unit such as a container or a group to a target system, you automate the management of all users that may be associated with the collaborative unit in the future.
[Figure: a container or group in eDirectory provisioned to a Solaris app server, an AIX mail server and a set of Linux web servers]
NAM 3.0 Principal Components
[Figure: eDirectory with Novell DirXML; Core Services made up of Agents, an Event Listener and Manager Services (Object Services, Audit Services, Certificate Services, Web Services, Journal Services); Platform Services on the target systems: AS/400, UNIX, Windows, 390 and others]
NAM 3.0 Principal Components (detail)
[Figure: the same Core Services, with Platform Services expanded into the Authentication Services API, System Intercept, Platform Services Process (User Authentication, User and Group Management), Platform Receiver and Receiver Scripts; every link between Platform Services and Core Services runs over SSL]
Receiver Scripts
Default scripts are delivered for each security system for each platform.
They may be modified or replaced by the customer.
Target system administrators already know how to write scripts, since the local scripting environment is used on each platform (REXX, shell script, Windows Script, etc.).
In many cases administrators already have scripts to perform operations on their local system, and these can be plugged directly in.
Adding Users To The Directory
[Figure: the component diagram again (eDirectory, Novell DirXML, Core Driver(s) with Manager Services, Object Services, Audit Services, Certificate Services, Web Services (iManager Integration), Journal Services and the Auth Redirection agent; Platform Services with Authentication Services API, System Intercept, Platform Services Process, Platform Receiver and Receiver Scripts, linked over SSL), annotated with the numbered steps below]
1. A new user is created in eDirectory.
2. The Core Driver sees the change.
3. Object Services creates an E-user object in the Census, associates it to the proper Platform and passes this information on to Event Journal Services.
4A. The Platform Receiver requests an Access Management Event from Event Journal Services pertaining to the Platform Set that this particular platform is associated with.
4B. Event Journal Services reads the information for the object specified in the Access Management Event out of eDirectory and passes it on to the Platform Receiver.
5. The Platform Receiver processes the Access Management Event through a suitable script (Add User) and passes it on to the local user security system.
6. Event Journal Services notifies Audit Services, which records the actions taken in the Audit Log.
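The Receiver Scripts slide and step 5 above both describe the point where directory data becomes a privileged command on the target. The following is an added example of mine, not a script shipped with NAM and not the product's real receiver interface: it assumes the Platform Receiver hands an Add User hook one event as a dict with the keys login, uid, gid, gecos, home and shell (assumed field names), and that the site's UID policy reserves 0-999 for system accounts (assumed policy). What it shows is that every attribute value arriving from eDirectory is untrusted input to useradd, so it is validated against what passwd(5) can safely hold and passed as an argv list, never through a shell.

```python
import re
import subprocess

# Assumed event shape (not NAM's real format): one Access Management Event
# for an Add User operation, as the Platform Receiver might hand it over.
EXAMPLE_EVENT = {  # constructed sample, not captured data
    "action": "add",
    "login": "bsmith",
    "uid": 1001,
    "gid": 1001,
    "gecos": "Bob Smith, Sales",
    "home": "/home/bsmith",
    "shell": "/bin/sh",
}

# POSIX portable login name: starts with a letter or '_', then letters,
# digits, '_', '.', '-'; at most 32 characters; a leading '-' is impossible,
# so the name can never be parsed as a useradd option.
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")
# Absolute path with no whitespace, no ':' (the passwd field separator)
# and no control characters.
PATH_RE = re.compile(r"^/[^\s:\x00-\x1f]*$")
UID_MIN, UID_MAX = 1000, 60000  # assumed site policy: never touch 0-999


def validate(event):
    """Return the normalized fields, or raise ValueError.
    Every value came from the directory; treat it as hostile input."""
    login = str(event.get("login", ""))
    if not LOGIN_RE.match(login):
        raise ValueError(f"bad login name {login!r}")
    ids = {}
    for key in ("uid", "gid"):
        try:
            value = int(event[key])
        except (KeyError, TypeError, ValueError):
            raise ValueError(f"missing or non-numeric {key}") from None
        if not UID_MIN <= value <= UID_MAX:
            raise ValueError(f"{key} {value} outside the allowed range")
        ids[key] = value
    home, shell = str(event.get("home", "")), str(event.get("shell", ""))
    for label, path in (("home", home), ("shell", shell)):
        if not PATH_RE.match(path):
            raise ValueError(f"bad {label} path {path!r}")
    gecos = str(event.get("gecos", ""))
    if ":" in gecos or any(ord(c) < 32 for c in gecos):
        raise ValueError("gecos contains ':' or control characters")
    return {"login": login, "gecos": gecos, "home": home, "shell": shell, **ids}


def useradd_argv(event):
    """Build the useradd command as an argv list. No shell is involved, so a
    login of 'bob; rm -rf /' could never become a second command even if
    validate() had not already rejected it."""
    f = validate(event)
    return ["useradd", "-m", "-u", str(f["uid"]), "-g", str(f["gid"]),
            "-c", f["gecos"], "-d", f["home"], "-s", f["shell"], f["login"]]


def handle_add(event, dry_run=True):
    """Entry point the receiver would call for an Add User event.
    dry_run=True only returns the argv; False executes it (needs root)."""
    argv = useradd_argv(event)
    if not dry_run:
        subprocess.run(argv, check=True, shell=False)
    return argv


if __name__ == "__main__":
    print(" ".join(handle_add(EXAMPLE_EVENT)))
```

The rejections are what matter: a login with shell metacharacters, a UID of 0, a home directory containing a space, or a GECOS field containing ':' would each either execute something unintended or corrupt the passwd record, and a script that hands the raw attribute to useradd through a shell would accept all of them.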
AM Password Management: 3 Methods to Choose From
The architecture supports 3 authentication methods for a given platform:
1. Re-Direction
2. Re-Direction with Local Sync
3. Replication (Event-Driven Sync)
Authentication Replication (Event-Driven Password Sync)
[Figure, two slides: AM 3.0 Agent(s) on a UNIX, Windows or mainframe platform, with an Intercept sitting between the Application and the local Security System; a Password Change (ID/PW) flows to eDirectory through the DirXML AM Driver]
Authentication Replication (Event-Driven Password Sync)
[Figure: eDirectory and the DirXML AM Driver feed the AM 3.0 Account Provider (Manager), which serves three UNIX targets: Target 1 and Target 3 each run a Platform Receiver with Method=Replicate in front of the local security system, Target 2 runs a Platform Receiver with Method=Redirect]
Samba Sync
[Figure: the same layout, where Target 3's Platform Receiver (Method=Replicate) updates both /etc/passwd and the SMB password store]
Account Management UNIX Configuration Demo
NIS Driver for UNIX Connectivity
NIS Driver Facts
• Version 1 released in 2003.
• New deliverable now available with the Identity Manager 2.0 release.
• Synchronizes user and group information between eDirectory™ and traditional UNIX data stores such as Files, NIS (YP), and NIS+.
• Supports IDM 2.0 Remote Loader.
NIS Driver Features
• Bi-directional password synchronization
• Driver Heartbeat
• Account Entitlements
• Support for HP-UX
• Support for MD5 passwords
NIS Driver Architecture
[Figure: Novell eDirectory and the IDM 2.0 Engine exchange events with the IDM NIS Driver over its Subscriber and Publisher channels; inside the driver sit a Format Converter, a Commands Engine and the Driver's Schema; the driver writes to Files with useradd/usermod/userdel etc., to NIS Maps with ypadd/ypmod etc., and to NIS+ Tables with nistbladm/nispasswd etc., and reads changes back from each store]
NIS Subscriber Channel
[Figure: Subscriber channel flow starting from eDir; labels: Subscriber Filter, Event Transforms, Association Processor, Add Event? (Yes/No), Event Restrictions, Create Rule Transform, Account Restrictions, Match Rule, Create Rule, Command Transform, Schema Mapper]
NIS Publisher Channel
[Figure: Publisher channel flow; labels: Publisher Filter, Event Transform, Association Processor, Add Event? (Yes/No), Create Rule Transform, Account Restrictions, Match Rule, Create Rule, Placement Rule, Command Transform, Schema Mapper]
NIS Driver Password Management
• Leverages IDM 2.0 password management framework.
• A PAM module on the UNIX system captures password changes and sends them to the driver.
• You must enable Universal Password in eDirectory to sync UNIX and eDirectory passwords with the driver.
• Password synchronization must be set up for the driver by using iManager.
NIS Driver Password Management
Example eDirectory user object:
CN: Bob
Surname: Smith
Department: Sales
Telephone: 888-555-1212
AuthPassword: MD5: ######## CRYPT: **********

AuthPassword eDir attribute:
• Optionally used to sync passwords between UNIX systems when Universal Password is not enabled.
• Holds MD5 and CRYPT representations of the UNIX password.
• Use governed by the AuthPassword option.
• Updated by a password change on each UNIX system.
• NOT updated during a user add operation.
• Recommended to be disabled if UP is enabled.
NIS Driver Password Management, continued
Subscriber
• An Add User event in eDir sets the default password in UNIX and sets the default distribution password for that user.
• The default distribution password is determined by two Identity Manager script rules.
• Any change in the Universal Password in eDir will cause the UNIX password to be set for that user.
NIS Driver Password Management, continued
Publisher
• When a user is created in UNIX, no password is captured until the password is set/changed the first time.
• The default distribution password can be used (determined by Identity Manager scripts) to set the password when it cannot be determined.
• Any modify password event in UNIX will cause the distribution password to be set to the new password.
• If the AuthPassword option is enabled, the AuthPassword attribute will be updated to hold MD5 and CRYPT representations of the password.
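The AuthPassword slide and the Publisher slide above both turn on what the "MD5 representation" of a UNIX password actually is. The following is an added example of mine, not NIS driver code: it computes the MD5-crypt form that a UNIX system stores in /etc/shadow (the $1$salt$hash scheme from FreeBSD that glibc also implements) and verifies a candidate password against it; the traditional DES "CRYPT" form is left out. It makes two points concrete. First, a hash can be copied between UNIX hosts that share the same crypt scheme, which is all the AuthPassword attribute needs to do, but it cannot be converted into any other representation, which is why a target such as Samba, or an eDirectory password, needs the cleartext that Universal Password provides. Second, whatever holds AuthPassword holds offline-crackable material (MD5-crypt is a fast hash with a fixed 1000 rounds), which is the reason the slide recommends disabling it once UP is enabled.

```python
import hashlib
import hmac
import secrets

# crypt(3) alphabet, used both for salts and for encoding the digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value, count):
    """Encode the low 6*count bits of value, least significant group first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5crypt(password, salt):
    """MD5-crypt as in FreeBSD/glibc: returns '$1$<salt>$<22 chars>'.
    Like crypt(3), only the first 8 salt characters before any '$' count."""
    pw = password.encode()
    salt = salt.split("$")[0][:8]
    s = salt.encode()
    ctx = hashlib.md5(pw + MAGIC + s)
    alt = hashlib.md5(pw + s + pw).digest()
    remaining = len(pw)
    while remaining > 0:                      # mix in alt, len(pw) bytes in total
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    bits = len(pw)
    while bits:                               # one byte per bit of len(pw)
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                     # the fixed 1000-round stretch
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(s)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    # The digest bytes are emitted in this interleaved order, 3 bytes per
    # 4 output characters, with byte 11 alone at the end.
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in order)
    encoded += _to64(final[11], 2)
    return "$1$" + salt + "$" + encoded


def parse(stored):
    """Split '$1$salt$hash' into (salt, hash); reject anything else."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] or parts[1] != "1" or not parts[3]:
        raise ValueError("not an MD5-crypt string")
    return parts[2], parts[3]


def verify(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt, _ = parse(stored)
    return hmac.compare_digest(md5crypt(candidate, salt), stored)


def new_hash(password):
    """What a UNIX host would write on a password change: fresh 8-char salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return md5crypt(password, salt)


if __name__ == "__main__":
    h = new_hash("s3cret")
    print(h, verify(h, "s3cret"), verify(h, "wrong"))
```

Note that verify() is all a receiving UNIX host can do with a synchronized hash: accept or reject a login. Nothing in the attribute lets the driver set the same password on a system that expects a different scheme, so hash replication only ever covers like-for-like targets.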
NIS Driver Configuration Demo
Futures
Facts
• The same engineering team now develops and supports the Account Management and NIS Driver deliveries in the UNIX solution space.
• There are fits for each solution today.
• NIS driver is good if UNIX is authoritative for account creations.
• NAM is good if you have lots of systems to connect or if you have not enabled Universal Password.
• Account Management and Identity Management are converging using a multiple phase approach.
IDM/NAM Convergence
• This does NOT mean simply that Account Management is going away and being converted to drivers.
• Convergence requires new functionality in the current IDM Engine and management infrastructure as well as a change in current NAM management methodologies.
• This will open up new possibilities for managing how drivers work.
• This will allow for a common management and customization infrastructure.
• Migrations from current DirXML/Identity Manager drivers and NAM implementations will be made seamless.
• No need to wait to deploy!
NAM Futures and Convergence
• The following slides constitute one phase in the convergence process.
• All current functionality is taken forward.
Component Location (Core Driver)
• The Core Driver now includes all the functionality of the former Event Listener, Manager and Agents.
• A Core Driver must be installed on the server(s) where replicas of the provisioned users and the ASAM System container reside.
• The Core Driver uses a mix of DirXML and LDAP calls to accomplish its mission.
• You can install more than one Core Driver for redundancy. When you upgrade, upgrade the Manager first, then the Agents, all to Core Drivers.
Principal Components
[Figure: eDirectory with Novell DirXML; Core Driver(s) providing Fan Out, Auditing, UID/GID Management, Authentication Redirection, Bi-directional Password Replication, UP Support and IDM2 Integration, and requiring fewer objects in eDirectory; Platform Services on AS/400, UNIX, Windows, 390 and other targets]
Principal Components (detail)
[Figure: Core Driver(s) with Manager Services, Object Services, Audit Services, Certificate Services, Web Services (iManager Integration), Journal Services and Auth Redirection (agent); Platform Services with Authentication Services API, System Intercept, Platform Services Process (User Authentication, User and Group Management), Platform Receiver and Receiver Scripts; Platform Services connect to the Core Driver over SSL]
Core Driver Communications Installed on the Same System
[Figure: the Core Driver (Manager Services, Object Services, Audit Services, Certificate Services, Web Services, Journal Services, Agent Services) on the same system as eDirectory and Novell DirXML, talking to them through DirXML and LDAP/SSL]
Multiple Core Drivers
Multiple Core Drivers can watch for events in different or the same replica rings.
[Figure: two eDirectory/Novell DirXML servers, each with its own Core Driver (Manager Services, Object Services, Audit Services, Certificate Services, Web Services, Journal Services, Agent Services) attached through DirXML and LDAP/SSL]
Component Location (Platform Services)
• Platform Services run on the target system.
• Delivery and Installation based on the Native Platform.
Platform Services – UNIX
[Figure: the Core Driver(s), eDirectory and Novell DirXML reach the UNIX platform over LDAP; on the platform, the Platform Services Process, API Interface and Intercepts and Interfaces sit between the Security System and the applications APP 1 through APP N]
Question and Answer
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.