Configuring Novell Account Management with Identity Manager for Linux and UNIX Doug Anderson Product Manager [email protected] Boyd Wilson Product Architect, [email protected] Jeff Bate Engineering Randy Martin Engineering


Page 1: Configuring Novell Account Management with Identity Manager for Linux and UNIX Doug Anderson Product Manager danderson@novell.com Boyd Wilson Product Architect,

Configuring Novell Account Management with Identity Manager for Linux and UNIX

Doug Anderson, Product Manager, danderson@novell.com

Boyd Wilson, Product Architect, [email protected]

Jeff Bate, Engineering

Randy Martin, Engineering

Page 2:

© March 10, 2004 Novell Inc, Confidential & Proprietary

The one Net vision

one Net: Information without boundaries…where the right people are connected with the right information at the right time to make the right decisions.

Novell exteNd™, Novell Nsure™, Novell Nterprise™, Novell Ngage(SM)

Page 3:

The one Net vision: Novell Nsure™

Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.

Page 4:


Agenda

• Novell Account Management and Identity Manager Framework Overview and Roadmap

• Account Management UNIX Connectivity

• Account Management UNIX Configuration Demo

• NIS Driver for UNIX Connectivity

• NIS Driver Configuration Demo

• Futures

• Q&A

Page 5:

What’s Up With NAM and IDM?

Let’s clear this up now:

• These are complementary products, not competing products

• Identity Manager is the family, and NAM is part of it

• NAM is going to go from cousin to brother

Page 6:


How are Novell Account Management and Identity Manager Related?

• NAM has functionality not available in IDM2 (Fan-Out Drivers, Windows Standalone Mode, Authentication Redirection, Native Script Handling, password sync using standard eDir password)

• NAM also has limitations not found in IDM2 (Subscriber-Only, Different Architecture, Different Management Console)

Page 7:


What’s the Mission?

To make it easy for any Novell Account Management customer (and there are thousands), be it version 2.1 or 3.0, on any platform, to move forward, without losing any critical functionality, and, in fact, gaining significant functionality.

Page 8:


But, for today . . .

But for right now, let’s talk about how NAM works today, and how it will work in the future

Page 9:

Novell Account Management: UNIX Connectivity

Page 10:


Account Management UNIX Connectivity

• Supports flavors of UNIX including Linux, Solaris, HP-UX and AIX.

• Supports proprietary, /etc/passwd, NIS, and NIS+ configurations.

• Supports extendable control through shell scripting.

• Supports automatic global or pocket UID/GID management.

• Supports Samba.

Page 11:


Account Provisioning to a Target

By permitting a collaborative unit such as a container or a group to a target system, you automate the management of all users that may be associated with the collaborative unit in the future.

[Diagram: example provisioning targets: a Solaris App Server, an AIX Mail Server and a set of Linux Web Servers, grouped as AIX, Solaris and Linux servers.]

Page 12:

NAM 3.0 Principal Components

[Diagram: Core Services (Event Listener, Manager Services, Object Services, Audit Services, Certificate Services, Web Services, Journal Services) and Agents run against Novell eDirectory / DirXML; Platform Services run on the target platforms (UNIX, Windows, AS/400, 390, Other).]

Page 13:

NAM 3.0 Principal Components

[Diagram: on each target platform (UNIX, Windows, AS/400, 390, Other), Platform Services consist of the Authentication Services API, the System Intercept, the Platform Services Process (User Authentication; User and Group Management), and the Platform Receiver with its Receiver Scripts. They communicate over SSL with the Core Services (Event Listener, Manager Services, Object Services, Audit Services, Certificate Services, Web Services, Journal Services) and Agents, which run against Novell eDirectory / DirXML.]

Page 14:


Receiver Scripts

Default scripts are delivered for each security system for each platform.

May be modified or replaced by the customer.

Target system administrators already know how to write scripts, since the local scripting environment is used on each platform (REXX, shell script, Windows Script, etc.).

In many cases administrators already have scripts to perform operations on their local system, and these can be plugged directly in.

Page 15:

Adding Users To The Directory

[Diagram: the numbered flow below, drawn over the Page 13 component diagram, with the Core Driver(s) (Manager Services, Object Services, Audit Services, Certificate Services, Web Services with iManager Integration, Journal Services) and Auth Redirection (agent) on the eDirectory / DirXML side, Platform Services on the target, and SSL between them.]

1. A new user is created in eDirectory

2. The Core Driver sees the change

3. Object Services creates an E-user object in the Census, associates it to the proper Platform and passes this information on to Event Journal Services

4A. The Platform Receiver requests an Access Management Event from Event Journal Services pertaining to the Platform Set that this particular platform is associated with

4B. Event Journal Services reads the information for the object specified in the Access Management Event out of eDirectory and passes it on to the Platform Receiver

5. The Platform Receiver processes the Access Management Event through a suitable script (Add User) and passes it on to the local user security system

6. Event Journal Services notifies Audit Services, which records the actions taken in the Audit Log
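Steps 4A to 5 hand an Access Management Event to a receiver script that runs with enough privilege to change the local security system, and Page 10 notes that UID/GID management may be global or pocket. The Python below is an added example, not Novell's receiver or one of its delivered scripts: it shows the checks a customer-written Add User receiver can apply before calling useradd. The event field names (login, uid, gid, gecos, home, shell), the uid_range policy, the DEFAULT_GID value and the sample /etc/passwd text are all constructed for this illustration.

```python
"""Added example, not Novell's receiver or one of its delivered scripts: the
checks a customer-written 'Add User' receiver script can apply to an Access
Management Event before it reaches the local security system.  The event field
names (login, uid, gid, gecos, home, shell), the uid_range policy, DEFAULT_GID
and the sample /etc/passwd text are constructed for this illustration."""
import re
from dataclasses import dataclass

# Portable login name: starts with a letter or '_', then letters, digits,
# '_' or '-', at most 32 characters.  Anything else never reaches useradd.
LOGIN_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

# Constructed default primary group ('users' is 100 on many Linux systems).
DEFAULT_GID = 100

# Constructed sample of the target's /etc/passwd.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bsmith:x:10000:10000:Bob Smith:/home/bsmith:/bin/bash
"""


class EventRejected(Exception):
    """The event must not be applied; the reason belongs in the audit log."""


@dataclass(frozen=True)
class PasswdEntry:
    login: str
    uid: int
    gid: int


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse /etc/passwd lines (login:x:uid:gid:gecos:home:shell)."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(PasswdEntry(fields[0], int(fields[2]), int(fields[3])))
    return entries


def allocate_uid(event_uid, existing, uid_range):
    """Global mode (the event carries a directory-assigned UID): it must lie in
    the range this platform accepts and must be free locally.  Pocket mode (no
    UID in the event): hand out the lowest free UID from the platform's range."""
    lo, hi = uid_range
    used = {e.uid for e in existing}
    if event_uid is not None:
        uid = int(event_uid)
        if uid < lo or uid > hi:
            raise EventRejected(f"uid {uid} outside accepted range {lo}-{hi}")
        if uid in used:
            raise EventRejected(f"uid {uid} already in use")
        return uid
    for candidate in range(lo, hi + 1):
        if candidate not in used:
            return candidate
    raise EventRejected("pocket UID range exhausted")


def build_useradd(event, passwd_text, uid_range=(10000, 19999)):
    """Validate the event and return the useradd argv the script would run.
    It is an argv list, never a shell string, so directory-sourced values are
    passed as arguments and are never parsed by a shell."""
    login = event.get("login", "")
    if not LOGIN_RE.fullmatch(login):
        raise EventRejected(f"invalid login name {login!r}")
    existing = parse_passwd(passwd_text)
    if any(e.login == login for e in existing):
        raise EventRejected(f"login {login!r} already exists")
    uid = allocate_uid(event.get("uid"), existing, uid_range)
    gid = int(event.get("gid", DEFAULT_GID))
    if gid <= 0:
        raise EventRejected("refusing gid 0 or a negative gid")
    gecos = str(event.get("gecos", ""))
    home = str(event.get("home", f"/home/{login}"))
    shell = str(event.get("shell", "/bin/sh"))
    for name, value in (("gecos", gecos), ("home", home), ("shell", shell)):
        if ":" in value or "\n" in value:   # would corrupt a passwd record
            raise EventRejected(f"field {name} contains a passwd separator")
    return ["useradd", "-u", str(uid), "-g", str(gid), "-c", gecos,
            "-d", home, "-s", shell, login]


def accepted(event, passwd_text=SAMPLE_PASSWD, uid_range=(10000, 19999)) -> bool:
    """True if the event would be handed to useradd, False if it is rejected."""
    try:
        build_useradd(event, passwd_text, uid_range)
        return True
    except EventRejected:
        return False
```

The argv is intended for subprocess.run without a shell; a rejected event should be reported back so that Audit Services (step 6) records it rather than having it silently dropped on the platform.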

Page 16:

AM Password Management: 3 Methods to Choose From

The architecture supports 3 authentication methods for a given platform:

1. Re-Direction

2. Re-Direction with Local Sync

3. Replication (Event-Driven Sync)

Page 17:

Authentication Replication (Event-Driven Password Sync)

[Diagram: on a UNIX/Win/MF target, an Application presents ID/PW to the local Security System; the AM 3.0 Agent's Intercept captures the Password Change and the DirXML AM Driver carries it into eDirectory.]

Page 18:

Authentication Replication (Event-Driven Password Sync)

[Diagram: the Page 17 flow, continued: AM 3.0 Agent(s) on the UNIX/Win/MF target, Intercept, Security System, Application, Password Change, ID/PW, eDirectory and the DirXML AM Driver.]

Page 19:

Authentication Replication (Event-Driven Password Sync)

[Diagram: eDirectory with the DirXML AM Driver and the AM 3.0 Account Provider (Manager) feeding three UNIX targets, each with its own security system (SS) and Platform Receiver: Target 1 (Method=Replicate), Target 2 (Method=Redirect), Target 3 (Method=Replicate).]

Page 20:

Samba Sync

[Diagram: the same layout as Page 19 (DirXML AM Driver, AM 3.0 Account Provider (Manager), Platform Receivers with Method=Replicate, Redirect and Replicate for Targets 1 to 3); on Target 3 the replicated password is written to both /etc/passwd and the SMB password store.]

Page 21:

Account Management UNIX Configuration Demo

Page 22:

NIS Driver for UNIX Connectivity

Page 23:

NIS Driver Facts

• Version 1 released in 2003.

• New deliverable now available with Identity Manager 2.0 release.

• Synchronizes user and group information between eDirectory™ and traditional UNIX data stores such as Files, NIS (YP), and NIS+.

• Supports IDM 2.0 Remote Loader.

Page 24:

NIS Driver Features

• Bi-directional password synchronization

• Driver Heartbeat

• Account Entitlements

• Support for HP-UX

• Support for MD5 passwords.

Page 25:

NIS Driver Architecture

[Diagram: Novell eDirectory and the IDM 2.0 Engine exchange events with the IDM NIS Driver over the Subscriber and Publisher channels. Inside the driver, a Format Converter and a Commands Engine, using the driver's schema, apply changes to Files (useradd, usermod, userdel, etc.), NIS Maps (ypadd, ypmod, etc.) and NIS+ Tables (nistbladm, nispasswd, etc.), and read changes back from each store.]

Page 26:

NIS Subscriber Channel

[Flowchart: events from eDir pass through the Subscriber Filter, Event Transforms, Association Processor, Schema Mapper and Command Transform; at the "Add Event?" decision, Yes routes through Event Restrictions, Create Rule Transform, Account Restrictions, Match Rule and Create Rule, No bypasses them.]

Page 27:

NIS Publisher Channel

[Flowchart: events from UNIX pass through the Publisher Filter, Event Transform, Schema Mapper, Association Processor and Command Transform; at the "Add Event?" decision, Yes routes through Match Rule, Account Restrictions, Create Rule, Create Rule Transform and Placement Rule, No bypasses them.]

Page 28:


NIS Driver Password Management

• Leverages IDM 2.0 password management framework.

• A PAM module on the UNIX system captures password changes and sends them to the driver.

• You must enable Universal Password in eDirectory to sync UNIX and eDirectory passwords with the driver.

• Password synchronization must be set up for the driver by using iManager.

Page 29:

NIS Driver Password Management

[Diagram: an example eDirectory user object with attributes CN: Bob; Surname: Smith; Department: Sales; Telephone: 888-555-1212; AuthPassword: MD5: ########, CRYPT: **********.]

AuthPassword eDir Attribute

• Optionally used to sync passwords between UNIX systems when Universal Password is not enabled.

• Holds MD5 and CRYPT representations of UNIX password.

• Use governed by AuthPassword option.

• Updated by password change on each UNIX system.

• NOT updated during user add operation.

• Recommended to be disabled if UP is enabled.
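The MD5 representation that AuthPassword carries is, on Linux and the UNIX variants that support "MD5 passwords", the crypt(3) "$1$salt$hash" scheme. The block below is an added example, not the NIS driver's or Novell's code, and it assumes AuthPassword stores that crypt(3) string unchanged (the page shows the value only redacted). It implements the scheme plus a verifier, which is the check a UNIX system performs at login once such a hash has been synchronized to it, and it refuses to compare anything that does not parse as a "$1$" string.

```python
"""Added example, not Novell's or the NIS driver's code: the '$1$' MD5-crypt
scheme behind 'MD5 passwords', assumed here to be what the AuthPassword
attribute's MD5 representation holds."""
import hashlib
import hmac
import secrets

# crypt(3)'s 64-character alphabet, used for both salts and hash output.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, n: int) -> str:
    """crypt(3)'s to64(): n characters, least significant 6 bits first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """Return '$1$<salt>$<22 chars>', as crypt(3) does for an MD5 salt."""
    pw = password.encode()
    salt = salt.split("$")[0][:8]      # crypt() stops the salt at 8 chars or '$'
    sb = salt.encode()
    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for pl in range(len(pw), 0, -16):  # as many bytes of alt as the password has
        ctx.update(alt[:min(pl, 16)])
    i = len(pw)
    while i:                           # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):              # fixed 1000-round stretching loop
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    out = ""                           # the scheme's fixed byte permutation
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return f"$1${salt}${out}"


def new_md5_hash(password: str) -> str:
    """Hash with a fresh random 8-character salt, as a password change would."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return md5_crypt(password, salt)


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored '$1$' string."""
    if not stored.startswith("$1$"):
        return False
    parts = stored.split("$")          # ['', '1', salt, hash]
    if len(parts) != 4 or len(parts[3]) != 22:
        return False
    return hmac.compare_digest(md5_crypt(password, parts[2]), stored)
```

The salt is taken from the same alphabet crypt(3) uses and truncated at 8 characters, so it matches the first 8 characters after "$1$" in a stored value; verify uses a constant-time comparison and rejects malformed input before hashing.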

Page 30:

NIS Driver Password Management, Continued

Subscriber

• Add User event in eDir sets default password in UNIX and sets the default distribution password for that user.

• The default distribution password is determined by two Identity Manager script rules.

• Any change in the Universal password in eDir will cause the UNIX password to be set for that user.

Page 31:

NIS Driver Password Management, Continued

Publisher

• When user is created in UNIX, no password is captured until the password is set/changed the first time.

• The default distribution password can be used (determined by Identity Manager scripts) to set the password when it cannot be determined.

• Any modify password event in UNIX will cause the distribution password to be set to the new password.

• If AuthPassword option is enabled, the AuthPassword attribute will be updated to hold MD5 and CRYPT representations of the password.

Page 32:

NIS Driver Configuration Demo

Page 33:

Futures

Page 34:

Facts

• The same engineering team now develops and supports the Account Management and NIS Driver deliveries in the UNIX solution space.

• There are fits for each solution today.

• NIS driver is good if UNIX is authoritative for account creations.

• NAM is good if you have lots of systems to connect or if you have not enabled Universal Password.

• Account Management and Identity Management are converging using a multiple phase approach.

Page 35:


IDM/NAM Convergence

• This does NOT mean simply that Account Management is going away and being converted to drivers.

• Convergence requires new functionality in the current IDM Engine and management infrastructure as well as a change in current NAM management methodologies.

• This will open up new possibilities for managing how drivers work.

• This will allow for a common management and customization infrastructure.

• Migrations from current DirXML/Identity Manager drivers and NAM implementations will be made seamless.

• No need to wait to deploy!

Page 36:


NAM Futures and Convergence

• The following slides constitute one phase in the convergence process.

• All current functionality is taken forward.

Page 37:


Component Location (Core Driver)

• The Core Driver now includes all the functionality of the former Event Listener, Manager and Agents.

• A Core Driver must be installed on the server(s) where replicas of the provisioned users and ASAM System container reside.

• The Core Driver uses a mix of DirXML and LDAP calls to accomplish its mission.

• You can install more than one Core Driver for redundancy. When you upgrade, upgrade the Manager first, then convert all the Agents to Core Drivers.

Page 38:

Principal Components

[Diagram: after convergence, Core Driver(s) running against Novell eDirectory / DirXML provide Fan Out, Auditing, UID/GID Mgmt, Authentication Redirection, Bi-directional Password Replication, UP Support and IDM2 Integration, and require fewer objects in eDirectory; Platform Services run on the target platforms (UNIX, Windows, AS/400, 390, Other).]

Page 39:

Principal Components

[Diagram: on each target platform (UNIX, Windows, AS/400, 390, Other), Platform Services consist of the Authentication Services API, the System Intercept, the Platform Services Process (User Authentication; User and Group Management), and the Platform Receiver with its Receiver Scripts. They communicate over SSL with the Core Driver(s) (Manager Services, Object Services, Audit Services, Certificate Services, Web Services with iManager Integration, Journal Services) and the Auth Redirection (agent), which run against Novell eDirectory / DirXML.]

Page 40:

Core Driver Communications Installed on the Same System

[Diagram: a Core Driver (Manager Services, Object Services, Audit Services, Certificate Services, Web Services, Journal Services, Agent Services) installed on the same system as Novell eDirectory / DirXML, communicating with it via DirXML and LDAP/SSL.]

Page 41:

Multiple Core Drivers

Multiple Core Drivers can watch for events in different or the same replica rings.

[Diagram: two Core Drivers (each with Manager Services, Object Services, Audit Services, Certificate Services, Web Services, Journal Services, Agent Services), each attached via DirXML and LDAP/SSL to its own Novell eDirectory / DirXML server.]

Page 42:


Component Location (Platform Services)

• Platform Services run on the target system.

• Delivery and Installation based on the Native Platform.

Page 43:

Platform Services – UNIX

[Diagram: the Core Driver(s) on Novell eDirectory / DirXML reach the UNIX platform over LDAP; on the UNIX system, the Platform Services Process with its API Interface and its Intercepts and Interfaces sits between the local Security System and the applications APP 1, APP 2, APP 3 … APP N.]

Page 44:

Question and Answer

Page 45:

Page 46:

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.