High-available Authorization and Authentication Service
Directory Service
A directory is similar to a dictionary: it manages names and the information
associated with these names.
A directory service is a software system that stores, organizes and
provides access to information in a directory.
The core standard for directory services is X.500, first released in 1988 by
the CCITT (now ITU-T) and ISO.
Today many people speak of LDAP servers or LDAP clients. This refers to
directory servers and clients implementing the Lightweight Directory Access
Protocol (LDAP), the simplified protocol through which X.500-style
directories are accessed over TCP/IP.
Referrals are links within and among directory servers: an entry of object
class referral carries, in its ref attribute, the LDAP URL of the server
that actually holds the subtree.
(Figure: Directory Server 1 refers to Directory Server 2 for the ou=grpA subtree.)

dn: ou=grpA,dc=example,dc=com
objectClass: referral
objectClass: extensibleObject
ou: grpA
ref: ldap://ldap-grpa.example.com/ou=grpA,dc=example,dc=com

(The RDN value ou=grpA and the entry's ou attribute must agree; a server
rejects the entry otherwise.)
(Figure: the directory information tree, split over two servers.)

dc=com
  dc=example
    ou=emea
      ou=depA
        ou=networks, ou=protocols, ou=hosts, ou=services, ou=people, ou=groups
      ou=depB
        ou=networks, ou=protocols, ou=hosts, ou=services, ou=people, ou=groups

(The ou=depB subtree is drawn a second time on the other server, under its
own dc=com / dc=example / ou=emea path.)
Directory Service
● Optimized for massively parallel read access
● Can be extended by custom schemas to store more than accounts, policies
  and name service information
● Supported by all major operating systems, for example IBM AIX, Linux,
  BSD, IBM z/OS, Microsoft Windows
● Supported by a wide range of application software, for example IBM
  WebSphere, IBM DB2, Pluggable Authentication Modules (PAM)
● Problem: LDAP itself is a plaintext protocol, so transport encryption is
  needed (LDAPS, or StartTLS on the standard port); a simple bind carries
  the password in the clear and must only ever be sent over TLS
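The referral object and the split tree above, worked through as an added example (this is not code from the original slides): a small in-memory model of two directory servers in Python, a reader for the LDIF shown, the RDN check a server applies to such an entry, and a lookup that chases the referral only to allowlisted hosts, only for LDAP URL schemes, and with a hop limit. Host names, entries and the allowlist are constructed; nothing touches a network.

```python
"""Added example, not from the original slides: two in-memory directory
servers joined by a referral object, and a client lookup that chases the
referral with the checks a real client should apply.  Host names, entries
and the allowlist are constructed for the example; nothing touches a network."""
from urllib.parse import urlparse


def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}. Attribute names are
    lower-cased; base64 values and folded lines are not handled."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None                      # blank line ends an entry
            continue
        attr, _, value = line.partition(":")    # split on the first colon only
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def rdn_mismatches(entries):
    """DNs whose RDN value is missing from the entry's attributes. A server
    refuses to add such an entry (RFC 4512), e.g. 'ou: gruppeA' under ou=grpA."""
    bad = []
    for dn, attrs in entries.items():
        attr, _, value = dn.split(",", 1)[0].partition("=")
        if value.strip().lower() not in (v.lower() for v in attrs.get(attr.strip().lower(), [])):
            bad.append(dn)
    return bad


def is_referral(entry):
    return "referral" in (c.lower() for c in entry.get("objectclass", []))


# Constructed servers: ldap-main holds the base and a referral for ou=grpA,
# ldap-grpa holds the ou=grpA subtree itself.
SERVERS = {
    "ldap-main.example.com": parse_ldif("""\
dn: dc=example,dc=com
objectClass: domain
dc: example

dn: ou=grpA,dc=example,dc=com
objectClass: referral
objectClass: extensibleObject
ou: grpA
ref: ldap://ldap-grpa.example.com/ou=grpA,dc=example,dc=com
"""),
    "ldap-grpa.example.com": parse_ldif("""\
dn: ou=grpA,dc=example,dc=com
objectClass: organizationalUnit
ou: grpA

dn: uid=alice,ou=grpA,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
"""),
}

# Client policy (assumed): referrals are followed only to these hosts, only
# for ldap/ldaps URLs, and only a bounded number of times.
ALLOWED_REFERRAL_HOSTS = {"ldap-main.example.com", "ldap-grpa.example.com"}
MAX_HOPS = 5


def lookup(dn, server, servers=SERVERS, allowed=ALLOWED_REFERRAL_HOSTS, hops=0):
    """Return (server, entry) for dn, starting at server and chasing a
    referral object found on the DN's path.  Raises PermissionError for a
    referral outside the policy and RuntimeError for a referral loop."""
    entries = servers[server]
    if dn in entries and not is_referral(entries[dn]):
        return server, entries[dn]
    parts = dn.split(",")
    for i in range(len(parts)):                 # walk upwards: dn, its parent, ...
        superior = ",".join(parts[i:])
        if superior in entries and is_referral(entries[superior]):
            url = urlparse(entries[superior]["ref"][0])
            if url.scheme not in ("ldap", "ldaps"):
                raise PermissionError("refusing non-LDAP referral " + url.geturl())
            if url.hostname not in allowed:
                raise PermissionError("refusing referral to untrusted host %s" % url.hostname)
            if hops >= MAX_HOPS:
                raise RuntimeError("referral chain too long or looping")
            # Re-base: keep the RDNs below the referral, replace the rest with the URL's DN.
            target = ",".join(parts[:i] + [url.path.lstrip("/")])
            return lookup(target, url.hostname, servers, allowed, hops + 1)
    raise KeyError("%s not found on %s" % (dn, server))
```

A real client does the same walk (OpenLDAP's ldapsearch chases referrals with -C). The allowlist and scheme check matter because a referral is unauthenticated data received from a server: a client that chases it blindly and re-binds may send its simple-bind password to whatever host the ref names, over plaintext ldap://, which is exactly the plaintext problem noted above.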
Kerberos is a distributed authentication service, not an account
management system like a directory service.
Users, hosts and services are authenticated by tickets instead of by
sending passwords to each service: every principal shares a long-term key
only with the Kerberos server (the KDC), which acts as the trusted third
party among them.
Kerberos was developed at MIT as part of Project Athena in the 1980s;
Steve Miller and Clifford Neuman were the principal designers of version 4.
RFC 1510 (1993, now obsolete) and RFC 4120 (2005) are the standard
documents for version 5.
The current version is Kerberos 5.
Kerberos Service

(Figure: the ticket exchange between User, AS, TGS and Service.)
(1) Authentication with password: the user asks the AS (Authentication
    Server) for a Ticket Granting Ticket (TGT). The password itself is not
    sent; the reply can only be decrypted with the key derived from it.
(2) The user presents the TGT to the TGS (Ticket Granting Server) and
    receives a Service Ticket for the requested service.
(3) Access to the service with the Service Ticket.
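The three exchanges in the figure, run end to end as an added example (this is not code from the slides or from any Kerberos implementation): a KDC class plays AS and TGS, a service function plays the application server, and a client function plays the user. Encryption is a toy HMAC-SHA256 construction standing in for the Kerberos encryption types, the string2key derivation is simplified, and all principal names, passwords and timestamps are constructed.

```python
"""Added example, not from the original slides: the three Kerberos exchanges
(AS, TGS, AP) in one process with symmetric keys.  The cipher is a toy
(HMAC-SHA256 keystream + HMAC tag) standing in for Kerberos encryption
types; principal names, passwords and times are constructed."""
import hashlib, hmac, json, os

REALM = "EXAMPLE.COM"
NOW = 1_700_000_000                     # constructed 'current time' (seconds)
SKEW, TGT_LIFE, ST_LIFE = 300, 8 * 3600, 3600


def string2key(name, password):
    """Password -> long-term key, salted with realm+name like Kerberos string2key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + name).encode(), 10_000)


def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON object: nonce || ciphertext || tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one."""
    def __init__(self, keys):
        self.keys = dict(keys, krbtgt=os.urandom(32))   # krbtgt key protects TGTs

    def as_exchange(self, client, now):
        """(1) AS-REP: session key + TGT, sealed under the client's password key.
        Only a client knowing the password can open it; no password is sent."""
        sk = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk.hex(), "exp": now + TGT_LIFE})
        return seal(self.keys[client], {"key": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """(2) TGS-REP: verify TGT and authenticator, then issue a service
        ticket sealed under the service's own long-term key."""
        t = unseal(self.keys["krbtgt"], tgt)
        sk = bytes.fromhex(t["key"])
        a = unseal(sk, authenticator)
        if a["client"] != t["client"] or t["exp"] < now or abs(now - a["time"]) > SKEW:
            raise PermissionError("TGT or authenticator rejected")
        ssk = os.urandom(32)
        st = seal(self.keys[service],
                  {"client": t["client"], "key": ssk.hex(), "exp": min(t["exp"], now + ST_LIFE)})
        return seal(sk, {"service": service, "key": ssk.hex(), "ticket": st.hex()})


def client_login(kdc, name, password, service, now):
    """Client side of (1) and (2); returns what it presents in (3)."""
    rep = unseal(string2key(name, password), kdc.as_exchange(name, now))  # wrong password -> ValueError
    sk, tgt = bytes.fromhex(rep["key"]), bytes.fromhex(rep["tgt"])
    rep2 = unseal(sk, kdc.tgs_exchange(tgt, seal(sk, {"client": name, "time": now}), service, now))
    ssk, st = bytes.fromhex(rep2["key"]), bytes.fromhex(rep2["ticket"])
    return st, seal(ssk, {"client": name, "time": now}), ssk


def service_accept(service_key, ticket, authenticator, now, seen):
    """(3) AP-REQ: the service opens the ticket with its own key (it never
    contacts the KDC), checks the authenticator, rejects replays, and returns
    the authenticated client plus the mutual-authentication reply."""
    t = unseal(service_key, ticket)
    ssk = bytes.fromhex(t["key"])
    a = unseal(ssk, authenticator)
    if a["client"] != t["client"] or t["exp"] < now or abs(now - a["time"]) > SKEW:
        raise PermissionError("ticket or authenticator rejected")
    if (a["client"], a["time"]) in seen:           # replay cache
        raise PermissionError("replayed authenticator")
    seen.add((a["client"], a["time"]))
    return t["client"], seal(ssk, {"time": a["time"]})


def build_kdc():
    """Constructed realm: one user and one host-based service principal."""
    return KDC({"alice": string2key("alice", "correct horse battery"),
                "nfs/fs1.example.com": os.urandom(32)})
```

What the figure does not show and the code does: the password never leaves the client (a wrong password fails only at the MAC check on the AS reply), the service validates a ticket with its own key and without talking to the KDC, the authenticator timestamp plus a replay cache stops reuse of a captured AP request, and the reply sealed under the session key gives the client mutual authentication.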
Kerberos Service

(Figure: principals user@service and admin@service with their tickets,
labelled TGT, ST and AST, for ServiceA and ServiceB.)
Kerberos Service
● Common, stable and reliable protocol
● Authentication traffic is encrypted by design, and the session key it
  establishes can protect the application data as well (for example
  through GSSAPI integrity and confidentiality)
● All major operating systems provide support, for example IBM AIX,
  Linux, BSD, Windows
● Many applications support Kerberos by default, for example OpenSSH,
  telnet, rlogin, rsh (Kerberized variants), IBM WebSphere, IBM DB2,
  Mozilla Firefox, Microsoft Internet Explorer (SPNEGO/Negotiate)
● Problem: many custom application developers do not know or understand
  Kerberos and therefore do not provide support for this protocol
Kerberos Service

(Figure: KDC backends. The Kerberos database is kept either in files or in
a Directory Server (LDAP DB).)
● Compliance:
  - logging of all logins
  - mapping of functional user accounts to human user accounts
  - company-wide lock of accounts on all systems/services (including
    system administrators)
● High availability by data replication
● Load balancing with multiple servers and strict data consistency
● Single sign-on for all major services
● Critical functional user accounts (root/hscroot) only reachable after
  pre-authentication as a human user (no direct login with the functional
  account)
(Figure: replication topology; arrows are labelled "Replication" and "Access".)

Company Master DS
  Department A Master DS
    Department A Slave DS 1
    Department A Slave DS 2
  Department B Master DS
    Department B Slave DS 1
    Department B Slave DS 2

Department A Master KDC -> Department A Slave KDC
Department B Master KDC -> Department B Slave KDC
(Figure: the same topology with a Department A Client and a Department B
Client added; the Access arrows show which directory servers and KDCs the
clients use.)

Department A Master DS, Department B Master DS
Department A Slave DS 1 / 2, Department B Slave DS 1 / 2
Department A Master KDC / Slave KDC, Department B Master KDC / Slave KDC
Department A Client, Department B Client
(Figure: a client obtains its user profile from the Directory Server and
its authentication from the Kerberos Server.)
Master to Master
● UID and GID mapping across operating system boundaries
● Global versus local accounts
● Global versus local groups
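Added example for the three points above (this is not code from the original slides): a check in Python that compares the global accounts and groups a host reads from the directory with the host's local /etc/passwd and /etc/group. The UID/GID range policy and every sample record are constructed assumptions.

```python
"""Added example, not from the original slides: compare the global accounts
and groups a host reads from the directory with its local /etc/passwd and
/etc/group.  The UID/GID range policy and every sample record are constructed."""

# Policy (assumption): local accounts and groups use ids below GLOBAL_MIN,
# global ones from the directory use GLOBAL_MIN and above, on every OS.
GLOBAL_MIN = 100_000

# Constructed directory content (posixAccount / posixGroup attributes as a
# client reads them from ou=people and ou=groups).
GLOBAL_USERS = [
    {"uid": "alice", "uidNumber": 100001, "gidNumber": 100001},
    {"uid": "bob", "uidNumber": 100002, "gidNumber": 100001},
    {"uid": "backup", "uidNumber": 34, "gidNumber": 100001},    # id in the local range
]
GLOBAL_GROUPS = [
    {"cn": "staff", "gidNumber": 100001},
    {"cn": "admins", "gidNumber": 100005},
]

# Constructed local files of one host.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1001:1001:Alice (local copy):/home/alice:/bin/sh
svc-db2:x:100002:100002:DB2 instance owner:/home/db2:/bin/sh
"""
LOCAL_GROUP = """\
root:x:0:
backup:x:34:
admins:x:27:root
"""


def parse_colon_file(text):
    """/etc/passwd or /etc/group text -> {name: numeric id} (fields 0 and 2)."""
    ids = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            ids[fields[0]] = int(fields[2])
    return ids


def audit(global_users, global_groups, passwd_text, group_text, global_min=GLOBAL_MIN):
    """Return sorted (kind, name, detail) findings for one host.
    shadowed-*:               a local entry has the same name as a global one;
                              with nsswitch 'files ldap' the local one wins
    *-id-collision:           a local entry with a different name has the same id
    global-*-in-local-range:  a directory id below global_min
    local-*-in-global-range:  a local id at or above global_min"""
    findings = []
    for kind, entries, name_attr, id_attr, local in (
        ("user", global_users, "uid", "uidNumber", parse_colon_file(passwd_text)),
        ("group", global_groups, "cn", "gidNumber", parse_colon_file(group_text)),
    ):
        local_by_id = {num: name for name, num in local.items()}
        for entry in entries:
            name, num = entry[name_attr], entry[id_attr]
            if name in local:
                findings.append(("shadowed-" + kind, name,
                                 "local id %d shadows global id %d" % (local[name], num)))
            if num < global_min:
                findings.append(("global-%s-in-local-range" % kind, name,
                                 "id %d < %d" % (num, global_min)))
            if num in local_by_id and local_by_id[num] != name:
                findings.append((kind + "-id-collision", name,
                                 "local %s %s also has id %d" % (kind, local_by_id[num], num)))
        for name, num in local.items():
            if num >= global_min:
                findings.append(("local-%s-in-global-range" % kind, name,
                                 "id %d >= %d" % (num, global_min)))
    return sorted(findings)
```

The shadowed-* findings are the ones that defeat the compliance requirements listed earlier: with nsswitch.conf resolving files before ldap, a local alice on this host keeps working after the directory account is locked, and her files there are owned by a UID no other host associates with her. The id collisions are the cross-OS mapping problem: the same number means a different principal on different machines.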