Authetication Server advise - authentication

I was wondering.. I am setting up a authentication server for our small business as learning opportunity, but it also needs to be functional and usable.
The requirements are:
- Users login on there laptops via this server
- Users login to our NAS (Samba shares)
- Users can login to several services and servers
- I want it to give me a form of access control
- It needs to be linux/CentOS
Now I've read about Kerberos and LDAP but it's just so complicated and I have no idea if it actually does what I want it to..
Has anyone any ideas, suggestions or advise?
Thanks in advance!
Greets,
Thursten

Now I've read about Kerberos and LDAP but it's just so complicated and
I have no idea if it actually does what I want it to.
Indeed, understanding LDAP and Kerberos from scratch can be complicated. Setting what you want from ground up for the first time can be complicated, too. Implementing a solid configuration properly is even more complicated. Maintaining the configuration? Oh, this can be hard, too. :)
To make it easier and to avoid configuration mistakes, you could consider a product such as Apache Directory / ApacheDS. There should be other similar open-source and free or paid products that implement LDAP and Kerberos. That's in case you must use Linux / CentOS.
Note that Microsoft offers Active Directory as part of Windows Server. Windows Server is a paid product, but Kerberos authentication and directory service works out of the box there and are very easy to deploy (they just work). Just wanted to make a note about that in case you have doubts about Windows vs. Linux -based solution.

Related

SaaS LDAP/directory service?

I know that my Googling skills are failing me because there must be something like this: a simple, easy-to-use remotely hosted directory service (and even better, exposes the user directory through several different interfaces, and SSO).
Do you know of one and/or have one to recommend?
I am looking at Atlassian Crowd - http://www.atlassian.com/software/crowd/overview - which comes close with the pluggable interfaces, but it does not implement LDAP. It can only connect to an existing LDAP server.
This has already been discussed on ServerFault, and I think the answer given here may be a good starting point for your search. It lists
Symplified, Entic.net and eApps.

Authentication between Windows and Linux servers on two hosts but same domain - possible?

We have an issue that I can't wrap my head around regarding possible solutions.
We have a site that runs off of a Dot Net Nuke CMS, with a custom asp.net CMS powering a reviews engine aspect of it too. This is hosted on a Windows server setup on SQL servers and has its own user registry.
We are looking at a script for an add on revenue offering, and the best of breed we have found happens to be Linux-based using MySQL servers. There are some other options, but none are nearly as robust as the Linux based one.
Our quandry is two-fold:
1) If we use this script, we will need to host a linux server with a different host service (ours only does windows servers). Both server sets will point to the same domain (www.mydomain.com) and have communication between the MySQL DB on the Linux machine and the SQL DB on the Windows machine.
Is this possible...and problematic? Or is this a fairly straightforward issue to solve?
2) The larger issue if the first is a hurdle that can be cleared is we would want to share our user registry between the two databases, so the user would not be logging into each DB when going between the two environments.
This issue is more complex than my understanding of authentication and databases so I'm hoping someone can help me out or at least start me in a good direction for research.
We could go with the other script routes, but they simply don't offer the functions or features of the more difficult to implement code.
OK, you can always run MySQL on the Windows box and install cgywin to run the script in a more unix type environment. Or run xampp on a different port: http://www.apachefriends.org/en/xampp.html

keeping OpenLDAP and Active Directory in sync (windows server 08R2)

I've got a Windows Server box running AD, and a CentOS box running OpenLDAP in a mixed windows Linux network and I want to keep the two in sync. Preferably using free software/just some configuration changes. anyone know how to make these 2 authentication systems play nice? any syncing would have to be done over SSL for security reasons.
I use a home-grown perl script, which sync one-way from AD to LDAP via SSL. It is very custom and very rigid. I walked the same path 6 months back looking for tools to sync but none fits our needs. Well actually there isn't any that does sync without breaking
So my answer is get a scripting guy and give him the requirements and a months paycheck. Seriously, it is best done in-house than spend time looking for one and molding to your needs.
Perl has good libraries and has worked very well for us. We migrated from OpenLDAP to 389-DS which already has windowsSync plugin.(Hope that tempts you to switchover). :)

Enterprise SSO & Identity management / recommendations

We've discussed SSO before. I would like to re-enhance the conversation with defined requirements, taking into consideration recent new developments.
In the past week I've been doing market research looking for answers to the following key issues:
The project should should be:
Requirements
SSO solution for web applications.
Integrates into existing developed products.
has Policy based password security (Length, Complexity, Duration and co)
Security Policy can be managed using a web interface.
Customizable user interface (the password prompt and co. screens).
Highly available (99.9%)
Scalable.
Runs on Red Hat Linux.
Nice to have
Contains user Groups & Roles.
Written in Java.
Free Software (open source) solution.
None of the solutions came up so far are "killer choice" which leads me to think I will be tooling several projects (OWASP, AcegiSecurity + X??) hence this discussion.
We are ISV delivering front-end & backend application suite. The frontend is broken into several modules which should act as autonomous unit, from client point of view he uses the "application" - which leads to this discussion regrading SSO.
I would appreciate people sharing their experience & ideas regarding the appropriete solutions.
Some solutions are interesting
CAS
Sun OpenSSO Enterprise
JBoss Identity IDM
JOSSO
Tivoli Access Manager for Enterprise Single Sign-On
Or more generally speaking this list
Thank you,
Maxim.
What about FreeIPA?
"FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 (formerly known as Fedora Directory Server), MIT Kerberos, NTP, DNS. It consists of a web interface and command-line administration tools."
If you focus on web applications, check out http://oauth.net/.
CAS has strong adoption, user-base, and a strong lead (who recently switched jobs, but is still comitted to the project). It is straightforward to integrate (if you're comfortable writing Java code/configuring Spring beans), and can do all your requirements, noteably:
SSO solution for web applications.
YES
Integrates into existing developed products.
YES (though some cleaner than others - but many modules are available for major products, and it supports common standards (SAML, OpenID).
has Policy based password security (Length, Complexity, Duration and co)
*YES - can easily be implemented, and some extensions to integrate with LDAP (probably the most common user store) are supported
Security Policy can be managed using a web interface.
NO - though one could be build fairly simply - if you're comfortable with development, and given that this is likely to be a non-trivial project, I'd recommend considering this a non-blocker given that the product is open-source
Customizable user interface (the password prompt and co. screens).
YES - easily customized through some basic HTML/CSS editing
Highly available (99.9%)
YES - both reliable, and can support multiple node/failover scenarios easily
Scalable.
YES - used in many high-traffic environments both intranet and internet
Runs on Red Hat Linux.
YES
Oracle Enterprise Single Sign-On is not what you're after - it requires a Windows executable to be deployed. Oracle Access Manager is closer to what you're after (though it's not free or Java-based).
The major commercial players in the Identity and Access Management (IAM) market space are CA, Oracle, IBM, Sun and Novell. None of these are free solutions but they have many of the features that you are looking for.
For free software, I recommend DACS: The Distributed Access Control System. I know that one department where I work has implemented this with great success. It doesn't have as many features the commercial IAM products but otherwise is a good solution.
I have used Tivoli Access Manager backing onto Websphere and IIS boxes - the way it writes access information into the page headers is very useful. On the downside, I didnt find the DB2 Ldap backend very scalable or reliable, and you know with IBM this isn't going to come cheap.
Also the asynchronous paths (junctions) used to identify different servers is a bit of a hack really eg http://mysite/myserver/myapp - a very bad idea and not thought through very well.

Know of SSO turnkey Appliance with ldap, radius, openid, etc?

I'm helping a typical small company that started with a couple of outsourced systems (google apps, svn/trac). added an internal jabber server (ejabber for mostly iChat clients). subscribes to a couple of webservices (e.g. highrisehq). and has a vpn service provided by a pfsense freebsd firewall.
And the net result of all this is that they're drowning in passwords and accounts.
It seems that if they had a single unified login / single signon service they could go a long way to combining these. E.g.: ldap as the master repository, radius linked to it for vpn, ejabber and even WPA2 wireless access, plugins for google app sign on, and perhaps an openid server for external websites like highrisehq.
It seems that all these tools exist separately, but does anyone know of a single box that combines them with a nice GUI and auto-updates? (e.g. like pfsense/m0n0wall for firewalls, freeNAS for storage). It doesn't have to be FOSS. A paid box would be fine too.
I figure this must exist. Microsoft's Active Directory is likely one solution but they'd rather avoid Windows if possible. There seem to be various "AAA" servers that ISPs use or for enterprise firewall/router management, but that doesn't seem quite right.
Any obvious solutions I'm missing? Thanks!
It's been over a year since you originaly asked the question, so I'm guessing you've solved your problem by now. But if someone else is interested in a possible solution I suggest the following:
First of all, I don't know of any "all in one" solution to your problem. However it's quite easy to combine three products that will solve all of your needs and provide a single source for User management and password storage.
The first thing to do is install an LDAP Directory to manage Users and Groups (and possibly other objects outside the scope of your question). This can be OpenLDAP, Apache DS, Microsoft Active Directory, etc. Basically any LDAP Server will do.
Second I recommend installing FreeRADIUS with the LDAP Directory configured as it's backend Service.
Third get a license of Atlassian Crowd. It provides OpenID and Google Apps authentication. Prices for up to 50 Users start at $10 and go all the way up to $8000 for an unlimited user license.
Installation and Configuration of the three is relatively easy. You'll probably put most work into creating your Users and Groups. You can install all three components on a single Server and end up with a box that allows you to authenticate pretty much everything from Desktop Login, over Google Apps and other Web Apps, down to VPN and even Switch, WiFi and Router Login.
Just make sure you configure your Roles and Groups wisely! Otherwise you might end up with some Sales Person being able to do administration on your Firewalls and Routers :-)
I would encourage anyone searching for this type of solution to check out the Gluu Server (http://gluu.org).
Each Gluu Server includes a SAML IDP for SAML SSO, an OpenID Connect Provider (OP) for OpenID Connect SSO, an UMA Policy Decision Point (PDP) for web access management, and a RADIUS and LDAP server.
All the components of the Gluu Server are open source (i.e. Shibboleth, OX, FreeRADIUS, OpenDJ, etc.), including the oxTrust web user interface for managing each component of the server.
For commercial implementations, Gluu will build, support, and monitor this stack of software on a clients VM.
You may not want to standardise passwords across so many apps (especially external ones), though for internal ones using an auth service like LDAP makes sense.
You could solve the issue of remembering passwords with an eSSO like Novell SecureLogin
Also you might be interested in Novell Access Manager and Novell Identity Manager
I too could use such a device, however the only one I could find was a (possibly outdated) data sheet from Infoblox. They seem to have since concentrated on automated network managment and I can't find the LDAP appliance on their current website. I guess building a linux box with the FOSS stuff mentioned above is what everyone does, but it would be great not to have power supplies, disks, fans etc. I suppose you could use something like an EEE PC and put the config on a flash card.
This is something I was looking for as well, and http://www.turnkeylinux.org/openldap looks like the solution: "appliance" installation, and it includes encrypted online backup which is easily restored to a new or replacement machine.