Once you have a directory in place for authenticating users, you may want to use it for user authentication on UNIX too. And, indeed, there is a standard POSIX account object class holding all of the information required for an account on the UNIX operating system. The standard is defined in RFC 2307, "An Approach for Using LDAP as a Network Information Service." As the title implies, LDAP gives you much more than user information: it can also substitute for the whole NIS/NIS+ or DNS framework. In this section, however, we will concentrate on user accounts.
Most vendors of UNIX operating systems offer only the option of using an LDAP server as a repository for user and group information. Let us review what the LDAP server must provide to the UNIX system if it is to be used for user and group management. Exhibit 19 shows how a standard UNIX system holds user and group information. The illustration is obviously simplified, but it will help us focus on the basic concept. The user management system uses three files: the "passwd" file holds information about the user; the "shadow" file holds the user password; and the "groups" file holds information about the groups a user belongs to. Between the user management procedure and the three system files, there is a layer that manages access to these configuration files. If we wish to use an LDAP server for authentication, all we need to do is teach this layer to consult the LDAP server instead of the system files.
Exhibit 19: User Management in a Standard UNIX Operating System
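To make the mapping between the three system files and the RFC 2307 object classes concrete, here is an added example (not code from the book): it parses constructed passwd, shadow and group records and emits them as LDIF entries of type posixAccount plus shadowAccount and posixGroup. The suffix dc=example,dc=com, the ou=People and ou=Group containers, and the sample records are assumptions made for the example.

```python
# Added example: map passwd/shadow/group records onto RFC 2307 object classes.
# BASE_DN, the container names and all sample records below are constructed.
import base64

BASE_DN = "dc=example,dc=com"   # assumed directory suffix

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "flag")
GROUP_FIELDS = ("name", "passwd", "gid", "members")

# Constructed sample records in the format of the three system files.
PASSWD = ("alice:x:1001:1001:Alice Example:/home/alice:/bin/bash\n"
          "bob:x:1002:1001:Bob Example:/home/bob:/bin/sh\n")
SHADOW = "alice:$6$saltsalt$constructedhash:19000:0:99999:7:::\n"   # bob has no shadow record
GROUP = "developers:x:1001:alice,bob\n"


def parse_colon_file(text, fields):
    """Parse colon-separated records into {name: {field: value}}."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(parts)}: {line!r}")
        records[parts[0]] = dict(zip(fields, parts))
    return records


def user_entry(pw, sh=None, base_dn=BASE_DN):
    """Build (dn, attrs) for one user as posixAccount + shadowAccount."""
    attrs = {
        "objectClass": ["top", "account", "posixAccount", "shadowAccount"],
        "uid": [pw["name"]],
        "cn": [pw["gecos"] or pw["name"]],
        "uidNumber": [pw["uid"]],
        "gidNumber": [pw["gid"]],
        "homeDirectory": [pw["dir"]],
        "loginShell": [pw["shell"]],
    }
    if pw["gecos"]:
        attrs["gecos"] = [pw["gecos"]]
    if sh is not None:
        # RFC 2307 carries the crypt(3) hash in userPassword with a {crypt} prefix.
        attrs["userPassword"] = ["{crypt}" + sh["hash"]]
        shadow_map = (("shadowLastChange", "lastchg"), ("shadowMin", "min"),
                      ("shadowMax", "max"), ("shadowWarning", "warn"),
                      ("shadowInactive", "inactive"), ("shadowExpire", "expire"))
        for attr, key in shadow_map:
            if sh[key]:                    # empty shadow fields are simply omitted
                attrs[attr] = [sh[key]]
    return f"uid={pw['name']},ou=People,{base_dn}", attrs


def group_entry(gr, base_dn=BASE_DN):
    """Build (dn, attrs) for one group as posixGroup with memberUid values."""
    attrs = {"objectClass": ["top", "posixGroup"], "cn": [gr["name"]], "gidNumber": [gr["gid"]]}
    members = [m for m in gr["members"].split(",") if m]
    if members:
        attrs["memberUid"] = members
    return f"cn={gr['name']},ou=Group,{base_dn}", attrs


def ldif_value(name, value):
    """Format one attribute line; base64-encode values LDIF cannot carry verbatim."""
    safe_start = value[:1] not in (" ", ":", "<")
    if value.isascii() and value.isprintable() and safe_start:
        return f"{name}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {encoded}"


def to_ldif(dn, attrs):
    """Serialise one entry as an LDIF record."""
    lines = [f"dn: {dn}"]
    for name, values in attrs.items():
        lines.extend(ldif_value(name, v) for v in values)
    return "\n".join(lines) + "\n"


def export_ldif(passwd_text, shadow_text, group_text, base_dn=BASE_DN):
    """Convert all three files into one LDIF document (users first, then groups)."""
    users = parse_colon_file(passwd_text, PASSWD_FIELDS)
    shadows = parse_colon_file(shadow_text, SHADOW_FIELDS)
    groups = parse_colon_file(group_text, GROUP_FIELDS)
    entries = [user_entry(pw, shadows.get(name), base_dn) for name, pw in users.items()]
    entries += [group_entry(gr, base_dn) for gr in groups.values()]
    return "\n".join(to_ldif(dn, attrs) for dn, attrs in entries)


if __name__ == "__main__":
    print(export_ldif(PASSWD, SHADOW, GROUP))
```

The `account` object class supplies the structural class that the auxiliary `posixAccount` and `shadowAccount` classes need; a real deployment may prefer `inetOrgPerson`. Because the `userPassword` attribute now carries the hash that used to live in the shadow file, the directory's access control must restrict reads of it just as tightly as the shadow file's permissions did.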
As stated previously, most UNIX system vendors offer this layer of software. Let us briefly review how it works. Exhibit 19 shows the situation. What we want to achieve is what we called, in an abstract way, "user management" via system calls connected to a service. In Exhibit 20, this service is called PAM (pluggable authentication modules), which contacts an LDAP server over TCP/IP. This LDAP server provides authentication.
Exhibit 20: User Management Using LDAP
Now we know nearly all of the pieces depicted in Exhibit 19. The only unknown is the PAM layer providing the switch in user authentication. This PAM layer is a standard documented by the Open Group. If you are interested in the original documentation, you can have a look at http://www.opengroup.org/tech/rfc/rfc86.0.html. PAM was originally developed by Sun Microsystems and later became a standard.
The PAM layer allows you to configure different authentication mechanisms for individual services, as seen in Exhibit 21. Each of the services contacts the generic PAM layer directly instead of contacting a dedicated authentication mechanism. From its configuration file, PAM learns which service has to use which authentication type.
Exhibit 21: Pluggable Authentication Module
This type of authentication framework has an enormous advantage. If you need a new authentication type, you simply develop an appropriate authentication mechanism, plug it into the PAM framework, and configure which services should use this authentication mechanism. As you can see from Exhibit 20, one of the authentication mechanisms available is the LDAP module.
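The way PAM decides, per service, which mechanism grants access depends not only on which modules are listed but on the control flag in front of each. The following added example (not code from the book) is a small simulator of the classic Linux-PAM control flags applied to two constructed pam.d stacks for one service, one that falls back from the LDAP module to the local files and one that requires both. The stack texts, the module outcomes and the scenarios are assumptions made for the example.

```python
# Added example: simulate Linux-PAM control flags over a pam.d "auth" stack to
# show how a service's configuration chooses between pam_ldap and pam_unix.
# The stacks, outcomes and scenarios below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Rule:
    control: str   # required | requisite | sufficient | optional
    module: str    # e.g. pam_ldap.so or pam_unix.so


def parse_pam_stack(text, mgmt_group="auth"):
    """Return the rules of one management group from pam.d-style text.

    Only the four classic control keywords are handled; the bracketed
    [value=action ...] syntax of Linux-PAM is out of scope here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] != mgmt_group:
            continue
        if parts[1] not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"unsupported control flag: {parts[1]}")
        rules.append(Rule(parts[1], parts[2]))
    return rules


def run_stack(rules, outcomes):
    """Walk the stack and return True if PAM would grant authentication.

    outcomes maps a module name to True (success) or False (any failure);
    a module missing from the map is treated as failing. The "impression"
    mirrors Linux-PAM: undefined until a module succeeds (positive) or a
    required/requisite module fails (negative, and it then stays negative).
    """
    impression = None
    for rule in rules:
        ok = outcomes.get(rule.module, False)
        if ok:
            if impression is None:
                impression = True
            if rule.control == "sufficient" and impression:
                return True             # "done": skip the rest of the stack
        elif rule.control == "requisite":
            return False                # "die": stop immediately
        elif rule.control == "required":
            impression = False          # "bad": keep going, but the result is failure
        # a failing sufficient or optional module is ignored
    return impression is True


# Constructed /etc/pam.d/<service>-style stacks.
FALLBACK_STACK = """
auth  sufficient  pam_ldap.so
auth  required    pam_unix.so   try_first_pass
"""

STRICT_STACK = """
auth  required    pam_ldap.so
auth  required    pam_unix.so   try_first_pass
"""

# Scenarios: a directory user, a local-only user (which is also what the
# stack sees for a local account while the LDAP server is unreachable),
# and a caller no module can authenticate.
LDAP_USER = {"pam_ldap.so": True, "pam_unix.so": False}
LOCAL_USER = {"pam_ldap.so": False, "pam_unix.so": True}
NOBODY = {"pam_ldap.so": False, "pam_unix.so": False}


def decide(stack_text, outcomes):
    """Parse a stack and return the authentication decision for one scenario."""
    return run_stack(parse_pam_stack(stack_text), outcomes)


if __name__ == "__main__":
    for name, stack in (("fallback", FALLBACK_STACK), ("strict", STRICT_STACK)):
        for who, outcome in (("ldap user", LDAP_USER), ("local user", LOCAL_USER), ("nobody", NOBODY)):
            verdict = "granted" if decide(stack, outcome) else "denied"
            print(f"{name:9} {who:11} -> {verdict}")
```

Running it shows the practical difference: with the fallback stack a directory user is granted by pam_ldap, a local account still works through pam_unix, and nobody gets in without satisfying at least one module; with the strict stack every login, including a local administrator's, is denied as soon as the LDAP server is unreachable, because a failing `required` module poisons the whole stack. That is why a fallback to local files for emergency accounts is the usual recommendation when a service is switched to LDAP authentication.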
As mentioned previously, most UNIX operating systems have an LDAP PAM module. If your operating system does not provide one, you can get it as open-source software from PADL Software Pty Ltd. The software also runs on the following operating systems:
FreeBSD 3.x and above
Linux with Linux-PAM
Mac OS X 10.2
Solaris 2.6 and above
You can obtain software and documentation from http://www.padl.com. (Note that the company name, PADL, is LDAP spelled backwards.)