Centralized Authorization Using a Directory Service, Part II
Authorization is the process of deciding if entity X is allowed to have access to resource Y. Determining the identity of X is the job of the authentication process. One task of authorization in computer networks is to define and determine which user has access to which computers in the network. A simple example would be one line in a computer's /etc/passwd file, joe:X:1234:56:/home/joe:/bin/bash, to allow user joe access to this computer. If you want to give user joe access to several computers, you have to add this line to every computer's /etc/passwd file.
On Linux, the tendency exists to create a local account for each single user who should be allowed to log in to a computer. This typically is the case, because a user needs not only login privileges but also access to additional resources, such as a home directory to do some work. Creating a local account on every computer takes care of all this.
The problem with this local account approach is that these accounts can be inconsistent with one another. The same user name could have a different user ID and/or group ID on different computers. Even more problematic is when two different accounts share the same user ID and group ID on different computers. User joe on computer1 could have user ID 1234 and group ID 56, and user jane on computer2 could have the same user ID 1234 and group ID 56. This is a big security risk in cases where shared resources are used. These two different accounts are the same for an NFS server, so these users can wipe out each other's files.
The solution to this inconsistency problem is to have only one central, authoritative data source for this kind of information and a means of providing all your computers with access to this central source. This is what a directory service does. The two directory services most widely used for centralizing authorization data are the network information service (NIS, formerly known as yellow pages or YP) and lightweight directory access protocol (LDAP).
A few things need to be considered when it comes to deciding which directory service to use, NIS or LDAP. If your company already maintains an LDAP server, it seems simple enough to add the authorization data to it. However, usually company LDAP servers are used for white pages and similar fairly lightweight tasks. Adding the authorization task puts a significant load on an LDAP server, because every single lookup for user name, UID, GID and so on done by programs needs to be answered by it. It usually makes sense to add an additional LDAP server dedicated solely to authorization. Also, due to the many different kinds of directory queries, it is rather hard to get the performance tuning right. You need to add all necessary LDAP index definitions in your slapd.conf file in order to speed up common lookups, but you don't want to add too many index definitions. Doing so makes the LDAP back-end database files large, and everything slows down again.
LDAP is the better choice in networks that have problems with many dropped UDP packets, because it uses TCP/IP where retransmits are built into the network protocol layer. NIS, on the other hand, uses remote procedure calls (RPCs) over UDP. Every dropped packet results in a non-answered NIS query, and the NIS client needs to repeat the query. Use the command netstat -s -u at different times on different machines on your network to see whether your network suffers from this problem. You should see very few errors reported by this command.
I concentrate on NIS in this article, because it is easier to start out with and there is a fairly simple migration path to LDAP in case you see problems. PADL Software Pty, Ltd., provides a set of open-source tools to help you convert all your NIS data files to LDAP (see the on-line Resources). You still have to do the performance-tuning part, however. You have to write migration tools yourself if you want to migrate from LDAP to NIS.
An NIS server does not require a lot of hardware resources. Any machine you have around should do the job. You might want to put this new functionality on a dedicated machine, though. At the Stanford Linear Accelerator Center (SLAC), we serve, without any problems, up to 500 Linux and Solaris clients with one old Sun Netra T1 server. We have four of these NIS servers for about 700 Solaris and Linux desktop computers and another six NIS servers for about 2,500 Solaris and Linux compute servers. Our clients are spread out somewhat unevenly over the servers.
Log on to the machine where you want to install your master NIS server, and make sure the latest portmap, ypserv and yp-tools RPMs are installed. If not, download and install them now. All following commands have to be issued as root. Start the portmapper dæmon with:
# service portmap start
The next step is to define the name of your new NIS domain. This name can be anything you like, but it probably makes sense to pick one that represents your department inside your company; nis.example.com for an NIS domain for all of Example.Com or eng.example.com for the Engineering department inside of Example.Com would be good choices.
Set the NIS domain name on your master server with the command:
# domainname nis.example.com
You also have to add the line:
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Back to Backups
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Google's Abacus Project: It's All about Trust
- Secure Desktops with Qubes: Introduction
- Seeing Red and Getting Sleep
- Fancy Tricks for Changing Numeric Base
- Secure Desktops with Qubes: Installation
- Linux Mint 18
- Working with Command Arguments
- CentOS 6.8 Released
Until recently, IBM’s Power Platform was looked upon as being the system that hosted IBM’s flavor of UNIX and proprietary operating system called IBM i. These servers often are found in medium-size businesses running ERP, CRM and financials for on-premise customers. By enabling the Power platform to run the Linux OS, IBM now has positioned Power to be the platform of choice for those already running Linux that are facing scalability issues, especially customers looking at analytics, big data or cloud computing.
￼Running Linux on IBM’s Power hardware offers some obvious benefits, including improved processing speed and memory bandwidth, inherent security, and simpler deployment and management. But if you look beyond the impressive architecture, you’ll also find an open ecosystem that has given rise to a strong, innovative community, as well as an inventory of system and network management applications that really help leverage the benefits offered by running Linux on Power.Get the Guide