LDAP Auth on Solaris Fundamentals
gsumers22texas
I have a very "Basics" question concerning use of ldap authentication section in iw.cfg (on TeamSite 5.0.1 for Solaris- soon to be 5.5.2)
when you use these entries for authentication, this only authenticates the username against the ldap server, correct? or also the password? if also authenticating the password, does this mean that the ldap server stores the "real" password? or is it on the Unix box? or on both, and then you have to guarantee that they'll always match?
even more fundamental, I'd like a confirmation since the admin pdf doesn't explicitly state or refute it: if you enable ldap authentication, you do still have to have the underlying unix user accounts established, correct? (I'm assuming so to allow for permissions, groups, ownership etc that IFS is relying upon to work)
perhaps there's a whitepaper / appendix somewhere that addresses this- so far all I've been able to find in Knowledgebase was a more "business process-y" discussion of the issue (#46977) that basically said implementing ldap should be considered as an "OS-to-LDAP" issue rather than a "TeamSite-to-LDAP" issue, but didn't detail how it affects / replaces / complements the components that come into play (OS accounts, permissions, passwords, etc)
thanks for all responses
Comments
Migrateduser
The KB you are referring to is basically saying that you can set up your OS for user management that works best for you-- local computer, NIS, LDAP. Then TeamSite will ask the OS for authentication and the OS will then use whatever you have setup.
So, if you set up an LDAP server for your Sol 8 authentication and ldap as the only value for 'passwd' in nsswitch.conf, the users will only authenticate against this ldap. TeamSite does not care how the users are managed, but it does require uids and gids to manage authorization in the repository.
This is why the KB says it is more of an LDAP/OS situation-- if you've set up your users to work off of LDAP w/ Sol, you can use these users with TeamSite.
gsumers22texas
hi John-
thanks for information, but can I ask for a little more clarification on some of your points? I want to make sure I'm interpreting your use of "uids" correctly-
when you say it does require "uids and gids to manage authorization in the repository", you are not referring to the TeamSite uid files located in /iw-home/conf/roles, correct? you are referring to the OS level uids and gids, right? thus, the user accounts (/home subdirectories) and groups (/etc/group and /passwd/group entries) DO need to still be established, correct? and then the TeamSite-specific uids as well
is this the correct conclusion? : TeamSite ldap authentication will authenticate password stored on the ldap server (and no matching entries needed locally on the server), but user accounts and groups are required locally on the server
tvaughan
It is kinda confusing because there is the system-level existence of users and then the application-level existence of users.
For a user to be a TeamSite user, they must be understood by the Solaris box as being a user on the Solaris system. It's a pre-requisite.
So, you can set up your Solaris box to authenticate via /etc/passwd, LDAP, whatever.
When a user logs in to TeamSite, here is the order in which events happen (as far as I've been able to determine):
1) User "jdoe" tries to enter "jdoe/abc123/editor" at the TeamSite GUI prompt
2) TeamSite looks up jdoe's uid in his Entity file (iw-home/local/entities/Data)
3) TeamSite asks Solaris: "Do you know about this uid?" (doesn't authenticate with passwd or anything)
4) TeamSite looks in the iw.cfg and finds out how it should authenticate
5) TeamSite asks its configured authentication source if "jdoe/abc123" is a valid username/passwd combination
I'm not sure exactly when role checking comes in to play, but I think it is pretty early on. . . maybe after the peek into the user's Entity file.
So, what I'm doing is configuring my Solaris 2.8 machine to authenticate in this order: files, ldap, nis. LDAP authentication is done via a pam.conf change. The only users in my /etc/passwd file are root, daemon, bin, etc.
I'm configuring my Interwoven server (/etc/iw.cfg) to ask LDAP for usernames and passwords, but leaving the roles authentication commented out. Thus, I still control my roles uid files locally.
This set up is hella confusing the first couple days you use it, but it starts to get elegant as the number of users you have scales.
Hope that helps.
Tom
P.S.-- Solaris 2.8, NDS, TeamSite 5.5.2 w/ SP1
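A check of the OS-level prerequisite the thread describes, added here as an example that is not part of the original posts: it reads the ordered lookup sources for a database from nsswitch.conf text and confirms that a user has an OS uid and a primary gid that resolves to a group, which is what TeamSite needs before its configured password source is ever consulted. The nsswitch, passwd and group samples are constructed; on a real host they would come from /etc/nsswitch.conf and getent.

```shell
# Constructed samples standing in for /etc/nsswitch.conf, "getent passwd" and
# "getent group" output on a Solaris host (not taken from the thread).
SAMPLE_NSSWITCH='passwd:  files ldap nis
group:   files ldap nis
hosts:   files dns'
SAMPLE_PASSWD='root:x:0:0:Super-User:/:/sbin/sh
jdoe:x:1001:100:Jane Doe:/home/jdoe:/bin/sh
orphan:x:1002:999:No Group:/home/orphan:/bin/sh'
SAMPLE_GROUP='root::0:
staff::100:jdoe'

# Ordered lookup sources for one database ("passwd", "group") from nsswitch text on stdin.
nss_sources() {
  awk -v db="$1:" '$1 == db { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# 0 if "ldap" is one of the sources the OS consults for the database, else 1.
nss_uses_ldap() {
  printf '%s\n' "$SAMPLE_NSSWITCH" | nss_sources "$1" |
    awk '{ for (i = 1; i <= NF; i++) if ($i == "ldap") f = 1 } END { exit !f }'
}

# Primary gid of a user from passwd-format text ($2); empty if the OS does not know the user.
user_gid() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $4; exit }'
}

# 0 when the user has an OS uid AND its primary gid resolves to a group. Without both,
# TeamSite cannot map the user to repository ownership regardless of the password source.
user_resolvable() {
  gid=$(user_gid "$1" "$SAMPLE_PASSWD")
  [ -n "$gid" ] || return 1
  printf '%s\n' "$SAMPLE_GROUP" |
    awk -F: -v g="$gid" '$3 == g { found = 1 } END { exit !found }'
}
```

To run it against a live host, replace the three samples with the contents of /etc/nsswitch.conf, `getent passwd` and `getent group`; a user that fails user_resolvable will not be usable by TeamSite even if LDAP accepts the password.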