Archive for May 2007
So, I posted my Resume
May 29, 2007 by mabatche.
I posted my resume like everyone else does. Nothing special. I’ve been with the same company for 10 years and recently was wondering if there is anything else out there. Don’t get me wrong, I actually like my job. But you never know unless you look. So, here is the resume. It’s a work in progress, this is just the first draft, so if it isn’t all that pretty, I apologize.
Mark.
Posted in Uncategorized | No Comments »
This is actually pretty cool.
May 11, 2007 by mabatche.
A few days ago, I put up a little article asking where my open source IDM solution was. Looking across someone else’s blog, I was directed to this link here.
It’s a very cool mapping tool used to create a map of known open source IDM projects and their status. I found this very helpful. Maybe you will as well.
Posted in Identity Management, Uncategorized | 1 Comment »
Started PAM module list
May 11, 2007 by mabatche.
I just started putting together a list of all the PAM modules I can find that are open source. It can be found here.
I’ve been getting a bit frustrated at finding some of these. Many of these are very useful! And it would be nice to have one place to go to find out about some of these… Sooo.. I’m starting this little list and updating it as I come across them.
Mark.
Posted in Directories, Identity Management, Uncategorized | 1 Comment »
The Trouble with Non-Native Authentication
May 7, 2007 by mabatche.
Recently, I’ve been working on a project which is intended to replace access/authorization mechanisms on Solaris/Linux servers with PAM_LDAP (see www.padl.org). Getting PAM-LDAP to work has actually proven to be a relatively easy thing to do. (We happen to be using Novell’s eDirectory as the LDAP environment for it.) But, we have been running into multiple problems when it comes to non-PAM-aware applications running on our servers. Here’s an example: IBM DB2. Technically, it looks up users/user access information from /etc/passwd and from /etc/groups. This is all well and good. But, on some older instances of it, it doesn’t necessarily seem to adhere to the standards that nss_ldap uses for lookups. Which leaves us in a scenario where we have to maintain a local copy of the account on the Solaris servers in order for DB2 to function correctly. Now, this completely defeats the idea behind using a central directory for access/authorization. What’s the point in having one, if you have to also maintain local accounts for non-system level users on the server as well?
An Idea -
For anyone who has ever worked in a Novell shop you are most likely all too familiar with this same problem, only from a different angle. When the Novell client is installed on a Windows workstation, there had to be a mechanism for local users (or domain users for that matter) to be authenticated to a workstation as well as the eDirectory user. In Microsoft’s wisdom, they are assuming that everything is Windows, and no third party matters. Novell got around this with what they used to call (I have no idea if it’s still called this) “Dynamic Local User”. What it would do, is upon login, if you had never logged into that machine before, it would create a local account for you with whatever security specific policies you had assigned to that user. Then, you had the option (via policy) to make that a non-volatile user (meaning it would never be deleted unless someone deleted it) or make it a volatile user (meaning upon logout, the user would be cleaned up from the workstation and all was good). This worked surprisingly well. Now, of course one thing Novell had on their side was that they knew the user’s password upon login, and could sync it up. It was also a fairly small use case (meaning it was really intended for workstations and the types of things they would be doing).
Now, I realize that a server (especially one of the unix variety) is a very different beast from a workstation. But, what I was wondering is if this is possible for a unix box?
I’ve seen some stuff out there that has some of this functionality, but nothing that really got me going yet.
Has anyone ever run across software (maybe a PAM module) that supports this type of functionality? I have seen pam_mkhomedir before and even used it. That is sort of a dynamic provision for the home directory on Unix. But what about the user?
Anyone?
Posted in Uncategorized | No Comments »
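The post above describes an application that reads /etc/passwd directly instead of going through nss_ldap, which forces a local copy of each directory account. The following audit script is an added example (not code from the post or from any of the products it names); it compares the local file against the NSS view and reports the two conditions that matter in that setup: directory users with no local copy, and local copies whose UID, GID, home or shell no longer match the directory record. The passwd data is constructed sample input, and the hypothetical `audit_live_system()` runs the same check against a real host.

```python
"""Reconcile local /etc/passwd against the NSS (nss_ldap) account view.

Added example, not from the original post. A non-NSS-aware application that
reads /etc/passwd itself will not see "missing_locally" users at all, and a
"drifted" local copy means file ownership and group membership silently
diverge from what the central directory says.
"""
import pwd

# Constructed sample data standing in for `cat /etc/passwd` and `getent passwd`.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
db2inst1:x:1001:1001:DB2 instance owner:/home/db2inst1:/bin/bash
jsmith:x:5002:5000:Jane Smith:/home/jsmith:/bin/bash
"""
NSS_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
db2inst1:x:1001:1001:DB2 instance owner:/home/db2inst1:/bin/bash
jsmith:x:5001:5000:Jane Smith:/home/jsmith:/bin/bash
bjones:x:5003:5000:Bob Jones:/home/bjones:/bin/ksh
"""


def parse_passwd(text):
    """Map login -> (uid, gid, home, shell); skip blank and comment lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries[name] = (int(uid), int(gid), home, shell)
    return entries


def reconcile(local, nss):
    """Users the file-reading app cannot see, and local copies that drifted."""
    missing = sorted(n for n in nss if n not in local)
    drifted = sorted(n for n in nss if n in local and local[n] != nss[n])
    return {"missing_locally": missing, "drifted": drifted}


def audit_live_system():
    """Hypothetical live check: pwd.getpwall() resolves through NSS."""
    with open("/etc/passwd") as fh:
        local = parse_passwd(fh.read())
    nss = {p.pw_name: (p.pw_uid, p.pw_gid, p.pw_dir, p.pw_shell) for p in pwd.getpwall()}
    return reconcile(local, nss)


if __name__ == "__main__":
    print(reconcile(parse_passwd(LOCAL_PASSWD), parse_passwd(NSS_PASSWD)))
```

On the sample data the report lists bjones as missing locally and jsmith as drifted (local UID 5002 versus directory UID 5001), the kind of mismatch that would otherwise surface only as wrong file ownership.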