Hey, wondering if anyone is successfully connecting to Uniobjects on a Linux server (a recent Redhat release), using AD authentication?  I'm working with a customer that does not want to use any local accounts at all to connect to Unidata (i.e. the accounts should not be in /etc/passwd or added locally with useradd, they must be AD accounts).  I'm not sure if uniobjects uses PAM and can do that kind of auth.

If you are using AD auth with Uniobjects, is the account you're using allowed to log in to the server via ssh? That's the second requirement - they don't want someone with a service account password using it to log in. I know on Windows, Uniobjects requires the account to have the "log on locally" privilege.

Grateful to hear of anyone's experiences with this (especially if it's a positive "yes it works!") or pointers to docs I may have missed :-)



------------------------------
Ian McGowan
Principal Consultant
Rocket Forum Shared Account
------------------------------

Ian,

The Pluggable Authentication Module (PAM) will give you transparent support of any host O/S verification methodology. Once AD is configured then it should 'just work'.

I would always recommend keeping a backup of a few local users for emergency use if the AD controller should become unavailable for some reason; it is also worth noting that AD access times and verification speed can be an issue if the network becomes slow.

Once the authentication method works for the O/S, the U2 database will still use the standard O/S user-validation API, and this in turn will use PAM, however it is configured, to validate the user(s).

Regards

JJ



------------------------------
John Jenkins
Thame, Oxfordshire
------------------------------

@Ian McGowan 

In RHEL there is the "System Security Services" package (package name is "sssd") which allows the RHEL server to be joined to an AD domain.

The setup of sssd does allow for non-local AD users to log in and be able to interact, so you should be able to achieve what the customer wants.

On RHEL the file access permissions are used as the data access control, so your database files will need to be set up to allow AD users/groups to access the servers.

The sssd package can be set up to respect AD's server access rights, so if the AD admins deny access for a specific user the user cannot log in.

We use sssd with the user override functionality to map AD users to local users, giving AD authentication and local user access checks.



------------------------------
Gregor Scott
Software Architect
Pentana Solutions Pty Ltd
Mount Waverley VIC AU
------------------------------

Gregor, thanks, that's good information. I was using sssd to override the user's primary group; that's a really interesting idea to use it to map an AD user to a local user (asking ChatGPT to explain how to do that now :). Things are working fine for interactive users, it's just with service accounts there's a problem, and I don't have any AD access to troubleshoot that side of things. Thanks again!



------------------------------
Ian McGowan
Principal Consultant
Rocket Forum Shared Account
------------------------------

John, thanks for confirming, that is helpful - I was worried that unirpcd was only doing traditional Unix local account security. It's reassuring to hear that it should work through PAM and be the same for service accounts as interactive users. I think the problem may be that the AD account is not configured to log in via ssh (the customer doesn't want a service account used for an interactive login). May have to ask them to turn that off and do something klugey like add "exit" to the .bash_profile to prevent interactive use. Thanks again, appreciate the assist!



------------------------------
Ian McGowan
Principal Consultant
Rocket Forum Shared Account
------------------------------
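An added example (not posted by anyone in the thread) of the alternative to the `.bash_profile` "exit" approach discussed above: since PAM is shared by sshd and the U2 login path, the deny has to live in sshd itself rather than in the PAM stack or sssd's access provider. The script renders an sshd drop-in denying the service account, and includes an audit function that checks whether a given sshd config actually denies that user. Assumptions: the account name `svc_unidata` is constructed, and the host's sshd includes `/etc/ssh/sshd_config.d/*.conf` (the RHEL 8.2+/9 default).

```bash
#!/bin/bash
# Added example, not from the forum thread. Blocks an AD service account from
# interactive ssh at the sshd layer while leaving PAM (and so unirpcd/UniObjects
# authentication) untouched. A user can bypass an "exit" in .bash_profile, e.g.
# by requesting a command with "ssh host bash --noprofile"; DenyUsers cannot be.
# Assumption: "svc_unidata" is a constructed account name.
set -eu

# Emit the sshd drop-in. DenyUsers only affects sshd, so every other PAM
# service on the host keeps authenticating the account normally.
render_sshd_denylist() {
  local user="$1"
  cat <<EOF
# Managed drop-in: AD service accounts that must never get an ssh session.
DenyUsers ${user}
EOF
}

# Audit check: return 0 if FILE denies USER on a top-level DenyUsers line,
# 1 otherwise. Comment lines are skipped and parsing stops at the first
# "Match" header, because DenyUsers is only honoured in the global section.
ssh_denied_in_config() {
  local file="$1" user="$2" line key tok
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line                      # intentional word splitting
    [ $# -ge 1 ] || continue
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$key" in
      '#'*)      continue ;;
      match)     break ;;
      denyusers) shift
                 for tok in "$@"; do
                   [ "$tok" = "$user" ] && return 0
                 done ;;
    esac
  done < "$file"
  return 1
}

# Install the drop-in, validate the merged config, then reload (assumes the
# sshd_config.d include and a systemd "sshd" unit, as on recent RHEL).
install_sshd_denylist() {
  local user="$1" dropin=/etc/ssh/sshd_config.d/50-deny-service-accounts.conf
  render_sshd_denylist "$user" > "$dropin"
  sshd -t                             # refuse to reload a broken config
  systemctl reload sshd
  ssh_denied_in_config /dev/stdin "$user" < <(sshd -T)
}

# Only touch the live system when explicitly asked: ./deny.sh --apply svc_unidata
if [ "${1:-}" = "--apply" ]; then install_sshd_denylist "${2:-svc_unidata}"; fi
```

The final `sshd -T` check confirms the effective configuration, not just the file you wrote, so a stale `DenyUsers` elsewhere or a missing `Include` line shows up immediately.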