Friday 22 November 2013

Authentication headaches

Authentication is a pretty complex subject.  With the Iceni servers that are running at the moment we can run in two modes:

Stand-alone:
The Iceni server maintains a database of users in LDAP and all services use PAM to authenticate users, and PAM is configured to authenticate against LDAP.  The proxy server offers HTTP "Basic" authentication and "NTLM" authentication in this mode, with the proxy using Winbind for the NTLM side (the Iceni server runs Samba to become a Windows primary domain controller on the network).

Integrated with Windows:
The Iceni server maintains a database of users in LDAP, but this is not used for authentication.  The services still use PAM for authentication, but PAM is configured to authenticate against the Kerberos server provided by the primary domain controller.  Additionally, Squid (the proxy) offers the "Negotiate" authentication method as well as "Basic" - this means the client can authenticate through Kerberos (in which case the proxy server talks directly to the PDC's Kerberos server) or NTLM (the proxy server uses Samba-Winbind to authenticate against the PDC).

As you can imagine, the whole Windows integration thing is pretty messy, and is also an all-or-nothing affair - you can't choose to have certain users (such as the administrator) authenticated locally whilst having others authenticated by the PDC.

So we want to improve things with Iceni 2.  The stand-alone stuff is largely unchanged, but the plan for Windows integration is to allow the local LDAP server to pass through authentication requests to another server for certain users.  It seems the way to do this is by using SASL to make the LDAP server forward authentication through to the PDC's Kerberos server.  Of course, none of it is entirely straightforward. :)
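As an added illustration (not from the original post, and not Iceni's own configuration), here is what the per-user pass-through could look like with OpenLDAP's `{SASL}` password scheme and Cyrus saslauthd: the administrator keeps a locally hashed password, while a domain user's simple bind is forwarded to the PDC's Kerberos KDC.  File paths, the realm EXAMPLE.LOCAL and the user names are assumptions.

```conf
# --- Cyrus SASL config read by slapd (assumed path: /etc/sasl2/slapd.conf) ---
# slapd hands {SASL} binds to saslauthd over its Unix socket.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# --- saslauthd daemon settings (assumed Debian-style /etc/default/saslauthd) ---
# kerberos5: saslauthd verifies the password against the KDC listed for the
# realm in /etc/krb5.conf, i.e. the primary domain controller.
START=yes
MECHANISMS="kerberos5"
OPTIONS="-c -m /var/run/saslauthd"

# --- LDIF: the same directory holds both kinds of user (constructed sample) ---
# Local administrator: secret stored and checked by slapd itself, so the
# admin can still log in if the PDC is unreachable.
dn: uid=administrator,ou=People,dc=example,dc=local
objectClass: inetOrgPerson
cn: Administrator
sn: Administrator
uid: administrator
userPassword: {SSHA}PLACEHOLDER-generate-with-slappasswd

# Domain user: no local secret at all.  slapd splits "jsmith@EXAMPLE.LOCAL"
# into user and realm, passes them to saslauthd, and saslauthd asks the PDC's
# KDC whether the supplied password is correct.
dn: uid=jsmith,ou=People,dc=example,dc=local
objectClass: inetOrgPerson
cn: John Smith
sn: Smith
uid: jsmith
userPassword: {SASL}jsmith@EXAMPLE.LOCAL
```

Only simple binds are forwarded this way; services (PAM, Squid's "Basic" helper) bind to the local LDAP server as usual and never need to know which users are checked locally and which at the PDC.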
