From: secretary on
<blockquote
what="official UNIGROUP announcement"
rsvp="registration requested, see below"
entrance-fee="yes, see http://www.unigroup.org/unigroup-fees.html"
location="The Cooper Union School of Engineering, see below"
info="http://www.unigroup.org"
edits="some paragraphs removed so notice fits in mailboxen">

Date: Sun, 17 Jan 2010 08:00:14 -0500 (EST)
From: Unigroup_of_NY <unilist(a)unigroup.org>
Subject: UNIGROUP Meeting 21-JAN-2010 (Thu): Active Directory Integration - Unix/Linux/Windows

Unigroup is THIS Thursday... Please RSVP now if you will be attending!

====================================================================
UNIGROUP OF NEW YORK - UNIX USERS GROUP - OCTOBER 2010 ANNOUNCEMENTS
====================================================================

--------------------------------------
1. UNIGROUP'S OCTOBER 2010 MEETING NOTICE
--------------------------------------

When: THURSDAY, January 21st, 2010 (** 3rd Thursday **)

Where: The Cooper Union <http://www.cooper.edu>
       School of Engineering (*** New Building ***)
       41 Cooper Square (3rd Avenue @ 7th St, between 6th & 7th Streets)
       East Village, Manhattan
       New York City
       Meeting Room: 201
       ** Please RSVP **

Time:  6:15 PM - 6:30 PM  Registration
       6:30 PM - 6:45 PM  Ask the Wizard, Questions, Answers and Current Events
       6:45 PM - 7:00 PM  Unigroup Business and Announcements
       7:00 PM - 9:30 PM  Main Presentation

----------------------------------------------------
Topic: Active Directory Integration with Unix/Linux Systems
----------------------------------------------------

Speaker: Eric Hombo,
Lead Escalation Support Engineer,
Beyond Trust <http://www.beyondtrust.com>

-------------------------------------------------------------------

INTRODUCTION:
-------------

Happy New Year! Unigroup's January 2010 meeting will cover
Cross-Platform Integration across Unix, Linux and Windows systems.

Unigroup Elections: Unigroup holds Board of Director Elections
every January. If you are a Unigroup Member and would like to
run for the Unigroup Board, please contact us on or before our
January 2010 meeting.

Note: We are continuing to try to re-schedule our planned meeting
on "The Latest in x86 Computer Architecture" to be presented by
a leading PC hardware vendor.

-------------------------------------------------------------------

SPECIAL INSTRUCTIONS:
---------------------

To REGISTER for this event, please RSVP by using the Unigroup
Registration Page:
http://www.unigroup.org/unigroup-rsvp.html

This will allow us to automate the registration process.
(Registration will also add you to our mailing list.)
Please avoid Emailed RSVPs.

Please continue to check the Unigroup web site and meeting page,
for any last minute updates concerning this meeting. If you
registered for this meeting, please check your Email for any last
minute announcements as the meeting approaches. Also make sure
any anti-spam white-lists are updated to _ALLOW_ Unigroup traffic!
If you block Unigroup Emails, your address will be dropped from
our mailing list.

Also, if you have an interest in Unigroup, be sure to receive
Unigroup information DIRECTLY from Unigroup, via direct receipt
of Emails and by visiting the Unigroup Web Site. NO OTHER SOURCE
provides timely, accurate and complete Unigroup information.

Please RSVP as soon as possible, preferably at least 2-3 days
prior to the meeting date, so we can plan the food order.
RSVP deadline is usually the night before the meeting day.

Note: RSVP is requested for this location to make sure the guard
will let you into the building. RSVP also helps us to
properly plan the meeting (food, drinks, handouts,
seating, etc.) and speed up your sign-in at the meeting.
If you forget to RSVP prior to the meeting day, you may
still be able to show up and attend our meeting, however,
we cannot guarantee what building security will do if
you are "not on the list".

-------------------------------------------------------------------

MAIN PRESENTATION
-----------------

Topic: Active Directory Integration with Unix and Linux Systems
========================================================

- Introduction
    - Speaker Background
    - BeyondTrust
    - History of Directory Services
    - Why Active Directory?
    - Unix/Linux Integration with AD
    - Demonstration
    - References

- Regulating Identities
    - Identities required for auditing and accountability
    - Directories proliferate to store identities
    - Identity Management is Decentralized
    - Islands of Identities
    - Non-standard data models

- The Holy Grail: Unified Directory
    - X.500
    - LDAP v2
    - LDAP v3
    - Active Directory

- Unified Directory
    - Single identity for authentication
    - Unified authentication
    - Not quite single sign-on (SSO)
    - Provides both authorization and authentication services in one

- LDAP Schema

- RFC 2307

- Why Active Directory?
    - Unifies authorization and authentication
    - Built-in scalability
    - Extensibility
    - Leverage existing infrastructure
    - Interoperable
    - Flexible
    - Centralized Management

- AD Integration with Unix/Linux
    - Active Directory Services (ADS) introduced with Windows 2000
    - LDAP v3 compliant
    - Kerberos compliant
    - Provides NIS capability (RFC 2307)
    - Windows client support built-in

- Unix/Linux AD Client Solutions
    - Non-standard Vendor OS
    - Native Support
    - Sun Solaris/OpenSolaris
    - HP-UX
    - AIX
    - Linux (open source)
    - OpenLDAP and SAMBA/Winbind
    - Kerberos (MIT, Heimdal, Shishi)
    - Commercial

- Unix/Linux Authorization: LDAP
    - Authorization via Name Service Switch (NSS)
    - Requires mapping or storing Unix attributes
    - SFU: Services for Unix (deprecated/unsupported)
    - IMU: Identity Management for Unix
    - DNS is integral to LDAP to locate DCs

- Unix/Linux Authentication: Kerberos
    - Authentication via PAM
    - Requires common time source (NTP)
    - DNS is integral to locate KDCs and for host name resolution
    - Benefits of using AD as KDC

- Kerberos Process

- Kerberos: Common Problems
    - Segmented/Firewalled Networks
    - DNS resolution, NSS host order
    - Clock skew errors (> 300 seconds)
    - UDP Fragmentation
    - Large groups / nested groups

- Applications
    - Applications must be "Kerberized"
    - A service principal must exist for each app
    - Requires additional integration through PAM

- Procedures/Examples for:
    - Verify AD DNS Resolution
    - Setting Time (NTP)
    - Setting Time (NTP)
    - Setup Kerberos Client
    - Verify Computer Account in AD
    - Verify Kerberos Client
    - Create Unix Group in AD
    - Create Unix User in AD
    - Add Unix User to Unix Group in AD
    - Unix Group with Unix members
    - Verify Unix User Attributes
    - Configure LDAP Client
    - Verify LDAP Client
    - Verify Unix User Authorization in AD
    - Verify Unix User Authentication to AD
    - Configure PAM for Kerberos Authn

- References


Web Resources:
--------------

Unix AD Clients:

AIX:

IBM Redbook - Integrating AIX into Heterogeneous LDAP Environments
<http://www.redbooks.ibm.com/redbooks/pdfs/sg247165.pdf>

Configuring AIX 5L for Kerberos Based Authentication Using Windows Kerberos Service
<http://www-03.ibm.com/systems/resources/systems_p_os_aix_whitepapers_aix_kerberos2.pdf>

HP-UX:

LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory
Server Administrator's Guide
<http://docs.hp.com/en/J4269-90084/index.html>

Configuration Guide for Kerberos Client Products on HP-UX
<http://docs.hp.com/en/5991-7718/index.html>

Solaris:

System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)
<http://docs.sun.com/app/docs/doc/816-4556>

Solaris 5.11 / OpenSolaris - Project Winchester
<http://hub.opensolaris.org/bin/view/Project+winchester/>

Linux Debian/Ubuntu:

SADMS
<http://sadms.sourceforge.net/>

Active Directory & Windows Server 2003/2008 R2:

Identity Management for Unix
<http://technet.microsoft.com/en-us/library/cc782782%28WS.10,printer%29.aspx>

How the Kerberos Version 5 Authentication Protocol Works
<http://technet.microsoft.com/en-us/library/cc772815%28WS.10,printer%29.aspx>

Authenticate Linux Clients with Active Directory
<http://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx?pr=blog>

BeyondTrust (formerly Symark)

PowerAdvantage Product Overview
<http://www.beyondtrust.com/products/padoverview.asp>

-------------------------------------------------------------------

Speaker Biography:
------------------

Eric Hombo, Lead Escalation Support Engineer, Beyond Trust.

Mr. Hombo holds a Bachelor's degree from Whittier College in
Mathematics with a minor in Computer Science, and has 21 years of
varied experience from a diverse set of fields. Starting from a
telecommunications background, Mr. Hombo worked to get the Whittier
College campus onto the Internet in 1988 and devised a 300 computer
network for Internet access, shared file storage and print sharing
across the campus. From there until joining BeyondTrust as Lead
Escalation Support Manager, Mr. Hombo worked with technologies
including Unix systems such as Ultrix, SunOS/Solaris, and SGI,
PCs from IBM and Apple, networking technologies both copper and
fiber based, RARP and BGP-4 protocols, Cisco and Netcom hardware,
and access methods from dialup to Fractional T-3s. His experience
also includes higher education planning, support and management
consulting, systems support management for one of the world's
largest high tech firms' basic research lab, and corporate MIS
management for one of the US's largest independent insurance
brokerage firms, an Australian furniture mover and a New Zealand
kiwi orchard pruner. He can say hello/welcome in a dozen
different languages.

-------------------------------------------------------------------

Company Biography:
------------------

BeyondTrust provides privilege authorization solutions for
heterogeneous IT environments. The BeyondTrust PowerBroker
reduces the risks associated with misuse of privileges and
theft of proprietary data, while documenting accountability to
support increasing demands of regulatory compliance required
across many industries.

BeyondTrust is relied on by more than half of the top ten
commercial banks in the U.S., some of the largest global
aerospace and defense agencies, leading pharmaceutical companies
and renowned universities. The BeyondTrust customer retention
rate is over 90%. The company is headquartered in Los Angeles,
California, with East Coast offices in the Greater Boston Area,
and EMEA offices in London, United Kingdom.

For more information about Beyond Trust, please visit:
http://www.beyondtrust.com

-------------------------------------------------------------------

Giveaways:
----------

Addison-Wesley Professional/Prentice Hall PTR, and O'Reilly have
been kind enough to provide us with review copies of some of their
books, which we will continue to raffle off as giveaways at our
meetings. The publishers always ask that the persons receiving
the books provide a review and/or feedback about their books.

Unigroup would like to thank both companies for the support
provided by their User Group programs.

As always, all of the books will be available for review at the
start of the meeting.

We have some Solaris Related CD-ROMs from our friends at the local
NYC Sun Microsystems Office.

-------------------------------------------------------------------

Fee Schedule:
-------------

Unigroup is a Professional Technical Organization and User Group,
and its members pay a yearly membership fee. For Unigroup members,
there are usually no additional charges (i.e., no meeting fees) during
their membership year. Non-members who wish to attend Unigroup
meetings are usually required to pay a "Single Meeting Fee".

    Yearly Membership (includes all meetings):      $ 50.00
    Student Yearly Membership (with current! ID):   $ 25.00
    Non-Member Single Meeting:                      $ 20.00
    Non-Member Student Single Meeting (with! ID):   $  5.00

* Payment Methods: Cash, Check, American Express.

! Students: We are looking for proof that you are
currently enrolled in classes (rather than working
full-time), and as such, your Student ID should show
a CURRENT date. We have been presented Student IDs
containing NO dates whatsoever, and in the
current environment, perpetual/non-expiring access
to university facilities just does not feel right.
If your ID contains no date, please bring
additional proof of current enrollment. Thanks,

NOTE: Simply receiving Unigroup Email Announcements does
NOT indicate membership in Unigroup.

-------------------------------------------------------------------

Food:
-----

Complimentary Food and Refreshments will be served. This
includes "wraps" such as turkey, roast beef, chicken, tuna
and grilled vegetables as well as assorted salads (potato,
tossed, pasta, etc), cookies, brownies, bottled water and
assorted SOFT beverages.

-------------------------------------------------------------------

Directions:
-----------

The Cooper Union <http://www.cooper.edu>
School of Engineering (*** New Building ***)
41 Cooper Square (3rd Avenue @ 7th St, between 6th & 7th Streets)
East Village, Manhattan
New York City
Meeting Room: 201

Located on the East side of Cooper Square. Look for the
new building with the non-traditional appearance.
Entrance is at the corner of 3rd Avenue and 7 Street.

Building lobby sign-in is required at the guard's desk.
Enter the building, check in with the guard at the lobby for
directions to Unigroup and Room 104 (1st Floor).

Nearest mass transit stations are:
    '6' to Astor Place (stops right at The Cooper Union),
        then walk 1 block East and 1 block South.
    'R' to 8th Street, then walk about 2 blocks East
        then 1 block South.
    '4/5/6/R/N/Q' to Union Square, then walk South and East.
    'B/D/F/V' to Broadway-Lafayette, then walk North and East.

Free street parking in the area becomes available at 6pm.

There are also parking lots on Broadway, at (or just south of)
Astor Place (8th Street).

-----

Please mark this meeting on your calendar and join us!
Please tell your friends about Unigroup!

----------------------------------------------------------------------------
----------------------------------------------------------------------------

< ... />

=========================================================================
= For Unigroup Information, Events and Meeting Announcements be sure to =
= visit our World Wide Web Home Page: =
= http://www.unigroup.org =
=========================================================================

For further information or to get on the Unigroup Electronic Mail Mailing
List send an EMail message to:
unilist (-a_t-) unigroup.org

To contact the Board of Directors of Unigroup, send an EMail message to:
uniboard (-a_t-) unigroup.org

If you have recently attended a meeting and you are not receiving
Email announcements, please send us an Email and we will make
corrections to our lists.

Please Email the Board with any suggestions, especially potential
meeting topics and speakers. Unigroup welcomes contributions and
content suggestions for our newsletter. Unigroup is a volunteer
organization and we need your assistance! Please let us know if you
can help!

----------------------------------------------------------------------------
----------------------------------------------------------------------------

-Rob Weiner
Unigroup Executive Director
unilist (-a_t-) unigroup.org
http://www.unigroup.org

</blockquote>


Distributed poC TINC:

Jay Sulzberger <secretary(a)lxny.org>
Corresponding Secretary LXNY
LXNY is New York's Free Computing Organization.
http://www.lxny.org