Академический Документы
Профессиональный Документы
Культура Документы
Likewise Enterprise
Manny Vellon This document describes how Likewise facilitates the implementation of enterprise
Chief Technology Officer single sign-on (SSO). It explains how Kerberos-aware applications can be
Likewise Software configured to exploit the authentication infrastructure provided by Likewise. It
explains the concepts as well as outlining the specific steps that must be taken to
enable single sign-on support in applications.
The information contained in this document represents the current view of Likewise
Software on the issues discussed as of the date of publication. Because Likewise
Software must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Likewise, and Likewise Software cannot guarantee the
accuracy of any information presented after the date of publication.
These documents are for informational purposes only. LIKEWISE SOFTWARE MAKES
NO WARRANTIES, EXPRESS OR IMPLIED.
Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored in,
or introduced into a retrieval system, or transmitted in any form, by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Likewise Software.
Likewise and the Likewise logo are either registered trademarks or trademarks of
Likewise Software in the United States and/or other countries. All other trademarks are
property of their respective owners.
Likewise Software
15395 SE 30th Place, Suite #140
Bellevue, WA 98007
USA
Table of Contents
Introduction........................................................................................... 4
What Is Single Sign-On? ...................................................................... 5
What Is Kerberos? ................................................................................ 6
How Likewise Supports SSO ............................................................... 8
Example: Open SSH ........................................................................... 10
The SSH Service Principal Name...................................................... 10
System Keytab Generation................................................................ 10
User Keytab Generation .................................................................... 11
Configuring OpenSSH....................................................................... 11
Testing SSO...................................................................................... 12
Example: Apache Tomcat .................................................................. 13
Summary ............................................................................................. 14
For More Information.......................................................................... 15
Introduction
Likewise allows Linux and UNIX computers to authenticate and authorize
users through Microsoft Active Directory. This provides many benefits:
What Is Kerberos?
Kerberos is an authentication protocol that facilitates the implementation
of SSO. It was developed at MIT in the late 1980's as part of the Athena
project. It was originally described in RFC 1510 but its modern
incarnation is described by RFC 4120. Both of these documents can be
viewed at http://www.rfc-archive.org/.
To accomplish these goals, Likewise must assure that Linux and UNIX
are properly configured for Kerberos authentication. A side benefit of this
is that Likewise assures that Kerberos is properly configured for use by
other applications.
Here's a brief list of things that Likewise does to ensure that the Kerberos
authentication infrastructure is properly configured and "healthy":
host/<server name>@<REALMNAME>
host/fozzie.mycorp.com@MYCORP.COM
Note that the Kerberos realm name is the computer's domain name
using capital letters.
2. Run the ktpass utility in Windows to associate the SSH SPN with
the service account and to generate a keytab for it.
When the user runs the ssh program and OpenSSH determines that it
will use Kerberos authentication, it will need to access a keytab for the
user so that it can obtain a service ticket for the service/computer to
which it is trying to connect. This keytab must be created using the user's
account name and password. Manually, this can be performed by using
the Linux/UNIX kinit utility. Likewise, however, does it automatically when
the user logs into the computer. On most systems, the user keytab is
placed in the /tmp directory and named krb5cc_<UID> where <UID> is
the numeric user id as assigned by the system.
Configuring OpenSSH
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Likewise will add these lines to the appropriate files, if not already
present.
Testing SSO
Summary
Enterprise single sign-on provides great user convenience. In addition to
only having to remember a single username and password, SSO also
implies that these credentials only need to be entered once.
For technical questions or support for the 30-day free trial, e-mail
support@likewisesoftware.com.
ABOUT LIKEWISE