EMC Celerra Version 5.6 Technical Primer: Directory-Based Administrative User Authentication Technology Concepts and Business Considerations


Abstract

Security best practices increasingly dictate the authentication of user credentials against a central directory. Doing so helps to ensure that the organization has an appropriate mechanism to manage accounts in a way that is favorable to security policies, compliance requirements, and regulations, and that helps the organization react quickly to account compromises. Celerra® DART 5.6 provides this capability for Celerra administrative (Control Station) users. This white paper discusses that functionality as well as improvements in the management of Celerra administrative users.

May 2008

Copyright © 2008 EMC Corporation. All rights reserved. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. All other trademarks used herein are the property of their respective owners.

Part Number H4423

Table of Contents

Executive summary ... 4
    Business problem ... 4
    Technical problem ... 4
    Feature introduction ... 4
    What’s new ... 4
Introduction ... 5
    Audience ... 5
    Terminology ... 5
Detailed overview ... 6
    Architecture ... 6
        User and group mapping databases ... 6
        Authentication paths ... 7
        User and group management ... 8
        Installing and upgrading ... 9
    Limitations ... 10
    Compatibility with older releases ... 11
Conclusion ... 11
References ... 11


Executive summary

Business problem

Security best practices increasingly dictate the authentication of user credentials against a central directory. Some customers are even finding that their security organizations are mandating this practice. Authentication against a central directory provides many benefits:

• A single place for account management
• A single password for the user
• The ability to rapidly disable authentication privileges across the enterprise in the event of an account compromise or terminated user
• Compliance with internal and external regulations or security policies

Technical problem

EMC® Celerra® is a repository for mission-critical, sometimes sensitive data. Losing or misusing that data can be very costly in both monetary and public relations terms. Thus, Celerra customers often (and increasingly) need directory-based authentication of users who administer the Celerra for the security-related reasons outlined above.

Feature introduction

Celerra now has the ability to authenticate its Control Station (that is, administrative) users against any LDAPv3-capable directory server. This includes Microsoft Active Directory, Open LDAP, and iPlanet/SunOne. Further, Celerra now offers its customers the ability to manage Control Station user accounts (both local and directory-based) from Celerra Manager. A Celerra security operator privilege level is required to manage all Celerra administrative accounts. EMC recommends that all customers upgrading to or implementing a Celerra DART 5.6 or later release consider implementing this functionality in their environment. By implementing this functionality – particularly the use of domain-mapped users and role-based administration – customers will be implementing a best practice for security.

What’s new

Directory-based administrative user authentication is new functionality on the Celerra DART 5.6 Control Station, adding the following features:

• Ability to map Control Station users and groups to an LDAP directory source using what are called “domain-mapped accounts”
• Optional auto-creation of domain-mapped accounts to expedite initial setup and ease administration
• Full integration [1] of both local Control Station users and groups and domain-mapped Control Station users and groups with the new administrative roles functionality
• Full management of both local Control Station users and groups and domain-mapped Control Station users and groups using Celerra Manager

[1] Celerra Manager and XML API only. Most CLI commands do not support role enforcement at this time. See the white paper EMC Celerra Version 5.6 Technical Primer: Role-Based Administration for Delegated Celerra Management for more information.


Administrative user authentication also affects existing functionality. Celerra administrators can no longer create and manage Control Station user accounts using the CLI. Account management CLI commands have been hidden. This was an intentional design decision. Native Linux user management commands cannot manage the integration of accounts with roles and cannot manage directory-based accounts so they should not be used.

Introduction

This white paper discusses the security drivers behind central user and group management, and the ways that Celerra supports LDAP-based central user and group management mechanisms for those users who administer the Celerra. Topics discussed will include:

• Introduction to new Control Station account types
• Technical overview of the authentication process
• Management of users and groups
• Installation and upgrade considerations

Audience

The intended audience is customers, including IT planners, storage architects, and administrators, involved in evaluating, acquiring, managing, operating, or designing an EMC networked storage environment.

Terminology

Directory server: A server that stores and organizes information about a computer network’s users and network resources, and that allows network administrators to manage users’ access to the resources. X.500 is the best-known open directory service. Proprietary directory services include Microsoft's Active Directory.

Domain: A logical grouping of Microsoft Windows servers and other computers that share common security and user account information. All resources such as computers and users are domain members and have an account in the domain that uniquely identifies them. The domain administrator creates one user account for each user in the domain, and the users log in to the domain once. Users do not log in to each individual server.

Domain-mapped account: A Control Station local user or group account that is mapped to a set of domain credentials. The domain credentials are used to authenticate and authorize an administrative user logging in to the Celerra system.

Group identifier (GID): A numeric identifier assigned to a particular group of users.

LDAP-based directory: The OpenLDAP or iPlanet (also known as Sun Java System Directory Server and Sun ONE Directory Server) distributed directory servers.

Lightweight Directory Access Protocol (LDAP): An industry-standard information access protocol that runs directly over TCP/IP. It is the primary access protocol for Active Directory and LDAP-based directory servers. LDAP version 3 is defined by a set of Proposed Standard documents in Internet Engineering Task Force (IETF) RFC 2251.

User identifier (UID): A numeric identifier that corresponds to a particular user.


Detailed overview

Architecture

When discussing administrative user authentication, it is important to understand the new user and group management concepts on the Control Station:

• Group account types – Group accounts may be either local or domain-mapped. Both result in entries in the /etc/group file, but the group file entries for domain-mapped groups are strictly to give the domain-mapped group a GID on the Control Station. Domain-mapped group membership is managed and stored only within the directory server. It is important to note that if the group account is deleted in the directory, its local domain-mapped group account will remain on the Control Station until it is deleted.

• User account types – User accounts may be either local or domain-mapped. Both result in entries in the /etc/passwd file, but the passwd file entries for domain-mapped users are strictly to give the domain-mapped user a UID on the Control Station and to control client access (login) privileges. A domain-mapped user’s password is stored only in the directory server and its domain group membership is also stored only within the directory server. Since a domain-mapped user account may belong to a local Control Station group, it is possible for a group account in /etc/group to contain a domain-mapped user in its membership list. It is important to note that if the user account is deleted in the directory, its local domain-mapped user account will remain on the Control Station until it is deleted. All domain-mapped users must belong to at least one domain-mapped group within the directory server. Otherwise they are not permitted to log in to the Control Station (membership in a local group is not sufficient). This enables the Control Station to provide automatic domain-mapped user account creation while still controlling which domain users are permitted access.

• Automatic account creation – There is an optional setting in the domain settings that enables Control Station domain-mapped user accounts to be created automatically when authorized domain users log in to the Control Station. When this setting is turned on, any domain user account that belongs to a domain-mapped group (which must map to a valid domain group) is permitted to log in to the Control Station. If a domain-mapped account does not already exist locally on the Control Station for that user then one will be created by the software during the login process. This is very useful in multi-Celerra environments as it allows you to control who can log in to the Celerras simply by managing one or more domain groups within the directory. Changes to a user’s domain group membership are automatically recognized by the Celerra when the user attempts to log in through one of the Celerra management interfaces. When putting a new Celerra into production you just have to set up the domain settings and add the domain-mapped group accounts. You do not need to worry about manually adding domain-mapped user accounts.

Architecturally the new administrative user authentication functionality involves changes in the following areas of the Control Station:

• User and group mapping databases
• Authentication paths for the CLI, Celerra Manager, and XML API
• User and group management

User and group mapping databases

Several new user and group mapping databases have been implemented on the Control Station. These databases store information such as whether users and groups are local or domain-mapped, what UIDs and GIDs the domain users and groups map to, and what role is associated with each group. These databases should not be edited by hand unless instructed to do so by EMC Support.

Authentication paths

When a user logs in, the authentication subsystems call a Celerra utility that makes sure users and groups are authenticated either locally or against the LDAP server, whichever is appropriate. A critical part of configuring directory-based authentication is providing LDAP configuration information to this Celerra utility through the Domain Settings screen in Celerra Manager. On the Domain Settings screen you must supply which LDAP servers to use, which account to connect as, the account password (stored encrypted), and paths to user and group objects in the LDAP server. You can – and are encouraged to – use a dedicated account with a lower privilege level (such as “Domain Guest”) to connect the Control Station to the LDAP server. Consult the appendix of the Celerra Security Configuration Guide for detailed instructions on finding this information.

Figure 1 on page 8 shows the typical authentication sequence for domain-mapped users who attempt to log in to the Control Station. It consists of the following basic steps:

1. The Control Station creates a connection (binds) to the LDAP server using the account credentials supplied on the Celerra Manager Domain Settings screen.
2. The user’s account information is retrieved.
3. The user’s directory group membership is retrieved.
4. The user’s credentials are validated by connecting (binding) to the directory server as the specified user account with the password supplied by the authenticating user on the login screen.
5. The Control Station unbinds from the LDAP server.
6. The user’s domain group membership is examined.
7. Finally, Celerra allows login if all of the following are true. Otherwise, login is denied.
   - Authentication (binding) has succeeded (see step 4).
   - The user has an existing domain-mapped user account on the Control Station or automatic account creation is enabled.
   - The user is a member (in the directory) of at least one domain-mapped group.
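The following is an added example, not Celerra code, that models the account rules from the Architecture section and the seven-step login decision above against an in-memory stand-in for the LDAP directory. The FakeDirectory and ControlStation classes, the DNs, user names, and the UIDs/GIDs in build_demo() are all constructed for illustration; the only behaviour taken from the paper is the decision logic: bind with the Domain Settings account, look the user up, fetch group membership, bind as the user, then allow login only if the user bind succeeded, the user is in at least one domain-mapped group (a local group does not count), and a local domain-mapped account either exists or auto-creation is on.

```python
# Added example (not Celerra code): simulation of the domain-mapped login
# decision. FakeDirectory stands in for an LDAPv3 server; ControlStation holds
# the Domain Settings, the domain-mapped group table and the local mapped-user
# table. All DNs, names, UIDs and GIDs are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class FakeDirectory:
    """In-memory stand-in for the LDAP server: DN -> password, DN -> group DNs."""
    passwords: dict
    memberships: dict

    def bind(self, dn, password):
        # Simple bind: succeeds only when the DN exists and the password matches.
        return self.passwords.get(dn) == password

    def find_user(self, bind_dn, bind_pw, user_base, name):
        # Step 1: bind with the (low-privilege) account from Domain Settings.
        if not self.bind(bind_dn, bind_pw):
            raise PermissionError("Domain Settings bind account was rejected")
        # Step 2: look the user up under the configured user path.
        dn = f"uid={name},{user_base}"
        return dn if dn in self.passwords else None

    def groups_of(self, dn):
        # Step 3: the user's directory group membership.
        return set(self.memberships.get(dn, ()))


@dataclass
class ControlStation:
    domain_settings: dict             # bind_dn, bind_pw, user_base
    mapped_groups: dict               # directory group DN -> local GID
    mapped_users: dict = field(default_factory=dict)  # login name -> local UID
    auto_create: bool = False
    next_uid: int = 1000

    def login(self, directory, name, password):
        """Return (allowed, reason) for a domain-mapped login attempt."""
        s = self.domain_settings
        user_dn = directory.find_user(s["bind_dn"], s["bind_pw"], s["user_base"], name)
        if user_dn is None:
            # Deleting the user in the directory leaves the local mapped
            # account in place, but the login stops here.
            return False, "no such directory user"
        groups = directory.groups_of(user_dn)
        # Step 4: validate the user's own credentials with a second bind
        # (step 5, the unbind, has no state to model here).
        authenticated = directory.bind(user_dn, password)
        # Step 6: membership in at least one domain-mapped group is required;
        # membership in a purely local Control Station group does not count.
        in_mapped_group = bool(groups & set(self.mapped_groups))
        # Step 7: every condition must hold, otherwise login is denied.
        if not authenticated:
            return False, "bad credentials"
        if not in_mapped_group:
            return False, "not a member of any domain-mapped group"
        if name not in self.mapped_users:
            if not self.auto_create:
                return False, "no domain-mapped account and auto-create is off"
            # Automatic account creation: assign a local UID during login.
            self.mapped_users[name] = self.next_uid
            self.next_uid += 1
        return True, "ok"


def build_demo():
    """Constructed sample directory and Control Station state."""
    base = "dc=example,dc=test"
    storage_admins = f"cn=storage-admins,ou=groups,{base}"
    helpdesk = f"cn=helpdesk,ou=groups,{base}"
    directory = FakeDirectory(
        passwords={
            f"cn=svc-celerra-ro,ou=service,{base}": "svc-pw",
            f"uid=alice,ou=people,{base}": "alice-pw",
            f"uid=bob,ou=people,{base}": "bob-pw",
            f"uid=carol,ou=people,{base}": "carol-pw",
        },
        memberships={
            f"uid=alice,ou=people,{base}": {storage_admins},
            f"uid=bob,ou=people,{base}": {storage_admins, helpdesk},
            f"uid=carol,ou=people,{base}": {helpdesk},
        },
    )
    cs = ControlStation(
        domain_settings={
            "bind_dn": f"cn=svc-celerra-ro,ou=service,{base}",
            "bind_pw": "svc-pw",
            "user_base": f"ou=people,{base}",
        },
        mapped_groups={storage_admins: 5001},  # only this group is domain-mapped
        mapped_users={"alice": 1001},          # alice already has a local mapped account
    )
    return cs, directory


if __name__ == "__main__":
    cs, d = build_demo()
    for name, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "carol-pw")]:
        print(name, cs.login(d, name, pw))
```

With auto_create left off, alice (existing mapped account, in the mapped group) is allowed, bob is refused for lacking a local mapped account even though he is in the mapped group, and carol is refused because helpdesk is not a domain-mapped group. Switching auto_create on admits bob and creates his local UID on the fly, which is the multi-Celerra workflow the paper describes: membership in the directory group, not a per-system account, is what grants access.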


Figure 1. Authentication sequence for domain-mapped users

Celerra authenticates local Control Station users through the normal Linux mechanisms.

User and group management

Celerra Manager supports management of all the administrative user authentication functionality through the Security > Administrators screen, as shown in Figure 2 on page 9. Further, Celerra Manager is now the only supported mechanism for managing users (both local and domain-mapped). Traditional Linux user and group management commands, such as useradd, are deprecated and should not be used for the management of login accounts.


Figure 2. Celerra Manager offers full management of Celerra administrative users, groups, and roles under the Security > Administrators screen

Installing and upgrading

Upon installation or upgrade, the DART 5.6 software creates some additional system-defined group accounts. Figure 3 shows a list of these groups. System-defined groups cannot be managed.

Figure 3. System-defined groups and their corresponding roles

The following upgrade scenarios need special consideration:




• Prior to upgrade, ensure there are no duplicate UIDs or GIDs in the /etc/passwd and /etc/group files on the Control Station.

• Prior to upgrade, ensure that NIS is not enabled on the Control Station. If it is enabled, then disable it. In other words, the Control Station should not be a member of a NIS domain. (Aside from the technical considerations of this functionality, the Control Station is a purpose-built machine and EMC does not recommend NIS as an authentication mechanism.)

• Scripts used to create and manage local Control Station user accounts on the CLI will be affected. These scripts will not work after upgrade because the CLI user management commands have been intentionally removed. During upgrade planning, you should determine how your local account creation process needs to be altered. EMC strongly recommends that you look at changing to the use of domain-mapped Control Station accounts.

• After the upgrade, all Control Station local user accounts are assigned one or more roles. The role assigned to each user account depends upon its group membership, but most local user accounts are members of the nasadmin (201) group and therefore would be assigned to the nasadmin role.
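The first upgrade scenario, duplicate UIDs or GIDs, is easy to miss by eye because the same number can sit in entries far apart in the file. The following added example, not Celerra code, checks passwd- and group-format text for numeric ids shared by more than one entry. The sample file contents are constructed (the nasadmin GID 201 is the only value taken from the paper); on a Control Station you would pass the contents of /etc/passwd and /etc/group instead.

```python
# Added example (not Celerra code): pre-upgrade check for duplicate UIDs and
# GIDs in passwd- and group-format data. The sample contents below are
# constructed; feed it the real /etc/passwd and /etc/group on a Control Station.
from collections import defaultdict


def duplicate_ids(text):
    """Map each numeric id used by more than one entry to the names using it.

    /etc/passwd and /etc/group are both colon-separated with the account name
    in field 0 and the numeric UID or GID in field 2, so one parser serves both.
    """
    owners = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed entry; outside the scope of this check
        owners[int(fields[2])].append(fields[0])
    return {num: names for num, names in owners.items() if len(names) > 1}


def upgrade_precheck(passwd_text, group_text):
    """Return the duplicate UIDs and GIDs; both empty means the check passed."""
    return {"uid": duplicate_ids(passwd_text), "gid": duplicate_ids(group_text)}


# Constructed sample content: 'backup' reuses UID 500 and 'ops' reuses GID 201.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nasadmin:x:500:201:Celerra admin:/home/nasadmin:/bin/bash
backup:x:500:201:Backup operator:/home/backup:/bin/bash
auditor:x:501:201:Auditor:/home/auditor:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
nasadmin:x:201:nasadmin,auditor
ops:x:201:backup
"""

if __name__ == "__main__":
    # Against the sample data this reports UID 500 and GID 201 as duplicated.
    print(upgrade_precheck(SAMPLE_PASSWD, SAMPLE_GROUP))
```

Resolve every reported duplicate before upgrading, since the new mapping databases key users and groups by their numeric ids and a shared id makes role assignment ambiguous.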

Limitations

• Native Linux account management commands (such as useradd) are no longer supported for the management of login accounts. (The exception is passwd, which is still supported for local Control Station user accounts.)

• User account management, group account management, and role management may only be performed through Celerra Manager.

• There are no known limits to the number of Control Station users or groups (local or domain-mapped) that may be defined, although it is anticipated that you will have fewer than 10 administrative accounts.

• The Control Station cannot use DNS to find domain controllers at this time. LDAP servers (such as domain controllers) must be specified explicitly as a primary and a backup. Development is aware of the need for better DNS integration and hopes to change this in a future release.

• The Control Station cannot auto-discover domain user and group paths.

• Only two LDAP servers may be specified.

• Domain-mapped users cannot log in if both LDAP servers are unavailable. (There is no caching of domain credentials on the Control Station.)

• Domain-mapped users may not be added to domain-mapped groups at the Control Station. Add a domain-mapped user to a domain-mapped group at the directory server level. Once the change is reflected in the directory, it is picked up by the Control Station the next time the domain-mapped user logs in.

• The Control Station cannot update the LDAP directory. The Control Station accesses the directory in a read-only fashion. Therefore, account properties such as passwords for domain-mapped users and groups may not be changed on the Control Station.


Compatibility with older releases

There is no interaction of this functionality with other Celerra Control Stations. This functionality is contained within the Control Station on which it is configured. Thus, no compatibility concerns exist. Older releases will use the authentication mechanisms supported in those releases.

Conclusion

A widely accepted best practice for security is to centrally store and manage user account information. This model brings many benefits in computer security, administrative convenience, and user convenience. Celerra DART 5.6 now enables customers to take advantage of their LDAP-capable central user and group directories, and it provides full user management capabilities through the Celerra Manager graphical user interface. In addition to providing a mechanism for specifying domain users that have access to the Celerra management interfaces, the Celerra Control Station provides a mechanism to create and maintain lists of privileged users in the directory (using group membership) rather than in the Celerra. This automatic mapping mechanism greatly eases and simplifies user management on the Celerra – particularly in multi-Celerra environments.

References

Name: Celerra Security Configuration Guide
Type: Technical Publication
URL: See the 5.6 Celerra documentation CD
Audience: Customer
Technical Depth: High

Name: Celerra Manager Online Help System
Type: Technical Publication (Help System)
URL: See the 5.6 Celerra documentation CD, or Celerra Manager
Audience: Customer
Technical Depth: High

Name: EMC Celerra Version 5.6 Technical Primer: Role-Based Administration for Delegated Celerra Management
Type: White Paper
URL: http://powerlink.emc.com
Audience: Customer
Technical Depth: Low
