Building the Ultimate Home Authentication Server
Note: This article was originally written in December 2005
In this article, we will be discussing a project I undertook that truely embodies the spirit of “Household Enterprise Computing.” This was a project to build a mostly-dedicated all-in-one authentication and authorization server for my home network. Now as it should be obvious, I don’t have your run-of-the-mill home network. As such, this server rolls together the sorts of services typically only found in large corporate and/or campus networks and spread amongst multiple machines.
Right up front, I’ll clarify the terms “authentication” and “authorization,” since they do imply different services and I did implement them differently (using Kerberos and LDAP, respectively). I should mention that these definitions came from Wikipedia.
Authentication refers to the confirmation that a user who is requesting services is a valid user of the network services requested. Authentication is accomplished via the presentation of an identity and credentials.
Authorization refers to the granting of specific types of service (including “no service”) to a user, based on their authentication, what services they are requesting, and the current system state. Authorization may be based on restrictions, for example time-of-day restrictions, or physical location restrictions, or restrictions against multiple logins by the same user. Authorization determines the nature of the service which is granted to a user.
In actuality, I won’t be going into depth on each of the components of this project in this article itself. Rather, I’ll be discussing a higher level view of what I did, and what environment it sits in. For specific service configuration details, I’ll link to other articles as appropriate. The reason for this is so that I can add content incrementally, and so no single article becomes too lengthy.
The goal of this project was to bring together all of my user-facing “stuff” under a single infrastructure for user accounts. This includes a servers running Solaris, FreeBSD, and Windows (SunPCi II card inside the Solaris machine). It also includes my wireless access point, and my internet-facing Cisco router.
Prior to embarking on this project, my multi-user access servers used good ‘ole NIS. Everything else was standalone.
Heading into this project, I had the following machine ready:
- Sun Netra T1 105
- Processor: UltraSPARC-IIi 360MHz
- RAM: 256MB
- Disk: 2 x 9GB (mirrored with SVM)
- OS: Solaris 10
As such, I’ll assume you’re capable of digging up a server and installing and patching the base operating system. This writeup assumes the auth server is running Solaris 10, though you can probably still re-use the concepts and a sizable portion of the content on other operating systems.
On the auth server, I installed and configured the following software:
- LDAP - Sun Java System Directory Server 5.2 2005Q4
- Kerberos - Sun Enterprise Authentication Mechanism (SEAM)
- Support libraries:
- Windows PDC - Samba 3.0.20b
- RADIUS - FreeRadius 1.0.5
(Note: OpenLDAP and MIT KerberosV are installed just for their libraries and headers, since other open-source software typically depends on them. They are not used in any service-providing capacity in and of themeselves.)
On the client end, I configured the following systems and devices to authenticate users against the auth server:
- Solaris 10 (LDAP+Kerberos)
- FreeBSD 6.0 (LDAP+Kerberos)
- Windows 2000 (Samba)
- Linksys WAP54G WPA (RADIUS)
- Cisco IOS 12.2 (RADIUS)
(Note: Samba uses LDAP to store user information on the back-end, while my RADIUS setup actually uses both LDAP for authorization and Kerberos for authentication on the back-end.)
For the actual write-ups on how to configure all of this, I’ve split things apart into the following articles:
- Installation and Configuration of an LDAP server and a Kerberos KDC on Solaris 10, using Sun JSDS LDAP and Sun SEAM Kerberos
- Configuring user authentication against LDAP+Kerberos on Solaris 10
- Configuring user authentication against LDAP+Kerberos on FreeBSD 6.0
- Building OpenLDAP and MIT KerberosV as support libraries on Solaris 10
- Installation and configuration of Samba with LDAP (server and client)
- Installation and configuration of FreeRadius using LDAP to authenticate users on a Linksys WAP54G and a Cisco router.
- Installation and Configuration of Sendmail (with SMTP AUTH + SSL) and Cyrus IMAP (with SSL) using LDAP+Kerberos for user authentication
(Note: The the above-mentioned topics are actually a laundry list for what I feel I should have written. At this point, I doubt anything more will be documented.)