Application Notes, Tools, and Guidance
Unix Integration and Compliance
These detailed documents, tools, and resources provide specific direction, and even software, to help implement Dell solutions for simplifying identity management with a number of popular applications, open source projects, and implementation requirements. Many of these documents, guidance, and solutions are available through the Resource Central site.
The Authentication Services product has been renamed. The update process has not been fully implemented in all the documents available from this page. Rest assured that functionality, features, and benefits remain unchanged if a document does not use the new product name.
Guidance - Sybase Adaptive Server Enterprise Configuration Guidance for Authentication Services
This document provides basic guidance on the configuration of Sybase Adaptive Server Enterprise (ASE) to enable Active Directory (AD) authentication through Authentication Services to achieve centralized authentication and transparent single sign-on for Sybase ASE accounts. Download this document
Authentication Services Single Sign-on for SAP
The Authentication Services and SAP SNC Solution provides a greatly increased level of security, identity integration, centralized auditing, data integrity and security, and user experience. Integrating Unix and Linux hosts with Active Directory through Authentication Services allows SAP clients and servers to use the SAP SNC interface with a common security and authentication infrastructure, and to fully leverage the ability of Windows XP and Windows Professional desktops to provide a secure authentication token in the form of a Kerberos ticket, while retaining the benefits of continued deployment of SAP R/3 server solutions on Unix hosts. Download this document
Guidance - Using Vendor SSH Tools with Authentication Services
This document describes the vendor SSH tools tested by Dell against Active Directory login and single sign-on functionality with Authentication Services, and what configuration was required for them to work. Download this document
Using One Time Passwords with Authentication Services and Verisign Unified Authentication 4.1
This guide is provided to assist in the integration of Verisign Unified Authentication (UA) and the Authentication Services product. This integration guide will provide guidance on how to configure a two-factor authentication solution that leverages the benefits of your Active Directory infrastructure. Download this document
Using One Time Passwords with Authentication Services and RSA SecurID
This guide is provided to assist in the integration of RSA SecurID and Dell’s Authentication Services product. This integration guide will provide guidance on how to configure a two-factor authentication solution that leverages the benefits of your Active Directory infrastructure. Download this document
Applying Authentication Services Group Policy at the Host Level
This 'best practices' document describes how to apply an individual policy to a specific Unix server, servers, or group(s) of servers. This is the preferred method for access control. Download this document
Authentication Services Support for Windows Group Policy Settings
This document describes how Windows Group Policy settings relate to Authentication Services. Download this document
Managing Unix Application Accounts with Active Directory and Authentication Services
This 'technical note' discusses managing Unix application accounts with Active Directory as those systems have joined the AD domain through Authentication Services. Download this document
Extending MIIS 2003 to Provision Unix and Linux Accounts with Authentication Services - Application Note
This Application Note discusses using Authentication Services and Microsoft Identity Integration Server (MIIS) to automatically provision true, automated, enterprise-wide single sign-on for Unix and Linux systems. Provisioning users on Unix and Linux systems is made simple by the use of MIIS and Authentication Services. Authentication Services allows Unix and Linux platforms to integrate with Active Directory (AD) in a way comparable to the way Windows clients authenticate, while MIIS 2003 is a centralized service that stores and integrates identity information for organizations with multiple directories. Download this document
Name Mapping Active Directory Authentication Services Users and Groups on a NetApp Filer
This Technical Note provides step-by-step guidance on how to configure an Authentication Services Unix client to service a NetApp Filer. Download this document
Configuring NetApp Storage System for use with Active Directory and Authentication Services
The purpose of this document is to describe the configuration necessary to allow NetApp® storage systems to leverage the Unix identity data stored by Authentication Services in Active Directory (AD). Download this document
NIS Migration to Active Directory
This Technical Note discusses migrating and managing multiple NIS domains to Active Directory using Authentication Services’ Unix Personality Management. Download this document
OpenSSH is an open-source implementation of the SSH protocol. SSH provides secure, encrypted remote login, secure file transfer, and other secure communication services. The OpenSSH project's web site is at www.openssh.org.
The OpenSSH provided by Resource Central is an adaptation of OpenSSH-portable modified to provide default single sign-on capability for Dell customers using the Authentication Services and/or Management eXtensions for SMS (VMX) products. Dell's version of OpenSSH defaults to authenticating users via the GSSAPI-with-MIC mechanism, and authenticating hosts using GSSAPI-KEX. Dell-OpenSSH works in conjunction with Authentication Services to allow secure shell single sign-on to Unix hosts that have been joined to Active Directory domains.
Each platform package includes both the client, ssh, and the server, sshd.
Access this resource now
PuTTY from Dell is a derivative of Simon Tatham's PuTTY, an open-source Secure Shell (SSH) client for Windows. It includes:
- PuTTY - easy-to-use terminal emulation client
- plink - a command-line session and tunneling tool
- psftp - the secure file transfer tool
- pscp - an OpenSSH-compatible secure copy tool
Dell has extended PuTTY with the following features:
Active Directory (GSSAPI Kerberos) single sign-on
Dell PuTTY uses the Windows user's login credentials to automatically authenticate against a GSSAPI-enabled SSH server such as OpenSSH. Specifically, the credentials are obtained from the Microsoft Kerberos SSPI, and exchanged using the GSSKEX, gssapi-with-mic and gss-keyex mechanisms.
Group Policy control
Dell PuTTY configuration defaults can be changed using group policy, and some configuration options can be limited or locked by group policy. Access this resource now
mod_auth_vas is an Apache authentication and authorization module for use with the Apache web server, versions 1.x and 2.x.
The module uses Authentication Services to implement the HTTP SPNEGO protocol, with optional fallback to 'Basic' authentication for browsers that do not support SPNEGO. In effect, mod_auth_vas allows the Apache web server to perform Windows Integrated Authentication (single sign-on).
Browsers that can authenticate using SPNEGO automatically (without prompting for a password) include Internet Explorer and Firefox.
Samba for Authentication Services
Samba is a Unix implementation of the Microsoft Windows network filesystem protocol (CIFS or SMB). With Samba you can access Unix filesystems from Windows, and vice versa.
Our Samba solution consists of two packages:
- quest-samba - a standalone package containing the Samba server and client tools. This independent, GPL package has a default configuration that interoperates with Authentication Services through Kerberos configuration, keytab and LDAP interfaces.
- quest-vasidmap - a helper package that provides Samba servers with accurate identity information for Unix-enabled Active Directory users. We recommend that it be used in all installations, but it is required for servers using Authentication Services' UPM feature (Unix personality management).
These packages provide Authentication Services customers with single sign-on, authenticated CIFS service for Unix clients and servers in an Active Directory environment. Our enhancements include:
- tools default to using single sign-on (Kerberos/Active Directory)
- simplified installation and configuration instructions
- a post-install configuration script for quest-vasidmapd
Please see the installation guide for full instructions and troubleshooting.
Access this resource now
Kerberized Unix System Applications
These consist of Kerberos-enabled TELNET, FTP, RSH/RCP clients and servers packaged for Authentication Services-enabled platforms. These tools give users the benefits of single sign-on for the more traditional remote access tools.
Clients: telnet, ftp, rsh, rcp
Servers: telnetd, ftpd, rshd
Resource Central recommends the use of OpenSSH over Kerberized Apps tools where possible. OpenSSH is generally more flexible, better supported, and provides stronger security.
This software is substantially based on the apps component of Heimdal Kerberos.
Access this resource now
Sudo is a tool that allows commands to be run as root or other users, with command logging and fine-grained access controls.
Dell Sudo adds two features to the standard Sudo application: Active Directory group matching for access controls, and newgrp-style group changing.
Active Directory group matching
Dell Sudo can use Authentication Services to make access control decisions based on Active Directory group memberships – even for groups that are not Unix-enabled.
newgrp-style group changing
Dell Sudo adds the ability for users to change their primary group to any group permitted by the system administrator. This provides a more secure mechanism than newgrp by avoiding the need for shared passwords.
Access this resource now
DB2 UDB 8.2 System Authentication (db2_sys-auth)
db2_sys-auth is a security plugin for DB2 UDB 8.2 that authenticates users using PAM or AIX's LAM. With VAS, this plugin allows Unix-enabled Active Directory users to use your databases.
The plugin uses getgrent calls to determine group membership (getgrset on AIX), getpwnam to validate user names, and LAM/PAM to authenticate. This means DB2 can now make use of any authentication system that provides an NSS interface for information (administrative domains on AIX), and LAM/PAM for authentication. This includes VAS, LDAP, NIS and other third-party external systems.
This plugin is suitable for DB2 UDB 8.2/9.1 Server, Client, and Groups products.
Access this resource now