Platform Services enables a system to utilize the core driver functions. A platform can use Authentication Services for some or all users, and can use Identity Provisioning in maintaining some or all local user accounts and groups. For a complete account redirection solution, a platform can use the Name Service Switch and Platform Services Cache Daemon for some or all users.
Some types of platforms communicate with Authentication Services using SSL, and others use DES encryption. All platform communication with Event Journal Services uses SSL.
A platform that uses SSL-based communication must have a valid certificate to communicate with the core driver for most functions. A platform that uses DES encryption must use the same DES key as defined for it in the core driver configuration.
The Identity Manager Fan-Out driver does not support authentication or password changes for eDirectory users who have a null password.
Figure 2-2 Platform Services
Management of users and groups on the platform is carried out by Receiver scripts, which are called by the Platform Receiver based on provisioning events obtained from the core driver.
The Platform Receiver connects to the Event Journal Services component of the core driver, requests provisioning events, and runs a script to carry out the appropriate platform-specific processing for the given type of event. The Platform Receiver provides failover support for connections to Event Journal Services if more than one core driver is available.
Receiver scripts are run by the Platform Receiver to process provisioning events.
The Identity Manager Fan-Out driver provides a set of fully functional base scripts in the customary scripting language for each supported platform. You can extend these base scripts as appropriate for your needs.
The Receiver script functions are
Add User
Modify User
Delete User
Delete User Pending
Enable User
Disable User
Rename User
Add User to Group
Remove User from Group
Add Group
Modify Group
Delete Group
Delete Group Pending
Rename Group
Authentication redirection is handled by the Platform Services Process, which is called by the System Intercept. The Platform Services Process is also called by applications using the AS Client API.
Platforms that use password replication receive notification of password changes in eDirectory through the Platform Receiver and send notification of local password changes detected by the password change intercept to the core driver using the Platform Services Process.
Account redirection is handled by the Platform Services Cache Daemon, which is called by the Name Service Switch. Platforms that are configured for account redirection use a local memory cache pool for account records and retrieve all account and password information from this cache.
The Platform Services Process establishes and maintains connections to core drivers for Authentication Services, and provides load balancing and failover among them. These connections are used to provide Authentication Services to the platform.
The Platform Services Cache Daemon establishes and maintains a connection to a core driver and receives event data from Event Journal Services. This data is stored away in memory cache and used to supply account information to the Name Service Switch.
The AS Client API provides a programming interface to Authentication Services. It is furnished as routines that can be called from C and Java*. The AS Client API incudes functions to
Validate a user ID/password combination
Change a user's password, given the current password
Perform an administrative password reset
Obtain the fully distinguished name for a user ID
Determine if a user has Security Equal To a given object
Determine if an object has the specified effective rights to the specified attribute of a given object
Obtain a list of members of a group
Obtain a list of security equivalences for a user
Obtain the eDirectory Home Directory attribute value for a user
Determine if a given user is in the Authentication Services Include/Exclude list
For details about using the AS Client API, see the API Developer Guide.
The System Intercept is called by the native security system for password verification and password change. Because passwords are checked using eDirectory or, on supported platforms, replicated from eDirectory, a user has the same password throughout the enterprise, regardless of the platform used.
System Intercepts are implemented using standard, vendor-provided mechanisms.
There are two methods for providing users with the same password across the platforms in your enterprise.
Password Redirection: Requests to check passwords are intercepted at the platform and redirected to objects in eDirectory. The end result is that the user has the same password on all systems.
Password Replication: Changes to passwords are intercepted and replicated between eDirectory and participating platforms. As with password redirection, the end result is that the user has the same password on all systems.
The following table shows the Authentication Services methods available for each platform OS type:
Table 2-1 Authentication Services by Operating System
Platform OS Type |
Authentication Services Method |
---|---|
z/OS |
Password redirection, Password replication (optional) |
OS/400 |
Password replication |
UNIX |
Password redirection, Password replication (optional) |
Platforms that use password redirection employ a System Intercept to gain control when a password is to be verified. The System Intercept passes the request to Authentication Services, through the Platform Services Process. Authentication Services uses the Census to identify the User or Alias object in eDirectory that corresponds to the request. Then Authentication Services verifies the password using that object and returns the result to the platform.
The System Intercepts for z/OS and UNIX systems store the password in the local security system upon a successful authentication or password change. For logins, if Authentication Services cannot be reached, the user's password is verified using the local security system.
Platforms that use password replication receive notification of password changes through the Platform Receiver.
The core driver must be notified of changes to passwords as follows:
If your eDirectory is configured to fully support Universal Password, the driver is notified of password changes in eDirectory.
If you do not use Universal Password, you must install and configure the appropriate password intercepts.
The Novell Client™ Password Intercept is installed on a Windows workstation and captures password change information from the Novell Client or an administrative utility.
The NetWare® Password Intercept is installed on NetWare systems that run an NDK application that changes passwords.
The Password Validation Program Exit is installed on an OS/400 system and captures password change information.
It is crucial that these intercepts be installed and properly configured. Otherwise replication cannot occur reliably. Properly configured, Universal Password can be used in lieu of the Novell Client Password Intercept and the NetWare Password Intercept.
When Authentication Services receives notification of a password change, it verifies the authenticity of the notification and then stores the encrypted password. This is detected by the Event Subsystem, which generates the appropriate provisioning event to notify those platforms that are authorized to receive password information.
By default, passwords are converted to lowercase before they are sent to a platform.
Account Redirection: Requests for Posix user and group information are intercepted at the platform Name Service Switch and redirected to objects in eDirectory. This information includes loginName, uidNumber, gidNumber, gecos, homeDirectory, loginShell, groupName, memberUid and passwords.
You use the platform configuration file to specify Platform Services configuration information, such as
Which users are authenticated using Authentication Services and which users are authenticated using the local security system
Which user accounts and groups are managed using Identity Provisioning and which are managed locally
Information used to locate the core driver servers.