eDirectory and Linux User Management technologies work together to provide a solution for managing user access to network resources. eDirectory user login information is stored as a property of the User object. It is viewed and modified by using Novell iManager.
Figure 1-1 The Novell iManager Window
When a user logs in to a Linux computer running Linux User Management, the request is redirected to eDirectory and checked against information in eDirectory. For this to work, the computers and eDirectory must be configured as follows:
The target workstation must be running Linux User Management software and must point to the Linux/UNIX Config object on the network.
The target workstation must have a representative Linux/UNIX Workstation object in eDirectory, created when Linux User Management components are installed.
The user must be enabled for Linux, which means that the user must be a member of a group that is enabled for Linux and listed in the properties of the Linux/UNIX Workstation object. The Linux/UNIX Config object must specify the context of the Linux/UNIX Workstation object.
User accounts residing on the Linux computer are said to be local user accounts and are stored as entries in the /etc/passwd file. User accounts in eDirectory are represented by User objects stored in the eDirectory tree.
An eDirectory User object has a rich set of properties and fields to hold user-login properties. When an eDirectory User object is extended to hold Linux user-login properties, it is said to be LUM-enabled or enabled for Linux. When enabled for Linux, a user can simply access the Linux computer (by using Telnet, SSH, or another supported method) and enter his or her username and password. The access request is redirected to find the appropriate username and login information stored in eDirectory.
When it is extended for Linux, the eDirectory User object holds Linux-related properties, such as user ID, primary group ID, primary group name, location of home directory, and preferred shell.
When a group is enabled for Linux, the group ID is stored as a property of a Linux/UNIX Workstation object. When the user attempts to log in to a Linux computer, he or she only needs to enter a username and password—no context is required. The Linux computer checks its corresponding Linux/UNIX Workstation object in eDirectory for the list of groups approved to log in. Each approved group is searched for the username of the user requesting access. When the first matching username is found, the login is allowed by using the UID, GID, password, and other login information stored in eDirectory. If the username is not found in any of the groups, the login is not allowed.
NOTE: When you Linux-enable a Group object, you can choose to enable all members of the group or you can enable specific users. Users being enabled for the first time receive the group ID as their primary group ID. Users previously enabled for Linux receive the GID as a secondary GID. User objects not enabled for Linux cannot log in to a Linux computer, even if they belong to a Linux-enabled group.
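The group-enablement rules in the note and the login resolution order described above (approved groups on the Workstation object, first matching username wins, no UID means no login) can be followed step by step in the following simulation. This is an added example, not Novell's code or the LUM implementation: all distinguished names, GIDs and the UID counter are constructed sample values, and the real UID pool would come from the Linux/UNIX Config object rather than the itertools counter used here.

```python
"""Constructed simulation of LUM login resolution and group enablement.
All object names and numbers are made-up sample data."""
import itertools
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional


@dataclass
class User:
    dn: str                              # eDirectory distinguished name
    home: str = ""
    shell: str = "/bin/bash"
    uid_number: Optional[int] = None     # None means the user is not Linux-enabled
    gid_number: Optional[int] = None     # primary GID, set on first enablement
    secondary_gids: List[int] = field(default_factory=list)


@dataclass
class Group:
    dn: str
    gid_number: int
    members: List[str]                   # DNs of member User objects


@dataclass
class Workstation:
    dn: str
    approved_groups: List[str]           # DNs of groups allowed to log in, in search order


def cn_of(dn: str) -> str:
    """Leading RDN value of a typeful DN: 'cn=jdoe,ou=users,o=acme' -> 'jdoe'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def linux_enable_group(group: Group, users: Dict[str, User],
                       uids: Iterator[int], user_dns: Optional[List[str]] = None) -> None:
    """Enable selected members (default: all members) of a group for Linux.
    A user enabled for the first time gets a UID and this group's GID as the
    primary GID; an already-enabled user gets the GID as a secondary GID."""
    for dn in (user_dns if user_dns is not None else group.members):
        if dn not in group.members:
            continue                     # a non-member cannot be enabled through this group
        user = users[dn]
        if user.uid_number is None:
            user.uid_number = next(uids)
            user.gid_number = group.gid_number
        elif group.gid_number != user.gid_number and group.gid_number not in user.secondary_gids:
            user.secondary_gids.append(group.gid_number)


def resolve_login(username: str, ws: Workstation,
                  groups: Dict[str, Group], users: Dict[str, User]) -> Optional[dict]:
    """Walk the workstation's approved groups in order and return the login
    record of the first member whose CN matches; None means login denied."""
    for group_dn in ws.approved_groups:
        for member_dn in groups[group_dn].members:
            if cn_of(member_dn) != username:
                continue
            user = users[member_dn]
            if user.uid_number is None:
                return None              # in an enabled group, but the user itself is not enabled
            return {"uid": user.uid_number, "gid": user.gid_number,
                    "secondary_gids": list(user.secondary_gids),
                    "home": user.home, "shell": user.shell}
    return None                          # username found in no approved group


def passwd_line(username: str, rec: dict) -> str:
    """Render the record in the /etc/passwd layout a local account would use."""
    return f"{username}:x:{rec['uid']}:{rec['gid']}::{rec['home']}:{rec['shell']}"


def sample_scenario():
    """Three users, three groups, one workstation that approves two of the groups."""
    jdoe, bob, eve = ("cn=%s,ou=users,o=acme" % n for n in ("jdoe", "bob", "eve"))
    users = {dn: User(dn, home="/home/" + cn_of(dn)) for dn in (jdoe, bob, eve)}
    dev = "cn=developers,ou=groups,o=acme"
    adm = "cn=admins,ou=groups,o=acme"
    con = "cn=contractors,ou=groups,o=acme"
    groups = {dev: Group(dev, 1000, [jdoe, bob]),
              adm: Group(adm, 1001, [jdoe]),
              con: Group(con, 1002, [eve])}
    ws = Workstation("cn=Linux/UNIX Workstation - Server1,ou=servers,o=acme", [dev, adm])
    uids = itertools.count(5000)         # stand-in for the Config object's UID range
    linux_enable_group(groups[dev], users, uids, user_dns=[jdoe])   # enable only jdoe, not bob
    linux_enable_group(groups[adm], users, uids)                     # jdoe again -> secondary GID
    linux_enable_group(groups[con], users, uids)                     # eve enabled, group not approved
    return users, groups, ws


if __name__ == "__main__":
    users, groups, ws = sample_scenario()
    for name in ("jdoe", "bob", "eve"):
        rec = resolve_login(name, ws, groups, users)
        print(name, "->", passwd_line(name, rec) if rec else "login denied")
```

Running it shows the three outcomes the text distinguishes: jdoe logs in with UID 5000, primary GID 1000 and secondary GID 1001; bob is denied because his User object was never enabled even though his group was; eve is denied because her group is not on the workstation's approved list.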
In addition to the typical Linux-related properties (for example, Group ID), the eDirectory Group object extended for Linux holds some additional properties:
UamPosixWorkstationList: Lists the UNIX Workstation objects that the group has permissions to access.
Description: Displays an alternative description.
The source workstation is the computer that the user accesses the target workstation from. It is not represented as an object in eDirectory. It can be running any type of operating system, desktop, or server that supports login access protocols such as FTP, SSH, rlogin, and rsh. To log in to a target workstation, the user launches a program that provides one of the supported login access protocols and then enters the address of the target workstation.
In eDirectory, the Linux/UNIX Workstation object represents the actual computer the user logs in to. The computer, also known as the target computer, must have the following characteristics:
It is running Linux as either a server or workstation.
It is running Pluggable Authentication Module (PAM) along with Novell Linux User Management technology to redirect login requests to eDirectory (see the /etc/pam.d directory).
It stores the location of the UNIX Config object on the network (see the nam.conf file).
A Linux/UNIX Workstation object is created when Linux User Management components are installed on the target computer. The object can be placed in any Organization (O) or Organizational Unit (OU) container in the eDirectory tree.
When logging in to a target workstation, the user needs to enter only his or her username and password. The target workstation receives the login request and uses Linux User Management and PAM to redirect authentication to eDirectory and the Linux/UNIX Config object on the network. The Linux/UNIX Config object directs the request to the target computer's representative Linux/UNIX Workstation object, where the groups, usernames, and full contexts are determined.
The Linux/UNIX Workstation object holds the following set of properties:
Target workstation name. The name is Linux/UNIX Workstation appended with the host name of the target workstation (for example, Linux/UNIX Workstation - Server1).
List of eDirectory groups (names and contexts) that have access to the target workstation.
The Linux/UNIX Config object is an object in eDirectory that stores a list of the locations (contexts) indicating where Linux/UNIX Workstation objects reside on the network (in eDirectory). It also controls the range of numbers to be assigned as UIDs and GIDs when User and Group objects are created. Geographically dispersed networks might require multiple Linux/UNIX Config objects in a single tree, but basic networks need only one Linux/UNIX Config object in the eDirectory tree. The object is created during the Linux Operating System installation (by selecting Linux User Management) and should be placed in the upper containers of the eDirectory tree.
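The two jobs of the Linux/UNIX Config object described here, pointing at the contexts where Linux/UNIX Workstation objects live and bounding the UID/GID numbers handed out, are modelled below. This is an added example and not Novell's code: the contexts, DNs, naming pattern (taken from the "Linux/UNIX Workstation - hostname" convention given above) and the deliberately tiny ranges are constructed sample values.

```python
"""Constructed model of the Linux/UNIX Config object: its contexts are
searched for a target's Workstation object, and its UID/GID ranges bound the
numbers assigned when objects are created. All values are made-up samples."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set


@dataclass
class LinuxConfig:
    dn: str
    workstation_contexts: List[str]      # contexts where Workstation objects may reside
    uid_range: range
    gid_range: range
    used_uids: Set[int] = field(default_factory=set)
    used_gids: Set[int] = field(default_factory=set)

    def _pool(self, kind: str):
        return (self.uid_range, self.used_uids) if kind == "uid" else (self.gid_range, self.used_gids)

    def allocate(self, kind: str) -> int:
        """Hand out the lowest free number in the configured UID or GID range."""
        pool, used = self._pool(kind)
        for n in pool:
            if n not in used:
                used.add(n)
                return n
        raise RuntimeError(f"{kind} range {pool.start}-{pool.stop - 1} exhausted")

    def reserve(self, kind: str, n: int) -> bool:
        """Accept a manually chosen number only if it is in range and unused."""
        pool, used = self._pool(kind)
        if n not in pool or n in used:
            return False
        used.add(n)
        return True


def workstation_dn(hostname: str, context: str) -> str:
    """Naming convention from the text: 'Linux/UNIX Workstation - <host>' under a context."""
    return f"cn=Linux/UNIX Workstation - {hostname},{context}"


def find_workstation(config: LinuxConfig, hostname: str, directory: Iterable[str]) -> Optional[str]:
    """Search the Config object's contexts in order for the target's Workstation
    object. A Workstation object sitting in an unlisted context is never found,
    which is why the Config object must name the context the object lives in."""
    existing = set(directory)
    for ctx in config.workstation_contexts:
        dn = workstation_dn(hostname, ctx)
        if dn in existing:
            return dn
    return None


def sample_config() -> LinuxConfig:
    return LinuxConfig(dn="cn=UNIX Config,o=acme",
                       workstation_contexts=["ou=servers,o=acme", "ou=lab,o=acme"],
                       uid_range=range(1000, 1003),      # tiny on purpose so exhaustion is visible
                       gid_range=range(1000, 1003))


# Constructed list of Workstation object DNs present in the tree.
SAMPLE_DIRECTORY = [
    "cn=Linux/UNIX Workstation - Server1,ou=servers,o=acme",
    "cn=Linux/UNIX Workstation - Lab7,ou=lab,o=acme",
    "cn=Linux/UNIX Workstation - Rogue,ou=unlisted,o=acme",   # context not in the Config object
]


if __name__ == "__main__":
    cfg = sample_config()
    for host in ("Server1", "Lab7", "Rogue"):
        print(host, "->", find_workstation(cfg, host, SAMPLE_DIRECTORY))
    print("first uid:", cfg.allocate("uid"), "| reserve 1005:", cfg.reserve("uid", 1005))
```

The lookup for Rogue returns None even though its Workstation object exists, because its container is not among the contexts the Config object lists; that is the failure mode to check first when a freshly installed target cannot resolve any logins.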