MPI-Active-Directory-Linux-Microsoft-Clients

Research at the Max Planck Institute for Human Cognitive and Brain Sciences revolves around human cognitive abilities and cerebral processes. Among other focuses, this includes higher-level brain functions such as language, emotions and social behavior, as well as plastic changes in the human brain. A flawlessly functioning IT system is essential for this work. The institute's IT department of six employees therefore makes sure that the 600 user accounts at the institute's three sites work as smoothly as possible at all times. Around 200 of the roughly 1,000 hosts in total are Windows laptops or PCs; the rest are predominantly Linux workstations.

Open Source and Open LDAP Defined as Requirements

Prior to the update, the institute had run a self-built OpenLDAP directory with Samba 3, Citrix as the central Windows service and Kerberos as the single sign-on solution. Newer Windows versions and terminal servers required an Active Directory, so at the end of 2016 we as the IT administrators decided to migrate the institute's user management to UCS. After some research, our department identified UCS as the only technically mature product that keeps LDAP as the leading system and can provide central user management for both Windows and Linux systems. Other decisive factors were that UCS is 100% Open Source, offers an easy-to-use web interface and has its own App Center with extensions for UCS as well as third-party solutions.

Changeover in Continuous Operation Achieved with Cross-Realm Trust

A further requirement for UCS was that the migration be possible during continuous operation, without any substantial downtime. A cut-over migration seemed too risky to us, while a full rehearsal would have demanded too much effort without delivering the desired certainty. We therefore decided on a migration during continuous operation with a cross-realm trust between the old and the new Kerberos realm.

Technical Details – Commands udm and ldapmodify for Seamless Synchronization

First, UCS was set up in parallel to the existing systems. During the transition phase, with both directories in production, all users and groups were synchronized every five minutes from the old LDAP to the UCS LDAP: objects were created and updated with the udm command, and ldapmodify was used where an attribute had to be written directly, for example the existing password hash. The valid Kerberos keys were likewise synchronized into UCS' own Heimdal KDC.

The regular synchronization brought further points to light, which were then built into the synchronization script. For example, the UIDs and GIDs in UCS and in the old LDAP had to be allocated from disjoint value ranges to avoid collisions during the regular synchronization. When setting the RID it was also important to set the UCR variable that makes UCS synchronize the RID to Samba; otherwise the RID we had set would have been overwritten by the one allocated by Samba.
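The synchronization step just described, as a dry-run sketch added here (it is not the institute's script and not Univention code): it reads an export of the old directory, keeps only accounts whose IDs fall in the range reserved for migrated entries, emits the udm call that carries over uidNumber, primary group and Samba RID, and the ldapmodify LDIF that copies the stored password hashes unchanged. The base DNs, ID ranges, the tab-separated export format, the dummy hashes and the UCR variable name connector/s4/mapping/sid_to_s4 are assumptions; check the variable against your UCS release.

```shell
#!/bin/bash
# Dry-run skeleton of the periodic old-LDAP -> UCS account sync described above.
# Added example, not the institute's script: base DNs, ID ranges, the sample
# export and the UCR variable name are assumptions marked in the comments.
set -eu

UCS_BASE="dc=example,dc=org"                    # assumed UCS LDAP base
UCS_ADMIN="cn=admin,${UCS_BASE}"                # UCS admin DN, password in /etc/ldap.secret
UCS_URI="ldap://localhost:7389"                 # UCS OpenLDAP listens on port 7389
MIGRATED_ID_MIN=10000; MIGRATED_ID_MAX=59999    # assumed range reserved for IDs carried over;
                                                # UCS allocates its own UIDs/GIDs below it
TAB="$(printf '\t')"

# 0 if a UID/GID lies in the range reserved for migrated accounts, 1 otherwise.
in_migrated_range() {                           # usage: in_migrated_range <number>
  if [ "$1" -ge "$MIGRATED_ID_MIN" ] && [ "$1" -le "$MIGRATED_ID_MAX" ]; then return 0; fi
  return 1
}

# Make UCS push the RID we set to Samba instead of accepting the one Samba allocates.
# connector/s4/mapping/sid_to_s4 is the S4 connector variable I know for this;
# treat the name as an assumption and check it against your UCS release.
ucr_rid_cmd() {
  printf 'ucr set connector/s4/mapping/sid_to_s4=yes\n'
}

# udm call that creates the user with its original uidNumber, primary group and
# Samba RID (the RID is the last component of the old Samba 3 sambaSID).
udm_user_cmd() {   # usage: udm_user_cmd <uid> <uidNumber> <groupName> <givenName> <sn> <sambaSID>
  rid="${6##*-}"
  printf 'udm users/user create --ignore_exists --position "cn=users,%s"' "$UCS_BASE"
  printf ' --set username="%s" --set uidNumber=%s' "$1" "$2"
  printf ' --set primaryGroup="cn=%s,cn=groups,%s"' "$3" "$UCS_BASE"
  printf ' --set firstname="%s" --set lastname="%s" --set sambaRID=%s\n' "$4" "$5" "$rid"
}

# LDIF that copies the stored hashes unchanged; udm's password property only takes
# cleartext, so this goes through ldapmodify. Kerberos keys are synced separately.
password_ldif() {  # usage: password_ldif <uid> <userPassword> <sambaNTPassword>
  printf 'dn: uid=%s,cn=users,%s\nchangetype: modify\n' "$1" "$UCS_BASE"
  printf 'replace: userPassword\nuserPassword: %s\n-\n' "$2"
  printf 'replace: sambaNTPassword\nsambaNTPassword: %s\n' "$3"
}

# Constructed stand-in for the old directory export, one account per line,
# tab-separated: uid uidNumber primaryGroup givenName sn sambaSID userPassword sambaNTPassword
# (dummy hashes; a real run would flatten `ldapsearch -LLL` output into this shape).
SAMPLE_EXPORT="$(printf 'jdoe\t12001\tDomain Users\tJane\tDoe\tS-1-5-21-1-2-3-1102\t{SSHA}ZHVtbXk=\t0123456789ABCDEF0123456789ABCDEF\nbadid\t5001\tDomain Users\tBad\tId\tS-1-5-21-1-2-3-1104\t{crypt}dummy\tFEDCBA9876543210FEDCBA9876543210')"

# Read an export on stdin and write the shell commands for it on stdout.
# Accounts whose IDs would collide with the UCS range are skipped and reported;
# the function returns 1 if any were skipped so nothing is applied half-way.
sync_plan() {
  skipped=0
  while IFS="$TAB" read -r uid uidn group gn sn sid pw nt; do
    [ -n "$uid" ] || continue
    if ! in_migrated_range "$uidn"; then
      printf '# SKIP %s: uidNumber %s outside %s-%s\n' "$uid" "$uidn" "$MIGRATED_ID_MIN" "$MIGRATED_ID_MAX" >&2
      skipped=$((skipped + 1)); continue
    fi
    udm_user_cmd "$uid" "$uidn" "$group" "$gn" "$sn" "$sid"
    printf "ldapmodify -x -H %s -D '%s' -y /etc/ldap.secret <<'LDIF'\n" "$UCS_URI" "$UCS_ADMIN"
    password_ldif "$uid" "$pw" "$nt"
    printf 'LDIF\n'
  done
  [ "$skipped" -eq 0 ]
}

# ./sync.sh plan > plan.sh  -> review plan.sh, then run it once on the UCS master
if [ "${1:-}" = "plan" ]; then
  ucr_rid_cmd
  printf '%s\n' "$SAMPLE_EXPORT" | sync_plan || echo '# some accounts skipped, fix their IDs first' >&2
fi
```

The range check is deliberately a hard stop rather than a warning: an account created with a colliding uidNumber gets a UCS-allocated ID on the next run and its files on the Linux workstations change owner. The ucr call belongs before the first udm call for the same reason; a RID written without it is silently replaced by Samba's.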

The Challenges – LDAP Kerberos Authentication

In UCS, the LDAP server authenticates Kerberos clients with a key issued by the Samba KDC. Because the institute keeps using UCS' own Heimdal KDC, and the Samba KDC and the Heimdal KDC do not trust each other, a workaround was needed: the Kerberos key for the LDAP service principal was exported from the Samba KDC and imported into the Heimdal KDC, so that the keys and the realm are now identical in both KDCs. Merging the institute's surprisingly extensive directory service ACLs with those of UCS without collisions or other issues also posed a minor challenge.
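The key export and the check a practitioner wants after this workaround, as an added example (not the institute's commands): export the LDAP principal's key from the Samba KDC with samba-tool, export the same principal from the Heimdal KDC once it has been imported, and confirm that both keytabs list the same kvno and enctypes. Host name, realm, keytab paths and the embedded ktutil listings are constructed assumptions; the import step into the Heimdal KDC itself is not shown.

```shell
#!/bin/bash
# Export the LDAP service key from the Samba KDC and verify that the Heimdal KDC
# now holds the same key (same kvno and enctypes) for the same principal. Added
# example, not the institute's procedure; host, realm, paths and the sample
# keytab listings are assumptions. The import into the Heimdal KDC is not shown.
set -eu

HOST="ucs.example.org"; REALM="EXAMPLE.ORG"      # assumed
PRINC="ldap/${HOST}@${REALM}"
SAMBA_KT="/root/ldap-samba.keytab"               # assumed scratch keytabs
HEIMDAL_KT="/root/ldap-heimdal.keytab"

# Step 1: pull the current key for the LDAP principal out of the Samba AD KDC.
export_from_samba() {
  printf 'samba-tool domain exportkeytab %s --principal=%s\n' "$SAMBA_KT" "$PRINC"
}
# Step 3 (after the import): pull the same principal out of the Heimdal KDC for comparison.
export_from_heimdal() {
  printf "kadmin -l ext_keytab -k %s '%s'\n" "$HEIMDAL_KT" "$PRINC"
}

# Reduce a `ktutil -k <keytab> list` listing to sorted "kvno enctype" lines for $PRINC
# (key rows start with a numeric Vno column; the header and FILE: lines are dropped).
key_set() {                                      # reads the listing on stdin
  awk -v p="$PRINC" '$1 ~ /^[0-9]+$/ && $3 == p { print $1, $2 }' | sort
}

# 0 if both listings hold the same non-empty kvno/enctype set for $PRINC, 1 otherwise.
# A kvno or enctype present in one KDC only means tickets from that KDC fail at the LDAP server.
keys_match() {                                   # usage: keys_match <listing_a> <listing_b>
  a="$(printf '%s\n' "$1" | key_set)"
  b="$(printf '%s\n' "$2" | key_set)"
  if [ -n "$a" ] && [ "$a" = "$b" ]; then return 0; fi
  return 1
}

# Constructed listings in the shape ktutil prints (Vno, Type, Principal columns).
SAMBA_LISTING="$(printf 'FILE:%s\n\nVno  Type                     Principal\n  2  aes256-cts-hmac-sha1-96  %s\n  2  aes128-cts-hmac-sha1-96  %s\n  2  arcfour-hmac-md5         %s\n' "$SAMBA_KT" "$PRINC" "$PRINC" "$PRINC")"
HEIMDAL_LISTING_OK="$(printf 'FILE:%s\n\nVno  Type                     Principal\n  2  arcfour-hmac-md5         %s\n  2  aes128-cts-hmac-sha1-96  %s\n  2  aes256-cts-hmac-sha1-96  %s\n' "$HEIMDAL_KT" "$PRINC" "$PRINC" "$PRINC")"
HEIMDAL_LISTING_STALE="$(printf 'FILE:%s\n\nVno  Type                     Principal\n  1  aes256-cts-hmac-sha1-96  %s\n' "$HEIMDAL_KT" "$PRINC")"

# Real run on the UCS host:
#   eval "$(export_from_samba)"; <import the key into the Heimdal KDC>; eval "$(export_from_heimdal)"
#   keys_match "$(ktutil -k "$SAMBA_KT" list)" "$(ktutil -k "$HEIMDAL_KT" list)" && echo in sync
# End-to-end check afterwards: kinit -k -t "$HEIMDAL_KT" "$PRINC" && ldapsearch -Y GSSAPI -H "ldap://$HOST:7389" -b '' -s base
if [ "${1:-}" = "demo" ]; then
  keys_match "$SAMBA_LISTING" "$HEIMDAL_LISTING_OK"    && echo "sample: in sync"
  keys_match "$SAMBA_LISTING" "$HEIMDAL_LISTING_STALE" || echo "sample: stale kvno, re-import"
fi
```

The comparison is on kvno and enctype, not on the key bytes, because that is what a ticket carries: the LDAP server looks up the key by the kvno and enctype in the ticket it receives, so a Heimdal copy with an older kvno or a missing AES enctype breaks GSSAPI binds for clients that obtained their ticket from the Heimdal KDC even though the realm names agree.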

Planned for the Future: Further LDAP Connections, Use of Radius and Extension of User Objects

In the future, we plan to expand the use of UCS in the institute further. For example, other services still in use that rely on older or less common password hash formats are to be connected to the UCS LDAP. It should also become possible to specify a name for a particular interface directly on the host object in the Univention Management Console and to manage VLAN IDs there for assignment via a RADIUS server. Another planned project is a workflow for creating new users in which a designated user group enters only general information on a user object, and we in the IT department then complete it with technical attributes such as the home directory.

Conclusion: UMC and the Central User Management Make Things Easier

Looking back, the two aspects that have become considerably simpler in day-to-day operation are UCS' convenient web interface, the UMC, and the central user management of Windows and Linux clients. The upgrade path supported by UCS and the Univention support staff, who were available for assistance every step of the way, were particularly helpful during the project. Future updates will also be considerably simpler. One thing we would still appreciate is a simpler way to enter new host objects with multiple interfaces in various VLANs.




Markus Then

Markus Then is responsible for IT at the Max Planck Institute for Human Cognitive and Brain Sciences and was responsible for the migration of user administration from a self-built LDAP to UCS.
