Authentication Services addresses several issues that affect NIS viability in modern computing environments. The NIS protocol is not secure and is not well-adopted on non-Unix platforms. Traditionally, the underlying NIS data store is file-based, leading to issues with scalability, data extensibility, and accessibility. Authentication Services supports re-hosting NIS data in Active Directory and provides tools to securely access the NIS maps stored in Active Directory.
Authentication Services provides a NIS proxy agent (vasypd) that runs on each Unix host. This proxy acts as a local NIS server, providing NIS data to the local host using information retrieved securely from Active Directory using Kerberized LDAP. NIS data is cached locally to reduce load on Active Directory. With Authentication Services, the NIS wire protocols are eliminated. NIS traffic only occurs on the loopback device. This increases network security without the need for NIS+.
Authentication Services allows you to transition to Kerberos-based authentication for Unix users, eliminating a variety of security risks and providing better manageability and interoperability. If there are no identity conflicts, both the user's identity and configuration can be transitioned. Otherwise, you can accomplish the migration in steps, starting with upgrading to Kerberos and then reconciling and consolidating the user's identities.
The use of standards, such as RFC-2307, as the native store for Unix identity information dovetails nicely with standard Unix practices. Authentication Services is designed to naturally integrate with the majority of real world Windows, Unix, and Linux deployments.
The schema definition of choice for most Authentication Services users is a subset of the IETF RFC 2307 schema for Unix user attributes. RFC 2307 is a cross-platform standard designed to promote interoperability between Unix systems and LDAP-based directories. (Authentication Services also recognizes the Microsoft SFU schema and allows custom schema definitions.)
With Microsoft Windows Server 2003 R2, Microsoft has embraced the RFC 2307 standard, and is now including the RFC 2307 attribute definition as part of the default Active Directory schema. This means that when you install Windows 2003 R2 (or later), support for Unix attribute information is automatically included and forms part of the baseline Active Directory schema definition.
Authentication Services supports all NIS map objects defined in RFC 2307 as well as the ability to store custom NIS data. RFC 2307 provides object classes for six standard NIS maps, and Authentication Services supports each of these maps and its representative class:

| Map name | RFC 2307 object class |
|---|---|
These objects are generally created inside a container or organizational unit.
All other NIS maps are represented using the generic map classes provided in RFC 2307. These classes are nisMap and nisObject. A nisMap is a container object that holds nisObject objects. Set the nisMapName attribute of the nisMap object and nisObject objects it contains to the name of the imported NIS map. A nisObject represents a key-value pair where cn is the key attribute and nisMapEntry is the value.
The RFC 2307 specification assumes that the cn attribute is multivalued, so a map entry and all of its aliases can share one object. In Active Directory, the cn attribute is single-valued. This means that you must create each alias as a separate nisObject carrying the same nisMapEntry value.
NIS is case-sensitive and Active Directory is case-insensitive. Some aliases for certain NIS map entries are the same keys except all capitalized. Active Directory cannot distinguish between names that differ only by case, so such an alias collides with its base key and cannot be stored as a separate object in the same container; identify these entries before you import a map.
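One way to generate the nisMap/nisObject import for a custom map, as an added Python example that is not part of Authentication Services or its own import tooling: the "printers" map, its entries and the ou=NIS container are constructed for illustration. Each alias becomes its own nisObject with the same nisMapEntry (because AD's cn is single-valued), and keys that differ only by case are reported as conflicts rather than written twice (because AD cannot tell them apart).

```python
"""Emit RFC 2307 nisMap/nisObject LDIF for a custom NIS map, handling the two Active Directory caveats."""
from __future__ import annotations

import base64
from dataclasses import dataclass, field


@dataclass
class NisEntry:
    key: str                                     # NIS map key; becomes the cn of a nisObject
    value: str                                   # NIS map value; becomes nisMapEntry
    aliases: list = field(default_factory=list)  # keys RFC 2307 would store as extra cn values


# Constructed sample input (not a real map): a site-specific "printers" map.
# "LP" and "Color" differ from other keys only by case, which AD cannot distinguish.
SAMPLE_MAP_NAME = "printers"
SAMPLE_ENTRIES = [
    NisEntry("lp", "server=print01 queue=lp", aliases=["LP", "laser"]),
    NisEntry("color", "server=print02 queue=color"),
    NisEntry("Color", "server=print03 queue=colour"),
]
SAMPLE_BASE_DN = "ou=NIS,dc=example,dc=com"  # assumed container; adjust for your forest


def escape_rdn(value: str) -> str:
    """Backslash-escape characters that are special in an RDN value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last))
        out.append("\\" + ch if special else ch)
    return "".join(out)


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; values LDIF cannot carry verbatim are base64-encoded (':: ' form)."""
    plain = (value.isascii() and value.isprintable()
             and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if plain:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def expand_keys(entries):
    """Yield (key, value) pairs with every alias as its own pair: AD's cn is single-valued,
    so each alias must become a separate nisObject carrying the same nisMapEntry."""
    for entry in entries:
        yield entry.key, entry.value
        for alias in entry.aliases:
            yield alias, entry.value


def build_ldif(map_name: str, base_dn: str, entries) -> tuple[str, list]:
    """Return (ldif_text, conflicts).

    conflicts lists (rejected_key, kept_key) pairs whose names differ only by case;
    they would collide in AD's case-insensitive namespace, so only the first survives."""
    map_dn = f"cn={escape_rdn(map_name)},{base_dn}"
    lines = [f"dn: {map_dn}", "objectClass: top", "objectClass: nisMap",
             ldif_attr("cn", map_name), ldif_attr("nisMapName", map_name), ""]
    seen: dict = {}        # case-folded key -> key already emitted
    conflicts: list = []
    for key, value in expand_keys(entries):
        folded = key.casefold()
        if folded in seen:
            conflicts.append((key, seen[folded]))
            continue
        seen[folded] = key
        lines += [f"dn: cn={escape_rdn(key)},{map_dn}", "objectClass: top", "objectClass: nisObject",
                  ldif_attr("cn", key), ldif_attr("nisMapName", map_name),
                  ldif_attr("nisMapEntry", value), ""]
    return "\n".join(lines), conflicts


if __name__ == "__main__":
    text, clashes = build_ldif(SAMPLE_MAP_NAME, SAMPLE_BASE_DN, SAMPLE_ENTRIES)
    print(text)
    for rejected, kept in clashes:
        print(f"# skipped '{rejected}': collides with '{kept}' in a case-insensitive directory")
```

Review the conflict list before loading the LDIF: an alias that is merely the upper-cased base key can usually be dropped, since the proxy serves AD data to local lookups regardless of case, but two genuinely different entries that collide (like "color" and "Color" above) need a renamed key or a different map.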