FOXMAN-UN Integration with Active Directory (AD) - Application Note
Introduction
FOXMAN-UN uses PAM for authentication.
During the FOXMAN-UN installation the configuration file /etc/pam.d/nem-auth is installed.
• By default, nem-auth refers to system-auth for its authentication rules.
• By default, system-auth is configured to authenticate against the local server.
After the FOXMAN-UN installation, the following users are created:
• The FOXMAN-UN security administrator: username to be defined during installation (e.g., nemsecadm), with group nem. The username nemsecadm is assumed in the examples of the present document.
• The DIRAC superuser: dirac with group dirac.
To control how users are retrieved, two configuration variables can be added to the /opt/nem/etc/nem.conf file:
− security_enable_new_user_group_name
− security_new_user_group_name
If “security_enable_new_user_group_name” is enabled, FOXMAN-UN proposes the users belonging to the group named by “security_new_user_group_name” for registration as new users in its database. If “security_enable_new_user_group_name” is not present, it is disabled.
Existing AD users are not automatically discovered by FOXMAN-UN, which prevents them from being added as FOXMAN-UN users. A possible workaround is the setting “enumerate = True” in SSSD, which makes AD users visible in FOXMAN-UN user management. However, this introduces two problems:
• All AD users become visible, which may be undesirable.
• SSSD initialization becomes significantly slower, especially in large AD environments, so enumeration is not recommended.
Hence the recommendation is the following:
• Disable SSSD enumeration;
• Let FOXMAN-UN retrieve all users of a specific group. This works even when enumeration is disabled.
• In the SSSD configuration (as described in Integration Steps), add an AD access filter (ad_access_filter) to restrict access to the server to the AD users that are members of a specified group.
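The following shell script is an added example and is not part of this application note or of the FOXMAN-UN or SSSD projects. It brings together the nem.conf variables described above and the recommended SSSD settings (enumeration off, ad_access_filter restricting access to one AD group), and provides two audit functions a practitioner can run against the real files before enabling the integration. The domain example.com, the group foxman-operators and its DN are constructed placeholders; enumerate, id_provider, access_provider and ad_access_filter are real SSSD options; the key = value syntax used for the nem.conf lines is an assumption, since the note only names the keys.

```shell
#!/bin/sh
# Added example (not from the FOXMAN-UN application note): recommended SSSD and
# nem.conf fragments for group-based AD integration, plus audit functions.
# Domain, group name and DN below are constructed placeholders.

# Constructed sssd.conf domain fragment: enumeration disabled, and access limited
# to members of one AD group. ad_access_filter only takes effect when
# access_provider = ad.
RECOMMENDED_SSSD_FRAGMENT='[domain/example.com]
id_provider = ad
access_provider = ad
enumerate = False
ad_access_filter = (memberOf=CN=foxman-operators,OU=Groups,DC=example,DC=com)
'

# Constructed nem.conf lines (key = value syntax is an assumption): FOXMAN-UN
# proposes members of the same AD group as new users.
RECOMMENDED_NEM_FRAGMENT='security_enable_new_user_group_name = true
security_new_user_group_name = foxman-operators
'

# Returns 0 when the sssd.conf at $1 follows the recommendation:
# no "enumerate = True", access_provider = ad, and a non-empty ad_access_filter.
check_sssd_conf() {
    f="$1"
    if grep -Eiq '^[[:space:]]*enumerate[[:space:]]*=[[:space:]]*true' "$f"; then
        echo "FAIL: SSSD enumeration is enabled in $f" >&2
        return 1
    fi
    if ! grep -Eiq '^[[:space:]]*access_provider[[:space:]]*=[[:space:]]*ad[[:space:]]*$' "$f"; then
        echo "FAIL: access_provider is not 'ad' in $f (ad_access_filter would be ignored)" >&2
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*ad_access_filter[[:space:]]*=[[:space:]]*[^[:space:]]' "$f"; then
        echo "FAIL: no ad_access_filter in $f; every AD user could log in" >&2
        return 1
    fi
    echo "OK: $f"
}

# Returns 0 when the nem.conf at $1 defines both group-retrieval variables.
check_nem_conf() {
    f="$1"
    for key in security_enable_new_user_group_name security_new_user_group_name; do
        if ! grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$f"; then
            echo "FAIL: $key missing from $f" >&2
            return 1
        fi
    done
    echo "OK: $f"
}

# Looking up one group by name uses SSSD's normal lookup path, so it works with
# enumerate = False; only "list every user" requests need enumeration.
# Prints the comma-separated member list of group $1 (requires a live SSSD).
group_members() {
    getent group "$1" | cut -d: -f4
}

# Stand-alone run: write the constructed fragments to a temporary directory
# and audit them. Use the functions directly on /etc/sssd/sssd.conf and
# /opt/nem/etc/nem.conf for a real check.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf '%s' "$RECOMMENDED_SSSD_FRAGMENT" > "$tmp/sssd.conf"
    printf '%s' "$RECOMMENDED_NEM_FRAGMENT" > "$tmp/nem.conf"
    check_sssd_conf "$tmp/sssd.conf" && check_nem_conf "$tmp/nem.conf"
    rm -rf "$tmp"
fi
```

Run it with --demo to audit the embedded fragments, or source it and call check_sssd_conf /etc/sssd/sssd.conf and check_nem_conf /opt/nem/etc/nem.conf on the deployed files; group_members foxman-operators then confirms that members of the configured group resolve even though enumeration is disabled.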