Saturday, March 19, 2011

The Importance of Library Level Integration in Open Source Environment

By Jonathan Flack

Open Systems Engineer, Likewise Software

As an Open Systems Engineer at Likewise Software I routinely encounter unique customer problems. Most of these problems require a clever solution which tends to be specific to the customer site.

Earlier today, however, I got a query from an Ubuntu user that really made me consider how important library level integration by application developers can be when administering an open source environment. A lot of vendors out there provide free solutions without being open source, and a lot of these solutions solve one problem or another in your environment, but it's rare to come across a piece of software that really cleanly integrates into your deployed OS in a way that provides a multitude of very clean solutions to everyday problems.

This user had a simple Linux application for which he needed to verify user authentication by simply passing the username and password to generate a pass/fail response. The application was neither PAM/nsswitch-integrated nor GSS-enabled (built with GSSAPI support).

The user's Linux environment was already authenticating to Active Directory using Likewise Open, our open source agent which allows user authentication against Microsoft's Active Directory. As a result, I knew the user would have access to a fully functional Kerberos KDC.

Anyone who has integrated Kerberos in a large environment before knows configuration can be a very painful experience. Likewise Open, however, properly configures the client-side Kerberos and server-side DNS automatically during domainjoin, so this little trip down nightmare alley is completely avoided. We are also assured that the configuration is correct.

So the only thing left to do is leverage kinit to authenticate the user against AD's KDC.

The specifics of the code in his application are not relevant, but you can see a simple example of this working using kinit from the command line:

Positive Authentication -

[root ~]# kinit joesmith@MYDOMAIN.COM
Password for joesmith@MYDOMAIN.COM: ************ <== Correct Password
[root ~]# echo $?

Negative Authentication -

[root ~]# kinit joesmith@MYDOMAIN.COM
Password for joesmith@MYDOMAIN.COM: *^^^***^*** <== Incorrect Password
[root ~]# echo $?
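
The same pass/fail check wrapped for use from an application, as an added example that is not from the original post or from Likewise. The function name check_ad_password and the KINIT override are hypothetical, and it assumes an MIT-style kinit that reads the password from standard input when no terminal is attached and accepts -c for the credential cache.

```shell
#!/bin/sh
# Added example: pass/fail password check built on kinit's exit status.
# check_ad_password and KINIT are hypothetical names; MYDOMAIN.COM is the
# sample realm used on this page.
KINIT="${KINIT:-kinit}"

# Usage: printf '%s\n' "$password" | check_ad_password <user> [realm]
# Returns 0 = accepted, 1 = rejected (or kinit error), 2 = bad input.
check_ad_password() {
    user=$1
    realm=${2:-MYDOMAIN.COM}

    # Refuse anything kinit could parse as an option or as a different
    # principal: empty name, leading '-', '@', '/', whitespace.
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*) return 2 ;;
    esac
    case $realm in
        ''|-*|*[!A-Za-z0-9.-]*) return 2 ;;
    esac

    # Private, throwaway credential cache: the check never overwrites the
    # caller's own tickets and leaves no TGT behind.
    tmpdir=$(mktemp -d) || return 2

    # The password arrives on stdin, never in argv (argv shows up in ps).
    rc=0
    "$KINIT" -c "FILE:$tmpdir/cc" "$user@$realm" >/dev/null 2>&1 || rc=$?
    rm -rf "$tmpdir"

    # A zero status shows that a KDC reply decrypted with this password;
    # kinit by itself does not validate the ticket against the host keytab.
    [ "$rc" -eq 0 ] && return 0
    return 1
}
```

Any non-zero status from kinit is collapsed to 1, so the caller sees only accepted, rejected, or bad input.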

This shows how tools which properly integrate across multiple subsystems ease the workload on already overtasked admins. It also clarifies the importance of open-standards based integration. By integrating directly with pam, nsswitch and Kerberos, Likewise-Open allowed him to leverage existing machine configurations and his AD authentication to easily solve a problem unique to his custom application.

One of the great side benefits is knowing that any other kerberized application, like Firefox or OpenSSH, will authenticate using the user's AD credentials as well.

This kind of elegant solution has been rare in large heterogeneous environments, but more and more open source developers are striving to achieve a high level of standards-based integration without forcing closed source components on their end users. This is one of the clear long-lasting benefits of the open source movement and I'm very pleased to see more companies making this part of their products' value proposition.
