UNIX System Authentication

UNIX system authentication enables users to log in to SGD if they have UNIX or Linux system accounts on the SGD host.

UNIX system authentication is enabled by default.

This section includes the following topics:

• How UNIX System Authentication Works

• UNIX System Authentication and PAM

• How to Enable UNIX System Authentication

How UNIX System Authentication Works

UNIX system authentication supports the following search methods for authenticating users against a UNIX or Linux system user database and determining the user identity and profile:

• Search Unix User ID in Local Repository

• Search Unix Group ID in Local Repository

• Use Default User Profile

These search methods are described in the following sections.

Search Unix User ID in Local Repository

At the SGD login screen, the user types a user name and password. The user name can be any of the following:

• A common name, for example Indigo Jones

• A user name, for example indigo

• An email address, for example indigo@example.com

SGD searches the local repository for a user profile with a Name attribute that matches what the user typed. If there is no match, the search is repeated on the Login Name attribute, and finally on the Email Address attribute. If no user profile is found, the next authentication mechanism is tried.

If a user profile is found, the Login Name attribute of that object is treated as a UNIX or Linux system user name. This user name, and the password typed by the user, are checked against the UNIX or Linux system user database. If the authentication fails, the next authentication mechanism is tried.

If the authentication succeeds and the Login attribute for the user profile is not enabled, the user is not logged in and no further authentication mechanisms are tried. If the authentication succeeds and the Login attribute for the user profile is enabled, the user is logged in.

This search method is enabled by default.

User Identity and User Profile

The matching user profile in the local repository is used for the user identity and user profile. In the SGD datastore, the user identity is in the Local namespace. In the Administration Console, the text “(Local)” is displayed next to the user identity. On the command line, the user identity is located in .../_ens.

Search Unix Group ID in Local Repository

SGD checks the user name and password typed by the user at the login screen against the UNIX or Linux system user database.

If the authentication fails, the next authentication mechanism is tried.

If the authentication succeeds, SGD searches for the user profile. See User Identity and User Profile for details. If the Login attribute of the user profile object is not enabled, the user cannot log in and no further authentication mechanisms are tried. If the Login attribute of the user profile is enabled, the user is logged in.

This search method is enabled by default.

User Identity and User Profile

The user identity is the UNIX or Linux system user name. In the SGD datastore, the user identity is in the User namespace. In the Administration Console, the text “(UNIX)” is displayed next to the user identity. On the command line, the user identity is located in .../_user.

SGD searches the local repository for a user profile cn=gid, where gid is the UNIX system group ID of the authenticated user. If found, this is used as the user profile. If the user belongs to more than one group, the user’s primary or effective group is used. If no user profile is found in the local repository, the profile object System Objects/UNIX User Profile is used for the user profile.

Use Default User Profile

SGD checks the user name and password typed by the user at the login screen against the UNIX or Linux system user database.

If the authentication fails, the next authentication mechanism is tried.

If the authentication succeeds, the user is logged in.

This search method is disabled by default.

User Identity and User Profile

The user identity is the UNIX or Linux system user name. In the SGD datastore, the user identity is in the User namespace. In the Administration Console, the text “(UNIX)” is displayed next to the user identity. On the command line, the user identity is located in .../_user.

The profile object System Objects/UNIX User Profile is used for the user profile. All UNIX system users receive the same webtop content.

UNIX System Authentication and PAM

SGD supports Pluggable Authentication Modules (PAM). UNIX system authentication uses PAM for user authentication, account operations, and password operations.

When you install SGD on Linux platforms, the SGD installation program automatically creates PAM configuration entries for SGD by copying the current configuration for the passwd program and creating the /etc/pam.d/tarantella file.

When you install SGD on Solaris OS platforms, you must add PAM configuration entries manually. For example, you might add these entries for tarantella to the /etc/pam.conf file.

tarantella auth required pam_unix_auth.so.1
tarantella password required pam_unix_auth.so.1

How to Enable UNIX System Authentication

1. In the SGD Administration Console, display the Secure Global Desktop Authentication Configuration Wizard.

   Go to the Global Settings -> Secure Global Desktop Authentication tab and click the Change Secure Global Desktop Authentication button.

2. On the Third-Party/System Authentication step, ensure the System Authentication check box is selected.

3. On the System Authentication - Repositories step, select the Unix check box.

4. On the Unix Authentication - User Profile step, select the check box for one or more search methods for finding the user profile.

   See How UNIX System Authentication Works for details on the search methods.

5. On the Review Selections step, check the authentication configuration and click Finish.