User database, authentication and authorisation
Generally speaking, all users of a CSG-managed host, such as a lab computer or a VLAB or login server, will have an account in one of CSE's user databases (UDBs). There are two of these: the Old UDB and the New UDB.
The old UDB is legacy and will eventually be decommissioned; however, some legacy hosts still use it.
The new UDB is the old UDB's replacement, based on PostgreSQL and LDAP. The contents of the two UDBs are synchronised.
Both UDBs provide:
- Linux account information for each user: UID, GID, home directory path and the password hash (stored in crypt() format and referred to here as the encrypted password)
- A hierarchical class membership structure in which each user can be a member of one or more classes; membership identifies the role(s) each user plays in the school and may grant access to particular resources
- In addition, the new UDB contains email and mailing list management tables. These are loosely coupled to the account information in the UDB, which allows, amongst other things, users to create and manage their own mailing lists
Authentication
For actual people, authentication in CSG-managed systems is almost always done using UNSW's zID/zPass system via Kerberos queries to UNSW's Active Directory (AD) servers.
In addition to accounts for actual people, the UDBs maintain accounts for non-person entities: class accounts (for example for COMP1531), special purpose logins (such as those used during exams as part of the virtual exam environment set up on lab computers and VLAB), and so on. These accounts are not authenticated via zID/zPass; when a password is required they use local CSE password hashes (the "encrypted passwords") stored in the UDBs. Authentication is then done either by an LDAP BIND operation against the CSG-maintained LDAP server, or by fetching the password hash from the LDAP server and checking it against the user-supplied password with crypt(). Note that the second method requires the querying host to be able to read the stored hash, whereas a BIND never exposes it to the client.
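As an added example (not CSG's own code), the following Python sketches both checks for a local account: verifying a fetched userPassword value with crypt(), and the bytes an LDAPv3 simple BIND exchanges with the server, encoded by hand in BER so it runs offline. The {CRYPT} and {SSHA} scheme prefixes (the OpenLDAP convention), the DN layout and the response PDUs are assumptions constructed for illustration; the page says nothing about how the UDB's LDAP tree is laid out.

```python
"""Added example, not CSG code: (1) crypt()-style check of a userPassword
value fetched from LDAP, (2) an LDAPv3 simple bind (RFC 4511) hand-encoded
in BER.  Scheme prefixes, DNs and response bytes are constructed samples."""
import base64
import hashlib
import hmac

try:
    import crypt as _crypt            # deprecated in 3.11, removed in 3.13
    HAVE_CRYPT = True
except ImportError:
    _crypt = None
    HAVE_CRYPT = False


# ---- 1. local password check (the "fetch the hash and crypt()" route) ----

def verify_user_password(stored: str, supplied: str) -> bool:
    """Compare a supplied password with a stored userPassword value.
    hmac.compare_digest keeps the comparison time independent of how many
    leading bytes of the hash happen to match."""
    if stored.startswith("{CRYPT}"):             # crypt(3) hash, as the UDB uses
        if not HAVE_CRYPT:
            raise RuntimeError("crypt(3) unavailable in this Python")
        h = stored[len("{CRYPT}"):]
        calc = _crypt.crypt(supplied, h) or ""   # salt/algorithm re-read from h
        return hmac.compare_digest(calc, h)
    if stored.startswith("{SSHA}"):              # salted SHA-1, shown for contrast
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]        # 20-byte digest, then salt
        calc = hashlib.sha1(supplied.encode() + salt).digest()
        return hmac.compare_digest(calc, digest)
    raise ValueError("unsupported userPassword scheme")


def make_ssha(password: str, salt: bytes) -> str:
    """Build an {SSHA} value; used here only to construct a sample."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


# Sample hashes, constructed here rather than taken from any UDB.
SAMPLE_SSHA = make_ssha("s3cret", b"abcd")
SAMPLE_CRYPT = ("{CRYPT}" + _crypt.crypt("s3cret", "$6$Zp3kqQm9u1vXa8Lw$")
                if HAVE_CRYPT else None)


# ---- 2. LDAP simple bind, hand-encoded in BER -----------------------------

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long form
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _ber_int(n: int) -> bytes:
    """INTEGER, minimal two's-complement encoding (non-negative values)."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name, simple [0] password } }.  The password is plaintext in the PDU,
    so a simple bind is only safe over TLS (ldaps or STARTTLS)."""
    bind = _tlv(0x60, _ber_int(3)
                + _tlv(0x04, dn.encode())
                + _tlv(0x80, password.encode()))
    return _tlv(0x30, _ber_int(msg_id) + bind)


def _ber_read(buf: bytes, pos: int = 0):
    """Return (tag, content, position just after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse [APPLICATION 1] {
    resultCode ENUMERATED, matchedDN, diagnosticMessage } }."""
    tag, body, _ = _ber_read(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, p = _ber_read(body)
    tag, op, _ = _ber_read(body, p)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, p = _ber_read(op)                   # ENUMERATED: 0 ok, 49 invalidCredentials
    _, matched, p = _ber_read(op, p)
    _, diag, _ = _ber_read(op, p)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": code[0], "matched_dn": matched.decode(),
            "diagnostic": diag.decode(), "success": code[0] == 0}


# Constructed BindResponse PDUs for message id 1 (not captured traffic).
BIND_OK = bytes.fromhex("300c02010161070a010004000400")
BIND_BAD_CREDS = bytes.fromhex("300c02010161070a013104000400")

if __name__ == "__main__":
    print(verify_user_password(SAMPLE_SSHA, "s3cret"))
    print(simple_bind_request(1, "uid=cs0000,ou=People,dc=example", "s3cret").hex())
    print(parse_bind_response(BIND_BAD_CREDS))
```

The two routes trade different exposures: the BIND sends the password across the network inside the PDU, so it is only as safe as the transport, while the crypt() route keeps the password local but needs the checking host to be able to read the stored hash from LDAP, which is then a secret to protect on that host.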
Note that some special purpose logins, such as class accounts, may not use passwords at all; instead, users have their SSH keys added to the account's authorized_keys file and access is via SSH.
Downloads
Actual-people accounts in the UDBs are created, removed and updated primarily during a nightly synchronisation with UNSW's SiMS and PiMS. SiMS is the centrally-administered Student Information Management System and PiMS is the centrally-administered People Information Management System (staff and academics).
The downloads and synchronisation with the UDBs are performed on the CSE host Synth.
See also
- SIMS
- PIMS
- Synth