Determine what software will use LDAP and Kerberos. Evaluating what software will use LDAP and Kerberos has two aspects. First, ensure every piece of software that needs to verify a user’s identity can support these protocols. This is easy in Windows, since these are the standard protocols. It’s relatively easy with UNIX, too, since you can make standard modifications to the Pluggable Authentication Module (PAM) to identify users this way. By now, most UNIX programs should be capable of turning to PAM to verify users’ identities. You direct telnet, FTP and other programs to use PAM to identify users. You then direct PAM to make use of LDAP and Kerberos.
On mainframes with z/OS, some software, such as CICS and DB2, support LDAP and Kerberos. Other software is scheduled to support them, but isn’t yet available.
The second aspect of software evaluation addresses programs that can benefit from information stored in LDAP. These include email, phone directories, print programs and others. For example, if you define printers and their locations and characteristics in the LDAP directory, a print program can ask a user to specify which nearby color printer to use.
Define your architecture for access control. To define your architecture for access control, start with the basic premise that each platform is responsible for protecting its own resources. If you allow individual users (not groups) to be granted access to individual files and resources throughout your configuration, you will end up with a spaghetti-like mess of permissions that will be difficult to clean up. You will also need a userid on each platform to perform security administration for the files and resources located on the platform.
For cross-platform security, you will want to enforce Role-Based Access Control (RBAC). Define groups that represent collections of access privileges corresponding to specified roles, such as “accounts payable clerk.” Grant each of these groups the privileges it needs on the platform where the files and resources are located. Then you can simply connect users to these groups and remove them from the groups as needed. This will entail much less overhead and confusion than permitting each individual user to each individual file or resource. Using RBAC can make it possible to avoid having a userid for security administration on each platform. This is another example of management preparation for LDAP that will benefit your organization whether or not you use LDAP.
Plan your encryption implementation. Decide which links, applications and data will need to be encrypted when passing between two platforms. Get direction from your Compliance or Legal departments to do this. You can then specify that Kerberos provide encryption only for the instances where you need it.
Finally, you will need to address a few miscellaneous tasks. Since Kerberos relies on time-of-day, you will need to synchronize the clocks across the platforms. You will also need to provide performance tuning and load balancing for servers. To avoid having a single point of failure, you will want to provide replication of both LDAP and Kerberos servers.
You will also need to conduct an overall risk assessment to ensure that connecting the various platforms doesn’t create new security exposures. Evaluate what the risk would be to other platforms if any individual platform’s security were to be broken. Ensure that passwords aren’t readable anywhere in the entire configuration.
All this work may seem daunting. However, it can be accomplished gradually. The planning, organization, standardization and security that result will benefit your organization whether or not you use LDAP and Kerberos. These benefits will be more significant as more of the computers you manage become interconnected.
“Cross-Platform Security: Recommended Solutions for Common Problems,” Enterprise Tech Journal, Winter 2012/2013 available at http://esmpubs.com/u4eqv
“Cross-Platform Security: The Role of LDAP,” Enterprise Tech Journal, May 2013 available at http://esmpubs.com/vwfm5
“Cross-Platform Security: How Kerberos Works With LDAP,” Enterprise Tech Journal, August/September 2013 available at http://esmpubs.com/s7jdx.