
Title: Centralized Authorization Using a Direct Service, Part II

Technical Report · DOI: https://doi.org/10.2172/826993 · OSTI ID: 826993

Authorization is the process of deciding whether entity X is allowed to have access to resource Y. Determining the identity of X is the job of the authentication process. One task of authorization in computer networks is to define and determine which user has access to which computers in the network. On Linux, the tendency is to create a local account for every user who should be allowed to log on to a computer. This is typically the case because a user needs not only login privileges on a computer but also additional resources, such as a home directory, to actually do some work. Creating a local account on every computer takes care of all this. The problem with this approach is that these local accounts can be inconsistent with each other. The same user name could have a different user ID and/or group ID on different computers. Even more problematic is when two different accounts share the same user ID and group ID on different computers: user joe on computer1 could have user ID 1234 and group ID 56, and user jane on computer2 could have the same user ID 1234 and group ID 56. This is a big security risk when shared resources like NFS are used. To an NFS server these two different accounts are the same, so these users can wipe out each other's files. The solution to this inconsistency problem is to have only one central, authoritative data source for this kind of information and a means of providing all your computers with access to this central source. This is what a "Directory Service" is. The two directory services most widely used for centralizing authorization data are the Network Information Service (NIS, formerly known as Yellow Pages or YP) and the Lightweight Directory Access Protocol (LDAP).
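
An added example (not from the report): a Python check that compares passwd(5)-format files collected from several hosts and flags the two inconsistencies described above, one UID used by different accounts and one account name with different IDs. The alice account, the file contents, and the names `parse_passwd` and `audit` are constructed for this example; joe and jane follow the abstract.

```python
from collections import defaultdict

# Constructed sample /etc/passwd contents, keyed by host name (not real data).
SAMPLE_PASSWD = {
    "computer1": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "joe:x:1234:56:Joe:/home/joe:/bin/bash\n"
        "alice:x:2001:100:Alice:/home/alice:/bin/bash\n"
    ),
    "computer2": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "jane:x:1234:56:Jane:/home/jane:/bin/bash\n"
        "alice:x:2002:100:Alice:/home/alice:/bin/bash\n"
    ),
}


def parse_passwd(text):
    """Yield (name, uid, gid) from passwd(5)-format text, skipping bad lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # malformed line or NIS compat entry such as "+::::::"
        yield fields[0], int(fields[2]), int(fields[3])


def audit(passwd_by_host):
    """Return (uid -> {name: [hosts]}, name -> {(uid, gid): [hosts]}) conflicts."""
    by_uid = defaultdict(lambda: defaultdict(list))
    by_name = defaultdict(lambda: defaultdict(list))
    for host in sorted(passwd_by_host):
        for name, uid, gid in parse_passwd(passwd_by_host[host]):
            by_uid[uid][name].append(host)
            by_name[name][(uid, gid)].append(host)
    # A UID is a collision only if more than one account name maps to it.
    collisions = {u: dict(n) for u, n in by_uid.items() if len(n) > 1}
    # A name is a mismatch only if it carries more than one (uid, gid) pair.
    mismatches = {n: dict(i) for n, i in by_name.items() if len(i) > 1}
    return collisions, mismatches


if __name__ == "__main__":
    collisions, mismatches = audit(SAMPLE_PASSWD)
    for uid, names in sorted(collisions.items()):
        print(f"UID {uid} shared by different accounts: {names}")
    for name, ids in sorted(mismatches.items()):
        print(f"account {name} has inconsistent IDs: {ids}")
```

The root entry, identical on both hosts, is not reported; only entries that differ between hosts are.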

Research Organization: SLAC National Accelerator Lab., Menlo Park, CA (United States)
Sponsoring Organization: USDOE Office of Science (US)
DOE Contract Number: AC03-76SF00515
OSTI ID: 826993
Report Number(s): SLAC-PUB-10467; TRN: US200428%%1572
Resource Relation: Other Information: PBD: 9 Jun 2004
Country of Publication: United States
Language: English