Call for help with Ubuntu Server.

Etienne Goyer etienne.goyer at canonical.com
Fri Jul 13 16:14:34 BST 2007


Rick,

Rick Clark wrote:
> As I am sure everyone on this list knows, Ubuntu has a long way to go
> in improving directory services clients and servers.  I would like to
> get started, but I will need help from the community to do so.


I am thrilled someone is finally taking the bull by the horns and doing
something to streamline network authentication in Ubuntu.  We lag *way*
behind other enterprise Linux distributions in this regard, but I am
confident we can reach parity in very short order if someone puts some
elbow grease into it.

(  I wish that someone would be me, but I doubt you would like to hear
my lame excuses on the subject ... :(  )



> I would like to try to get basic ldap authentication, into Gutsy.  I
> think this should be easy to do, and will help develop the groundwork
> and community needed for gutsy+1, when hopefully, openldap2.4 or FDS
> packages will be ready.

The choice between FDS and OpenLDAP will need to be debated eventually.
I heard (correct me if wrong) that OpenLDAP 2.4 will have multi-master
replication.  That's awesome.


> Please take a look at the following spec.
> 
> https://wiki.ubuntu.com/LDAPAuthentication

Looks good.  The thing that jumps out at me in the first place is that
libnss-ldap and libpam-ldap need to be accepted into main ASAP.
Otherwise, critical pieces of the solution will not be officially
maintained by ubuntu-core-dev and monitored by the security team; I
think this is particularly important for something related to
authentication.  If we are serious about network authentication, we need
to send the message that we stand behind our project.

I think the current obstacle to having these into main is a race
condition between udev and libnss-ldap.  I am somewhat sketchy on the
details, but it would be worth investigating.

One issue I have with Ubuntu clients that use LDAP in NSS for the group
database is that Ubuntu clients rely on group membership (video, audio,
etc) to arbitrate access to hardware devices.  With other distributions,
I like to have "group: compat ldap" in /etc/nsswitch.conf so that
low-numbered gids are looked up locally.  This does not work too well
with Ubuntu clients, as we cannot be expected to manage membership in
these low-numbered groups in /etc/group on each client machine.  This
means we have to have ldap *before* compat or files in the lookup order,
and manage the audio, video, plugdev, etc groups in LDAP.  I would be
curious to hear about how other Ubuntu sysadmins are dealing with that.


The spec makes many mentions of ldap.secret.  Personally, I have never
been much of a fan of storing administrative passwords in cleartext on
the filesystem, even if the permissions are tight.  Fortunately, I do not
think we actually need to use this file at all.  I generally make
posixAccount and posixGroup, except for the userPassword attribute,
readable via anonymous bind.  Some people jump when I say that, but
/etc/passwd and /etc/group are world-readable after all; if the content
of these databases being accessible through the network is an issue, it
is always possible to limit access based on IP (or authenticate
connections using certificates, if you are fancy).  PAM, of course, uses
pam_ldap.so, which needs to be configured for SSL/TLS.  Password changes
use the EXOP mechanism.  That way, you can do without ldap.secret and
credentials are always encrypted in transit.  The only drawback is that
we cannot use LDAP for the shadow database (as it should not be
accessible to anonymous connections), but I doubt we want to do that anyway.

As a side note, did anybody actually look at how LDAP authentication
is implemented in SLES and SLED?  I did a while ago on SLES 9, and it
was very well streamlined, only a few mouse clicks in YaST.  Nifty.


> If anyone is willing to help, please send me a quick email.  Be sure to
> list how you can help.  i.e. packaging, scripting, testing, ... 

Poke me if you ever need to test something.  My schedule is fairly
hectic (like everybody, it seems), so I doubt I can commit much toward
the project but I really want to help whenever possible.


Is anybody on the directory team going to be at Ubuntu Live in two
weeks?  I will.  That would be an awesome opportunity to discuss this
spec further.


Cheers,

-- 
Etienne Goyer
Senior Ubuntu System Support Analyst
Canonical, Ltd
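A worked configuration added here by the editor, not taken from Etienne's mail or from the LDAPAuthentication spec, showing the arrangement he describes: posixAccount and posixGroup attributes readable by anonymous bind but only from a trusted network, userPassword and the shadow attributes withheld from anonymous connections, TLS required for any bind that carries a password, pam_ldap set to STARTTLS with EXOP password changes, and ldap listed before compat for the group database so that audio, video and plugdev membership comes from the directory. The suffix dc=example,dc=com, the 192.0.2.0/24 client network and the host ldap.example.com are assumptions; the file paths are the conventional ones for OpenLDAP, libnss-ldap and libpam-ldap on Debian/Ubuntu.

```conf
# --- /etc/ldap/slapd.conf (server side) ---
# Constructed example: assumes suffix dc=example,dc=com and that clients
# live in 192.0.2.0/24.  Access rules are evaluated first-match, so the
# attribute-level rules come before the subtree-level ones.

# Require encryption (ssf >= 128) for any simple bind that carries a
# password and for any update; anonymous read-only lookups may still
# arrive unencrypted, matching the /etc/passwd-is-world-readable argument.
security simple_bind=128 update_ssf=128

# Password hashes are never readable by anyone.  The owner may replace
# theirs (what the password-modify extended operation needs) and the
# server may compare against them to authenticate a bind.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Shadow data stays off the anonymous path; the owner needs write so that
# shadowLastChange can be updated after a password change.
access to attrs=shadowLastChange,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire,shadowFlag
    by self write
    by * none

# Everything else under the account and group trees is readable the way
# /etc/passwd and /etc/group are, but only from the trusted network, so
# NSS clients need no ldap.secret bind DN at all.
access to dn.subtree="ou=people,dc=example,dc=com"
    by peername.ip=192.0.2.0%255.255.255.0 read
    by * none

access to dn.subtree="ou=groups,dc=example,dc=com"
    by peername.ip=192.0.2.0%255.255.255.0 read
    by * none

# --- /etc/libnss-ldap.conf (client, NSS lookups) ---
uri ldap://ldap.example.com/
base dc=example,dc=com
ldap_version 3
# No binddn/bindpw: lookups are anonymous, so nothing secret sits on disk.

# --- /etc/pam_ldap.conf (client, authentication) ---
uri ldap://ldap.example.com/
base dc=example,dc=com
ldap_version 3
# Upgrade the connection with STARTTLS before the user's password is sent,
# and verify the server certificate so a spoofed directory cannot harvest it.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# Change passwords with the password-modify extended operation (RFC 3062)
# instead of rewriting userPassword directly.
pam_password exop

# --- /etc/nsswitch.conf (client) ---
# Local accounts first, but groups come from LDAP first so that the
# directory's audio/video/plugdev membership wins over /etc/group.
passwd:   compat ldap
group:    ldap compat
shadow:   compat
```

To check the server side, run `ldapsearch -x -H ldap://ldap.example.com/ -b ou=people,dc=example,dc=com` from a client on 192.0.2.0/24 and from elsewhere: the first returns the posixAccount attributes without userPassword or any shadow attribute, the second returns nothing. The one thing to watch with `group: ldap compat` is that the audio, video and plugdev entries in the directory must carry the same gidNumber as the stock /etc/group entries on the client, because the device nodes are owned by the number, not the name.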