auth-client-config for integration with LDAPAuthentication

Peter Matulis peter.matulis at canonical.com
Thu Jul 19 14:01:38 UTC 2007


Hi Server team,

The Support team receives requests for single sign-on authentication with
Active Directory on a regular basis.  So this work is a definite plus
from the paid customer's point of view.  I've managed to implement this
manually with the exception of mounting an AD share automatically (i.e.
user's home share) using pam_mount.  I began to write a whitepaper on
it.  Hopefully pam_mount can also be included in the
'auth-client-config' work.

I'm willing to help test the new script here in the Support office.

Thank you,

p.s. Contact me if anyone wants to help me troubleshoot my pam_mount issue.

-- 
Peter Matulis, Ubuntu Support Analyst
Tel: +1 514 940 8917
Canonical Services and Support
http://www.canonical.com/support/
0x34F740E8  7EFC B394 871D CA0B 6AB7 DB5E 91F8 F8EF 34F7 40E8


James Strandboge wrote:
> Hi,
> 
> As per the meeting the other day, I created the 'auth-client-config'
> script to help with management of nsswitch.conf and pam.  
> 
> Summary
> -------
> The basic idea came from a conversation with dendrobates, where he
> wanted a script that debconf (or other programs) could call and handle
> the updating of pam and nsswitch.conf, ala update-inetd.
> 
> Implementation
> --------------
> auth-client-config is written in python (OO).  It is non-interactive CLI
> only.  It supports modifying nss, pam-account, pam-auth, pam-password,
> and pam-session types, and any number of configurable profiles.
> Profiles are configured in a configuration file (via ConfigParser) that
> is simply a database of various authentication 'profiles'.  Eg, an
> example entry from the database is:
> 
> [ldap]
> nss_passwd=passwd: files ldap
> nss_group=group: files ldap
> nss_shadow=shadow: files ldap
> pam_auth=auth       required     pam_env.so
>         auth       sufficient   pam_unix.so likeauth nullok
>         auth       sufficient   pam_ldap.so use_first_pass
>         auth       required     pam_deny.so
> pam_account=account    sufficient   pam_unix.so
>         account    sufficient   pam_ldap.so
>         account    required     pam_deny.so
> pam_password=password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
>         password   sufficient   pam_unix.so nullok md5 shadow use_authtok
>         password   sufficient   pam_ldap.so use_first_pass
>         password   required     pam_deny.so
> pam_session=session    required     pam_limits.so
>         session    required     pam_unix.so
>         session    optional     pam_ldap.so
> 
> As you can see, this is in the INI config style (this is what
> ConfigParser supports), and for each 'key', its value is what you want
> in a particular type. 
> 
> Usage
> -----
> To update a particular file, run auth-client-config with the type to
> modify, and the profile to use.  Eg, to update nsswitch.conf with the
> above ldap entry, you would run:
> 
> auth-client-config -t nss -p ldap
> 
> This will change the standard /etc/nsswitch.conf file to:
> ...
> # pre_auth-client-config # passwd:         compat
> passwd: files ldap
> # pre_auth-client-config # group:          compat
> group: files ldap
> # pre_auth-client-config # shadow:         compat
> shadow: files ldap
> ...
> 
> The '# pre_auth-client-config #' comment allows for users to easily back
> out changes to the original, pre-auth-client-config state.
> 
> auth-client-config also supports an '-f' option for specifying a
> different file to use than the default (eg /tmp/nsswitch.conf, instead
> of /etc/nsswitch.conf), and also a '-n' option for a dry-run that will
> not modify anything.  See the man page for all options.
> 
> Discussion
> ----------
> I envision this being integrated with dendrobates' work, where he will
> setup the various profiles for auth-client-config (see TODO for more
> discussion).  The profile name will correspond to a debconf option in
> his 'ldap-auth-client' package.  Eg:
> 
> Choose an authentication/authorization method:
> 
> 		Ubuntu Directory
> 		Active Directory
> 		Fedora Directory Server
> 		Novell
> 		LDAP
> 		Local
> 
> 		Ok
> 
> If the user chooses 'Active Directory' say, then debconf would run:
> auth-client-config -t nss -p ad
> auth-client-config -t pam_auth -p ad
> auth-client-config -t pam_account -p ad
> auth-client-config -t pam_password -p ad
> auth-client-config -t pam_session -p ad
> 
> and auth-client-config's profiles database would have:
> [ad]
> ...
> 
> 
> TODO
> ----
> 1. Move some configuration from auth-client-config
> into /etc/auth-client-config/acc.conf
> 
> 2. Currently, the database is stored
> in /etc/auth-client-config/profile.d/acc-default.  This value is hard
> coded.  I plan on making auth-client-config support reading all files
> from the /etc/auth-client-config/profile.d directory, so that packages
> can drop in authentication profiles, and have them picked up easily.
> 
> Eg, dendrobates' 'ldap-auth-client' package might create:
> /etc/auth-client-config/profile.d/ldap
> 
> and a future kerberos-auth-client might create:
> /etc/auth-client-config/profile.d/kerberos
> 
> The design also supports local administrators to create their own
> profiles, so that site wide network authentication roll-outs can be
> better supported.  Eg, the sysadmin at ABC.com might create:
> /etc/auth-client-config/profile.d/abc
> 
> Through creative use of install scripts/kickstart/etc, they can get
> unattended client installs that end up with proper configuration of
> network authentication.
> 
> 'authtool' could also create profiles and use auth-client-config as a
> backend.
> 
> Users could create different profiles for different networks, and add
> these to /etc/auth-client-config/profile.d/ (maybe even for future
> network-manager integration)
> 
> 3. create some testing scripts for automated testing
> 
> 4. testing, testing, and more testing
> 
> 
> Download
> --------
> Currently the files are at:
> http://www.strandboge.com/software/auth-client-config/
> 
> There is a deb file too.  This has been tested on dapper, but should
> work on any system supporting python 2.4.
> 
> 
> 
> Take a look at the man page (or run 'auth-client-config -h').  I highly
> recommend running this as non-root against non-system files until it has
> received thorough testing.  If running as root, be sure to make backups
> of /etc/nsswitch.conf and /etc/pam.d/common-*, and leave one root
> terminal/console open (sudo is not enough!) while testing logins in
> another, so you can back out the changes.  
> 
> Please feel free to give me feedback or ask questions.
> 
> 
> Jamie Strandboge (aka 'jdstrand' on IRC)
> 
> 
> 
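The two mechanisms the announcement above describes, a ConfigParser profile database with `nss_*` keys and the `# pre_auth-client-config #` marker that preserves the original line so a change can be backed out, are small enough to show end to end. The block below is an added example written for this page; it is not the auth-client-config source and does not reproduce its command-line interface. It assumes, beyond what the post states, that the marker prefix is exactly `# pre_auth-client-config # `, that the replacement line always directly follows its marker, and that a profile name appearing in two files under profile.d (TODO 2) should be refused rather than silently overridden by whichever file is read last. The profile database and the stock nsswitch.conf are constructed sample input.

```python
"""nsswitch.conf editing with a back-out marker, in the style of the
auth-client-config announcement (added example, not the tool's code)."""
import configparser
import re

# Assumed marker format: the original line is kept verbatim after this prefix
# and the replacement line is written directly underneath it.
MARKER = "# pre_auth-client-config # "

# Constructed profile database, INI style with nss_<database> keys and
# indented continuation lines for the multi-line pam_* values.
PROFILE_DB = """\
[ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
pam_auth=auth       required     pam_env.so
        auth       sufficient   pam_unix.so likeauth nullok
        auth       sufficient   pam_ldap.so use_first_pass
        auth       required     pam_deny.so
"""

# Constructed stock /etc/nsswitch.conf, as found before any profile is applied.
STOCK_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
networks:       files
"""


def load_profiles(*texts):
    """Merge one or more profile files into {profile: {key: value}}.

    Each text stands for one file dropped into profile.d by a package or by
    the local admin.  A profile name defined twice across files is an error:
    the assumed policy is that no package may silently replace another's
    (or the admin's) authentication profile.
    """
    merged = {}
    for text in texts:
        cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
        cp.read_string(text)          # strict=True also rejects duplicates within a file
        for name in cp.sections():
            if name in merged:
                raise ValueError(f"profile {name!r} defined in more than one file")
            merged[name] = dict(cp.items(name))
    return merged


def restore_nss(text):
    """Back out a previous run: every marker line becomes the original it
    preserved, and the replacement line that follows it is dropped."""
    lines, out, i = text.splitlines(), [], 0
    while i < len(lines):
        if lines[i].startswith(MARKER):
            out.append(lines[i][len(MARKER):])
            i += 2                    # skip the line the previous run inserted
        else:
            out.append(lines[i])
            i += 1
    return "\n".join(out) + "\n"


def apply_nss(text, profile):
    """Apply the nss_* keys of a profile to nsswitch.conf content.

    Restoring first makes the operation idempotent: applying the same or a
    different profile on top of an already-modified file never stacks
    markers, and one restore_nss() always returns to the stock file.
    Databases the file does not mention yet are appended with a marker whose
    preserved 'original' is a comment, so restore still leaves a valid file.
    """
    text = restore_nss(text)
    wanted = {k[len("nss_"):]: v for k, v in profile.items() if k.startswith("nss_")}
    out = []
    for line in text.splitlines():
        m = re.match(r"^(\w+):", line)
        if m and m.group(1) in wanted:
            out.append(MARKER + line)             # keep the pre-change line
            out.append(wanted.pop(m.group(1)))    # then the profile's line
        else:
            out.append(line)
    for db in sorted(wanted):                     # databases absent from the file
        out.append(MARKER + f"# {db}: not set before auth-client-config")
        out.append(wanted[db])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Dry run on the constructed sample: nothing on disk is touched.
    ldap = load_profiles(PROFILE_DB)["ldap"]
    print(apply_nss(STOCK_NSSWITCH, ldap))
```

Working on strings rather than on `/etc/nsswitch.conf` directly is what makes the `-n` dry-run and `-f` alternate-file behaviour from the post cheap to add: write the returned text to the target only after a human or a test has looked at it, and, as the author advises, keep a root shell open while testing the first real login.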



