auth-client-config for integration with LDAPAuthentication
Peter Matulis
peter.matulis at canonical.com
Thu Jul 19 14:01:38 UTC 2007
Hi Server team,
The Support team receives requests for single sign-on authentication with
Active Directory on a regular basis. So this work is a definite plus
from the paid customer's point of view. I've managed to implement this
manually with the exception of mounting an AD share automatically (i.e.
user's home share) using pam_mount. I began to write a whitepaper on
it. Hopefully pam_mount can also be included in the
'auth-client-config' work.
I'm willing to help test the new script here in the Support office.
Thank you,
p.s. Contact me if anyone wants to help me troubleshoot my pam_mount issue.
--
Peter Matulis, Ubuntu Support Analyst
Tel: +1 514 940 8917
Canonical Services and Support
http://www.canonical.com/support/
0x34F740E8 7EFC B394 871D CA0B 6AB7 DB5E 91F8 F8EF 34F7 40E8
James Strandboge wrote:
> Hi,
>
> As per the meeting the other day, I created the 'auth-client-config'
> script to help with management of nsswitch.conf and pam.
>
> Summary
> -------
> The basic idea came from a conversation with dendrobates, where he
> wanted a script that debconf (or other programs) could call and handle
> the updating of pam and nsswitch.conf, ala update-inetd.
>
> Implementation
> --------------
> auth-client-config is written in python (OO). It is non-interactive cli
> only. It supports modifying nss, pam-account, pam-auth, pam-password,
> and pam-session types, and any number of configurable profiles.
> Profiles are configured in a configuration file (via ConfigParser) that
> is simply a database of various authentication 'profiles'. Eg, an
> example entry from the database is:
>
> [ldap]
> nss_passwd=passwd: files ldap
> nss_group=group: files ldap
> nss_shadow=shadow: files ldap
> pam_auth=auth required pam_env.so
>     auth sufficient pam_unix.so likeauth nullok
>     auth sufficient pam_ldap.so use_first_pass
>     auth required pam_deny.so
> pam_account=account sufficient pam_unix.so
>     account sufficient pam_ldap.so
>     account required pam_deny.so
> pam_password=password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
>     password sufficient pam_unix.so nullok md5 shadow use_authtok
>     password sufficient pam_ldap.so use_first_pass
>     password required pam_deny.so
> pam_session=session required pam_limits.so
>     session required pam_unix.so
>     session optional pam_ldap.so
>
> As you can see, this is in the INI config style (this is what
> ConfigParser supports), and for each 'key', its value is what you want
> in a particular type.
>
> Usage
> -----
> To update a particular file, run auth-client-config with the type to
> modify, and the profile to use. Eg, to update nsswitch.conf with the
> above ldap entry, you would run:
>
> auth-client-config -t nss -p ldap
>
> This will change the standard /etc/nsswitch.conf file to:
> ...
> # pre_auth-client-config # passwd: compat
> passwd: files ldap
> # pre_auth-client-config # group: compat
> group: files ldap
> # pre_auth-client-config # shadow: compat
> shadow: files ldap
> ...
>
> The '# pre_auth-client-config #' comment allows for users to easily back
> out changes to the original, pre-auth-client-config state.
>
> auth-client-config also supports an '-f' option for specifying a
> different file to use than the default (eg /tmp/nsswitch.conf, instead
> of /etc/nsswitch.conf), and also a '-n' option for a dry-run that will
> not modify anything. See the man page for all options.
>
> Discussion
> ----------
> I envision this being integrated with dendrobates' work, where he will
> set up the various profiles for auth-client-config (see TODO for more
> discussion). The profile name will correspond to a debconf option in
> his 'ldap-auth-client' package. Eg:
>
> Choose an authentication/authorization method:
>
> Ubuntu Directory
> Active Directory
> Fedora Directory Server
> Novell
> LDAP
> Local
>
> Ok
>
> If the user chooses 'Active Directory' say, then debconf would run:
> auth-client-config -t nss -p ad
> auth-client-config -t pam_auth -p ad
> auth-client-config -t pam_account -p ad
> auth-client-config -t pam_password -p ad
> auth-client-config -t pam_session -p ad
>
> and auth-client-config's profiles database would have:
> [ad]
> ...
>
>
> TODO
> ----
> 1. Move some configuration from auth-client-config
> into /etc/auth-client-config/acc.conf
>
> 2. Currently, the database is stored
> in /etc/auth-client-config/profile.d/acc-default. This value is hard
> coded. I plan on making auth-client-config support reading all files
> from the /etc/auth-client-config/profile.d directory, so that packages
> can drop in authentication profiles, and have them picked up easily.
>
> Eg, dendrobates' 'ldap-auth-client' package might create:
> /etc/auth-client-config/profile.d/ldap
>
> and a future kerberos-auth-client might create:
> /etc/auth-client-config/profile.d/kerberos
>
> The design also supports local administrators to create their own
> profiles, so that site wide network authentication roll-outs can be
> better supported. Eg, the sysadmin at ABC.com might create:
> /etc/auth-client-config/profile.d/abc
>
> Through creative use of install scripts/kickstart/etc, they can get
> unattended client installs that end up with proper configuration of
> network authentication.
>
> 'authtool' could also create profiles and use auth-client-config as a
> backend.
>
> Users could create different profiles for different networks, and add
> these to /etc/auth-client-config/profile.d/ (maybe even for future
> network-manager integration).
>
> 3. create some testing scripts for automated testing
>
> 4. testing, testing, and more testing
>
>
> Download
> --------
> Currently the files are at:
> http://www.strandboge.com/software/auth-client-config/
>
> There is a deb file too. This has been tested on dapper, but should
> work on any system supporting python 2.4.
>
>
>
> Take a look at the man page (or run 'auth-client-config -h'). I highly
> recommend running this as non-root against non-system files until it has
> received thorough testing. If running as root, be sure to make backups
> of /etc/nsswitch.conf and /etc/pam.d/common-*, and leave one root
> terminal/console open (sudo is not enough!) while testing logins in
> another, so you can back out the changes.
>
> Please feel free to give me feedback or ask questions.
>
>
> Jamie Strandboge (aka 'jdstrand' on IRC)
>
>
>
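As an added illustration (not part of either message, and not the auth-client-config script itself), here is a small Python 3 sketch of the mechanism the quoted post describes: read one profile out of the INI database with ConfigParser, rewrite the nss lines of nsswitch.conf while preserving each original line behind the '# pre_auth-client-config #' marker, and back the change out again. The profile text, the nsswitch.conf contents and the function names are constructed for this example.

```python
import configparser

MARKER = "# pre_auth-client-config # "
# Constructed sample profile database in the INI layout the post shows.
PROFILE_DB = """\
[ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
"""
# Constructed sample nsswitch.conf before any change.
NSSWITCH_BEFORE = "passwd: compat\ngroup: compat\nshadow: compat\nhosts: files dns\n"


def load_profile(db_text, name):
    """Return the key/value pairs of one [profile] section of the database."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(db_text)
    return dict(cp.items(name))


def apply_nss(text, profile):
    """Swap in the nss_* lines of a profile, keeping each original as a marker comment."""
    # Map database name (passwd, group, ...) to the full replacement line.
    wanted = {v.split(":", 1)[0].strip(): v for k, v in profile.items() if k.startswith("nss_")}
    out, after_marker = [], False
    for line in text.splitlines():
        db = line.split(":", 1)[0].strip() if ":" in line else None
        if line.startswith(MARKER):
            out.append(line)            # original already preserved; re-running is safe
            after_marker = True
        elif after_marker:
            out.append(wanted.pop(db, line))  # overwrite the earlier substitution
            after_marker = False
        elif db in wanted and not line.startswith("#"):
            out.append(MARKER + line)   # back up the original line as a comment
            out.append(wanted.pop(db))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def revert_nss(text):
    """Undo apply_nss: restore each marker's original line and drop the substitute."""
    lines, out, i = text.splitlines(), [], 0
    while i < len(lines):
        if lines[i].startswith(MARKER):
            out.append(lines[i][len(MARKER):])
            i += 2                      # skip the substitute line after the marker
        else:
            out.append(lines[i])
            i += 1
    return "\n".join(out) + "\n"
```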