auth-client-config for integration with LDAPAuthentication

Rick Clark rick.clark at canonical.com
Thu Jul 19 14:16:15 UTC 2007


AD is the next step.  I only chose ldap first, because it is easier for
me to test, and I wanted to get something into gutsy.   
I read your whitepaper at the sprint.  I noticed you had done a few
things different than clifton1, who is also working on it.  

BTW,
The last time I checked, smbmount still did not have working kerberos
support.  

On Thu, 2007-07-19 at 10:01 -0400, Peter Matulis wrote:
> Hi Server team,
> 
> The Support team receives requests for single-signon authentication with
> Active Directory on a regular basis.  So this work is a definite plus
> from the paid customer's point of view.  I've managed to implement this
> manually with the exception of mounting an AD share automatically (i.e.
> user's home share) using pam_mount.  I began to write a whitepaper on
> it.  Hopefully pam_mount can also be included in the
> 'auth-client-config' work.
> 
> I'm willing to help test the new script here in the Support office.
> 
> Thank you,
> 
> p.s. Contact me if anyone wants to help me troubleshoot my pam_mount issue.
> 
> -- 
> Peter Matulis, Ubuntu Support Analyst
> Tel: +1 514 940 8917
> Canonical Services and Support
> http://www.canonical.com/support/
> 0x34F740E8  7EFC B394 871D CA0B 6AB7 DB5E 91F8 F8EF 34F7 40E8
> 
> 
> James Strandboge wrote:
> > Hi,
> > 
> > As per the meeting the other day, I created the 'auth-client-config'
> > script to help with management of nsswitch.conf and pam.  
> > 
> > Summary
> > -------
> > The basic idea came from a conversation with dendrobates, where he
> > wanted a script that debconf (or other programs) could call and handle
> > the updating of pam and nsswitch.conf, ala update-inetd.
> > 
> > Implementation
> > --------------
> > auth-client-config is written in python (OO).  It is non-interactive cli
> > only.  It supports modifying nss, pam-account, pam-auth, pam-password,
> > and pam-session types, and any number of configurable profiles.
> > Profiles are configured in a configuration file (via ConfigParser) that
> > is simply a database of various authentication 'profiles'.  Eg, an
> > example entry from the database is:
> > 
> > [ldap]
> > nss_passwd=passwd: files ldap
> > nss_group=group: files ldap
> > nss_shadow=shadow: files ldap
> > pam_auth=auth       required     pam_env.so
> >         auth       sufficient   pam_unix.so likeauth nullok
> >         auth       sufficient   pam_ldap.so use_first_pass
> >         auth       required     pam_deny.so
> > pam_account=account    sufficient   pam_unix.so
> >         account    sufficient   pam_ldap.so
> >         account    required     pam_deny.so
> > pam_password=password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
> >         password   sufficient   pam_unix.so nullok md5 shadow use_authtok
> >         password   sufficient   pam_ldap.so use_first_pass
> >         password   required     pam_deny.so
> > pam_session=session    required     pam_limits.so
> >         session    required     pam_unix.so
> >         session    optional     pam_ldap.so
> > 
> > As you can see, this is in the INI config style (this is what
> > ConfigParser supports), and for each 'key', its value is what you want
> > in a particular type. 
> > 
> > Usage
> > -----
> > To update a particular file, run auth-client-config with the type to
> > modify, and the profile to use.  Eg, to update nsswitch.conf with the
> > above ldap entry, you would run:
> > 
> > auth-client-config -t nss -p ldap
> > 
> > This will change the standard /etc/nsswitch.conf file to:
> > ...
> > # pre_auth-client-config # passwd:         compat
> > passwd: files ldap
> > # pre_auth-client-config # group:          compat
> > group: files ldap
> > # pre_auth-client-config # shadow:         compat
> > shadow: files ldap
> > ...
> > 
> > The '# pre_auth-client-config #' comment allows for users to easily back
> > out changes to the original, pre-auth-client-config state.
> > 
> > auth-client-config also supports an '-f' option for specifying a
> > different file to use than the default (eg /tmp/nsswitch.conf, instead
> > of /etc/nsswitch.conf), and also a '-n' option for a dry-run that will
> > not modify anything.  See the man page for all options.
> > 
> > Discussion
> > ----------
> > I envision this being integrated with dendrobates' work, where he will
> > setup the various profiles for auth-client-config (see TODO for more
> > discussion).  The profile name will correspond to a debconf option in
> > his 'ldap-auth-client' package.  Eg:
> > 
> > Choose an authentication/authorization method:
> > 
> > 		Ubuntu Directory
> > 		Active Directory
> > 		Fedora Directory Server
> > 		Novell
> > 		LDAP
> > 		Local
> > 
> > 		Ok
> > 
> > If the user chooses 'Active Directory' say, then debconf would run:
> > auth-client-config -t nss -p ad
> > auth-client-config -t pam_auth -p ad
> > auth-client-config -t pam_account -p ad
> > auth-client-config -t pam_password -p ad
> > auth-client-config -t pam_session -p ad
> > 
> > and auth-client-config's profiles database would have:
> > [ad]
> > ...
> > 
> > 
> > TODO
> > ----
> > 1. Move some configuration from auth-client-config
> > into /etc/auth-client-config/acc.conf
> > 
> > 2. Currently, the database is stored
> > in /etc/auth-client-config/profile.d/acc-default.  This value is hard
> > coded.  I plan on making auth-client-config support reading all files
> > from the /etc/auth-client-config/profile.d directory, so that packages
> > can drop in authentication profiles, and have them picked up easily.
> > 
> > Eg, dendrobates' 'ldap-auth-client' package might create:
> > /etc/auth-client-config/profile.d/ldap
> > 
> > and a future kerberos-auth-client might create:
> > /etc/auth-client-config/profile.d/kerberos
> > 
> > The design also supports local administrators to create their own
> > profiles, so that site wide network authentication roll-outs can be
> > better supported.  Eg, the sysadmin at ABC.com might create:
> > /etc/auth-client-config/profile.d/abc
> > 
> > Through creative use of install scripts/kickstart/etc, they can get
> > unattended client installs that end up with proper configuration of
> > network authentication.
> > 
> > 'authtool' could also create profiles and use auth-client-config as a
> > backend.
> > 
> > Users could create different profiles for different networks, and add
> > these to /etc/auth-client-config/profile.d/ (maybe even for future
> > network-manager integration)
> > 
> > 3. create some testing scripts for automated testing
> > 
> > 4. testing, testing, and more testing
> > 
> > 
> > Download
> > --------
> > Currently the files are at:
> > http://www.strandboge.com/software/auth-client-config/
> > 
> > There is a deb file too.  This has been tested on dapper, but should
> > work on any system supporting python 2.4.
> > 
> > 
> > 
> > Take a look at the man page (or run 'auth-client-config -h').  I highly
> > recommend running this as non-root against non-system files until it has
> > received thorough testing.  If running as root, be sure to make backups
> > of /etc/nsswitch.conf and /etc/pam.d/common-*, and leave one root
> > terminal/console open (sudo is not enough!) while testing logins in
> > another, so you can back out the changes.  
> > 
> > Please feel free to give me feedback or ask questions.
> > 
> > 
> > Jamie Strandboge (aka 'jdstrand' on IRC)
> > 
> > 
> > 
> 
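Worked example added here (not jdstrand's auth-client-config code): a small Python re-implementation of the nss type described above, showing how the '# pre_auth-client-config #' marker both preserves the original line and makes backing the change out mechanical, and why a second run must be refused so the real original is never buried. The profile database, nsswitch.conf excerpt and function names are constructed for this example.

```python
#!/usr/bin/env python3
"""Illustrative re-implementation of the 'nss' type of auth-client-config.
Constructed example; not the project's own code."""
import configparser

MARKER = "# pre_auth-client-config # "

# Constructed profile database in the INI style from the mail.
PROFILE_DB = """
[ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
"""

# Constructed excerpt of a stock nsswitch.conf.
NSSWITCH = """passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
"""


def load_profile(db_text, profile):
    """Return {database: 'database: sources'} for one profile's nss_* keys."""
    cp = configparser.ConfigParser()
    cp.read_string(db_text)
    return {k[len("nss_"):]: v for k, v in cp[profile].items() if k.startswith("nss_")}


def apply_nss(conf_text, nss_lines):
    """Replace each configured database line, keeping the original directly
    above it behind MARKER. A database that already carries a marker is
    refused: re-running would otherwise comment out the replacement and
    lose track of the true pre-change line."""
    out = []
    for line in conf_text.splitlines():
        if line.startswith(MARKER):
            if line[len(MARKER):].split(":", 1)[0].strip() in nss_lines:
                raise ValueError("already modified by auth-client-config; back out first")
            out.append(line)
            continue
        db = line.split(":", 1)[0].strip() if ":" in line else None
        if db in nss_lines:
            out.append(MARKER + line)   # preserved original
            out.append(nss_lines[db])   # active line from the profile
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def backout(conf_text):
    """Restore the pre-auth-client-config state: for every marker line, drop
    the active line that follows it and un-comment the original."""
    out, lines, i = [], conf_text.splitlines(), 0
    while i < len(lines):
        if lines[i].startswith(MARKER):
            out.append(lines[i][len(MARKER):])
            i += 2   # skip the marker and the line it replaced
        else:
            out.append(lines[i])
            i += 1
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Dry run in the spirit of '-n': compute the new file, write nothing.
    print(apply_nss(NSSWITCH, load_profile(PROFILE_DB, "ldap")))
```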