auth-client-config for integration with LDAPAuthentication
Rick Clark
rick.clark at canonical.com
Thu Jul 19 14:16:15 UTC 2007
AD is the next step. I only chose ldap first, because it is easier for
me to test, and I wanted to get something into gutsy.
I read your whitepaper at the sprint. I noticed you had done a few
things differently than clifton1, who is also working on it.
BTW,
The last time I checked, smbmount still did not have working kerberos
support.
On Thu, 2007-07-19 at 10:01 -0400, Peter Matulis wrote:
> Hi Server team,
>
> The Support team receives requests for single-signon authentication with
> Active Directory on a regular basis. So this work is a definite plus
> from the paid customer's point of view. I've managed to implement this
> manually with the exception of mounting an AD share automatically (i.e.
> user's home share) using pam_mount. I began to write a whitepaper on
> it. Hopefully pam_mount can also be included in the
> 'auth-client-config' work.
>
> I'm willing to help test the new script here in the Support office.
>
> Thank you,
>
> p.s. Contact me if anyone wants to help me troubleshoot my pam_mount issue.
>
> --
> Peter Matulis, Ubuntu Support Analyst
> Tel: +1 514 940 8917
> Canonical Services and Support
> http://www.canonical.com/support/
> 0x34F740E8 7EFC B394 871D CA0B 6AB7 DB5E 91F8 F8EF 34F7 40E8
>
>
> James Strandboge wrote:
> > Hi,
> >
> > As per the meeting the other day, I created the 'auth-client-config'
> > script to help with management of nsswitch.conf and pam.
> >
> > Summary
> > -------
> > The basic idea came from a conversation with dendrobates, where he
> > wanted a script that debconf (or other programs) could call and handle
> > the updating of pam and nsswitch.conf, ala update-inetd.
> >
> > Implementation
> > --------------
> > auth-client-config is written in python (OO). It is non-interactive cli
> > only. It supports modifying nss, pam-account, pam-auth, pam-password,
> > and pam-session types, and any number of configurable profiles.
> > Profiles are configured in a configuration file (via ConfigParser) that
> > is simply a database of various authentication 'profiles'. Eg, an
> > example entry from the database is:
> >
> > [ldap]
> > nss_passwd=passwd: files ldap
> > nss_group=group: files ldap
> > nss_shadow=shadow: files ldap
> > pam_auth=auth required pam_env.so
> >     auth sufficient pam_unix.so likeauth nullok
> >     auth sufficient pam_ldap.so use_first_pass
> >     auth required pam_deny.so
> > pam_account=account sufficient pam_unix.so
> >     account sufficient pam_ldap.so
> >     account required pam_deny.so
> > pam_password=password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
> >     password sufficient pam_unix.so nullok md5 shadow use_authtok
> >     password sufficient pam_ldap.so use_first_pass
> >     password required pam_deny.so
> > pam_session=session required pam_limits.so
> >     session required pam_unix.so
> >     session optional pam_ldap.so
> >
> > As you can see, this is in the INI config style (this is what
> > ConfigParser supports), and for each 'key', its value is what you want
> > in a particular type.
> >
> > Usage
> > -----
> > To update a particular file, run auth-client-config with the type to
> > modify, and the profile to use. Eg, to update nsswitch.conf with the
> > above ldap entry, you would run:
> >
> > auth-client-config -t nss -p ldap
> >
> > This will change the standard /etc/nsswitch.conf file to:
> > ...
> > # pre_auth-client-config # passwd: compat
> > passwd: files ldap
> > # pre_auth-client-config # group: compat
> > group: files ldap
> > # pre_auth-client-config # shadow: compat
> > shadow: files ldap
> > ...
> >
> > The '# pre_auth-client-config #' comment allows for users to easily back
> > out changes to the original, pre-auth-client-config state.
> >
> > auth-client-config also supports an '-f' option for specifying a
> > different file to use than the default (eg /tmp/nsswitch.conf, instead
> > of /etc/nsswitch.conf), and also a '-n' option for a dry-run that will
> > not modify anything. See the man page for all options.
> >
> > Discussion
> > ----------
> > I envision this being integrated with dendrobates' work, where he will
> > setup the various profiles for auth-client-config (see TODO for more
> > discussion). The profile name will correspond to a debconf option in
> > his 'ldap-auth-client' package. Eg:
> >
> > Choose an authentication/authorization method:
> >
> > Ubuntu Directory
> > Active Directory
> > Fedora Directory Server
> > Novell
> > LDAP
> > Local
> >
> > Ok
> >
> > If the user chooses 'Active Directory' say, then debconf would run:
> > auth-client-config -t nss -p ad
> > auth-client-config -t pam_auth -p ad
> > auth-client-config -t pam_account -p ad
> > auth-client-config -t pam_password -p ad
> > auth-client-config -t pam_session -p ad
> >
> > and auth-client-config's profiles database would have:
> > [ad]
> > ...
> >
> >
> > TODO
> > ----
> > 1. Move some configuration from auth-client-config
> > into /etc/auth-client-config/acc.conf
> >
> > 2. Currently, the database is stored
> > in /etc/auth-client-config/profile.d/acc-default. This value is hard
> > coded. I plan on making auth-client-config support reading all files
> > from the /etc/auth-client-config/profile.d directory, so that packages
> > can drop in authentication profiles, and have them picked up easily.
> >
> > Eg, dendrobates' 'ldap-auth-client' package might create:
> > /etc/auth-client-config/profile.d/ldap
> >
> > and a future kerberos-auth-client might create:
> > /etc/auth-client-config/profile.d/kerberos
> >
> > The design also supports local administrators to create their own
> > profiles, so that site wide network authentication roll-outs can be
> > better supported. Eg, the sysadmin at ABC.com might create:
> > /etc/auth-client-config/profile.d/abc
> >
> > Through creative use of install scripts/kickstart/etc, they can get
> > unattended client installs that end up with proper configuration of
> > network authentication.
> >
> > 'authtool' could also create profiles and use auth-client-config as a
> > backend.
> >
> > Users could create different profiles for different networks, and add
> > these to /etc/auth-client-config/profile.d/ (maybe even for future
> > network-manager integration).
> >
> > 3. create some testing scripts for automated testing
> >
> > 4. testing, testing, and more testing
> >
> >
> > Download
> > --------
> > Currently the files are at:
> > http://www.strandboge.com/software/auth-client-config/
> >
> > There is a deb file too. This has been tested on dapper, but should
> > work on any system supporting python 2.4.
> >
> >
> >
> > Take a look at the man page (or run 'auth-client-config -h'). I highly
> > recommend running this as non-root against non-system files until it has
> > received thorough testing. If running as root, be sure to make backups
> > of /etc/nsswitch.conf and /etc/pam.d/common-*, and leave one root
> > terminal/console open (sudo is not enough!) while testing logins in
> > another, so you can back out the changes.
> >
> > Please feel free to give me feedback or ask questions.
> >
> >
> > Jamie Strandboge (aka 'jdstrand' on IRC)
> >
> >
> >
>
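Added example, not code from the auth-client-config project or from any of the posters above: a plain Python 3 reimplementation of the scheme the quoted announcement describes, namely reading an INI profile database with ConfigParser, swapping the passwd/group/shadow lines of nsswitch.conf and the stack of a /etc/pam.d/common-* file for the profile's lines, and keeping every replaced original behind the '# pre_auth-client-config #' marker so the change can be backed out. The function names (load_profiles, nss_profile, pam_lines, apply_nss, revert_nss, apply_pam, revert_pam), the sample profile and the sample nsswitch.conf and common-auth contents are all constructed for this example. It works on strings rather than touching /etc, so it can be tried the way the announcement recommends, as non-root and against non-system files.

```python
"""Added example (not auth-client-config's source): the rewrite-and-back-out
scheme from the announcement in plain Python 3, for trying against
non-system files. All names and sample files here are constructed."""
import configparser
import re

MARKER = "# pre_auth-client-config # "     # marker shown in the announcement
NSS_KEYS = ("nss_passwd", "nss_group", "nss_shadow")
_DB_RE = re.compile(r"^\s*([a-z_]+)\s*:")  # matches 'passwd:', 'group:', ...

# Constructed profile database in the post's INI layout. ConfigParser needs
# the continuation lines of a multi-line value to be indented.
SAMPLE_PROFILES = """\
[ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
pam_auth=auth required pam_env.so
    auth sufficient pam_unix.so likeauth nullok
    auth sufficient pam_ldap.so use_first_pass
    auth required pam_deny.so
"""
# Constructed stand-ins for /etc/nsswitch.conf and /etc/pam.d/common-auth.
SAMPLE_NSSWITCH = """\
# constructed nsswitch.conf
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
"""
SAMPLE_COMMON_AUTH = """\
# constructed common-auth
auth    required        pam_unix.so nullok_secure
"""

def load_profiles(text):
    cp = configparser.RawConfigParser()  # no '%' interpolation of PAM args
    cp.read_string(text)
    return cp

def nss_profile(cp, name):
    """Database name -> replacement line, e.g. 'passwd' -> 'passwd: files ldap'."""
    prof = {}
    for key in NSS_KEYS:
        if cp.has_option(name, key):
            value = cp.get(name, key).strip()
            prof[value.split(":", 1)[0].strip()] = value
    return prof

def pam_lines(cp, name, key):
    """One PAM stack (e.g. 'pam_auth') as a list of lines, blanks dropped."""
    return [l.strip() for l in cp.get(name, key).splitlines() if l.strip()]

def _active(line):
    return bool(line.strip()) and not line.lstrip().startswith("#")

def revert_nss(text):
    """Undo apply_nss: unmark the originals, drop the lines that replaced them."""
    lines = text.splitlines()
    marked = set()
    for line in lines:
        if line.startswith(MARKER):
            m = _DB_RE.match(line[len(MARKER):])
            if m:
                marked.add(m.group(1))
    out = []
    for line in lines:
        if line.startswith(MARKER):
            out.append(line[len(MARKER):])
            continue
        m = _DB_RE.match(line)
        if m and m.group(1) in marked:
            continue                  # replacement written by an earlier apply
        out.append(line)
    return "\n".join(out) + "\n"

def apply_nss(text, profile):
    """Replace each database line named in profile, keeping the original behind
    MARKER. Reverts first so a second apply does not stack markers.
    Returns (new_text, sorted databases that were not present in the file)."""
    out, seen = [], set()
    for line in revert_nss(text).splitlines():
        m = _DB_RE.match(line)
        if m and m.group(1) in profile:
            out.append(MARKER + line)
            out.append(profile[m.group(1)])
            seen.add(m.group(1))
        else:
            out.append(line)
    # Missing databases are reported, not appended: with no original line to
    # preserve, an appended line could not be backed out by revert_nss.
    return "\n".join(out) + "\n", sorted(set(profile) - seen)

def revert_pam(text):
    """Undo apply_pam. A file with no marker lines is returned untouched."""
    lines = text.splitlines()
    if not any(l.startswith(MARKER) for l in lines):
        return text
    out = [l[len(MARKER):] if l.startswith(MARKER) else l
           for l in lines if l.startswith(MARKER) or not _active(l)]
    return "\n".join(out) + "\n"

def apply_pam(text, stack):
    """Replace the file's whole PAM stack with the profile's lines; comments stay."""
    out = [MARKER + l if _active(l) else l for l in revert_pam(text).splitlines()]
    return "\n".join(out + stack) + "\n"

if __name__ == "__main__":           # dry run: nothing on disk is touched
    cp = load_profiles(SAMPLE_PROFILES)
    new_nss, missing = apply_nss(SAMPLE_NSSWITCH, nss_profile(cp, "ldap"))
    print(new_nss, "missing:", missing)
    print(apply_pam(SAMPLE_COMMON_AUTH, pam_lines(cp, "ldap", "pam_auth")))
    assert revert_nss(new_nss) == SAMPLE_NSSWITCH
```

Two design points worth noting when testing something like this for real. The marker lines are the only undo record, so apply reverts before it rewrites; otherwise running the same profile twice would comment out the line it wrote the first time and stack markers. A database that is missing from nsswitch.conf is reported instead of appended, because an appended line has no original to restore. The profile's PAM stacks in the announcement each end in a 'required pam_deny.so' line, which is what keeps them fail-closed when every 'sufficient' module declines; keep that line when writing local profiles, and follow the announcement's advice of keeping a root shell open while you test logins in another terminal.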