Difference between revisions of "LDAP Ramblings"

From New IAC Wiki
Jump to navigation Jump to search
Line 64: Line 64:
 
*shadowLastChange
 
*shadowLastChange
  
==Creating a new user==
+
 
*set password in Luma using crypt option
 
*make home directory
 
*Copy /etc/skel over
 
  
 
==Example LDAP Commands==
 
==Example LDAP Commands==

Revision as of 22:49, 5 October 2009

Intro

On the IAC's user accessable Linux servers (Brems, web, Inca, backup) there is a need for centralized user authentication. With the addition of email users this need becomes critical. The proposed solution is to use OpenLDAP replicated across the mail servers for redundancy.

Adding users manually

  1. Create ldap entry, either by web form or manually
  2. Create home directory: mkdir /home/user
  3. Copy skel files: cp /etc/skel/.* /home/user/
  4. Change permissions: chown -R user:email /home/user/

Converting mail from Athena

On athena, create .forward with the following contents:

user@iac.isu.edu, \user

And make sure the permissions are fine:

chmod o+x .
chown user:group .forward
chmod a+r .forward

Then on IAC mail:

mkdir oldmail
chmod go+rwx ./oldmail
cd oldmail
rsync -rzP root@athena.physics.isu.edu:/var/spool/mail/user ./mbox
rsync -rzP root@athena.physics.isu.edu:/home/whatever/user/mail ./
rsync -rzP root@athena.physics.isu.edu:/home/whatever/user/Sent ./

---etc Translate the old mbox files to Maildir

mb2md -s oldmail/

This should be it, but maybe Sent needs to be copied somewhere else?



Clients

Linux Clients

Administrative users will retain entries in the local /etc/passwd and /etc/shadow files for troubleshooting access. All other users will exist in LDAP and will have individual server permissions.

Email Clients

Ideally email users can be accommodated without having local accounts. If this is not possible, the local shell can be set to disallow logins for security purposes.

Windows Clients

Currently not planned, but possible once the setup has been proven. This would allow users to log into any machine using their username and login. Only a select few machines (data aquisition etc.) would retain generic iacuser access.

Datatypes

Users

Same data for all users:

  • objectClass

Data web interface needs to display:

  • uid Username
  • uidNumber user number
  • gidNumber group number, maybe link to group name?
  • homeDirectory

Data web interface needs to modify:

  • Allow login sets loginShell to /bin/bash or /bin/false
  • mail multiple value??
  • cn Common Name
  • sn surname
  • userPassword set, not display

Data web interface does not need to display:

  • loginShell set by allow login
  • gecos set to same as cn
  • shadowLastChange


Example LDAP Commands

Create a ssh tunnel from local port 3890 to darwin.iac.isu.edu port 389

  • ssh -L 3890:localhost:389 darwin.iac.isu.edu

Search directory, simple password bind:

  • ldapsearch -h localhost -x -D cn=admin,dc=iac,dc=isu,dc=edu -W -b dc=iac,dc=isu,dc=edu '*'

Search directory, anonymous bind:

  • ldapsearch -h localhost -x -b dc=iac,dc=isu,dc=edu '*'

Add an LDIF file:

  • ldapadd -h localhost -x -D cn=admin,dc=iac,dc=isu,dc=edu -W < ~brian/oborn.ldif

Delete an LDAP entry:

  • ldapdelete -h localhost -x -D cn=admin,dc=iac,dc=isu,dc=edu -W 'uid=oborn,dc=iac,dc=isu,dc=edu'

Change an LDAP password:

  • ldappasswd -h localhost -x -D uid=oborn,ou=People,dc=iac,dc=isu,dc=edu -A -W -S

As admin, change someone else's password:

  • ldappasswd -h localhost -x -D cn=admin,dc=iac,dc=isu,dc=edu -A -W -S uid=oborn,ou=People,dc=iac,dc=isu,dc=edu

LDAP Settings

Debian LDAP VM

  • Distinguished name of the search base:"dc=iac,dc=isu,dc=edu"
  • LDAP version 3
  • Priviledged account for libpam/libnss ldap: "cn=admin,dc=iac,dc=isu,dc=edu"
  • Need to modify /etc/nsswitch.conf to use the "ldap" datasource. Example file /usr/share/doc/libnss-ldap/examples/nsswitch.ldap

The following /etc/nsswitch lines:

passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
netgroup:       nis

will be changed to:

passwd:         files ldap
group:          files ldap
#shadow line removed (only needed for pre-nsswitch compat programs?)
hosts:          files dns ldap
netgroup:       files ldap

SUSE Test

  • Base DN: dc=iac, dc=isu, dc=edu
  • Root DN: cn=Administrator, Append Base DN=true
  • Default Policy Object DN: cn=Default Password Policy, Append Base DN=true

The rest of the schema was set up by the SUSE tools SUSE /etc/nsswitch.conf file has the following relevent lines:

passwd:        compat
group:	        files ldap
services:      files ldap #probably not needed
netgroup:	files ldap
aliases:	files ldap
passwd_compat:	ldap

The line "passwd: ldap" should be able to replace the 2 passwd lines as long as you're not using the "+" NIS notation in the /etc/passwd file?

Multimaster Replication

  • Requires ntp time syncronization between replication servers.
  • Only works with OpenLDAP 2.4 (not available in current Debian/Ubuntu/SUSE repositories)
  • Probably not needed with our very infrequent writes

Resources

Books

Websites