EasyLDAPServer


Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

Summary

Supply and support a standard [http://en.wikipedia.org/wiki/LDAP LDAP] directory service for Ubuntu, along with client utilities and management tools. Clearly defined backup, recovery and upgrade procedures must also exist for the datastore, due to the central role that the LDAP service may play in the management and security of many networks.

Rationale

A standard LDAP service within Ubuntu is an essential foundation for developing a wide range of other network features, and getting third-party support for them. These include:

  • Systems management applications
  • Centralized user authentication ("single sign-on")
  • Offering consistent user desktop settings across separate systems
  • Providing shared address book facilities, such as corporate directories

Any facility that involves sharing a common tree of records between separate services or multiple systems may potentially use an LDAP directory as the storage mechanism. The systems involved may be on either a private network, or the public Internet.

Use cases

  • Alice has been made responsible for the network at the small non-profit organization where she works. She already has other duties, and is not an IT professional. The organization has begun to use IT much more extensively over the past couple of years, particularly email, and the number of systems has grown over time. She and some of her colleagues have also begun to use Skype and are interested in the potential savings that VoIP provides. They are now considering purchasing their own server and upgrading the mixture of Windows systems that have accumulated. The organization has previously bought a NAS device to provide a shared file store.

She can obtain some technical help, and follow documentation if it is provided, but cannot afford the time to become an expert herself. Some of the IT professionals that she has spoken to have suggested [http://www.microsoft.com/windowsserver2003/sbs/default.mspx Microsoft Small Business Server], which includes Active Directory and Exchange. The documentation for the NAS device states that it can share accounts with either a Windows server, or with a standard LDAP directory. The total cost of standardising on Windows and Exchange would be high, and it has also been suggested that an open source solution would potentially be much more affordable. To match the facilities that Small Business Server offers Alice in an integrated way, and provide for any future small business VoIP system that she purchases, the open source server product must include an LDAP directory.

  • Bob works as the IT administrator for a medium-sized organization with multiple servers and about 50 users. The systems currently use a mixture of Windows systems in an Active Directory domain, several Macs, and some Linux servers. Many users have multiple accounts in order to access the various systems. He wants to implement single sign-on for his users. For security he would like to apply account expiry and password complexity policies, as he already can easily do for accounts within Active Directory. He would prefer to move towards an open source environment with Linux desktops, but in the short term it is not feasible to migrate all of the Windows and Mac systems to Linux. He determines that the optimum solution for his organization is to implement a Kerberos realm with a standards-compliant LDAP directory on a Linux server, and extend this LDAP directory to support Linux desktop management in future.
  • Charles is the lead developer for a software vendor that provides a specialized application for managing medical practices of various sizes. His company often provides this application preinstalled on a server that plugs into the customer's existing network. He and his colleagues are currently modernising the architecture of their application to meet new requirements, which include meeting the growing demands from customers and internal technical staff for Linux client support, and modifying the application to run on Linux servers.

His application must meet the requirements of both government regulations and external auditors regarding account management and access control. In order to provide Linux compatibility he is willing to commit resources to supporting one other network directory service, in addition to Active Directory. The Linux directory service must be well documented with clear support channels. The directory server product should also have name recognition with both the technical staff for potential customers, and with the other vendors that support them.

  • David is a member of the IT operations team at a large company, with responsibility for DNS and DHCP. As the networks grow systems are constantly added or updated, and the workload for managing the various DNS zones and DHCP scopes involved continues to increase. This now means that he must delegate some duties to other technicians. He decides that the next step is to migrate the data for DHCP and DNS into an LDAP directory. He can then work with developers to provide a Web application that enables junior staff to easily maintain the network details for systems.
  • Eric is the IT administrator for a university Physics department. Both his department and several other groups within the organization independently maintain their own sets of UNIX servers and desktop environments. The central operations team use Windows for the main facilities with Active Directory for managing user accounts, and are reluctant to permit schema changes for UNIX support. Users complain about the inconsistent settings and accounts between the various systems. The administrators meet, and agree to standardise their Solaris and Linux desktops on the GNOME environment. They decide to use the [http://live.gnome.org/Glockenspiel Glockenspiel] facilities for desktop management. A separate LDAP directory will be created that reuses account information from the Active Directory, with additional data to support GNOME desktops. A legacy NIS system will be merged into the new directory. They now need an LDAP product to implement these requirements.

  • Fraser runs a cluster of servers for a network application, and now wishes to implement a centralized configuration management facility such as [http://reductivelabs.com/projects/puppet Puppet]. He determines that he needs to deploy an LDAP service to store the data for this facility.

  • Gill is an internal developer at a college, working on modernising the student record tracking. Initial research shows that although the enrolment applications use SQL databases, LDAP enables direct integration with the network facilities that users require. She decides to set up a test LDAP service and extend the enrolment system to manage records in the directory. If the test system is successful then the approach may be put into production. As she already uses Ubuntu, she begins by looking for information on using Ubuntu Server for her development LDAP directory.
  • Harry is the senior email administrator for a small ISP. His company already uses a proprietary LDAP product to handle host certificates, as well as store account and mail routing information for the email services that they provide to customers. The current LDAP product is only supported on a limited range of operating systems, which do not include the Debian-based platforms that his team uses for the majority of their needs. Overall the proprietary product has proven to be somewhat complex to install and maintain. He would like to simplify management and reduce costs by migrating to an open source LDAP service, preferably on a Debian-based operating system. The software must be well-maintained, as the LDAP services are essential to mail delivery.

Scope

This specification only covers the LDAP service itself. Use other specifications to handle specific system management applications, configuration of client authentication, and Edubuntu configuration integration.

Related existing specifications for including a directory service in Ubuntu:

Related existing specifications for authentication facilities:

LDAP services enable system management facilities running on multiple systems to share data and maintain a consistent view of the network. For this reason, network management frameworks need to both be able to manage LDAP services, and use them for storing data:

Small networks benefit from shared user account and address book information, just as large ones do:

Integrating with Microsoft Windows networks requires that the supplied LDAP service interoperate with Active Directory:

Design

The complete system probably requires several components:

  • The LDAP service
  • A simple configuration routine to initialize the service with basic settings (debconf?)
  • LDAP schemas for supported applications
  • A means of generating a certificate for the service
  • A graphical management utility
  • A backup facility
  • Supporting documentation for administrators to be able to confidently set up services and authentication
  • (optionally) A simple Web application for lookups and testing

Note that although LDAP is often used as an authentication service and the configuration must support it, this is not best practice. Ideally authentication should be handled by a facility such as Kerberos, which uses the LDAP service to store the data that it uses.

The configuration and management facilities may need adaptation, in order to integrate the LDAP service with Kerberos.

Implementation

The relevant services need to support the LDAP service. These include:

  • BIND 9
  • Dovecot
  • FreeRADIUS
  • Heimdal Kerberos
  • ISC DHCP
  • MIT Kerberos
  • OpenSSH
  • OpenVPN
  • Postfix
  • Samba

In this context support may mean a combination of shipping example configuration files, shipping utilities to configure the services to use an LDAP service rather than their own private data stores or configuration files, and patching.

Code

See [http://www.fefe.de/tinyldap/ tinyldap], [http://directory.fedora.redhat.com/ Fedora Directory Server], and [http://www.openldap.org/ OpenLDAP] for existing Open Source directory servers.

Several client utilities come with Fedora Directory Server. It also has copious documentation, although this material is under a licence which is probably not DFSG-compliant, since modification and commercial reproduction are not permitted. Note that the code for the related [http://www.redhat.com/solutions/rhcs/ certificate server] is not open.

The [http://www.samba.org/ Samba] project provides a schema for storing account information in an LDAP directory, which is a standard means of sharing account details across Samba services. Version 4 of Samba should include AD migration facilities, and an internal LDAP directory service to conveniently support small networks, but it may be better to use a more generic LDAP service to hold Samba information.

[http://www.venaas.no/ldap/bind-sdb/ BIND-SDB] enables BIND 9 to use an LDAP directory as a database. The [http://ldapdns.sourceforge.net/ ldapdns] 3 DNS server apparently has no dependencies on either BIND or OpenLDAP.

The [http://wiki.freeradius.org/index.php/Rlm_ldap rlm_ldap] module provides LDAP support in FreeRADIUS. See [http://wiki.freeradius.org/Rlm_krb5 rlm_krb5] for details on the Kerberos module.

[http://www.newwave.net/~masneyb/ Brian Masney's patch] enables ISC DHCP to use an LDAP backend.

[http://dev.inversepath.com/trac/openssh-lpk OpenSSH LPK] patches OpenSSH with LDAP support.

The [http://dpw.threerings.net/projects/openvpn-auth-ldap/ OpenVPN Auth-LDAP Plugin] provides OpenVPN with LDAP support.

[http://www.hula-project.org/ Hula] uses OpenLDAP, but currently only through a local configuration setting (suitable for testing; it does not scale). It will have support for connecting to an external LDAP server in the near future.

Data preservation and migration

Many organizations already use LDAP services as a central part of their network. Whichever LDAP product is chosen, there will be many users on other products who will want to interoperate or migrate. Incumbent services may be OpenLDAP, Fedora Directory Server (aka Red Hat Directory Server aka Netscape Directory Server), or proprietary products such as Microsoft Active Directory.

Some organizations still use legacy technologies such as LANMAN (NT 4.0) and NIS to share data across systems, and so migration strategies need to be presented for them as well.

Losing an LDAP database providing user account credentials would effectively break the whole network, and possibly force all of the users to reset their passwords. For this reason, upgrades must not corrupt or lose data.

Unresolved issues

  1. Need to investigate the available LDAP server products, and select one.
  2. The LDAP service probably needs to offer at least two standard configurations: Stand-alone application database (LDAP uses completely internal logins), and Network single sign-on (a separate Kerberos service uses LDAP as a data store, and mediates access to the LDAP service by Kerberized clients).

  3. It may be necessary to target one of the two Kerberos implementations in order to achieve the tight integration required between the two services to provide a workable network single sign-on facility. Both Microsoft and Apple directory products configure LDAP and Kerberos together for this reason.
  4. If LDAP is run without Kerberos then the setup process probably needs to ensure that a digital certificate exists. See [http://www.dovecot.org/ Dovecot] for an example of an application that includes the facility to generate certificates for its own use.

  5. Determine the LDAP schemas to include in the default configuration.
  6. The existence of an LDAP service provides the possibility of using it for the backend of a certificate server. This would probably be a separate project, but planning a specification for this may prove useful for furthering this project.
  7. Determine supportable migration paths for networks using obsolete technologies. If user accounts have to be recreated then all of the users must reset their passwords, which creates a significant support issue for larger organizations.
  8. Importing from Active Directory is a must-have to enable many organizations to migrate from Windows. Need to determine what is required to enable at least a successful one-time migration.
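The two standard configurations in item 2, together with the certificate requirement in item 4, sketched as two alternative OpenLDAP slapd.conf fragments. This is an added illustration, not part of this specification; the suffix, Kerberos realm and file paths are assumed placeholders, and a deployment uses one fragment or the other, not both.

```conf
# --- Configuration A: stand-alone application database ---
# Clients authenticate with simple binds against userPassword held in the
# directory, so the password crosses the wire and TLS is mandatory (item 4).
TLSCACertificateFile    /etc/ssl/certs/example-ca.pem     # assumed path
TLSCertificateFile      /etc/ldap/ldap.example.org.crt     # assumed path
TLSCertificateKeyFile   /etc/ldap/ldap.example.org.key     # assumed path
security ssf=128 simple_bind=128   # refuse simple binds on an unprotected connection
disallow bind_anon
password-hash {SSHA}               # store hashed passwords, never cleartext
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by users read
        by * none

# --- Configuration B: network single sign-on ---
# Kerberos (MIT or Heimdal) is the authentication authority; slapd accepts
# GSSAPI binds only and maps each Kerberos principal onto a directory entry.
sasl-realm    EXAMPLE.ORG          # assumed realm
sasl-secprops minssf=56,noanonymous,noplain
security ssf=56 simple_bind=128    # GSSAPI supplies its own confidentiality layer
disallow bind_anon
# uid=alice,cn=example.org,cn=gssapi,cn=auth -> uid=alice,ou=People,dc=example,dc=org
authz-regexp
        "uid=([^,/]+),cn=example.org,cn=gssapi,cn=auth"
        "uid=$1,ou=People,dc=example,dc=org"
# Host principals (host/ws1.example.org) map onto machine entries
authz-regexp
        "uid=host/([^,]+),cn=example.org,cn=gssapi,cn=auth"
        "cn=$1,ou=Hosts,dc=example,dc=org"
# No userPassword values are consulted, so simple binds cannot succeed at all
access to attrs=userPassword
        by * none
access to *
        by users read
        by * none
```

In Configuration B the Kerberos KDC itself can keep its principal database in the same directory, as the Design section recommends, so the LDAP ACLs above also guard the KDC's data.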

BoF agenda and discussion

StuartEllis: [http://www.apple.com/server/macosx/features/opendirectory.html This page] introduces Apple Open Directory, which is based on OpenLDAP and MIT Kerberos. [http://developer.apple.com/opensource/dirservices/ The code] itself is under a non-free license, but the architecture and graphical utilities may be interesting for comparison purposes.


CategorySpec

EasyLDAPServer (last edited 2008-08-06 16:36:59 by localhost)