EnterprisePlugNPlay

Summary

Support plugging into a network, authenticating and accessing network shares seamlessly and without having to modify the local setup. The system should be able to manage the different identities in a consistent manner, and this should work for different types of network setups. On top of this, automatic discovery of enterprise network services can be implemented.

Release Note

It is now easier than ever to connect to a corporate network. Just plug your computer into the network, find the server, enter your user name and password and have instant access to your files.

Rationale

Authenticating to a company network usually requires modifying the login settings on the local computer. This is inconvenient, for example for people using laptops and travelling between different workplaces. It is also an extra burden on the system administrators, as each workstation needs to be configured before it can be used.

It can also be useful under some circumstances to authenticate to multiple networks at the same time, which (depending on server setups) can be tricky or impossible.

Use Cases

Moving to a new workplace

Bob is working as a consultant, and is about to start on a new project. The customer has set up a temporary user account on their network. Bob starts his laptop, logs in using his normal local username/password, and plugs his computer into the company network.

When Bob plugs in his computer, a notification icon pops up on the computer saying that a corporate network was found. After clicking on this icon, a box asks for user name and password. The computer authenticates on the network (for example using Kerberos) and the company network shares and printers are now shown under the Places menu.

Assumptions

  • There are many different types of networks around.
  • We cannot force a specific authentication scheme on existing servers, so the client must be able to adapt.

Design

There are many different ways to set up an enterprise network, covering authentication, identity management and sharing of resources. The solution should not be locked to a single setup but be flexible enough to handle many different cases and work across distributions (and even across operating systems).

Example server setups that should be supported:

  • Old style Linux network, NIS+NFS
  • Newer style network, LDAP+Kerberos+NFSv4
  • Active Directory server, LDAP+Kerberos+Samba

There are several components needed to make this work:

  • UI for logging in, authentication etc.
  • A system for authentication, storage of credentials, and storage of information on the network(s) we are connected to.
  • The system must be able to deal with multiple domains of user identities at the same time. This might be one of the trickiest issues.

Local "pseudo-users" need to be set up on the fly for the users on the network so that, for example, ls shows the right results. The NFS/Samba clients need to support this on-the-fly translation in both directions.

Ideally the network configuration should be autodiscovered. For that, a standard for advertising and discovering enterprise networks needs to be established. One way, which requires no extra software on the server, is to place a file describing the server setup on a web server. That way the only setup required on the client is to point it to this URL.

Implementation

  1. Create a new daemon for managing the different networks and user identities, and for dynamic allocation of UIDs.
  2. Write a new nsswitch module that ties into the above daemon so that programs can look up the allocated UIDs and we get consistent results across all applications.
  3. Adapt the Samba and NFS clients to support this scheme.
  4. Create an applet for authentication and displaying info on the different enterprise networks available.
  5. Write up a standard file format for advertising/discovering enterprise networks. The applet above should be set as default handler for this file format.
  6. Create a standard way to publish this file using zeroconf networking.
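
The dynamic UID allocation in step 1 and the two-way translation required in the Design section can be sketched as follows. This is an added example, not code from this specification or from any existing daemon; the class name, the reserved range 200000-299999 and the domain names are assumptions made for illustration.

```python
"""Added example: per-domain pseudo-UID allocation with two-way translation."""
from dataclasses import dataclass, field


class UidRangeExhausted(Exception):
    """No free local UID remains in the reserved pseudo-user range."""


@dataclass
class PseudoUidMap:
    # Assumed reserved range, chosen to stay clear of real local accounts.
    first: int = 200_000
    last: int = 299_999
    _to_local: dict = field(default_factory=dict)   # (domain, remote_uid) -> local UID
    _to_remote: dict = field(default_factory=dict)  # local UID -> (domain, remote_uid)

    def local_uid(self, domain: str, remote_uid: int) -> int:
        """Return the local pseudo-UID for a network identity, allocating on first use.

        The key includes the domain, so UID 1000 on two different networks
        (or UID 0 on any network) never collapses onto one local UID.
        """
        if remote_uid < 0:
            raise ValueError("remote UID must be non-negative")
        key = (domain, remote_uid)
        if key in self._to_local:
            return self._to_local[key]
        # Entries are never released here, so the next free UID is first + count.
        candidate = self.first + len(self._to_local)
        if candidate > self.last:
            raise UidRangeExhausted(f"range {self.first}-{self.last} is full")
        self._to_local[key] = candidate
        self._to_remote[candidate] = key
        return candidate

    def remote_identity(self, local_uid: int):
        """Reverse translation for the NFS/Samba client direction.

        Returns None for any UID outside the map, which includes real local
        accounts such as root; those must not be sent to a server as-is.
        """
        return self._to_remote.get(local_uid)


if __name__ == "__main__":
    m = PseudoUidMap()
    # Constructed sample identities: the same remote UID on two networks.
    print(m.local_uid("corp-a.example", 1000), m.local_uid("corp-b.example", 1000))
    print(m.local_uid("corp-a.example", 0), m.remote_identity(0))
```

The nsswitch module from step 2 would answer lookups from the same table, so that every application sees the same mapping.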



EnterprisePlugNPlay (last edited 2009-02-21 23:35:15 by c83-254-125-44)