IdMgmtTestClientLogin

Summary

PAM and NSS configurations are defined to integrate with a Kerberos and LDAP directory test infrastructure. Disconnected mode and caching are supported. Test plans are also defined to make sure that the PAM/NSS integration is working as expected.

Release Note

Rationale

LTS releases are used in corporate environments. Making sure that the user and group management processes work correctly and integrate well with existing identity management infrastructures improves the quality of an LTS release.

User stories

  • Josh, a system administrator, deploys Ubuntu LTS servers in his environment. He configures the pam and nss components of his systems to use the existing Kerberos infrastructure as well as the central LDAP directory for user and group management. The setup works as expected thanks to the testing done during the development cycle.
  • Alice, a software developer, installs Ubuntu LTS on her new file server. She can use her kerberos credentials to login via ssh as well as access files via nfs from her Ubuntu desktop.
  • Brenda, Alice's visual designer colleague, can store files on Alice's server via cifs using her kerberos credentials.
  • Alice keeps working on her Ubuntu laptop at home where she can login using her corporate credentials while not being connected to her company network.
  • Shawn, the IT Security officer, creates policies to make sure passwords are changed on a regular basis. He is confident that users are warned about aging passwords while expired accounts are not allowed to be used by systems included in his network.

Design

There are different options for configuring the pam and nss stack to support network identity services:

sssd (universe)

System Security Services Daemon is actively developed by Redhat. Its primary function is to provide access to remote identity and authentication resources through a common framework that can provide caching and offline support to the system. It provides PAM and NSS modules, as well as D-BUS based interfaces. It also provides a better database to store local users as well as extended user data.

A 1.0 release is targeted for December 2009 / January 2010. sssd is already available in karmic from the universe component.

WI: package sssd 1.0: TODO

WI: add pam-auth-update support to libpam-sss: TODO

WI: test sssd in the Id test environment following the test plan: TODO

openldap cache proxy

Openldap is running on the local machine and serves as a caching proxy for nss and pam requests. pam-ccreds is used to cache credentials to support disconnected mode. The pcache overlay is set up to cache nss and pam queries with a ttr of 4 minutes and a ttl of 8 minutes for testing purposes.

Multiple configurations exist:

  1. nss-ldap (main) + pam-krb5 (main)
  2. nss-ldap (main) + pam-ldap (main)
  3. nss-ldapd (universe) + pam-krb5 (main)
  4. nss-ldapd (universe) + pam-ldap (main)
  5. nss-ldapd (universe) + pam-ldapd (universe)

WI: move libpam-ccreds to main: TODO

WI: define caching proxy overlay configuration (ldif file for cn=config) for nss and pam information (nss-ldap+pam-ldap config): TODO

WI: test nss-ldap + pam-krb5 in the Id test environment following the test plan: TODO

WI: test nss-ldap + pam-ldap in the Id test environment following the test plan: TODO

Test plan

Test commands

  • NSS (User identity):

$ getent passwd testuser
$ getent group testgroup
$ sudo -l
$ sudo -K

  • PAM (User authentication):

Login at the console.

Test cases

  1. System is online.
    • First run of test commands generates ldap connections to the remote ldap server (to be checked on the remote slapd server via connections logging - loglevel 256).
    • Second run (within TTR) of test commands should not generate any ldap connections to the remote ldap server.
    • Third run (after TTL) of test commands should generate ldap connections to the remote ldap server.
  2. System goes offline (network connection to the ldap server is broken - iptables deny rules):
    • First run (within TTL) of test commands works as expected.
    • Second run (after TTL) of test commands should:
      • pam: fail with an error message stating the id infrastructure is not available - login denied - disconnected for too long.
      • nss: immediately return with empty groups and users
  3. password policies:
    • expiration warning (grace login)
    • password needs to be changed now.
    • account deactivated - login denied - password disabled
  4. password change:
    • in connected mode:
      • policy validation:
        • short password: failure with relevant info messages
        • password history reuse: failure with relevant info messages
        • all policies are valid: success
    • in disconnected mode: failure
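The online test case above relies on counting connections on the remote slapd. The following helper, an added example rather than part of this spec, runs the NSS test commands and compares the number of "ACCEPT from IP=<client>" lines that slapd writes at loglevel 256 before and after each run; the log path, client IP and user/group names are assumptions.

```shell
#!/bin/sh
# Added example (not from the spec): checks test case 1 ("System is online")
# by counting connections the remote slapd accepted from this client, as
# logged at loglevel 256 (stats). Assumes the slapd log has been copied to
# a local file ($LOG) and that the client IP ($CLIENT) is known.

# Number of connections slapd accepted from client $2 in log file $1.
# grep -c exits 1 when the count is 0, so "|| true" keeps the 0 usable.
count_conns() {
    grep -cF "ACCEPT from IP=$2:" "$1" || true
}

# Compare a before/after count with the expectation for a run:
#   some - first run (cold cache) and third run (after TTL)
#   none - second run (within TTR, answered from the pcache)
# Prints a verdict; returns 0 on PASS, 1 on FAIL.
check_run() {  # $1 = before, $2 = after, $3 = some|none, $4 = label
    delta=$(($2 - $1))
    case "$3" in
        some) [ "$delta" -gt 0 ] && ok=PASS || ok=FAIL ;;
        none) [ "$delta" -eq 0 ] && ok=PASS || ok=FAIL ;;
        *) echo "bad expectation: $3" >&2; return 1 ;;
    esac
    echo "$ok: $4 ($delta new connection(s) to slapd)"
    [ "$ok" = PASS ]
}

# One run of the NSS test commands from the test plan against a live system.
nss_run() {  # $1 = label, $2 = some|none
    before=$(count_conns "$LOG" "$CLIENT")
    getent passwd testuser >/dev/null
    getent group testgroup >/dev/null
    after=$(count_conns "$LOG" "$CLIENT")
    check_run "$before" "$after" "$2" "$1"
}

# Usage on the test client (assumed values):
#   LOG=/tmp/slapd.log CLIENT=192.0.2.10 sh nss_cache_check.sh
if [ -n "$LOG" ] && [ -n "$CLIENT" ]; then
    nss_run "first run (cold cache)" some
    nss_run "second run (within TTR)" none
    echo "wait past the TTL (8 minutes in this setup), then expect: some"
fi
```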

WI: write up complete pam+nss components test instructions in QA testcase wiki: TODO

Testing kerberized services
  • test ssh/sftp login
  • test file services:
    • nfsv4
    • cifs

WI: write up ssh/sftp test instructions in QA testcase wiki: TODO

WI: write up file services (cifs/nfsv4) test instructions in QA testcase wiki: TODO

Implementation

See the Work Items in the blueprint.

Test/Demo Plan

Unresolved issues

BoF agenda and discussion

UDS session notes

Session 2 Goal

Making sure id mgmt client components are tested and working correctly in a reference identity environment based on openldap + MIT kerberos.

Testing login experience

  1. SSSD update and testing. Integration with pam-auth-update (and auth-client-config).
  2. openldap + pcache overlay testing + nss overlay (nss and pam module (universe)). Integration with pam-auth-update (and auth-client-config):
    • test nss + pam_krb5
    • test nss + pam_ldap
  3. nss-ldap + pam_krb5 + pam_ccred + openldap + pcache (in main)
  4. nss-ldap + pam_ldap + pam_ccred + openldap + pcache (in main)

pcache overlay options: time to keep the entries in the cache: default 2 weeks. Tests:

  • disconnected mode:
    • login working if the id infrastructure is down
    • nss listing is still working correctly
    • failure mode (how long does it take to go from connected to disconnected mode): user starts the system while the directory is accessible; network routing is broken before he logs in.
    • cache expiration (what happens if the cache has expired and there is still no connection): outside the time to live (> 2 weeks) - what happens with the pam stack: need to log on to the id infrastructure - disconnected login not available. Failing because not connected to the network, disconnected for too long.
  • password policies:
    • expiration warning (grace login)
    • password needs to be changed now.
    • account deactivated - login denied - password disabled
  • password change:
    • in connected mode:
      • policy validation:
        • short password: failure with relevant info messages
        • password history reuse: failure with relevant info messages
        • all policies are valid: success
    • in disconnected mode: failure
  • user and group management:
    • user list, group list in disconnected mode.
    • making sure that sudo group resolution works in disconnected mode.

Review SSSD test cases.

AD TTL for 2 weeks.

Testing kerberized services
  • test ssh/sftp login
  • test file services: nfsv4, cifs
  • test autofs [ * test mail, web, etc... ]

Implementation plan
  • use puppet recipe to create the test environment on UEC/EC2.
  • run the test (automatically) in test instances (via checkbox).


CategorySpec

IdMgmtTestClientLogin (last edited 2010-02-23 00:05:43 by ip-95-223-224-183)