LDAPAuthentication
|
Size: 5918
Comment: some reviewer comments
|
Size: 5637
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 80: | Line 80: |
| ''/etc/libnss-ldap.secret'' | ''/etc/libpam-ldap.secret'' |
| Line 94: | Line 94: |
| ''[pitti: will this also handle `nssswitch.conf` and the modification to PAM configuration and `/etc/shadow`? please give some details here]'' | === auth-client-config === nssswitch.conf and /etc/pam.d/* will be managed by a new package called auth-client-config. Templetes will be provded for different usecases, and the files will be configured accordingly. This package has already been created and is undergoing community review. Currently, there is no functionality to migrate users from files to LDAP. That must be done by hand with tools that are already packaged. (migrationtools) |
| Line 98: | Line 102: |
| Line 110: | Line 115: |
| ''[pitti: what happens with the secret files? where will this migration happen? (in `libpam-ldap`'s and `libnss-ldap`'s postinst scripts?) what are the instructions for manual migration?]'' | The ldap-auth-config postinst will prompt for a password, if necessary. That password will be hashed using the same salts as libpam-ldap.secret and libnss-ldap.secret. The hashes will be compared, if there is a difference, the user will be warned and given instructions on how to manually modify the file using the slappasswd command, but the files will be clobbered. |
| Line 112: | Line 117: |
''[pitti: please remove the boilerplate text down here]'' |
|
| Line 117: | Line 120: |
| It's important that we are able to test new features, and demonstrate them to users. Use this section to describe a short plan that anybody can follow that demonstrates the feature is working. This can then be used during CD testing, and to show off after release. This need not be added or completed until the specification is nearing beta. |
|
| Line 123: | Line 122: |
| This should highlight any issues that should be addressed in further specifications, and not problems with the specification itself; since any specification with problems cannot be approved. | |
| Line 126: | Line 124: |
Use this section to take notes during the BoF; if you keep it in the approved spec, use it for summarising what was discussed and note any options that were rejected. |
Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.
Launchpad Entry: ldap-authentication-client
Packages affected: [https://launchpad.net/ubuntu/+source/libpam-ldap/ libpam-ldap], [https://launchpad.net/ubuntu/+source/libnss-ldap libnss-ldap]
Summary
Currently, in Ubuntu and Debian the packages libpam-ldap and libnss-ldap create separate configuration files and secret files. A ldap-auth-config package will be created that owns /etc/ldap.conf and /etc/ldap.secret. libpam-ldap and libnss-ldap will depend on ldap-auth-config. An ldap-auth-client meta package will be created that depends on libpam-ldap, libnss-ldap. The ldap-auth-client meta source package will contain the ldap-auth-config package. The ldap-auth-config package will own the config files, and the debconf scripts that were previously in libnss-ldap and libpam-ldap.
A auth-client-config package will also be created to allow any package to configure nssswitch.conf and /etc/pam.d/*.
The main purpose of this spec is to fix the specified packages to bring them inline with the upstream authors intentions, and give Ubuntu a better base for LDAP authentication configuration ui's.
Release Note
ldap-auth-client enables simplified installation and configuration of LDAP client systems.
Rationale
It is currently difficult to configure an Ubuntu client to use LDAP for authentication. It is a good idea to put all necessary packages and configuration under one meta package, to allow easier installation and configuration. The libpam-ldap and libnss-ldap packages, diverge from the original authors intentions, and the implementations of other Linux distributions. Furthermore, the Debian packages use different naming schemes for each package. This puts Ubuntu at a competitive disadvantage and is unnecessarily complicated for our users.
Use Cases
A medium size business has existing Linux/UNIX infrastructure that uses LDAP for authentication, and wants to use Ubuntu as a desktop client, to replace Redhat. The Sys admin wants to provide simple instructions for jr admins to add clients to the network.
Bob wants to use LDAP for NSS on a SMTP server, but want to authenticate locally.
Alice configured openldap as a client in Dapper or Feisty, and wants to upgrade to Gutsy.
Assumptions
libpam-ldap and libnss-ldap, which are linked to openldap2.1, will at least be minimally useful when used with an openldap2.3 server, or other ldap implementation.
There are no packages not identified in the spec that rely on the current libpam-ldap or libnss-ldap configuration files.
Design
Implementation
libpam-ldap
Remove the following files from the package:
debian/patches/00chfn.patch : This patch modifies the location/name ldap.conf in the chfn script.
debian/patches/00chsh.patch : This patch modifies the location/name ldap.conf in the chsh script.
Modify debian/rules to prevent the following files from being created:
/etc/pam_ldap.conf
/etc/pam_ldap.secret
Modify debian/libpam-ldap.postinst to remove configuration information, which will be handled instead by ldap-auth-config.
Add ldap-auth-config dependancy to debian/control.
libnss-ldap
Remove the following files from the package:
debian/patches/00debian_conf.patch : This patch modifies the location/name ldap.conf.
Modify debian/rules to prevent the following files from being created:
/etc/libnss-ldap.conf
/etc/libpam-ldap.secret
Modify debian/libnss-ldap.postinst to remove configuration information, which will be handled instead by ldap-auth-config.
Add ldap-auth-config dependancy to debian/control.
ldap-auth-client
Create a ldap-auth-client meta package that depends on libnss-ldap and libpam-ldap.
ldap-auth-config
Create a package that will install and configure /etc/ldap.conf and /etc/ldap.secret
auth-client-config
nssswitch.conf and /etc/pam.d/* will be managed by a new package called auth-client-config. Templetes will be provded for different usecases, and the files will be configured accordingly. This package has already been created and is undergoing community review.
Currently, there is no functionality to migrate users from files to LDAP. That must be done by hand with tools that are already packaged. (migrationtools)
Migration
Migration will be difficult, due to the fact that two config files might need to be merged.
Conflict resolution
If pam_ldap.so exists in common-auth and ldap exists in nssswitch.conf and they differ:
- use pam_ldap.conf and warn
If pam_ldap.so !exist in common-auth and ldap exists in nssswitch.conf:
- use libnss-ldap.conf
If there is an error anywhere in the process: give instructions for manual migration.
The ldap-auth-config postinst will prompt for a password, if necessary. That password will be hashed using the same salts as libpam-ldap.secret and libnss-ldap.secret. The hashes will be compared, if there is a difference, the user will be warned and given instructions on how to manually modify the file using the slappasswd command, but the files will be clobbered.
Test/Demo Plan
Outstanding Issues
BoF agenda and discussion
LDAPAuthentication (last edited 2008-08-06 16:14:45 by localhost)