NetworkAuthentication

Differences between revisions 13 and 14
Revision 13 as of 2005-04-28 23:39:51
Size: 3306
Editor: intern146
Comment:
Revision 14 as of 2005-04-28 23:40:25
Size: 3300
Editor: intern146
Comment:
Line 49: Line 49:
    * Fedora-specific parts should be restricted to pam_stack parts which is a relatively straightforward port to pam.d/common-*     * Fedora-specific parts should be restricted to pam_stack which is a relatively straightforward port to pam.d/common-*
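Review bot: the revised line 49 now reads as if pam_stack itself were the port ("restricted to pam_stack which is a relatively straightforward port"). Consider wording such as "restricted to the use of pam_stack, which is relatively straightforward to port to pam.d/common-*" so it is clear what is being ported.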


Status

Introduction

Network Authentication -- LDAP, AD, NIS, NIS+ Directory Integration

Rationale

Scope and Use Cases

Implementation Plan

  • Network auth on the client seems to be doable for breezy
    • add a tool to configure nsswitch.conf
    • make sure the needed packages for an authentication method are installed on the system
    • questions to configure the auth method are not asked at Ubuntu's default priority

Data Preservation and Migration

Packages Affected

User Interface Requirements

Outstanding Issues

UDU BOF Agenda

* Client Config

  • authconfig/libuser or equivalent?
    • Fedora tool, but the only Fedora-only pieces should be minimal and easily portable.
    • Fedora-specific parts should be restricted to pam_stack which is a relatively straightforward port to pam.d/common-*
    • Doesn't fit in well with Debian policy as it modifies config files from many, many packages
    • Porting might be useful as a short-term solution
    • At the very least is useful as an implementation guide or roadmap for knowing which files need to be modified for each method
  • start nscd
  • Authentication
    • modify pam.d/common-*
    • modify backend-specific files
      • LDAP, AD, eDirectory: /etc/ldap.conf
      • NIS, NIS+
      • Kerberos
      • Winbind
  • Authorization and user information
    • modify nsswitch.conf
    • backend-specific config files should be the same as for authentication
      • LDAP, AD, eDirectory: /etc/ldap.conf
      • NIS, NIS+
      • Winbind
      • Hesiod
        • Fedora has this, but it's an ugly DNS hack and can probably be dropped.
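
The client-side split above (pam.d/common-* for authentication, nsswitch.conf for user information) can be checked for consistency. The following is an added example, not code from this page or from authconfig: it flags a backend that is enabled in PAM but cannot be looked up through nsswitch.conf. The module-to-backend tables and the sample file contents are assumptions constructed for illustration.

```python
import re

# Backend implied by each NSS source name and PAM module (conventional names;
# only the backends listed on this page are covered).
NSS_SOURCES = {"ldap": "LDAP", "nis": "NIS", "nisplus": "NIS+",
               "winbind": "Winbind", "hesiod": "Hesiod"}
PAM_MODULES = {"pam_ldap.so": "LDAP", "pam_krb5.so": "Kerberos",
               "pam_winbind.so": "Winbind"}

# Constructed sample files, not taken from any real system.
SAMPLE_NSSWITCH = "passwd: files ldap\ngroup: files ldap\nshadow: files\nhosts: files dns\n"
SAMPLE_COMMON_AUTH = (
    "auth sufficient pam_unix.so nullok_secure\n"
    "auth sufficient pam_ldap.so use_first_pass\n"
    "auth sufficient pam_winbind.so use_first_pass  # no NSS counterpart\n"
    "auth required   pam_deny.so\n")

def nss_backends(text):
    """Map each nsswitch.conf database to the network backends it consults."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        # Drop action items such as [NOTFOUND=return] before splitting.
        names = re.sub(r"\[[^\]]*\]", " ", sources).split()
        found[db.strip()] = {NSS_SOURCES[n] for n in names if n in NSS_SOURCES}
    return found

def pam_backends(text):
    """Return the network backends whose PAM modules appear in a common-* file."""
    found = set()
    for line in text.splitlines():
        for field in line.split("#", 1)[0].split():
            module = field.rsplit("/", 1)[-1]  # accept full module paths too
            if module in PAM_MODULES:
                found.add(PAM_MODULES[module])
    return found

def check(nsswitch_text, pam_text):
    """List backends that can authenticate users nsswitch.conf cannot look up."""
    resolvable = nss_backends(nsswitch_text).get("passwd", set())
    problems = []
    for backend in sorted(pam_backends(pam_text)):
        # Kerberos only authenticates; account data comes from another source.
        if backend != "Kerberos" and backend not in resolvable:
            problems.append(f"{backend}: in PAM but missing from nsswitch.conf passwd")
    return problems

if __name__ == "__main__":
    print(check(SAMPLE_NSSWITCH, SAMPLE_COMMON_AUTH))
```

On a real client, pass the contents of /etc/nsswitch.conf and each pam.d/common-* file to check() instead of the samples.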

* Server Config

  • some scripts
  • graphical front ends
    • directory-administrator
    • ...
  • Not implementable in Breezy timeframe, possibly Breezy+1
  • Should be split into its own BOF
  • NIS/YP might be doable by Breezy, but should be killed off
  • NIS+?
  • Kerberos?
  • Winbind/Samba are currently shipped but can be a configuration nightmare (but see below)
  • LDAP: currently the only option is OpenLDAP which is ridiculously hard to configure.
    • The biggest problem is that it doesn't ship with sane defaults, or really any defaults. Adding good defaults to the slapd package is the low-hanging fruit for this.
    • Red Hat will be releasing the Netscape Directory Server code as GPL "Real Soon Now(tm)" which might be a better alternative.

    • Samba4 will also have their own LDAP server as it is required for the Active Directory stuff they want to do. This will likely make configuring both LDAP and Samba/Winbind significantly easier.
    • Both Netscape Directory Server and Samba4 are "indefinite future releases".

UDU Pre-Work

NetworkAuthentication (last edited 2008-08-06 16:34:01 by localhost)