NetworkAuthentication

Revision 33 as of 2005-11-03 16:58:03
Size: 5616
Editor: 196_220_103_66-WIFI_HOTSPOTS
Comment: Address comment by smurf.
Revision 34 as of 2005-11-03 21:24:36
Size: 5590
Editor: 207_220_103_66-WIFI_HOTSPOTS
Comment: Address comment by \sh

Introduction

There are many different kinds of network authentication in use today, and Ubuntu should be easy to configure for any of them out of the box, without asking any questions during the default install. To accomplish this there should be a single utility, similar to Fedora's authconfig, that drives package-specific configuration scripts.

Rationale

Ubuntu should easily integrate into existing network infrastructure including authentication and authorization. There is a lot of demand for easy configuration of the many different authentication methods including LDAP, Active Directory, Kerberos and NIS.

Scope and Use Cases

The goal for Dapper should be limited to client functionality.

The initial implementation should support the following use cases:

  • The system administrator has a lab of machines to install. He uses the authconfig-like utility to create a settings file and then deploys that file to every machine in the lab.
  • The system administrator wants to use both NIS (for legacy purposes) and his new Active Directory setup for authentication and authorization. He enters the relevant configuration for each of the two methods.

Implementation Plan

[Time estimates are just that, estimates. They are based on an educated guess of implementation difficulty, but without having reviewed the code.]

  • Use Fedora's "authconfig" for specific ideas and to determine details of what files need to be changed for each method.
    • Most of the changes done by "authconfig" are distribution neutral as they modify upstream configuration files.
    • PAM configuration is the only Fedora-specific aspect and that is easily adaptable to /etc/pam.d/common-*
  • Break down the 4700-line "authinfo.c" into package-specific configure scripts to fit within Ubuntu policy.
    • base-files needs a tool to modify nsswitch.conf, and nsswitch.conf needs to be changed from a conffile to a configuration file managed by maintainer scripts. (1 day)
    • libpam-runtime needs a script for modifying /etc/pam.d/common-*. (1 week)
    • samba needs a script for setting up winbind authentication in /etc/samba/smb.conf. (unsure, probably half a week to a week)
    • libpam-smbpass needs a script for modifying /etc/pam_smb.conf (absolutely trivial, 2 hours)
    • krb5-config and krb4-config need a script for /etc/krb5.conf and /etc/krb.conf (similar to the script for samba, so if we have the samba script, 1 day)
    • libhesiod0 needs a script for modifying /etc/hesiod.conf (trivial, 2 hours)
    • libnss-ldap needs a script for modifying /etc/libnss-ldap.conf (similar to /etc/openldap/ldap.conf, fairly simple, 4 hours)
    • libldap2 needs a script for modifying /etc/openldap/ldap.conf (fairly simple, 4 hours)
    • nis needs a script for modifying /etc/yp.conf (trivial, 2 hours)
  • Make sure the packages needed for an authentication method are installed by checking for missing packages and telling the user what is missing and how to install it.
  • All the necessary packages are already in main.
  • No questions to configure the authentication method should be asked when installing with Ubuntu's default priority for debconf.

Data Preservation and Migration

Some packages currently package their configuration as conffiles and those packages will need to be changed to use maintainer scripts. Please see [http://www.debian.org/doc/debian-policy/ch-files.html#s-config-files Debian policy] for the explanation of the difference between conffiles and configuration files.

Obviously the scripts must conform to the Ubuntu guideline of not overwriting user modifications in configuration files. By restricting the scripts to simple, well-defined changes it should be possible to insert and remove exactly those changes without losing anything the administrator edited. "authconfig" currently manages this quite well, and similar techniques can be used in the scripts.
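The following script is an added example of the "simple, well-defined, reversible change" technique the Implementation Plan asks of the base-files and libpam-runtime scripts and this section requires for data preservation. It is not code from this spec, from authconfig, or from any Ubuntu package. It enables and disables an LDAP lookup source by appending or removing a token on the passwd/group/shadow lines of an nsswitch.conf copy, and by inserting or deleting a marker-delimited block in a copy of common-auth, so that every other line the administrator wrote is left byte-for-byte as it was. The marker tag "authconfig-example", the scratch directory, and the two sample files are assumptions constructed for the example; the real scripts would operate on /etc/nsswitch.conf and /etc/pam.d/common-auth.

```shell
#!/bin/sh
# Added example (not part of the Ubuntu spec, authconfig, or any package):
# reversible, idempotent edits to nsswitch.conf and PAM common-auth copies.
set -eu

# Assumed scratch paths; the real targets are /etc/nsswitch.conf and
# /etc/pam.d/common-auth.
WORK=${WORK:-$(mktemp -d)}
NSS="$WORK/nsswitch.conf"
PAM="$WORK/common-auth"
TAG="authconfig-example"     # hypothetical tool name written into the markers

# Constructed sample files standing in for the real ones.
write_samples() {
    cat > "$NSS" <<'EOF'
# /etc/nsswitch.conf (constructed sample; "compat" is the Ubuntu default)
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
EOF
    cat > "$PAM" <<'EOF'
# /etc/pam.d/common-auth (constructed sample)
auth    required   pam_unix.so nullok_secure
EOF
}

# Replace file $1 with the output of awk program $2; $3 is passed as "src".
rewrite() {
    awk -v src="$3" -v tag="$TAG" "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the lookup order of database $2 (passwd, group, shadow, ...) in $1.
nss_get() {
    awk -v db="$2:" '$1 == db { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Append source $2 (e.g. "ldap") to the passwd, group and shadow lines of $1
# unless it is already there; other lines and original spacing are untouched.
nss_enable() {
    rewrite "$1" '
        /^(passwd|group|shadow):/ {
            seen = 0
            for (i = 2; i <= NF; i++) if ($i == src) seen = 1
            if (!seen) $0 = $0 " " src
        }
        { print }' "$2"
}

# Remove source $2 from those lines only. The token is used as a regex, so
# this is meant for simple names such as "ldap", "winbind" or "nis".
nss_disable() {
    rewrite "$1" '
        /^(passwd|group|shadow):/ {
            if (!sub("[ \t]+" src "$", "")) sub("[ \t]+" src "[ \t]+", " ")
        }
        { print }' "$2"
}

# Insert a marker-delimited block for PAM module $2 (e.g. pam_ldap.so) ahead
# of the existing pam_unix line: the new module is tried first, and the
# untouched "required pam_unix.so" line still denies when both modules fail.
pam_enable() {
    if grep -q "^# BEGIN $TAG $2\$" "$1"; then
        return 0                  # already managed: the edit is idempotent
    fi
    # Refuse to edit a stack without the anchor line rather than produce one
    # whose failure mode has not been reasoned about.
    if ! grep -q '^auth[[:space:]].*pam_unix\.so' "$1"; then
        echo "pam_enable: no pam_unix.so auth line in $1; leaving it alone" >&2
        return 1
    fi
    rewrite "$1" '
        !done && /^auth[[:space:]].*pam_unix\.so/ {
            print "# BEGIN " tag " " src
            print "auth    sufficient " src
            print "# END " tag " " src
            done = 1
        }
        { print }' "$2"
}

# Delete the marker-delimited block for module $2 and nothing else.
pam_disable() {
    rewrite "$1" '
        $0 == "# BEGIN " tag " " src { skip = 1 }
        !skip { print }
        $0 == "# END " tag " " src { skip = 0 }' "$2"
}

# Succeeds if module $2 has an auth line in $1.
pam_has() { grep -Eq "^auth[[:space:]].*[[:space:]]$2([[:space:]]|\$)" "$1"; }

demo() {
    write_samples
    nss_enable "$NSS" ldap;     pam_enable "$PAM" pam_ldap.so
    echo "== enabled ==";  cat "$NSS" "$PAM"
    nss_disable "$NSS" ldap;    pam_disable "$PAM" pam_ldap.so
    echo "== disabled =="; cat "$NSS" "$PAM"
}
demo
```

Two points of the design carry over to the real scripts. First, the edit is only reversible because its footprint is fixed: one token per nsswitch line and one marker-delimited block in the PAM file, which a later package version can find and remove without a diff against what it originally wrote. Second, the PAM helper refuses to touch a file that lacks the line it keys on; silently appending a "sufficient" module to an unfamiliar stack is how an authentication bypass gets shipped. A production version would also add "use_first_pass" to the pam_unix line so the user is prompted once, and since that modifies a line it did not create, it would have to record the original form in order to undo it.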

Packages Affected

  • base-files
  • libpam-runtime
  • libpam-smbpass
  • libnss-ldap
  • samba
  • krb5-config
  • krb4-config
  • libhesiod0
  • libldap2
  • nis

User Interface Requirements

  • Client-side
    • The various pieces should be configurable through the usual "dpkg-reconfigure" where appropriate, and a higher-level package should provide a unified place to set all the relevant authentication and user information settings. The higher-level package should do this through calling dpkg-reconfigure on the relevant packages and making sure a graphical frontend is used. An interface similar to Windows' "Join this domain" should preferably be created.
  • Server-side (Dapper+1)
    • There should be an authconfig analogue for server configuration which:
      • makes the simple easy: This auth-server tool should enable simple, straightforward configuration, with all the details being handled by underlying scripts.
      • makes the difficult possible: Administrators can still modify the underlying configuration files.

Outstanding Issues

None.


CategoryUdu CategorySpec

NetworkAuthentication (last edited 2008-08-06 16:34:01 by localhost)