NetworkAuthentication
Revision 14 as of 2005-04-28 23:40:25
Status
Created: 2005-04-25T05:47:19Z by JaneW
Priority: MediumPriority
People: MatthiasKloseLead, JimMcQuillanSecond, ShahmsKing
- Contributors: JaneW
Interested: EricHarrison
Status: BrainDump, BreezyGoal, UduBof, DistroSpecification, NewSpec
- Branch:
- Malone Bug:
- Packages:
- Depends:
- Dependents:
UduSessions: 1, 4, 8, etc
Introduction
Network Authentication -- LDAP, AD, NIS, NIS+ Directory Integration
Rationale
Scope and Use Cases
Implementation Plan
- Network auth on the client seems to be doable for breezy
- add a tool to configure nsswitch.conf
- make sure the needed packages for an authentication method are installed on the system
- questions to configure the auth method are not asked at Ubuntu's default priority
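A sketch of the nsswitch.conf step in the plan above, added here as an example and not code from this spec or from any Ubuntu package. The function name, the choice of the passwd/group/shadow databases and the `ldap` source in the sample run are assumptions; local sources are kept first so local accounts still resolve when the directory server is unreachable.

```python
import re

# Databases that carry user and group information (assumption: the usual
# passwd/group/shadow trio; every other database is left untouched).
USER_DATABASES = ("passwd", "group", "shadow")
LOCAL_SOURCES = ("files", "compat")

def add_nss_source(conf_text, source, databases=USER_DATABASES):
    """Return nsswitch.conf text with `source` appended to each database.

    Existing sources keep their order, so local lookups still come first;
    if a line has no local source, "files" is put in front (design choice
    of this example). Running the function twice changes nothing.
    """
    seen = set()
    out = []
    for line in conf_text.splitlines():
        body, hash_, comment = line.partition("#")
        m = re.match(r"^(\s*)(\w+):(.*)$", body)
        if not m or m.group(2) not in databases:
            out.append(line)  # comments, blank lines, other databases
            continue
        indent, db, rest = m.groups()
        seen.add(db)
        entries = rest.split()
        if source not in entries:
            if not any(s in entries for s in LOCAL_SOURCES):
                entries.insert(0, "files")
            entries.append(source)
        new = f"{indent}{db}:".ljust(16) + " ".join(entries)
        if hash_:
            new += "  #" + comment  # keep the inline comment
        out.append(new)
    # Databases with no line at all get an explicit local-first entry.
    for db in databases:
        if db not in seen:
            out.append(f"{db}:".ljust(16) + f"files {source}")
    return "\n".join(out) + "\n"

# Constructed sample input, not taken from a real system.
SAMPLE = """\
# /etc/nsswitch.conf
passwd:         compat
group:          compat  # local groups
hosts:          files dns
"""

if __name__ == "__main__":
    print(add_nss_source(SAMPLE, "ldap"), end="")
```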
Data Preservation and Migration
Packages Affected
User Interface Requirements
Outstanding Issues
UDU BOF Agenda
* Client Config
- authconfig/libuser or equivalent?
- Fedora tool, but the Fedora-only pieces should be minimal and easily portable.
- Fedora-specific parts should be restricted to pam_stack which is a relatively straightforward port to pam.d/common-*
- Doesn't fit in well with Debian policy as it modifies config files from many, many packages
- Porting might be useful as a short-term solution
- At the very least is useful as an implementation guide or roadmap for knowing which files need to be modified for each method
- start nscd
- Authentication
- modify pam.d/common-*
- modify backend-specific files
- LDAP, AD, eDirectory: /etc/ldap.conf
- NIS, NIS+
- Kerberos
- Winbind
- Authorization and user information
- modify nsswitch.conf
- backend-specific config files should be the same as for authentication
- LDAP, AD, eDirectory: /etc/ldap.conf
- NIS, NIS+
- Winbind
- Hesiod
- Fedora has this, but it's an ugly DNS hack and can probably be dropped.
* Server Config
- some scripts
- graphical front ends
- directory-administrator
- ...
- Not implementable in Breezy timeframe, possibly Breezy+1
- Should be split into its own BOF
- NIS/YP might be doable by Breezy, but should be killed off
- NIS+?
- Kerberos?
- Winbind/Samba are currently shipped but can be a configuration nightmare (but see below)
- LDAP: currently the only option is OpenLDAP which is ridiculously hard to configure.
- The biggest problem is that it doesn't ship with sane defaults, or really any defaults. Adding good defaults to the slapd package is the low-hanging fruit for this.
- RedHat will be releasing the Netscape Directory Server code as GPL? "Real Soon Now(tm)" which might be a better alternative.
- Samba4 will also have their own LDAP server as it is required for the Active Directory stuff they want to do. This will likely make configuring both LDAP and Samba/Winbind significantly easier.
- Both Netscape Directory Server and Samba4 are "indefinite future releases".