NetworkDirectoryArchitecture
Launchpad Entry: server-karmic-directory-architecture
Created:
Contributors: MathiasGug
Packages affected:
Summary
This specification defines an architecture for managing users, groups and hosts in a centralized manner. It proposes a combination of MIT Kerberos, OpenLDAP and NTP with a default Ubuntu DIT, and outlines the deployment tasks needed to set up a master and a replica.
Release Note
Rationale
Managing users and groups in a corporate environment is usually done via a centralized, reliable infrastructure.
User stories
- Francis wants to provide a centralized infrastructure to manage user credentials. He installs a new system with Ubuntu Server Edition and deploys a new directory server.
- Olaf wants to increase the redundancy of the directory infrastructure. He starts by installing a new Ubuntu Server and deploys a replica of the existing Directory service.
Assumptions
Design
Architecture
MIT kdc + openldap + ntp
Directory
Default DIT
https://launchpad.net/openldap-dit
- Group based administration, access control through group membership.
- Each group has an Owner that can manage the group.
- Dynamic ACLs.
- Available schemas:
schema name (description)                                            | FreeIPA 1.2.1 | openldap-dit (revno 30)
---------------------------------------------------------------------|---------------|------------------------
60ipaconfig.ldif (ipa configuration)                                 | X             |
60kerberos.ldif (Novell Kerberos Schema Definitions - MIT)           | X             |
krb5-kdc.schema (Definitions for a Kerberos V KDC schema - heimdal)  |               | X
kerberosobject.schema                                                |               | X
60radius.ldif (RADIUS attributes)                                    | X             |
samba (Samba user accounts and group maps in LDAP)                   | X             | X
core.schema                                                          |               | X
cosine.schema                                                        |               | X
corba.schema                                                         |               | X
inetorgperson.schema                                                 |               | X
java.schema                                                          |               | X
misc.schema                                                          |               | X
nis.schema                                                           |               | X
openldap.schema                                                      |               | X
autofs.schema                                                        |               | X
samba.schema                                                         |               | X
kolab.schema                                                         |               | X
evolutionperson.schema                                               |               | X
calendar.schema                                                      |               | X
sudo.schema                                                          |               | X
dnszone.schema                                                       |               | X
dhcp.schema                                                          |               | X
dyngroup.schema                                                      |               | X
ppolicy.schema                                                       |               | X
kde.schema                                                           |               | X
Resources: Schema Available in DS in IPA v1
NB: kerberos.schema from upstream krb5-1.7 has one more attribute than the kerberos.schema shipped with FreeIPA:
attributetype ( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
overlays
- Uid generation:
- nextUID generation overlay: allocates the next free uidNumber on the server side instead of in each management tool.
- unique overlay (slapo-unique): makes sure uid and uidNumber values are unique; the management tools must handle the failed entry creation (constraint violation) they get back when the value is already taken.
- password synchronisation overlay: keeps userPassword, the Samba password hashes and the MIT Kerberos keys of an entry in sync when one of them is changed.
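The uniqueness check above, as an added cn=config example (not part of the spec or of openldap-dit): it loads slapo-unique and constrains uid and uidNumber under the People OU. The suffix dc=example,dc=com, the ou=People container, the cn=module{0} entry and the {1}hdb database index are assumptions about the target slapd.

```ldif
# Added example, not from the spec: enable slapo-unique so that slapd rejects an
# add or modify that would reuse a uid or uidNumber. Suffix dc=example,dc=com,
# ou=People, cn=module{0} and the {1}hdb database index are assumptions.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: unique

dn: olcOverlay=unique,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcUniqueConfig
olcOverlay: unique
# one URI, two attributes: each attribute is checked against its own values,
# so two entries may not share a uid and may not share a uidNumber
olcUniqueURI: ldap:///ou=People,dc=example,dc=com?uid,uidNumber?sub
```

Apply it with `ldapadd -Y EXTERNAL -H ldapi:/// -f unique.ldif`. A subsequent add of a second entry with an already used uidNumber fails with `constraintViolation (19)` and the diagnostic `some attributes not unique`; that is the error the management tool has to catch and answer by allocating a new number. slapo-unique only searches the server it runs on, so in a topology where more than one server accepts writes two servers can each admit the same uidNumber; the check is only reliable when all writes go to a single master, which is what the chaining described under Replication is for.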
KDC
The MIT KDC uses the local OpenLDAP server (kldap database module) as its principal store, so the Kerberos data is replicated together with the rest of the directory.
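The KDC-to-slapd binding above, and the "configure kdc to use local slapd as the backend" step of the setupmaster task, as an added krb5.conf example that is not from the spec. The realm EXAMPLE.COM, the suffix dc=example,dc=com, the two service DNs and the keyfile path are assumptions; the kldap module, its options and the kdb5_ldap_util commands are MIT's own.

```ini
# Added example, not from the spec: /etc/krb5.conf fragments that point the MIT
# KDC and kadmind at the slapd on the same host over ldapi. Realm, suffix,
# service DNs and keyfile path are assumptions.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
        database_module = openldap_ldapconf
    }

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        # subtree that holds the realm container and its principals
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
        # DN the KDC binds as: needs read access to krbPrincipalKey
        ldap_kdc_dn = cn=kdc-service,dc=example,dc=com
        # DN kadmind binds as: needs write access to the principal entries
        ldap_kadmind_dn = cn=kadmin-service,dc=example,dc=com
        # bind passwords for the two DNs, stored by kdb5_ldap_util stashsrvpw
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        # the local slapd, Unix socket, so no TLS is needed for the KDC traffic
        ldap_servers = ldapi:///
        ldap_conns_per_server = 5
    }
```

Before this configuration is usable, the kerberos schema shipped by krb5-kdc-ldap (/usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz on Ubuntu) has to be loaded into slapd, the realm created with `kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldapi:///`, and the two service passwords stashed with `kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile <service DN>` once per DN. The slapd ACLs must then grant the KDC DN read and the kadmind DN write access to krbPrincipalKey while keeping it hidden from everybody else; those ACLs are part of what the default DIT has to carry.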
NTP
NTP installed on both master and replica.
Replication
The OpenLDAP replica is a syncrepl consumer of the master in MirrorMode; slapo-chain together with back-ldap, running on the local slapd, forwards write requests transparently to the master so clients never need to follow a referral themselves.
Deployment
setupmaster task
- Install slapd
- load default DIT
- Install kdc
- Configure kdc to use local slapd as the backend
- Install ntp
setupreplica task
- Install slapd
- Setup syncrepl in MirrorMode with slapo-chain overlay to redirect writes to master.
- Install kdc
- Configure kdc to use local slapd as the backend (open question: should password change requests be rerouted to the master kdc, since only one KDC handles password changes?)
- Configure ntp
promotetomaster task
- Turn off slapo-chain overlay.
- Enable kdc to accept password change requests.
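The replication design (syncrepl consumer plus slapo-chain) and the setupreplica and promotetomaster tasks, as one added cn=config example that is not part of the spec. Host names, the replication and admin DNs, the credentials and the {1}hdb database index are assumptions; the attributes are OpenLDAP's own. back_ldap has to be loaded (olcModuleLoad: back_ldap) for the chain overlay to work.

```ldif
# Added example, not from the spec. Part 1: setupreplica.
# Host names, DNs, credentials and the {1}hdb index are assumptions.

# 1a. make the local database a syncrepl consumer of the master and hand back
#     a referral to the master for every write it receives
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://master.example.com bindmethod=simple binddn="cn=replicator,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com" type=refreshAndPersist retry="60 +"
-
add: olcUpdateRef
olcUpdateRef: ldap://master.example.com

# 1b. slapo-chain on the frontend follows that referral on the client's behalf
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
# return the master's result code to the client instead of the referral
olcChainReturnError: TRUE

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: ldap://master.example.com
# bind to the master as the admin DN but assert the identity of the user who
# sent the write (mode=self); the master must authorize that DN for proxyAuthz
olcDbIDAssertBind: bindmethod=simple binddn="cn=admin,dc=example,dc=com" credentials=secret mode=self

# Part 2: promotetomaster. Once the database is no longer a shadow and returns
# no referral, the chain overlay has nothing to follow and can stay in place.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcUpdateRef
-
delete: olcSyncrepl
```

Two caveats a deployment task has to respect. First, slapo-chain only acts on referrals: a consumer with olcMirrorMode TRUE accepts writes locally and never returns the updateref referral, so the fragment above keeps MirrorMode off on the replica; if both nodes are to be mirrors, writes have to be steered to one of them by other means. Second, after promotion the new master needs the syncprov overlay (olcOverlay=syncprov on the same database) before the remaining replicas can consume from it, and the chain database on the former replica should be repointed away from the host that is now down.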
Implementation
Openldap overlays
- Setup the uniq overlay for UID.
- Port the smbk5pwd overlay (written against Heimdal) to MIT Kerberos so one password change updates userPassword, the Samba hashes and the Kerberos keys.
- Port the FreeIPA DNA (distributed numeric assignment) slapi plugin to OpenLDAP for server-side uidNumber allocation.
Default DIT
- Package openldap-dit.
Deployment tasks
Deployment tasks can be provided as scripts or as manifests for a configuration management tool.
Configuration mgmt tool
- Provide a puppet manifest to take care of each task.
Scripts
- Package and update the freeipa development scripts.
Test/Demo Plan
Unresolved issues
BoF agenda and discussion
UDS discussion
Directory Architecture
- Determine directory structure.
- Integrate Kerberos.
- Make it easy to configure the server to be either a master or a slave.
- Cache by default; partial replication on clients will be discussed during the client integration discussion.
- How to integrate DHCP, DNS, and Kerberos.
  - DHCP: not really required for the first configuration due to 3rd party patches.
    - Store DHCP configuration in LDAP.
    - Store lease information in LDAP.
  - DNS: possible, but for the first iteration may not be useful.
    - 1 patch to query LDAP for every DNS request.
    - 1 patch to cache requests, and not need to query LDAP every time.
  - Kerberos
    - MIT Kerberos able to use LDAP for backend principal store.
    - Kerberos schema available.
    - Heimdal schema is a bit simpler.
    - A couple of commands are needed to both load the schema and configure Kerberos to use LDAP.
    - Only one KDC is used for password changing.
    - One package for master KDC and another for slave KDC.
    - Both KDCs will have a local replica of the LDAP directory.
    - Need to add DNS records for Kerberos.
      - Will have some automated method to add the records.
      - In a later iteration integrating into existing DNS will be addressed.
  - Redundant DHCP
    - Two servers in an active/passive mode.
  - New version of Kerberos will not have to rely on reverse DNS lookups.
- DIT
  - openldap-dit
    - Group based administration, access control through group membership.
    - Each group has an Owner that can manage the group.
    - Dynamic ACLs.
  - RFC 2307
    - User login supported.
  - Postfix table lookup.
    - ou=aliases
  - Sudoers
    - sudo can be configured to ignore /etc/sudoers or do a merge with fallback entries.
- Authorization and Access Control
  - Uniqueness Overlay: rejects the commit if the value is already used.
    - For uidNumber, determine if the user already exists.
- Password changes
  - How to change the password for LDAP, Kerberos, Samba, etc.
  - Heimdal has the ability to sync all three through the smbk5pwd overlay.
  - Two Overlays
    - Uid generation.
    - Password change sync.
- Packages to make changes to the directory during install.
  - Add admin groups for particular applications.
- SASL EXTERNAL can map any LDAP user to a local user.
NetworkDirectoryArchitecture (last edited 2009-06-17 21:24:33 by dsl-207-112-28-12)