NetworkDirectoryArchitecture

Summary

This specification defines an architecture for managing users, groups and hosts in a centralized manner. A combination of MIT Kerberos, OpenLDAP and NTP with a default Ubuntu DIT is described, and the deployment tasks are outlined.

Release Note

Rationale

Managing users and groups in a corporate environment is usually done via a centralized, reliable infrastructure.

User stories

  • Francis wants to provide a centralized infrastructure to manage user credentials. He installs a new system with Ubuntu Server Edition and deploys a new directory server.
  • Olaf wants to increase the redundancy of the directory infrastructure. He starts by installing a new Ubuntu Server and deploys a replica of the existing Directory service.

Assumptions

Design

Architecture

MIT kdc + openldap + ntp

Directory

Default DIT

https://launchpad.net/openldap-dit

  • Group based administration, access control through group membership.
    • Each group has an Owner that can manage the group.
  • Dynamic ACLs.
  • Available schemas, listed against Freeipa 1.2.1 and openldap-dit (revno 30); samba is marked as available in both, every other schema in one of the two:
    • 60ipaconfig.ldif (ipa configuration)
    • 60kerberos.ldif (Novell Kerberos Schema Definitions - MIT)
    • krb5-kdc.schema (Definitions for a Kerberos V KDC schema - heimdal)
    • kerberosobject.schema
    • 60radius.ldif (RADIUS attributes)
    • samba (Samba user accounts and group maps in LDAP) - both
    • core.schema
    • cosine.schema
    • corba.schema
    • inetorgperson.schema
    • java.schema
    • misc.schema
    • nis.schema
    • openldap.schema
    • autofs.schema
    • samba.schema
    • kolab.schema
    • evolutionperson.schema
    • calendar.schema
    • sudo.schema
    • dnszone.schema
    • dhcp.schema
    • dyngroup.schema
    • ppolicy.schema
    • kde.schema

Resources: Schema Available in DS in IPA v1

NB: kerberos.schema from upstream krb5-1.7 has one more attribute than kerberos.schema from FreeIPA:

attributetype ( 1.2.840.113554.1.4.1.6.1
                 NAME 'krbCanonicalName'
                 EQUALITY caseExactIA5Match
                 SUBSTR caseExactSubstringsMatch
                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
                 SINGLE-VALUE)

Overlays
  1. UID generation:
    1. nextUID generation overlay.
    2. unique overlay: ensures that uids are unique; the management tools must handle a failed entry creation when the uid already exists.
  2. Password synchronisation overlay: userPassword, Samba, MIT Kerberos.

KDC

The MIT KDC uses the local OpenLDAP server (slapd) as its database backend.

NTP

NTP installed on both master and replica.

Replication

OpenLDAP replica using syncrepl in MirrorMode, with slapo-chain + back-ldap running on the local slapd to reroute write requests to the master.
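The slapd.conf pair below is an added example, not the spec's or the openldap-dit project's own configuration; it implements the two overlay requirements from the Overlays section (unique overlay on the master) and the replication design above (syncrepl consumer whose writes are chained to the master). The suffix dc=example,dc=com, the host master.example.com, the bind DNs and the REPLACE_ME credentials are assumed placeholders.

```conf
########## master: /etc/ldap/slapd.conf (provider) ##########
# Added example, not the spec's config; dc=example,dc=com, host names and DNs are assumed.
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/kerberos.schema      # MIT kdc schema (see NB above)
moduleload      syncprov.la
moduleload      unique.la
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap
index           entryCSN,entryUUID eq                 # needed by the syncrepl provider

# slapo-unique: an add/modify that reuses a uidNumber or uid under ou=People is
# rejected with constraintViolation, which the management tools must catch and retry.
overlay         unique
unique_uri      ldap:///ou=People,dc=example,dc=com?uidNumber,uid?sub
overlay         syncprov
syncprov-checkpoint 100 10

########## replica: /etc/ldap/slapd.conf (consumer) ##########
# same include and moduleload lines as the master, plus:
moduleload      back_ldap.la
# Global overlay (declared before any database): follows the referral the consumer
# returns for a write and replays it on the master as the bound user (mode=self).
overlay         chain
chain-uri       "ldap://master.example.com"
chain-idassert-bind bindmethod="simple"
                binddn="cn=admin,dc=example,dc=com"
                credentials="REPLACE_ME"
                mode="self"
chain-return-error TRUE
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap
syncrepl        rid=001
                provider=ldap://master.example.com
                type=refreshAndPersist
                retry="60 +"
                searchbase="dc=example,dc=com"
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials="REPLACE_ME"
# Writes arriving here are referred to the master; slapo-chain above chases them.
updateref       ldap://master.example.com
# promotetomaster: drop "overlay chain" and "updateref", set "mirrormode on".
```

In slapd terms the replica stays a shadow consumer until promotion: updateref supplies the referral that slapo-chain follows, and mirrormode on (which makes the database writable locally) is only set once the chain overlay is removed.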

Deployment

setupmaster task

  1. Install slapd
  2. load default DIT
  3. Install kdc
  4. Configure kdc to use local slapd as the backend
  5. Install ntp

setupreplica task

  1. Install slapd
  2. Setup syncrepl in MirrorMode with the slapo-chain overlay to redirect writes to the master.
  3. Install kdc
  4. Configure kdc to use local slapd as the backend (open question: should password change requests be rerouted to the master kdc?)
  5. Configure ntp
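The krb5.conf below is an added example, not the spec's own configuration, for step 4 of both the setupmaster and setupreplica tasks (KDC backed by the local slapd through MIT's kldap module). The realm EXAMPLE.COM, the suffix dc=example,dc=com, the host names and the service DNs are assumed placeholders.

```conf
# /etc/krb5.conf: KDC using the local slapd as its principal database (MIT kldap module).
# Added example, not from the spec; realm, suffix, host names and service DNs are assumed.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = master.example.com
        kdc = replica.example.com
        # kpasswd and kadmin traffic always goes to admin_server, so a replica KDC
        # needs no password-change rerouting of its own: only the master runs kadmind.
        admin_server = master.example.com
        database_module = openldap_ldapconf
    }

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        # Principals live under this container (created by kdb5_ldap_util below)
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
        # Separate least-privilege bind identities: the KDC only reads, kadmind writes;
        # their passwords are stashed in the service password file, not in this file.
        ldap_kdc_dn = cn=kdc-service,dc=example,dc=com
        ldap_kadmind_dn = cn=kadmin-service,dc=example,dc=com
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        # Local slapd on the same host (master or replica) over the Unix socket
        ldap_servers = ldapi:///
        ldap_conns_per_server = 5
    }

# One-time realm creation on the master, after kerberos.schema is loaded into slapd
# and the two service DNs exist with write (kadmin) and read (kdc) ACLs on the container:
#   kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create \
#       -subtrees dc=example,dc=com -r EXAMPLE.COM -s
#   kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// stashsrvpw \
#       -f /etc/krb5kdc/service.keyfile cn=kdc-service,dc=example,dc=com
#   kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// stashsrvpw \
#       -f /etc/krb5kdc/service.keyfile cn=kadmin-service,dc=example,dc=com
# A replica uses the same file; its slapd already carries the principals via syncrepl.
```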

promotetomaster task

  1. Turn off slapo-chain overlay.
  2. Enable kdc to accept password change requests.

Implementation

Openldap overlays

  1. Setup the uniq overlay for UID.
  2. Port smbkrb5 overlay to MIT kerberos.
  3. Port Freeipa dna slapi plugin to openldap.

Default DIT

  1. Package openldap-dit.

Deployment tasks

Deployment tasks can be provided as scripts or as manifests for a configuration management tool.

Configuration mgmt tool

  1. Provide a puppet manifest to take care of each task.

Scripts

  1. Package and update the freeipa development scripts.

Test/Demo Plan

Unresolved issues

BoF agenda and discussion

UDS discussion

= Directory Architecture =

 * Determine directory structure.
 
 * Integrate Kerberos
 
 * Make it easy to configure the server to be either a master or slave.
  * Cache by default, partial replication on clients will be discussed during client integration discussion.
  
 * How to integrate DHCP, DNS, and Kerberos.
  * DHCP: not really required for the first configuration due to 3rd party patches.
   * Store DHCP configuration in LDAP.
   * Store lease information in LDAP.
   
  * DNS: possible, but for first iteration may not be useful.
   * 1 patch to query LDAP for every DNS request.
   * 1 patch to cache requests, and not need to query LDAP every time.
   
  * Kerberos
   * MIT Kerberos able to use LDAP for backend principal store.
   * Kerberos schema available.
   * Heimdal schema is a bit simpler.
   * A couple of commands are needed to both load the schema, and configure Kerberos to use LDAP.
   * Only one KDC is used for password changing.
   * One package for master KDC and another for slave KDC.
    * Both KDCs will have a local replica of LDAP directory.
   * Need to add DNS records for Kerberos.
    * Will have some automated method to add the records.
    * In a later iteration integrating into existing DNS will be addressed.
   * Redundant DHCP
    * Two servers in an active/passive mode.
   * New version of Kerberos will not have to rely on reverse DNS lookups.
   
 * DIT
  * openldap-dit
  * Group based administration, access control through group membership.
   * Each group has an Owner that can manage the group.
   * Dynamic ACLs.
  * RFC 2307
  * User login supported.
  * Postfix table lookup.
   * ou=aliases
  * Sudoers
   * sudo can be configured to ignore /etc/sudoers or do a merge with fall back entries.
   
 * Authorization and Access Control
  * Uniqueness Overlay -- rejects commit if value is already used.
  * For uidNumber determine if the user already exists.
  * Password changes
   * How to change password for LDAP, Kerberos, Samba, etc.
   * Heimdal has the ability to sync all three through the smbkrb5 overlay.
   
   
 * Two Overlays
  * Uid generation
  * Password change sync.
  
 * Packages to make changes to the directory during install.
  * Add admin groups for particular applications.
  * SASL external can map any LDAP user to a local user.


CategorySpec

NetworkDirectoryArchitecture (last edited 2009-06-17 21:24:33 by dsl-207-112-28-12)