auth-client-config for integration with LDAPAuthentication

James Strandboge jamie at strandboge.com
Wed Jul 18 19:56:00 UTC 2007


Hi,

As per the meeting the other day, I created the 'auth-client-config'
script to help with management of nsswitch.conf and pam.  

Summary
-------
The basic idea came from a conversation with dendrobates, where he
wanted a script that debconf (or other programs) could call and handle
the updating of pam and nsswitch.conf, ala update-inetd.

Implementation
--------------
auth-client-config is written in python (OO).  It is non-interactive cli
only.  It supports modifying nss, pam-account, pam-auth, pam-password,
and pam-session types, and any number of configurable profiles.
Profiles are configured in a configuration file (via ConfigParser) that
is simply a database of various authentication 'profiles'.  Eg, an
example entry from the database is:

[ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
pam_auth=auth       required     pam_env.so
        auth       sufficient   pam_unix.so likeauth nullok
        auth       sufficient   pam_ldap.so use_first_pass
        auth       required     pam_deny.so
pam_account=account    sufficient   pam_unix.so
        account    sufficient   pam_ldap.so
        account    required     pam_deny.so
pam_password=password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
        password   sufficient   pam_unix.so nullok md5 shadow use_authtok
        password   sufficient   pam_ldap.so use_first_pass
        password   required     pam_deny.so
pam_session=session    required     pam_limits.so
        session    required     pam_unix.so
        session    optional     pam_ldap.so

As you can see, this is in the INI config style (this is what
ConfigParser supports), and for each 'key', its value is what you want
in a particular type. 

Usage
-----
To update a particular file, run auth-client-config with the type to
modify, and the profile to use.  Eg, to update nsswitch.conf with the
above ldap entry, you would run:

auth-client-config -t nss -p ldap

This will change the standard /etc/nsswitch.conf file to:
...
# pre_auth-client-config # passwd:         compat
passwd: files ldap
# pre_auth-client-config # group:          compat
group: files ldap
# pre_auth-client-config # shadow:         compat
shadow: files ldap
...

The '# pre_auth-client-config #' comment allows for users to easily back
out changes to the original, pre-auth-client-config state.

auth-client-config also supports an '-f' option for specifying a
different file to use than the default (eg /tmp/nsswitch.conf, instead
of /etc/nsswitch.conf), and also a '-n' option for a dry-run that will
not modify anything.  See the man page for all options.
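As an added illustration of the profile database and the '# pre_auth-client-config #' mechanism described above (this is not code from auth-client-config itself): a Python 3 sketch that parses a constructed profile with configparser, applies its nss_* entries to a constructed nsswitch.conf the way the post shows, and backs the change out again. The Python 3 module name, the sample profile and the sample nsswitch.conf are assumptions, not taken from the tool.

```python
import configparser
# Constructed sample profile in the INI style auth-client-config uses; indented
# continuation lines let ConfigParser keep a multi-line PAM stack in one value.
PROFILE_DB = """\
[ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
pam_auth=auth       required     pam_env.so
        auth       sufficient   pam_unix.so likeauth nullok
        auth       sufficient   pam_ldap.so use_first_pass
        auth       required     pam_deny.so
"""
# Constructed stand-in for a stock /etc/nsswitch.conf (not a real system file).
NSSWITCH = "passwd:         compat\ngroup:          compat\nshadow:         compat\nhosts:          files dns\n"
MARK = "# pre_auth-client-config # "  # the back-out comment prefix the post describes

def load_profiles(text):
    cp = configparser.RawConfigParser()  # Raw: no '%' interpolation of PAM args
    cp.read_string(text)
    return cp

def nss_lines(cp, profile):
    """Map nsswitch database name -> line the profile wants for type 'nss'."""
    wanted = {}
    for key, value in cp.items(profile):
        if key.startswith("nss_"):
            wanted[value.split(":", 1)[0].strip()] = value.strip()
    return wanted

def apply_nss(conf, wanted):
    """Return the new file text; each replaced line is kept, commented with MARK."""
    out = []
    for line in conf.splitlines():
        stripped = line.strip()
        db = stripped.split(":", 1)[0].strip()
        if not stripped or stripped.startswith("#") or db not in wanted:
            out.append(line)
        else:
            out.append(MARK + line)
            out.append(wanted[db])
    return "\n".join(out) + "\n"

def back_out(conf):
    """Undo apply_nss: restore each MARK line and drop the line inserted after it."""
    lines = conf.splitlines()
    keep = [l[len(MARK):] if l.startswith(MARK) else l for i, l in enumerate(lines)
            if i == 0 or not lines[i - 1].startswith(MARK)]
    return "\n".join(keep) + "\n"
```

Running apply_nss on the sample and printing the result is the equivalent of the '-n' dry run; writing it back to the file is the only step this sketch leaves out.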

Discussion
----------
I envision this being integrated with dendrobates' work, where he will
setup the various profiles for auth-client-config (see TODO for more
discussion).  The profile name will correspond to a debconf option in
his 'ldap-auth-client' package.  Eg:

Choose an authentication/authorization method:

		Ubuntu Directory
		Active Directory
		Fedora Directory Server
		Novell
		LDAP
		Local

		Ok

If the user chooses 'Active Directory' say, then debconf would run:
auth-client-config -t nss -p ad
auth-client-config -t pam_auth -p ad
auth-client-config -t pam_account -p ad
auth-client-config -t pam_password -p ad
auth-client-config -t pam_session -p ad

and auth-client-config's profiles database would have:
[ad]
...


TODO
----
1. Move some configuration from auth-client-config
into /etc/auth-client-config/acc.conf

2. Currently, the database is stored
in /etc/auth-client-config/profile.d/acc-default.  This value is hard
coded.  I plan on making auth-client-config support reading all files
from the /etc/auth-client-config/profile.d directory, so that packages
can drop in authentication profiles, and have them picked up easily.

Eg, dendrobates' 'ldap-auth-client' package might create:
/etc/auth-client-config/profile.d/ldap

and a future kerberos-auth-client might create:
/etc/auth-client-config/profile.d/kerberos

The design also supports local administrators to create their own
profiles, so that site wide network authentication roll-outs can be
better supported.  Eg, the sysadmin at ABC.com might create:
/etc/auth-client-config/profile.d/abc

Through creative use of install scripts/kickstart/etc, they can get
unattended client installs that end up with proper configuration of
network authentication.

'authtool' could also create profiles and use auth-client-config as a
backend.

Users could create different profiles for different networks, and add
these to /etc/auth-client-config/profile.d/ (maybe even for future
network-manager integration).

3. create some testing scripts for automated testing

4. testing, testing, and more testing


Download
--------
Currently the files are at:
http://www.strandboge.com/software/auth-client-config/

There is a deb file too.  This has been tested on dapper, but should
work on any system supporting python 2.4.



Take a look at the man page (or run 'auth-client-config -h').  I highly
recommend running this as non-root against non-system files until it has
received thorough testing.  If running as root, be sure to make backups
of /etc/nsswitch.conf and /etc/pam.d/common-*, and leave one root
terminal/console open (sudo is not enough!) while testing logins in
another, so you can back out the changes.  

Please feel free to give me feedback or ask questions.


Jamie Strandboge (aka 'jdstrand' on IRC)

