auth-client-config for integration with LDAPAuthentication

Rick Clark rick.clark at ubuntu.com
Wed Jul 18 21:23:57 UTC 2007


James,
Wow, quick work.  It looks good.  You, myself, ajmitch, StephanBuys, and
anyone else interested should get together on irc and discuss what
functionality belongs where, and what we want to get done for gutsy.
There is still some configuration that needs to be done, i.e. debconf for
ldap.conf, and I want to make sure that we aren't stepping on each other's
toes.


Rick

On Wed, 2007-07-18 at 15:56 -0400, James Strandboge wrote:
> Hi,
> 
> As per the meeting the other day, I created the 'auth-client-config'
> script to help with management of nsswitch.conf and pam.  
> 
> Summary
> -------
> The basic idea came from a conversation with dendrobates, where he
> wanted a script that debconf (or other programs) could call and handle
> the updating of pam and nsswitch.conf, ala update-inetd.
> 
> Implementation
> --------------
> auth-client-config is written in python (OO).  It is non-interactive cli
> only.  It supports modifying nss, pam-account, pam-auth, pam-password,
> and pam-session types, and any number of configurable profiles.
> Profiles are configured in a configuration file (via ConfigParser) that
> is simply a database of various authentication 'profiles'.  Eg, an
> example entry from the database is:
> 
> [ldap]
> nss_passwd=passwd: files ldap
> nss_group=group: files ldap
> nss_shadow=shadow: files ldap
> pam_auth=auth       required     pam_env.so
>         auth       sufficient   pam_unix.so likeauth nullok
>         auth       sufficient   pam_ldap.so use_first_pass
>         auth       required     pam_deny.so
> pam_account=account    sufficient   pam_unix.so
>         account    sufficient   pam_ldap.so
>         account    required     pam_deny.so
> pam_password=password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
>         password   sufficient   pam_unix.so nullok md5 shadow use_authtok
>         password   sufficient   pam_ldap.so use_first_pass
>         password   required     pam_deny.so
> pam_session=session    required     pam_limits.so
>         session    required     pam_unix.so
>         session    optional     pam_ldap.so
> 
> As you can see, this is in the INI config style (this is what
> ConfigParser supports), and for each 'key', its value is what you want
> in a particular type. 
> 
> Usage
> -----
> To update a particular file, run auth-client-config with the type to
> modify, and the profile to use.  Eg, to update nsswitch.conf with the
> above ldap entry, you would run:
> 
> auth-client-config -t nss -p ldap
> 
> This will change the standard /etc/nsswitch.conf file to:
> ...
> # pre_auth-client-config # passwd:         compat
> passwd: files ldap
> # pre_auth-client-config # group:          compat
> group: files ldap
> # pre_auth-client-config # shadow:         compat
> shadow: files ldap
> ...
> 
> The '# pre_auth-client-config #' comment allows for users to easily back
> out changes to the original, pre-auth-client-config state.
> 
> auth-client-config also supports an '-f' option for specifying a
> different file to use than the default (eg /tmp/nsswitch.conf, instead
> of /etc/nsswitch.conf), and also a '-n' option for a dry-run that will
> not modify anything.  See the man page for all options.
> 
> Discussion
> ----------
> I envision this being integrated with dendrobates' work, where he will
> setup the various profiles for auth-client-config (see TODO for more
> discussion).  The profile name will correspond to a debconf option in
> his 'ldap-auth-client' package.  Eg:
> 
> Choose an authentication/authorization method:
> 
> 		Ubuntu Directory
> 		Active Directory
> 		Fedora Directory Server
> 		Novell
> 		LDAP
> 		Local
> 
> 		Ok
> 
> If the user chooses 'Active Directory', say, then debconf would run:
> auth-client-config -t nss -p ad
> auth-client-config -t pam_auth -p ad
> auth-client-config -t pam_account -p ad
> auth-client-config -t pam_password -p ad
> auth-client-config -t pam_session -p ad
> 
> and auth-client-config's profiles database would have:
> [ad]
> ...
> 
> 
> TODO
> ----
> 1. Move some configuration from auth-client-config
> into /etc/auth-client-config/acc.conf
> 
> 2. Currently, the database is stored
> in /etc/auth-client-config/profile.d/acc-default.  This value is hard
> coded.  I plan on making auth-client-config support reading all files
> from the /etc/auth-client-config/profile.d directory, so that packages
> can drop in authentication profiles, and have them picked up easily.
> 
> Eg, dendrobates' 'ldap-auth-client' package might create:
> /etc/auth-client-config/profile.d/ldap
> 
> and a future kerberos-auth-client might create:
> /etc/auth-client-config/profile.d/kerberos
> 
> The design also lets local administrators create their own profiles,
> so that site-wide network authentication roll-outs can be better
> supported.  Eg, the sysadmin at ABC.com might create:
> /etc/auth-client-config/profile.d/abc
> 
> Through creative use of install scripts/kickstart/etc, they can get
> unattended client installs that end up with proper configuration of
> network authentication.
> 
> 'authtool' could also create profiles and use auth-client-config as a
> backend.
> 
> Users could create different profiles for different networks, and add
> these to /etc/auth-client-config/profile.d/ (maybe even for future
> network-manager integration).
> 
> 3. create some testing scripts for automated testing
> 
> 4. testing, testing, and more testing
> 
> 
> Download
> --------
> Currently the files are at:
> http://www.strandboge.com/software/auth-client-config/
> 
> There is a deb file too.  This has been tested on dapper, but should
> work on any system supporting python 2.4.
> 
> 
> 
> Take a look at the man page (or run 'auth-client-config -h').  I highly
> recommend running this as non-root against non-system files until it has
> received thorough testing.  If running as root, be sure to make backups
> of /etc/nsswitch.conf and /etc/pam.d/common-*, and leave one root
> terminal/console open (sudo is not enough!) while testing logins in
> another, so you can back out the changes.  
> 
> Please feel free to give me feedback or ask questions.
> 
> 
> Jamie Strandboge (aka 'jdstrand' on IRC)
> 
> 
-- 
Rick Clark
Technical Lead, Ubuntu Server Team
email: rick.clark at ubuntu.com
irc: dendrobates on freenode
http://www.ubuntu.com
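As an added illustration (not code from James's tool or this thread), the sketch below shows in Python 3 the nss behaviour the quoted message describes: profiles parsed from the INI database with ConfigParser, each replaced nsswitch.conf line preserved under the '# pre_auth-client-config #' marker, and a back-out that restores the original from those markers. The profile database and nsswitch.conf contents are constructed samples; the functions return text rather than writing files, which is what a dry run (-n) would show.

```python
import configparser
import re
# Constructed profile database in the INI style the message shows (nss_* keys only).
PROFILE_DB = """\
[ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
"""
# Constructed stand-in for a stock /etc/nsswitch.conf.
NSSWITCH = """\
# /etc/nsswitch.conf
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
"""
MARKER = "# pre_auth-client-config # "  # prefix kept on the original line for back-out

def load_profile(db_text, profile):
    """Return the nss_* entries of one profile from the INI database."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(db_text)
    return {k: v for k, v in cp.items(profile) if k.startswith("nss_")}

def apply_nss(conf_text, nss_entries):
    """Return updated nsswitch.conf text; nothing is written (what -n would show)."""
    pending = {v.split(":", 1)[0].strip(): v for v in nss_entries.values()}
    out = []
    for line in conf_text.splitlines():
        m = re.match(r"^(\w+):", line)
        if m and m.group(1) in pending:
            out.append(MARKER + line)            # keep the original, commented out
            out.append(pending.pop(m.group(1)))  # then the profile's replacement
        else:
            out.append(line)
    out.extend(pending.values())  # databases the file did not mention yet
    return "\n".join(out) + "\n"

def revert_nss(conf_text):
    """Back out apply_nss: restore each MARKER line and drop the line after it."""
    out, skip = [], False
    for line in conf_text.splitlines():
        if skip:
            skip = False
        elif line.startswith(MARKER):
            out.append(line[len(MARKER):])
            skip = True
        else:
            out.append(line)
    return "\n".join(out) + "\n"
```

Running apply_nss twice on the same text would stack a second marker on the first replacement line, so a real tool should refuse to apply a profile to a file that already carries markers.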