====== How to test full LDAP authentication support on SME Server 8 ======

Many thanks to Shad Lords, and everyone else who helped with bug verification; most of the patches needed to get LDAP authentication are now available in SME8.

===== How to enable LDAP auth =====

Nearly everything is ready for LDAP authentication; the functionality is just disabled. This makes testing a lot easier, as we don't need to maintain separate versions anymore. Here's what you need to do to enable LDAP authentication on SME8b6.

**WARNING: !!!!! You should not enable this on a production server. Full LDAP authentication is still a work in progress !!!!**

Enabling LDAP auth will remove all your users, groups and machine accounts from the standard accounts database (/etc/passwd, /etc/group, /etc/shadow, /etc/gshadow).

  * Update your server to the latest packages available in smeupdates-testing:

<code>
yum --enablerepo=smeupdates-testing update
signal-event post-upgrade
signal-event reboot
</code>

Once your server is rebooted, you should see all your users, groups and machine accounts in LDAP (you can use an LDAP browser, or the command slapcat).

  * Now you can enable LDAP auth. It's as simple as running the commands below. This is a non-reversible operation:

<code>
/etc/e-smith/events/actions/ldap-update ldap-update
db configuration setprop ldap Authentication enabled
signal-event post-upgrade
signal-event reboot
</code>

===== Users and groups filters =====

If you use your LDAP database to authenticate third-party applications (GLPI, eGroupware, SOGo, Linux workstations, etc.), you'll want to see only your SME users and groups, and not all the system and dummy accounts.

Here are the filters you can use:

  * for users:
    * base: ou=Users,dc=domain,dc=tld
    * filter: (objectClass=inetOrgPerson)
  * for groups:
    * base: ou=Groups,dc=domain,dc=tld
    * filter: (objectClass=mailboxRelatedObject)

===== Graphical LDAP browsers =====

You can install phpldapadmin (available here: http://sme-mirror.firewall-services.com/releases/7/smecontribs/i386/RPMS/smeserver-phpldapadmin-0.9.8.3-1.el4.sme.noarch.rpm) to see the content of the LDAP directory from a web browser. Other LDAP browsers are available, such as GQ or Luma on Linux.

===== Need to be tested =====

  * After enabling LDAP auth and after the post-upgrade / reboot, the directory **/etc/e-smith/ldap/init** should be empty (which means all the scripts have been loaded successfully)
  * Every user should be available and functional (same password, mail access, samba access, etc.)
  * Every group should also be available, and group membership should be the same
  * Workstation logon (NT domain) should work for existing machines
  * Adding a new workstation to the domain should work
  * Users, groups and machine accounts should not be present in /etc/passwd, /etc/group, /etc/shadow, /etc/gshadow and /etc/samba/smbpasswd. They should only be available in LDAP
  * Creating/changing/removing users, groups and ibays from the server-manager should work without any error message (you can check /var/log/messages)
  * Backup / restore. We need to be sure the LDAP dump is restored cleanly
  * Initial account creation should also be tested. For this, an ISO with LDAP authentication enabled should be created
  * pptp VPN should work as expected (using LDAP as backend instead of smbpasswd)

===== Unsolved Issues =====

Some issues remain; here's a list of what I have in mind:

  * If LDAP auth is disabled, passwords for machine accounts may be out of sync in LDAP (and probably passwords of users if changed via their Windows box in the domain)
  * nss_ldap needs to bind as a valid LDAP user (http://bugs.contribs.org/show_bug.cgi?id=6445, patch proposed)
  * It's not possible to change LDAP passwords using the passwd command (http://bugs.contribs.org/show_bug.cgi?id=6453, patch proposed)

===== Future enhancements =====

With the changes proposed on this page, LDAP will be the primary users and groups database. Most services will use it through pam/nss. But for some services, we can take advantage of native LDAP support:

  * Add smbk5pwd overlay support. This will ensure unix and samba passwords are in sync, no matter how the user updates their password (http://bugs.contribs.org/show_bug.cgi?id=6451, patch proposed)
  * Add ppolicy support. This overlay applies password policies on password updates
  * pwauth used in httpd could be replaced with mod_authnz_ldap, which would bring group membership support, and doesn't require a setuid binary
  * Provide a memberOf equivalent. The memberOf attribute (available for example on AD) allows querying the list of groups a user is a member of with a simple LDAP filter. For example, a filter like (&(objectClass=inetOrgPerson)(memberOf=cn=group1,ou=Groups,dc=domain,dc=tld)) would only return users who are members of the group named group1. This can be extremely useful for some applications which don't support posix group membership (and only support simple LDAP filters)
  * Support slave setup, where a SME server syncs its accounts from a main SME server
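As an added example (not code from the SME Server project), the following script applies the user and group filters from the "Users and groups filters" section to a slapcat dump and builds the memberOf equivalent described above client-side, from the memberUid attributes of SME groups. It assumes the dc=domain,dc=tld suffix used on this page and a plain LDIF dump (no line folding or base64 values); the dump itself is a constructed sample.

```python
# Added example (not SME Server code): page filters over a slapcat dump plus a memberOf emulation.
BASE = "dc=domain,dc=tld"  # suffix assumed as on the page

def parse_ldif(text):
    """Entries as {attribute_lowercase: [values]}; no line folding or base64."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def matches(entry, ou, object_class):
    """Emulate search base ou=<ou>,BASE with filter (objectClass=<object_class>)."""
    classes = [v.lower() for v in entry.get("objectclass", [])]
    return (entry["dn"][0].lower().endswith(f"ou={ou},{BASE}".lower())
            and object_class.lower() in classes)

def member_of(entries):
    """uid -> set of SME group DNs: the memberOf equivalent the page asks for."""
    groups = {}
    for g in (e for e in entries if matches(e, "Groups", "mailboxRelatedObject")):
        for uid in g.get("memberuid", []):
            groups.setdefault(uid, set()).add(g["dn"][0])
    return groups

def users_in_group(entries, group_dn):
    """Client-side (&(objectClass=inetOrgPerson)(memberOf=<group_dn>))."""
    mo = member_of(entries)
    return sorted(e["uid"][0] for e in entries if matches(e, "Users", "inetOrgPerson")
                  and group_dn in mo.get(e["uid"][0], ()))

# Constructed sample: root is a system account (no inetOrgPerson) listed in group1.
SAMPLE = """dn: uid=root,ou=Users,dc=domain,dc=tld
objectClass: posixAccount
uid: root

dn: uid=alice,ou=Users,dc=domain,dc=tld
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice

dn: cn=group1,ou=Groups,dc=domain,dc=tld
objectClass: mailboxRelatedObject
memberUid: alice
memberUid: root
"""
```

Running users_in_group(parse_ldif(SAMPLE), "cn=group1,ou=Groups,dc=domain,dc=tld") returns only alice: root is listed in the group but is dropped by the inetOrgPerson filter, which is exactly the system-account noise the filters are meant to hide.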