How to test full LDAP authentication support on SME Server 8

Many thanks to Shad Lords, and everyone else who help with bug verification, most of the patches needed to get LDAP authentication are now available in SME8.

How to enable LDAP auth

Nearly everything is ready to have LDAP authentication, the functionnality is just disabled. this will make tests a lot easier, as we don't need to maintain separate versions anymore. Here's what you need to do to enable LDAP authentication on SME8b6

WARNING: !!!!! <fc #FF0000>You should not enable this on a production server</fc>. Full LDAP authentication is still a work in progress !!!! Enabling LDAP auth will remove all your users, group, machine accounts from the standard accounts database (/etc/passwd, /etc/group, /etc/shadow, /etc/gshadow)

Update your server to the latest packages available in smeupdates-testing

yum --enablerepo=smeupdates-testing update
signal-event post-upgrade
signal-event reboot

Once your server is rebooted, you should see all your users, groups and machine accounts in LDAP (you can use an LDAP browser, or the command slapcat)

Now, you can enabled LDAP auth. It's now as simple as running:

This is a non reversible operation

/etc/e-smith/events/actions/ldap-update ldap-update
db configuration setprop ldap Authentication enabled
signal-event post-upgrade
signal-event reboot

Users and groups filters

If you use your LDAP database to authenticate third party applications (GLPI, eGroupware, SOGo, Linux workstations etc…) you'll want to see only your SME users and groups, and not all the system and dummy accounts. Here are the filters you can use:

for users:
- base: ou=Users,dc=domain,dc=tld
- filter: (objectClass=inetOrgPerson)
for groups:
- base: ou=Groups,dc=domain,dc=tld
- filter: (objectClass=mailboxRelatedObject)

Graphical LDAP browsers

You can install phpldapadmin (available here: http://sme-mirror.firewall-services.com/releases/7/smecontribs/i386/RPMS/smeserver-phpldapadmin-0.9.8.3-1.el4.sme.noarch.rpm) to see the content of the LDAP directory from a web browser. Other LDAP browser are available like GQ or Luma on linux

Need to be tested

After enabling LDAP auth and after the post-upgrade / reboot, the directory /etc/e-smith/ldap/init should be emtpy (which means all the scripts have been loaded successfully)
Every users should be available, and functional (same password, mail access, samba access etc…)
Every group should also be available, and group membership should be the same
Workstation logon (NT domain) should work for existing machines
Adding new workstation in the domain should work
users, groups and machine accounts should not be present in /etc/passwd, /etc/group, /etc/shadow, /etc/gshadow and /etc/samba/smbpasswd. They should only be available in LDAP
Creating/changing/removing users, groups and ibays from the server-manager should work without any error message (you can check /var/log/messages)
backup / restore. We need to be sure the ldap dump is restored cleanly
Initial account creation should also be tested. For this, a ISO with LDAP authentication enabled should be created
pptp VPN should work as expected (using LDAP as backend instead of smbpasswd)

Unsolved Issues

Some issue remains, here's a list of what I have in mind:

If ldap auth is disabled, passwords for machine accounts maybe out of sync in LDAP (and probably password of users if changed via their windows box in the domain)
nss_ldap needs to bind as a valid LDAP user (http://bugs.contribs.org/show_bug.cgi?id=6445, patch proposed)
It's not possible to change LDAP passwords using the passwd command (http://bugs.contribs.org/show_bug.cgi?id=6453, patch proposed)

Future enhancements

With the changes proposed on this page, LDAP will be the primary users and groups database. Most services will use it, through pam/nss. But for some services, we can take advantage of native LDAP support

Add smbk5pwd overlay support. This will ensure unix and samba passwords are in sync, no matter how the user update its password (http://bugs.contribs.org/show_bug.cgi?id=6451, patch proposed)

Add ppolocy support. This overlay apply password policies on passwords updates

pwauth used in httpd could be replaced with mod_authnz_ldap, which would bring group membership support, and doesn't require setuid binary

Provide a memberOf equivalent. The memberOf attribute (available for example on AD), allows to query the list of group a user is member of with a simple ldap filter. For example a filter like this (&(objectClass=inetOrgPerson)(memberOf=cn=group1,ou=Groups,dc=domain,dc=tld)) would only return users member of the group name group1. This can be extremely useful for some applications which doesn't support posix group membership (and only support simple LDAP filters)

Support slave setup, where a SME server sync it's account on a main SME server