
How to test full LDAP authentication support on SME Server 8

Many thanks to Shad Lords and everyone else who helped with bug verification: most of the patches needed for LDAP authentication are now available in SME8.

Nearly everything needed for LDAP authentication is in place; the functionality is just disabled. This makes testing a lot easier, as we no longer need to maintain separate versions. Here's what you need to do to enable LDAP authentication on SME8b6:

WARNING: !!!!! <fc #FF0000>You should not enable this on a production server</fc>. Full LDAP authentication is still a work in progress !!!! Enabling LDAP auth will remove all your user, group and machine accounts from the standard account databases (/etc/passwd, /etc/group, /etc/shadow, /etc/gshadow).

  • Update your server to the latest packages available in smeupdates-testing
yum --enablerepo=smeupdates-testing update
signal-event post-upgrade
signal-event reboot

Once your server has rebooted, you should see all your users, groups and machine accounts in LDAP (you can use an LDAP browser, or the slapcat command).

This is a non-reversible operation.
  • Now you can enable LDAP auth. It's as simple as running:
/etc/e-smith/events/actions/ldap-update ldap-update
db configuration setprop ldap Authentication enabled
signal-event post-upgrade
signal-event reboot

If you use your LDAP database to authenticate third-party applications (GLPI, eGroupware, SOGo, Linux workstations etc.), you'll want to see only your SME users and groups, not all the system and dummy accounts. Here are the filters you can use:

  • for users:
    • base: ou=Users,dc=domain,dc=tld
    • filter: (objectClass=inetOrgPerson)
  • for groups:
    • base: ou=Groups,dc=domain,dc=tld
    • filter: (objectClass=mailboxRelatedObject)

You can install phpldapadmin (available here: http://sme-mirror.firewall-services.com/releases/7/smecontribs/i386/RPMS/smeserver-phpldapadmin-0.9.8.3-1.el4.sme.noarch.rpm) to browse the content of the LDAP directory from a web browser. Other LDAP browsers such as GQ or Luma are available on Linux.

  • After enabling LDAP auth and after the post-upgrade / reboot, the directory /etc/e-smith/ldap/init should be empty (which means all the scripts have been loaded successfully)
  • Every user should be available and functional (same password, mail access, samba access etc.)
  • Every group should also be available, and group membership should be the same
  • Workstation logon (NT domain) should work for existing machines
  • Adding a new workstation to the domain should work
  • Users, groups and machine accounts should not be present in /etc/passwd, /etc/group, /etc/shadow or /etc/gshadow. They should only be available in LDAP
  • Creating/changing/removing users, groups and ibays from the server-manager should work without any error message (you can check /var/log/messages)
  • Backup / restore: we need to be sure the LDAP dump is restored cleanly
  • Initial account creation should also be tested. For this, an ISO including the modified rpms should be created.
  • pptp VPN should work as expected (using LDAP as backend instead of smbpasswd)
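To make the checklist above repeatable on a test box, here is a small POSIX shell script, added as an example and not part of the original page or of SME Server itself. It checks the two points that are easy to get wrong silently: that /etc/e-smith/ldap/init has been drained, and that a given account has disappeared from the local files while still resolving through NSS (pam/nss backed by LDAP). It also wraps the two ldapsearch filters given above. It assumes getent(1) and ldapsearch(1) are installed, and that the base DN for a domain is dc=label,dc=label as shown in the filters; the sample passwd line used below is constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks after enabling
# full LDAP authentication on SME Server 8.
# Assumptions: getent and ldapsearch are available; base DN is dc=...,dc=...

# Turn "domain.tld" into "dc=domain,dc=tld".
domain_to_basedn() {
    printf 'dc=%s' "$1" | sed 's/\./,dc=/g'
}

# Is the name present as a *local* entry in the given passwd/group file?
# Once LDAP auth is enabled, SME users/groups/machines must NOT appear here.
local_entry_present() {   # $1 = account name, $2 = file (/etc/passwd, /etc/group, ...)
    awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }' "$2"
}

# Is the name resolvable through NSS (i.e. via pam/nss -> LDAP)?
nss_entry_present() {     # $1 = database (passwd|group), $2 = account name
    getent "$1" "$2" >/dev/null 2>&1
}

# /etc/e-smith/ldap/init must be empty once every init script has been loaded.
init_dir_empty() {        # $1 = directory
    [ -d "$1" ] && [ -z "$(ls -A "$1" 2>/dev/null)" ]
}

# The two filters from the page: SME accounts only, no system/dummy entries.
sme_users_search() {      # $1 = domain; prints the uid of every SME user
    ldapsearch -x -LLL -b "ou=Users,$(domain_to_basedn "$1")" \
        '(objectClass=inetOrgPerson)' uid
}
sme_groups_search() {     # $1 = domain; prints the cn of every SME group
    ldapsearch -x -LLL -b "ou=Groups,$(domain_to_basedn "$1")" \
        '(objectClass=mailboxRelatedObject)' cn
}

# One account must be gone from the local file and still resolve via NSS.
check_account() {         # $1 = passwd|group, $2 = name, $3 = local file
    if local_entry_present "$2" "$3"; then
        echo "FAIL: $2 is still in $3"; return 1
    fi
    if ! nss_entry_present "$1" "$2"; then
        echo "FAIL: $2 does not resolve through NSS (LDAP)"; return 1
    fi
    echo "OK: $2 is only in LDAP"
}

# Usage: sh ldap-check.sh example.com alice [group1]
if [ $# -ge 2 ]; then
    init_dir_empty /etc/e-smith/ldap/init \
        && echo "OK: /etc/e-smith/ldap/init is empty" \
        || echo "FAIL: /etc/e-smith/ldap/init still has scripts"
    check_account passwd "$2" /etc/passwd
    [ -n "$3" ] && check_account group "$3" /etc/group
    sme_users_search "$1"
    sme_groups_search "$1"
fi
```

Run it as root after the post-upgrade / reboot; any FAIL line points at one of the checklist items above. The ldapsearch calls use an anonymous bind (-x), so if you have restricted anonymous reads on the directory, add -D/-W for a bind DN.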

Some issues remain; here's a list of what I have in mind:

With the changes proposed on this page, LDAP will be the primary users and groups database. Most services will use it through pam/nss, but for some services we can take advantage of native LDAP support:

  • Add ppolicy support. This overlay applies password policies on password updates
  • pwauth used in httpd could be replaced with mod_authnz_ldap, which would bring group membership support and doesn't require a setuid binary
  • Provide a memberOf equivalent. The memberOf attribute (available for example on AD) allows querying the list of groups a user is a member of with a simple LDAP filter. For example a filter like (&(objectClass=inetOrgPerson)(memberOf=cn=group1,ou=Groups,dc=domain,dc=tld)) would only return users who are members of the group named group1. This can be extremely useful for applications which don't support posix group membership (and only support simple LDAP filters)
  • Support a slave setup, where an SME server syncs its accounts from a main SME server
  • Last modified: 25/07/2011 17:23
  • by dani