smedev:full_ldap_testing

Differences

Below are the differences between two revisions of the page.


smedev:full_ldap_testing [30/11/2010 20:04]
dani [How to enable LDAP auth]
smedev:full_ldap_testing [16/12/2012 21:10] (Current version)
dani [Need to be tested]
Line 17: Line 17:
  
 Once your server is rebooted, you should see all your users, groups and machine accounts in LDAP (you can use an LDAP browser, or the command slapcat) Once your server is rebooted, you should see all your users, groups and machine accounts in LDAP (you can use an LDAP browser, or the command slapcat)
 +
  
   * Now, you can enabled LDAP auth. It's now as simple as running:   * Now, you can enabled LDAP auth. It's now as simple as running:
 +<note important>This is a non reversible operation</note>
 <code bash> <code bash>
 /etc/e-smith/events/actions/ldap-update ldap-update /etc/e-smith/events/actions/ldap-update ldap-update
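Review bot: the added `<note important>This is a non reversible operation</note>` warns that ldap-update cannot be undone, but nothing in this hunk tells the reader what to save before running it. Suggest naming the backups to take first, using only what the page already mentions: an LDAP dump with slapcat (the line just above the note already points to it) plus copies of /etc/passwd, /etc/group, /etc/shadow, /etc/gshadow and /etc/samba/smbpasswd, which the test checklist further down says must no longer contain the accounts afterwards. While this spot is being touched, the unchanged line "you can enabled LDAP auth" should read "you can enable LDAP auth".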
Line 26: Line 28:
 </code> </code>
  
-===== Patches ===== 
-Here are some patches we wrote. they are available here for review from core developers. 
  
-  * [[http://repo.firewall-services.com/misc/sme_ldap_patches/e-smith-ldap-5.2.0-ldapmodify.patch|e-smith-ldap-5.2.0-ldapmodify.patch]] + 
-This patch change the ldap.init service script to use ldapmodify command instead of ldapadd. If no changetype is found in the ldif file, the -a argument is added (ldapmodify -a is the same as ldapadd). This change allow ldif files to modify existing entries +
- +
-  * [[http://repo.firewall-services.com/misc/sme_ldap_patches/e-smith-ldap-5.2.0-enhance_convert_ldif.patch|e-smith-ldap-5.2.0-enhance_convert_ldif.patch]] +
-This patch is a rewrite (from Shad Lords) of the convert_ldif script. This new version is able to create the whole database, convert it on domain name change, or generate a "diff" ldif file to update existing entries. This script reads the old ldif from stdin and write the new one on stdout. If the flag --diff is passed, the output will represent the changes needed to convert the data passed on stdin to the current schema SME wants. +
- +
-  * [[http://repo.firewall-services.com/misc/sme_ldap_patches/e-smith-ldap-5.2.0-never_expand_ldif.patch|e-smith-ldap-5.2.0-never_expand_ldif.patch]] +
-This patch remove the occurrence of expand-template /home/e-smith/ldap/ldif. This is not needed anymore as the convert_ldif script can create the database itself +
- +
-  * [[http://repo.firewall-services.com/misc/sme_ldap_patches/e-smith-ldap-5.2.0-remove_ldif_templates.patch|e-smith-ldap-5.2.0-remove_ldif_templates.patch]] +
-This patch simply removes the ldif templates as they are not used anymore +
- +
-  * [[http://repo.firewall-services.com/misc/sme_ldap_patches/e-smith-ldap-5.2.0-use_convert_ldif_in_ldap_update.patch|e-smith-ldap-5.2.0-use_convert_ldif_in_ldap_update.patch]] +
-This patch replace the complex ldap-update script with a simple call to convert_ldif like this: +
-<code bash> +
-slapcat | perl /var/service/ldap/convert_ldif --diff > /etc/e-smith/ldap/init/60system_upgrade.ldif +
-</code> +
-the service ldap.init is now restart during ldap-update event. +
- +
-The main goal of these patches is to remove code duplication (mainly in ldap-update script and templates). +
 ===== Users and groups filters ===== ===== Users and groups filters =====
 If you use your LDAP database to authenticate third party applications (GLPI, eGroupware, SOGo, Linux workstations etc...) you'll want to see only your SME users and groups, and not all the system and dummy accounts. Here are the filters you can use: If you use your LDAP database to authenticate third party applications (GLPI, eGroupware, SOGo, Linux workstations etc...) you'll want to see only your SME users and groups, and not all the system and dummy accounts. Here are the filters you can use:
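Review bot: deleting the whole Patches section removes the only description on this page of what ldap-update actually does (the `slapcat | perl /var/service/ldap/convert_ldif --diff > /etc/e-smith/ldap/init/60system_upgrade.ldif` pipeline and the ldap.init restart during the ldap-update event), while the text above still instructs the reader to run ldap-update and, in this same revision, marks it as irreversible. Suggest keeping a one-line pointer to where these patches were merged, or to their bug tracker entries, so a reader can still audit what the command does before running it; the links under http://repo.firewall-services.com/misc/sme_ldap_patches/ should be stated as obsolete rather than silently dropped.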
Line 64: Line 45:
  
 ===== Need to be tested ===== ===== Need to be tested =====
-  * After enabling LDAP auth and after the post-upgrade / reboot, the directory **/etc/e-smith/ldap/init** should be emtpy (which means all the scripts have been loaded successfully+  * After enabling LDAP auth and after the post-upgrade / reboot, the directory **/etc/e-smith/ldap/init** should be emtpy (which means all the scripts have been loaded successfully)
   * Every users should be available, and functional (same password, mail access, samba access etc...)   * Every users should be available, and functional (same password, mail access, samba access etc...)
   * Every group should also be available, and group membership should be the same   * Every group should also be available, and group membership should be the same
   * Workstation logon (NT domain) should work for existing machines   * Workstation logon (NT domain) should work for existing machines
   * Adding new workstation in the domain should work   * Adding new workstation in the domain should work
-  * users, groups and machine accounts should not be present in /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow. They should only be available in LDAP+  * users, groups and machine accounts should not be present in /etc/passwd, /etc/group, /etc/shadow/etc/gshadow and /etc/samba/smbpasswd. They should only be available in LDAP
   * Creating/changing/removing users, groups and ibays from the server-manager should work without any error message (you can check /var/log/messages)   * Creating/changing/removing users, groups and ibays from the server-manager should work without any error message (you can check /var/log/messages)
-  * backup / restore. We need to be sure the ldap dump is restored cleanly (I've not tested this yet) +  * backup / restore. We need to be sure the ldap dump is restored cleanly 
-  * Initial account creation should also be tested. For this, a ISO including the modified rpms should be created+  * Initial account creation should also be tested. For this, a ISO with LDAP authentication enabled should be created
   * pptp VPN should work as expected (using LDAP as backend instead of smbpasswd)   * pptp VPN should work as expected (using LDAP as backend instead of smbpasswd)
  
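Review bot: in the new version of the /etc/passwd item, "/etc/shadow/etc/gshadow" has lost its separator and reads as a single non-existent path; it should be "/etc/shadow, /etc/gshadow and /etc/samba/smbpasswd". Two smaller points in the same hunk: the backup / restore item drops "(I've not tested this yet)" without saying whether the restore of the LDAP dump was actually verified, so the status of that test is now unknown (if it was tested, say so; if not, keep the caveat), and "emtpy" survives the edit of the first item and should be "empty".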
Line 78: Line 59:
 ===== Unsolved Issues ===== ===== Unsolved Issues =====
 Some issue remains, here's a list of what I have in mind: Some issue remains, here's a list of what I have in mind:
-  * templates for /home/e-smith/db/ldap/ldif should be removed+  * If ldap auth is disabled, passwords for machine accounts maybe out of sync in LDAP (and probably password of users if changed via their windows box in the domain) 
 +  * nss_ldap needs to bind as a valid LDAP user (http://bugs.contribs.org/show_bug.cgi?id=6445, patch proposed) 
 +  * It's not possible to change LDAP passwords using the passwd command (http://bugs.contribs.org/show_bug.cgi?id=6453, patch proposed)
  
  
 ===== Future enhancements ===== ===== Future enhancements =====
 With the changes proposed on this page, LDAP will be the primary users and groups database. Most services will use it, through pam/nss. But for some services, we can take advantage of native LDAP support With the changes proposed on this page, LDAP will be the primary users and groups database. Most services will use it, through pam/nss. But for some services, we can take advantage of native LDAP support
 +
 +  * Add smbk5pwd overlay support. This will ensure unix and samba passwords are in sync, no matter how the user update its password (http://bugs.contribs.org/show_bug.cgi?id=6451, patch proposed)
 +
 +  * Add ppolocy support. This overlay apply password policies on passwords updates
 +
   * pwauth used in httpd could be replaced with mod_authnz_ldap, which would bring group membership support, and doesn't require setuid binary   * pwauth used in httpd could be replaced with mod_authnz_ldap, which would bring group membership support, and doesn't require setuid binary
  
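Review bot: the new unsolved issue "If ldap auth is disabled, passwords for machine accounts maybe out of sync in LDAP" presupposes that LDAP auth can be turned off, which conflicts with the "non reversible operation" note this same revision adds to the enable step; either disabling is possible and the note above should describe what state it leaves behind, or this item should state under which condition the LDAP copy of the passwords can fall behind. Also "maybe" should be "may be", "ppolocy" should be "ppolicy" (the overlay name matters for anyone searching for it), and "no matter how the user update its password" should read "no matter how the user updates their password".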
  • smedev/full_ldap_testing.1291143882.txt.gz
 • Last modified: 30/11/2010 20:04
 • by dani