Differences
Below are the differences between two revisions of the page.
smedev:full_ldap_testing [30/11/2010 20:04] dani [How to enable LDAP auth] |
smedev:full_ldap_testing [16/12/2012 21:10] (Current version) dani [Need to be tested] |
Line 17: | Line 17: | ||
Once your server is rebooted, you should see all your users, groups and machine accounts in LDAP (you can use an LDAP browser, or the command slapcat) | Once your server is rebooted, you should see all your users, groups and machine accounts in LDAP (you can use an LDAP browser, or the command slapcat) | ||
+ | |||
* Now, you can enabled LDAP auth. It's now as simple as running: | * Now, you can enabled LDAP auth. It's now as simple as running: | ||
+ | <note important> | ||
<code bash> | <code bash> | ||
/ | / | ||
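Review bot: the `<note important>` opened just before the `<code bash>` block has no closing `</note>` visible in this hunk; if the note is meant to wrap only a warning sentence, close it before the code block so the command renders as a normal code block rather than inside the note. Minor: "you can enabled LDAP auth" should read "you can enable LDAP auth".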
Line 26: | Line 28: | ||
</ | </ | ||
- | ===== Patches ===== | ||
- | Here are some patches we wrote. they are available here for review from core developers. | ||
- | * [[http:// | + | |
- | This patch change the ldap.init service script to use ldapmodify command instead of ldapadd. If no changetype is found in the ldif file, the -a argument is added (ldapmodify -a is the same as ldapadd). This change allow ldif files to modify existing entries | + | |
- | + | ||
- | * [[http:// | + | |
- | This patch is a rewrite (from Shad Lords) of the convert_ldif script. This new version is able to create the whole database, convert it on domain name change, or generate a " | + | |
- | + | ||
- | * [[http:// | + | |
- | This patch remove the occurrence of expand-template / | + | |
- | + | ||
- | * [[http:// | + | |
- | This patch simply removes the ldif templates as they are not used anymore | + | |
- | + | ||
- | * [[http:// | + | |
- | This patch replace the complex ldap-update script with a simple call to convert_ldif like this: | + | |
- | <code bash> | + | |
- | slapcat | perl / | + | |
- | </ | + | |
- | the service ldap.init is now restart during ldap-update event. | + | |
- | + | ||
- | The main goal of these patches is to remove code duplication (mainly in ldap-update script and templates). | + | |
===== Users and groups filters ===== | ===== Users and groups filters ===== | ||
If you use your LDAP database to authenticate third party applications (GLPI, eGroupware, SOGo, Linux workstations etc...) you'll want to see only your SME users and groups, and not all the system and dummy accounts. Here are the filters you can use: | If you use your LDAP database to authenticate third party applications (GLPI, eGroupware, SOGo, Linux workstations etc...) you'll want to see only your SME users and groups, and not all the system and dummy accounts. Here are the filters you can use: | ||
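Review bot: deleting the whole Patches section also removes the only description of the new ldap-update behaviour (ldap.init calling ldapmodify with -a added when the ldif has no changetype, the rewritten convert_ldif, and ldap.init being restarted during the ldap-update event); if these patches have been merged, replace the section with one sentence saying so and where the merged version lives, because an admin who keeps custom ldif templates still needs to know that templates can now modify existing entries rather than only add them.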
Line 64: | Line 45: | ||
===== Need to be tested ===== | ===== Need to be tested ===== | ||
- | * After enabling LDAP auth and after the post-upgrade / reboot, the directory **/ | + | * After enabling LDAP auth and after the post-upgrade / reboot, the directory **/ |
* Every users should be available, and functional (same password, mail access, samba access etc...) | * Every users should be available, and functional (same password, mail access, samba access etc...) | ||
* Every group should also be available, and group membership should be the same | * Every group should also be available, and group membership should be the same | ||
* Workstation logon (NT domain) should work for existing machines | * Workstation logon (NT domain) should work for existing machines | ||
* Adding new workstation in the domain should work | * Adding new workstation in the domain should work | ||
- | * users, groups and machine accounts should not be present in / | + | * users, groups and machine accounts should not be present in / |
* Creating/ | * Creating/ | ||
- | * backup / restore. We need to be sure the ldap dump is restored cleanly | + | * backup / restore. We need to be sure the ldap dump is restored cleanly |
- | * Initial account creation should also be tested. For this, a ISO including the modified rpms should be created. | + | * Initial account creation should also be tested. For this, a ISO with LDAP authentication enabled |
* pptp VPN should work as expected (using LDAP as backend instead of smbpasswd) | * pptp VPN should work as expected (using LDAP as backend instead of smbpasswd) | ||
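Review bot: the checklist covers functionality but has no access-control check; since the filters section says third-party applications will bind to this directory, add an item verifying that the password hash attributes (userPassword and the Samba password attributes) are not readable by anonymous or ordinary user binds, for example an ldapsearch bound as a normal user should return the entry without them. Minor: "a ISO" should be "an ISO".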
Line 78: | Line 59: | ||
===== Unsolved Issues ===== | ===== Unsolved Issues ===== | ||
Some issue remains, here's a list of what I have in mind: | Some issue remains, here's a list of what I have in mind: | ||
- | * templates | + | * If ldap auth is disabled, passwords |
+ | * nss_ldap needs to bind as a valid LDAP user (http://bugs.contribs.org/show_bug.cgi? | ||
+ | * It's not possible to change LDAP passwords using the passwd command (http://bugs.contribs.org/ | ||
===== Future enhancements ===== | ===== Future enhancements ===== | ||
With the changes proposed on this page, LDAP will be the primary users and groups database. Most services will use it, through pam/nss. But for some services, we can take advantage of native LDAP support | With the changes proposed on this page, LDAP will be the primary users and groups database. Most services will use it, through pam/nss. But for some services, we can take advantage of native LDAP support | ||
+ | |||
+ | * Add smbk5pwd overlay support. This will ensure unix and samba passwords are in sync, no matter how the user update its password (http:// | ||
+ | |||
+ | * Add ppolocy support. This overlay apply password policies on passwords updates | ||
+ | |||
* pwauth used in httpd could be replaced with mod_authnz_ldap, | * pwauth used in httpd could be replaced with mod_authnz_ldap, | ||
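Review bot: the nss_ldap item should document which LDAP account is used for the bind and how its credentials are protected, because the nss_ldap configuration has to be readable by every local process doing name lookups, so any bind password stored there is effectively readable by all local users; a dedicated read-only account with ACLs limited to the attributes nss needs is the usual mitigation and is worth stating next to the bug link. Minor: "ppolocy" should be "ppolicy", and "no matter how the user update its password" should be "no matter how the user updates their password".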