smedev:full_ldap_testing

Differences

Below are the differences between two revisions of the page.


smedev:full_ldap_testing [01/12/2010 20:53]
dani [Patches]
smedev:full_ldap_testing [16/12/2012 21:10] (current version)
dani [Need to be tested]
Line 17: Line 17:
  
 Once your server is rebooted, you should see all your users, groups and machine accounts in LDAP (you can use an LDAP browser, or the command slapcat) Once your server is rebooted, you should see all your users, groups and machine accounts in LDAP (you can use an LDAP browser, or the command slapcat)
 +
  
   * Now, you can enabled LDAP auth. It's now as simple as running:   * Now, you can enabled LDAP auth. It's now as simple as running:
 +<note important>This is a non reversible operation</note>
 <code bash> <code bash>
 /etc/e-smith/events/actions/ldap-update ldap-update /etc/e-smith/events/actions/ldap-update ldap-update
Line 25: Line 27:
 signal-event reboot signal-event reboot
 </code> </code>
 +
  
    
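Review bot: the added `<note important>` reads better as "This is a non-reversible operation", and since it warns that the step cannot be undone, the unchanged bullet right above it ("Now, you can enabled LDAP auth") should say "enable"; both fit in this same edit.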
Line 42: Line 45:
  
 ===== Need to be tested ===== ===== Need to be tested =====
-  * After enabling LDAP auth and after the post-upgrade / reboot, the directory **/etc/e-smith/ldap/init** should be emtpy (which means all the scripts have been loaded successfully+  * After enabling LDAP auth and after the post-upgrade / reboot, the directory **/etc/e-smith/ldap/init** should be emtpy (which means all the scripts have been loaded successfully)
   * Every users should be available, and functional (same password, mail access, samba access etc...)   * Every users should be available, and functional (same password, mail access, samba access etc...)
   * Every group should also be available, and group membership should be the same   * Every group should also be available, and group membership should be the same
   * Workstation logon (NT domain) should work for existing machines   * Workstation logon (NT domain) should work for existing machines
   * Adding new workstation in the domain should work   * Adding new workstation in the domain should work
-  * users, groups and machine accounts should not be present in /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow. They should only be available in LDAP+  * users, groups and machine accounts should not be present in /etc/passwd, /etc/group, /etc/shadow/etc/gshadow and /etc/samba/smbpasswd. They should only be available in LDAP
   * Creating/changing/removing users, groups and ibays from the server-manager should work without any error message (you can check /var/log/messages)   * Creating/changing/removing users, groups and ibays from the server-manager should work without any error message (you can check /var/log/messages)
-  * backup / restore. We need to be sure the ldap dump is restored cleanly (I've not tested this yet) +  * backup / restore. We need to be sure the ldap dump is restored cleanly 
-  * Initial account creation should also be tested. For this, a ISO including the modified rpms should be created+  * Initial account creation should also be tested. For this, a ISO with LDAP authentication enabled should be created
   * pptp VPN should work as expected (using LDAP as backend instead of smbpasswd)   * pptp VPN should work as expected (using LDAP as backend instead of smbpasswd)
  
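Review bot: the rewritten bullet on the local account files runs two paths together, "/etc/shadow/etc/gshadow" should read "/etc/shadow, /etc/gshadow" so the list of files to check is unambiguous; also "emtpy" in the first bullet survives into the new revision and should be "empty".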
Line 57: Line 60:
 Some issue remains, here's a list of what I have in mind: Some issue remains, here's a list of what I have in mind:
   * If ldap auth is disabled, passwords for machine accounts maybe out of sync in LDAP (and probably password of users if changed via their windows box in the domain)   * If ldap auth is disabled, passwords for machine accounts maybe out of sync in LDAP (and probably password of users if changed via their windows box in the domain)
 +  * nss_ldap needs to bind as a valid LDAP user (http://bugs.contribs.org/show_bug.cgi?id=6445, patch proposed)
 +  * It's not possible to change LDAP passwords using the passwd command (http://bugs.contribs.org/show_bug.cgi?id=6453, patch proposed)
  
  
 ===== Future enhancements ===== ===== Future enhancements =====
 With the changes proposed on this page, LDAP will be the primary users and groups database. Most services will use it, through pam/nss. But for some services, we can take advantage of native LDAP support With the changes proposed on this page, LDAP will be the primary users and groups database. Most services will use it, through pam/nss. But for some services, we can take advantage of native LDAP support
 +
 +  * Add smbk5pwd overlay support. This will ensure unix and samba passwords are in sync, no matter how the user update its password (http://bugs.contribs.org/show_bug.cgi?id=6451, patch proposed)
 +
 +  * Add ppolocy support. This overlay apply password policies on passwords updates
 +
   * pwauth used in httpd could be replaced with mod_authnz_ldap, which would bring group membership support, and doesn't require setuid binary   * pwauth used in httpd could be replaced with mod_authnz_ldap, which would bring group membership support, and doesn't require setuid binary
  
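Review bot: "ppolocy" in the new enhancement bullet is a typo for the OpenLDAP overlay name "ppolicy", and "This overlay apply" should be "This overlay applies"; suggest "Add ppolicy support. This overlay applies password policies on password updates". In the smbk5pwd bullet, "no matter how the user update its password" should read "no matter how the user updates their password".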
 • smedev/full_ldap_testing.1291233205.txt.gz
 • Last modified: 01/12/2010 20:53
 • by dani