Differences
Below are the differences between two revisions of the page.
smedev:full_ldap_testing [01/12/2010 20:53] dani [Patches]
smedev:full_ldap_testing [16/12/2012 21:10] (current version) dani [Need to be tested]
Ligne 17: | Ligne 17: | ||
Once your server is rebooted, you should see all your users, groups and machine accounts in LDAP (you can use an LDAP browser, or the command slapcat) | Once your server is rebooted, you should see all your users, groups and machine accounts in LDAP (you can use an LDAP browser, or the command slapcat) | ||
+ | |||
* Now, you can enabled LDAP auth. It's now as simple as running: | * Now, you can enabled LDAP auth. It's now as simple as running: | ||
+ | <note important> | ||
<code bash> | <code bash> | ||
/ | / | ||
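Review bot: the `<note important>` opened just before the `<code bash>` block in this hunk has no visible closing `</note>`; DokuWiki treats an unclosed note as extending to the end of the page, so confirm the note is closed right after the command block in the following hunk. The unchanged line "Now, you can enabled LDAP auth" should also read "you can enable LDAP auth".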
Ligne 25: | Ligne 27: | ||
signal-event reboot | signal-event reboot | ||
</ | </ | ||
+ | |||
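Review bot: the closing tag after `signal-event reboot` is truncated to `</` in this view, so the hunk does not show whether it closes the `<code>` block, the `<note important>` opened in the previous hunk, or both; only one added blank line follows it. Check the full page source to make sure both the code block and the note are closed, otherwise the "Need to be tested" section below renders inside the note.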
Ligne 42: | Ligne 45: | ||
===== Need to be tested ===== | ===== Need to be tested ===== | ||
- | * After enabling LDAP auth and after the post-upgrade / reboot, the directory **/ | + | * After enabling LDAP auth and after the post-upgrade / reboot, the directory **/ |
* Every users should be available, and functional (same password, mail access, samba access etc...) | * Every users should be available, and functional (same password, mail access, samba access etc...) | ||
* Every group should also be available, and group membership should be the same | * Every group should also be available, and group membership should be the same | ||
* Workstation logon (NT domain) should work for existing machines | * Workstation logon (NT domain) should work for existing machines | ||
* Adding new workstation in the domain should work | * Adding new workstation in the domain should work | ||
- | * users, groups and machine accounts should not be present in / | + | * users, groups and machine accounts should not be present in / |
* Creating/ | * Creating/ | ||
- | * backup / restore. We need to be sure the ldap dump is restored cleanly | + | * backup / restore. We need to be sure the ldap dump is restored cleanly |
- | * Initial account creation should also be tested. For this, a ISO including the modified rpms should be created. | + | * Initial account creation should also be tested. For this, a ISO with LDAP authentication enabled |
* pptp VPN should work as expected (using LDAP as backend instead of smbpasswd) | * pptp VPN should work as expected (using LDAP as backend instead of smbpasswd) | ||
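Review bot: in the rewritten "Initial account creation" item, "a ISO" should read "an ISO", and "Every users should be available" in the unchanged lines should be "Every user should be available". The two rewritten items whose paths are cut off at `/` (the directory checked after the post-upgrade reboot, and the location where users, groups and machine accounts should no longer be present) are the negative tests of this migration; spell out the exact files to inspect so a tester can verify that the legacy password and group files really are empty of accounts rather than assuming it. It would also help to add one explicit test that a password change through each path (passwd, Samba/Windows workstation, web interface) ends up consistent in LDAP, since the "Some issue remains" list below already records that they may drift.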
Ligne 57: | Ligne 60: | ||
Some issue remains, here's a list of what I have in mind: | Some issue remains, here's a list of what I have in mind: | ||
* If ldap auth is disabled, passwords for machine accounts maybe out of sync in LDAP (and probably password of users if changed via their windows box in the domain) | * If ldap auth is disabled, passwords for machine accounts maybe out of sync in LDAP (and probably password of users if changed via their windows box in the domain) | ||
+ | * nss_ldap needs to bind as a valid LDAP user (http:// | ||
+ | * It's not possible to change LDAP passwords using the passwd command (http:// | ||
===== Future enhancements ===== | ===== Future enhancements ===== | ||
With the changes proposed on this page, LDAP will be the primary users and groups database. Most services will use it, through pam/nss. But for some services, we can take advantage of native LDAP support | With the changes proposed on this page, LDAP will be the primary users and groups database. Most services will use it, through pam/nss. But for some services, we can take advantage of native LDAP support | ||
+ | |||
+ | * Add smbk5pwd overlay support. This will ensure unix and samba passwords are in sync, no matter how the user update its password (http:// | ||
+ | |||
+ | * Add ppolocy support. This overlay apply password policies on passwords updates | ||
+ | |||
* pwauth used in httpd could be replaced with mod_authnz_ldap, | * pwauth used in httpd could be replaced with mod_authnz_ldap, | ||
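Review bot: "ppolocy" in the new enhancement item is a typo for "ppolicy", and "This overlay apply password policies on passwords updates" should read "This overlay applies password policies on password updates"; in the smbk5pwd item, "no matter how the user update its password" should be "no matter how the user updates their password". The new issue "nss_ldap needs to bind as a valid LDAP user" deserves one more sentence on which account that bind uses and what it may read, because nss has to keep that credential on the server and it should be limited to read-only lookups. The smbk5pwd enhancement also directly addresses the out-of-sync machine and user passwords listed under "Some issue remains", so a cross-reference between the two sections would make the dependency clear.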