
This is an old revision of the document!


How to test full LDAP authentication support on SME Server 8

Many thanks to Shad Lords and everyone else who helped with bug verification: most of the patches needed to get LDAP authentication working are now available in SME8.

Nearly everything is ready for LDAP authentication; the functionality is just disabled. This will make testing a lot easier, as we don't need to maintain separate versions anymore. Here's what you need to do to enable LDAP authentication on SME8b6.

WARNING: !!!!! <fc #FF0000>You should not enable this on a production server</fc>. Full LDAP authentication is still a work in progress !!!! Enabling LDAP auth will remove all your user, group and machine accounts from the standard accounts database (/etc/passwd, /etc/group, /etc/shadow, /etc/gshadow).

  • Update your server to the latest packages available in smeupdates-testing
yum --enablerepo=smeupdates-testing update
signal-event post-upgrade
signal-event reboot

Once your server has rebooted, you should see all your users, groups and machine accounts in LDAP (you can use an LDAP browser, or the slapcat command).

  • Now you can enable LDAP auth. It's as simple as running:
/etc/e-smith/events/actions/ldap-update ldap-update
db configuration setprop ldap Authentication enabled
signal-event post-upgrade
signal-event reboot

Here are some patches we wrote. They are available here for review by core developers.

This patch is a rewrite (by Shad Lords) of the convert_ldif script. This new version is able to create the whole database, convert it on domain name change, or generate a "diff" ldif file to update existing entries. The script reads the old ldif from stdin and writes the new one to stdout. If the --diff flag is passed, the output represents the changes needed to convert the data passed on stdin to the current schema SME wants.

This patch removes the occurrence of expand-template /home/e-smith/ldap/ldif. This is not needed anymore, as the convert_ldif script can create the database itself.

This patch simply removes the ldif templates, as they are not used anymore.

This patch replaces the complex ldap-update script with a simple call to convert_ldif, like this:

perl /var/service/ldap/convert_ldif --update

The ldap.init service is now restarted during the ldap-update event.

The main goal of these patches is to remove code duplication (mainly in ldap-update script and templates).

If you use your LDAP database to authenticate third party applications (GLPI, eGroupware, SOGo, Linux workstations etc…), you'll want to see only your SME users and groups, not all the system and dummy accounts. Here are the filters you can use:

  • for users:
    • base: ou=Users,dc=domain,dc=tld
    • filter: (objectClass=inetOrgPerson)
  • for groups:
    • base: ou=Groups,dc=domain,dc=tld
    • filter: (objectClass=mailboxRelatedObject)

You can install phpldapadmin (available here: http://sme-mirror.firewall-services.com/releases/7/smecontribs/i386/RPMS/smeserver-phpldapadmin-0.9.8.3-1.el4.sme.noarch.rpm) to see the content of the LDAP directory from a web browser. Other LDAP browsers, such as GQ or Luma, are available on Linux.

  • After enabling LDAP auth and after the post-upgrade / reboot, the directory /etc/e-smith/ldap/init should be empty (which means all the scripts have been loaded successfully)
  • Every user should be available and functional (same password, mail access, samba access etc…)
  • Every group should also be available, and group membership should be the same
  • Workstation logon (NT domain) should work for existing machines
  • Adding a new workstation to the domain should work
  • Users, groups and machine accounts should not be present in /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow. They should only be available in LDAP
  • Creating/changing/removing users, groups and ibays from the server-manager should work without any error message (you can check /var/log/messages)
  • Backup / restore: we need to be sure the ldap dump is restored cleanly (I've not tested this yet)
  • Initial account creation should also be tested. For this, an ISO including the modified rpms should be created.
  • pptp VPN should work as expected (using LDAP as backend instead of smbpasswd)
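The two filters given above (inetOrgPerson under ou=Users, mailboxRelatedObject under ou=Groups) and the checklist item that accounts must exist only in LDAP can both be verified from a slapcat dump. The script below is an added example, not part of this page or of SME Server: it parses a constructed slapcat-style LDIF dump, applies the page's filters to keep only SME users and groups, and then cross-checks those names against a constructed /etc/passwd-style file so that any account still present locally is reported. The domain dc=domain,dc=tld, the account names and the sample passwd lines are placeholders; on a real server you would feed it the output of slapcat and the contents of /etc/passwd and /etc/group.

```python
import base64

# Constructed slapcat-style dump: two SME users, one SME group, plus a system
# account and a system group that the page's filters are meant to hide.
SAMPLE_LDIF = """\
dn: dc=domain,dc=tld
objectClass: dcObject
objectClass: organization
dc: domain

dn: ou=Users,dc=domain,dc=tld
objectClass: organizationalUnit
ou: Users

dn: uid=alice,ou=Users,dc=domain,dc=tld
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
uidNumber: 5000

dn: uid=bob,ou=Users,dc=domain,dc=tld
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob
uidNumber: 5001

dn: uid=nobody,ou=Users,dc=domain,dc=tld
objectClass: posixAccount
uid: nobody
uidNumber: 99

dn: ou=Groups,dc=domain,dc=tld
objectClass: organizationalUnit
ou: Groups

dn: cn=staff,ou=Groups,dc=domain,dc=tld
objectClass: posixGroup
objectClass: mailboxRelatedObject
cn: staff
gidNumber: 5000
memberUid: alice
memberUid: bob

dn: cn=wheel,ou=Groups,dc=domain,dc=tld
objectClass: posixGroup
cn: wheel
gidNumber: 10
"""

# Constructed /etc/passwd content: "alice" is deliberately still present so the
# check below reports a failure (after enabling LDAP auth she must not be here).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:5000:5000:Alice:/home/e-smith/files/users/alice:/bin/false
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts.
    Folded continuation lines (leading space) are joined, base64 values
    ('attr:: ...') are decoded, comments and version lines are skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current = current if current is not None else {}
        current.setdefault(attr, []).append(value)
    return entries


def sme_entries(entries, base, object_class):
    """Entries located under `base` whose objectClass contains `object_class`:
    this is exactly what the two filters on this page select."""
    suffix = "," + base.lower()
    return [e for e in entries
            if e["dn"][0].lower().endswith(suffix)
            and object_class.lower() in (v.lower() for v in e.get("objectClass", []))]


def leaked_local_accounts(names, passwd_text):
    """Names that still appear as the first field of a passwd/group-style file."""
    local = {line.split(":", 1)[0] for line in passwd_text.splitlines()
             if line and not line.startswith("#")}
    return sorted(n for n in names if n in local)


def run_checks(ldif_text=SAMPLE_LDIF, passwd_text=SAMPLE_PASSWD):
    entries = parse_ldif(ldif_text)
    users = sme_entries(entries, "ou=Users,dc=domain,dc=tld", "inetOrgPerson")
    groups = sme_entries(entries, "ou=Groups,dc=domain,dc=tld", "mailboxRelatedObject")
    user_names = [e["uid"][0] for e in users]
    group_names = [e["cn"][0] for e in groups]
    return {"users": user_names, "groups": group_names,
            "still_local": leaked_local_accounts(user_names, passwd_text)}


if __name__ == "__main__":
    result = run_checks()
    print("SME users in LDAP:  ", result["users"])
    print("SME groups in LDAP: ", result["groups"])
    print("still in local passwd (should be empty):", result["still_local"])
```

With the constructed data the filters return alice and bob but not nobody, and staff but not wheel; the final check flags alice because she was left in the sample passwd file. On a real server an empty `still_local` list for both /etc/passwd and /etc/group is what the checklist above asks for.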

Some issues remain; here's a list of what I have in mind:

  • templates for /home/e-smith/db/ldap/ldif should be removed

With the changes proposed on this page, LDAP will be the primary users and groups database. Most services will use it through pam/nss, but for some services we can take advantage of native LDAP support:

  • pwauth used in httpd could be replaced with mod_authnz_ldap, which would bring group membership support and doesn't require a setuid binary
  • Provide a memberOf equivalent. The memberOf attribute (available for example on AD) allows querying the list of groups a user is a member of with a simple ldap filter. For example, a filter like (&(objectClass=inetOrgPerson)(memberOf=cn=group1,ou=Groups,dc=domain,dc=tld)) would only return users who are members of the group named group1. This can be extremely useful for applications which don't support posix group membership (and only support simple LDAP filters)
  • Support a slave setup, where a SME server syncs its accounts from a main SME server
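To make the memberOf point concrete, here is an added example (not SME Server code and not an implementation of any of the patches above) that evaluates the kind of filter quoted in the list against a handful of constructed entries. It derives a memberOf-style attribute on each user from the posixGroup memberUid values the directory already holds, and includes a small evaluator for the (attr=value), (&...), (|...) and (!...) filter forms so the page's memberOf filter can be compared with the two-step posixGroup lookup an application without memberOf support has to do. The entries, group names and dc=domain,dc=tld are placeholders; a real memberOf equivalent would have to be maintained by the server (an overlay or the account scripts), which this in-memory demonstration does not attempt.

```python
# Constructed entries as {attribute: [values]} dicts, mirroring what a slapcat
# dump of an SME directory holds: users carry no group information, groups
# list their members in memberUid.
ENTRIES = [
    {"dn": ["uid=alice,ou=Users,dc=domain,dc=tld"],
     "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"]},
    {"dn": ["uid=bob,ou=Users,dc=domain,dc=tld"],
     "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["bob"]},
    {"dn": ["cn=group1,ou=Groups,dc=domain,dc=tld"],
     "objectClass": ["posixGroup", "mailboxRelatedObject"], "cn": ["group1"],
     "memberUid": ["alice"]},
    {"dn": ["cn=group2,ou=Groups,dc=domain,dc=tld"],
     "objectClass": ["posixGroup", "mailboxRelatedObject"], "cn": ["group2"],
     "memberUid": ["alice", "bob"]},
]


def attr_values(entry, attr):
    """Case-insensitive attribute lookup (LDAP attribute names are case-insensitive)."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values
    return []


def derive_member_of(entries):
    """Return copies of the entries where each posixAccount gains a memberOf
    attribute listing the DN of every posixGroup whose memberUid names it.
    This is the 'memberOf equivalent' computed from data SME already stores."""
    out = [dict(e) for e in entries]
    by_uid = {attr_values(e, "uid")[0]: e for e in out
              if attr_values(e, "uid") and "posixAccount" in attr_values(e, "objectClass")}
    for group in out:
        if "posixGroup" not in attr_values(group, "objectClass"):
            continue
        for uid in attr_values(group, "memberUid"):
            if uid in by_uid:
                by_uid[uid].setdefault("memberOf", []).append(group["dn"][0])
    return out


def parse_filter(text):
    """Parse a subset of RFC 4515 search filters: (attr=value) and the
    &, | and ! combinators. Values may contain '=' and ',' (as DNs do) but
    not parentheses, which is enough for the filters discussed on this page."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at %d" % i)
        i += 1
        op = text[i]
        if op in "&|!":
            i += 1
            children = []
            while text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if text[i] != ")":
                raise ValueError("expected ')' at %d" % i)
            return (op, children), i + 1
        end = text.index(")", i)
        attr, _, value = text[i:end].partition("=")
        return ("=", attr.strip(), value.strip()), end + 1
    node, pos = parse(0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(entry, node):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    kind = node[0]
    if kind == "=":
        _, attr, value = node
        return value.lower() in (v.lower() for v in attr_values(entry, attr))
    children = node[1]
    if kind == "&":
        return all(matches(entry, c) for c in children)
    if kind == "|":
        return any(matches(entry, c) for c in children)
    return not matches(entry, children[0])          # "!"


def search(entries, filter_text):
    """DNs of entries matching the filter, in directory order."""
    node = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(e, node)]


if __name__ == "__main__":
    directory = derive_member_of(ENTRIES)
    # One-step query, as an application expecting memberOf would issue it:
    print(search(directory,
                 "(&(objectClass=inetOrgPerson)(memberOf=cn=group1,ou=Groups,dc=domain,dc=tld))"))
    # The posix-only alternative: first find the groups naming the user, then
    # resolve each group; applications limited to a single filter cannot do this.
    print(search(directory, "(&(objectClass=posixGroup)(memberUid=alice))"))
```

Running it shows that the memberOf filter from the list returns only alice, while the same membership question asked through posixGroup entries returns group DNs that the application would then have to resolve itself, which is the gap a memberOf equivalent would close.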
  • smedev/full_ldap_testing.1291220805.txt.gz
  • Last modified: 01/12/2010 17:26
  • by dani