Make everything dynamic with LDAP
This page just lists a few thing I have in mind to make SME Server better. LDAP authentication is nearly ready (there's still a few little things to fix, but I'm running with LDAP auth enabled on my own personal server for 3 years now without issue). What I'd like now is make more use of LDAP.
The goal
The goal is to have more things in LDAP, ultimately, adding users and groups shouldn't require anything but adding the user or the group in LDAP. No templates to expand, no service to restart. This means for example, all the mail stuff (qpsmtpd, qmail) should read LDAP to get the required info, no more flat files, no more static configuration.
In which way this can be useful
A first bonus we would have with this is adding, removing, modifying groups and users really faster, but that would just be a side effect. The real benefit is that SME could then use another LDAP directory. You can manage all your users and groups elsewhere, in any LDAP server you want, and then connect your SME box (or several SME servers). Your master LDAP server could of course be another SME, but should not be required, as long as you use a compatible LDAP schema.
What needs to be done to get there
Switch to LDAP auth
The first step (of course) is to enable LDAP as the main source of authentication on SME. Most of the work is already done, we just need some testers, bugs reports etc…
Here's a list of bugs which need to be fixed:
- Configure a valid binddn and bindpw for nss_ldap (http://bugs.contribs.org/show_bug.cgi?id=6445)
Modify a few things in LDAP
Here's a list of a few things which can be enhanced in LDAP
Replace cpu
LDAP users and groups are managed with cpu. While this tool is working, it has some drawbacks:
- this tool isn't maintained anymore (last version was released in 2004)
- it only supports rfc2307 (see next chapter: switch to rfc2307bis)
- it won't let you add local users to LDAP groups (see http://bugs.contribs.org/show_bug.cgi?id=6458)
- it's written in C, so a bit hard to enhance
I think it'd be better to switch to a perl based tool, like Samba::LDAP
Switch to rfc2307bis ?
The main difference between rfc2307 (currently used) and rfc2307bis is the way groups are handled. The biggest advantage of rfc2307bis is the possibility to enabled the memberOf overlay. The memberOf overlay (see http://www.openldap.org/doc/admin24/overlays.html) can maintain reverse membership attribute. With posixGroup (rfc2307), you can only query the members of a group, but not the list of groups a user is member of. With rfc2307bis and the memberOf overlay, it's possible. This makes it very easy to restrict access to some application to a list of groups. For example:
(&(objectClass=inetOrgPerson)(memberOf=cn=admins,ou=Groups,dc=domain,dc=tld))
This filter would only match members of the admins group.
The problem here is that switching to rfc2307bis requires a modification of the structural objectClass of group objects (from posixGroup to groupOfNames), and this is not possible online, we have to dump the database to an LDIF file, make the modifications and re-import it back. Another advantage of rfc2307bis is that it can be compatible with rfc2307: groups can have members defined as member (full DN of the user) and memberUid (just the uid of the user), so we don't really need to care about breaking anything as long as we maintain both attribute.
Add smbk5pwd
smbk5pwd is a overlay which makes sure Unix and samba passwords stay in sync (as long as you use LDAP exop to change the password). This would ensure password are in sync even if you change it from the command line using the passwd command, or with any other software which allow password modification through LDAP (SOGo, LemonLDAP::NG etc…)
See this bug: http://bugs.contribs.org/show_bug.cgi?id=6451
Add pseudonyms as mail/mailAlternateAddress attributes
Pseudonyms and all the variants with the different virtual domains should be added in LDAP
- All the virtual domains / pseudonyms combinations should be added in LDAP either as mail or mailAlternateAddress
- A new prop should be available to select the first/preferred mail from the available pseudonyms
- Maybe we should add a prop to create domains only for apache, and not handle mails.
Automatically create the home dir on first connection
If we want everything to be dynamic, the home directory of users should be created on the fly on the first connection. This can be achieve with:
- pam_mkhomedir: the pam module will create the home directory the first time the user logs in
- root preexec: if the user tries to access his personal folder through samba, we can also create it on the fly using a root preexec script defined in smb.conf
Switch to qmail-ldap (or another LDAP aware MTA, like postfix)
qmail-ldap (see http://www.lifewithqmail.org/ldap/) is a patch for qmail 1.03 to get all user information from LDAP.
- Add required schema to LDAP
- Add required objectClass/attributes to users and groups
- switch to qmail-ldap (or postfix) using an LDAP backend.
Modify qpsmtpd to use LDAP
- Replace goodrcptto with an LDAP equivalent (rcpt_ldap)
Modify esmith::AccountsDB to read LDAP
- Read operations should first try to read LDAP directly
- Write/read fallback to standard flat file DB
Configure OpenLDAP as a proxy
Disable user/group managements
- Make it possible to disable user and group management. When a SME Server is using a remote LDAP server, we should prevent user/groups management