Hi folks,

(I just figured I wasn't subscribed to -sysadmin).

        An update on status of the auth mechanism for the new
infrastructure:

        Generally, all users should be in LDAP, with their password
stored in Kerberos. However, there must be a way for administrators
and/or special cases to log in using simpler and more direct methods.
So the procedure is this:

 - Users found in LDAP must have their password in Kerberos. This is
done by adding a user through LDAP interface, then adding a principal in
Kerberos using kadmin.local -> addprinc. They change their password using
'kpasswd'. Running the traditional 'passwd' will produce an error.

 - Users in local password files (only administrators should have those)
may authenticate either with Kerberos (if the principal has been created
for them) or the password stored in /etc/shadow. If Kerberos principal
is defined, it takes precedence. After three password attempts, another
three will open, allowing you to enter the password from the shadow file.
If there is no Kerberos principal for the account, then the password you
type in is immediately compared against the shadow file.
   Kerberos password (if the principal has been created) is changed using
'kpasswd'. Shadow password is changed using the traditional 'passwd'.
Please use the NAME_admin pattern for passwd+kerberos accounts, and
NAME_local for pure file-based accounts.
   Local accounts are added using the usual 'adduser'.


For those interested in how all this works on PAM level,
see /etc/pam.d/common-* .


What's left to do till the Wednesday deadline is:

 - Print friendly error message when regular users try to run passwd
 - Start adding test users to LDAP
 - Enable LDAP verification of which hosts users are allowed to connect to
 - Wiki page describing what files get checked, what files 
   are the right place to add what kind of access controls, how to
   connect to LDAP
 - Script for adding users in ldap+kerberos that does everything
   automatically
 - PAM's mkhomedir module for automatic homedir creation

To-do at some later time (when I move to mire/abu):

 - Enable tls connections between Abulafia, Mire and Deleuze for 
   sensitive channels like kerberos and ldap queries.


Have a nice day,
-doc
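To illustrate the stacking described in the message above (an added example, not the actual /etc/pam.d files on the new infrastructure): a Debian-style common-auth and common-password where pam_krb5 is tried first and pam_unix is the fallback to /etc/shadow. The module names and options are assumed from the libpam-krb5 and pam_unix documentation, and the minimum_uid value is a placeholder.

```pam
# /etc/pam.d/common-auth (illustrative, assumed layout)
#
# 1. pam_krb5 is tried first. "sufficient" means a correct Kerberos
#    password ends the stack with success, so the principal takes
#    precedence whenever one exists.
# 2. If there is no principal, or the Kerberos check fails, control
#    falls through to pam_unix, which compares against /etc/shadow.
#    Only accounts with a local entry (the NAME_local / NAME_admin
#    administrator accounts) can succeed here; plain LDAP users have
#    no shadow entry and are denied.
# minimum_uid keeps system accounts (root, daemons) out of Kerberos.
auth    sufficient  pam_krb5.so  minimum_uid=1000
auth    required    pam_unix.so  nullok_secure try_first_pass

# /etc/pam.d/common-password (illustrative, assumed layout)
#
# 'passwd' walks this stack: a Kerberos principal is updated via
# pam_krb5, otherwise pam_unix tries to change the /etc/shadow entry.
# A regular LDAP user has neither a changeable principal here (they
# are told to use 'kpasswd') nor a shadow entry, so 'passwd' fails
# for them, which is the error mentioned above.
password  sufficient  pam_krb5.so  minimum_uid=1000
password  required    pam_unix.so  obscure use_authtok try_first_pass sha512
```

The account-level host restriction (which hosts a user may log into) is still on the to-do list in the message and is not part of this fragment.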

_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
