Re: [Cooker] new userdrake
quote who=Pixel
Buchan Milne [EMAIL PROTECTED] writes:
Note that for the client side, some changes need to be made in drakx
for LDAP support to make it work better out-the-box:
-use objectclass posixaccount instead of objectclass account
(deprecated in openldap-2.1.x, many tools don't add it anyway) in
pam_filter in /etc/ldap.conf
This has been done already in nss_ldap package, but I wonder if it is
sensible to fix it in %post. Vince?
-put pam_pwdb before pam_ldap in /etc/pam.d/system-auth
Actually, pam_unix is used at present, which I have placed before
pam_ldap. Vince, in your article you mention problems with pam_unix, which
can be solved by using pam_pwdb instead. I however am now using the config
generated by my patched chkauth, with no problems (local and ldap password
changes work via pam_ldap only, su works for local and ldap users, ssh
works for local and ldap users), but I am using a local slave server
without ssl/tls. (Hmmm, at present even ldapsearch is segfaulting on a
stock+updates 9.1 trying with tls to a local or remote tls-capable server
will have to investigate).
Anyway, placing pam_unix before pam_ldap in the password lines means at
least local accounts can change their password.
-add ldap to the automount line of /etc/nsswitch.conf
This is done in the attached patch. It may also be useful to add ldap to
the netgroup line, since the latest version (204) of nss_ldap added
support for netgroups, but I have not added it at present, as I have not
used netgroups before. Maybe someone who has used NIS netgroups can test
the LDAP support and make a recommendation?
-If NIS or LDAP are used for auth, and NFS is installed, install
autofs also
I don't think this one can go in chkauth (or should I add it to the list
of required packages - does DrakX use this or not?). And what if people
use NIS/LDAP but not NFS?
These changes should go in chkauth, a quite ugly script that takes care
of configuring ldap. I'm not really excited having to modify it, if
someone want to try, the result will be faster :)
Proposed patches below, I did some cleanups in white-space in the pam
files, so there are two diff's here so you can see what had actual
changes.
Patch without white-space changes:
# diff -uw /usr/sbin/chkauth.orig /usr/sbin/chkauth
--- /usr/sbin/chkauth.orig 2002-08-07 19:46:47.0 +0200
+++ /usr/sbin/chkauth 2003-07-06 16:15:08.0 +0200
@@ -36,7 +36,7 @@
open (NSSWITCH, /etc/nsswitch.conf);
open (NEWNSSWITCH, /etc/nsswitch.conf.new);
while (NSSWITCH) {
- if (my ($cat, $options) = /^(\s*(?:passwd|shadow|group):\s*)(.*)/) {
+ if (my ($cat, $options) =
/^(\s*(?:passwd|shadow|group|automount):\s*)(.*)/) {
my @other =
grep { $_ ne $type $_ ne 'files' } # remove it and 'files'
split(' ', $options);
@@ -70,7 +70,7 @@
accountrequired /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so retry=3
-password sufficient /lib/security/pam_unix.so nullok use_authtok
md5 shadow use_first_pass
+password sufficient /lib/security/pam_unix.so nullok use_authtok
md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
@@ -85,8 +85,8 @@
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_env.so
-auth sufficient /lib/security/pam_ldap.so
-auth sufficient /lib/security/pam_unix.so likeauth nullok
try_first_pass
+auth sufficient /lib/security/pam_unix.so likeauth nullok
+auth sufficient /lib/security/pam_ldap.so try_first_pass
auth required /lib/security/pam_deny.so
accountsufficient /lib/security/pam_ldap.so
@@ -94,8 +94,8 @@
accountrequired /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so retry=3
-password sufficient /lib/security/pam_ldap.so
-password sufficient /lib/security/pam_unix.so nullok use_authtok
md5 shadow use_first_pass
+password sufficient /lib/security/pam_unix.so nullok use_authtok
md5 shadow
+password sufficient /lib/security/pam_ldap.so use_first_pass
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
Patch with white-space changes:
# diff -u /usr/sbin/chkauth.orig /usr/sbin/chkauth
--- /usr/sbin/chkauth.orig 2002-08-07 19:46:47.0 +0200
+++ /usr/sbin/chkauth 2003-07-06 16:15:08.0 +0200
@@ -36,7 +36,7 @@
open (NSSWITCH, /etc/nsswitch.conf);
open (NEWNSSWITCH, /etc/nsswitch.conf.new);
while (NSSWITCH) {
- if (my ($cat, $options) = /^(\s*(?:passwd|shadow|group):\s*)(.*)/) {
+ if (my ($cat, $options) =
/^(\s*(?:passwd|shadow|group|automount):\s*)(.*)/) {
my @other =
grep { $_ ne $type $_ ne 'files' } # remove it and 'files'
split(' ', $options);
@@
Re: [Cooker] new userdrake
Buchan Milne wrote: quote who=Pixel Buchan Milne [EMAIL PROTECTED] writes: -put pam_pwdb before pam_ldap in /etc/pam.d/system-auth Actually, pam_unix is used at present, which I have placed before pam_ldap. Vince, in your article you mention problems with pam_unix, which can be solved by using pam_pwdb instead. I however am now using the config generated by my patched chkauth, with no problems (local and ldap password changes work via pam_ldap only, su works for local and ldap users, ssh works for local and ldap users), but I am using a local slave server without ssl/tls. (Hmmm, at present even ldapsearch is segfaulting on a stock+updates 9.1 trying with tls to a local or remote tls-capable server will have to investigate). Anyway, placing pam_unix before pam_ldap in the password lines means at least local accounts can change their password. There is one more issue, and that is having a pam_mkhomedir entry for use with LDAP. I am not sure how often it would be as useful with ldap (since one can probably assume most LDAP uses would be in conjunction with NFS?) as it is with winbind (where we do use it by default). Maybe in future it should be an option in a GUI? Patch without white-space changes: Looks like mozilla and squirrelmail managed to mangle the patches, I will resend in private from a real mail client ;-). Regards, Buchan
Re: [Cooker] new userdrake
Buchan Milne [EMAIL PROTECTED] writes: Which is why I would want to be able to use libconf if possible. Will it be available to DrakX and drakxtools for 9.2? not a single chance :) (i'm taking a more than 3 weeks holidays, i'm currently trying to see what real life is... it means no important rewrite of drakxtools for 9.2)
Re: [Cooker] new userdrake
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Pixel wrote: Buchan Milne [EMAIL PROTECTED] writes: How much work would it be to split the gui bits from DrakX to allow standalone use? not much work, at leas the GUI part. For the backend part, one must check that it works after install (since it may rely on things being untouched) Which is why I would want to be able to use libconf if possible. Will it be available to DrakX and drakxtools for 9.2? Also, it can bring more possibilities (having both ldap and winbind, or one service by ldap, another by winbind etc). Regards, Buchan - -- |--Another happy Mandrake Club member--| Buchan MilneMechanical Engineer, Network Manager Cellphone * Work+27 82 472 2231 * +27 21 8828820x202 Stellenbosch Automotive Engineering http://www.cae.co.za GPG Key http://ranger.dnsalias.com/bgmilne.asc 1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+/HQ1rJK6UGDSBKcRApIjAJ0dxijWNc1Sd+kloFBhx81vG0sM6QCgtTx8 bBEi7htt7ux54vRQiekc7uU= =aQnN -END PGP SIGNATURE- ** Please click on http://www.cae.co.za/disclaimer.htm to read our e-mail disclaimer or send an e-mail to [EMAIL PROTECTED] for a copy. **
Re: [Cooker] new userdrake
Buchan Milne [EMAIL PROTECTED] writes: Also, we had mentioned trying to get auth config available after installation. How much work would it be to split the gui bits from DrakX to allow standalone use? not much work, at leas the GUI part. For the backend part, one must check that it works after install (since it may rely on things being untouched)
[Cooker] new userdrake
Buchan Milne [EMAIL PROTECTED] writes: FACORAT Fabrice wrote: Just a question : could userdrake allow to switch auth system ( files - NIS - LDAP ) easily after installation ? No, but openldap-migration should help you to do most of it. I had hoped to have time to work on a GUI for openldap, but I don't think I will. It's on my todo and i need your help for this as i don't know ldap enough.
Re: [Cooker] new userdrake
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Daouda LO wrote:
Buchan Milne [EMAIL PROTECTED] writes:
FACORAT Fabrice wrote:
Just a question : could userdrake allow to switch auth system ( files
- NIS - LDAP ) easily after installation ?
No, but openldap-migration should help you to do most of it. I had hoped
to have time to work on a GUI for openldap, but I don't think I will.
It's on my todo and i need your help for this as i don't know ldap
enough.
Attached is a script that could be seen as a simple prototype for
setting up a single LDAP server. Instead of (or in addition to)
prompting for min/max UIDs, a dual-user-list approach (as in say the kcm
module for samba in ksambaplugin contrib package) may be better.
The samba import mechanism may change for samba3, but I haven't imported
for samba3 yet since some aspects of LDAP support are still broken at
present.
For more info (a complete tool for this would need to support adding
LDAP slaves etc) see the updated articles on mandrakesecure.net:
http://www.mandrakesecure.net/en/docs/samba-ldap-advanced.php
http://www.mandrakesecure.net/en/docs/samba-pdc.php
http://www.mandrakesecure.net/en/docs/ldap-auth2.php
Note that for the client side, some changes need to be made in drakx for
LDAP support to make it work better out-the-box:
- -use objectclass posixaccount instead of objectclass account (deprecated
in openldap-2.1.x, many tools don't add it anyway) in pam_filter in
/etc/ldap.conf
- -put pam_pwdb before pam_ldap in /etc/pam.d/system-auth
- -add ldap to the automount line of /etc/nsswitch.conf
- -If NIS or LDAP are used for auth, and NFS is installed, install
autofs also
(last two changes mean that automount maps that are stored in ldap will
be used without any further configuration on the client machine, and
users will be able to login to NFS-mounted home directory and have all
other NFS shares mounted on access - extemely low maintenance solution
rivalling Active Directory-based folder redirection - just missing
per-OU support or similar).
(Pixel, do you rather want a bugzilla bug?)
I will be happy to test import to LDAP from system accounts if it can be
done on 9.1 (my cooker box has no local accounts, all are in LDAP already).
Regards,
Buchan
- --
|--Another happy Mandrake Club member--|
Buchan MilneMechanical Engineer, Network Manager
Cellphone * Work+27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE++uxVrJK6UGDSBKcRAtYnAKCTfLNSDr7jLm5oC8ZsJaIyfC9v5ACgvX1i
tbJNF8sXDjUUuas03XpNFoQ=
=CBJs
-END PGP SIGNATURE-
**
Please click on http://www.cae.co.za/disclaimer.htm to read our
e-mail disclaimer or send an e-mail to [EMAIL PROTECTED] for a copy.
**
#!/bin/bash
# need perl-ldap perl-Convert-ASN1 to import samba passwords
echo Before continuing, please check that your local LDAP server is running
PASSWD_MIN=${PASSWD_MIN=500}
PASSWD_MAX=${PASSWD_MAX=65000}
GROUP_MIN=${GROUP_MIN=500}
GROUP_MAX=${GROUP_MAX=65000}
LDAP_MIGRATION=/usr/share/openldap/migration
BASE_CONFIRMED=0
while [ $BASE_CONFIRMED -eq 0 ]
do
read -p Enter your LDAP BaseDN [$LDAP_BASEDN] : ANSWER
[ -n $ANSWER ] export LDAP_BASEDN=$ANSWER
read -p Enter your default mail domain [$LDAP_DEFAULT_MAIL_DOMAIN]: ANSWER
[ -n $ANSWER ] export LDAP_DEFAULT_MAIL_DOMAIN=$ANSWER
read -p Enter your default mail host [$LDAP_DEFAULT_MAIL_HOST]: ANSWER
[ -n $ANSWER ] export LDAP_DEFAULT_MAIL_HOST=$ANSWER
read -p Enter your LDAP Root DN: [$LDAP_ROOTDN]: ANSWER
[ -n $ANSWER ] export LDAP_ROOTDN=$ANSWER
read -p Did you enter the correct values? [(y)/n] : ANSWER
[ $ANSWER = n ] || BASE_CONFIRMED=1
done
export LDAP_EXTENDED_SCHEMA=1
#export LDAP_BASEDN=dc=home,dc=control,dc=co,dc=za
#export LDAP_DEFAULT_MAIL_DOMAIN=control.co.za
#export LDAP_DEFAULT_MAIL_HOST=mail.home.control.co.za
#export LDAP_ROOTDN=cn=root,dc=home,dc=control,dc=co,dc=za
read -s -p Enter LDAP Root DN Password: LDAP_BINDPW
LDAP_ADD=ldapadd -x -H ldap://localhost -D $LDAP_ROOTDN -w $LDAP_BINDPW -c
# These scripts need to be run from inside LDAP_MIGRATION to use the
# config file
pushd $LDAP_MIGRATION -
echo -e \n\nImporting base entries:\n
$LDAP_MIGRATION/migrate_base.pl | $LDAP_ADD
echo -e \nEntering user import section\n
PASSWD_CONFIRMED=0
while [ $PASSWD_CONFIRMED -eq 0 ];do
read -p Enter the lowest UID you would like to import [$PASSWD_MIN]: PASSWD_MIN1
read -p Enter the higehst UID you would like to import [$PASSWD_MAX]: PASSWD_MAX1
[ -n $PASSWD_MIN1 ] PASSWD_MIN=$PASSWD_MIN1
[ -n $PASSWD_MAX1 ]
