Re: [Cooker] new userdrake
quote who=Pixel Buchan Milne [EMAIL PROTECTED] writes: Note that for the client side, some changes need to be made in drakx for LDAP support to make it work better out-the-box: -use objectclass posixaccount instead of objectclass account (deprecated in openldap-2.1.x, many tools don't add it anyway) in pam_filter in /etc/ldap.conf This has been done already in nss_ldap package, but I wonder if it is sensible to fix it in %post. Vince? -put pam_pwdb before pam_ldap in /etc/pam.d/system-auth Actually, pam_unix is used at present, which I have placed before pam_ldap. Vince, in your article you mention problems with pam_unix, which can be solved by using pam_pwdb instead. I however am now using the config generated by my patched chkauth, with no problems (local and ldap password changes work via pam_ldap only, su works for local and ldap users, ssh works for local and ldap users), but I am using a local slave server without ssl/tls. (Hmmm, at present even ldapsearch is segfaulting on a stock+updates 9.1 trying with tls to a local or remote tls-capable server will have to investigate). Anyway, placing pam_unix before pam_ldap in the password lines means at least local accounts can change their password. -add ldap to the automount line of /etc/nsswitch.conf This is done in the attached patch. It may also be useful to add ldap to the netgroup line, since the latest version (204) of nss_ldap added support for netgroups, but I have not added it at present, as I have not used netgroups before. Maybe someone who has used NIS netgroups can test the LDAP support and make a recommendation? -If NIS or LDAP are used for auth, and NFS is installed, install autofs also I don't think this one can go in chkauth (or should I add it to the list of required packages - does DrakX use this or not?). And what if people use NIS/LDAP but not NFS? These changes should go in chkauth, a quite ugly script that takes care of configuring ldap. I'm not really excited having to modify it, if someone want to try, the result will be faster :) Proposed patches below, I did some cleanups in white-space in the pam files, so there are two diff's here so you can see what had actual changes. Patch without white-space changes: # diff -uw /usr/sbin/chkauth.orig /usr/sbin/chkauth --- /usr/sbin/chkauth.orig 2002-08-07 19:46:47.0 +0200 +++ /usr/sbin/chkauth 2003-07-06 16:15:08.0 +0200 @@ -36,7 +36,7 @@ open (NSSWITCH, /etc/nsswitch.conf); open (NEWNSSWITCH, /etc/nsswitch.conf.new); while (NSSWITCH) { - if (my ($cat, $options) = /^(\s*(?:passwd|shadow|group):\s*)(.*)/) { + if (my ($cat, $options) = /^(\s*(?:passwd|shadow|group|automount):\s*)(.*)/) { my @other = grep { $_ ne $type $_ ne 'files' } # remove it and 'files' split(' ', $options); @@ -70,7 +70,7 @@ accountrequired /lib/security/pam_deny.so password required /lib/security/pam_cracklib.so retry=3 -password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow use_first_pass +password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow password required /lib/security/pam_deny.so session required /lib/security/pam_limits.so @@ -85,8 +85,8 @@ auth required /lib/security/pam_nologin.so auth required /lib/security/pam_env.so -auth sufficient /lib/security/pam_ldap.so -auth sufficient /lib/security/pam_unix.so likeauth nullok try_first_pass +auth sufficient /lib/security/pam_unix.so likeauth nullok +auth sufficient /lib/security/pam_ldap.so try_first_pass auth required /lib/security/pam_deny.so accountsufficient /lib/security/pam_ldap.so @@ -94,8 +94,8 @@ accountrequired /lib/security/pam_deny.so password required /lib/security/pam_cracklib.so retry=3 -password sufficient /lib/security/pam_ldap.so -password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow use_first_pass +password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow +password sufficient /lib/security/pam_ldap.so use_first_pass password required /lib/security/pam_deny.so session required /lib/security/pam_limits.so Patch with white-space changes: # diff -u /usr/sbin/chkauth.orig /usr/sbin/chkauth --- /usr/sbin/chkauth.orig 2002-08-07 19:46:47.0 +0200 +++ /usr/sbin/chkauth 2003-07-06 16:15:08.0 +0200 @@ -36,7 +36,7 @@ open (NSSWITCH, /etc/nsswitch.conf); open (NEWNSSWITCH, /etc/nsswitch.conf.new); while (NSSWITCH) { - if (my ($cat, $options) = /^(\s*(?:passwd|shadow|group):\s*)(.*)/) { + if (my ($cat, $options) = /^(\s*(?:passwd|shadow|group|automount):\s*)(.*)/) { my @other = grep { $_ ne $type $_ ne 'files' } # remove it and 'files' split(' ', $options); @@
Re: [Cooker] new userdrake
Buchan Milne wrote: quote who=Pixel Buchan Milne [EMAIL PROTECTED] writes: -put pam_pwdb before pam_ldap in /etc/pam.d/system-auth Actually, pam_unix is used at present, which I have placed before pam_ldap. Vince, in your article you mention problems with pam_unix, which can be solved by using pam_pwdb instead. I however am now using the config generated by my patched chkauth, with no problems (local and ldap password changes work via pam_ldap only, su works for local and ldap users, ssh works for local and ldap users), but I am using a local slave server without ssl/tls. (Hmmm, at present even ldapsearch is segfaulting on a stock+updates 9.1 trying with tls to a local or remote tls-capable server will have to investigate). Anyway, placing pam_unix before pam_ldap in the password lines means at least local accounts can change their password. There is one more issue, and that is having a pam_mkhomedir entry for use with LDAP. I am not sure how often it would be as useful with ldap (since one can probably assume most LDAP uses would be in conjunction with NFS?) as it is with winbind (where we do use it by default). Maybe in future it should be an option in a GUI? Patch without white-space changes: Looks like mozilla and squirrelmail managed to mangle the patches, I will resend in private from a real mail client ;-). Regards, Buchan
Re: [Cooker] new userdrake
Buchan Milne [EMAIL PROTECTED] writes: Which is why I would want to be able to use libconf if possible. Will it be available to DrakX and drakxtools for 9.2? not a single chance :) (i'm taking a more than 3 weeks holidays, i'm currently trying to see what real life is... it means no important rewrite of drakxtools for 9.2)
Re: [Cooker] new userdrake
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Pixel wrote: Buchan Milne [EMAIL PROTECTED] writes: How much work would it be to split the gui bits from DrakX to allow standalone use? not much work, at leas the GUI part. For the backend part, one must check that it works after install (since it may rely on things being untouched) Which is why I would want to be able to use libconf if possible. Will it be available to DrakX and drakxtools for 9.2? Also, it can bring more possibilities (having both ldap and winbind, or one service by ldap, another by winbind etc). Regards, Buchan - -- |--Another happy Mandrake Club member--| Buchan MilneMechanical Engineer, Network Manager Cellphone * Work+27 82 472 2231 * +27 21 8828820x202 Stellenbosch Automotive Engineering http://www.cae.co.za GPG Key http://ranger.dnsalias.com/bgmilne.asc 1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+/HQ1rJK6UGDSBKcRApIjAJ0dxijWNc1Sd+kloFBhx81vG0sM6QCgtTx8 bBEi7htt7ux54vRQiekc7uU= =aQnN -END PGP SIGNATURE- ** Please click on http://www.cae.co.za/disclaimer.htm to read our e-mail disclaimer or send an e-mail to [EMAIL PROTECTED] for a copy. **
Re: [Cooker] new userdrake
Buchan Milne [EMAIL PROTECTED] writes: Also, we had mentioned trying to get auth config available after installation. How much work would it be to split the gui bits from DrakX to allow standalone use? not much work, at leas the GUI part. For the backend part, one must check that it works after install (since it may rely on things being untouched)
[Cooker] new userdrake
Buchan Milne [EMAIL PROTECTED] writes: FACORAT Fabrice wrote: Just a question : could userdrake allow to switch auth system ( files - NIS - LDAP ) easily after installation ? No, but openldap-migration should help you to do most of it. I had hoped to have time to work on a GUI for openldap, but I don't think I will. It's on my todo and i need your help for this as i don't know ldap enough.
Re: [Cooker] new userdrake
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Daouda LO wrote: Buchan Milne [EMAIL PROTECTED] writes: FACORAT Fabrice wrote: Just a question : could userdrake allow to switch auth system ( files - NIS - LDAP ) easily after installation ? No, but openldap-migration should help you to do most of it. I had hoped to have time to work on a GUI for openldap, but I don't think I will. It's on my todo and i need your help for this as i don't know ldap enough. Attached is a script that could be seen as a simple prototype for setting up a single LDAP server. Instead of (or in addition to) prompting for min/max UIDs, a dual-user-list approach (as in say the kcm module for samba in ksambaplugin contrib package) may be better. The samba import mechanism may change for samba3, but I haven't imported for samba3 yet since some aspects of LDAP support are still broken at present. For more info (a complete tool for this would need to support adding LDAP slaves etc) see the updated articles on mandrakesecure.net: http://www.mandrakesecure.net/en/docs/samba-ldap-advanced.php http://www.mandrakesecure.net/en/docs/samba-pdc.php http://www.mandrakesecure.net/en/docs/ldap-auth2.php Note that for the client side, some changes need to be made in drakx for LDAP support to make it work better out-the-box: - -use objectclass posixaccount instead of objectclass account (deprecated in openldap-2.1.x, many tools don't add it anyway) in pam_filter in /etc/ldap.conf - -put pam_pwdb before pam_ldap in /etc/pam.d/system-auth - -add ldap to the automount line of /etc/nsswitch.conf - -If NIS or LDAP are used for auth, and NFS is installed, install autofs also (last two changes mean that automount maps that are stored in ldap will be used without any further configuration on the client machine, and users will be able to login to NFS-mounted home directory and have all other NFS shares mounted on access - extemely low maintenance solution rivalling Active Directory-based folder redirection - just missing per-OU support or similar). (Pixel, do you rather want a bugzilla bug?) I will be happy to test import to LDAP from system accounts if it can be done on 9.1 (my cooker box has no local accounts, all are in LDAP already). Regards, Buchan - -- |--Another happy Mandrake Club member--| Buchan MilneMechanical Engineer, Network Manager Cellphone * Work+27 82 472 2231 * +27 21 8828820x202 Stellenbosch Automotive Engineering http://www.cae.co.za GPG Key http://ranger.dnsalias.com/bgmilne.asc 1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE++uxVrJK6UGDSBKcRAtYnAKCTfLNSDr7jLm5oC8ZsJaIyfC9v5ACgvX1i tbJNF8sXDjUUuas03XpNFoQ= =CBJs -END PGP SIGNATURE- ** Please click on http://www.cae.co.za/disclaimer.htm to read our e-mail disclaimer or send an e-mail to [EMAIL PROTECTED] for a copy. ** #!/bin/bash # need perl-ldap perl-Convert-ASN1 to import samba passwords echo Before continuing, please check that your local LDAP server is running PASSWD_MIN=${PASSWD_MIN=500} PASSWD_MAX=${PASSWD_MAX=65000} GROUP_MIN=${GROUP_MIN=500} GROUP_MAX=${GROUP_MAX=65000} LDAP_MIGRATION=/usr/share/openldap/migration BASE_CONFIRMED=0 while [ $BASE_CONFIRMED -eq 0 ] do read -p Enter your LDAP BaseDN [$LDAP_BASEDN] : ANSWER [ -n $ANSWER ] export LDAP_BASEDN=$ANSWER read -p Enter your default mail domain [$LDAP_DEFAULT_MAIL_DOMAIN]: ANSWER [ -n $ANSWER ] export LDAP_DEFAULT_MAIL_DOMAIN=$ANSWER read -p Enter your default mail host [$LDAP_DEFAULT_MAIL_HOST]: ANSWER [ -n $ANSWER ] export LDAP_DEFAULT_MAIL_HOST=$ANSWER read -p Enter your LDAP Root DN: [$LDAP_ROOTDN]: ANSWER [ -n $ANSWER ] export LDAP_ROOTDN=$ANSWER read -p Did you enter the correct values? [(y)/n] : ANSWER [ $ANSWER = n ] || BASE_CONFIRMED=1 done export LDAP_EXTENDED_SCHEMA=1 #export LDAP_BASEDN=dc=home,dc=control,dc=co,dc=za #export LDAP_DEFAULT_MAIL_DOMAIN=control.co.za #export LDAP_DEFAULT_MAIL_HOST=mail.home.control.co.za #export LDAP_ROOTDN=cn=root,dc=home,dc=control,dc=co,dc=za read -s -p Enter LDAP Root DN Password: LDAP_BINDPW LDAP_ADD=ldapadd -x -H ldap://localhost -D $LDAP_ROOTDN -w $LDAP_BINDPW -c # These scripts need to be run from inside LDAP_MIGRATION to use the # config file pushd $LDAP_MIGRATION - echo -e \n\nImporting base entries:\n $LDAP_MIGRATION/migrate_base.pl | $LDAP_ADD echo -e \nEntering user import section\n PASSWD_CONFIRMED=0 while [ $PASSWD_CONFIRMED -eq 0 ];do read -p Enter the lowest UID you would like to import [$PASSWD_MIN]: PASSWD_MIN1 read -p Enter the higehst UID you would like to import [$PASSWD_MAX]: PASSWD_MAX1 [ -n $PASSWD_MIN1 ] PASSWD_MIN=$PASSWD_MIN1 [ -n $PASSWD_MAX1 ]