Re: ldap/gosa postcreation and kerberos password synchronization
On 23. aug. 2010 21:00, Andreas B. Mundt wrote:
>> what if the gosa web server is not the homedirectory server, and maybe
>> even not the ldap-server? What about other users that create php-scripts
>> that also call the gosa sudo-tools for debian, changing passwords for
>> the teachers and admins on their own?
>
> There have been many changes and improvements since I wrote the mail
> cited above. Please provide comments/patches related to the current
> scripts in use:
>
> URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/share/debian-edu-config/tools/gosa-create
> URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/share/debian-edu-config/tools/gosa-remove
> URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/share/debian-edu-config/tools/gosa-sync

My comments were in fact on those scripts, and the version in
debian-edu-config 1.443~svn68602, from the install I made this weekend.

The users created with gosa in my test-install were created, but I was
not able to log in with their password. I had to run kadmin.local
manually to create them as principals, and set their passwords.

I'll focus now on a working user admin by patching debian-edu-config to
make lwat work with the changes in schemas and adding kerberos support
to lwat. Then I might look at what needs to be improved in gosa.

-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org with a
subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4c73586c.2000...@bzz.no
password synchronization
Hi Veli-Matti,

On Wed, May 05, 2010 at 04:41:41PM +0300, Veli-Matti Lintu wrote:
> On Mon, 2010-05-03 at 21:47 +0200, Andreas B. Mundt wrote:
>> The critical point in using kerberos is the synchronization i.e.
>> integration of all passwords: posix, samba and kerberos.
> [...]
> We've been figuring out for a while what to do with this syncing problem
> and we just finished smbkrb5pwd for MIT kerberos. Its implementation
> differs from smbk5pwd for Heimdal, but the idea is to sync all the
> passwords at once when the ldap password is changed. This is the first
> version and it still needs work, but if you are interested in testing it,
> here are instructions on how to use it:
>
> http://www.opinsys.fi/en/smbkrb5pwd-password-syncing-for-openldap-mit-kerberos-and-samba
>
> smbkrb5pwd does not alter the kerberos ldap entries directly, but
> connects to kadmind to do the work. This has pros and cons, but for us
> it seems to work nicely in test environments. The testing has been done
> on Ubuntu 10.04, but I cannot see why it wouldn't work in Debian also.

Many thanks for these links. I am currently investigating pros and cons
of the various methods used to achieve synchronized passwords.

Do you know of any activities to get this package into mainline
Ubuntu/Debian?

Regards,

Andi

Archive: http://lists.debian.org/20100512142204.ga7...@flashgordon
Re: password synchronization
On Wed, 2010-05-12 at 16:22 +0200, Andreas B. Mundt wrote:
> On Wed, May 05, 2010 at 04:41:41PM +0300, Veli-Matti Lintu wrote:
>> On Mon, 2010-05-03 at 21:47 +0200, Andreas B. Mundt wrote:
>>> The critical point in using kerberos is the synchronization i.e.
>>> integration of all passwords: posix, samba and kerberos.
>> [...]
>> We've been figuring out for a while what to do with this syncing
>> problem and we just finished smbkrb5pwd for MIT kerberos. Its
>> implementation
>
> Many thanks for these links. I am currently investigating pros and cons
> of the various methods used to achieve synchronized passwords.
>
> Do you know of any activities to get this package into mainline
> Ubuntu/Debian?

We haven't looked into getting it in mainline or in OpenLDAP yet as we
are still testing it. There have been some issues in multi-realm
kdc/kadmin setups, but those should be fixed now in the Launchpad
version. We should get out tools to set up ldap+kerberos and manage
users with the overlay really soon now. I hope to be able to think
about packaging after that.

Do you see any problems with the approach used in smbkrb5pwd?

Veli-Matti

Archive: http://lists.debian.org/1273674798.3388.18.ca...@punajuuri.liitu.vm.opinsys.fi
ldap/gosa postcreation and kerberos password synchronization
Hi all,

[first, congrats to the gosa-guys for their latest release ;-)]

I am currently thinking about how to handle the post-creation,
post-password-change and related stuff properly. So far, I use the
draft-script attached below which is run by the gosa postcreation hook
(www-data added to sudoers file) to handle all needs:

1.: A (posix) user is created in gosa: The script called as
      /usr/bin/sudo /usr/sbin/gosa-pp %uid
    creates homedir and corresponding principal with random password.
    This works fine.

2.: Now, the password for the new user is entered in gosa. I figured out
    that the passwordHook=/usr/bin/sudo /usr/sbin/gosa-pp is called with
    just the password as argument. Unfortunately there is no uid
    attached, so I do not know how to set the attached password for the
    user just(?) created. (Currently, the script tries to create a
    homedir for a user with uid=password, so this has to be fixed too.)

3.: Assume the user changes his password in gosa now. In this case
    gosa-pp is called as:
      gosa-pp uid oldpw newpw
    As you see below, with root's almighty power the new password is
    enforced, but there is no check if the old password is known by the
    executing party.

Issue 3 can probably be solved by executing the change as the principal
the password corresponds to. But what about issue 2? Are there any
better solutions, hints and tips around?

Thanks in advance,

Andi

Here's most of the gosa-pp script:

#!/bin/sh
[...]
NUMARGS=$#
PREFIX=/skole
HOSTNAME=$(hostname -s)
LDAPHOST=ldap
BASE="dc=skole,dc=skolelinux,dc=no"
USERID="$1"

case $NUMARGS in
  1)
    ## lookup user and create home directory and principal:
    ldapsearch -xLLL -h "$LDAPHOST" "(&(uid=$USERID)(objectClass=posixAccount))" \
        cn homeDirectory gidNumber 2>/dev/null | \
    while read KEY VALUE ; do
      case "$KEY" in
        dn:) USERNAME="" ; HOMEDIR="" ; GROUPID="" ; USERDN="dn=$VALUE" ;;
        cn:) USERNAME="$VALUE" ;;
        homeDirectory:) HOMEDIR="$VALUE" ;;
        gidNumber:) GROUPID="$VALUE" ;;
        *)
          ## blank line = end of the LDIF entry: act on what was collected
          test "$HOMEDIR" || continue
          ## only create home directories that belong on this server
          echo "$HOMEDIR" | grep -q "^$PREFIX/$HOSTNAME" || continue
          test -e "$HOMEDIR" && continue
          cp -r /etc/skel "$HOMEDIR"
          chown -R "$USERID:$GROUPID" "$HOMEDIR"
          kadmin.local -q "add_principal -randkey -x $USERDN $USERID"
          logger -p notice "Home directory '$HOMEDIR' and principal '$USERID' created."
          ## send a welcome-email:
          cat <<EOF | /usr/lib/sendmail "$USERID"
Subject: Welcome to the mail-system
[...]
EOF
          ;;
      esac
    done
    ;;
  3)
    USERDN=`ldapsearch -xLLL -h ldap "(&(uid=$USERID)(objectClass=posixAccount))" dn | sed 's/: /=/'`
    OLDPW="$2"
    NEWPW="$3"
    ## FIXME: make sure that $OLDPW is correct
    kadmin.local -q "change_password -pw $NEWPW $USERID" 1>/dev/null
    logger -p notice "Password for '$USERID' changed."
    ;;
  *)
    logger -p warning "Invalid number of arguments for $0."
    ;;
esac
exit 0

Archive: http://lists.debian.org/20100512172612.ga4...@flashgordon
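Added example, not from the mail above and not debian-edu-config code: a stricter form of the LDIF-reading loop in gosa-pp. ldapsearch -LLL folds values longer than 76 characters onto continuation lines (leading space), which the posted "while read KEY VALUE" loop would split in two, and the posted grep on "^$PREFIX/$HOSTNAME" also accepts /skole/tjener2/... on host tjener. The host name tjener and the LDIF input are constructed; nothing is created on disk, the function only reports what the hook should do per entry.

```shell
# Added example, not from the mail above or from debian-edu-config: a stricter
# form of the LDIF-reading loop in gosa-pp. ldapsearch -LLL folds values longer
# than 76 characters onto continuation lines (leading space), which the posted
# "while read KEY VALUE" loop splits in two, and the grep on "^$PREFIX/$HOSTNAME"
# also accepts /skole/tjener2/... on host tjener. HOSTNAME is an assumed value.
PREFIX=/skole
HOSTNAME=tjener   # gosa-pp uses $(hostname -s)

# Accept only an absolute path below $PREFIX/$HOSTNAME/ with no "." or ".."
# component, so a crafted homeDirectory cannot land outside the home tree.
homedir_ok() {
    case "$1" in "$PREFIX/$HOSTNAME"/*) ;; *) return 1 ;; esac
    case "/$1/" in */../*|*/./*) return 1 ;; esac
}

# Read LDIF on stdin; per entry print "CREATE uid homedir gid" or
# "REJECT uid homedir". The real hook would cp/chown/kadmin.local on CREATE.
entries_to_create() {
    # sed joins folded lines; the sentinel "dn:" line flushes the last entry.
    { sed -e :a -e '$!N;s/\n //;ta' -e 'P;D'; echo 'dn: end'; } |
    while IFS= read -r LINE; do
        VALUE=${LINE#*: }
        case "${LINE%%:*}" in
            dn) if [ -n "$HOMEDIR" ] && homedir_ok "$HOMEDIR"; then
                    echo "CREATE $USERID $HOMEDIR $GROUPID"
                elif [ -n "$HOMEDIR" ]; then
                    echo "REJECT $USERID $HOMEDIR"
                fi
                USERID=; HOMEDIR=; GROUPID= ;;
            uid)           USERID=$VALUE ;;
            homeDirectory) HOMEDIR=$VALUE ;;
            gidNumber)     GROUPID=$VALUE ;;
        esac
    done
}

# Constructed sample: alice has a folded homeDirectory, mallory a path that
# passes the prefix test but climbs out of /skole/tjener with "..".
SAMPLE_LDIF='dn: uid=alice,ou=People,dc=skole,dc=skolelinux,dc=no
uid: alice
homeDirectory: /skole/tjener/home0/
 alice
gidNumber: 1000
dn: uid=mallory,ou=People,dc=skole,dc=skolelinux,dc=no
uid: mallory
homeDirectory: /skole/tjener/home0/../../../etc
gidNumber: 1000'

printf '%s\n' "$SAMPLE_LDIF" | entries_to_create
```

Feeding the real ldapsearch output into entries_to_create instead of the sample gives the same CREATE/REJECT lines for the hook to act on.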