[homepage.git] / blog / tags / ldap / ldap.rss

<?xml version="1.0" encoding="utf-8"?>
<rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/'>
        <channel>
                <title>Petter Reinholdtsen - Entries tagged ldap</title>
                <description>Entries tagged ldap</description>
                <link>http://people.skolelinux.org/pere/blog/</link>

        
        <item>
                <title>Time for new  LDAP schemas replacing RFC 2307?</title>
                <link>http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html</guid>
                <pubDate>Sun, 29 Mar 2009 20:30:00 +0200</pubDate>
                <description>
&lt;p&gt;The state of standardized LDAP schemas on Linux is far from
optimal.  There is RFC 2307 documenting one way to store NIS maps in
LDAP, and a modified version of this normally called RFC 2307bis, with
some modifications to be compatible with Active Directory.  The RFC
specification handle the content of a lot of system databases, but do
not handle DNS zones and DHCP configuration.&lt;/p&gt;

&lt;p&gt;In &lt;a href=&quot;http://www.skolelinux.org/&quot;&gt;Debian Edu/Skolelinux&lt;/a&gt;,
we would like to store information about users, SMB clients/hosts,
filegroups, netgroups (users and hosts), DHCP and DNS configuration,
and LTSP configuration in LDAP.  These objects have a lot in common,
but with the current LDAP schemas it is not possible to have one
object per entity.  For example, one need to have at least three LDAP
objects for a given computer, one with the SMB related stuff, one with
DNS information and another with DHCP information.  The schemas
provided for DNS and DHCP are impossible to combine into one LDAP
object.  In addition, it is impossible to implement quick queries for
netgroup membership, because of the way NIS triples are implemented.
It just do not scale.  I believe it is time for a few RFC
specifications to cleam up this mess.&lt;/p&gt;

&lt;p&gt;I would like to have one LDAP object representing each computer in
the network, and this object can then keep the SMB (ie host key), DHCP
(mac address/name) and DNS (name/IP address) settings in one place.
It need to be efficently stored to make sure it scale well.&lt;/p&gt;

&lt;p&gt;I would also like to have a quick way to map from a user or
computer and to the net group this user or computer is a member.&lt;/p&gt;

&lt;p&gt;Active Directory have done a better job than unix heads like myself
in this regard, and the unix side need to catch up.  Time to start a
new IETF work group?&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Idea for a change to LDAP schemas allowing DNS and DHCP info to be combined into one object</title>
                <link>http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html</guid>
                <pubDate>Thu, 24 Jun 2010 00:35:00 +0200</pubDate>
                <description>
&lt;p&gt;A while back, I
&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html&quot;&gt;complained
about the fact&lt;/a&gt; that it is not possible with the provided schemas
for storing DNS and DHCP information in LDAP to combine the two sets
of information into one LDAP object representing a computer.&lt;/p&gt;

&lt;p&gt;In the mean time, I discovered that a simple fix would be to make
the dhcpHost object class auxiliary, to allow it to be combined with
the dNSDomain object class, and thus forming one object for one
computer when storing both DHCP and DNS information in LDAP.&lt;/p&gt;

&lt;p&gt;If I understand this correctly, it is not safe to do this change
without also changing the assigned number for the object class, and I
do not know enough about LDAP schema design to do that properly for
Debian Edu.&lt;/p&gt;

&lt;p&gt;Anyway, for future reference, this is how I believe we could change
the
&lt;a href=&quot;http://tools.ietf.org/html/draft-ietf-dhc-ldap-schema-00&quot;&gt;DHCP
schema&lt;/a&gt; to solve at least part of the problem with the LDAP schemas
available today from IETF.&lt;/p&gt;

&lt;pre&gt;
--- dhcp.schema    (revision 65192)
+++ dhcp.schema    (working copy)
@@ -376,7 +376,7 @@
 objectclass ( 2.16.840.1.113719.1.203.6.6
        NAME &#39;dhcpHost&#39;
        DESC &#39;This represents information about a particular client&#39;
-       SUP top
+       SUP top AUXILIARY
        MUST cn
        MAY  (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption)
        X-NDS_CONTAINMENT (&#39;dhcpService&#39; &#39;dhcpSubnet&#39; &#39;dhcpGroup&#39;) )
&lt;/pre&gt;

&lt;p&gt;I very much welcome clues on how to do this properly for Debian
Edu/Squeeze.  We provide the DHCP schema in our debian-edu-config
package, and should thus be free to rewrite it as we see fit.&lt;/p&gt;

&lt;p&gt;If you want to help out with implementing this for Debian Edu,
please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>LUMA, a very nice LDAP GUI</title>
                <link>http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html</guid>
                <pubDate>Mon, 28 Jun 2010 00:30:00 +0200</pubDate>
                <description>
&lt;p&gt;The last few days I have been looking into the status of the LDAP
directory in Debian Edu, and in the process I started to miss a GUI
tool to browse the LDAP tree.  The only one I was able to find in
Debian/Squeeze and Lenny is
&lt;a href=&quot;http://luma.sourceforge.net/&quot;&gt;LUMA&lt;/a&gt;, which has proved to
be a great tool to get a overview of the current LDAP directory
populated by default in Skolelinux.  Thanks to it, I have been able to
find empty and obsolete subtrees, misplaced objects and duplicate
objects.  It will be installed by default in Debian/Squeeze.  If you
are working with LDAP, give it a go. :)&lt;/p&gt;

&lt;p&gt;I did notice one problem with it I have not had time to report to
the BTS yet.  There is no .desktop file in the package, so the tool do
not show up in the Gnome and KDE menus, but only deep down in in the
Debian submenu in KDE.  I hope that can be fixed before Squeeze is
released.&lt;/p&gt;

&lt;p&gt;I have not yet been able to get it to modify the tree yet.  I would
like to move objects and remove subtrees directly in the GUI, but have
not found a way to do that with LUMA yet.  So in the mean time, I use
&lt;a href=&quot;http://www.lichteblau.com/ldapvi/&quot;&gt;ldapvi&lt;/a&gt; for that.&lt;/p&gt;

&lt;p&gt;If you have tips on other GUI tools for LDAP that might be useful
in Debian Edu, please contact us on debian-edu@lists.debian.org.&lt;/p&gt;

&lt;p&gt;Update 2010-06-29: Ross Reedstrom tipped us about the
&lt;a href=&quot;http://packages.qa.debian.org/g/gq.html&quot;&gt;gq&lt;/a&gt; package as a
useful GUI alternative.  It seem like a good tool, but is unmaintained
in Debian and got a RC bug keeping it out of Squeeze.  Unless that
changes, it will not be an option for Debian Edu based on Squeeze.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Caching password, user and group on a roaming Debian laptop</title>
                <link>http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html</link>        
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html</guid>
                <pubDate>Thu, 1 Jul 2010 11:40:00 +0200</pubDate>
                <description>
&lt;p&gt;For a laptop, centralized user directories and password checking is
a bit troubling.  Laptops are typically used also when not connected
to the network, and it is vital for a user to be able to log in or
unlock the screen saver also when a central server is unavailable.
This is possible by caching passwords and directory information (user
and group attributes) locally, and the packages to do so are available
in Debian.  Here follow two recipes to set this up in Debian/Squeeze.
It is also possible to set up in Debian/Lenny, but require more manual
setup there because pam-auth-update is missing in Lenny.&lt;/p&gt;

&lt;h2&gt;LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir&lt;/h2&gt;

This is the traditional method with a twist.  The password caching is
provided by libpam-ccreds (version 10-4 or later is needed on
Squeeze), and the directory caching is done by nscd.  The directory
lookup and password checking is done using LDAP.  If one want to use
Kerberos for password checking the libpam-ldapd package can be
replaced with libpam-krb5 or libpam-heimdal.  If one is happy having a
local home directory with the path listed in LDAP, one can use the
pam_mkhomedir module from pam-modules to make this happen instead of
using libpam-mklocaluser.  A setup for pam-auth-update to enable
pam_mkhomedir will have to be written until a fix for
&lt;a href=&quot;http://bugs.debian.org/568577&quot;&gt;bug #568577&lt;/a&gt; is in the
archive.  Because I believe it is a bad idea to have local home
directories using misleading paths like /site/server/partition/, I
prefer to create a local user with the home directory in /home/.  This
is done using the libpam-mklocaluser package.&lt;/p&gt;

&lt;p&gt;These packages need to be installed and configured&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;The ldapd packages will ask for LDAP connection information, and
one have to fill in the values that fits ones own site.  Make sure the
PAM part uses encrypted connections, to make sure the password is not
sent in clear text to the LDAP server.  I&#39;ve been unable to get TLS
certificate checking for a self signed certificate working, which make
LDAP authentication unsafe for Debian Edu (nslcd is not checking if it
is talking to the correct LDAP server), and very much welcome feedback
on how to get this working.&lt;/p&gt;

&lt;p&gt;Because nscd do not have a default configuration fit for offline
caching until &lt;a href=&quot;http://bugs.debian.org/485282&quot;&gt;bug #485282&lt;/a&gt;
is fixed, this configuration should be used instead of the one
currently in /etc/nscd.conf.  The changes are in the fields
reload-count and positive-time-to-live, and is based on the
instructions I found in the
&lt;a href=&quot;http://www.flyn.org/laptopldap/&quot;&gt;LDAP for Mobile Laptops&lt;/a&gt;
instructions by Flyn Computing.&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
        debug-level             0
        reload-count            unlimited
        paranoia                no

        enable-cache            passwd          yes
        positive-time-to-live   passwd          2592000
        negative-time-to-live   passwd          20
        suggested-size          passwd          211
        check-files             passwd          yes
        persistent              passwd          yes
        shared                  passwd          yes
        max-db-size             passwd          33554432
        auto-propagate          passwd          yes

        enable-cache            group           yes
        positive-time-to-live   group           2592000
        negative-time-to-live   group           20
        suggested-size          group           211
        check-files             group           yes
        persistent              group           yes
        shared                  group           yes
        max-db-size             group           33554432
        auto-propagate          group           yes

        enable-cache            hosts           no
        positive-time-to-live   hosts           2592000
        negative-time-to-live   hosts           20
        suggested-size          hosts           211
        check-files             hosts           yes
        persistent              hosts           yes
        shared                  hosts           yes
        max-db-size             hosts           33554432

        enable-cache            services        yes
        positive-time-to-live   services        2592000
        negative-time-to-live   services        20
        suggested-size          services        211
        check-files             services        yes
        persistent              services        yes
        shared                  services        yes
        max-db-size             services        33554432
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;While we wait for a mechanism to update /etc/nsswitch.conf
automatically like the one provided in
&lt;a href=&quot;http://bugs.debian.org/496915&quot;&gt;bug #496915&lt;/a&gt;, the file
content need to be manually replaced to ensure LDAP is used as the
directory service on the machine.  /etc/nsswitch.conf should normally
look like this:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
protocols:      files
services:       files
ethers:         files
rpc:            files
netgroup:       files ldap
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;The important parts are that ldap is listed last for passwd, group,
shadow and netgroup.&lt;/p&gt;

&lt;p&gt;With these changes in place, any user in LDAP will be able to log
in locally on the machine using for example kdm, get a local home
directory created and have the password as well as user and group
attributes cached.

&lt;h2&gt;LDAP/Kerberos + nss-updatedb + libpam-ccreds +
  libpam-mklocaluser/pam_mkhomedir&lt;/h2&gt;

&lt;p&gt;Because nscd have had its share of problems, and seem to have
problems doing proper caching, I&#39;ve seen suggestions and recipes to
use nss-updatedb to copy parts of the LDAP database locally when the
LDAP database is available.  I have not tested such setup, because I
discovered sssd.&lt;/p&gt;

&lt;h2&gt;LDAP/Kerberos + sssd + libpam-mklocaluser&lt;/h2&gt;

&lt;p&gt;A more flexible and robust setup than the nscd combination
mentioned earlier that has shown up recently, is the
&lt;a href=&quot;https://fedorahosted.org/sssd/&quot;&gt;sssd&lt;/a&gt; package from Redhat.
It is part of the &lt;a href=&quot;http://www.freeipa.org/&quot;&gt;FreeIPA&lt;/A&gt; project
to provide a Active Directory like directory service for Linux
machines.  The sssd system combines the caching of passwords and user
information into one package, and remove the need for nscd and
libpam-ccreds.  It support LDAP and Kerberos, but not NIS.  Version
1.2 do not support netgroups, but it is said that it will support this
in version 1.5 expected to show up later in 2010.  Because the
&lt;a href=&quot;http://packages.qa.debian.org/s/sssd.html&quot;&gt;sssd package&lt;/a&gt;
was missing in Debian, I ended up co-maintaining it with Werner, and
version 1.2 is now in testing.

&lt;p&gt;These packages need to be installed and configured to get the
roaming setup I want&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
libpam-sss libnss-sss libpam-mklocaluser
&lt;/pre&gt;&lt;/blockquote&gt;

The complete setup of sssd is done by editing/creating
&lt;tt&gt;/etc/sssd/sssd.conf&lt;/tt&gt;.

&lt;blockquote&gt;&lt;pre&gt;
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = INTERN

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/INTERN]
enumerate = false
cache_credentials = true

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldap://ldap
ldap_search_base = dc=skole,dc=skolelinux,dc=no
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;I got the same problem here with certificate checking.  Had to set
&quot;ldap_tls_reqcert = never&quot; to get it working.&lt;/p&gt;

&lt;p&gt;With the libnss-sss package in testing at the moment, the
nsswitch.conf file is update automatically, so there is no need to
modify it manually.&lt;/p&gt;

&lt;p&gt;If you want to help out with implementing this for Debian Edu,
please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
</description>
        </item>
        
        </channel>
</rss>