Hi Server team,

The Support team receives requests for single sign-on authentication with Active Directory on a regular basis. So this work is a definite plus from the paid customer's point of view. I've managed to implement this manually with the exception of mounting an AD share automatically (i.e. the user's home share) using pam_mount. I began to write a whitepaper on it. Hopefully pam_mount can also be included in the 'auth-client-config' work.
I'm willing to help test the new script here in the Support office.

Thank you,

p.s. Contact me if anyone wants to help me troubleshoot my pam_mount issue.

--
Peter Matulis, Ubuntu Support Analyst
Tel: +1 514 940 8917
Canonical Services and Support
http://www.canonical.com/support/
0x34F740E8  7EFC B394 871D CA0B 6AB7  DB5E 91F8 F8EF 34F7 40E8

James Strandboge wrote:
> Hi,
>
> As per the meeting the other day, I created the 'auth-client-config'
> script to help with management of nsswitch.conf and pam.
>
> Summary
> -------
> The basic idea came from a conversation with dendrobates, where he
> wanted a script that debconf (or other programs) could call and handle
> the updating of pam and nsswitch.conf, ala update-inetd.
>
> Implementation
> --------------
> auth-client-config is written in python (OO). It is non-interactive cli
> only. It supports modifying nss, pam-account, pam-auth, pam-password,
> and pam-session types, and any number of configurable profiles.
> Profiles are configured in a configuration file (via ConfigParser) that
> is simply a database of various authentication 'profiles'.
> Eg, an example entry from the database is:
>
> [ldap]
> nss_passwd=passwd: files ldap
> nss_group=group: files ldap
> nss_shadow=shadow: files ldap
> pam_auth=auth required pam_env.so
>     auth sufficient pam_unix.so likeauth nullok
>     auth sufficient pam_ldap.so use_first_pass
>     auth required pam_deny.so
> pam_account=account sufficient pam_unix.so
>     account sufficient pam_ldap.so
>     account required pam_deny.so
> pam_password=password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
>     password sufficient pam_unix.so nullok md5 shadow use_authtok
>     password sufficient pam_ldap.so use_first_pass
>     password required pam_deny.so
> pam_session=session required pam_limits.so
>     session required pam_unix.so
>     session optional pam_ldap.so
>
> As you can see, this is in the INI config style (this is what
> ConfigParser supports), and for each 'key', its value is what you want
> in a particular type.
>
> Usage
> -----
> To update a particular file, run auth-client-config with the type to
> modify, and the profile to use. Eg, to update nsswitch.conf with the
> above ldap entry, you would run:
>
> auth-client-config -t nss -p ldap
>
> This will change the standard /etc/nsswitch.conf file to:
>
> ...
> # pre_auth-client-config # passwd: compat
> passwd: files ldap
> # pre_auth-client-config # group: compat
> group: files ldap
> # pre_auth-client-config # shadow: compat
> shadow: files ldap
> ...
>
> The '# pre_auth-client-config #' comment allows for users to easily back
> out changes to the original, pre-auth-client-config state.
>
> auth-client-config also supports an '-f' option for specifying a
> different file to use than the default (eg /tmp/nsswitch.conf, instead
> of /etc/nsswitch.conf), and also a '-n' option for a dry-run that will
> not modify anything. See the man page for all options.
>
> Discussion
> ----------
> I envision this being integrated with dendrobates' work, where he will
> set up the various profiles for auth-client-config (see TODO for more
> discussion). The profile name will correspond to a debconf option in
> his 'ldap-auth-client' package. Eg:
>
>     Choose an authentication/authorization method:
>
>         Ubuntu Directory
>         Active Directory
>         Fedora Directory Server
>         Novell
>         LDAP
>         Local
>
>     Ok
>
> If the user chooses 'Active Directory' say, then debconf would run:
>
>     auth-client-config -t nss -p ad
>     auth-client-config -t pam_auth -p ad
>     auth-client-config -t pam_account -p ad
>     auth-client-config -t pam_password -p ad
>     auth-client-config -t pam_session -p ad
>
> and auth-client-config's profiles database would have:
>
>     [ad]
>     ...
>
>
> TODO
> ----
> 1. Move some configuration from auth-client-config
>    into /etc/auth-client-config/acc.conf
>
> 2. Currently, the database is stored
>    in /etc/auth-client-config/profile.d/acc-default. This value is hard
>    coded. I plan on making auth-client-config support reading all files
>    from the /etc/auth-client-config/profile.d directory, so that packages
>    can drop in authentication profiles, and have them picked up easily.
>
>    Eg, dendrobates' 'ldap-auth-client' package might create:
>    /etc/auth-client-config/profile.d/ldap
>
>    and a future kerberos-auth-client might create:
>    /etc/auth-client-config/profile.d/kerberos
>
>    The design also supports local administrators to create their own
>    profiles, so that site wide network authentication roll-outs can be
>    better supported. Eg, the sysadmin at ABC.com might create:
>    /etc/auth-client-config/profile.d/abc
>
>    Through creative use of install scripts/kickstart/etc, they can get
>    unattended client installs that end up with proper configuration of
>    network authentication.
>
>    'authtool' could also create profiles and use auth-client-config as a
>    backend.
>
>    Users could create different profiles for different networks, and add
>    these to /etc/auth-client-config/profile.d/ (maybe even for future
>    network-manager integration)
>
> 3. create some testing scripts for automated testing
>
> 4. testing, testing, and more testing
>
>
> Download
> --------
> Currently the files are at:
> http://www.strandboge.com/software/auth-client-config/
>
> There is a deb file too. This has been tested on dapper, but should
> work on any system supporting python 2.4.
>
>
> Take a look at the man page (or run 'auth-client-config -h'). I highly
> recommend running this as non-root against non-system files until it has
> received thorough testing. If running as root, be sure to make backups
> of /etc/nsswitch.conf and /etc/pam.d/common-*, and leave one root
> terminal/console open (sudo is not enough!) while testing logins in
> another, so you can back out the changes.
>
> Please feel free to give me feedback or ask questions.
>
>
> Jamie Strandboge (aka 'jdstrand' on IRC)
>
>
> --
> ubuntu-server mailing list
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
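The nsswitch.conf rewrite that Jamie's mail describes (read an INI profile via ConfigParser, replace each nss database line, keep the original behind a '# pre_auth-client-config #' marker so it can be backed out, and treat '-n' as "compute but do not write") as an added Python 3 example. This is not the auth-client-config project's code: the function names, the sample profile database and the sample nsswitch.conf below are this example's own constructions, and it only covers the nss type, not the pam ones.

```python
"""Added example (not auth-client-config itself): a minimal re-implementation
of the nsswitch.conf update and back-out behaviour described in the mail."""
import configparser
import re

# Constructed sample profile database, in the INI style the mail shows.
PROFILE_DB = """\
[ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
"""

# Constructed stand-in for a stock /etc/nsswitch.conf.
STOCK_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
"""

# Marker the mail shows in front of each preserved original line.
MARKER = "# pre_auth-client-config # "


def load_profile(db_text, name):
    """Return the nss_* entries of profile `name` as {database: new line}."""
    # interpolation=None so '%' in PAM arguments would not be misparsed.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(db_text)
    entries = {}
    for key, value in cp.items(name):      # raises NoSectionError if unknown
        if key.startswith("nss_"):
            db = key[len("nss_"):]
            # Sanity check: the value must configure the database it is keyed on.
            if not value.startswith(db + ":"):
                raise ValueError(f"profile {name!r}: {key} does not start with {db}:")
            entries[db] = value
    return entries


def revert_nss_profile(nsswitch_text):
    """Restore the pre-auth-client-config state from the marker comments."""
    out = []
    lines = nsswitch_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith(MARKER):
            out.append(line[len(MARKER):])   # the original line, un-commented
            i += 2                           # skip the replacement that follows it
        else:
            out.append(line)
            i += 1
    return "\n".join(out) + "\n"


def apply_nss_profile(nsswitch_text, entries):
    """Replace each configured database line, keeping the original as a
    marker comment. Reverting first makes a second run idempotent."""
    out = []
    for line in revert_nss_profile(nsswitch_text).splitlines():
        m = re.match(r"^(\w+):", line)
        if m and m.group(1) in entries:
            out.append(MARKER + line)
            out.append(entries[m.group(1)])
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def update_file(path, entries, dry_run=True):
    """Rewrite `path` in place (the '-f' target); with dry_run, the mail's
    '-n' behaviour, the new text is returned but nothing is written."""
    with open(path, encoding="utf-8") as fh:
        new_text = apply_nss_profile(fh.read(), entries)
    if not dry_run:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return new_text


if __name__ == "__main__":
    ldap = load_profile(PROFILE_DB, "ldap")
    print(apply_nss_profile(STOCK_NSSWITCH, ldap))
```

Running the block prints the sample nsswitch.conf with the passwd, group and shadow lines replaced and their originals preserved behind the marker; `revert_nss_profile` on that output gives back the stock file unchanged, which is the "back out" property the marker exists for.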
