Shared authentication, 2010 style

Back in the day (a Wednesday, for those who remember it) we WLUG/NZLUG folks were pretty clued up when it came to things like connecting Linux machines to Active Directory using SAMBA [1]. However, kids these days just don't know what kind of crap we had to go through back then, and while I haven't done the testing myself, I'm pretty sure that today you just type 'apt-get install likewise-open', and you don't have to know any magic incantations at all.

How about if you want to run a central directory on Linux, not on Windows? You could look at the Ubuntu guide [2]. Or "LDAP for the Lazy Sysadmin" [3]. Do go check that last one out - you don't have to read it all. Just scroll through it for a second. I'll wait. <<taps toes>>

That isn't lazy at all! Lazy is paying Microsoft for Active Directory. Unfortunately, due to one complexity or another, it seemed AD often won out for a situation where you had to have some Windows machines as well as your Linux hosts. I remember thinking it strange back when Windows was supposed to be all about the desktop and Linux was supposed to be all about the server, that you got a better client experience on Linux and server experience on Windows.

It's 2010 now. Flying cars, etc. I want central authentication across a small network of Ubuntu machines - no Windows machines are expected. Ultimately I'd like multi-master (I believe 389, formerly Fedora DS/Netscape Directory Server does this; and OpenLDAP does not?) so I don't have to think too much about failover/redundancy.

Please, someone, tell me there is a better solution? Is there a turn-key method for this?

Craig

[1] http://www.wlug.org.nz/SambaAsPDC?action=PageHistory and http://www.wlug.org.nz/LDAPAuthentication?action=PageHistory for some examples. Look at the dates.
[2] https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html
[3] http://wiki.ucc.asn.au/LDAP/LazySysadmin

On Mon, May 24, 2010 at 03:46:06PM +0100, Craig Box wrote:
It's 2010 now. Flying cars, etc. I want central authentication across a small network of Ubuntu machines - no Windows machines are expected. Ultimately I'd like multi-master (I believe 389, formerly Fedora DS/Netscape Directory Server does this; and OpenLDAP does not?) so I don't have to think too much about failover/redundancy.
Not really answering your main question in any way, but one gotcha that I've encountered: thunderbird includes its own copy of an ldap library, and if you have 'ldap' in /etc/nsswitch.conf for resolving user IDs then thunderbird will crash on startup. (Basically thunderbird's ldap library is binary-incompatible with the system's openldap, and if nsswitch is using ldap then thunderbird will be dynamically linked against both).

John

John McPherson wrote:
Not really answering your main question in any way, but one gotcha that I've encountered: thunderbird includes its own copy of an ldap library, and if you have 'ldap' in /etc/nsswitch.conf for resolving user IDs then thunderbird will crash on startup. (Basically thunderbird's ldap library is binary-incompatible with the system's openldap, and if nsswitch is using ldap then thunderbird will be dynamically linked against both).
Ooooh yes, that's a good one. The following works, FSVO, YMMV, no promises as to what the next upgrade may do:

# getent passwd ldap_user_name >> /etc/passwd

This'll leave something like the following at the foot of /etc/passwd:

jbloggs:x:1017:1017:jbloggs:/home/jbloggs:/bin/bash

Which I think is enough for the TB ldap library to get started, while forcing it to fall back on openldap if it tries and fails to match the password. (I apparently failed to bookmark the page that suggested this solution, and could easily be completely misremembering the explanation, if indeed there was one.)

I don't -know- of any nasty pointy teeth attached to this, but if anyone does please let me know, so's I can have another stab at reinstalling TB 2.

butting
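Added example, not Bryce's code or anything posted in this thread, for checking that "getent >> /etc/passwd" workaround before it bites: it refuses to append a getent line that collides with an existing local name or UID, and reports copied entries whose uid/gid/home/shell have since drifted from what the directory says. All passwd content in it is constructed sample data, not a real system file.

```python
# Added example, not from the thread: guard Bryce's "getent passwd user >> /etc/passwd"
# workaround against name/UID clashes and spot copied entries that have drifted from
# the directory. All passwd data here is constructed sample input, not a real file.
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name uid gid gecos home shell")

def parse_passwd_line(line):
    """Parse one passwd(5) line: name:passwd:uid:gid:gecos:home:shell."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd line: {line!r}")
    name, _pw, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, int(uid), int(gid), gecos, home, shell)

def parse_passwd(text):
    """Parse a whole passwd file, skipping blank and comment lines."""
    return [parse_passwd_line(l) for l in text.splitlines()
            if l.strip() and not l.startswith("#")]

def append_local_copy(local_text, getent_line):
    """Return local_text with the getent line appended, or raise on a name/UID clash
    (a duplicate would shadow the directory entry and confuse anything keyed on UID)."""
    new = parse_passwd_line(getent_line)
    for e in parse_passwd(local_text):
        if e.name == new.name:
            raise ValueError(f"{new.name} already has a local entry")
        if e.uid == new.uid:
            raise ValueError(f"uid {new.uid} already used locally by {e.name}")
    sep = "" if not local_text or local_text.endswith("\n") else "\n"
    return local_text + sep + getent_line.rstrip("\n") + "\n"

def find_drift(local_text, directory_text):
    """Map each copied user to the fields (uid, gid, home, shell) where the local
    copy no longer matches the directory; purely local accounts are ignored."""
    directory = {e.name: e for e in parse_passwd(directory_text)}
    drift = {}
    for e in parse_passwd(local_text):
        d = directory.get(e.name)
        if d is None:
            continue
        changed = [f for f in ("uid", "gid", "home", "shell")
                   if getattr(e, f) != getattr(d, f)]
        if changed:
            drift[e.name] = changed
    return drift

# Constructed sample data; the jbloggs line mirrors the shape shown in the thread.
LOCAL_PASSWD = "root:x:0:0:root:/root:/bin/bash\nbackup:x:34:34:backup:/var/backups:/bin/sh\n"
GETENT_LINE = "jbloggs:x:1017:1017:jbloggs:/home/jbloggs:/bin/bash"
```

Run find_drift periodically against fresh "getent passwd" output from the directory, since the copied line is a snapshot that nothing updates when the directory entry changes.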

On Tue, May 25, 2010 at 11:18:39AM +1200, Bryce Utting wrote:
John McPherson wrote:
Not really answering your main question in any way, but one gotcha that I've encountered: thunderbird includes its own copy of an ldap library, and if you have 'ldap' in /etc/nsswitch.conf for resolving user IDs then thunderbird will crash on startup.
The following works, FSVO, YMMV, no promises as to what the next upgrade may do:
# getent passwd ldap_user_name >> /etc/passwd
This'll leave something like the following at the foot of /etc/passwd:
jbloggs:x:1017:1017:jbloggs:/home/jbloggs:/bin/bash
Alternatively, if you don't use any ldap addressbooks in thunderbird, you can get thunderbird to link against the system ldap library instead of its bundled one:

mv /usr/lib/thunderbird-3.0.4/libldap60.so{,-}
ln -s /usr/lib/libldap-2.4.so.2 /usr/lib/thunderbird-3.0.4

but that's a bit of a hack, and will get overridden on package upgrades...

John

It's 2010 now. Flying cars, etc. I want central authentication across a small network of Ubuntu machines - no Windows machines are expected. Ultimately I'd like multi-master (I believe 389, formerly Fedora DS/Netscape Directory Server does this; and OpenLDAP does not?) so I don't have to think too much about failover/redundancy. Please, someone, tell me there is a better solution? Is there a turn-key method for this?
I haven't used it myself, but I think you may be looking for FreeIPA. "FreeIPA is an integrated security information management solution combining Linux (Fedora), Fedora Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools."

Does scripted installs for both server and client, and expects to have full rein over the server install. Also looks like it prefers Fedora or RHEL for both client and server, but there is some noise about packaging for ubuntu, and I suspect rejigging the client setup script to work with ubuntu won't be too much of a problem.

If you can deal with the server side of stuff, then ubuntu has an "ldap-auth-client" and "ldap-auth-config" set of metapackages, that install and configure everything needed for ldap auth. This includes a pam-auth snippet, which if you haven't come across before, is like debconf for pam configurations. Kind of. These don't do kerberos AFAIK, so they may not work so well against a freeipa server, but they also may work just fine.

Finally, a lot of the pain we had in the past regarding LDAP setup was around custom schema and getting samba integrated with it. If you're not doing windows desktop clients, then straight LDAP as a backend becomes a lot cleaner, and you could easily just use something like phpldapadmin or ldap-account-manager pointing at a fairly default openldap server. No need for messing round with samba stuff, which was where most of the suffering originated from. No need to mess with LDIFs either.
participants (4)
- Bryce Utting
- Craig Box
- Daniel Lawson
- John McPherson