Old 04-29-2010, 09:04 AM
Javier Palacios
 
UDS Maverick: Call for Blueprints for Ubuntu Server

On Mon, Apr 26, 2010 at 4:08 PM, Adam Sommer <asommer70@gmail.com> wrote:
>
> On Sat, Apr 24, 2010 at 9:24 AM, Veli-Matti Lintu
> <veli-matti.lintu@opinsys.fi> wrote:
>>
>> Are there plans regarding ldap/kerberos user management and
>> authentication? Launchpad has quite a few old blueprints around these, but I
>> haven't been able to find information about long term plans.
>>
>
> I would like to propose a blueprint for a base directory setup tool based on
> the OpenLDAP-DIT project: https://launchpad.net/openldap-dit. The current
> branch adds schemas and objects for DNS, DHCP, etc and these may be more
> work than I have time for.

Although related, these are two different targets with two different
scopes and probably two different audiences and possible contributors.
One is services configuration, which needs tight collaboration with
packagers and even upstream developers.

The other one is user management, which many will consider useless
within datacenters, but a must when there are many (users & nodes)
around.

To these 1/2 topics, I would add provisioning to the wishlist, which
is not a new item. Either cobbler based or not, in my opinion it
should address both iron and virtual deployments.

Javier Palacios

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 04-29-2010, 09:21 AM
Javier Palacios
 
UDS Maverick: Call for Blueprints for Ubuntu Server

> I think the goal should be to get a starting point that helps newbies to
> at least *see* something when they point an ldap client to the server,
> and also allow more seasoned admins to build upon that tree.
>
> For me, that means:
> - - we need a database configured (indexes, checkpoints, caches,
> DB_CONFIG, etc)
> - - we need a tree root
> - - seems like ou=People and ou=Group are pretty common and we should also
> have them at least
> - - basic ACLs to protect content that is not even there yet (like
> userPassword, krb5key, samba hashes, etc)
> - - basic ACLs to allow for group-delegated based administration

The two points above probably discard using phpldapadmin (and most web
tools). I haven't looked for long, but it used a special user with
global privileges, so once you log in the web, you can do (nearly)
anything.
I might add jxplorer as a possible client (hopefully it's still alive).

> - - an admin group, with a member for whom we have a password. This member
> is what the user should use. This concept of administration group
> resonates quite nicely with the default ubuntu sudo setup.
>

To this list I would add policies and associated ACL about what can be
changed by users (for example, select a different login shell).

Maybe you can have a look at
http://kad.sourceforge.net/?action=slapd
where many of those points are covered. In the source repository of
the project, there are also some patches to be applied after
installing the slapd package and before configuring it (patches built
against debian etch, as far as I remember).
Although the project is quite a bit abandoned, I'm more than glad to
contribute, or even revive it if useful.

Javier Palacios

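The items in the list above (protected password attributes, an admin group with delegated rights, a policy for what users may change about themselves) translate directly into slapd access rules. The following is an added example, not code from the thread or from the openldap-dit project: it assumes the suffix dc=example,dc=com, the {1}hdb database that Lucid's slapd creates, a constructed group cn=admins,ou=Group,dc=example,dc=com, and that it is loaded with ldapmodify -Y EXTERNAL -H ldapi:///.

```ldif
# Added example (not from the thread or openldap-dit). Assumes suffix
# dc=example,dc=com, database olcDatabase={1}hdb and a constructed admin
# group cn=admins whose first member is the account the operator actually
# holds a password for. krb5Key and samba*Password are only accepted by
# slapd once the kerberos and samba schemas have been loaded.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# Rules are evaluated in order and the first matching 'to' clause wins,
# so the secrets come first: never readable by anyone, writable by the
# admin group and by the entry owner, and 'auth' so that clients can
# still bind against them without being able to read them.
olcAccess: {0}to attrs=userPassword,krb5Key,sambaLMPassword,sambaNTPassword
  by group.exact="cn=admins,ou=Group,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
# Policy: a user may pick a different login shell, but nothing else in
# the entry (uid, uidNumber, homeDirectory) is self-writable.
olcAccess: {1}to attrs=loginShell
  by group.exact="cn=admins,ou=Group,dc=example,dc=com" write
  by self write
  by * read
# Group-delegated administration: members of cn=admins manage the whole
# tree, much like the sudo group on a default Ubuntu host; everyone
# else (including authenticated users) only reads.
olcAccess: {2}to *
  by group.exact="cn=admins,ou=Group,dc=example,dc=com" write
  by * read
```

Because rule {0} has no "by * read", a search for userPassword as an ordinary user returns the entry without the attribute rather than an error, which is the behaviour to check for after loading the rules.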
 
Old 04-29-2010, 12:17 PM
Andreas Hasenack
 
UDS Maverick: Call for Blueprints for Ubuntu Server


On 04/29/2010 06:21 AM, Javier Palacios wrote:
>> I think the goal should be to get a starting point that helps newbies to
>> at least *see* something when they point an ldap client to the server,
>> and also allow more seasoned admins to build upon that tree.
>>
>> For me, that means:
>> - - we need a database configured (indexes, checkpoints, caches,
>> DB_CONFIG, etc)
>> - - we need a tree root
>> - - seems like ou=People and ou=Group are pretty common and we should also
>> have them at least
>> - - basic ACLs to protect content that is not even there yet (like
>> userPassword, krb5key, samba hashes, etc)
>> - - basic ACLs to allow for group-delegated based administration
>
> The two points above probably discard using phpldapadmin (and most web

The ACLs?

> tools). I haven't looked for long, but it used a special user with
> global privileges, so once you log in the web, you can do (nearly)
> anything.

They probably ask for the rootdn. In that case, just give them the DN of
a user that is a member of the ldap admin group, it has the exact same
effect.

> I might add jxplorer as possible client (hopefully it's still alive)

I think Apache Directory Studio is eating jxplorer's user base.

> To this list I would add policies and associated ACL about what can be
> changed by users (for example, select a different login shell).
>
> Maybe you can have a look at
> http://kad.sourceforge.net/?action=slapd
> where many of those points are covered. In the source repository of
> the project, there are also some patches to be applied after
> installing the slapd package and before configuring it (patches built
> against debian etch, as far as I remember).
> Although the project is quite a bit abandoned, I'm more than glad to
> contribute, or even revive it if useful.

Thanks for the pointer, I'll take a look.

--
Andreas Hasenack
andreas@canonical.com

 
Old 04-29-2010, 12:45 PM
Nikolai K. Bochev
 
UDS Maverick: Call for Blueprints for Ubuntu Server

While we're at it, why not use/adopt the 389 directory server?
Isn't it better to get something that's been built to work as a complete solution than to tie different independent projects together to achieve the same thing? This, and that FreeIPA is getting better and better (and it requires 389).
Just my thoughts.

----- Original Message -----
> > Lately I've been involved in creating OpenLDAP DIT for schools
> > running on Lucid and one thing that I've been wondering is whether
> > it would be
> > possible to define one standard structure for Ubuntu that all tools
> > would be configured to use by default. That wouldn't take away the
> > possibility of configuring everything differently, but all tools and
> > tutorials would follow this one model.
> >
> > Out of curiosity I checked what the defaults are in different
> > systems. If I got things written down correctly, the different
> > default structures
> > I could find were:
> >
> > Hardy slapd package init script and OpenDS:
> > * ou=People
> > * ou=Groups
> >
> > smbldap-tools:
> > * ou=Users
> > * ou=Groups
> > * ou=Computers
> > * ou=Idmap
> >
> > openldap-dit and openldap-mandriva-dit are based on RFC2307bis:
> > * ou=People
> > * ou=Group
> > * ou=Hosts
> > * ou=System Accounts
> > * ou=System Groups
> > * ou=Kerberos Realms
> > * ou=Idmap
> > * ou=Address Book
> >
> > Fedora / FreeIPA uses something completely different:
> > * cn=users,cn=accounts
> > * cn=groups,cn=accounts
> > * cn=computers,cn=accounts
> > * cn=services,cn=accounts
> > * cn=account inactivation,cn=accounts
> > * cn=Kerberos
> >
> > Now different tools have different defaults and tutorials use
> > randomly some names that probably confuse many people.
> >
> > Having one standard DIT that is installed by default would help a
> > lot with external applications that are not packaged for Ubuntu. For
> > example Moodle that is used in schools can use LDAP, but it needs to
> > be configured properly. Writing a guide for that gets a lot easier
> > if standard structure is available.
>
>
> > As I wasn't aware of openldap-dit until recently, I've been working
> > on a script to initialise slapd w/ssl and mit kerberos. The idea is
> > that the script first checks which schemas and modules are installed
> > and then adds the missing schemas and modules and configures them.
> > It makes also
> > possible to dump current configuration and check for common problems
> > with ssl certificates and such. I try to get it uploaded somewhere
> > soon so that others can see if it'd be helpful.
> >
> > Automatically loading the schemas sounds good, but how to configure
> > overlays and ACLs for everything is something that would probably
> > need some other solution. E.g. we have some needs for ACLs that
> > probably don't make sense outside schools, but are needed for us as
> > we have
> > school districts, schools, superusers, school admins, teachers,
> > pupils, etc..
> >
> > Veli-Matti

 
Old 04-29-2010, 01:59 PM
Javier Palacios
 
UDS Maverick: Call for Blueprints for Ubuntu Server

On Thu, Apr 29, 2010 at 2:17 PM, Andreas Hasenack <andreas@canonical.com> wrote:
>>> - - basic ACLs to protect content that is not even there yet (like
>>> userPassword, krb5key, samba hashes, etc)
>>> - - basic ACLs to allow for group-delegated based administration
>>
>> The two points above probably discard using phpldapadmin (and most web
>
> The ACLs?
>
>> tools). I haven't looked for long, but it used a special user with
>> global privileges, so once you log in the web, you can do (nearly)
>> anything.
>
> They probably ask for the rootdn. In that case, just give them the DN of
> a user that is a member of the ldap admin group, it has the exact same
> effect.

Yes, the ACLs, because I'm not thinking of a single user with full
privileges and many users without any privileges.

Let's say I would like the DNS admins to modify their entries, and the
"user" administrator to create or modify user entries. That means
giving any of them only partial privileges. If you use any kind of
'proxy' (as phpldapadmin) it must be aware of existing ACLs and the
most sensible way to accomplish that is to let the ldap server evaluate
them, using direct identification against the ldap server.
The phpldapadmin I remember (it might have evolved) has a single user
and wasn't capable of doing this.

Javier Palacios

 
Old 04-29-2010, 02:15 PM
Andreas Hasenack
 
UDS Maverick: Call for Blueprints for Ubuntu Server


On 04/29/2010 10:59 AM, Javier Palacios wrote:
> Yes, the ACLs, because I'm not thinking of a single user with full
> privileges and many users without any privileges.
>
> Let's say I would like the DNS admins to modify their entries, and the
> "user" administrator to create or modify user entries. That means
> giving any of them only partial privileges. If you use any kind of
> 'proxy' (as phpldapadmin) it must be aware of existing ACLs and the
> most sensible way to accomplish that is to let the ldap server evaluate
> them, using direct identification against the ldap server.
> The phpldapadmin I remember (it might have evolved) has a single user
> and wasn't capable of doing this.

True. So it's not that phpldapadmin "doesn't work" or "breaks" with
these ACLs, it's just that it bypasses them entirely. So we can say it
doesn't take advantage of them. It's a choice.

Maybe at some point it could work in such a way that it would use the
user's credentials to access the directory instead of the rootdn or some
other proxy user.

I wonder if sasl authorization could be more widely used and how it
could help. It was meant to be used by such proxy agents I believe.

--
Andreas Hasenack
andreas@canonical.com

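The two posts above describe partial privileges per admin group (DNS admins versus the "user" administrator) and a proxy agent that uses SASL authorization so that the directory, not the web tool, evaluates the ACLs. The following is an added example, not code from the thread: it assumes the suffix dc=example,dc=com, the {1}hdb database, an ou=DNS branch, and constructed names (cn=dns-admins, cn=user-admins, and a proxy account uid=webproxy under ou=System Accounts); the first two records are loaded with ldapmodify -Y EXTERNAL -H ldapi:///, the last one as the database rootdn, since authzTo is an operational attribute.

```ldif
# Added example (not from the thread). Assumes dc=example,dc=com,
# olcDatabase={1}hdb, an ou=DNS branch and constructed groups/accounts.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by group.exact="cn=user-admins,ou=Group,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
# DNS admins may edit zone data; this grants them nothing under ou=People.
olcAccess: {1}to dn.subtree="ou=DNS,dc=example,dc=com"
  by group.exact="cn=dns-admins,ou=Group,dc=example,dc=com" write
  by * read
# User admins may add and change people; DNS admins are readers here.
# Write on the ou=People entry itself is what permits adding children.
olcAccess: {2}to dn.subtree="ou=People,dc=example,dc=com"
  by group.exact="cn=user-admins,ou=Group,dc=example,dc=com" write
  by * read
# The proxy account appears in no rule, so a bind as the proxy alone
# yields read access only: it cannot "do (nearly) anything".
olcAccess: {3}to *
  by * read

# Enable SASL authorization: when a bound identity asks to act as
# another DN, slapd checks the authzTo attribute of the bound identity.
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to

# The proxy may assume identities only below ou=People. Every operation
# it then performs is evaluated by the ACLs above as that user.
dn: uid=webproxy,ou=System Accounts,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: dn.subtree:ou=People,dc=example,dc=com
```

To verify the setup, bind as the proxy with the proxied authorization control, e.g. `ldapwhoami -x -D uid=webproxy,ou=System\ Accounts,dc=example,dc=com -W -e authzid=dn:uid=alice,ou=People,dc=example,dc=com` (uid=alice is a constructed user): the server should answer with alice's DN, and the same request for a DN outside ou=People should be refused.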
 
