NetworkAuthClient

Differences between revisions 3 and 10 (spanning 7 versions)
Revision 3 as of 2006-11-07 00:53:27
Size: 1500
Editor: 207
Comment:
Revision 10 as of 2010-01-21 19:01:15
Size: 3173
Editor: 196-210-177-89-wblv-esr-3
Comment: Moved page to appropriate namespace
Line 1: Line 1:
BOF notes: ## page was renamed from EdubuntuNetworkAuthClient
 * '''Launchpad entry''': UbuntuSpec:edubuntu-network-auth-client
 * '''Packages affected''': authtool, libpam-mount, libpam-ldap, libnss-ldap, libpam-ccreds, edsadmin, gnome-control-center
Line 3: Line 5:
 * pam changes
 * nssldap changes
 * how do we mount home ?
== Summary ==
Line 7: Line 7:
ajmitch's authtool already cares for the first two points
all we have left for this spec is to find a proper way to mount /home on login
Authenticating Edubuntu clients (workstations and LTSP servers) against an Edubuntu network auth server.
Line 10: Line 9:
we will need kerberos integration, to integrate this a nameserver will be needed -> to be added to the -auth-server spec == Rationale ==
Line 12: Line 11:
a metapackage will be created that depends on the authtool package and pulls in the necessary kerberos bits To provide centralized user management in a school using Edubuntu, an [[https://features.launchpad.net/distros/ubuntu/+spec/edubuntu-network-auth-server|Edubuntu network authentication server]] is implemented. To authenticate against such a server a certain client setup is required. This spec outlines what will be done to achieve client authentication on Edubuntu LTSP servers and workstations.
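Review bot: the sentence removed in this hunk had the metapackage pull in "the necessary kerberos bits", and the Rationale text that replaces it never mentions Kerberos again. State explicitly whether Kerberos was dropped or moved to the edubuntu-network-auth-server spec, so that the authentication mechanism the listed packages are expected to provide is unambiguous.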
Line 14: Line 13:
to change the password a tool is needed, this can either be a samba tool or a pam based one == Use cases ==
Line 16: Line 15:
for mounting home we will need to do a nfs export of /home from the server to mount that on login, for windows clients this needs also be done in parallel via samba Will is an administrator at a high school. He used to use an Edubuntu LTSP server in one classroom to test the functionality. Since the software convinced him, he will now set up his whole school with Edubuntu and set up an Edubuntu network authentication server where he maintains the students' accounts for the whole school and their home directories. After he installed the edubuntu-auth-client metapackage on all his workstations and LTSP servers, all his students log in via the centralized service without problems.
Line 18: Line 17:
pam-mount needs to be extended to read the users home directory location from the ldap server where we store the information where to find the use
rs home.
== Scope ==
Line 21: Line 19:
pam-mount can do nfs mounts on login, Out of the box working authentication against an Edubuntu network authserver.
Line 23: Line 21:
Packages to move to main: == Design and Implementation ==
Line 25: Line 23:
 * libpam-mount
 * libpam-ldap
 * libnss-ldap
 * libpam-ccreds
A metapackage called edubuntu-auth-client will be created.
It will depend on https://launchpad.net/people/ajmitch/+branch/network-authentication/authtool (which will provide the basic authentication functionality) as well as on libpam-mount, libpam-ldap, libnss-ldap and libpam-ccreds.
Line 30: Line 26:
 * the edubuntu-auth-client package will install edsadmin and disable users-admin in the gnomemenu.
 * edubuntu-auth-client will ask for the desired domainname (field is prefilled with the provided domainname from the dhcp server) and for the ip address of the ldap server.
The libpam-mount, libpam-ldap, libnss-ldap and libpam-ccreds packages will move to main.
Line 33: Line 28:
There must be an additional preseed file for "networked-workstation" on the edubuntu CD that installs edubuntu-auth-client, the usual workstation preseed file will still do a local auth based install. A dependency on the edsadmin package (handled in edubuntu-auth-server) will be created. In the postinst of the edubuntu-auth-client package, the menu entry of the users-admin tool shipped by gnome-system-tools will be disabled to avoid the confusion of having two user management tools.

The postinst of edubuntu-auth-client will ask for the desired domain name and for the IP address of the LDAP server and preseed the authtool debconf values with it.

The Edubuntu CD will get a new networked-workstation preseed file that pulls in the edubuntu-auth-client package. This way the user will still have the option to install a complete standalone workstation.

Edubuntu LTSP server installs will install the edubuntu-auth-client by default.

For mounting /home an NFS export is required on the authentication server, the edubuntu-auth-server will care for this.

The password tool of the "About Me" application shipped by default in Ubuntu/Edubuntu will be enhanced to operate properly with the user's password on an LDAP server.

== Unresolved issues ==

The pam-mount binary needs to be extended to read the user's home directory location from the LDAP server.
 * Is making it use libpam-ldap not enough? Does it do hardcoded stuff with /etc/passwd? --ColinWatson

----
CategorySpec
CategoryEdubuntuSpec
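Review bot: the Design paragraphs in this hunk have the postinst collect the LDAP server's IP address and have /home mounted from an NFS export, but they do not state how the LDAP connection or the NFS mount is protected in transit, or how a client verifies that it is talking to the intended server. Add a sentence naming the intended transport settings, or point to the edubuntu-auth-server spec if they are decided there.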
  • Launchpad entry: edubuntu-network-auth-client

  • Packages affected: authtool, libpam-mount, libpam-ldap, libnss-ldap, libpam-ccreds, edsadmin, gnome-control-center

Summary

Authenticating Edubuntu clients (workstations and LTSP servers) against an Edubuntu network auth server.

Rationale

To provide centralized user management in a school using Edubuntu, an Edubuntu network authentication server is implemented. To authenticate against such a server a certain client setup is required. This spec outlines what will be done to achieve client authentication on Edubuntu LTSP servers and workstations.

Use cases

Will is an administrator at a high school. He previously ran an Edubuntu LTSP server in one classroom to test the functionality. Since the software convinced him, he will now set up his whole school with Edubuntu and set up an Edubuntu network authentication server where he maintains the students' accounts for the whole school and their home directories. After he has installed the edubuntu-auth-client metapackage on all his workstations and LTSP servers, all his students log in via the centralized service without problems.

Scope

Authentication against an Edubuntu network auth server that works out of the box.

Design and Implementation

A metapackage called edubuntu-auth-client will be created. It will depend on https://launchpad.net/people/ajmitch/+branch/network-authentication/authtool (which will provide the basic authentication functionality) as well as on libpam-mount, libpam-ldap, libnss-ldap and libpam-ccreds.

The libpam-mount, libpam-ldap, libnss-ldap and libpam-ccreds packages will move to main.

A dependency on the edsadmin package (handled in edubuntu-auth-server) will be created. In the postinst of the edubuntu-auth-client package, the menu entry of the users-admin tool shipped by gnome-system-tools will be disabled to avoid the confusion of having two user management tools.

The postinst of edubuntu-auth-client will ask for the desired domain name and for the IP address of the LDAP server and preseed the authtool debconf values with them.

The Edubuntu CD will get a new networked-workstation preseed file that pulls in the edubuntu-auth-client package. This way the user will still have the option to install a complete standalone workstation.

Edubuntu LTSP server installs will install the edubuntu-auth-client by default.

Mounting /home requires an NFS export on the authentication server; edubuntu-auth-server will take care of this.

The password tool of the "About Me" application shipped by default in Ubuntu/Edubuntu will be enhanced to operate properly with the user's password on an LDAP server.

Unresolved issues

The pam-mount binary needs to be extended to read the user's home directory location from the LDAP server.

  • Is making it use libpam-ldap not enough? Does it do hardcoded stuff with /etc/passwd? --ColinWatson
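The distinction behind this unresolved issue, as an added example (not pam-mount's code and not part of the original spec): a lookup that parses a passwd file directly sees only local accounts, while a lookup through NSS also returns accounts served by libnss-ldap. The file name `passwd.sample` and the account `student42` are constructed for the demonstration.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* A: hardcoded parse of a passwd-format file (name:pw:uid:gid:gecos:home:shell).
 * Finds only accounts listed in that file. Returns 0 on success, -1 otherwise. */
int home_from_file(const char *path, const char *user, char *out, size_t outlen)
{
    char line[1024];
    int rc = -1;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (rc != 0 && fgets(line, sizeof line, f)) {
        char *field[6] = {0}, *p = line;
        line[strcspn(line, "\n")] = '\0';
        for (int i = 0; i < 6 && p; i++) {   /* split the first six fields on ':' */
            field[i] = p;
            if ((p = strchr(p, ':')) != NULL) *p++ = '\0';
        }
        if (field[5] && strcmp(field[0], user) == 0 && strlen(field[5]) < outlen) {
            strcpy(out, field[5]);
            rc = 0;
        }
    }
    fclose(f);
    return rc;
}

/* B: ask NSS. getpwnam() consults every source configured for "passwd" in
 * /etc/nsswitch.conf, so LDAP accounts resolve once libnss-ldap is enabled. */
int home_from_nss(const char *user, char *out, size_t outlen)
{
    struct passwd *pw = getpwnam(user);
    if (!pw || strlen(pw->pw_dir) >= outlen) return -1;
    strcpy(out, pw->pw_dir);
    return 0;
}

int main(void)
{
    char home[256];
    FILE *f = fopen("passwd.sample", "w");   /* constructed: local accounts only */
    if (!f) return 1;
    fputs("teacher:x:1000:1000:Local Teacher:/home/teacher:/bin/bash\n", f);
    fclose(f);
    printf("file, LDAP-only user: %d\n", home_from_file("passwd.sample", "student42", home, sizeof home));
    printf("NSS, root: %d\n", home_from_nss("root", home, sizeof home));
    return 0;
}
```

On a client with libnss-ldap active, `getent passwd <user>` performs the same NSS lookup from the shell and is a quick check that an LDAP account's home directory resolves.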


CategorySpec CategoryEdubuntuSpec

Edubuntu/Specifications/NetworkAuthClient (last edited 2010-01-21 19:01:15 by 196-210-177-89-wblv-esr-3)