NetworkAuthServer

Differences between revisions 6 and 17 (spanning 11 versions)
Revision 6 as of 2006-11-05 21:00:35
Size: 3286
Editor: 207
Comment:
Revision 17 as of 2010-01-21 19:00:02
Size: 4687
Editor: 196-210-177-89-wblv-esr-3
Comment: Moved page to appropriate namespace
Line 1: Line 1:
## page was renamed from EdubuntuNetworkAuthServer
Line 6: Line 7:
 * '''Launchpad entry''': https://features.launchpad.net/distros/ubuntu/+spec/edubuntu-network-auth-server  * '''Launchpad entry''': UbuntuSpec:edubuntu-network-auth-server
Line 11: Line 12:
Many schools we wish to deploy to manage their users and groups using LDAP. Currenly, Edubuntu doesn't fit into these environments easily, because we don't have automatic installation of tools that will enable this. If we wish to make a dent in these markets, we'll need this functionality. Integrate network authentication by default into edubuntu servers.
Line 15: Line 16:
 * sbalneav, ogra, moquist, rwiederman, eharrison, rnovo, pschroeder, dtrask, jhaltom , jammcq, amitchell, stgraber (VOIP)  * sbalneav, ogra, moquist, RichEd, eharrison, rodarvus, pips1, dtrask, wasabi , jammcq, ajmitch, stgraber (VOIP)
Line 19: Line 20:
Many schools wish to manage their users and groups using LDAP. Currently, Edubuntu doesn't fit into these environments easily, because we don't have automatic installation of tools that will enable this. If we wish to make a dent in these markets, we'll need this functionality.
Line 21: Line 24:
 * Dave  * Dave Trask manages a single-building K-8 school network. His principal gives him a list of students, and he installs Edubuntu Authentication Services (EAS) and uses [[[http://majen.net/smbldap|smbldap-useradd-bulk]]] to create user accounts in one fell swoop.

 * Scottie administers a school with 2000 users, and he needs more than one Edubuntu/LTSP server to handle the workload. Scottie installs EAS and sets other Edubuntu/LTSP servers to authenticate there, and all users have single-sign on with centralized home directories. Job done!

 * Mabel runs a heterogeneous network including Ubuntu, Windows, and Mac workstations. When an EAS server is in place, a user can sit down at any workstation and log in with the same username and password, and access the same home directory.
Line 24: Line 31:
 * provide single-sign on services for Linux/Windows/Mac OOTB
 * provide at least basic failover (e.g., OpenLDAP Master/Slave)
 * provide
GUI user managment

* provide single sign-on services for Linux/Windows/Mac OOTB
 * provide GUI user management
Line 29: Line 36:
Packages: == Packages affected ==
Line 31: Line 39:
 * slapd/FDS(?)  * slapd
Line 35: Line 43:
 * samba
Line 36: Line 45:
== Design == == Design and Implementation ==
Line 38: Line 47:
Properly integrate smbldap-tools which is used widely in k12LTSP setups for user and group management into edubuntu.

Package and install http://edsadmin.sourceforge.net/ as maintenance tool for the above server setup.


== Implementation ==

=== Code ===
 * Move smbldap-tools (which is used widely in k12LTSP setups for user and group management) to main.
 * moquist has done much work on smbldap-installer, which installs and configures smbldap-tools with openLDAP -- prepend useradd, groupadd, passwd, etc. with smbldap-, and CLI user management works as per normal. We will integrate smbldap-tools into edubuntu so it works out of the box.
 * Package and install http://edsadmin.sourceforge.net/ as GUI maintenance tool for the above server setup.
 * Create a configuration metapackage called edubuntu-auth-server which depends on the above listed packages and properly configures smbldap in Edubuntu.
 * Hide the usual user-management GUI tools from the menus and put edsadmin in their place through the postinst script of our config metapackage.
  * Use preseeding for the dependent packages where possible (libnss-ldap, libpam-ldap)
  * For the packages where preseeding isn't possible or desired (i.e. slapd and samba) the package will have an /etc/edubuntu-auth-server dir. Config files in this directory will override the default configuration (i.e. the initscript of slapd will be modified to use the slapd.conf file from this directory if it exists instead of its default file... very much like /etc/ltsp/dhcpd.conf does for dhcp3-server)
 * For caching, we'll make sure nscd is installed.
 * For now, we'll only concern ourselves with dealing with other Edubuntu (smbldap-tools+{openLDAP,FDS}) servers. Feisty+1 we'll deal with true enterprise-level server considerations (e.g., failover) and AD integration or switch to the solution the ubuntu-directory team will provide by then (plan is to operate as guinea-pig for the directory team with our setup so they have experience data to base their server implementation on).
 * The e-a-s package will have a preseedable debconf option to set the domain name, this question needs to have the necessary priority to be asked in the installer.
 * A crontab entry will be put into /etc/cron.d which backs up the ldap database on a regular base.
 * /home will be added to /etc/exports on the server to provide the NFS mounts to the e-a-s clients.
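Review bot: the bullet adding /home to /etc/exports does not say which hosts the export is limited to or which options it carries, so as written every home directory could be exported without restriction; name the client network the entry is restricted to and state that root squashing stays on. The cron backup bullet in the same list has a similar gap: an LDAP dump contains the password hashes, so the spec should say where the dump is written and that it is readable by root only.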
Line 49: Line 62:
 * A script will be shipped in the /usr/share/doc/e-a-s/examples dir to easily migrate an existing /etc/passwd, shadow and group into an installed EAS.
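Review bot: the migration-script bullet takes /etc/passwd, shadow and group wholesale and does not say which entries are carried over; state that system accounts (root and service users) stay local and how locked or passwordless shadow entries are treated, so the script does not publish them through the directory.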
Line 51: Line 66:
== Use Cases ==

 * Dave Trask manages a single-building K-8 school network. His principal gives him a list of students, and he installs Edubuntu Authentication Services (EAS) and uses [[http://majen.net/smbldap smbldap-useradd-bulk]] to create user accounts in one fell swoop.

* Scottie administers a school with 2000 users, and he needs more than one Edubuntu/LTSP server to handle the workload. Scottie installs EAS and sets other Edubuntu/LTSP servers to authenticate there, and all users have single-sign on with centralized home directories. Job done!

* Mabel runs a heterogeneous network including Ubuntu, Windows, and Mac workstations. When an EAS server is in place, a user can sit down at any workstation and log in with the same username and password, and access the same home directory.

* Nikita administers the network for a school district with three buildings connected via a WAN.

== BoF agenda and discussion ==

BoF Notes:

 * moquist has done much work on smbldap-installer, which installs and configures smbldap-tools with openLDAP. Prepend useradd, group tools with smbldap-, and CLI user management works as per normal. Goal will be to integrate smbldap-tools into edubuntu so it works out of the box.

 * For caching, we'll want to make sure nscd is installed.

 * For now, we'll only concern ourselves with dealing with other Edubuntu (smbldap-tools/openLDAP) servers. Feisty+1 we'll deal with true enterprise-level server considerations (e.g., failover) and AD integration.

* We may consider FDS instead of OpenLDAP; needs much discussion.
 * We may consider FDS instead of OpenLDAP for later releases; this will need discussion for Feisty+1.
Line 76: Line 70:
CategoryEdubuntuSpec

Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

Summary

Integrate network authentication by default into Edubuntu servers.

Attendees

  • sbalneav, ogra, moquist, RichEd, eharrison, rodarvus, pips1, dtrask, wasabi, jammcq, ajmitch, stgraber (VOIP)

Rationale

Many schools wish to manage their users and groups using LDAP. Currently, Edubuntu doesn't fit into these environments easily, because we don't have automatic installation of tools that will enable this. If we wish to make a dent in these markets, we'll need this functionality.

Use cases

  • Dave Trask manages a single-building K-8 school network. His principal gives him a list of students, and he installs Edubuntu Authentication Services (EAS) and uses smbldap-useradd-bulk to create user accounts in one fell swoop.

  • Scottie administers a school with 2000 users, and he needs more than one Edubuntu/LTSP server to handle the workload. Scottie installs EAS and sets other Edubuntu/LTSP servers to authenticate there, and all users have single sign-on with centralized home directories. Job done!
  • Mabel runs a heterogeneous network including Ubuntu, Windows, and Mac workstations. When an EAS server is in place, a user can sit down at any workstation and log in with the same username and password, and access the same home directory.

Scope

  • provide single sign-on services for Linux/Windows/Mac OOTB
  • provide GUI user management
  • provide a single home directory for each user that can be accessed from any Linux/Windows/Mac client

Packages affected

  • smbldap-tools
  • slapd
  • nscd
  • libnss-ldap
  • libpam-ldap
  • samba

Design and Implementation

  • Move smbldap-tools (which is used widely in k12LTSP setups for user and group management) to main.
  • moquist has done much work on smbldap-installer, which installs and configures smbldap-tools with OpenLDAP: prefix useradd, groupadd, passwd, etc. with smbldap-, and CLI user management works as per normal. We will integrate smbldap-tools into Edubuntu so it works out of the box.
  • Package and install http://edsadmin.sourceforge.net/ as GUI maintenance tool for the above server setup.

  • Create a configuration metapackage called edubuntu-auth-server which depends on the above listed packages and properly configures smbldap in Edubuntu.
  • Hide the usual user-management GUI tools from the menus and put edsadmin in their place through the postinst script of our config metapackage.
    • Use preseeding for the dependent packages where possible (libnss-ldap, libpam-ldap)
    • For the packages where preseeding isn't possible or desired (i.e. slapd and samba), the package will have an /etc/edubuntu-auth-server directory. Config files in this directory will override the default configuration (for example, the initscript of slapd will be modified to use the slapd.conf file from this directory, if it exists, instead of its default file, very much like /etc/ltsp/dhcpd.conf does for dhcp3-server).
  • For caching, we'll make sure nscd is installed.
  • For now, we'll only concern ourselves with other Edubuntu (smbldap-tools+{openLDAP,FDS}) servers. In Feisty+1 we'll deal with true enterprise-level server considerations (e.g., failover) and AD integration, or switch to the solution the ubuntu-directory team will provide by then (the plan is to act as a guinea pig for the directory team with our setup, so they have experience data to base their server implementation on).
  • The e-a-s package will have a preseedable debconf option to set the domain name; this question needs a priority high enough to be asked in the installer.
  • A crontab entry will be put into /etc/cron.d which backs up the LDAP database on a regular basis.
  • /home will be added to /etc/exports on the server to provide the NFS mounts to the e-a-s clients.

Data preservation and migration

  • A script will be shipped in the /usr/share/doc/e-a-s/examples dir to easily migrate an existing /etc/passwd, shadow and group into an installed EAS.
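
Added example (not the script from this spec or from any Edubuntu package): one way such a migration can turn passwd, shadow and group into LDIF while keeping system and locked accounts out of the directory. The suffix dc=example,dc=org, the ou=Users/ou=Groups layout, the UID range and all sample entries are assumptions.

```python
import base64, re

BASE_DN = "dc=example,dc=org"   # placeholder suffix; ou=Users / ou=Groups are assumed too
UID_RANGE = range(1000, 60000)  # assumption: human accounts only (no root, daemons, nobody)
NAME_OK = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # names that need no DN escaping
# Constructed sample input, not taken from a real system.
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "alice:x:1001:1001:Alice Müller,,,:/home/alice:/bin/bash\n"
          "bob:x:1002:1002:Bob:/home/bob:/bin/bash\n"
          "mal,formed:x:1003:1003::/home/mal:/bin/sh\n")
SHADOW = "alice:$6$salt$alicehash:19000:0:99999:7:::\nbob:!$6$salt$bobhash:19000:0:99999:7:::\n"
GROUP = "root:x:0:\nteachers:x:1500:alice,root\n"

def rows(text, nfields):  # passwd-style text -> field lists, minus comments and NIS +/- lines
    return [l.split(":") for l in text.splitlines()
            if l and l[0] not in "#+-" and l.count(":") >= nfields - 1]

def attr(name, value):
    """One LDIF line; a value that is not an RFC 2849 SAFE-STRING is base64-encoded."""
    safe = value.isascii() and value == value.strip() and not re.search(r"^[:<]|[\r\n\0]", value)
    b64 = base64.b64encode(value.encode()).decode()
    return f"{name}: {value}" if safe else f"{name}:: {b64}"

def wanted(name, num):
    return num.isascii() and num.isdigit() and int(num) in UID_RANGE and bool(NAME_OK.match(name))

def migrate(passwd, shadow, group):
    """Return (ldif_text, skipped_account_names) for the three files given as strings."""
    hashes = {f[0]: f[1] for f in rows(shadow, 2)}
    entries, users, skipped = [], set(), []
    for name, _, uid, gid, gecos, home, shell in (f[:7] for f in rows(passwd, 7)):
        if not (wanted(name, uid) and gid.isascii() and gid.isdigit() and home):
            skipped.append(name)
            continue
        users.add(name)
        e = [f"dn: uid={name},ou=Users,{BASE_DN}", "objectClass: account",
             "objectClass: posixAccount", "objectClass: shadowAccount", attr("uid", name),
             attr("cn", gecos.split(",")[0] or name), f"uidNumber: {uid}", f"gidNumber: {gid}",
             attr("homeDirectory", home), attr("loginShell", shell or "/bin/sh")]
        if hashes.get(name, "!")[:1] not in ("", "!", "*"):  # locked/empty: no password
            e.append(attr("userPassword", "{CRYPT}" + hashes[name]))
        entries.append("\n".join(e))
    for name, _, gid, members in (f[:4] for f in rows(group, 4)):
        if wanted(name, gid):
            e = [f"dn: cn={name},ou=Groups,{BASE_DN}", "objectClass: posixGroup",
                 attr("cn", name), f"gidNumber: {gid}"]
            e += [attr("memberUid", m) for m in members.split(",") if m in users]
            entries.append("\n".join(e))
    return "\n\n".join(entries) + "\n", skipped
```

The returned LDIF can be loaded with ldapadd. Samba NT hashes cannot be derived from crypt hashes, so Windows logins for migrated users need a password reset.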

Unresolved issues

  • We may consider FDS instead of OpenLDAP for later releases; this will need discussion for Feisty+1.


CategorySpec CategoryEdubuntuSpec

Edubuntu/Specifications/NetworkAuthServer (last edited 2010-01-21 19:00:02 by 196-210-177-89-wblv-esr-3)