Ubuntu Wiki

Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

• Launchpad entry: https://features.launchpad.net/distros/ubuntu/+spec/edubuntu-network-auth-server

• Packages affected: edubuntu-server

Summary

Many schools we wish to deploy to manage their users and groups using LDAP. Currenly, Edubuntu doesn't fit into these environments easily, because we don't have automatic installation of tools that will enable this. If we wish to make a dent in these markets, we'll need this functionality.

Attendees

• sbalneav, ogra, moquist, rwiederman, eharrison, rnovo, pschroeder, dtrask, jhaltom , jammcq, amitchell, stgraber (VOIP)

Rationale

Use cases

• Dave Trask manages a single-building K-8 school network. His principal gives him a list of students, and he installs Edubuntu Authentication Services (EAS) and uses http://majen.net/smbldap smbldap-useradd-bulk to create user accounts in one fell swoop.

• Scottie administers a school with 2000 users, and he needs more than one Edubuntu/LTSP server to handle the workload. Scottie installs EAS and sets other Edubuntu/LTSP servers to authenticate there, and all users have single-sign on with centralized home directories. Job done!
• Mabel runs a heterogeneous network including Ubuntu, Windows, and Mac workstations. When an EAS server is in place, a user can sit down at any workstation and log in with the same username and password, and access the same home directory.
• Nikita administers the network for a school district with three buildings connected via a WAN. Nikita sets up an EAS master in the largest school and an EAS slave in each other school. Users can move from building to building and continue to use the same usernames, passwords, and home directories.

Scope

• provide single-sign on services for Linux/Windows/Mac OOTB
• provide at least basic failover (e.g., OpenLDAP Master/Slave)
• provide GUI user managment
• provide a single home directory for each user that can be accessed from any Linux/Windows/Mac client

Packages affected

• smbldap-tools
• slapd/FDS(?)
• nscd
• libnss-ldap
• libpam-ldap

Design

Properly integrate smbldap-tools which is used widely in k12LTSP setups for user and group management into edubuntu.

Package and install http://edsadmin.sourceforge.net/ as maintenance tool for the above server setup.

Implementation

• Current gui administration tools use command line useradd, usermod, etc, for the backend.
• modify smbldap-tools to be command line compatible with the existing tools.
• Move useradd, usermod to the /etc/alternatives system.
• Changing backends can then be handled by update-alternatives.

Code

• To be discussed.

Data preservation and migration

• It would be nice to have a way to easily migrate an existing /etc/passwd, shadow and group into an installed EAS.

Unresolved issues

• We may consider FDS instead of OpenLDAP; needs much discussion.

BoF agenda and discussion

BoF Notes:

• moquist has done much work on smbldap-installer, which installs and configures smbldap-tools with openLDAP. Prepend useradd, group tools with smbldap-, and CLI user management works as per normal. Goal will be to integrate smbldap-tools into edubuntu so it works out of the box.
• For caching, we'll want to make sure nscd is installed.
• For now, we'll only concern ourselves with dealing with other Edubuntu (smbldap-tools+{openLDAP,FDS}) servers. Feisty+1 we'll deal with true enterprise-level server considerations (e.g., failover) and AD integration.

CategorySpec