Summary

NSS (Name Service Switch) is provided by the base libc libraries and supplies POSIX-defined elements (passwd, group, shadow, host) to applications. To introduce the concept of remote users to systems, extensions are added to NSS that retrieve the required user information from remote sources.

Release Note

Rationale

Integrating an Ubuntu system into an existing infrastructure requires installing different sets of packages in order to enable authentication and directory lookups. This process could be streamlined by asking for the relevant information while installing and configuring the system.

Use Cases

Design

nss_ldap

nss_ldap is used to retrieve name services information from a remote LDAP server.

nss-ldapd is a fork of nss_ldap that splits the nss_ldap library into two parts: a daemon that connects to the LDAP server and does all the requests, and a thin NSS connector that passes requests to the daemon through a socket. The package is available in universe.

During UDS there was some talk about integrating nss_ldap into openldap and using slapd as the daemon. Howard Chu started to work on this:

winbind

winbind resolves the identity of users and groups by contacting domain controllers and allocates UIDs and GIDs.

It provides an NSS module and can use multiple backends to store its ID mapping information: tdb, ldap.

likewise-open

likewise-open is based on winbind and provides more functionality.

auth-client-config

auth-client-config can be used to centralize PAM and NSS configuration in one location. Currently, the following profiles are available by default:

Other packages can drop profiles in /etc/auth-client-config/profile.d/ to make them available to auth-client-config.

Implementation

nss_ldap

Package the nss_ldap overlay once it's available in contrib. Look into moving nss_ldap into universe and replacing it with either nss_ldapd or the openldap nss_ldap overlay.

Installing an nss_ldap overlay would run a local slapd daemon in caching mode. Packaging it depends on the cn=config migration of openldap.

auth-client-config

Check whether the PAM and NSS libraries that a profile is about to enable are available on the system. If not, list the packages that should be installed to get the profile applied.
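One way the NSS half of this check could work, as an added example that is not auth-client-config's own code: it reads the nsswitch.conf lines a profile would install and reports every referenced service whose libnss_<service>.so.2 module is absent. The profile text, the service-to-package map, the library directories and the set of services treated as shipped with libc are all assumptions made for the example; PAM modules are not checked.

```python
import os
import re

# Assumption: these services ship with libc itself and need no extra package.
BUILTIN = {"files", "dns", "compat"}
# Assumption: typical library directories; adjust for the target architecture.
DEFAULT_LIB_DIRS = ("/lib", "/usr/lib", "/lib/x86_64-linux-gnu",
                    "/usr/lib/x86_64-linux-gnu")

# Constructed sample of the nsswitch.conf lines a profile might install.
SAMPLE_PROFILE = """\
# constructed sample, not a shipped profile
passwd: files ldap winbind
group:  files ldap winbind
shadow: files ldap
hosts:  files mdns4_minimal [NOTFOUND=return] dns
"""
# Illustrative service -> package map (hypothetical input to the check).
SAMPLE_PACKAGES = {"ldap": "libnss-ldap", "winbind": "winbind",
                   "mdns4_minimal": "libnss-mdns"}


def nss_services(nsswitch_text):
    """Return the set of service names referenced by nsswitch.conf text."""
    services = set()
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments
        if ":" not in line:
            continue
        sources = line.split(":", 1)[1]
        sources = re.sub(r"\[[^\]]*\]", " ", sources)  # drop [STATUS=action]
        services.update(sources.split())
    return services


def module_present(service, lib_dirs):
    """glibc loads service 'X' from a shared object named libnss_X.so.2."""
    name = "libnss_%s.so.2" % service
    return any(os.path.isfile(os.path.join(d, name)) for d in lib_dirs)


def missing_packages(nsswitch_text, package_map, lib_dirs=DEFAULT_LIB_DIRS):
    """Map each referenced service whose module is absent to its package."""
    missing = {}
    for service in sorted(nss_services(nsswitch_text) - BUILTIN):
        if not module_present(service, lib_dirs):
            missing[service] = package_map.get(service, "<unknown package>")
    return missing


if __name__ == "__main__":
    for service, package in missing_packages(SAMPLE_PROFILE, SAMPLE_PACKAGES).items():
        print("NSS service %s needs package %s" % (service, package))
```

Running the check before a profile is written matters because an nsswitch.conf entry that names a missing module makes lookups for remote users fail without an obvious error.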

Improve logging infrastructure:

Document the usage of auth-client-config in the Ubuntu Server Guide.

Test/Demo Plan

Test integration in an LDAP environment and an AD environment.

Documentation

Add a section about Network Authentication in the Ubuntu Server Guide.

Outstanding Issues

BoF agenda and discussion



NameServicesIntegration (last edited 2008-08-06 16:19:40 by localhost)