## (see the SpecSpec for an explanation)

== Summary ==

## This should provide an overview of the issue/functionality/change proposed here. Focus here on what will actually be DONE, summarising that so that other people don't have to read the whole spec. See also CategorySpec for examples.

NSS (Name Service Switch) is provided by the base libc libraries and is used to provide the POSIX-defined databases to applications (passwd, group, shadow, hosts). To introduce the concept of remote users to systems, extensions are added to NSS which retrieve the required user information from remote sources.

== Release Note ==

## This section should include a paragraph describing the end-user impact of this change. It is meant to be included in the release notes of the first release in which it is implemented. (Not all of these will actually be included in the release notes, at the release manager's discretion; but writing them is a useful exercise.)
## It is mandatory.

== Rationale ==

## This should cover the _why_: why is this change being proposed, what justifies it, where we see this justified.

Integrating an Ubuntu system into an existing infrastructure requires installing different sets of packages in order to enable authentication and directory lookups. This process could be streamlined by asking for the relevant information while installing and configuring the system.

== Use Cases ==

 * Janice installed Ubuntu Server into her existing network. By running one command she enables the system to recognize and accept users located in the existing LDAP directory.
 * Ken deploys dozens of workstations for the engineering team and uses a single command to configure the system to authenticate against the existing AD.

== Design ==

## You can have subsections that better describe specific parts of the issue.

=== nss_ldap ===

nss_ldap is used to retrieve name service information from a remote LDAP server.
[[http://ch.tudelft.nl/~arthur/nss-ldapd/|nss-ldapd]] is a fork of nss_ldap: it splits the nss_ldap library into two parts, a daemon that connects to the LDAP server and performs all the requests, and a thin NSS connector that passes requests to the daemon through a socket. The package is available in universe.

During UDS there was some talk about integrating nss_ldap into openldap and using slapd as the daemon. Howard Chu [[http://www.mail-archive.com/openldap-devel@openldap.org/msg02792.html|started to work on this]]:

 On a separate topic, I've been slowly rewriting nss-ldapd as a slapd overlay (in between technical sessions at the Summit). This will also be showing up in contrib soon. With this approach, we can eliminate all the libldap/libldap_r/version dependencies that currently plague the usual nss-ldap implementation (and nss-ldapd already does that). Plus, we can not only have direct NSS mapping into local slapd databases, but with back-ldap, pcache, and/or translucent, we can also provide excellent NSS performance from a remote LDAP server, as well as locally cached credentials for disconnected host operation.

=== winbind ===

winbind resolves the identity of users and groups by contacting domain controllers and allocates UIDs and GIDs. It provides an NSS module and can use multiple backends to store its ID mapping information: tdb, ldap.

=== likewise-open ===

likewise-open is based on winbind and provides more functionality.

=== auth-client-config ===

auth-client-config can be used to centralize PAM and NSS configuration in one location. Currently, the following profiles are available by default:

 * kerberos_example
 * ldap_example

Other packages can drop profiles in /etc/auth-client-config/profile.d/ to make them available to auth-client-config.

== Implementation ==

## This section should describe a plan of action (the "how") to implement the changes discussed.
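The package availability check and logging improvements proposed for auth-client-config in this section, as an added example (not code from auth-client-config or from this spec): it parses a profile in the assumed nss_*/pam_* key layout, scans library directories for the NSS modules that are actually installed, and reports the missing ones through the python logging module, with optional syslog output. The profile text, the key names and the library paths are constructed for the example.

```python
import configparser
import logging
import os
import re
from logging.handlers import SysLogHandler

# Constructed sample profile; the nss_*/pam_* key layout is assumed from auth-client-config.
SAMPLE_PROFILE = """
[ldap_example]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: nis
pam_auth=auth sufficient pam_ldap.so
"""

def nss_modules(profile_text, profile_name):
    """Return the set of NSS module names referenced by the profile's nss_* keys."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(profile_text)
    modules = set()
    for key, value in cp[profile_name].items():
        if not key.startswith("nss_"):
            continue
        # A value looks like "passwd: files ldap"; keep only the source list.
        sources = value.partition(":")[2]
        # nsswitch.conf action tokens such as [NOTFOUND=return] are not modules.
        modules.update(tok for tok in sources.split() if not tok.startswith("["))
    return modules

def installed_nss_modules(lib_dirs):
    """Scan library directories for libnss_<name>.so.2 and return the names found."""
    found = set()
    for d in filter(os.path.isdir, lib_dirs):
        for fname in os.listdir(d):
            m = re.fullmatch(r"libnss_(\w+)\.so\.2", fname)
            if m:
                found.add(m.group(1))
    return found

def missing_nss_modules(profile_text, profile_name, installed, syslog=False):
    """Modules the profile needs that are not installed; each one is logged as a warning."""
    log = logging.getLogger("auth-client-config")
    if syslog and not log.handlers:  # syslog output as the spec proposes; /dev/log assumed
        log.addHandler(SysLogHandler(address="/dev/log"))
    missing = nss_modules(profile_text, profile_name) - installed
    for name in sorted(missing):
        log.warning("profile %s needs NSS module %s but libnss_%s.so.2 is not installed",
                    profile_name, name, name)
    return missing
```

On a real host, pass the result of installed_nss_modules over the system library directories (for example /lib and /usr/lib) as the installed set; the PAM side of the check is not covered here.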
## Could include subsections like:

==== nss_ldap ====

Package the nss_ldap overlay once it's available in contrib. Look into moving nss_ldap into universe and replacing it with either nss_ldapd or the openldap nss_ldap overlay. Installing the nss_ldap overlay would run a local slapd daemon in caching mode. Packaging it depends on the cn=config migration of openldap.

==== auth-client-config ====

Check if the PAM and NSS libraries referenced by the profile about to be applied are available on the system. If not, list the packages that should be installed to get the profile applied.

Improve the logging infrastructure:

 * use the python logging module
 * add syslog support (for automated installation and configuration).

Document the usage of auth-client-config in the Ubuntu Server Guide.

== Test/Demo Plan ==

## It's important that we are able to test new features, and demonstrate them to users. Use this section to describe a short plan that anybody can follow that demonstrates the feature is working. This can then be used during testing, and to show off after release.
## This need not be added or completed until the specification is nearing beta.

Test integration in an LDAP environment and an AD environment.

== Documentation ==

Add a section about Network Authentication to the Ubuntu Server Guide.

== Outstanding Issues ==

## This should highlight any issues that should be addressed in further specifications, and not problems with the specification itself; since any specification with problems cannot be approved.

== BoF agenda and discussion ==

## Use this section to take notes during the BoF; if you keep it in the approved spec, use it for summarising what was discussed and note any options that were rejected.

----
CategorySpec