NetworkAuthentication
Differences between revisions 1 and 14 (spanning 13 versions)
Line 8: | Line 8: |
* Priority: NeedsPriority * People: NeedsLead, NeedsSecond |
* Priority: MediumPriority * People: MatthiasKloseLead, JimMcQuillanSecond, ShahmsKing |
Line 11: | Line 11: |
* Interested: | * Interested: EricHarrison |
Line 22: | Line 22: |
Network Authentication – LDAP, AD etc Directory Integration | Network Authentication -- LDAP, AD, NIS, NIS+ Directory Integration |
Line 29: | Line 30: |
* Network auth on the client seems to be doable for breezy * add tool the configure nsswitch.conf * make sure the needed packages for an authentication method are installed on the system * questions to configure the auth method are not at with Ubuntu's default priority |
|
Line 40: | Line 46: |
* Client Config * authconfig/libuser or equivalent? * Fedora tool, but the only Fedora-only pieces should be minimal and easily portable. * Fedora-specific parts should be restricted to pam_stack which is a relatively straightforward port to pam.d/common-* * Doesn't fit in well with Debian policy as it modifies config files from many, many packages * Porting might be useful as a short-term solution * At the very least is useful as an implementation guide or roadmap for knowing which files need to be modified for each method * start nscd * Authentication * modify pam.d/common-* * modify backend-specific files * LDAP, AD, eDirectory: /etc/ldap.conf * NIS, NIS+ * Kerberos * Winbind * Authorization and user information * modify nsswitch.conf * backend-specifc config files should be the same as for authentication * LDAP, AD, eDirectory: /etc/ldap.conf * NIS, NIS+ * Winbind * Hesiod * Fedora has this, but it's an ugly DNS hack and can probably be dropped. * Server Config * some scripts * graphical front ends * directory-administrator * ... * Not implementable in Breezy timeframe, possibly Breezy+1 * Should be split into its own BOF * NIS/YP might be doable by Breezy, but should be killed off * NIS+? * Kerberos? * Winbind/Samba are currently shipped but can be a configuration nightmare (but see below) * LDAP: currently the only option is OpenLDAP which is ridiculously hard to configure. * The biggest problem is that it doesn't ship with sane defaults, or really any defaults. Adding good defaults to the slapd package is the low-hanging fruit for this. * RedHat will be releasing the Netscape Directory Server code as GPL? "Real Soon Now(tm)" which might be a better alternative. * Samba4 will also have their own LDAP server as it is required for the Active Directory stuff they want to do. This will likely make configuring both LDAP and Samba/Winbind significantly easier. * Both Netscape Directory Server and Samba4 "indefinite future releases". |
NetworkAuthentication
Status
Created: Date(2005-04-25T05:47:19Z) by JaneW
Priority: MediumPriority
People: MatthiasKloseLead, JimMcQuillanSecond, ShahmsKing
- Contributors: JaneW
Interested: EricHarrison
Status: BrainDump, BreezyGoal, UduBof, DistroSpecification, NewSpec
- Branch:
- Malone Bug:
- Packages:
- Depends:
- Dependents:
UduSessions: 1, 4, 8, etc
Introduction
Network Authentication -- LDAP, AD, NIS, NIS+ Directory Integration
Rationale
Scope and Use Cases
Implementation Plan
- Network auth on the client seems to be doable for breezy
- add a tool to configure nsswitch.conf
- make sure the needed packages for an authentication method are installed on the system
- questions to configure the auth method are not asked at Ubuntu's default priority
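A sketch of the nsswitch.conf step from the plan above, as an added example that is not part of the original spec. The function names, the choice of the passwd/group/shadow databases, the `ldap` source name and the sample file are assumptions made for illustration.

```python
import re

# Databases a directory backend normally serves (assumption of this example).
DATABASES = ("passwd", "group", "shadow")

# Constructed sample resembling a default nsswitch.conf; not taken from the spec.
SAMPLE = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         compat
group:          compat
shadow:         compat

hosts:          files dns
"""

def add_nss_source(conf_text, source, databases=DATABASES):
    """Return nsswitch.conf text with `source` appended to each listed database.

    Idempotent. Comments, blank lines and other databases are left untouched.
    Existing sources stay first, so local accounts such as root are still
    looked up locally before the directory is consulted.
    """
    seen, out = set(), []
    for line in conf_text.splitlines():
        m = re.match(r"^(\s*)([A-Za-z_]+)\s*:(.*)$", line)
        if m and m.group(2) in databases:
            body, sep, comment = m.group(3).partition("#")
            tokens = body.split()
            if source not in tokens:
                tokens.append(source)
            line = f"{m.group(1)}{m.group(2)}:".ljust(16) + " ".join(tokens)
            if sep:
                line += "  #" + comment  # keep a trailing comment
            seen.add(m.group(2))
        out.append(line)
    # A database with no line at all gets local files first, then the backend.
    for db in databases:
        if db not in seen:
            out.append(f"{db}:".ljust(16) + f"files {source}")
    return "\n".join(out) + "\n"

def sources_for(conf_text, database):
    """List the lookup sources configured for one database, in order."""
    for line in conf_text.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            return rest.partition("#")[0].split()
    return []
```

Working on the text rather than the file lets a packaging script show the result before writing it back, and rerunning it after a change of backend does not duplicate entries.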
Data Preservation and Migration
Packages Affected
User Interface Requirements
Outstanding Issues
UDU BOF Agenda
* Client Config
  - authconfig/libuser or equivalent?
    - Fedora tool, but the only Fedora-only pieces should be minimal and easily portable.
    - Fedora-specific parts should be restricted to pam_stack, which is a relatively straightforward port to pam.d/common-*
    - Doesn't fit in well with Debian policy as it modifies config files from many, many packages
    - Porting might be useful as a short-term solution
    - At the very least it is useful as an implementation guide or roadmap for knowing which files need to be modified for each method
  - start nscd
  - Authentication
    - modify pam.d/common-*
    - modify backend-specific files
      - LDAP, AD, eDirectory: /etc/ldap.conf
      - NIS, NIS+
      - Kerberos
      - Winbind
  - Authorization and user information
    - modify nsswitch.conf
    - backend-specific config files should be the same as for authentication
      - LDAP, AD, eDirectory: /etc/ldap.conf
      - NIS, NIS+
      - Winbind
      - Hesiod
        - Fedora has this, but it's an ugly DNS hack and can probably be dropped.
* Server Config
  - some scripts
  - graphical front ends
    - directory-administrator
    - ...
  - Not implementable in Breezy timeframe, possibly Breezy+1
  - Should be split into its own BOF
  - NIS/YP might be doable by Breezy, but should be killed off
  - NIS+?
  - Kerberos?
  - Winbind/Samba are currently shipped but can be a configuration nightmare (but see below)
  - LDAP: currently the only option is OpenLDAP, which is ridiculously hard to configure.
    - The biggest problem is that it doesn't ship with sane defaults, or really any defaults. Adding good defaults to the slapd package is the low-hanging fruit for this.
    - RedHat will be releasing the Netscape Directory Server code as GPL? "Real Soon Now(tm)" which might be a better alternative.
    - Samba4 will also have their own LDAP server as it is required for the Active Directory stuff they want to do. This will likely make configuring both LDAP and Samba/Winbind significantly easier.
    - Both Netscape Directory Server and Samba4 are "indefinite future releases".
UDU Pre-Work
NetworkAuthentication (last edited 2008-08-06 16:34:01 by localhost)