NetworkAuthentication
Differences between revisions 15 and 16
|
Size: 3512
Comment: Move to draft
|
Size: 3524
Comment: added myself to the "interested" list
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 11: | Line 11: |
| * Interested: EricHarrison | * Interested: EricHarrison, MattOquist |
NetworkAuthentication
Status
Created: Date(2005-04-25T05:47:19Z) by JaneW
Priority: MediumPriority
People: MatthiasKloseLead, JimMcQuillanSecond, ShahmsKing
- Contributors: JaneW
Interested: EricHarrison, MattOquist
Status: DraftSpecification, BreezyGoal, DistroSpecification
- Branch:
- Malone Bug:
- Packages:
- Depends:
- Dependents:
UduSessions: 1, 4, 8, etc
Introduction
Network Authentication -- LDAP, AD, NIS, NIS+ Directory Integration
Rationale
Scope and Use Cases
Implementation Plan
- Network auth on the client seems to be doable for breezy
- add tool to configure nsswitch.conf (base-files)
- make sure the needed packages for an authentication method are installed on the system, base-files cannot depend on all packages providing an auth method.
- all needed packages are already in main
- questions to configure the auth method are not asked when installing with Ubuntu's default priority
Data Preservation and Migration
Packages Affected
- base-files
- pam-* ???
- config files in packages like nis, ....
User Interface Requirements
Outstanding Issues
UDU BOF Agenda
* Client Config
- authconfig/libuser or equivalent?
- Fedora tool, but the only Fedora-only pieces should be minimal and easily portable.
- Fedora-specific parts should be restricted to pam_stack which is a relatively straightforward port to pam.d/common-*
- Doesn't fit in well with Debian policy as it modifies config files from many, many packages
- Porting might be useful as a short-term solution
- At the very least is useful as an implementation guide or roadmap for knowing which files need to be modified for each method
- start nscd
- Authentication
- modify pam.d/common-*
- modify backend-specific files
- LDAP, AD, eDirectory: /etc/ldap.conf
- NIS, NIS+
- Kerberos
- Winbind
- Authorization and user information
- modify nsswitch.conf
- backend-specifc config files should be the same as for authentication
- LDAP, AD, eDirectory: /etc/ldap.conf
- NIS, NIS+
- Winbind
- Hesiod
- Fedora has this, but it's an ugly DNS hack and can probably be dropped.
* Server Config
- some scripts
- graphical front ends
- directory-administrator
- ...
- Not implementable in Breezy timeframe, possibly Breezy+1
- Should be split into its own BOF
- NIS/YP might be doable by Breezy, but should be killed off
- NIS+?
- Kerberos?
- Winbind/Samba are currently shipped but can be a configuration nightmare (but see below)
- LDAP: currently the only option is OpenLDAP which is ridiculously hard to configure.
- The biggest problem is that it doesn't ship with sane defaults, or really any defaults. Adding good defaults to the slapd package is the low-hanging fruit for this.
RedHat will be releasing the Netscape Directory Server code as GPL? "Real Soon Now(tm)" which might be a better alternative.
- Samba4 will also have their own LDAP server as it is required for the Active Directory stuff they want to do. This will likely make configuring both LDAP and Samba/Winbind significantly easier.
- Both Netscape Directory Server and Samba4 "indefinite future releases".
UDU Pre-Work
NetworkAuthentication (last edited 2008-08-06 16:34:01 by localhost)