Launchpad Entry: server-karmic-directory-architecture
Created:
Contributors: MathiasGug
Packages affected:
Summary
This specification focuses on defining an architecture to provide user, group and host management in a centralized manner. A combination of MIT Kerberos, OpenLDAP and NTP with a default Ubuntu DIT is proposed, and the deployment tasks are outlined.
Release Note
Rationale
Managing users and groups in a corporate environment is usually done via a centralized, reliable infrastructure.
User stories
- Francis wants to provide a centralized infrastructure to manage user credentials. He installs a new system with Ubuntu Server Edition and deploys a new directory server.
 - Olaf wants to increase the redundancy of the directory infrastructure. He starts by installing a new Ubuntu Server and deploys a replica of the existing Directory service.
 
Assumptions
Design
Architecture
MIT kdc + openldap + ntp
Directory
Default DIT
https://launchpad.net/openldap-dit
- Group-based administration: access control through group membership.
- Each group has an Owner that can manage the group.
- Dynamic ACLs.
- Available schemas:

schema name (description)                                            | Freeipa 1.2.1 | openldap-dit (revno 30)
---------------------------------------------------------------------|---------------|------------------------
60ipaconfig.ldif (ipa configuration)                                 | X             |
60kerberos.ldif (Novell Kerberos Schema Definitions - MIT)           | X             |
krb5-kdc.schema (Definitions for a Kerberos V KDC schema - heimdal)  |               | X
kerberosobject.schema                                                |               | X
60radius.ldif (RADIUS attributes)                                    | X             |
samba (Samba user accounts and group maps in LDAP)                   | X             | X
core.schema                                                          |               | X
cosine.schema                                                        |               | X
corba.schema                                                         |               | X
inetorgperson.schema                                                 |               | X
java.schema                                                          |               | X
misc.schema                                                          |               | X
nis.schema                                                           |               | X
openldap.schema                                                      |               | X
autofs.schema                                                        |               | X
samba.schema                                                         |               | X
kolab.schema                                                         |               | X
evolutionperson.schema                                               |               | X
calendar.schema                                                      |               | X
sudo.schema                                                          |               | X
dnszone.schema                                                       |               | X
dhcp.schema                                                          |               | X
dyngroup.schema                                                      |               | X
ppolicy.schema                                                       |               | X
kde.schema                                                           |               | X
Resources: Schema Available in DS in IPA v1
NB: kerberos.schema from upstream krb5-1.7 has one more attribute than the kerberos.schema shipped with FreeIPA:
attributetype ( 1.2.840.113554.1.4.1.6.1
                 NAME 'krbCanonicalName'
                 EQUALITY caseExactIA5Match
                 SUBSTR caseExactSubstringsMatch
                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
                 SINGLE-VALUE)
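Added example, not from the spec or from either project's own tooling: a POSIX shell check that reports the attribute types one schema file defines and another does not, which is how a packager would confirm the difference described in the NB above. The two schema files are constructed fragments in slapd .schema syntax (the parser does not handle the LDIF form used by 60kerberos.ldif); only the krbCanonicalName OID comes from the text, the other OIDs are placeholders.

```shell
#!/bin/sh
# Added example (not part of the spec): list attribute types that one LDAP
# schema file defines and another does not. The two schema files below are
# constructed fragments; only the krbCanonicalName OID is from the text,
# the other OIDs are placeholders.
set -u
export LC_ALL=C    # same collation for sort and comm

UPSTREAM=$(mktemp)
FREEIPA=$(mktemp)
trap 'rm -f "$UPSTREAM" "$FREEIPA"' EXIT

# Constructed stand-in for the FreeIPA copy of kerberos.schema.
cat > "$FREEIPA" <<'EOF'
attributetype ( 1.3.6.1.4.1.99999.1.1
                 NAME 'krbPrincipalName'
                 EQUALITY caseExactIA5Match
                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.99999.1.2
                 NAME 'krbPrincipalKey'
                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
objectclass ( 1.3.6.1.4.1.99999.2.1
                 NAME 'krbPrincipal'
                 SUP top AUXILIARY
                 MUST ( krbPrincipalName )
                 MAY ( krbPrincipalKey ) )
EOF

# Constructed stand-in for the upstream krb5-1.7 copy: the same definitions
# plus the extra attribute quoted in the NB.
cp "$FREEIPA" "$UPSTREAM"
cat >> "$UPSTREAM" <<'EOF'
attributetype ( 1.2.840.113554.1.4.1.6.1
                 NAME 'krbCanonicalName'
                 EQUALITY caseExactIA5Match
                 SUBSTR caseExactSubstringsMatch
                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
                 SINGLE-VALUE)
EOF

# Print the NAME of every attributetype definition in $1, sorted, one per
# line. Object class NAMEs are skipped; a definition may span several lines.
attr_names() {
    awk -v q="'" '
        /^attributetype/ { in_attr = 1 }
        /^objectclass/   { in_attr = 0 }
        in_attr && match($0, "NAME " q "[^" q "]*" q) {
            print substr($0, RSTART + 6, RLENGTH - 7)   # drop NAME and quotes
            in_attr = 0                                  # one name per definition
        }
    ' "$1" | sort
}

# Attribute types defined in $1 but absent from $2.
schema_extra_attrs() {
    a=$(mktemp); b=$(mktemp)
    attr_names "$1" > "$a"
    attr_names "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

echo "in upstream but not in FreeIPA:"
schema_extra_attrs "$UPSTREAM" "$FREEIPA"
echo "in FreeIPA but not in upstream:"
schema_extra_attrs "$FREEIPA" "$UPSTREAM"
```

Run against the two real files (upstream `kerberos.schema` and the FreeIPA copy) the first list should contain only krbCanonicalName and the second should be empty; anything else means the schemas have diverged further than the NB records.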
overlays
- Uid generation:
  - nextUID generation overlay.
  - unique overlay (slapo-unique): make sure that UIDs are unique; the management tools must handle a failed entry creation when the UID already exists.
- Password synchronisation overlay: userPassword, Samba, MIT Kerberos.
 
KDC
MIT kdc uses openldap as its data store backend.
NTP
NTP installed on both master and replica.
Replication
OpenLDAP replica using syncrepl in MirrorMode, with the slapo-chain overlay (built on back-ldap) running on the local slapd to reroute write requests to the master.
Deployment
setupmaster task
- Install slapd
 - load default DIT
 - Install kdc
 - Configure kdc to use local slapd as the backend
 - Install ntp
 
setupreplica task
- Install slapd
 - Set up syncrepl in MirrorMode with the slapo-chain overlay to redirect writes to the master.
 - Install kdc
 - Configure kdc to use local slapd as the backend (??? and reroute password change requests to the master kdc ???)
 - Configure ntp
 
promotetomaster task
- Turn off slapo-chain overlay.
 - Enable kdc to accept password change requests.
 
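Added here as a worked example, not the spec's or openldap-dit's own code: a POSIX shell sketch of the configuration the three deployment tasks write, covering the replication design, the overlays section and the KDC backend above. It uses slapd.conf syntax rather than the cn=config LDIF form for readability. The suffix, hostnames, replicator DN and password, the cn=admins group and the owner/admin ACL are assumptions, as are the choice of slapo-unique for the uniqueness check and ldapi:/// for the KDC's connection to the local slapd.

```shell
#!/bin/sh
# Added example (not part of the spec): render the slapd.conf and kdc.conf
# fragments that the setupmaster, setupreplica and promotetomaster tasks
# would install. Hostnames, suffix, DNs and credentials are placeholders;
# a real task would take them as parameters and keep the secrets out of
# world-readable files.
set -u

SUFFIX='dc=example,dc=com'
REALM='EXAMPLE.COM'
MASTER_URI='ldap://master.example.com'
REPLICA_URI='ldap://replica.example.com'
REPL_DN="cn=replicator,$SUFFIX"
REPL_PW='replicator-secret'   # placeholder

# Global section. serverID tells the two MirrorMode peers apart; the chain
# overlay (built on back-ldap) goes on the replica only, so that write
# operations are forwarded to the master.
global_conf() {
    # $1 = serverID, $2 = "chain" to include the chain overlay
    printf 'serverID %s\n' "$1"
    if [ "${2:-}" = chain ]; then
        cat <<EOF
overlay chain
chain-uri "$MASTER_URI"
chain-idassert-bind bindmethod=simple binddn="$REPL_DN" credentials="$REPL_PW" mode=self
chain-return-error TRUE
EOF
    fi
}

# Database section: an owner/admin-group ACL in the spirit of the default
# DIT (assumed, not copied from openldap-dit), the unique overlay from the
# "overlays" section (uid, uidNumber and gidNumber collisions are rejected
# at commit time), and syncrepl from the peer in MirrorMode.
database_conf() {
    # $1 = the peer's URI
    cat <<EOF
database hdb
suffix "$SUFFIX"
access to dn.subtree="ou=Groups,$SUFFIX"
  by dnattr=owner write
  by group.exact="cn=admins,ou=Groups,$SUFFIX" write
  by * read
overlay unique
unique_uri ldap:///ou=People,$SUFFIX?uid?sub
unique_uri ldap:///ou=People,$SUFFIX?uidNumber?sub
unique_uri ldap:///ou=Groups,$SUFFIX?gidNumber?sub
syncrepl rid=001
  provider=$1
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="$SUFFIX"
  bindmethod=simple
  binddn="$REPL_DN"
  credentials="$REPL_PW"
mirrormode on
EOF
}

setupmaster_slapd_conf()  { global_conf 1; database_conf "$REPLICA_URI"; }
setupreplica_slapd_conf() { global_conf 2 chain; database_conf "$MASTER_URI"; }

# promotetomaster: the replica configuration without the chain overlay.
promotetomaster_slapd_conf() {
    setupreplica_slapd_conf | sed '/^overlay chain$/,/^chain-return-error/d'
}

# kdc.conf: point the MIT KDC at the local slapd over the ldapi socket.
kdc_conf() {
    cat <<EOF
[realms]
    $REALM = {
        database_module = openldap_ldapconf
    }
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbContainer,$SUFFIX
        ldap_kdc_dn = "cn=admin,$SUFFIX"
        ldap_kadmind_dn = "cn=admin,$SUFFIX"
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_servers = ldapi:///
    }
EOF
}

echo "### replica slapd.conf"; setupreplica_slapd_conf
echo "### after promotetomaster"; promotetomaster_slapd_conf
echo "### kdc.conf"; kdc_conf
```

Two things to verify when turning this into the real task. slapo-chain forwards an operation only when the local database answers it with a referral to the master, so the implementation has to settle how the replica's MirrorMode database, which can accept writes itself, is made to return one for write operations rather than apply them locally. And the KDC stanza only moves the principal store; which KDC accepts password changes (the "???" in setupreplica) is a separate kadmind/kpasswd decision not covered here.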
Implementation
Openldap overlays
- Set up the unique overlay (slapo-unique) for UIDs.
 - Port the smbkrb5 overlay to MIT Kerberos.
 - Port the FreeIPA dna slapi plugin to OpenLDAP.
 
Default DIT
- Package openldap-dit.
 
Deployment tasks
Deployment tasks can be provided as scripts or as manifests for a configuration management tool.
Configuration mgmt tool
- Provide a puppet manifest to take care of each task.
 
Scripts
- Package and update the freeipa development scripts.
 
Test/Demo Plan
Unresolved issues
BoF agenda and discussion
UDS discussion
= Directory Architecture =
 * Determine directory structure.
 
 * Integrate Kerberos
 
 * Make it easy to configure the server to be either a master or a slave.
  * Cache by default; partial replication on clients will be discussed during the client integration discussion.
  
 * How to integrate DHCP, DNS, and Kerberos.
  * DHCP: not really required for the first configuration due to 3rd party patches.
   * Store DHCP configuration in LDAP.
   * Store lease information in LDAP.
   
  * DNS: possible, but for first iteration may not be useful.
   * 1 patch to query LDAP for every DNS request.
   * 1 patch to cache requests, and not need to query LDAP every time.
   
  * Kerberos
   * MIT Kerberos able to use LDAP for backend principal store.
   * Kerberos schema available.
   * Heimdal schema is a bit simpler.
   * A couple of commands are needed to both load the schema, and configure Kerberos to use LDAP.
   * Only one KDC is used for password changing.
   * One package for master KDC and another for slave KDC.
    * Both KDCs will have a local replica of LDAP directory.
   * Need to add DNS records for Kerberos.
    * Will have some automated method to add the records.
    * In a later iteration, integrating into existing DNS will be addressed.
   * Redundant DHCP
    * Two servers in an active/passive mode.
   * New version of Kerberos will not have to rely on reverse DNS lookups.
   
 * DIT
  * openldap-dit
  * Group based administration, access control through group membership.
   * Each group has an Owner that can manage the group.
   * Dynamic ACLs.
  * RFC 2307
  * User login supported.
  * Postfix table lookup.
   * ou=aliases
  * Sudoers
   * sudo can be configured to ignore /etc/sudoers or do a merge with fall back entries.
   
 * Authorization and Access Control
  * Uniqueness Overlay -- rejects commit if value is already used.
  * For uidNumber determine if the user already exists.
  * Password changes
   * How to change password for LDAP, Kerberos, Samba, etc.
   * Heimdal has the ability to sync all three through the smbkrb5 overlay.
   
   
 * Two Overlays
  * Uid generation
  * Password change sync.
  
 * Packages to make changes to the directory during install.
  * Add admin groups for particular applications.
  * SASL external can map any LDAP user to a local user.