Working with Linux User Management

< Day Day Up >

Test Objective Covered:

2. Access a Linux Server with Linux User Management (LUM).

The LUM component of NNLS serves as the link between the local Linux system and eDirectory. LUM represents a huge leap forward in eDirectory technology.

eDirectory was actually ported over to Linux in 1998. I remember when the first version became available for beta testing. I went to a training session in a room packed with Linux administrators. All of us were waiting with baited breath to see eDirectory on our favorite platform.

We all proceeded through the install portion of the class without incident. Shortly after that, things started to go wrong. The product itself worked fine ”it was the way it worked that caused consternation.

As you probably know, Linux administrators tend to have an inquisitive nature. In accordance, after the install portion of the class, most of the students were off experimenting and tinkering with the eDirectory service instead of listening to the instructor (he wasn't terribly interesting to listen to anyway).

As a result of this tinkering, all of us realized in a moment of group collective consciousness that the eDirectory and Linux authentication systems weren't connected to each other in any way. Because of our past experience with NetWare, we were fully expecting to be able to use eDirectory to authenticate Linux users. Instead, we found that Linux users were still being managed with the passwd, shadow, and group files. eDirectory and Linux were in no way connected.

To authenticate to eDirectory, you had to log in using the Novell Client from a Windows or DOS workstation. To log in to the Linux server, you had to authenticate from the login prompt at the server console. Essentially, eDirectory used Linux as a platform to run on and wasn't used to actually manage the server itself.

Needless to say, all the students in the class were very disappointed and called the instructor's attention to this issue. He looked at us in a funny way and said something to the effect of, "Well, of course it doesn't," as if we were expecting the impossible . Thankfully, Novell realized this fact and included LUM in NNLS.

Note

Novell actually started working on this problem prior to NNLS. LUM descends from Novell's Account Management product line. Having used both, LUM is considerably easier to use and works much more reliably.

LUM makes eDirectory do exactly what we were expecting it to do back in 1998: tt redirects authentication to the Linux system through eDirectory. Linux users can authenticate to the system without an entry being required in the passwd file.

This alone makes eDirectory worth its while on the Linux platform. Recall in Chapter 4, "Introduction to Novell Nterprise Linux Services (NNLS)," that we discussed the administrative challenge presented by synchronizing Linux user and group accounts on multiple servers. Previously, you had two options for this problem:

You could synchronize accounts manually. In a very large network, this could be a daunting task.
You could implement NIS+. NIS+ is an Open Source service that synchronizes accounts between Linux systems.

Either way, it wasn't an easy task.

Using eDirectory to manage your Linux user accounts makes life much easier for the administrator. Instead of trying to synchronize accounts among multiple systems, eDirectory serves as a central repository for all network information.

Tip

It's important that you understand that eDirectory doesn't synchronize user accounts.

With eDirectory, you only need a single user account for every user in your organization. You assign rights to the single user account to control what resources the user can and cannot use.

Recall when we installed NNLS in the previous chapter. We configured NNLS to redirect authentication for PAM-enabled services. PAM stands for Pluggable Authentication Modules . PAM uses a series of shared library files to create a modular authentication system. It allows the administrator to customize the authentication mechanism a particular service, such as login or ftp, uses.

Linux services such as ftp, login, and so on have been redirected to use eDirectory user accounts instead of the user accounts in the passwd file. This is particularly useful when implementing Samba. We'll discuss this topic in more depth in a later chapter.

How LUM Works with eDirectory

When LUM is installed, it extends the eDirectory schema (if you're new to eDirectory, you may not know what this means). Recall in Chapter 5, "NNLS Installation and Administration," that I said the eDirectory schema defines objects that are allowed in the tree, defines the attributes they have, and specifies containment rules.

The base schema installed when you implemented NNLS isn't static. You can add, delete, or modify object classes and attributes in your tree. LUM does exactly this when it is installed. It extends the schema and adds LUM-specific attributes to the default user, group, and template object classes. As you can see in Figure 6.11, the user object receives a new property page called Linux Profile .

Figure 6.11. The user object Linux Profile page.

graphics/06fig11.jpg

The following attributes are added to the user object:

User ID
Primary Group ID
Primary Group Name
Login Shell
Home Directory
Comments

In Figure 6.12, you can see that the group object class also has a new property page named Linux Profile.

Figure 6.12. The group object Linux Profile page.

graphics/06fig12.jpg

Group objects have the following attributes added:

Group ID
uamPosixWorkstationList
Description
memberUid

LUM also extends the schema to add two new types of objects to the tree, as listed in Table 6.1.

Table 6.1. LUM eDirectory Objects

LUM OBJECT	DESCRIPTION
Linux Workstation	Contains access control information for the Linux system. Each Linux system has an associated workstation object in the tree.
Linux Config	Contains LUM configuration information.

Installing LUM also adds the components listed in Table 6.2 to your system.

Table 6.2. LUM Components

LUM COMPONENT	LOCATION	DESCRIPTION
nss_nam.so	`/usr/lib`	Retrieves user and group information from the eDirectory tree. This module uses LDAP to access eDirectory.
namconfig	`/usr/bin/`	Used to configure LUM on the server.
pam_nam.so	`/usr/lib/security`	Provides authentication, account, and password management services on the Linux server using eDirectory.

These new objects and modules play a critical role in LUM. One of the issues encountered when redirecting to eDirectory is that of context. Recall that eDirectory uses a hierarchical database structure. Objects are referenced by their username and their context (for example, DCoughanour.SLC.CLE).

The Linux passwd file, on the other hand, is a flat file. User accounts are not arranged into a hierarchy.

This brings up a new problem: How do you deal with the issue of context in a system that previously had no notion of the concept? To fix this problem, LUM provides Linux users with an authentication process called contextless login , which is just what it sounds like. Users can log in to the Linux system using a typical Linux username.

The LUM nss_nam.so module resolves the contextless user name provided by the user during login to the particular system's workstation object in the eDirectory tree. This object is shown in Figure 6.13.

Figure 6.13. UNIX workstation object.

graphics/06fig13.jpg

The workstation object contains a list of all the groups that have been given access to the Linux system. This is shown in Figure 6.14.

Figure 6.14. Authorized groups.

graphics/06fig14.jpg

Only users who are members of these groups are allowed to authenticate to the Linux system. In Figure 6.14, only users who are members of the IFEmployees.IF.CLE group or the SLCEmployees.SLC.CLE group are allowed to authenticate to the CLE1 Linux system.

The username supplied by the user is compared with the usernames in the associated LUM groups. If a match is found, the user is authenticated and his or her Linux profile is used to configure the system environment.

Let's look at this redirection process in greater detail.

How LUM Redirection Works

LUM redirection is based on the Name Service Switch (NSS) component integrated into Linux. NSS allows you to configure how you want authentication to occur in the system. The NSS configuration is controlled by the /etc/nsswitch.conf file.

When you install LUM, the NNLS installation script modifies the nsswitch.conf file. This modified file is shown in Figure 6.15.

Figure 6.15. LUM-modified `nsswitch.conf` file.

graphics/06fig15.jpg

Notice that the parameters for passwd, shadow, and group have been modified with the addition of the string nam . With the system configured in the way shown in Figure 6.15, it will first look in the passwd file for the user during login. This is configured by the files directive.

If not found there, it will next use eDirectory for authentication. This is configured by the nam directive. This system is configured to use NIS+ after eDirectory (if we actually had it installed on the system). This is configured by the nisplus directive.

The installation script also modifies the PAM files in the /etc/pam.d directory for services such as login, ftp, and ssh to use eDirectory for authentication. The modified file for the login service is shown in Figure 6.16.

Figure 6.16. LUM-modified login file in `/etc/pam.d` .

graphics/06fig16.jpg

Notice in Figure 6.16 that login has been configured to use the LUM pam_nam.so module. This module redirects authentication requests to the nss_name.so module.

When the nss_nam.so module receives a request, it contacts the LUM daemon, namcd . This service retrieves and caches information from your eDirectory tree. If the username of the user authenticating is already in the daemon's cache, it will return the distinguished name (which is the object name and its context) of the associated user object. Otherwise, it queries eDirectory for the information, returns the distinguished name, and stores the information in its cache.

The namcd daemon can be configured using the /etc/nam.conf configuration file or by running the namconfig utility. A typical nam.conf file is shown in Figure 6.17.

Figure 6.17. A typical `nam.conf` file.

graphics/06fig17.jpg

The parameters in this file are explained in Table 6.3.

Table 6.3. The namcd Configuration Parameters

PARAMETER	DESCRIPTION
base-name	This parameter identifies the base container in your eDirectory tree where LUM has been installed.
admin-fdn	The parameter specifies the name of your eDirectory tree's admin user.
preferred-server	This parameter lists the IP address of the eDirectory LDAP server the namcd daemon is to use.
positive-time-to-live	This parameter specifies the amount of time, in seconds, that object information is kept in the namcd daemon's cache.
	This value can range from 1 to 2147483647 seconds. The default value is 600 . If you have a static tree, you can increase this value because reads from cache are much faster than reads from the tree.
	However, if you have a tree that changes frequently, you may want to keep the value where it is or even reduce it. This is done to ensure that the data in the cache matches the current tree data.
num-threads	This parameter identifies the number of CPU threads concurrently used by the daemon.
	The default value is 5 . This parameter can be set to a value between 1 and 25 threads.
Schema	This parameter identifies the version of the eDirectory schema used by the tree the daemon is configured to use.
enable-persistent-cache	This parameter enables or disables the namcd daemon's cache.
user-hash- size	The namcd daemon uses a hash algorithm to encrypt data in its cache. This parameter specifies the hash size.
	Novell recommends that you use a value that is a prime number equal to or greater than 0.25 times the number of users in the tree. The default value is 211 .
group-hash-size	This parameter is the same as the preceding parameter, except it's for groups.
	The recommended value is the same: 0.25 times the number of groups in the tree. The default value is 211 .
persistent-cache-entries-aging-interval	This parameter specifies the interval, in seconds, after which information in the namcd daemon's cache will be removed from the persistent cache.
	This value can range from 1 to 2147483647 seconds. The default value is 7200 .
persistent-cache-refresh-period	This parameter specifies how frequently, in seconds, the namcd daemon refreshes the information in its cache from eDirectory.
	This value can range from 1 to 2147483647 seconds. The default value is 28800 .
persistent-cache-refresh-flag	This parameter specifies whether all user and group information is to be included in the cache during refresh, or just those currently in use.
	The default value is all . The other possible value is accessed .
create-home	Specifies whether home directories are created for users. This value can be either yes or no . The default value is no .
type-of-authentication	This parameter specifies whether SSL is to be used ( 2 ) or not used ( 1 ). The default value is 1 .
Certificate-file-type	This parameter specifies the format of the certificate file to be used, if SSL is configured.
	The value can be either der or base64 . The default value is der .
ldap-ssl-port	This parameter lists the secure IP port that LDAP is using on the eDirectory server. The default value is 636.
ldap-port	This parameter lists the insecure port that LDAP is using on the eDirectory server. The default value is 389 .
support-alias-name	This parameter identifies whether eDirectory alias objects that point to regular users and groups in the tree are allowed. The default value is no .
support-outside-base-context	This parameter specifies whether objects outside the base scope configured previously are allowed to use LUM. The default value is no .

As you can see from Figure 6.17, the NNLS installation script automatically configures your system, and usually very little additional configuration is needed ” assuming you entered the correct information.

Let's now look at how you enable LUM functionality on your system.

Setting Up LUM

LUM is a highly flexible product, allowing you to configure your system in a variety of different ways. For the CLE certification, you only need to know how to perform a basic configuration, and that is what we will focus on here.

To perform a basic configuration of LUM on your system, you would do the following steps:

Note

This is a set of generic steps. We'll go through a detailed set of steps in the upcoming lab exercise.

In a web browser, navigate to https :// your_server's_IP_address /nps/iManager.html.
Authenticate to iManager as the admin user.
Create groups for LUM access. You can create one single group or multiple groups. To do so, complete the following steps:
1. In iManager, scroll down to the eDirectory Administration role and select Create Object .
2. In the Available Object Classes field, select Group and then click OK .
3. In the Group Name field, enter a name for your group.
4. In the Context field, enter the context where you want the group to reside and then click OK .
5. When prompted that the group has been created, click OK .
6. When prompted to convert the group to a LUM group, click Cancel . You'll convert the group at a later point.
Populate the new group with the users you want to be able to authenticate to the Linux system using eDirectory by completing the following steps:
1. In iManager, select Modify Object .
2. In the Object Name field, enter the name of your group.
3. In the drop-down list, select Members .
4. In the Members field, browse to and select each user object you want in the group.
5. Click OK .
Convert the group to a LUM group by completing the following steps:
1. In the left frame, scroll down to the Linux User Management role and select Convert eDirectory Group to LUM Group .
2. In the Select Group field, browse to and select your group and then click OK .
3. When prompted to select the workstations you want the group added to, select Linux Workstations .
4. In the Linux Workstations field, browse to and select your UNIX Workstation object and then click OK .
5. When prompted that the LUM group was created, click OK .
Convert each user in the group to a LUM user by completing the following steps:
1. Under the Linux User Management role, select Convert eDirectory User to LUM User .
2. In the Select User field, browse to and select the first user in your group and then click OK .
3. When prompted to specify the primary group for the user, browse to and select your group.
4. Deselect the option to convert the user to a Samba user object; then click OK .
5. Select Repeat Task .
6. Repeat these steps for each user in the group.

Test the configuration by completing the following steps:

Switch to a shell prompt by pressing Ctrl+Alt+F2 if you are running in a graphical environment. If you are working from the text-based shell prompt without the X Window System, press Alt+F2 .
At the login prompt, enter the username of a user object in the converted group. Don't include the context of the object. For example, if you wanted to authenticate as DCoughanour.SLC.CLE, you would simply enter DCoughanour .
Supply the user's password at the password prompt. You should see a message indicating that a new home directory is being created in /home for the user.

That's all there is to it! In Lab Exercise 6.2, you can configure LUM on your server.

< Day Day Up >

Working with Linux User Management