As mentioned at the beginning of this chapter, not all services support native eDirectory authentication. This is especially apparent within the services commonly associated with Linux environments. Typical Linux servers provide user authentication for a number of services. Common examples of these are local logins, secure shell connections, Samba, NFS, and HTTP/FTP access. Managing user accounts across these access methods can be the most frustrating part of administration! Thankfully, OES Linux greatly simplifies this aspect of administration through enabling eDirectory as a central storage location for all user accounts across all services. The central component of OES that provides this integration is Linux User Management.

Linux User Management

In a nutshell, Linux User Management (LUM) is a directory-enabled application that centralizes the storage and management of Linux user accounts. LUM uses eDirectory for the back-end repository of users and therefore benefits from the security, scalability, and reliability eDirectory users have come to expect. LUM extends the capabilities of the Novell Account Management (NAM) software and includes the following components:
LUM-RELATED OBJECTS

In addition to the physical components of LUM, in order for LUM to integrate Linux authentication into eDirectory, the eDirectory schema must be extended. The extension takes place automatically during the LUM installation. LUM-specific extensions create both the classes and the attributes required for authentication by the Linux services. These extensions are used in creating LUM-specific objects used to configure LUM, and when modifying user and group objects to convert them to valid Linux users and groups. The following list describes each of these required LUM objects:
NOTE A LUM Domain is simply a term used to describe one Linux Config object and all users and workstations associated with that object. By default, one Linux Config object, and therefore one LUM Domain, is created during the installation of LUM. Into this one LUM Domain, additional Linux servers and workstations can be added using the namconfig utility. If your network spans multiple sites, or LUM services will be offered to a large number of users, additional Linux Config objects (and therefore additional LUM Domains) can be created. The namconfig utility is the only tool that can create Linux Config objects in eDirectory. When creating multiple Linux Config objects, ensure that each LUM domain exists in its own eDirectory partition. Also, because LUM uses a subtree LDAP search, ensure that no LUM domain exists beneath another LUM domain in the eDirectory tree.
NOTE During the installation of LUM, a default Linux Config, Linux Workstation, and LUM group are all configured automatically. However, LUM users must either be created manually during the creation of a new eDirectory user, or an existing eDirectory user must be converted to a LUM User prior to using LUM.

LUM INSTALLATION

The installation of LUM is normally performed during the main OES installation. If LUM was not selected during installation, follow these steps for adding LUM to your OES server.
LUM ADMINISTRATION

LUM administration can effectively be divided into the following three categories:
LUM CONFIGURATION

Although LUM is usable immediately after installation, it is a good idea to check the default LUM configuration prior to creating LUM users. The following steps describe checking the LUM configuration:
In addition to iManager-based configuration, there are some configuration options that you may want to set on the OES machine itself. One important option concerns the configuration of the NAM Cache Daemon (namcd). As explained earlier, the NAM Cache Daemon caches user and group lookups from eDirectory. By default, this daemon uses a persistent cache that is immediately available after a server restart. For most implementations this is the desired behavior and will produce optimal performance. However, if you would like to use a nonpersistent cache, or modify the cache refresh or size settings, the configuration of namcd must be modified manually. The configuration file for NAM is /etc/nam.conf. Within this configuration file, there are settings that determine the behavior of namcd. The primary settings regarding the namcd cache are as follows (see the nam.conf man page for more information):
NOTE Do not confuse namcd (NAM Cache Daemon) with nscd (Name Service Cache Daemon). With LUM, namcd and nscd work together. The nscd daemon is used to cache hostnames and addresses. The namcd daemon specifically caches user and group names and IDs from eDirectory. Using namcd, performance of subsequent lookups of cached users and groups is significantly improved.

USER AND GROUP ADMINISTRATION

eDirectory users do not automatically have the attributes required for LUM authentication. In order for the user to be a valid LUM user, these attributes must either be added during the initial user creation from within iManager, or added after the fact by converting the existing user to a LUM user. Assigning the LUM attributes to users during user creation has already been described in the User Object section at the beginning of this chapter. The following steps describe how to convert an existing user to a valid LUM user.
NOTE Existing Linux implementations may want to migrate users directly from local, NIS, or NIS+ accounts. For information on this process, please see the man page for the unix2edir utility.

Linux requires every user to have a primary group associated with the user. LUM therefore also requires a primary LUM group for users within eDirectory. As with user objects, eDirectory groups do not automatically have the attributes required for valid LUM groups. In order for the group to be a valid LUM group, these attributes must either be added during the initial group creation from within iManager, or added after the fact by converting the existing group to a LUM group. Assigning the LUM attributes to groups during group creation has already been described in the Group Object section at the beginning of this chapter. The following steps describe how to convert an existing group to a valid LUM group.
LINUX SERVICE ADMINISTRATION

During the installation of LUM, you can determine which PAM-aware services you would like LUM-enabled. Services available for selection are listed in Table 8.4.
If these services were not configured during installation, you can use the YaST module for LUM to LUM-enable these services later. The following steps document this process:
SECURING LUM

When you're using LUM, users can be authenticated to eDirectory using a secure or nonsecure LDAP connection. To increase security, it is a good idea to always use a secure LDAP connection. This is the default configuration of OES, but adding servers or workstations to the LUM domain requires manual configuration. This process can also be followed on the current OES server to reconfigure LUM if configuration errors are encountered. To enable secure LDAP connections with LUM, or to add an additional server or workstation to your LUM domain, execute the following command:
After determining the appropriate values for the admin name and context, Linux Config context, and server or workstation context, the command should look more like the following:
The namconfig utility is used to configure NAM on Linux servers and workstations. This command configures the local server to communicate via SSL by modifying the /etc/nam.conf file and retrieving the server's SSL certificate from eDirectory. The server certificate is stored in the /var/nam directory as a hidden file named with the server name and a .der extension. If this certificate expires, it can be re-created using the following command:

    namconfig -k

NOTE For more information on namconfig, refer to the man page or to Novell's online documentation.

LUM COMMAND-LINE UTILITIES

The majority of LUM administration is performed through iManager. However, Linux administrators experienced with the command-line interface may find the command-line tools quicker than the browser-based interface of iManager. Table 8.5 summarizes the command-line tools available for LUM administration on the OES machine.
NOTE More information on each of these utilities is available by accessing the man page for the respective utility.

AUTHENTICATION WITH LUM

With LUM configured, valid LUM users and groups created, and Linux services integrated into LUM, the authentication process a user goes through with LUM can finally be investigated. LUM is specifically designed to take advantage of the Pluggable Authentication Module (PAM) infrastructure common with Linux servers. The primary benefit this offers is that all PAM-aware services have the potential to be integrated into eDirectory through LUM with relative ease. This section will describe the integration steps and processes of authentication with a PAM-aware service.

NOTE It is possible to enable LDAP-aware services to integrate directly with eDirectory, but this configuration is specific to the application being integrated and beyond the scope of this book.

PAM INTEGRATION WITH LUM

As mentioned in the Login Process section of Chapter 3, "Working with SUSE Linux Enterprise Server 9," PAM utilizes a configuration file for every PAM-aware service. These files exist in the /etc/pam.d directory and are named after the respective service. The contents of these files are used to determine what modules are involved with the authentication process to ensure that the user is allowed access. As shown in Figure 8.12, the pam_nam module is used for all authentication services.

Figure 8.12. The pam_nam configuration used with the Login service.

The control flag used with these services is normally set to sufficient. This causes the authentication process to halt upon successfully retrieving authentication, account, and password information from the pam_nam module. If pam_nam is unable to fulfill the request, the remainder of the configuration file is used. This allows local accounts to authenticate after checking for the requested account in eDirectory.
It is important to ensure that the service configuration file allows for local authentication for root-level access for administrators. The pam_nam module relies on the /etc/nam.conf configuration file. This file contains information regarding the IP address of the eDirectory server, what credentials to use when authenticating to that server, and where in the eDirectory tree to search for LUM users and groups.

NOTE For more information regarding the nam.conf configuration file, refer to the man page or Novell's online documentation.

NAME SERVICES WITH LUM

After authentication, the ability to look up user and group names in eDirectory is still required. The process of resolving user, group, machine, and other identities in Linux is known as Name Services. When using LUM, the Name Services configuration must be altered to also look up names in eDirectory. The configuration file for Name Services is /etc/nsswitch.conf. The main purpose of this file is to list possible databases of names being queried and where information regarding those names can be located. With LUM, the information we are concerned about is resolution of user and group names. User and group lookup configuration can be found on the "passwd" and "group" database entries within the nsswitch.conf file. When you're using LUM on the local server, these two entries should contain the following configuration:

    passwd: compat nam
    group:  compat nam

This configuration causes the Name Service lookup to initially query the local files (using the default compatibility mode), and then query for user and group names using the libnss_nam library. This library uses LDAP to query eDirectory for user and group names. After being resolved, the names and IDs are cached by the NAM Cache Daemon (namcd) to reduce lookup time for subsequent requests. One example of where this lookup is performed is when performing a file listing using the ls command.
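As an added example (not from the book or from Novell's own tooling), the following Python script checks the two files just described on an OES machine: that each management group in a PAM service file lists pam_nam as sufficient with a local module after it (so root can still log in if eDirectory is unreachable), and that the passwd and group databases in nsswitch.conf read "compat nam". The PAM and nsswitch samples are constructed, and pam_unix2 as the local fallback module name is an assumption.

```python
# Constructed /etc/pam.d/login fragment in the form the chapter describes:
# pam_nam is 'sufficient' and a local module (assumed pam_unix2) follows it.
PAM_LOGIN_OK = """\
auth     sufficient  pam_nam.so
auth     required    pam_unix2.so
account  sufficient  pam_nam.so
account  required    pam_unix2.so
"""

# Constructed misconfiguration: 'required' means every login must also pass
# pam_nam (local-only accounts such as root are locked out), and the
# 'account' group has no local fallback at all.
PAM_LOGIN_BAD = """\
auth     required    pam_nam.so
auth     required    pam_unix2.so
account  sufficient  pam_nam.so
"""

# Constructed /etc/nsswitch.conf fragments (comment and hosts lines included).
NSSWITCH_OK = "# constructed\npasswd: compat nam\ngroup:  compat nam\nhosts: files dns\n"
NSSWITCH_BAD = "passwd: compat\ngroup: compat\n"

def _entries(text):
    """Yield the fields of every non-empty, comment-stripped line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields

def check_pam_service(text):
    """Return {management group: problem} for each group not set up as the
    chapter describes: pam_nam as 'sufficient', then a local pam_unix fallback."""
    groups = {}
    for fields in _entries(text):
        if len(fields) >= 3:
            groups.setdefault(fields[0], []).append((fields[1], fields[2]))
    problems = {}
    for group, entries in groups.items():
        nam = [i for i, (_, mod) in enumerate(entries) if "pam_nam" in mod]
        if not nam:
            problems[group] = "pam_nam not used"
        elif entries[nam[0]][0] != "sufficient":
            problems[group] = f"pam_nam control is '{entries[nam[0]][0]}', expected 'sufficient'"
        elif not any("pam_unix" in mod for _, mod in entries[nam[0] + 1:]):
            problems[group] = "no local pam_unix fallback after pam_nam"
    return problems

def check_nsswitch(text):
    """Return {database: sources} for passwd/group entries that are not 'compat nam'."""
    found = {}
    for fields in _entries(text):
        if fields[0].endswith(":"):
            found[fields[0][:-1]] = fields[1:]
    return {db: found.get(db) for db in ("passwd", "group")
            if found.get(db) != ["compat", "nam"]}
```

An empty result from either function means the file matches the configuration the chapter describes; anything else names the group or database to fix.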
The ls command uses Name Services to translate the file and group owner IDs to usable names rather than the actual ID numbers. If the lookup is not successful, IDs rather than names will be displayed, and accurate permissions enforcement may be compromised. Default installations of LUM should have this configuration performed automatically. However, if additional servers or workstations are added to the LUM domain outside of an OES installation, after adding the machine using namconfig, the nsswitch.conf file must be manually configured as in the preceding example in order for name lookups to be successful.

Samba User Management

The Samba program suite provides access to local resources through the Microsoft SMB/CIFS protocol. This effectively allows Windows, Linux, and other operating systems to connect to those resources as though they were residing on a Windows-based computer. To do this, Samba must use an authentication method that is compatible with Windows authentication. Samba provides this authentication through a local store of Samba users, in addition to those same users being stored as local Linux accounts. Although this default configuration does work, it can result in unsynchronized passwords, and an environment that is difficult to maintain. OES Linux resolves this situation by leveraging the LUM infrastructure to provide Samba authentication as well. Samba User Management requires the LUM component to be fully operational. All Samba users must first be valid LUM users. It is a good idea to fully test LUM using local logins prior to beginning Samba configuration.

NOTE With OES, a user's Samba password is stored as two specific attributes of each Samba user. This password can only be synchronized when users change their password from within Virtual Office. If you expect users to change their password from other utilities, you must enable the Universal Password component of NMAS.
When Universal Password is enabled, the Universal Password is used in place of the Samba password during user authentication. This ensures a single user password across all authentication methods, including Samba, and synchronization is not an issue. For more information on Universal Password, see the "Universal Password" section earlier in this chapter.

SAMBA COMPONENTS

The Samba suite that comes with OES is the same version of Samba that is available through other Linux distributions, such as SLES 9, with one notable exception. In order to integrate with LUM, the OES version of Samba has been compiled using the -with-ldapsam and -with-ssl switches. These switches are necessary to leverage the LDAP storage of user accounts, and to provide secure access to those accounts. In order to access LDAP directories, Samba also relies on the OpenLDAP client libraries. These libraries are libldap.so and libldap_r.so. The default configuration of the OpenLDAP client is to provide a connection to eDirectory through a secure (SSL) LDAP session.

SAMBA INSTALLATION

The installation of Samba is normally performed during the main OES installation. If Samba was not selected during installation, follow these steps to add Samba to your OES server.
SAMBA ADMINISTRATION

Administration of Samba services within OES can be divided into the following three basic categories:
GENERAL SAMBA CONFIGURATION

The main configuration file for Samba is /etc/samba/smb.conf. This file contains the necessary information for Samba to connect to eDirectory. The following list contains a few of the parameters required for Samba integration with LUM:
SAMBA USER ADMINISTRATION

As mentioned, Samba users are simply LUM users with an additional set of attributes associated with each user. During user creation within iManager, you are automatically prompted to convert the new user to both a LUM and Samba user. If user conversion is done at this time, the user's Samba password field will be automatically filled in with the new user's password. If the user is not converted at this time, the user will have to be manually converted later and the password must be re-entered manually. Normal users cannot be converted directly to a Samba user without also being converted to a LUM user. For information on this process, refer to the LUM user section earlier in this chapter. If you have a LUM user who was not designated as a Samba user, the LUM user must be manually converted to a Samba user through the following steps:
When this process has been completed, the user is now a valid Samba user and can access any Samba resources configured on the server.

SAMBA RESOURCE ADMINISTRATION

Samba resources include such things as local files and printers. With OES, iPrint is the recommended method of printer sharing, as the iPrint solution is much more complete than printer sharing under Samba. File sharing with Windows users can be accomplished through either Samba or using the Novell Client to access NCP server resources. The NCP server provides a more complete filesystem permission structure than Samba, and NCP-based permissions are fully integrated with eDirectory. However, Samba shares are a commonly used method of sharing files and may be the best option based on your requirements. Configuring Samba file shares with OES is identical to configuring shares without OES. The YaST administration tool provides access to a Samba server configuration module. This module should be used to configure all Samba shares. The following steps document this process:
NOTE Samba can be quite complex. For more information regarding the many options for configuring Samba resources, refer to the main Samba documentation found at http://www.samba.org.