Doing some parallel work here and I think we might want to join ourefforts.
Here is what I have made while working on a Gentoo Clustering LiveCD
(which I hope to change into an
actual SEED):
The two files of interest are cluster_ldap_skel.conf and ldap-
setup.sh, all other files are auto-generated by calling
./ldap-setup.sh cluster_ldap_skel.conf
The final intention is that the functions in the .sh file be
integrated into multiple .ebuilds/seed-ebuilds and that the .conf file
be a reference for these seeds.
As much as possible information is deduced from the system (ie: usage
of $(hostname -d) for generating the ldap DC info) and all.
I am attempting to keep documentation of my efforts here but I'm no
blogger...so:
http://soc.gentooexperimental.org/projects/gentoo-cluster-seed/news
On Thu, Jun 26, 2008 at 7:10 PM, kyron <ky...@neuralbs.com> wrote:
Doing some parallel work here and I think we might want to join ourefforts.
:)Here is what I have made while working on a Gentoo Clustering LiveCD
(which I hope to change into an
actual SEED):
The two files of interest are cluster_ldap_skel.conf and ldap-
setup.sh, all other files are auto-generated by calling
./ldap-setup.sh cluster_ldap_skel.conf
The final intention is that the functions in the .sh file be
integrated into multiple .ebuilds/seed-ebuilds and that the .conf file
be a reference for these seeds.
As much as possible information is deduced from the system (ie: usage
of $(hostname -d) for generating the ldap DC info) and all.
I am attempting to keep documentation of my efforts here but I'm no
blogger...so:
http://soc.gentooexperimental.org/projects/gentoo-cluster-seed/news
Interesting stuff. Are you working on this as part of this year's Summer of Code?
1- I absolutely have to modify/create some files in /etc
2- Once some of the files created, I have to initiate the
ldap database
3- Then successfully start the slapd daemon
4- and only then shall I finish the /etc file modifications
(ie: changing /etc/nsswitch.conf to also use ldap as a backend)
Obviously,
since this script is supposed to be called from within the catalyst
process, Joe user should not have to use it but my intention is that
the script could also be used later on for people wishing to implement
LDAP without having to learn all that is required to get that
going on their system (obviously with a BFW: "This is a one shot deal,
don't expect it to work, you should read the docs, it's poison, it will
reformat your car's carburator, etc..." I'm also leaving in the
possiblity that the same script + config file approach could be used to
add LDAP databases in the future (such as a shared Addressbook)
</quote>
Best regards,Stu
RE the LDAP automation script I made, I was wondering if you had any suggestions on how I (we) should convert this into seed(ed) ebuild(s). Lazily copying from the above blog link:
Although most of the work that is being done by the script should be done by an ebuild, I had to chose a stand alone script beacuse:1- I absolutely have to modify/create some files in /etc
2- Once some of the files created, I have to initiate the ldap database
3- Then successfully start the slapd daemon
4- and only then shall I finish the /etc file modifications (ie: changing /etc/nsswitch.conf to also use ldap as a backend)
Obviously, since this script is supposed to be called from within the catalyst process,
Joe user should not have to use it but my intention is that the script could also be used later on for people wishing to implement LDAP without having to learn all that is required to get that going on their system (obviously with a BFW: "This is a one shot deal, don't expect it to work, you should read the docs, it's poison, it will reformat your car's carburator, etc..." I'm also leaving in the possiblity that the same script + config file approach could be used to add LDAP databases in the future (such as a shared Addressbook)
Hi all,
Just wanted to keep the thread alive and such -
I've been cleaning up my systems at home, and working on implementing
LDAP here so I know what I'm talking about. (I've had VERY limited
experience with LDAP until this point.) The Gentoo docs on LDAP are
decent, I find:
* http://gentoo-wiki.com/OpenLDAP (VERY applicable)
* http://www.gentoo.org/proj/en/infrastructure/ldap.xml (merely
notable)
* http://www.gentoo.org/doc/en/ldap-howto.xml (also applicable)
> In that vein ... :) work is currently eating up much of my spare time,c'est la vie
> leaving me little time to progress the LDAP support myself.
Indeed, but in a practical sense, who doesn't use the Gentoo wiki from
> Certain Gentoo developers will be bursting a blood vessel at the notion that
> the gentoo-wiki.com site is part of the Gentoo docs ;-)
time to time when setting up their Gentoo boxes? Official affiliation
is overrated :p
On Wed, Jul 30, 2008 at 5:45 PM, samba <sam.brie...@gmail.com> wrote:
> In that vein ... :) work is currently eating up much of my spare time,c'est la vie
> leaving me little time to progress the LDAP support myself.
I now have my Seed Linux Desktop support user account details stored in LDAP. The Gentoo Wiki docs were useful, as was the O'Reilly LDAP book I bought a long time ago and had forgotten I owned :)
Now that I have working config files, next steps are:
1) agree a structure to the directory tree, and2) agree configuration and security measures, and3) have Seed Linux working with LDAP out of the box.
So, structure ... so far, I simply have ou=users,dc=seed-linux,dc=com in the tree, with the uid field under there being used as the Linux user name. The structure needs to expand a little bit to include user groups and (probably) valid hosts. My thinking is that we want a structure that makes as much sense on one machine as it does when there's one LDAP tree shared between many machines via replication. Anyone have any feedback on this?
Configuration ... the main point here is that I've setup the LDAP clients (pam_ldap et al) to use the local UNIX socket rather than the network. My thinking is that each machine should always have its own LDAP server. In a larger setup, there would be a master server that replicates out to all the local servers, and if anyone needs an even larger setup (where the cost of replication is an issue), that can be addressed at the time.
Working out of the box ... my thinking here is that /etc/passwd would continue to hold root + all the system accounts installed by Portage (does Portage support storing new users into LDAP),
and all user accounts would be stored in LDAP. I would prefer to get to the point where only root + a few others lived in /etc/passwd, and everything else ran off LDAP (including accounts created by Portage), but I think that would be difficult to achieve, because we rely on Portage to install the base system in the first place.
Let me have your feedback :) I'm aiming to commit this to SVN at the weekend.
This is why Mike Kelly wrote creandus 2 years ago
<http://trac.pioto.org/creandus>. Someone could finish it.
--
Thanks,
Donnie
Donnie Berkholz
Developer, Gentoo Linux
Blog: http://dberkholz.wordpress.com
I strongly suggest not to use dc=com but rather dc=local to keep all options opened, including hostname integration into ldap, thus avoiding real (Internet) vs local DNS resolution.
The newest version of OpenLDAP (2.4.10) has many new features that will be desirable (caching and groups of group wise).
the eutils eclass would have to be re-written for that IIRC...which wouldn't be a bad thing either.
Make OpenLDAP part of the base system, there aren't that many users in a stage3 when you look at this. I don't have a specific scenario but I can imagine one wanting to centrally control some of the system accounts for XYZ reason (apache, postfix, etc?).
It is strongly recommended that Kerberos be part of the loop as it's what is being used in "serious" infrastructures ans would be a sign of robustness. The diradm app shouldn't be too difficult to modify to provide a single interface to user management but it might not be the ideal solution (as it requires that the sldapd admin password be stored in /etc/ldap.secret).
This is why Mike Kelly wrote creandus 2 years ago
<http://trac.pioto.org/creandus>. Someone could finish it.
On Mon, Aug 4, 2008 at 6:41 PM, Eric Thibodeau <ky...@neuralbs.com> wrote:
I strongly suggest not to use dc=com but rather dc=local to keep all options opened, including hostname integration into ldap, thus avoiding real (Internet) vs local DNS resolution.
Can you provide more information about this? It's not clear what the problem is that you're suggesting we need to avoid.
The newest version of OpenLDAP (2.4.10) has many new features that will be desirable (caching and groups of group wise).
That's what I'm using. I'm also wondering whether we should move the config into OpenLDAP itself (as per the 2.3 and 2.4 admin handbooks) rather than use /etc/openldap/slapd.conf.
the eutils eclass would have to be re-written for that IIRC...which wouldn't be a bad thing either.
My preference would be to replace useradd et al with LDAP-aware versions, tbh. It would be easy enough to do with a bit of Perl, and we could easily have a rule that all UIDs < 1000 go into /etc/passwd, and the rest go into LDAP.
Make OpenLDAP part of the base system, there aren't that many users in a stage3 when you look at this. I don't have a specific scenario but I can imagine one wanting to centrally control some of the system accounts for XYZ reason (apache, postfix, etc?).
OpenLDAP will be part of the base system, but the Seed Linux base system is substantially different to Gentoo's. All of the Seed Linux packages are installed into 'system', leaving 'world' for additional packages installed by the local admin.
There is a good reason why apache, postfix et al should not go into LDAP at this time. We have zero control over changes made to these system accounts by Portage packages. It would only take one package to fsck up one of these system accounts, and via LDAP and a suitably-placed referrer Gentoo would take out more than just the local machine. We can look at this again in the future, but atm it's simply not worth the risk.
It is strongly recommended that Kerberos be part of the loop as it's what is being used in "serious" infrastructures ans would be a sign of robustness. The diradm app shouldn't be too difficult to modify to provide a single interface to user management but it might not be the ideal solution (as it requires that the sldapd admin password be stored in /etc/ldap.secret).
Apart from Windows, I've never come across an installation of Kerberos, so I don't know much about it atm or why it should be built into Seed Linux. I'd need to know more about who is actually using it before I can go down that road, and how we could make it work from single boxes (e.g. Seed Linux LAMP Developer Desktop) through to larger server farms (e.g. Seed Linux LAMP Server).
> > Make OpenLDAP part of the base system, there aren't that many
> > users in a stage3 when you look at this. I don't have a specific
> > scenario but I can imagine one wanting to centrally control some
> > of the system accounts for XYZ reason (apache, postfix, etc?).
> >
> >
> > OpenLDAP will be part of the base system, but the Seed Linux base
> > system is substantially different to Gentoo's. All of the Seed Linux
> > packages are installed into 'system', leaving 'world' for additional
> > packages installed by the local admin.
> >
> > There is a good reason why apache, postfix et al should not go into
> > LDAP at this time. We have zero control over changes made to these
> > system accounts by Portage packages. It would only take one package
> > to fsck up one of these system accounts, and via LDAP and a
> > suitably-placed referrer Gentoo would take out more than just the
> > local machine. We can look at this again in the future, but atm it's
> > simply not worth the risk.
>
> "should NOT" ...agreed!
>
I think puppet would be ideal for Seed Linux (and indeed Gentoo):
http://reductivelabs.com/trac/puppet
Some of the security stuff looks a lot like Mandrake tbh.
> > It is strongly recommended that Kerberos be part of the loop as
> > it's what is being used in "serious" infrastructures ans would be
> > a sign of robustness. The diradm app shouldn't be too difficult to
> > modify to provide a single interface to user management but it
> > might not be the ideal solution (as it requires that the sldapd
> > admin password be stored in /etc/ldap.secret).
> >
> >
> > Apart from Windows, I've never come across an installation of
> > Kerberos, so I don't know much about it atm or why it should be built
> > into Seed Linux. I'd need to know more about who is actually using it
> > before I can go down that road, and how we could make it work from
> > single boxes (e.g. Seed Linux LAMP Developer Desktop) through to
> > larger server farms (e.g. Seed Linux LAMP Server).
>
> I'm currently managing a Linux only LDAP+Kerberos environment. I didn't
> set it up originally but I did manage to migrate the setting from an
> RH7.3 install to Gentoo so I did have to go through some configuration.
> One of my colleagues insists that Kerberos is a decent authentication
> mechanism compared to using OpenLDAP and that it's _meant_ to be
> one...not ldap per say. But I'm more of a user at that point than an
> integrator, I just followed the instructions and it works.
>
Kerberos is lovely when you can get it to work; it amazes me that people think
it's a Windows thing, though: it was developed by MIT from what I remember,
and only works properly via that god-awful "Services" for Unix thing (unless
your boxen are all doze in which case you have bigger problems..;) All of
these work much better if you don't have Windows running _any_ of the domain
controllers, and can bring up the network using samba for AD from the
beginning, with krb5 on another host as "ticket" manager; client machines
join that domain. I think it's reasonable to focus on that first, and leave
automating the move of an existing `forest' over til later (or for another
project) unless someone wants to work on it, ofc.
Once you have machine accounts setup and talking you're pretty much there
iirc, at least as far as getting a login authenticated by AD from *nix and
querying the user data, although M$ has a habit of adding binary blobs to
standard protocols, just to make it difficult (and keep people upgrading)
which is why I recommend setting up a PDC from Unix before you bring up
Exchange. 2K and XP behave as clients and if they're working with samba AD
and krb5, you're most of the way there (if you avoid Exchange altogether life
will be much sweeter. ;)
On Monday 04 August 2008 22:54:00 Eric Thibodeau wrote:Stuart Herbert wrote:On Mon, Aug 4, 2008 at 6:41 PM, Eric Thibodeau <ky...@neuralbs.com <mailto:ky...@neuralbs.com>> wrote: I strongly suggest not to use dc=com but rather dc=local to keep all options opened, including hostname integration into ldap, thus avoiding real (Internet) vs local DNS resolution. Can you provide more information about this? It's not clear what the problem is that you're suggesting we need to avoid.No, not really, I just have a bad feeling about setting something that could potentially be used as a real domain name inside a private structure. I say this with Kerberos and other services which are _very_ picky about DNS resolution..local is fairly standard practise from what I remember (I worked on a project integrating postNuke with Active Directory via OpenLDAP a few years ago, when samba3 was in beta, and have seen the same on many client Windows installs.)
Once you have machine accounts setup and talking you're pretty much there iirc, at least as far as getting a login authenticated by AD from *nix and querying the user data, although M$ has a habit of adding binary blobs to standard protocols, just to make it difficult (and keep people upgrading) which is why I recommend setting up a PDC from Unix before you bring up Exchange. 2K and XP behave as clients and if they're working with samba AD and krb5, you're most of the way there (if you avoid Exchange altogether life will be much sweeter. ;
.local is fairly standard practise from what I remember (I worked on a project
integrating postNuke with Active Directory via OpenLDAP a few years ago, when
samba3 was in beta, and have seen the same on many client Windows installs.)
I think puppet would be ideal for Seed Linux (and indeed Gentoo):
http://reductivelabs.com/trac/puppet
Some of the security stuff looks a lot like Mandrake tbh.
Kerberos is lovely when you can get it to work; it amazes me that people think
it's a Windows thing, though: it was developed by MIT from what I remember
Exchange is very hard to replace in an opensource fashion either as server or even client-server. The showstoppers I've hit:
- PIM gadget sync is poor to non-existant (ie: kpilot is still unable to sync categories) and..well...it doesn't run on windows
- Shared data such as schedules, tasks, and all other collaborative data is less than obvious and not well integrated on the FOSS servers as well as the clients. Point in case, thunderbird doesn't have calendaring yet and, IMHO, still has many annoying bugs/features (can't spell check a word with Shift-F10, I _have_ to use the mouse, sorting is inconsistent, it's not a PIM) .