Auth plugin

There are different ways to use this plugin.

Setting the root password

Executing

slxos-plugin install suse-11.0-auth auth \
  auth::rootpwd=foo

will set the root password to "foo". Note that the value is passed on the command line, so it ends up in the shell history of the build host and is visible in the process list while slxos-plugin runs.

LDAP

slxos-plugin install suse-11.0-auth auth \
  auth::rootpwd=foo \
  auth::ldap=1 \
  auth::ldapuri="ldap://132.230.4.6" \
  auth::ldapbase="ou=people,dc=uni-freiburg,dc=local" \
  auth::nss_base_passwd="ou=people,dc=uni-freiburg,dc=local" \
  auth::nss_base_group="ou=people,dc=uni-freiburg,dc=local" \
  auth::ldapbinddn="cn=admin,dc=uni-freiburg,dc=local" \
  auth::ldapbindpw="foo" 

Besides setting the root password, this example configures LDAP. The last two lines (auth::ldapbinddn and auth::ldapbindpw) are optional and not required in every LDAP setup, but some environments need them because the directory does not allow anonymous lookups of user and group entries. Be aware that the bind password is written in clear text into the client's LDAP configuration, and nss_ldap has to be able to read that file for lookups made by any process, so use a dedicated read-only account with minimal rights rather than an administrative DN such as cn=admin.

Another way to configure LDAP is:

slxos-plugin install suse-11.0-auth auth \
  auth::rootpwd=foo \
  auth::ldap=1 \
  auth::ldapuri="ldap://132.230.1.62" \
  auth::ldapbase="ou=people,dc=uni-freiburg,dc=de" \
  auth::nss_base_passwd="ou=people,dc=uni-freiburg,dc=de?one?rufdienst=ldap*)(&(rufclienthome=*)(rufstatus=enabled)" \
  auth::nss_base_group="ou=group,dc=uni-freiburg,dc=de?one" \
  auth::ldap_options="nss_map_attribute      homeDirectory rufClientHome\nTLS_REQCERT allow" 

The last line is optional. auth::ldap_options can add further configuration options to /etc/ldap.conf. If more than one line is to be added to ldap.conf, separate the lines with \n, as in the example.

Possible issues with LDAPS / LDAP+TLS

nss_ldap: failed to bind to LDAP server ldap(s)://x.x.x.x: Can't contact LDAP server
nss_ldap: could not search LDAP server - Server is unavailable

If you see the above error messages, SSL/TLS may be the problem: "ssl start_tls" or "ssl on" in ldap.conf can fix it. The same error also occurs when the server certificate is not valid or not trusted by the client. Certificate checking (e.g. for a self-signed certificate) can be disabled with "tls_checkpeer no", but this removes the only protection against a spoofed LDAP server: anyone in the network path can then read the bind password and return arbitrary uid, gid and homeDirectory values to the client. The proper fix is to ship the CA certificate to the client and point "tls_cacertfile" (nss_ldap) or "TLS_CACERT" (OpenLDAP's ldap.conf) at it, so that "tls_checkpeer yes" and "TLS_REQCERT demand" work.

The same error message can also appear although LDAP authentication as a whole is working. This has been observed when the LDAP server listens on both ldap and ldaps at the same time (and ldaps is used): in one case the message disappeared after the plain ldap port was disabled on the server, while ldaps remained reachable and usable.
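As an added example (not part of the auth plugin or the OpenSLX project), the following shell script audits a generated ldap.conf for the two workarounds just discussed and for plain ldap:// without StartTLS, and returns the number of findings as its exit status. The sample configuration it writes is constructed from option values that appear on this page; the script and file names are arbitrary.

```shell
#!/bin/sh
# Added example, not part of the OpenSLX auth plugin: audit an ldap.conf (the
# file the plugin generates from auth::ldapuri and auth::ldap_options) for
# settings that make the TLS error above go away at the price of transport
# security. Prints one finding per line; the return code is the finding count.

# conf_get FILE KEY: value of the first non-comment line whose keyword is KEY.
# The keyword match is case-insensitive, so nss_ldap's "tls_checkpeer" and
# OpenLDAP's "TLS_REQCERT" spellings are both found.
conf_get() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$1"
}

lint_ldap_conf() {
    conf=$1
    n=0
    uri=$(conf_get "$conf" uri)
    ssl=$(conf_get "$conf" ssl | tr 'A-Z' 'a-z')
    bindpw=$(conf_get "$conf" bindpw)
    checkpeer=$(conf_get "$conf" tls_checkpeer | tr 'A-Z' 'a-z')
    reqcert=$(conf_get "$conf" tls_reqcert | tr 'A-Z' 'a-z')

    # 1. Certificate verification disabled: the client trusts any server that
    #    answers, so a spoofed server learns the bind password and can return
    #    arbitrary uid/gid/homeDirectory values for every login.
    if [ "$checkpeer" = no ]; then
        echo "tls_checkpeer no: server certificate is not verified"
        n=$((n + 1))
    fi
    case $reqcert in
        never|allow|try)
            echo "TLS_REQCERT $reqcert: a missing or invalid server certificate is accepted"
            n=$((n + 1)) ;;
    esac

    # 2. Plain ldap:// without StartTLS: lookups, and the bind password if one
    #    is configured, cross the network in cleartext.
    case $uri in
        ldap://*)
            if [ "$ssl" != start_tls ] && [ "$ssl" != on ]; then
                if [ -n "$bindpw" ]; then
                    echo "ldap:// without ssl start_tls: bind password is sent in cleartext"
                else
                    echo "ldap:// without ssl start_tls: lookups are cleartext and unauthenticated"
                fi
                n=$((n + 1))
            fi ;;
    esac
    return $n
}

# Constructed sample using option values from this page
# (TLS_REQCERT allow, tls_checkpeer no, ssl on, an ldaps:// URI and a bind DN).
write_sample_conf() {
    printf '%s\n' \
        'uri ldaps://132.230.4.6' \
        'base ou=people,dc=uni-freiburg,dc=local' \
        'binddn cn=admin,dc=uni-freiburg,dc=local' \
        'bindpw foo' \
        'TLS_REQCERT allow' \
        'tls_checkpeer no' \
        'ssl on' > "$1"
}

# Usage: sh lint-ldap-conf.sh /etc/ldap.conf; echo "findings: $?"
if [ $# -eq 1 ]; then
    lint_ldap_conf "$1"
fi
```

Run it against the ldap.conf of a booted client (or against a file built from your auth::ldap_options string) before rolling the configuration out; a non-zero exit status means at least one setting trades server authentication or confidentiality for a working login.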

Automount/Autofs of HOME-directories

NFS

The following example builds on the previous LDAP setup. The options that add automount/autofs support for the HOME directories are appended and are the last three lines.

slxos-plugin install suse-11.0-auth auth \
  auth::rootpwd=foo \
  auth::ldap=1 \
  auth::ldapuri="ldaps://132.230.4.6" \
  auth::ldapbase="ou=people,dc=uni-freiburg,dc=local" \
  auth::nss_base_passwd="ou=people,dc=uni-freiburg,dc=local" \
  auth::nss_base_group="ou=people,dc=uni-freiburg,dc=local" \
  auth::ldapbinddn="cn=admin,dc=uni-freiburg,dc=local" \
  auth::ldapbindpw="foo" \
  auth::ldap_options="TLS_REQCERT allow\ntls_checkpeer no\nssl on\n" \
  auth::automount=1 \
  auth::automnt_src="nfs://132.230.4.6/srv/openslx/export/nfs/autofstest/" \
  auth::automnt_dir="/home/users" 

Possible configuration issues

Be aware that auth::automnt_dir has to match the LDAP server's configuration: if it differs from the parent directory of the homeDirectory attribute of the LDAP users, the HOME directory is not mounted. Besides changing auth::automnt_dir, setting mapping options in ldap.conf via auth::ldap_options can be another workaround (be aware of the differences and possible issues).

nss-pam-ldapd problems

The mapping of the HOME directories, or the LDAP configuration as a whole, can also fail because nslcd (nss-pam-ldapd, a separate NSS/PAM LDAP implementation that replaces nss_ldap/pam_ldap) is in use. In that case /etc/nslcd.conf takes the place of ldap.conf, and that file does not understand the nss_* options. Therefore the use of nss-pam-ldapd is not recommended and a warning is shown when the plugin is installed. If ldap.conf contains no nss_* options, the nslcd way may work out of the box, but it does not have to.

If there is an issue with nslcd, there are several workarounds:
  1. Fix the LDAP configuration so that it is compatible with nslcd.
  2. Create an nslcd.conf and store it in auth::files. This file is automatically copied to /etc/nslcd.conf.
  3. Install the original pam_ldap package on the (cloned) system, which is also suggested when the plugin is installed.
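Added example for workarounds 1 and 2 (not the plugin's code): a small shell converter that rewrites nss_ldap-style ldap.conf keywords into nslcd.conf syntax, so that a generated ldap.conf can be turned into an nslcd.conf for auth::files. The sample input is constructed from the second LDAP example above. The nslcd keywords emitted (per-database "base", "scope", "filter" and "map", "tls_reqcert") are those documented for nss-pam-ldapd's nslcd.conf; the object-class filters restated in the "filter" lines are nss_ldap's defaults, and which nss_ldap keywords nslcd accepts unchanged is the script's own (conservative) list.

```shell
#!/bin/sh
# Added example, not part of the OpenSLX auth plugin: translate an nss_ldap
# style ldap.conf into nslcd.conf syntax, as a starting point for workaround 1
# or 2 above. nslcd has no nss_base_* / nss_map_* keywords; the same settings
# are written per database with "base", "scope", "filter" and "map".

ldapconf_to_nslcd() {   # ldapconf_to_nslcd FILE  > nslcd.conf
    conf=$1
    while read -r key val; do
        case $key in ''|\#*) continue ;; esac
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case $lkey in
            nss_base_passwd|nss_base_group|nss_base_shadow)
                db=${lkey#nss_base_}
                # nss_ldap syntax: base?scope?filter (scope and filter optional)
                IFS='?' read -r base scope filter <<EOF
$val
EOF
                printf 'base %s %s\n' "$db" "$base"
                [ -n "$scope" ] && printf 'scope %s %s\n' "$db" "$scope"
                if [ -n "$filter" ]; then
                    # nss_ldap puts parentheses around the extra filter and ANDs
                    # it with its default object-class filter (which is why the
                    # example above gets away with an unbalanced filter).
                    # nslcd's "filter" replaces the default, so restate it.
                    case $filter in \(*\)) ;; *) filter="($filter)" ;; esac
                    case $db in
                        passwd) oc='(objectClass=posixAccount)' ;;
                        group)  oc='(objectClass=posixGroup)' ;;
                        shadow) oc='(objectClass=shadowAccount)' ;;
                    esac
                    printf 'filter %s (&%s%s)\n' "$db" "$oc" "$filter"
                fi ;;
            nss_map_attribute)
                # nslcd attribute maps are per database; pick it from the attribute
                set -- $val
                case $1 in
                    memberUid|uniqueMember|member) printf 'map group %s %s\n' "$1" "$2" ;;
                    shadow*)                       printf 'map shadow %s %s\n' "$1" "$2" ;;
                    *)                             printf 'map passwd %s %s\n' "$1" "$2" ;;
                esac ;;
            tls_checkpeer)
                # no such keyword in nslcd; "no" corresponds to tls_reqcert never
                case $(printf '%s' "$val" | tr 'A-Z' 'a-z') in
                    no) echo '# tls_checkpeer no: server certificate is NOT verified'
                        echo 'tls_reqcert never' ;;
                    *)  echo 'tls_reqcert demand' ;;
                esac ;;
            uri|base|binddn|bindpw|ssl|tls_reqcert|tls_cacertfile|tls_cacertdir|scope|timelimit|bind_timelimit|idle_timelimit|referrals|ldap_version|nss_initgroups_ignoreusers)
                printf '%s %s\n' "$lkey" "$val" ;;
            *)
                printf '# not understood by nslcd, dropped: %s %s\n' "$key" "$val" ;;
        esac
    done < "$conf"
}

# Constructed sample: the second LDAP example above, as the plugin would write it.
write_sample_ldap_conf() {
    printf '%s\n' \
        'uri ldap://132.230.1.62' \
        'base ou=people,dc=uni-freiburg,dc=de' \
        'nss_base_passwd ou=people,dc=uni-freiburg,dc=de?one?rufdienst=ldap*)(&(rufclienthome=*)(rufstatus=enabled)' \
        'nss_base_group ou=group,dc=uni-freiburg,dc=de?one' \
        'nss_map_attribute      homeDirectory rufClientHome' \
        'TLS_REQCERT allow' > "$1"
}

# Usage: sh ldapconf-to-nslcd.sh /etc/ldap.conf > /root/auth-plugin/nslcd.conf
if [ $# -eq 1 ]; then
    ldapconf_to_nslcd "$1"
fi
```

Review the dropped lines (commented with "# not understood by nslcd") and the restated filters before storing the result as nslcd.conf in auth::files; since nslcd.conf also carries bindpw in clear text, keep the same least-privilege bind account as for ldap.conf.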

NFSv4

NFSv4 is enabled by setting auth::nfs4=1 and auth::idmap_domain. The protocol in auth::automnt_src can be set to nfs4://, but nfs:// is sufficient as well. auth::idmap_domain defines the Domain that is written to /etc/idmapd.conf; setting other /etc/idmapd.conf options is currently not implemented. Enabling NFSv4 in the above example leads to the following configuration:

slxos-plugin install suse-11.0-auth auth \
  auth::rootpwd=foo \
  auth::ldap=1 \
  auth::ldapuri="ldap://132.230.4.6" \
  auth::ldapbase="ou=people,dc=uni-freiburg,dc=local" \
  auth::nss_base_passwd="ou=people,dc=uni-freiburg,dc=local" \
  auth::nss_base_group="ou=people,dc=uni-freiburg,dc=local" \
  auth::ldapbinddn="cn=admin,dc=uni-freiburg,dc=local" \
  auth::ldapbindpw="foo" \
  auth::ldap_options="" \
  auth::automount=1 \
  auth::automnt_src="nfs://132.230.4.6/srv/openslx/export/nfs/autofstest/" \
  auth::automnt_dir="/home/users" \
  auth::idmap_domain="uni-freiburg.local" \
  auth::nfs4=1

Automount by script

There are (large) environments where the HOME directories are spread over different file servers, so that different users have their data on different servers. In such an environment a script can determine where a user's HOME directory is located and how to mount it.

If such a script is required to mount the users' HOME directories, it can be passed to the auth plugin via auth::automnt_script. The script named in this variable has to be in auth::files (usually /root/auth-plugin/). It is important that the usual auth::automnt_src is not defined (e.g. reset it via auth::automnt_src="").

If the script defined in auth::automnt_script requires other scripts or files, they can be distributed to the client by putting them into auth::files. All those files are copied to the OpenSLX client and can be found under /opt/openslx/plugin-repo/auth/. See also the Kerberos description.

slxos-plugin install ubuntu-10.04-auth auth \
  auth::rootpwd=foo \
  auth::ldap=1 \
  auth::ldapuri="ldap://132.230.4.6" \
  auth::ldapbase="ou=people,dc=uni-freiburg,dc=local" \
  auth::nss_base_passwd="ou=people,dc=uni-freiburg,dc=local" \
  auth::nss_base_group="ou=people,dc=uni-freiburg,dc=local" \
  auth::ldapbinddn="cn=admin,dc=uni-freiburg,dc=local" \
  auth::ldapbindpw="foo" \
  auth::ldap_options="" \
  auth::automount=1 \
  auth::automnt_script="automount-home.pl" \
  auth::automnt_dir="/home/users" 

If the automount script also uses NFSv4, the two options auth::idmap_domain and auth::nfs4 should be defined, too. For details see the NFSv4 description above.
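Added example of the kind of script this section describes (not the plugin's automount-home.pl, which is not shown on this page): an autofs program map in shell that picks the file server for a user and prints the mount entry. The server table, the export path /export/home/<user> and the host names are made up; that auth::automnt_script is invoked with the standard autofs program-map interface (key as $1, map entry on stdout) is an assumption to verify against the plugin's own sample script.

```shell
#!/bin/sh
# Added example, not the plugin's automount-home.pl: an autofs program map for
# HOME directories spread over several file servers. autofs runs a program map
# with the lookup key (here: the user name below auth::automnt_dir) as $1 and
# mounts whatever the script prints on stdout; no output / non-zero exit means
# "no such entry". Whether auth::automnt_script expects exactly this interface
# is an assumption; compare with the plugin's own sample script.

# Which server holds a user's HOME. Constructed sample table (assumption);
# a real site would read this from an LDAP attribute of the user.
home_server() {
    case $1 in
        [a-h]*) echo fs1.uni-freiburg.local ;;
        [i-p]*) echo fs2.uni-freiburg.local ;;
        *)      echo fs3.uni-freiburg.local ;;
    esac
}

# The key is attacker-influenced: any local process that touches
# /home/users/<anything> makes autofs call this script with <anything>.
# Accept only plain user names, so the key can never smuggle "../", spaces
# or option syntax into the mount arguments below.
valid_key() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# map_entry USER: print the autofs map entry for USER, or fail.
map_entry() {
    valid_key "$1" || return 1
    # NFSv4 with sec=sys needs auth::nfs4=1 and auth::idmap_domain on the
    # client so that uid/gid mapping matches the server (see above).
    printf '%s %s:/export/home/%s\n' '-fstype=nfs4,hard,sec=sys' "$(home_server "$1")" "$1"
}

if [ $# -eq 1 ]; then
    map_entry "$1" || exit 1
fi
```

The key validation is the part worth keeping whatever the lookup logic becomes: autofs calls the map for every name a process asks for under the mount point, so the script must treat $1 as untrusted input, not as a user name that has already been checked.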

Kerberos

If Kerberos is to be used, it needs to be enabled by setting auth::krb=1.

Besides this, the file krb5.conf needs to be in auth::files (default: /root/auth-plugin); it will be available as /etc/krb5.conf on the OpenSLX client.

Modifications and krb5.keytab

There are different ways to obtain the keys for /etc/krb5.keytab, so a script can be used to create /etc/krb5.keytab in Stage4. The script is defined in auth::krbscript and also has to be in auth::files.

Besides this, all files and folders in auth::files will be available in Stage4 under /opt/openslx/plugin-repo/auth/. As a result, all other scripts required by auth::krbscript are available in this folder once they have been copied to auth::files.

Example:

  ...
  auth::krb=1 \
  auth::krbscript="krb5-script.sh" 

Example krb5-script.sh

#!/bin/sh
# Fetch the host keytab in Stage4; retries because the network or the KDC
# may not be reachable yet when the script is first run.
umask 077                     # never leave a (half-written) keytab world-readable
i=1
while [ "$i" -le 30 ]; do
   test -s /etc/krb5.keytab && break
   # short retry interval for the first 10 attempts, then a longer one
   if [ "$i" -le 10 ]; then sleep 3; else sleep 10; fi
   # write to a temporary file and rename it, so /etc/krb5.keytab is either
   # complete or absent, never a truncated file that passes "test -s"
   if /opt/openslx/plugin-repo/auth/secretapplication > /etc/krb5.keytab.tmp 2>/dev/null \
      && [ -s /etc/krb5.keytab.tmp ]; then
      chmod 600 /etc/krb5.keytab.tmp && mv /etc/krb5.keytab.tmp /etc/krb5.keytab
   else
      rm -f /etc/krb5.keytab.tmp
   fi
   [ "$i" -eq 30 ] && ! test -s /etc/krb5.keytab && \
      printf '\n\tGetting Krb keytable failed, only root login possible!\n'
   i=$((i + 1))
done

In this example, the folder /root/auth-plugin has to contain the following files for the creation of /etc/krb5.keytab to succeed: krb5-script.sh and secretapplication. Since secretapplication is able to produce the host's keys, it (and any credential it embeds) should be readable and executable by root only on the client.

Own configuration files

Besides the files mentioned explicitly above, some configuration files can be replaced with your own versions. These files need to be in auth::files (default: /root/auth-plugin).

Be aware that these files override the configuration generated by the auth plugin!

  • nsswitch.conf will be copied to /etc/nsswitch.conf
  • krb5.conf will be copied to /etc/krb5.conf
  • ldap.conf will be copied to /etc/ldap.conf and linked to /etc/ldap/ldap.conf and /etc/openldap/ldap.conf (if these directories exist).
  • pam.d/* (all files under pam.d/, e.g. /root/auth-plugin/pam.d/foo) will be copied to /mnt/etc/pam.d/
  • nslcd.conf will be copied to /etc/nslcd.conf
  • Every other file and folder from auth::files will be copied to /opt/openslx/plugin-repo/auth/