Provisioning Linux Users

As mentioned at the beginning of this chapter, not all services support native eDirectory authentication. This is especially apparent in the services commonly associated with Linux environments. A typical Linux server provides user authentication for a number of services; common examples are local logins, secure shell connections, Samba, NFS, and HTTP/FTP access. Managing user accounts across all of these access methods can be the most frustrating part of administration. OES Linux greatly simplifies this aspect of administration by making eDirectory the central store for all user accounts across all services. The OES component that provides this integration is Linux User Management.

Linux User Management

In a nutshell, Linux User Management (LUM) is a directory-enabled application that centralizes the storage and management of Linux user accounts. LUM uses eDirectory as the back-end repository for users and therefore inherits the security, scalability, and reliability that eDirectory users have come to expect. LUM extends the capabilities of the Novell Account Management (NAM) software and includes the following components:

NAM Pluggable Authentication Module (pam_nam)
This module provides eDirectory authentication through LDAP for all PAM-aware services. Once authenticated, users have the same privileges as when authenticating through NIS, NIS+, or local files. Linux administrators may think of it as the equivalent of the pam_ldap module.
Although the primary purpose of pam_nam is to provide LDAP authentication, as pam_ldap does, pam_nam is more tightly integrated with eDirectory and offers these additional benefits:

- Unique UIDs and GIDs across the LDAP tree, or LUM domain
- Advanced server access control based on LDAP access control lists (ACLs) in eDirectory
- Refined LDAP searches that integrate more effectively with eDirectory

NAM Name Service Switch redirector (libnss_nam)
This redirector enables user and group lookups through an LDAP connection to eDirectory. It is what allows permissions to be enforced when users access system resources.

NAM Cache Daemon (namcd)
This daemon caches all user and group lookups performed by NAM. The cache is checked first; if the requested entry is found there, no LDAP lookup against eDirectory is performed. This greatly improves name resolution performance.

Command-line utilities
A number of command-line utilities exist to aid Linux administrators. They can be used in place of iManager for basic LUM administration and are covered later in this section.

LUM-RELATED OBJECTS

In addition to the software components of LUM, the eDirectory schema must be extended for LUM to integrate Linux authentication into eDirectory. The extension takes place automatically during the LUM installation. The LUM-specific extensions create the classes and attributes required for authentication by Linux services. They are used both to create the LUM-specific objects that configure LUM and to extend user and group objects into valid Linux users and groups. The following list describes each of the required LUM objects:

Linux (UNIX) Config
This object stores configuration information for a specific LUM domain, such as the next available UID and GID numbers and the context for Linux Workstation objects.
NOTE
A LUM domain is simply the term for one Linux Config object and all users and workstations associated with it. By default, one Linux Config object, and therefore one LUM domain, is created when LUM is installed. Additional Linux servers and workstations can be added to this domain with the namconfig utility. If your network spans multiple sites, or LUM services will be offered to a large number of users, additional Linux Config objects (and therefore additional LUM domains) can be created. The namconfig utility is the only tool that can create Linux Config objects in eDirectory. When you create multiple Linux Config objects, give each LUM domain its own eDirectory partition. Also, because LUM uses a subtree LDAP search, make sure that no LUM domain sits beneath another LUM domain in the eDirectory tree; otherwise the upper domain's searches would also find the lower domain's users and groups.

Linux (UNIX) Workstation
Every Linux server or workstation that relies on LUM authentication must have a Linux Workstation object in the eDirectory tree. This object holds the links to all LUM groups that are allowed access to the machine's local services.

LUM User
Normal eDirectory users are extended with a Linux-specific auxiliary class. This extension gives the user the attributes required for Linux authentication, such as the User ID (UID) number, primary Group ID (GID) number, default shell, and home directory location.

LUM Group
eDirectory groups are also extended with a Linux-specific auxiliary class. This extension adds attributes such as the Group ID (GID) number and the Linux Workstations and users assigned to the group.

NOTE
During the installation of LUM, a default Linux Config object, Linux Workstation object, and LUM group are all configured automatically.
However, LUM users are not created automatically: the LUM attributes must either be added when a new eDirectory user is created, or an existing eDirectory user must be converted to a LUM user before that user can log in through LUM.

LUM INSTALLATION

The installation of LUM is normally performed during the main OES installation. If LUM was not selected at that time, follow these steps to add LUM to your OES server.

LUM ADMINISTRATION

LUM administration can be divided into three categories:

- LUM configuration
- User and group administration
- Linux service administration

LUM CONFIGURATION

Although LUM is usable immediately after installation, it is a good idea to check the default LUM configuration before creating LUM users. The following steps describe checking the LUM configuration:
In addition to the iManager-based configuration, there are some options you may want to set on the OES machine itself. One important option concerns the NAM Cache Daemon (namcd). As explained earlier, namcd caches user and group lookups from eDirectory. By default it uses a persistent cache that is immediately available after a server restart. For most implementations this is the desired behavior and gives the best performance. However, if you want a nonpersistent cache, or want to change the cache refresh or size settings, the namcd configuration must be edited by hand. The configuration file for NAM is /etc/nam.conf, and the settings within it determine how namcd behaves. The primary cache settings are as follows (see the nam.conf man page for more information):

enable-persistent-cache=YES
Determines whether the namcd cache is kept on the local server and survives server reboots. Valid values are "yes" and "no".

persistent-cache-refresh-period=28800
Specifies the interval, in seconds, at which cached users and groups are refreshed from eDirectory. A longer interval reduces network traffic but can produce stale data; because group membership is cached along with names and IDs, a change such as removing a user from a LUM group may not take effect on the server until the next refresh. Valid settings range from 1 to 2147483647 seconds.

persistent-cache-refresh-flag=all
Determines whether all user and group data is refreshed during a cache refresh, or only the accounts that have been accessed during the current session. Valid values are "all" and "accessed".

NOTE
Do not confuse namcd (the NAM Cache Daemon) with nscd (the Name Service Cache Daemon). With LUM, namcd and nscd work together: nscd caches hostnames and addresses, whereas namcd specifically caches user and group names and IDs from eDirectory.
With namcd, subsequent lookups of cached users and groups are significantly faster.

USER AND GROUP ADMINISTRATION

eDirectory users do not automatically have the attributes required for LUM authentication. For a user to be a valid LUM user, these attributes must either be added during the initial user creation in iManager or added afterward by converting the existing user to a LUM user. Assigning the LUM attributes during user creation was described in the User Object section at the beginning of this chapter. The following steps describe how to convert an existing user to a valid LUM user.

the Group Object section at the beginning of this chapter. The following steps describe how to convert an existing group to a valid LUM group.

LINUX SERVICE ADMINISTRATION

During the installation of LUM, you choose which PAM-aware services you would like to LUM-enable. The services available for selection are listed in Table 8.4.
SECURING LUM

When you're using LUM, users can be authenticated to eDirectory over either a secure or a nonsecure LDAP connection. Always use a secure LDAP connection; otherwise the LDAP bind carries the user's credentials across the network in the clear. This is the default configuration of OES, but servers or workstations added to the LUM domain later must be configured manually. The same procedure can be run on the current OES server to reconfigure LUM if configuration errors are encountered:

namconfig add -a <admin name and context> -r <Linux Config context> -w <server/workstation context> -S

After determining the appropriate values for the admin name and context, Linux Config context, and server or workstation context, the command looks more like the following:

namconfig add -a cn=admin,o=novell -r ou=lum,o=novell -w ou=ws,ou=nam,o=novell -S

The namconfig utility configures NAM on Linux servers and workstations. With -S, it configures the local machine to communicate via SSL by modifying the /etc/nam.conf file and retrieving the server's SSL certificate from eDirectory. The certificate is stored in the /var/nam directory as a hidden file named after the server with a .der extension. If this certificate expires, it can be re-created with the following command:

namconfig -k

NOTE
For more information on namconfig, refer to the man page or to Novell's online documentation.

LUM COMMAND-LINE UTILITIES

Most LUM administration is performed through iManager. However, Linux administrators who are comfortable with the command line may find the command-line tools quicker than iManager's browser-based interface. Table 8.5 summarizes the command-line tools available for LUM administration on the OES machine.
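Returning to the certificate that namconfig -S stores under /var/nam: it is worth warning before it expires rather than discovering the expiry after the fact. The following script does that with openssl(1). It is an added example for this chapter, not Novell code. It assumes openssl is installed, that the file is /var/nam/.<hostname>.der (the text only says a hidden file named after the server with a .der extension), and that namconfig -k is the way to refresh it; the one-day certificate it generates for the offline demo is constructed test data.

```shell
#!/bin/sh
# namcert_check.sh: warn before the LUM server certificate in /var/nam expires.
# Added example, not part of OES. Assumed: openssl(1) is installed, the DER file is
# /var/nam/.<hostname>.der, and "namconfig -k" re-fetches it from eDirectory.

# cert_valid_for DERFILE DAYS: true if the certificate is still valid DAYS days from now.
cert_valid_for() {
  openssl x509 -inform DER -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# namcert_status DERFILE WARNDAYS: print MISSING, EXPIRED, RENEW or OK.
# Exit status: 0 for OK, 1 for RENEW, 2 for MISSING/EXPIRED (an unparsable file counts as EXPIRED).
namcert_status() {
  f=$1; warn=${2:-30}
  if [ ! -r "$f" ]; then echo MISSING; return 2; fi
  if ! cert_valid_for "$f" 0; then echo EXPIRED; return 2; fi
  if ! cert_valid_for "$f" "$warn"; then echo RENEW; return 1; fi
  echo OK; return 0
}

# make_test_cert OUT.der: constructed fixture, a self-signed certificate valid for one day.
make_test_cert() {
  td=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=oes1.example.com \
    -keyout "$td/key.pem" -out "$td/cert.pem" >/dev/null 2>&1
  openssl x509 -in "$td/cert.pem" -outform DER -out "$1"
  rm -rf "$td"
}

if [ -n "${NAMCERT_LIVE:-}" ]; then
  # Live mode: check the real file on this server and say what to do about it.
  der="/var/nam/.$(hostname).der"              # assumed location
  status=$(namcert_status "$der" "${NAMCERT_WARNDAYS:-30}")
  echo "$der: $status"
  case $status in
    MISSING|EXPIRED|RENEW) echo "run: namconfig -k   (re-fetch the server certificate from eDirectory)" ;;
  esac
elif command -v openssl >/dev/null 2>&1; then
  # Offline demo on a constructed one-day certificate.
  tmp=$(mktemp -d)
  make_test_cert "$tmp/demo.der"
  echo "30-day warning window: $(namcert_status "$tmp/demo.der" 30)"   # RENEW
  echo "no warning window:     $(namcert_status "$tmp/demo.der" 0)"    # OK
  rm -rf "$tmp"
fi
```

Run it from cron with NAMCERT_LIVE=1 and the warning window you want in NAMCERT_WARNDAYS; a non-zero exit status is the signal to schedule namconfig -k. The check uses openssl's -checkend rather than parsing dates, so it behaves the same on any libc's date(1).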
NOTE
More information on each of these utilities is available from the man page for the respective utility.

AUTHENTICATION WITH LUM

With LUM configured, valid LUM users and groups created, and Linux services integrated into LUM, the authentication process a user goes through with LUM can finally be examined. LUM is specifically designed to take advantage of the Pluggable Authentication Module (PAM) infrastructure common on Linux servers. The primary benefit is that any PAM-aware service can be integrated into eDirectory through LUM with relative ease. This section describes the integration steps and the authentication process for a PAM-aware service.

NOTE
It is possible for LDAP-aware services to integrate directly with eDirectory, but that configuration is specific to the application being integrated and beyond the scope of this book.

PAM INTEGRATION WITH LUM

As mentioned in the Login Process section of Chapter 3, "Working with SUSE Linux Enterprise Server 9," PAM uses a configuration file for every PAM-aware service. These files live in the /etc/pam.d directory and are named after the respective service. Their contents determine which modules take part in authentication and decide whether the user is allowed access. As shown in Figure 8.12, the pam_nam module is used for all authentication services.

Figure 8.12. The pam_nam configuration used with the Login service.

NOTE
For more information regarding the nam.conf configuration file, refer to the man page or to Novell's online documentation.

NAME SERVICES WITH LUM

After authentication, the ability to look up user and group names in eDirectory is still required. The process of resolving user, group, machine, and other identities on Linux is known as Name Services. When LUM is used, the Name Services configuration must be altered so that names are also looked up in eDirectory.
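Each of these integration points is a plain text file: the namcd cache settings in /etc/nam.conf from the LUM Configuration section, the pam_nam entries in /etc/pam.d, and the passwd and group entries in /etc/nsswitch.conf covered next. On a server added to the LUM domain by hand they are easy to get wrong, so the following script checks all three. It is an added example for this chapter, not Novell code. The sample files it writes are constructed; the pam.d stack it expects (pam_nam.so present in the auth and account stacks, shown here marked sufficient ahead of pam_unix2.so) is an assumption about the OES layout rather than a copy of Figure 8.12; and the one-day ceiling it puts on the refresh period is an editorial threshold, not a nam.conf limit.

```shell
#!/bin/sh
# lum_check.sh: sanity-check the LUM integration files on a server after "namconfig add".
# Added example for this chapter, not part of OES. Assumed locations: /etc/nam.conf,
# /etc/nsswitch.conf and /etc/pam.d/<service>; the sample files below are constructed.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# kv_get KEY FILE: value of KEY in a "key=value" file such as nam.conf (first match
# wins; surrounding whitespace and a trailing CR are stripped).
kv_get() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1 \
    | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# check_namcd NAMCONF: the three namcd cache settings with the value ranges given in
# the text. Returns 0 when all three are sane, 1 otherwise.
check_namcd() {
  f=$1; rc=0
  v=$(kv_get enable-persistent-cache "$f")
  case "$(lower "$v")" in
    yes|no) ;;
    *) echo "enable-persistent-cache='$v': expected yes or no"; rc=1 ;;
  esac
  p=$(kv_get persistent-cache-refresh-period "$f")
  case "$p" in
    ''|*[!0-9]*) echo "persistent-cache-refresh-period='$p': expected an integer"; rc=1 ;;
    *) if [ "$p" -lt 1 ] || [ "$p" -gt 2147483647 ]; then
         echo "persistent-cache-refresh-period=$p: outside 1..2147483647"; rc=1
       elif [ "$p" -gt 86400 ]; then
         # Cached data includes group membership, so a refresh period longer than a day
         # (an editorial threshold, not a nam.conf limit) delays group changes that long.
         echo "persistent-cache-refresh-period=$p: longer than a day, group changes will be slow to apply"; rc=1
       fi ;;
  esac
  fl=$(kv_get persistent-cache-refresh-flag "$f")
  case "$(lower "$fl")" in
    all|accessed) ;;
    *) echo "persistent-cache-refresh-flag='$fl': expected all or accessed"; rc=1 ;;
  esac
  return $rc
}

# check_nsswitch NSSWITCH: passwd and group must list nam after the local sources.
check_nsswitch() {
  f=$1; rc=0
  for db in passwd group; do
    srcs=$(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$f" | head -n 1)
    case " $srcs " in
      " nam "*)  echo "$db: nam is listed first; local accounts such as root should resolve before eDirectory"; rc=1 ;;
      *" nam "*) ;;
      *)         echo "$db: sources '$srcs' do not include nam, eDirectory users will not resolve"; rc=1 ;;
    esac
  done
  return $rc
}

# check_pam PAMFILE: the service's auth and account stacks must call pam_nam.so.
check_pam() {
  f=$1; rc=0
  for type in auth account; do
    grep -Eq "^[[:space:]]*$type[[:space:]].*pam_nam\.so" "$f" \
      || { echo "$(basename "$f"): no pam_nam.so in the $type stack"; rc=1; }
  done
  return $rc
}

# lum_check [NAMCONF] [NSSWITCH] [PAMFILE]: run all three checks; 0 only if all pass.
lum_check() {
  ok=0
  check_namcd    "${1:-/etc/nam.conf}"      || ok=1
  check_nsswitch "${2:-/etc/nsswitch.conf}" || ok=1
  check_pam      "${3:-/etc/pam.d/login}"   || ok=1
  return $ok
}

# write_samples DIR: constructed good and bad versions of each file for an offline run.
write_samples() {
  printf 'enable-persistent-cache=YES\npersistent-cache-refresh-period=28800\npersistent-cache-refresh-flag=all\n' > "$1/nam.good"
  printf 'enable-persistent-cache=maybe\npersistent-cache-refresh-period=0\npersistent-cache-refresh-flag=all\n' > "$1/nam.bad"
  printf 'passwd: compat nam\ngroup:  compat nam\nhosts:  files dns\n' > "$1/nss.good"
  printf 'passwd: nam compat\ngroup:  compat\n' > "$1/nss.bad"
  printf '#%%PAM-1.0\nauth     sufficient pam_nam.so\nauth     required   pam_unix2.so\naccount  sufficient pam_nam.so\naccount  required   pam_unix2.so\n' > "$1/login.good"
  printf '#%%PAM-1.0\nauth     required   pam_unix2.so\naccount  required   pam_unix2.so\n' > "$1/login.bad"
}

if [ -n "${LUM_CHECK_LIVE:-}" ]; then
  lum_check                                  # the real files on this server
else
  tmp=$(mktemp -d); write_samples "$tmp"
  echo "== good samples"; lum_check "$tmp/nam.good" "$tmp/nss.good" "$tmp/login.good" && echo "all checks passed"
  echo "== bad samples";  lum_check "$tmp/nam.bad"  "$tmp/nss.bad"  "$tmp/login.bad"  || echo "findings above"
  rm -rf "$tmp"
fi
```

Run it with LUM_CHECK_LIVE=1 on the server itself; without that variable it exercises the constructed samples so the checks can be read and tried offline. Pass a different service file as the third argument to lum_check to verify sshd or another LUM-enabled service instead of login.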
The configuration file for Name Services is /etc/nsswitch.conf. Its purpose is to list the databases of names that can be queried and where the information for each database can be found. With LUM, the databases of interest are user and group names, which are configured by the "passwd" and "group" entries in nsswitch.conf. When you're using LUM on the local server, these two entries should read as follows:

passwd: compat nam
group:  compat nam

This configuration causes a Name Service lookup to query the local files first (using the default compatibility mode) and then to query for user and group names through the libnss_nam library, which uses LDAP to query eDirectory. Once resolved, the names and IDs are cached by the NAM Cache Daemon (namcd) to reduce lookup time for subsequent requests. One example of where this lookup is performed is a file listing with the ls command: ls uses Name Services to translate the file's owner and group IDs into names rather than displaying the raw ID numbers. If the lookup fails, IDs rather than names are displayed, and permissions that depend on eDirectory users and group membership may no longer be enforced accurately. Default installations of LUM perform this configuration automatically. However, if additional servers or workstations are added to the LUM domain outside of an OES installation, the nsswitch.conf file must be edited by hand as in the preceding example after the machine has been added with namconfig; otherwise name lookups will fail.

Samba User Management

The Samba program suite provides access to local resources through the Microsoft SMB/CIFS protocol. This effectively allows Windows, Linux, and other operating systems to connect to those resources as though they were residing on a Windows-based computer.
To do this, Samba must use an authentication method that is compatible with Windows authentication. By default, Samba provides this through a local store of Samba users, in addition to those same users existing as local Linux accounts. Although this default configuration works, it can result in unsynchronized passwords and an environment that is difficult to maintain. OES Linux resolves this by leveraging the LUM infrastructure to provide Samba authentication as well.

Universal Password" section earlier in this chapter.

SAMBA COMPONENTS

The Samba suite that comes with OES is the same version of Samba available in other Linux distributions, such as SLES 9, with one notable exception: in order to integrate with LUM, the OES version of Samba has been compiled with the --with-ldapsam and --with-ssl configure switches. These switches are necessary to store user accounts in LDAP and to access those accounts securely. To reach LDAP directories, Samba also relies on the OpenLDAP client libraries, libldap.so and libldap_r.so. The default configuration of the OpenLDAP client is to connect to eDirectory over a secure (SSL) LDAP session.

SAMBA INSTALLATION

The installation of Samba is normally performed during the main OES installation. If Samba was not selected at that time, follow these steps to add Samba to your OES server.

SAMBA ADMINISTRATION

Administration of Samba services within OES can be divided into three basic categories:

- General Samba configuration
- Samba user administration
- Samba resource administration

GENERAL SAMBA CONFIGURATION

The main configuration file for Samba is /etc/samba/smb.conf. This file contains the information Samba needs to connect to eDirectory. The following list covers a few of the parameters required for Samba integration with LUM:

passdb backend
This parameter holds the connection information for the eDirectory server.
ldap admin dn
The eDirectory administrator's name and context, in LDAP format, must be specified with this parameter.

ldap suffix
The LDAP search base used when locating Samba users. This is normally the same context in which the Linux Config object can be found.

ldap passwd sync
Determines whether the Samba password is synchronized via LDAP. This should be set to on with OES.

security
This should be set to user with OES. It ensures that a valid username and password combination is required before a user can access Samba shares.

encrypt passwords
Configures the server to recognize the encrypted passwords used with OES.

netbios name
The NetBIOS name by which the Samba server is known. OES appends -W to the host name for this entry, which is required to prevent a conflict with the NCP server name.

SAMBA USER ADMINISTRATION

As mentioned, Samba users are simply LUM users with an additional set of attributes. During user creation in iManager, you are automatically prompted to convert the new user to both a LUM and a Samba user. If the conversion is done at this time, the user's Samba password field is filled in automatically with the new user's password. If the user is not converted at this time, the user must be converted manually later and the password must be re-entered by hand. A normal user cannot be converted directly to a Samba user without also being converted to a LUM user; for that process, refer to the LUM user section earlier in this chapter. If you have a LUM user who was not designated as a Samba user, convert the LUM user to a Samba user through the following steps:
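The parameters listed above can be audited mechanically. The following script, an added example for this chapter rather than Novell or Samba code, reads the [global] section of an smb.conf the way Samba does (parameter names are case- and whitespace-insensitive) and flags the settings that weaken the LUM integration: a passdb backend that reaches eDirectory without ldaps:// (or ldap ssl = start tls), security not set to user, encrypt passwords or ldap passwd sync turned off, and a netbios name without the -W suffix. The weak and hardened configurations it audits are constructed samples; oes1.example.com and the o=novell contexts in them are placeholders.

```shell
#!/bin/sh
# smb_lum_audit.sh: flag smb.conf [global] settings that weaken Samba's use of LUM.
# Added example for this chapter, not Novell or Samba code. The two sample configurations
# are constructed; oes1.example.com and the o=novell contexts are placeholders.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# smb_get PARAM FILE: value of PARAM in the [global] section. Samba ignores case and
# whitespace in parameter names, so "PassDB Backend" and "passdb backend" are the same.
smb_get() {
  awk -v key="$(printf '%s' "$1" | tr -d ' ' | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*[#;]/ { next }                                # comment lines
    /^[[:space:]]*\[/   { inglobal = (tolower($0) ~ /\[global\]/); next }
    inglobal && /=/ {
      k = $0; sub(/=.*/, "", k); gsub(/[[:space:]]/, "", k)
      v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
      if (tolower(k) == key) { print v; exit }
    }' "$2"
}

# is_yes VALUE: the spellings Samba accepts for a true boolean.
is_yes() { case "$(lower "$1")" in yes|true|1|on) return 0 ;; esac; return 1; }

# smb_audit FILE: print one finding per line; the exit status is the number of findings.
smb_audit() {
  f=$1; n=0
  be=$(smb_get "passdb backend" "$f")
  case "$be" in
    ldapsam:ldaps://*) ;;                                       # LDAP over SSL
    ldapsam:*)
      [ "$(lower "$(smb_get 'ldap ssl' "$f")")" = "start tls" ] \
        || { echo "passdb backend = $be: eDirectory is reached without SSL/TLS, use ldaps:// or ldap ssl = start tls"; n=$((n+1)); } ;;
    *) echo "passdb backend = '$be': not ldapsam, Samba users are not taken from eDirectory"; n=$((n+1)) ;;
  esac
  [ "$(lower "$(smb_get security "$f")")" = "user" ] \
    || { echo "security should be user so that every share requires a valid username and password"; n=$((n+1)); }
  is_yes "$(smb_get 'encrypt passwords' "$f")" \
    || { echo "encrypt passwords should be yes (challenge/response rather than plaintext SMB logons)"; n=$((n+1)); }
  is_yes "$(smb_get 'ldap passwd sync' "$f")" \
    || { echo "ldap passwd sync should be on so Samba and eDirectory passwords stay in step"; n=$((n+1)); }
  case "$(smb_get 'netbios name' "$f")" in
    *-W|*-w) ;;
    *) echo "netbios name should be the host name with -W appended, to avoid a clash with the NCP server name"; n=$((n+1)) ;;
  esac
  return $n
}

# write_samples DIR: a weak and a hardened [global] section (constructed).
write_samples() {
  cat > "$1/weak.conf" <<'EOF'
[global]
   workgroup = NOVELL
   netbios name = oes1
   security = share
   encrypt passwords = no
   passdb backend = ldapsam:ldap://oes1.example.com
   ldap admin dn = cn=admin,o=novell
   ldap suffix = ou=lum,o=novell
   ldap passwd sync = no
[data]
   path = /srv/samba/data
   read only = no
EOF
  cat > "$1/hard.conf" <<'EOF'
[global]
   workgroup = NOVELL
   netbios name = OES1-W
   security = user
   encrypt passwords = yes
   passdb backend = ldapsam:ldaps://oes1.example.com
   ldap admin dn = cn=admin,o=novell
   ldap suffix = ou=lum,o=novell
   ldap passwd sync = yes
EOF
}

if [ -n "${SMB_AUDIT_LIVE:-}" ]; then
  smb_audit /etc/samba/smb.conf                 # the real file on this server
else
  tmp=$(mktemp -d); write_samples "$tmp"
  echo "== weak.conf";  smb_audit "$tmp/weak.conf" || echo "$? finding(s)"
  echo "== hard.conf";  smb_audit "$tmp/hard.conf" && echo "no findings"
  rm -rf "$tmp"
fi
```

The parser deliberately stops reading parameters once a share section begins, because a `security = user` line placed under a share rather than in [global] would not take effect; auditing the wrong section is a common way to get a false sense of safety. Run with SMB_AUDIT_LIVE=1 on the server, or re-run after every smb.conf change before restarting Samba.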
When this process has been completed, the user is a valid Samba user and can access any Samba resources configured on the server.

SAMBA RESOURCE ADMINISTRATION

Samba resources include local files and printers. With OES, iPrint is the recommended method of printer sharing, because the iPrint solution is much more complete than printer sharing under Samba. File sharing with Windows users can be accomplished either through Samba or by using the Novell Client to access NCP server resources. The NCP server provides a more complete filesystem permission structure than Samba, and NCP-based permissions are fully integrated with eDirectory. However, Samba shares are a widely used way of sharing files and may be the best option for your requirements. Configuring Samba file shares with OES is identical to configuring shares without OES. The YaST administration tool provides a Samba server configuration module, which should be used to configure all Samba shares. The following steps document this process:

NOTE
Samba can be quite complex. For more information on the many options for configuring Samba resources, refer to the main Samba documentation at http://www.samba.org.