* [gentoo-dev] OpenLDAP user authentication / autofs integration
From: gdjohn @ 2002-10-31 12:31 UTC
To: gentoo-dev
Hi,
I've recently got my Gentoo systems authenticating users/automount'ing
home directories with all of the directory information coming from my
openldap server :)
What I would like to do is get all of my hard work into the relevant
ebuilds now. I've a query though regarding USE variables. The "ldap" use
variable seems a little overloaded in its scope - it can be used for
everything from adding ldap address book support in email clients, to
providing ldap user authentication (with a little extra work...).
I realise that USE variables could quickly become unmanageable if loads
were added, but it would be nice if there were a way to specify, for
example, what sort of authentication you wanted to use (a la RedHat and
others I imagine) and have it work out of the box (or, if you will,
source).
For things like ldap, I would suggest maybe ldap_client and ldap_auth USE
variables. Is this a bad suggestion...?
I will attempt to document all that I actually had to do in order to get
LDAP authentication/autofs working in case anyone else is interested...
Cheers,
Gareth
* Re: [gentoo-dev] OpenLDAP user authentication / autofs integration
From: Mark Bainter @ 2002-10-31 14:14 UTC
To: gdjohn; +Cc: gentoo-dev
gdjohn@egregious.org.uk [gdjohn@egregious.org.uk] wrote:
> Hi,
>
> I've recently got my Gentoo systems authenticating users/automount'ing
> home directories with all of the directory information coming from my
> openldap server :)
>
> What I would like to do is get all of my hard work into the relevant
> ebuilds now. I've a query though regarding USE variables. The "ldap" use
> variable seems a little overloaded in its scope - it can be used for
> everything from adding ldap address book support in email clients, to
> providing ldap user authentication (with a little extra work...).
>
> I realise that USE variables could quickly become unmanageable if loads
> were added, but it would be nice if there were a way to specify, for
> example, what sort of authentication you wanted to use (a la RedHat and
> others I imagine) and have it work out of the box (or, if you will,
> source).
>
> For things like ldap, I would suggest maybe ldap_client and ldap_auth USE
> variables. Is this a bad suggestion...?
>
Hrm...I'd say maybe just add ldap_auth. That way, existing builds
won't break, and people won't have to add additional flags to their
USE variable (ldap_client) unless they want this new functionality.
* Re: [gentoo-dev] OpenLDAP user authentication / autofs integration
From: Gareth John @ 2002-10-31 14:36 UTC
To: mark-gt; +Cc: gentoo-dev
>> I've recently got my Gentoo systems authenticating users/automount'ing
>> home directories with all of the directory information coming from my
>> openldap server :)
>>
>> What I would like to do is get all of my hard work into the relevant
>> ebuilds now. I've a query though regarding USE variables. The "ldap"
>> use variable seems a little overloaded in its scope - it can be used
>> for everything from adding ldap address book support in email clients,
>> to providing ldap user authentication (with a little extra work...).
>>
>> I realise that USE variables could quickly become unmanageable if
>> loads were added, but it would be nice if there were a way to specify,
>> for example, what sort of authentication you wanted to use (a la
>> RedHat and others I imagine) and have it work out of the box (or, if
>> you will, source).
>>
>> For things like ldap, I would suggest maybe ldap_client and ldap_auth
>> USE variables. Is this a bad suggestion...?
>>
>
> Hrm...I'd say maybe just add ldap_auth. That way, existing builds won't
> break, and people won't have to add additional flags to their USE
> variable (ldap_client) unless they want this new functionality.
The ldap_auth flag would make more sense in this respect. Thinking about
it a little more though, I'm not so sure I was thinking straight anyway.
Authentication should be handled by PAM, and so the back end should be
transparent to any applications.
I guess what I would really like is to be able to do:
    emerge ldap_auth
and have it emerge openldap, pam_ldap and nss_ldap.
Additionally, the ebuild will provide a convenient
-
"If you want to set up an LDAP directory for user authentication, run this
command:
    ebuild /usr/portage/net-misc/ldap_auth/ldap_auth.ebuild setup_ldap_user_auth
-
or something like that. This command could then create the LDAP directory
entries. Ideally, I can knock up some scripts like ldap_useradd,
ldap_userdel, etc. to mimic their non-ldap counterparts' functionality.
How does this sound?
Cheers,
Gareth John
* Re: [gentoo-dev] OpenLDAP user authentication / autofs integration
From: Troy Dack @ 2002-10-31 22:10 UTC
To: gentoo-dev
> Hi,
>
> I've recently got my Gentoo systems authenticating users/automount'ing
> home directories with all of the directory information coming from my
> openldap server :)
Well done! LDAP is causing me all sorts of grief at the moment. Do you
also have global or private address books?
<snip>
> I will attempt to document all that I actually had to do in order to get
> LDAP authentication/autofs working in case anyone else is interested...
That would be really, really, really good. A HOWTO or step by step would
be really appreciated.
--
Troy Dack
* Re: [gentoo-dev] OpenLDAP user authentication / autofs integration
From: Gareth John @ 2002-10-31 22:40 UTC
To: troy; +Cc: gentoo-dev
>>
>> I've recently got my Gentoo systems authenticating users/automount'ing
>> home directories with all of the directory information coming from my
>> openldap server :)
>
> Well done! LDAP is causing me all sorts of grief at the moment. Do you
> also have global or private address books?
>
> <snip>
>
>> I will attempt to document all that I actually had to do in order to
>> get LDAP authentication/autofs working in case anyone else is
>> interested...
>
> That would be really, really, really good. A HOWTO or step by step
> would be really appreciated.
>
I will try to get a step-by-step guide done on Sunday - I'm too busy until
then I'm afraid. How far have you got? My main stalling points were
realising that I needed to patch autofs - you can get the necessary
patches from http://people.redhat.com/~nalin/autofs. These apply to the
current version of autofs. There is also an autofs.schema in
http://people.redhat.com/~nalin/schema which you will need to include in
your ldap configuration schema file thing.
I did hit some other stumbling points - I'll document them as and when I
remember them...
Hope this helps,
Gareth