What's LUM Got To Do with It
Deployment Considerations for Linux User Management on Novell Open Enterprise Server

Arthur Nielson, Global Technical Support Engineer, Novell, anielson@novell.com
Fred Patterson, Global Technical Support Engineer, Novell, fpatterson@novell.com
Agenda

    •   Benefits
    •   Usability Demo
    •   Architecture
    •   Configuration
    •   Installation Demo
    •   Tuning and Parameters
    •   Troubleshooting
    •   Troubleshooting Demo
2   © Novell, Inc. All rights reserved.
Benefits
    Gotta LUM it!
    •   Administration
         –   Using LUM and eDirectory to manage user login information
             eliminates the need to create local users in the /etc/passwd
             and /etc/shadow files on each Linux computer. It simplifies
             administration by consolidating user accounts and workstations
             into a central point of administration.

    •   User Benefits
         –   Users can log in to Linux computers by using access methods
             such as login, SSH, FTP, su, rsh, rlogin, xdm, and gdm. The
             user only needs to remember their user name and password.
             The context is not needed, as LUM will find the user in
             eDirectory.
Usability Demo
Architecture
    Overview
    [Diagram: Management Workstation, Linux Workstation and eDirectory Servers, connected over LDAP/TCP]
    •   Management Workstation: iManager with the NAM on Linux snapin
    •   Linux Workstation: telnet, login, ls, id; pam_nam, nss_nam, namconfig and
        the command line utilities, all going through the LDAP client
    •   eDirectory Servers: one or more servers reached over LDAP/TCP
Architecture
    Overview
    [Diagram: login request from a Source Workstation to a Target Linux Workstation]
    •   The source workstation sends a login request (User: tom, Password: xxxx)
        to the target Linux workstation
    •   LUM on the target, configured by nam.conf, looks the user up in eDirectory
        and receives the UID, GID, Password, ...
    •   eDirectory objects involved:
         –   Linux/Unix Config Object – lists the workstations (L/U Workstation_001,
             L/U Workstation_002, L/U Workstation_003, ...)
         –   Linux/Unix Workstation Object – lists the groups associated with the
             workstation (mkting, sales, linux, ...)
         –   Group Object – lists its members (Timi.mktg.novell, Toddp.dev.novell,
             Toml.sales.novell, ...)
         –   User Object – carries UID, GID, Password, ...
Architecture
    Posix Account Schema
    •   The RFC2307 schema
         –   Adding the RFC2307 schema to the tree gives the group and user
             classes the attributes they need to be enabled to work on Linux
         –   The RFC2307 schema extension is applied when installing LUM
         –   /var/lib/novell-lum/nam.ldif
         –   http://www.ietf.org/rfc/rfc2307.txt
Architecture
    Posix Account Schema
         –   Attributes
              >   UidNumber
              >   GidNumber
              >   Gecos
              >   HomeDirectory
              >   LoginShell
              >   ShadowLastChange
              >   ShadowMin
              >   ShadowMax
              >   ShadowWarning
              >   ShadowInactive
              >   ShadowExpire
              >   ShadowFlag
              >   memberUid
              >   UamPosixWorkstationList
              >   UamPosixWorkstationContexts
              >   UamPosixSalt
              >   UamPosixPAMServiceExcludeList
Architecture
    Posix Account Schema
         –   Classes
              >   PosixAccount
              >   ShadowAccount
              >   PosixGroup
              >   UamPosixWorkstation
              >   UamPosixConfig
              >   UamPosixUser
              >   uamPosixGroup
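The slides list the RFC2307 classes and attributes but not how to verify that LUM-enabled objects actually carry them. The following is an added example (not from the slides, and not Novell's nam.ldif, namuserlist or any other LUM tool) that parses a small LDIF export of users and groups and applies the checks behind three of the common issues listed later under Troubleshooting: a missing mandatory attribute, an invalid or duplicate UID/GID, and password expiry data that is unavailable because the user lacks the shadowAccount class. SAMPLE_LDIF, its DNs and all function names are constructed for this example; the parser assumes plain `dn:` / `attribute: value` LDIF with RFC 2849 line folding and no base64 (`::`) values.

```python
"""Validate LUM-style POSIX entries exported from eDirectory as LDIF.

Added example; it is not the nam.ldif shipped with LUM nor any Novell tool.
It assumes a plain LDIF export (dn:/attr: value lines, entries separated by
blank lines, RFC 2849 line folding, no base64 '::' values). SAMPLE_LDIF is
constructed test data, not a real tree.
"""
from collections import defaultdict

# Attributes a posixAccount needs before a Linux workstation can map the user.
REQUIRED_POSIX_ATTRS = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")


def parse_ldif(text):
    """Return a list of (dn, {attribute_lowercase: [values]}) tuples."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, attrs, dn = [], defaultdict(list), None
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            attrs, dn = defaultdict(list), None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs[name].append(value)
    return entries


def check_entries(entries):
    """Return human-readable findings for every posixAccount in `entries`."""
    findings, uid_owner = [], {}
    # gidNumbers of every posixGroup in the export, to spot dangling primary groups
    group_gids = {g for _, a in entries
                  if "posixgroup" in {c.lower() for c in a.get("objectclass", [])}
                  for g in a.get("gidnumber", [])}
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "posixaccount" not in classes:
            continue
        for name in REQUIRED_POSIX_ATTRS:
            if not attrs.get(name.lower()):
                findings.append("%s: missing mandatory attribute %s" % (dn, name))
        for name in ("uidNumber", "gidNumber"):
            values = attrs.get(name.lower(), [])
            if values and not values[0].isdigit():
                findings.append("%s: %s is not numeric (%r)" % (dn, name, values[0]))
        uid = attrs.get("uidnumber", [""])[0]
        if uid.isdigit():
            if uid == "0":
                findings.append("%s: uidNumber 0 makes this user root on every LUM workstation" % dn)
            elif uid in uid_owner:
                findings.append("%s: uidNumber %s duplicates %s" % (dn, uid, uid_owner[uid]))
            else:
                uid_owner[uid] = dn
        gid = attrs.get("gidnumber", [""])[0]
        if gid.isdigit() and group_gids and gid not in group_gids:
            findings.append("%s: gidNumber %s matches no posixGroup in the export" % (dn, gid))
        if "shadowaccount" not in classes:
            findings.append("%s: no shadowAccount class, so password expiry attributes are unavailable" % dn)
    return findings


# Constructed sample export: one clean user, one broken user, one root-UID user, one group.
SAMPLE_LDIF = """\
dn: cn=toml,ou=sales,o=novell
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: toml
uidNumber: 1001
gidNumber: 600
homeDirectory: /home/toml
loginShell: /bin/bash

dn: cn=timi,ou=mktg,o=novell
objectClass: inetOrgPerson
objectClass: posixAccount
cn: timi
uidNumber: 1001
gidNumber: 601
homeDirectory: /home/timi

dn: cn=oops,ou=dev,o=novell
objectClass: posixAccount
objectClass: shadowAccount
uidNumber: 0
gidNumber: 600
homeDirectory: /root
loginShell: /bin/bash

dn: cn=sales,ou=groups,o=novell
objectClass: posixGroup
cn: sales
gidNumber: 600
memberUid: toml
"""

if __name__ == "__main__":
    for finding in check_entries(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

Run it against a real export (for example the output of an LDAP search scoped to the Unix Config object's subtree) and every line it prints is something `id <userid>` or `namuserlist` will later complain about; the uidNumber 0 check is there because LUM maps the eDirectory value straight into the workstation's UID space.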
Architecture
     LUM Directory Objects Structure and Rights
     •   Unix Config Object
          –   Created by default in the context of the Admin user that is
              authenticated to the tree during the initial install of LUM
     •   Unix Workstation Object
          –   Created by default in the context of the NCP Server object
     •   LUM-enabled User and Group Objects
          –   These objects are no different from any other user or group,
              except that they have been provisioned with the needed POSIX
              attributes
          –   They can be located anywhere in the subtree below the Unix Config
              object
               >   This is where [Public] is granted rights to the POSIX-related
                   attributes. [Public] also covers unauthenticated LDAP connections
                   (unless anonymous binds are disabled on the LDAP server), so
                   whatever is granted there is readable by anyone who can reach the
                   LDAP port; keep the grant limited to the POSIX attributes LUM needs.
Architecture
     [Public] ACL rights
     [Screenshot: trustee assignments for [Public] on the Unix Config context]
Architecture
     Unix Workstation ACL Rights
     [Screenshot: trustee assignments for the Unix Workstation object]
Architecture
     Files / Locations
     •   Configuration file for LUM / namcd
          –   /etc/nam.conf
     •   Cache daemon – communicates with eDirectory through LDAP and caches
         users and groups on the local file system
          –   /etc/init.d/namcd – linked to /usr/sbin/rcnamcd
     •   Name Services configuration sample – example of how to configure
         name resolution in /etc/nsswitch.conf
          –   /etc/nsswitch.conf.nam
     •   PAM sample – example of how to configure a Pluggable Authentication
         Module service to work with LUM
          –   /etc/pam.d/pam_nam_sample
Architecture
     Files / Locations
     •   LUM PAM files – modules that perform authentication
          –   /lib/security/pam_nam.so, /lib/security/pam_nam.so.0
     •   Name Services modules – provide name resolution
          –   /lib/libnss_nam.so, /usr/lib/libnss_nam.so
     •   LUM configuration – program used to configure LUM
          –   /usr/bin/namconfig
     •   LUM group and user configuration
          –   /usr/bin/namgroupadd, namgroupdel, namgrouplist, namgroupmod,
              namuseradd, namuserdel, namuserlist, namusermod
Architecture
     Files / Locations
     •   User migration tools
          –   /usr/bin/unix2edir – script to import users from /etc/passwd into eDirectory
          –   /usr/bin/nambulkadd – script to LUM-enable a defined set of eDirectory users
     •   Exported eDirectory certificate – used for SSL communication with NLDAP
          –   /var/lib/novell-lum/<servername or ipaddress>.der
     •   LUM configuration log
          –   /var/lib/novell-lum/nam.log
     •   LUM schema definitions – LDIF of the LUM schema modifications
          –   /var/lib/novell-lum/nam.ldif
Configuration
     Command Line
     •   namconfig
          –   add
               >   -a <admin fdn>
               >   -p <password>
               >   -r <base context>
               >   -w <server / workstation context>
               >   -o (overwrite an existing NAM configuration)
               >   -c (configure namcd with the cache-only option)
               >   -S <LDAP server:port>
          –   Treat a password passed on the command line with -p (or -d, below)
              as exposed: it is visible in the process list while namconfig runs
              and is saved in the shell history afterwards.
Configuration
     Command Line
     •   Namconfig
          –   Add
               >   -l <SSL port>

               >   -R <alternate LDAP server:port,alternate LDAP server:port>

               >   -y <proxy user fdn>

               >   -d <proxy user password>

Configuration
     Command Line
     •   namconfig (see the namconfig man page)
          –   namconfig add -a adminFDN -r base_context -w workstation_context [-o]
              -S servername[:port] [-l sslport] [-R server[:port],server[:port],...]
               >   Example: namconfig add -a cn=admin,o=novell -r ou=nam,o=novell
                   -w ou=ws,ou=nam,o=novell -S MYSERVER:389
               >   Example (secure LDAP): namconfig add -a cn=admin,o=novell -r ou=lum,o=novell
                   -w ou=ws,ou=nam,o=novell -S MYSERVER:389 -l 636
Configuration
     YaST on SUSE Linux Enterprise Desktop

     •   Security and Users
          –   Linux User Management
               >   Local or remote – which LDAP server LUM is going to use
               >   Directory server address – IP address (or DNS name) of the LDAP server
               >   Admin name with context (in LDAP format) – password
               >   Port details – clear-text and SSL ports of the LDAP server
               >   Linux/Unix config context – context in which to create the Unix config object
               >   LUM workstation context – context in which to create the Unix workstation object
               >   Proxy user name with context – password (optional) – if you want a specific
                   user to be the entity that performs the initial LDAP queries LUM makes
               >   Select PAM-enabled services to allow authentication via eDirectory, e.g.
                   login, sshd, su, gdm, xdm, etc.
Configuration
     YaST on Novell Open Enterprise Server 2

     •   Novell Open Enterprise Server
          –   OES Install and Configuration – downloads and checks the install files
               >   Shows a page of component patterns to install – select Linux User
                   Management
          –   Novell Open Enterprise Server Configuration
               >   See a list of all installed and/or to-be-configured OES components
               >   Linux User Management – configuration should be enabled; select to
                   configure
          –   Linux User Management – check the configuration if the fields have data
               >   Directory Server Address – LDAP server (pulled from the LDAP server
                   configuration)
               >   Unix Config context – context of the Unix config object
Configuration
     YaST on Novell Open Enterprise Server 2
               >   Unix Workstation context – context of the workstation object for this server
               >   Proxy user name with context – password
               >   Select services to LUM-enable for authentication via eDirectory
Installation Demo
Tuning and Parameters

     •   namconfig get (lists the configured parameters)
     •   namconfig set (sets a parameter)
          –   base-name (eDirectory context where LUM is installed)
          –   user-context (context for Unix users migrated to eDirectory)
          –   group-context (context for Unix groups migrated to eDirectory)
          –   admin-fdn (full context of the LDAP administrator)
          –   proxy-user-fdn (FDN of the bind user)
          –   proxy-user-pwd (password for the proxy user)
Tuning and Parameters

          –   alternative-ldap-server-list (List of servers to use after preferred)
          –   preferred-server (LDAP server w/ replica of base used in base-name)
          –   num-threads (Number of namcd worker threads)
          –   schema (Supported schema)
          –   enable-persistent-cache (Maintain local user/group cache)
          –   user-hash-size (Hash size for user persistent cache)
          –   group-hash-size (Hash size for group persistent cache)
          –   persistent-cache-refresh-period (Rate in seconds to refresh cached
              users / groups)
          –   persistent-cache-refresh-flag (Dictates whether to refresh all or
              accessed users/groups)
          –   create-home (Create user home directories if they don't exist locally)
Tuning and Parameters

          –   type-of-authentication (1 = simple authentication, 2 = SSL). With 1, the
              LDAP bind, including the proxy user's password, crosses the network in
              clear text on ldap-port
          –   certificate-file-type (format of the certificate file: der or base64)
          –   ldap-ssl-port (LDAP SSL port)
          –   ldap-port (LDAP port)
          –   support-alias-name (use of alias user/group objects)
          –   support-outside-base-context (access users/groups outside of
              base-context)
          –   cache-only (specify whether namcd should only use the cache instead
              of also querying LDAP)
          –   persistent-search (listen for change events in LDAP)
          –   case-sensitive (enable/disable case sensitivity for users/groups)
Tuning and Parameters - nam.conf
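An added example (not from the slides and not part of namconfig) that reads a nam.conf and flags the parameter values a security reviewer would question: clear-text LDAP authentication, a bind password kept in the file, lookups widened beyond base-name, a cache-only daemon that never sees eDirectory changes, and persistent search turned off. It assumes nam.conf is a plain key=value file using the parameter names listed above for `namconfig get` / `namconfig set`; SAMPLE_NAM_CONF, its addresses and DNs are constructed.

```python
"""Review a nam.conf for settings that weaken LUM's security posture.

Added example, not a Novell tool. Assumes /etc/nam.conf is a plain key=value
file keyed by the `namconfig get`/`namconfig set` parameter names; the
sample below is constructed, not copied from a real server.
"""


def parse_nam_conf(text):
    """Return {key: value} from key=value lines; comments and blanks are skipped.
    Only the first '=' splits, so values such as ou=lum,o=novell survive intact."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def lint_nam_conf(conf):
    """Return a list of (key, message) findings for a parsed nam.conf.
    Only values that are explicitly set are judged; defaults are not assumed."""
    findings = []
    if conf.get("type-of-authentication") != "2":
        findings.append(("type-of-authentication",
                         "not 2 (SSL): namcd binds to LDAP on ldap-port=%s in clear text, "
                         "exposing the proxy bind and user credentials on the wire"
                         % conf.get("ldap-port", "389")))
    if conf.get("proxy-user-pwd"):
        findings.append(("proxy-user-pwd",
                         "bind password stored in the file; keep nam.conf readable by root only"))
    if conf.get("support-outside-base-context", "").lower() == "yes":
        findings.append(("support-outside-base-context",
                         "namcd will resolve users/groups from anywhere in the tree, "
                         "not just below base-name=%s" % conf.get("base-name", "?")))
    if conf.get("cache-only", "").lower() == "yes":
        findings.append(("cache-only",
                         "namcd answers only from its persistent cache; account changes in "
                         "eDirectory are invisible until the cache is refreshed"))
    if conf.get("persistent-search", "").lower() == "no":
        findings.append(("persistent-search",
                         "disabled: cached users/groups only change on the "
                         "persistent-cache-refresh-period timer"))
    return findings


# Constructed sample; the addresses are documentation ranges, the DNs made up.
SAMPLE_NAM_CONF = """\
# constructed sample, not a real /etc/nam.conf
base-name=ou=lum,o=novell
admin-fdn=cn=admin,o=novell
proxy-user-fdn=cn=lumproxy,ou=lum,o=novell
proxy-user-pwd=Secret123
preferred-server=192.0.2.10
alternative-ldap-server-list=192.0.2.11:389
ldap-port=389
ldap-ssl-port=636
type-of-authentication=1
certificate-file-type=der
schema=rfc2307
support-alias-name=no
support-outside-base-context=yes
cache-only=no
persistent-search=yes
case-sensitive=no
enable-persistent-cache=yes
create-home=yes
"""

if __name__ == "__main__":
    for key, message in lint_nam_conf(parse_nam_conf(SAMPLE_NAM_CONF)):
        print("%s: %s" % (key, message))
```

The two findings that matter most are the first: a namconfig run with type-of-authentication=1 and a proxy user means the proxy password is both on disk and on the wire, so switching to 2 (with the exported .der certificate under /var/lib/novell-lum) and restricting the file are the first changes to make after installation.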
Troubleshooting

     •   Common issues
          –   namcd does not start or shows as not running
          –   The id command does not give the desired results
          –   Missing Mandatory Attribute error when adding a user to a
              Linux User Management group
          –   Linux User Management returns an invalid UID and GID for users
              and groups
          –   namuserlist fails to return proper values
          –   namcd indicates that a certificate is not found
          –   User cannot log in
          –   Password expiration information for the user is not available
          –   namcd does not come up after a system reboot
Troubleshooting

     •   Resources
          –   Log files
               >   /var/log/messages
               >   /var/lib/novell-lum
          –   LDAP trace
               >   ldapconfig set "LDAP Screen Level=all"
               >   Start ndstrace and enter: set ndstrace = +ldap, set ndstrace = +time,
                   set ndstrace = +tags, ndstrace file on, ndstrace screen on
               >   Duplicate the issue
               >   Type "ndstrace file off" at the ndstrace command prompt
               >   View the /var/opt/novell/eDirectory/log/ndstrace.log file
               >   Observe where the trace does not continue where it should
          –   Online documentation
               >   See page 149 of the online Novell Open Enterprise Server 2 documentation:
                   http://www.novell.com/documentation/oes2/pdfdoc/oes_implement_lx_nw/oes_implement_lx_nw.pdf
Troubleshooting
               Flow Chart

     Start: unable to log in as a LUM user.
     •   Does id <userid> work for the user that fails to log in?
          –   YES: Can any LUM users log in?
               >   YES: Check the user's password; check for duplicate userids.
               >   NO: Is the service in /etc/pam.d configured with pam_nam.so?
                   NO: Add pam_nam.so to the service per the example.
                   YES: Check the pam_nam.so module and /var/log/messages.
          –   NO: Does id <userid> return any LUM users?
               >   YES: Make sure <userid> is LUM-enabled and is a member of the
                   group associated with the workstation.
               >   NO: Is /etc/nsswitch.conf configured to use nam for passwd and group?
                   NO: Modify it per nsswitch.conf.nam and restart namcd.
                   YES: Is namcd running?
                        NO: Start namcd; check for cores if it does not stay running.
                        YES: Is namcd configured to use cache_only?
                             YES: Refresh the cache.
                             NO: Troubleshoot LDAP.
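The nsswitch.conf and /etc/pam.d questions in the chart can be answered from file contents alone. The following added example (not a Novell tool and not from the slides) encodes them: it parses /etc/nsswitch.conf to see whether passwd and group consult the nam source, parses a /etc/pam.d service file to see which management groups stack pam_nam.so, and returns the chart's next action for the name-resolution branch (id returns no LUM users) and the PAM branch (users resolve but nobody can log in). The sample file contents are constructed, and the requirement that pam_nam.so be stacked in both auth and account is an assumption of the example, not a statement on the slides.

```python
"""Checks for the name-resolution and PAM branches of the LUM login flow chart.

Added example, not a Novell tool. File contents are passed in as strings so
the checks run offline; the samples below are constructed. The rule that
pam_nam.so must appear in both the auth and account groups is our assumption.
"""
import re

NSS_DATABASES = ("passwd", "group")
# type control module [args]; bracketed control values ([success=1 ...]) are not handled
PAM_LINE = re.compile(r"^(auth|account|password|session)\s+(\S+)\s+(\S+)")


def nsswitch_sources(text):
    """Map each nsswitch.conf database to its ordered list of sources.
    Comments and blank lines are skipped; bracketed actions such as
    [NOTFOUND=return] are not sources and are dropped."""
    sources = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        sources[db.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return sources


def nsswitch_missing_nam(text):
    """Databases among passwd/group that never consult the nam source."""
    sources = nsswitch_sources(text)
    return [db for db in NSS_DATABASES if "nam" not in sources.get(db, [])]


def pam_nam_groups(text):
    """PAM management groups in a service file that stack pam_nam.so.
    '@include' lines and '-auth'-style optional lines are ignored."""
    groups = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = PAM_LINE.match(line)
        if match and match.group(3).rsplit("/", 1)[-1] == "pam_nam.so":
            groups.add(match.group(1))
    return groups


def resolution_step(nsswitch_text, namcd_running, cache_only):
    """Next action when id <userid> returns no LUM users at all."""
    missing = nsswitch_missing_nam(nsswitch_text)
    if missing:
        return ("Modify /etc/nsswitch.conf per /etc/nsswitch.conf.nam "
                "(nam missing for %s) and restart namcd" % ", ".join(missing))
    if not namcd_running:
        return "Start namcd (rcnamcd start); check for core files if it does not stay running"
    if cache_only:
        return "Refresh the namcd cache: with cache-only set, namcd never asks LDAP for unknown users"
    return "Troubleshoot LDAP: nsswitch.conf and namcd are fine, so the bind or search against eDirectory is failing"


def pam_step(pam_text):
    """Next action when LUM users resolve but none can log in through this service."""
    groups = pam_nam_groups(pam_text)
    wanted = {"auth", "account"}
    if not wanted <= groups:
        return ("Add pam_nam.so to the service per /etc/pam.d/pam_nam_sample "
                "(missing in: %s)" % ", ".join(sorted(wanted - groups)))
    return "Check the pam_nam.so module and /var/log/messages for the failing login"


GOOD_NSSWITCH = """\
# constructed sample /etc/nsswitch.conf
passwd: compat nam
group:  compat nam
hosts:  files dns
"""

BAD_NSSWITCH = """\
passwd: compat
group:  compat nam
"""

SSHD_PAM = """\
#%PAM-1.0  constructed sample /etc/pam.d/sshd
auth     sufficient  pam_nam.so
auth     required    pam_unix2.so
account  sufficient  pam_nam.so
account  required    pam_unix2.so
password required    pam_unix2.so
session  required    pam_unix2.so
"""

if __name__ == "__main__":
    print(resolution_step(BAD_NSSWITCH, namcd_running=True, cache_only=False))
    print(pam_step(SSHD_PAM))
```

On a real server, feed `open("/etc/nsswitch.conf").read()` and the relevant `/etc/pam.d/<service>` file to these functions and supply `namcd_running` from `rcnamcd status` and `cache_only` from `namconfig get`; the remaining chart steps (password, duplicate userids, LUM enablement, LDAP) need eDirectory and are left to the operator.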
Troubleshooting Demo
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.


General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.

Shining the Enterprise Light on Shades of Social
 
Accelerate to the Cloud
Accelerate to the CloudAccelerate to the Cloud
Accelerate to the Cloud
 
The New Business Value of Today’s Collaboration Trends
The New Business Value of Today’s Collaboration TrendsThe New Business Value of Today’s Collaboration Trends
The New Business Value of Today’s Collaboration Trends
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log Management
 
Iaas for a demanding business
Iaas for a demanding businessIaas for a demanding business
Iaas for a demanding business
 
Workload IQ: A Differentiated Approach
Workload IQ: A Differentiated ApproachWorkload IQ: A Differentiated Approach
Workload IQ: A Differentiated Approach
 
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...
 

What's LUM Got To Do with It: Deployment Considerations for Linux User Management on Novell Open Enterprise Server

  • 1. What's LUM Got To Do with It: Deployment Considerations for Linux User Management on Novell Open Enterprise Server®
    Arthur Nielson, Novell, Global Technical Support Engineer, anielson@novell.com
    Fred Patterson, Novell, Global Technical Support Engineer, fpatterson@novell.com
  • 2. Agenda
    • Benefits
    • Usability Demo
    • Architecture
    • Configuration
    • Installation Demo
    • Tuning and Parameters
    • Troubleshooting
    • Troubleshooting Demo
    2 © Novell, Inc. All rights reserved.
  • 3. Benefits: Gotta LUM it!
    • Administration
      – Using LUM and eDirectory™ to manage user login information eliminates the need to create local users in the /etc/passwd and /etc/shadow files on each Linux computer. It simplifies administration by consolidating user accounts and workstations into a central point of administration.
    • User Benefits
      – Users can log in to Linux computers by using access methods such as login, SSH, FTP, su, rsh, rlogin, xdm, and gdm. The user only needs to remember their user name and password. The context is not needed, as LUM will find the user in eDirectory.
  • 5. Architecture Overview (diagram)
    Management Workstation: iManager with the NAM on eDirectory™ Linux snapin
    Linux Workstation: telnet, login, ls, id; command line utilities, namconfig, pam_nam, nss_nam; LDAP client
    eDirectory Server: reached over LDAP/TCP
  • 6. Architecture Overview (diagram)
    The Source Workstation sends a login request (User: tom, Password: xxxx) to the Target Linux Workstation; LUM (nam.conf) resolves the UID, GID, Password, ... for the user from eDirectory.
    eDirectory objects involved:
      ● Linux/Unix Group Object: mkting, sales, linux, ...
      ● Linux/Unix User Object: Timi.mktg.novell, Toddp.dev.novell, Toml.sales.novell, ...
      ● Config Object
      ● Workstation Object: L/U Workstation_001, L/U Workstation_002, L/U Workstation_003, ...
  • 7. Architecture: Posix Account Schema
    • The RFC2307 schema
      – Adding the RFC2307 schema to the tree gives the group and user classes the attributes they need to work on Linux
      – The RFC2307 schema is extended when installing LUM
      – /var/lib/novell-lum/nam.ldif
      – http://www.ietf.org/rfc/rfc2307.txt
  • 8. Architecture: Posix Account Schema
    – Attributes
      > UamPosixWorkstationList
      > UamPosixWorkstationContexts
      > UamPosixSalt
      > UamPosixPAMServiceExcludeList
      > UidNumber
      > GidNumber
      > Gecos
      > HomeDirectory
      > LoginShell
      > ShadowLastChange
      > ShadowMin
      > ShadowMax
      > ShadowWarning
      > ShadowInactive
      > ShadowExpire
      > ShadowFlag
      > memberUid
  • 9. Architecture: Posix Account Schema
    – Classes
      > PosixAccount
      > ShadowAccount
      > PosixGroup
      > UamPosixWorkstation
      > UamPosixConfig
      > UamPosixUser
      > uamPosixGroup
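The attribute and class lists on slides 7 to 9 are exactly what nss_nam has to turn into passwd, shadow and group entries for the C library. The following Python is an added example, not code from the presentation or from Novell's LUM: it checks a user or group entry for the RFC 2307 mandatory attributes (the "Missing Mandatory Attribute" error on slide 28 is what you get when one is absent) and renders the lines that `id` and `getent` would show. The entries, UIDs and GIDs are constructed, and treating the uamPosix* classes as adding no further mandatory attributes is an assumption.

```python
"""Render LUM-enabled eDirectory entries as passwd/shadow/group lines after
checking the RFC 2307 mandatory attributes.

Added example, not Novell's code.  Class and attribute names are those of
RFC 2307 (posixAccount, shadowAccount, posixGroup); the entries below are
constructed dicts standing in for what an LDAP search would return.
"""

# RFC 2307 MUST attributes per object class.  Assumption: the Novell
# uamPosix* classes from the slides add no further mandatory attributes.
MUST = {
    "posixAccount": ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory"),
    "shadowAccount": ("uid",),
    "posixGroup": ("cn", "gidNumber"),
}


class MissingMandatoryAttribute(ValueError):
    """Mirrors the 'Missing Mandatory Attribute' error listed on slide 28."""


def check_mandatory(entry):
    """Raise if any MUST attribute of the entry's classes is absent or empty."""
    missing = []
    for cls in entry.get("objectClass", []):
        for attr in MUST.get(cls, ()):
            if not entry.get(attr):
                missing.append("%s requires %s" % (cls, attr))
    if missing:
        raise MissingMandatoryAttribute("; ".join(missing))


def first(entry, attr, default=""):
    """LDAP attributes are multi-valued; name services take the first value."""
    values = entry.get(attr) or []
    return values[0] if values else default


def passwd_line(entry):
    """name:x:uid:gid:gecos:home:shell, as `getent passwd` / `id` would see it.
    A non-numeric uidNumber/gidNumber raises ValueError, which is the kind of
    data that makes LUM return an invalid UID/GID (slide 28)."""
    check_mandatory(entry)
    uid = int(first(entry, "uidNumber"))
    gid = int(first(entry, "gidNumber"))
    if uid < 0 or gid < 0:
        raise ValueError("uidNumber/gidNumber must be non-negative integers")
    return ":".join([
        first(entry, "uid"), "x", str(uid), str(gid),
        first(entry, "gecos"), first(entry, "homeDirectory"),
        first(entry, "loginShell", "/bin/sh"),
    ])


def shadow_line(entry):
    """name:password:lastchg:min:max:warn:inactive:expire:flag.
    The password field is '*' on purpose: eDirectory, not a local hash,
    authenticates the user through pam_nam."""
    check_mandatory(entry)
    fields = [first(entry, "uid"), "*"]
    for attr in ("shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
                 "shadowInactive", "shadowExpire", "shadowFlag"):
        fields.append(first(entry, attr))
    return ":".join(fields)


def group_line(entry):
    """name:x:gid:member,member from a posixGroup's memberUid values."""
    check_mandatory(entry)
    return ":".join([first(entry, "cn"), "x", first(entry, "gidNumber"),
                     ",".join(entry.get("memberUid", []))])


# Constructed entries for the Toml.sales.novell user and the sales group
# from the architecture slide; all values are made up for this example.
TOML = {
    "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount", "uamPosixUser"],
    "cn": ["toml"], "uid": ["toml"],
    "uidNumber": ["1001"], "gidNumber": ["600"],
    "gecos": ["Tom L"], "homeDirectory": ["/home/toml"], "loginShell": ["/bin/bash"],
    "shadowLastChange": ["15000"], "shadowMax": ["90"], "shadowWarning": ["7"],
}
SALES = {
    "objectClass": ["groupOfNames", "posixGroup", "uamPosixGroup"],
    "cn": ["sales"], "gidNumber": ["600"], "memberUid": ["toml", "timi"],
}

if __name__ == "__main__":
    print(passwd_line(TOML))
    print(shadow_line(TOML))
    print(group_line(SALES))
```

Running it against a real tree would mean replacing the constructed dicts with the attributes returned by an LDAP search under the base context; the mandatory-attribute check is the part worth keeping, because it pinpoints which attribute a failing namuseradd or group membership change is missing.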
  • 10. Architecture: LUM Directory Objects Structure and Rights
    • Unix Config Object
      – Created by default in the context of the Admin user that is authenticated to the tree during the initial install of LUM
    • Unix Workstation Object
      – Created by default in the context of the NCP Server object
    • LUM-enabled User and Group Objects
      – These objects are no different from any other user or group, except that they have been provisioned with the needed Posix attributes
      – They can be located anywhere under the context where the Unix Config object is located
        > This is where [Public] is granted rights to the Posix-related attributes
  • 11. Architecture: [Public] ACL Rights
  • 12. Architecture: Unix Workstation ACL Rights
  • 13. Architecture: Files / Locations
    • Configuration file for LUM / namcd
      – /etc/nam.conf
    • Cache daemon
      – Communicates with eDirectory through LDAP. Caches users and groups on the local file system.
      – /etc/init.d/namcd – linked to /usr/sbin/rcnamcd
    • Name Services configuration sample
      – Example of how to configure name resolution in /etc/nsswitch.conf
      – /etc/nsswitch.conf.nam
    • Pluggable Authentication Module sample – PAM can be configured to work with LUM
      – /etc/pam.d/pam_nam_sample
  • 14. Architecture: Files / Locations
    • LUM PAM files
      – Modules that perform authentication
      – /lib/security/pam_nam.so, /lib/security/pam_nam.so.0
    • Name Services modules
      – Provide name resolution
      – /lib/libnss_nam.so, /usr/lib/libnss_nm.so
    • LUM Configuration
      – Program used to configure LUM
      – /usr/bin/namconfig
    • LUM Group and User Configuration
      – In /usr/bin: namgroupadd, namgroupdel, namgrouplist, namgroupmod, namuseradd, namuserdel, namuserlist, namusermod
  • 15. Architecture: Files / Locations
    • User Migration Tools
      – /usr/bin/unix2edir – Script to import users from /etc/passwd into eDirectory™
      – /usr/bin/nambulkadd – Script to LUM-enable defined eDirectory users
    • Exported eDirectory certificate
      – Used for SSL communication with NLDAP
      – /var/lib/novell-lum/<servername or ipaddress>.der
    • LUM configuration log
      – /var/lib/novell-lum/nam.log
    • LUM schema definitions
      – LDIF of the LUM schema modifications
      – /var/lib/novell-lum/nam.ldif
  • 16. Configuration: Command Line
    • Namconfig – Add
      > -a <admin fdn>
      > -p <password>
      > -r <base context>
      > -w <server / workstation context>
      > -o (used to overwrite existing NAM configuration)
      > -c (configure namcd with cache-only option)
      > -s <LDAP server:port>
  • 17. Configuration: Command Line
    • Namconfig – Add
      > -l <SSL port>
      > -R <alternate LDAP server:port,alternate LDAP server:port>
      > -y <proxy user fdn>
      > -d <proxy user password>
  • 18. Configuration: Command Line
    • Namconfig (see the man page for namconfig)
      – namconfig add -a adminFDN -r base_context -w workstation_context [-o] -S servername[:port] [-l sslport] [-R server[:port],server[:port],...]
        > Example: namconfig add -a cn=admin,o=novell -r ou=nam,o=novell -w ou=ws,ou=nam,o=novell -S MYSERVER:389
        > Example (secure LDAP): namconfig add -a cn=admin,o=novell -r ou=lum,o=novell -w ou=ws,ou=nam,o=novell -S MYSERVER:389 -l 636
  • 19. Configuration: YaST on SUSE® Linux Enterprise Desktop
    • Security and Users – Linux User Management
      > Local or remote – which LDAP server LUM is going to utilize
      > Directory server address – IP address (or DNS name) of the LDAP server
      > Admin name with context (in LDAP format) – Password
      > Port Details – clear text and SSL ports of the LDAP server
      > Linux/Unix config context – context in which to create the Unix config object
      > LUM workstation context – context in which to create the Unix workstation object
      > Proxy user name with context – password – (optional) – if you want a specific user to be the entity that performs the initial LDAP queries that LUM makes
      > Select PAM-enabled services to allow authentication via eDirectory™ – e.g. login, sshd, su, gdm, xdm, etc.
  • 20. Configuration: YaST on Novell Open Enterprise Server® 2
    • Novell Open Enterprise Server – OES Install and Configuration
      – Download, checks install files
        > Shows the page of component patterns to install – select Linux User Management
      – Novell Open Enterprise Server Configuration
        > Shows a list of all installed and/or to-be-configured OES components
        > Linux User Management – configuration should be enabled; select it to configure
      – Linux User Management – check whether the configuration fields have data
        > Directory Server Address – LDAP server (pulls info from the LDAP server config)
        > Unix Config context – context of the Unix config object
  • 21. Configuration: YaST on Novell Open Enterprise Server 2
        > Unix Workstation context – context of the workstation object for this server
        > Proxy User name with context – Password
        > Select services to LUM-enable for authentication via eDirectory
  • 23. Tuning and Parameters
    • Namconfig get (used to list configured parameters)
    • Namconfig set (used to set parameters)
      – base-name (eDirectory™ context where LUM is installed)
      – user-context (context for Unix users migrated to eDirectory)
      – group-context (context for Unix groups migrated to eDirectory)
      – admin-fdn (full context of the LDAP administrator)
      – proxy-user-fdn (FDN of the bind user)
      – proxy-user-pwd (password for the proxy user)
  • 24. Tuning and Parameters
      – alternative-ldap-server-list (list of servers to use after the preferred one)
      – preferred-server (LDAP server with a replica of the base used in base-name)
      – num-threads (number of namcd worker threads)
      – schema (supported schema)
      – support-outside-base-context (access users/groups outside of base-context)
      – cache-only (specify whether namcd should only use the cache instead of also querying LDAP)
      – persistent-search (used to listen for change events in LDAP)
      – case-sensitive (used to enable/disable case sensitivity for users/groups)
  • 25. Tuning and Parameters
      – alternative-ldap-server-list (list of servers to use after the preferred one)
      – preferred-server (LDAP server with a replica of the base used in base-name)
      – num-threads (number of namcd worker threads)
      – schema (supported schema)
      – enable-persistent-cache (maintain a local user/group cache)
      – user-hash-size (hash size for the user persistent cache)
      – group-hash-size (hash size for the group persistent cache)
      – persistent-cache-refresh-period (rate in seconds at which to refresh cached users/groups)
      – persistent-cache-refresh-flag (dictates whether to refresh all or only accessed users/groups)
      – create-home (create user home directories if they don't exist locally)
  • 26. Tuning and Parameters
      – type-of-authentication (1 – simple auth, 2 – SSL)
      – certificate-file-type (format of the certificate file – der or base64)
      – ldap-ssl-port (LDAP SSL port)
      – ldap-port (LDAP port)
      – support-alias-name (use of alias user/group objects)
      – support-outside-base-context (access users/groups outside of base-context)
      – cache-only (specify whether namcd should only use the cache instead of also querying LDAP)
      – persistent-search (used to listen for change events in LDAP)
      – case-sensitive (used to enable/disable case sensitivity for users/groups)
  • 27. Tuning and Parameters – nam.conf
  • 28. Troubleshooting
    • Common issues
      – namcd does not start or shows as not running
      – id command not giving the desired results
      – Missing Mandatory Attribute error when adding a user to a Linux User Management group
      – Linux User Management returns invalid UID and GID for users and groups
      – namuserlist fails to return proper values
      – namcd indicates that a certificate is not found
      – User cannot login
      – Password expiration information for the user is not available
      – namcd not coming up after a system reboot
  • 29. Troubleshooting
    • Resources
      – Log files
        > /var/log/messages
        > /var/lib/novell-lum
      – LDAP trace
        > ldapconfig set "LDAP Screen Level=all"
        > ndstrace, then at the ndstrace prompt: set ndstrace = +ldap | set ndstrace = +time | set ndstrace=+tags | ndstrace file on | ndstrace screen on
        > Reproduce the issue
        > Type "ndstrace file off" at the ndstrace command prompt
        > View the /var/opt/novell/eDirectory/log/ndstrace.log file
        > Observe where the trace does not continue where it should
      – Online documentation
        > See page 149 of the online Novell Open Enterprise Server® 2 documentation: http://www.novell.com/documentation/oes2/pdfdoc/oes_implement_lx_nw/oes_implement_lx_nw.pdf
  • 30. Troubleshooting Flow Chart
    Unable to login as LUM user
    • Does id <userid> work for the user that fails to login?
      – YES: Can any LUM users login?
        > YES: Check the user's passwd
        > NO: Is the service in /etc/pam.d configured with pam_nam.so?
          NO: Add pam_nam.so to the service per the example
          YES: Check the pam_nam.so module; check /var/log/messages
      – NO: Does id <userid> return any LUM users?
        > YES: Make sure <userid> is LUM enabled; check for duplicate userid's; make sure <userid> is a member of the group with the workstation
        > NO: Is /etc/nsswitch.conf configured to use nam for passwd & group?
          NO: Modify per nsswitch.conf.nam and restart namcd
          YES: Is namcd running?
            NO: Start namcd; check for cores if it doesn't stay running
            YES: Is namcd configured to use cache_only?
              YES: Refresh the cache
              NO: Troubleshoot LDAP
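The static branches of the flow chart (nsswitch.conf lists nam for passwd and group, the PAM service loads pam_nam.so, namcd is or is not cache-only) and the tuning parameters on slides 23 to 26 can be checked before anyone tries to log in. The following Python is an added example, not code from the presentation or from Novell: it reads constructed stand-ins for /etc/nam.conf, /etc/nsswitch.conf and /etc/pam.d/sshd and reports what the flow chart would send you to fix, plus the two settings with a security consequence that the slides mention, type-of-authentication (1 is a simple bind without SSL) and an unset proxy user (queries then rely on the rights granted to [Public]). Treating nam.conf as a plain `key=value` file is an assumption about its format; the sample values are made up.

```python
"""Static LUM readiness checks following the troubleshooting flow chart.

Added example, not Novell code.  Assumption: /etc/nam.conf is a plain
key=value file holding the parameters that namconfig get/set expose.
"""
import re

# Constructed sample files standing in for /etc/nam.conf, /etc/nsswitch.conf
# and /etc/pam.d/sshd on a server whose LUM setup was never finished.
SAMPLE_NAM_CONF = """\
base-name=ou=nam,o=novell
admin-fdn=cn=admin,o=novell
preferred-server=192.0.2.10
alternative-ldap-server-list=192.0.2.11
type-of-authentication=1
ldap-port=389
ldap-ssl-port=636
cache-only=no
enable-persistent-cache=yes
persistent-cache-refresh-period=28800
"""

SAMPLE_NSSWITCH = """\
passwd: files
group:  files nam
hosts:  files dns
"""

SAMPLE_PAM_SSHD = """\
#%PAM-1.0
auth     required  pam_unix2.so
account  required  pam_unix2.so
password required  pam_unix2.so
session  required  pam_unix2.so
"""


def parse_nam_conf(text):
    """Return nam.conf parameters as a dict; comments and blank lines ignored."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def check_nam_conf(params):
    """Findings derived from the tuning parameters on slides 23 to 26."""
    findings = []
    if params.get("type-of-authentication", "1") != "2":
        findings.append("type-of-authentication is not 2 (SSL): namcd binds to "
                        "LDAP with a simple bind, so bind credentials cross the wire unprotected")
    if not params.get("preferred-server"):
        findings.append("preferred-server is unset: namcd has no LDAP server to query")
    if params.get("cache-only", "no").lower() == "yes":
        findings.append("cache-only=yes: entries come from the local cache only; "
                        "refresh the cache before troubleshooting LDAP")
    if not params.get("proxy-user-fdn"):
        findings.append("proxy-user-fdn is unset: the initial LDAP queries rely on "
                        "the rights granted to [Public] on the Posix attributes")
    return findings


def check_nsswitch(text):
    """The flow chart's nsswitch test: passwd and group must list nam."""
    findings = []
    for db in ("passwd", "group"):
        m = re.search(r"^%s:\s*(.*)$" % db, text, re.MULTILINE)
        sources = m.group(1).split() if m else []
        if "nam" not in sources:
            findings.append("%s database does not list nam in nsswitch.conf; "
                            "apply /etc/nsswitch.conf.nam and restart namcd" % db)
    return findings


def check_pam_service(name, text):
    """The flow chart's PAM test: the service file must load pam_nam.so."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "pam_nam.so" in line.split():
            return []
    return ["/etc/pam.d/%s has no pam_nam.so line; add it per pam_nam_sample" % name]


def lum_readiness(nam_conf, nsswitch, pam_services):
    """Run every static check and return the list of findings (empty = ready)."""
    findings = check_nam_conf(parse_nam_conf(nam_conf))
    findings += check_nsswitch(nsswitch)
    for name, text in pam_services.items():
        findings += check_pam_service(name, text)
    return findings


if __name__ == "__main__":
    for finding in lum_readiness(SAMPLE_NAM_CONF, SAMPLE_NSSWITCH,
                                 {"sshd": SAMPLE_PAM_SSHD}):
        print("-", finding)
```

On a real server the three strings would be read from the files themselves; the checks deliberately cover only what can be decided from configuration, since whether namcd is running and whether LDAP answers are the dynamic steps the flow chart leaves to rcnamcd and ndstrace.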
  • 33. Unpublished Work of Novell, Inc. All Rights Reserved.
    This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
    General Disclaimer
    This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.