1. What's LUM Got To Do with It
Deployment Considerations for Linux User Management on
Novell® Open Enterprise Server
Arthur Nielson, Global Technical Support Engineer, Novell, anielson@novell.com
Fred Patterson, Global Technical Support Engineer, Novell, fpatterson@novell.com
2. Agenda
• Benefits
• Usability Demo
• Architecture
• Configuration
• Installation Demo
• Tuning and Parameters
• Troubleshooting
• Troubleshooting Demo
2 © Novell, Inc. All rights reserved.
3. Benefits
Gotta LUM it!
• Administration
– Using LUM and eDirectory™ to manage user login information
eliminates the need to create local users in the /etc/passwd
and /etc/shadow files on each Linux computer. It simplifies
administration by consolidating user accounts and workstations
into a central point of administration.
• User Benefits
– Users can log in to Linux computers by using access methods
such as login, SSH, FTP, su, rsh, rlogin, xdm, and gdm. The
user only needs to remember their user name and password.
The context is not needed, as LUM will find the user in
eDirectory.
5. Architecture
Overview
[Diagram: a Management Workstation running iManager with the NAM on eDirectory™ snap-in, a Linux Workstation (telnet, login, ls, id; pam_nam, nss_nam, namconfig and command line utilities on top of an LDAP client) and an eDirectory Server, all communicating over LDAP/TCP]
6. Architecture
Overview
[Diagram: a login request (User: tom, Password: xxxx) from a source workstation reaches LUM on the target Linux workstation, which consults nam.conf and eDirectory to obtain the user's UID, GID and password. eDirectory holds the Linux/Unix Config Object, Linux/Unix Workstation Objects (L/U Workstation_001, L/U Workstation_002, L/U Workstation_003, ...), Group Objects (mkting, sales, linux, ...) and User Objects (Timi.mktg.novell, Toddp.dev.novell, Toml.sales.novell, ...) carrying UID, GID and Password]
7. Architecture
Posix Account Schema
• The RFC2307 schema
– Adding the RFC2307 schema to the tree gives the group and
user classes the attributes they need to work on Linux
– The RFC2307 schema is extended when installing LUM
– /var/lib/novell-lum/nam.ldif
– http://www.ietf.org/rfc/rfc2307.txt
8. Architecture
Posix Account Schema
– Attributes
> UidNumber
> GidNumber
> Gecos
> HomeDirectory
> LoginShell
> ShadowLastChange
> ShadowMin
> ShadowMax
> ShadowWarning
> ShadowInactive
> ShadowExpire
> ShadowFlag
> memberUid
> UamPosixWorkstationList
> UamPosixWorkstationContexts
> UamPosixSalt
> UamPosixPAMServiceExcludeList
9. Architecture
Posix Account Schema
– Classes
> PosixAccount
> ShadowAccount
> PosixGroup
> UamPosixWorkstation
> UamPosixConfig
> UamPosixUser
> uamPosixGroup
10. Architecture
LUM Directory Objects Structure
and Rights
• Unix Config Object
– Created by default in the context of the Admin user that is
authenticated to the tree during the initial install of LUM
• Unix Workstation Object
– Created by default in the context of the NCP Server object
• LUM-enabled User and Group Objects
– These objects are no different from any other user or group
except that they have been provisioned with the needed Posix
attributes
– They can be located anywhere under the context of the Unix
Config object
> This is where [Public] is granted rights to the Posix-related attributes
11. Architecture
[Public] ACL rights
12. Architecture
Unix Workstation ACL Rights
13. Architecture
Files / Locations
• Configuration file for LUM / namcd
– /etc/nam.conf
• Cache daemon – Communicates with eDirectory
through LDAP. Caches users and groups on the local
file system.
– /etc/init.d/namcd – linked to /usr/sbin/rcnamcd
• Name Services configuration sample – example of how
to configure name resolution in the /etc/nsswitch.conf
– /etc/nsswitch.conf.nam
• Pluggable Authentication Module sample – example of how a
PAM service can be configured to work with LUM
– /etc/pam.d/pam_nam_sample
14. Architecture
Files / Locations
• LUM PAM files – Modules that perform authentication
– /lib/security/pam_nam.so, /lib/security/pam_nam.so.0
• Name Services modules – Provides name resolution
– /lib/libnss_nam.so, /usr/lib/libnss_nm.so
• LUM Configuration – Program used to configure LUM
– /usr/bin/namconfig
• LUM Group and User Configuration
– /usr/bin/: namgroupadd, namgroupdel, namgrouplist,
namgroupmod, namuseradd, namuserdel, namuserlist,
namusermod
15. Architecture
Files / Locations
• User Migrations Tools
– /usr/bin/unix2edir – Script to import users from /etc/passwd to eDirectory™
– /usr/bin/nambulkadd – Script to LUM-enable defined eDirectory users
• Exported eDirectory certificate – Used for SSL
communication with NLDAP
– /var/lib/novell-lum/<servername or ipaddress>.der
• LUM configuration log
– /var/lib/novell-lum/nam.log
• LUM schema definitions – LDIF of LUM schema
modifications
– /var/lib/novell-lum/nam.ldif
16. Configuration
Command Line
• Namconfig
– Add
> -a <admin fdn>
> -p <password>
> -r <base context>
> -w <server / workstation context>
> -o (used to overwrite existing NAM configuration)
> -c (configure namcd with cache-only option)
> -s <LDAP server:port>
17. Configuration
Command Line
• Namconfig
– Add
> -l <SSL port>
> -R <alternate LDAP server:port,alternate LDAP server:port>
> -y <proxy user fdn>
> -d <proxy user password>
18. Configuration
Command Line
• Namconfig (see MAN page for namconfig)
– namconfig add -a adminFDN -r base_context -w workstation_context [-o] -S servername[:port] [-l sslport] [-R server[:port],server[:port],...]
> Example: namconfig add -a cn=admin,o=novell -r ou=nam,o=novell -w ou=ws,ou=nam,o=novell -S MYSERVER:389
> Example (secure LDAP): namconfig add -a cn=admin,o=novell -r ou=lum,o=novell -w ou=ws,ou=nam,o=novell -S MYSERVER:389 -l 636
19. Configuration
YaST on SUSE® Linux Enterprise Desktop
• Security and Users
– Linux User Management
> Local or remote – which LDAP server LUM is going to utilize
> Directory server address – IP address (or DNS name) of the LDAP server
> Admin name with context (in LDAP format) – password
> Port details – clear text and SSL ports of the LDAP server
> Linux/Unix config context – context where the unix config object is created
> LUM workstation context – context where the unix workstation object is created
> Proxy user name with context – password – (optional) – if you want a specific
user to be the entity that does the initial LDAP queries that LUM performs
> Select PAM-enabled services to allow authentication via eDirectory™ – e.g.
login, sshd, su, gdm, xdm, etc.
20. Configuration
YaST on Novell® Open Enterprise Server 2
• Novell Open Enterprise Server
– OES Install and Configuration – download, checks install files
> Shows a page of component patterns to install – select Linux User
Management
– Novell Open Enterprise Server Configuration
> See a list of all installed and/or to-be-configured OES components
> Linux User Management – configuration should be enabled; select to
configure
– Linux User Management – check the configuration if the fields have
data
> Directory Server Address – LDAP server (pulls info from the LDAP server
config)
> Unix Config context – context of the unix config object
21. Configuration
YaST on Novell® Open Enterprise Server 2
> Unix Workstation context – context of the workstation object for this server
> Proxy user name with context – password
> Select services to LUM-enable for authentication via eDirectory
23. Tuning and Parameters
• Namconfig get (used to list configured parameters)
• Namconfig set (used to set parameters)
– Base-name (eDirectory™ context where LUM is installed)
– User-context (context for Unix users migrated to
eDirectory)
– Group-context (context for UNIX groups migrated to
eDirectory)
– admin-fdn (full context for the LDAP administrator)
– proxy-user-fdn (FDN of the bind user)
– proxy-user-pwd (password for the proxy user)
24. Tuning and Parameters
– alternative-ldap-server-list (list of servers to use after the preferred one)
– preferred-server (LDAP server with a replica of the base used in base-name)
– num-threads (number of namcd worker threads)
– schema (supported schema)
– support-outside-base-context (access users/groups outside of base-context)
– cache-only (specify whether namcd should only use the cache instead of also querying LDAP)
– persistent-search (used to listen for change events in LDAP)
– case-sensitive (used to enable/disable case sensitivity for users/groups)
25. Tuning and Parameters
– enable-persistent-cache (Maintain local user/group cache)
– user-hash-size (Hash size for user persistent cache)
– group-hash-size (Hash size for group persistent cache)
– persistent-cache-refresh-period (Rate in seconds to refresh cached
users / groups)
– persistent-cache-refresh-flag (Dictates whether to refresh all or
accessed users/groups)
– create-home (Create user home directories if they don't exist locally)
26. Tuning and Parameters
– type-of-authentication (1- simple auth, 2-SSL)
– certificate-file-type (Format for certificate file – der or base64)
– ldap-ssl-port (LDAP SSL port)
– ldap-port (LDAP port)
– support-alias-name (Use of alias user/groups objects)
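The following is an added example, not from the slides, that audits a nam.conf against the parameters listed on the Tuning and Parameters slides. It assumes /etc/nam.conf is one "key=value" per line with "#" comments and uses the namconfig get/set parameter names; confirm the layout against your own file.

```shell
# Added example (not from the slides): audit a nam.conf against the parameters
# listed above. Assumes /etc/nam.conf is one "key=value" per line with "#"
# comments, using the namconfig get/set names; confirm against your own file.

# nam_get FILE KEY: print the value of KEY, empty if unset.
nam_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# nam_conf_audit FILE: print one WEAK/WARN line per finding and a final
# "findings: N" line. Always exits 0 so it is safe in pipelines under set -e.
nam_conf_audit() {
    f=$1 n=0
    auth=$(nam_get "$f" type-of-authentication)
    if [ "$auth" != "2" ]; then   # 1 = simple bind, 2 = SSL (slide 26)
        echo "WEAK type-of-authentication=${auth:-unset}: proxy-user-pwd is sent to $(nam_get "$f" preferred-server) over clear-text port $(nam_get "$f" ldap-port); set 2 and ldap-ssl-port"
        n=$((n + 1))
    fi
    # nam.conf carries proxy-user-pwd, so group/other must not be able to read it.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "WEAK $f is readable by group/other but stores proxy-user-pwd"
        n=$((n + 1))
    fi
    if [ "$(nam_get "$f" cache-only)" = "yes" ]; then
        echo "WARN cache-only=yes: namcd never asks LDAP, so users disabled or removed in eDirectory keep resolving until the cache is refreshed"
        n=$((n + 1))
    fi
    if [ -z "$(nam_get "$f" alternative-ldap-server-list)" ]; then
        echo "WARN alternative-ldap-server-list is empty: every login depends on the single preferred-server"
        n=$((n + 1))
    fi
    echo "findings: $n"
}

# write_weak_sample: constructed nam.conf (not from a real system), mode 0644.
write_weak_sample() {
    f=$(mktemp) && chmod 644 "$f"
    cat >"$f" <<'EOF'
base-name=ou=nam,o=novell
preferred-server=MYSERVER
ldap-port=389
ldap-ssl-port=636
type-of-authentication=1
proxy-user-fdn=cn=lumproxy,ou=nam,o=novell
proxy-user-pwd=secret
cache-only=yes
EOF
    echo "$f"
}
```

Run it as `nam_conf_audit /etc/nam.conf` on a server; the constructed sample yields four findings.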
28. Troubleshooting
• Common issues
– namcd does not start or shows not running
– id command not giving the desired results
– Missing Mandatory Attribute Error When Adding a User to a
Linux User Management Group
– Linux User Management Returns Invalid UID and GID for Users
and Groups
– namuserlist fails to return proper values
– Namcd indicates that a certificate is not found
– User cannot login
– Password expiration information for the user is not available
– Namcd not coming up after a system reboot
29. Troubleshooting
• Resources
– Log files
> /var/log/messages
> /var/lib/novell-lum
– LDAP trace
> ldapconfig set "LDAP Screen Level=all"
> ndstrace, then at the ndstrace prompt: set ndstrace = +ldap, set ndstrace = +time, set ndstrace = +tags, ndstrace file on, ndstrace screen on
> Reproduce (duplicate) the issue
> Type "ndstrace file off" from the ndstrace command prompt
> View the /var/opt/novell/eDirectory/log/ndstrace.log file
> Observe where the trace does not continue where it should
– Online documentation
> See page 149 of the online Novell® Open Enterprise Server 2 documentation:
http://www.novell.com/documentation/oes2/pdfdoc/oes_implement_lx_nw/oes_implement_lx_nw.pdf
30. Troubleshooting
Flow Chart
Unable to login as LUM user
• Does id <userid> work for the user that fails to login?
– NO: Does id <userid> return any LUM users?
> NO: Is /etc/nsswitch.conf configured to use nam for passwd & group?
– NO: Modify per nsswitch.conf.nam and restart namcd
– YES: Is namcd running?
– NO: Start namcd; check for cores if it doesn't stay running
– YES: Is namcd configured to use cache_only?
– YES: Refresh cache
– NO: Troubleshoot LDAP
> YES: Make sure <userid> is LUM enabled; make sure <userid> is a member of the group with the workstation; check for duplicate userids
– YES: Is the service in /etc/pam.d configured with pam_nam.so?
> NO: Add pam_nam.so to the service per example
> YES: Can any LUM users login?
– NO: Check pam_nam.so module, /var/log/messages
– YES: Check user's passwd
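The following is an added example, not from the slides, that turns the flowchart's nsswitch and PAM decisions into shell checks. File paths are parameters so the checks run against the constructed samples in the block; on a server they would be /etc/nsswitch.conf and /etc/pam.d/<service>.

```shell
# Added example (not from the slides): the nsswitch and PAM decisions of the
# flowchart as shell checks. File paths are parameters so the checks run against
# the constructed samples below; on a server use /etc/nsswitch.conf and
# /etc/pam.d/<service>.

# nsswitch_uses_nam FILE: 0 when both the passwd: and group: lines list the
# nam source (as /etc/nsswitch.conf.nam does), 1 otherwise.
nsswitch_uses_nam() {
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]nam([[:space:]]|$)" "$1" || return 1
    done
}

# pam_service_uses_nam FILE: 0 when a non-comment line loads pam_nam.so.
pam_service_uses_nam() {
    grep -Eq '^[[:space:]]*[^#].*pam_nam\.so' "$1"
}

# lum_login_triage NSSWITCH PAMFILE: print the next step the flowchart gives.
lum_login_triage() {
    if ! nsswitch_uses_nam "$1"; then
        echo "nsswitch: add nam to passwd and group per /etc/nsswitch.conf.nam, then restart namcd"
    elif ! pam_service_uses_nam "$2"; then
        echo "pam: $2 does not load pam_nam.so; configure it per /etc/pam.d/pam_nam_sample"
    else
        echo "config ok: check id <userid>, that <userid> is LUM-enabled and in the workstation's group, that namcd is running, and /var/log/messages"
    fi
}

# write_sample NAME: write a constructed (not real) file and print its path.
write_sample() {
    f=$(mktemp)
    case $1 in
    nss-ok)  printf '%s\n' 'passwd: compat nam' 'group:  compat nam' 'hosts:  files dns' ;;
    nss-bad) printf '%s\n' 'passwd: compat' 'group:  compat' 'hosts:  files dns' ;;
    pam-ok)  printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_nam.so' 'auth required pam_unix2.so' ;;
    pam-bad) printf '%s\n' '#%PAM-1.0' '# auth sufficient pam_nam.so' 'auth required pam_unix2.so' ;;
    esac >"$f"
    echo "$f"
}
```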
33. Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.