First off, let me say I am not any kind of OpenLDAP guru. I came to Herman’s blog looking for help. I have been messing around with LDAP in many forms for a few years now, and have never really understood much about it. I could follow a tutorial, and sometimes get a working sign on system on one OS, but the idea of a single-sign-on authentication system always seemed out of my grasp. This stuff is not easy to understand. There’s a steep learning curve and I’m just rounding the corner of discovery, so go easy on me!
I’m a sys admin, and the idea of a single-sign-on system that allows you to maintain users for all OSes in one place is a shangri-la for me. As admins, we are a busy people. Adding users to groups and changing passwords in three places are not high on our priority lists. Anything that takes away maintenance responsibilities gives us more time to “work” on our current lan game championship. And that, of course, is time well spent.
Adding to my motivation is the current state of affairs at my shop. We use a patchwork of systems; Active directory with windows Unix Services to link users with an NIS server. The macs aren’t even on the domain. So if you want to add a new user, you need to create them in active directory, then go to the samba server and do a `smbpasswd -a`, then take note of their UID and GID and update those values in the Unix Services plugin in Active Directory. And the Macs need to be updated individually. It’s a mess. There’s lots of places for things to go wrong, and changes to users don’t get published when you change them in active directory, you have to manually push them out to the different servers.
I found out about OpenLDAP a few years ago and on my free time have tried to come up with (or…can you say Google?) a good solution to our work problems. I’ve had little bits of success, but without the boss actually behind me in these ventures it becomes tough to find the time. I found some time again recently and for the first time, with Herman’s help, a single-sign-on system is a reality (for me). I also must give tons of credit to this post on the Ubuntu forums. He gave me the building blocks to get the Samba side of things going.
I know there are plenty of people that have set up this kind of system before, but they never seem to share it in it’s entirety. I’m hoping to fill that gap. This system allows you to go to one machine to add a user, and as soon as you set a password, that user can log into any box on the domain, whether it is Linux, Mac or (god forbid) Windows. When you change the password, the change is instantly recognized on all systems. Permissions work seamlessly on shared resources…Samba, NFS, CVFS, etc. Also, because Herman spent the time to carefully set up all of the Mac specific attributes, you get to store all of the cool stuff that Open Directory contains.
It’s not quite right, but (I think) it is the foundation of a great system. I will try to write a nice installer like Herman has done with the changes/additions needed for this system.
Before I get into details (and because Im not prepared…) here’s an overview of what we will do.
Samba, Schemas and Pam
A few major things need to be added/changed in Herman’s setup to get the login system to work on Windows. (and Linux) The missing piece of software to allow this is Samba. We are going to set up Samba as a PDC (Primary Domain Controller) and have it use the same OpenLDAP directory data that we used for Herman’s all mac setup. Well, actually we will modify his installer script, and add/update a few schemas, so that when users are created, not only do they include the mandatory attributes for Mac, but they contain the mandatory attributes for authenticating against Samba. We will also set up PAM authentication for the server and Linux clients. Finally, once we get the directory up and running and Samba configured, we will modify the Smbldap-tools so that they add users with all of the needed objectClasses for all OSes.
Be back in a few days.