
What's LUM Got To Do with It: Deployment Considerations for Linux User Management on Novell Open...

Date post: 31-May-2015
Upload: novell
Description:
LUM it or leave it! Join us in this session to explore the inner workings of Linux User Management. You'll learn about the architecture, configuration and implementation of Linux User Management on Novell Open Enterprise Server and SUSE Linux Enterprise Desktop. We'll also cover placement of LUM objects in a tree, services and tree design to enhance performance for LUM-enabled users, and LUM considerations when upgrading from NetWare to Linux.
Transcript
Page 1: What's LUM Got To Do with It: Deployment Considerations for Linux User Management on Novell Open Enterprise Server

What's LUM Got To Do with It: Deployment Considerations for Linux User Management on Novell® Open Enterprise Server

Arthur Nielson, Novell Global Technical Support Engineer, [email protected]

Fred Patterson, Novell Global Technical Support Engineer, [email protected]

Page 2

© Novell, Inc. All rights reserved.

Agenda

• Benefits

• Usability Demo

• Architecture

• Configuration

• Installation Demo

• Tuning and Parameters

• Troubleshooting

• Troubleshooting Demo

Page 3

Benefits: Gotta LUM it!

• Administration

– Using LUM and eDirectory™ to manage user login information eliminates the need to create local users in the /etc/passwd and /etc/shadow files on each Linux computer. It simplifies administration by consolidating user accounts and workstations into a central point of administration.

• User Benefits

– Users can log in to Linux computers by using access methods such as login, SSH, FTP, su, rsh, rlogin, xdm, and gdm. The user only needs to remember their user name and password. The context is not needed, as LUM will find the user in eDirectory.

Page 4

Usability Demo

Page 5

Architecture: Overview

[Diagram] Three hosts connected over LDAP/TCP:

• eDirectory Server – eDirectory™ (LDAP server)

• Management Workstation – iManager with the NAM on Linux snap-in

• Linux Workstation – LDAP client: pam_nam, nss_nam, namconfig and the command-line utilities, serving telnet, login, ls, id

Page 6

Architecture: Overview

[Diagram] Login flow: a login request (User: tom, Password: xxxx) from the source workstation reaches the target Linux workstation, where LUM, configured through nam.conf, resolves the user's UID, GID and password from eDirectory. Objects involved:

• Linux/Unix Config object – L/U Workstation_001, L/U Workstation_002, L/U Workstation_003, ...

• Linux/Unix Workstation object – mkting, sales, linux, ...

• Group object – Timi.mktg.novell, Toddp.dev.novell, Toml.sales.novell, ...

• User object – UID, GID, Password, ...

Page 7

Architecture: Posix Account Schema

• The RFC2307 schema

– Adding the RFC2307 schema to the tree gives the group and user classes the attributes they need in order to work on Linux

– The RFC2307 schema is extended when installing LUM

– /var/lib/novell-lum/nam.ldif

– http://www.ietf.org/rfc/rfc2307.txt

Page 8

Architecture: Posix Account Schema

– Attributes

> uidNumber
> gidNumber
> gecos
> homeDirectory
> loginShell
> shadowLastChange
> shadowMin
> shadowMax
> shadowWarning
> shadowInactive
> shadowExpire
> shadowFlag
> memberUid
> UamPosixWorkstationList
> UamPosixWorkstationContexts
> UamPosixSalt
> UamPosixPAMServiceExcludeList

Page 9

Architecture: Posix Account Schema

– Classes

> posixAccount
> shadowAccount
> posixGroup
> UamPosixWorkstation
> UamPosixConfig
> UamPosixUser
> uamPosixGroup
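The RFC 2307 classes above carry mandatory attributes, and a LUM-enabled user that lacks one of them is what the "Missing Mandatory Attribute" error under Troubleshooting refers to. The script below is an added example, not code from these slides or from Novell's LUM tools: it reads an LDIF export and reports every posixAccount entry that is missing one of the attributes RFC 2307 declares as MUST for posixAccount (cn, uid, uidNumber, gidNumber, homeDirectory). The sample LDIF, its tree o=novell and its user names are constructed; folded LDIF continuation lines are not handled.

```sh
#!/bin/sh
# Added example (not from the Novell slides): find posixAccount entries in an
# LDIF file that lack an attribute RFC 2307 marks as mandatory.

# Constructed sample LDIF: two users (one complete, one missing uidNumber) and
# one group. The tree o=novell and the names are hypothetical.
write_sample_ldif() {
  cat > "$1" <<'EOF'
dn: cn=toml,ou=sales,o=novell
objectClass: inetOrgPerson
objectClass: posixAccount
cn: toml
uid: toml
uidNumber: 1001
gidNumber: 600
homeDirectory: /home/toml
loginShell: /bin/bash

dn: cn=timi,ou=mktg,o=novell
objectClass: inetOrgPerson
objectClass: posixAccount
cn: timi
uid: timi
gidNumber: 600
homeDirectory: /home/timi

dn: cn=linux,ou=nam,o=novell
objectClass: posixGroup
cn: linux
gidNumber: 600
memberUid: toml
EOF
}

# check_posix_accounts FILE: print "<dn>: <missing attributes>" for each
# posixAccount entry that lacks a mandatory attribute; print nothing when all
# entries are complete. Attribute names are compared case-insensitively, as
# LDAP does. Entries are separated by blank lines (LDIF convention).
check_posix_accounts() {
  awk '
    function flush(   i, n, missing, req, k) {
      if (isposix) {
        missing = ""
        n = split("cn uid uidnumber gidnumber homedirectory", req, " ")
        for (i = 1; i <= n; i++)
          if (!(req[i] in seen)) missing = missing " " req[i]
        if (missing != "") print dn ":" missing
      }
      dn = ""; isposix = 0
      for (k in seen) delete seen[k]
    }
    /^[ \t]*$/ { flush(); next }   # blank line ends the current entry
    /^#/ { next }                  # LDIF comment
    {
      name = tolower($1); sub(/:$/, "", name)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val)
      if (name == "dn") dn = val
      else if (name == "objectclass" && tolower(val) == "posixaccount") isposix = 1
      seen[name] = 1
    }
    END { flush() }
  ' "$1"
}

# Usage: sh lum_ldif_check.sh users.ldif
if [ -n "${1:-}" ]; then check_posix_accounts "$1"; fi
```

Run it against an LDIF export of the LUM base context before bulk-enabling users; an empty result means every posixAccount entry satisfies the RFC 2307 MUST list.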

Page 10

Architecture: LUM Directory Objects Structure and Rights

• Unix Config Object

– It is created by default in the context of the Admin user who is authenticated to the tree during the initial install of LUM

• Unix Workstation Object

– Created by default in the context of the NCP Server object

• LUM-enabled User and Group Objects

– These objects are no different from any other user or group, except that they have been provisioned with the needed Posix attributes

– They can be located anywhere under the sub-context where the Unix Config object is located

> This is where [Public] is granted rights to the posix-related attributes

Page 11

Architecture: [Public] ACL Rights

Page 12

Architecture: Unix Workstation ACL Rights

Page 13

Architecture: Files / Locations

• Configuration file for LUM / namcd
– /etc/nam.conf

• Cache daemon – communicates with eDirectory through LDAP; caches users and groups on the local file system
– /etc/init.d/namcd – linked to /usr/sbin/rcnamcd

• Name Services configuration sample – example of how to configure name resolution in /etc/nsswitch.conf
– /etc/nsswitch.conf.nam

• Pluggable Authentication Module sample – PAM can be configured to work with LUM
– /etc/pam.d/pam_nam_sample

Page 14

Architecture: Files / Locations

• LUM PAM files – modules that perform authentication
– /lib/security/pam_nam.so, /lib/security/pam_nam.so.0

• Name Services modules – provide name resolution
– /lib/libnss_nam.so, /usr/lib/libnss_nm.so

• LUM Configuration – program used to configure LUM
– /usr/bin/namconfig

• LUM Group and User Configuration
– In /usr/bin: namgroupadd, namgroupdel, namgrouplist, namgroupmod, namuseradd, namuserdel, namuserlist, namusermod

Page 15

Architecture: Files / Locations

• User Migration Tools
– /usr/bin/unix2edir – script to import users from /etc/passwd to eDirectory™
– /usr/bin/nambulkadd – script to LUM-enable defined eDirectory users

• Exported eDirectory certificate – used for SSL communication with NLDAP
– /var/lib/novell-lum/<servername or ipaddress>.der

• LUM configuration log
– /var/lib/novell-lum/nam.log

• LUM schema definitions – LDIF of LUM schema modifications
– /var/lib/novell-lum/nam.ldif

Page 16

Configuration: Command Line

• Namconfig

– Add

> -a <admin fdn>

> -p <password>

> -r <base context>

> -w <server / workstation context>

> -o (used to overwrite existing NAM configuration)

> -c (configure namcd with cache-only option)

> -s <LDAP server:port>


Page 17

Configuration: Command Line

• Namconfig

– Add

> -l <SSL port>

> -R <alternate LDAP server:port,alternate LDAP server:port>

> -y <proxy user fdn>

> -d <proxy user password>

Page 18

Configuration: Command Line

• Namconfig (see the man page for namconfig)

– namconfig add -a adminFDN -r base_context -w workstation_context [-o] -S servername[:port] [-l sslport] [-R server[:port],server[:port],...]

> Example: namconfig add -a cn=admin,o=novell -r ou=nam,o=novell -w ou=ws,ou=nam,o=novell -S MYSERVER:389

> Example (secure LDAP): namconfig add -a cn=admin,o=novell -r ou=lum,o=novell -w ou=ws,ou=nam,o=novell -S MYSERVER:389 -l 636

Page 19

Configuration: YaST on SUSE® Linux Enterprise Desktop

• Security and Users
– Linux User Management

> Local or remote – which LDAP server LUM is going to use

> Directory server address – IP address (or DNS name) of the LDAP server

> Admin name with context (in LDAP format) – Password

> Port Details – clear-text and SSL ports of the LDAP server

> Linux/Unix config context – context in which to create the unix config object

> LUM workstation context – context in which to create the unix workstation object

> Proxy user name with context – password (optional) – if you want a specific user to be the entity that performs the initial LDAP queries that LUM makes

> Select PAM-enabled services to allow authentication via eDirectory™ – e.g. login, sshd, su, gdm, xdm, etc.

Page 20

Configuration: YaST on Novell® Open Enterprise Server 2

• Novell Open Enterprise Server
– OES Install and Configuration – downloads and checks the install files

> Shows the page of component patterns to install – select Linux User Management

– Novell Open Enterprise Server Configuration

> Shows a list of all installed and/or to-be-configured OES components

> Linux User Management – configuration should be enabled; select it to configure

– Linux User Management – check the configuration fields for data

> Directory Server Address – LDAP server (pulls info from the LDAP server config)

> Unix Config context – context of the unix config object

Page 21

Configuration: YaST on Novell® Open Enterprise Server 2

> Unix Workstation context – context of the workstation object for this server

> Proxy User name with context – Password

> Select services to LUM-enable for authentication via eDirectory

Page 22

Installation Demo

Page 23

Tuning and Parameters

• Namconfig get (used to list configured parameters)

• Namconfig set (used to set parameters)

– Base-name (eDirectory™ context where LUM is installed)

– User-context (Context for Unix users migrated to eDirectory)

– group-context (Context for UNIX groups migrated to eDirectory)

– admin-fdn (Full context for LDAP administrator)

– proxy-user-fdn (FDN of bind user)

– proxy-user-pwd (Password for proxy user)


Page 24

Tuning and Parameters

– alternative-ldap-server-list (List of servers to use after preferred)

– preferred-server (LDAP server w/ replica of base used in base-name)

– num-threads (Number of namcd worker threads)

– schema (Supported schema)

– support-outside-base-context (Access users/groups outside of base-context)

– cache-only (Specify whether namcd should only use cache instead of also querying LDAP)

– persistent-search (Used to listen for change events in LDAP)

– case-sensitive (Used to enable/disable case sensitivity for users/groups)


Page 25

Tuning and Parameters

– alternative-ldap-server-list (List of servers to use after preferred)

– preferred-server (LDAP server with a replica of the base used in base-name)

– num-threads (Number of namcd worker threads)

– schema (Supported schema)

– enable-persistent-cache (Maintain local user/group cache)

– user-hash-size (Hash size for user persistent cache)

– group-hash-size (Hash size for group persistent cache)

– persistent-cache-refresh-period (Rate in seconds to refresh cached users/groups)

– persistent-cache-refresh-flag (Dictates whether to refresh all or only accessed users/groups)

– create-home (Create user home directories if they don't exist locally)

Page 26

Tuning and Parameters

– type-of-authentication (1 – simple auth, 2 – SSL)

– certificate-file-type (Format for certificate file – der or base64)

– ldap-ssl-port (LDAP SSL port)

– ldap-port (LDAP port)

– support-alias-name (Use of alias user/group objects)

– support-outside-base-context (Access users/groups outside of base-context)

– cache-only (Specify whether namcd should only use cache instead of also querying LDAP)

– persistent-search (Used to listen for change events in LDAP)

– case-sensitive (Used to enable/disable case sensitivity for users/groups)

Page 27

Tuning and Parameters – nam.conf
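As an added example (not part of the slides or of Novell's namconfig), the script below reads a nam.conf in the key=value form that slide shows and flags the parameters from the two previous slides that matter most for security: type-of-authentication=1 means a simple bind over the clear-text ldap-port, a world-readable file exposes proxy-user-pwd, and case-sensitive=no, support-outside-base-context=yes and cache-only=yes widen who resolves or how fresh the answer is. The sample file, its addresses and contexts are constructed, and the yes/no spelling of the boolean values is an assumption.

```sh
#!/bin/sh
# Added example (not from the Novell slides): audit a nam.conf for settings
# that weaken the namcd <-> eDirectory link. Assumes key=value lines as in
# /etc/nam.conf and yes/no values for the boolean parameters.

# Constructed sample configuration: hypothetical addresses, contexts and a
# placeholder password.
write_sample_nam_conf() {
  cat > "$1" <<'EOF'
base-name=ou=nam,o=novell
admin-fdn=cn=admin,o=novell
proxy-user-fdn=cn=lumproxy,ou=nam,o=novell
proxy-user-pwd=PLACEHOLDER-secret
preferred-server=192.0.2.10
alternative-ldap-server-list=192.0.2.11:389,192.0.2.12:389
type-of-authentication=1
ldap-port=389
ldap-ssl-port=636
certificate-file-type=der
cache-only=no
persistent-search=yes
case-sensitive=no
support-outside-base-context=yes
EOF
}

# nam_get FILE KEY: print the value of KEY (first match), nothing if unset.
nam_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# audit_nam_conf FILE: print one line per finding. Always returns 0 so the
# caller can count the lines.
audit_nam_conf() {
  f=$1
  if [ "$(nam_get "$f" type-of-authentication)" = "1" ]; then
    echo "WARN type-of-authentication=1: simple bind on port $(nam_get "$f" ldap-port) sends the proxy/admin password and user data in cleartext; use 2 (SSL) with ldap-ssl-port and the exported eDirectory certificate"
  fi
  # find -perm -004 prints the path only if the 'others read' bit is set
  if [ -n "$(nam_get "$f" proxy-user-pwd)" ] && [ -n "$(find "$f" -perm -004)" ]; then
    echo "WARN proxy-user-pwd is stored in $f and the file is readable by others; chmod 600 it"
  fi
  if [ "$(nam_get "$f" case-sensitive)" = "no" ]; then
    echo "INFO case-sensitive=no: names differing only in case resolve to the same account, so check the tree for duplicate userids"
  fi
  if [ "$(nam_get "$f" support-outside-base-context)" = "yes" ]; then
    echo "INFO support-outside-base-context=yes: users and groups outside $(nam_get "$f" base-name) can resolve and log in; confirm that is intended"
  fi
  if [ "$(nam_get "$f" cache-only)" = "yes" ]; then
    echo "INFO cache-only=yes: namcd answers from the local cache only; changes made in eDirectory are not seen until the cache is refreshed"
  fi
  return 0
}

# Usage: sh lum_nam_audit.sh /etc/nam.conf
if [ -n "${1:-}" ]; then audit_nam_conf "$1"; fi
```

Running it on the sample produces two WARN and two INFO lines; on a production nam.conf the expected result is no WARN lines, with type-of-authentication=2 and the file owned by root with mode 600.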

Page 28

Troubleshooting

• Common issues
– namcd does not start or shows not running
– id command not giving the desired results
– Missing Mandatory Attribute error when adding a user to a Linux User Management group
– Linux User Management returns invalid UID and GID for users and groups
– namuserlist fails to return proper values
– namcd indicates that a certificate is not found
– User cannot login
– Password expiration information for the user is not available
– namcd not coming up after a system reboot

Page 29

Troubleshooting

• Resources
– Log files

> /var/log/messages

> /var/lib/novell-lum

– LDAP trace

> ldapconfig set "LDAP Screen Level=all"

> ndstrace, then at the ndstrace prompt: set ndstrace = +ldap; set ndstrace = +time; set ndstrace = +tags; ndstrace file on; ndstrace screen on

> Duplicate the issue

> Type "ndstrace file off" from the ndstrace command prompt

> View the /var/opt/novell/eDirectory/log/ndstrace.log file

> Observe where the trace does not continue where it should

– Online documentation

> See page 149 of the online Novell® Open Enterprise Server 2 documentation: http://www.novell.com/documentation/oes2/pdfdoc/oes_implement_lx_nw/oes_implement_lx_nw.pdf

Page 30

Troubleshooting: Flow Chart

Start: Unable to login as LUM user

• Does id <userid> return any LUM users?

– NO: Is /etc/nsswitch.conf configured to use nam for passwd & group?
> NO: Modify per nsswitch.conf.nam and restart namcd
> YES: Is namcd running?
    NO: Start namcd; check for cores if it doesn't stay running
    YES: Is namcd configured to use cache_only?
        YES: Refresh cache
        NO: Troubleshoot LDAP

– YES: Does id <userid> work for the user that fails to login?
> NO: Make sure <userid> is LUM enabled; make sure <userid> is a member of the group with the workstation
> YES: Is the service in /etc/pam.d configured with pam_nam.so?
    NO: Add pam_nam.so to the service per the example
    YES: Can any LUM users login?
        YES: Check the user's password; check for duplicate userids
        NO: Check the pam_nam.so module; /var/log/messages
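The script below is an added example, not from the slides: it turns the first branches of the flow chart into checks (nsswitch.conf listing nam for passwd and group, the PAM service file loading pam_nam.so, namcd running, id resolving the user) and prints the next step the chart prescribes. The file-based checks take a path so they can be exercised on copies of the configuration; the sample nsswitch and PAM lines are constructed, `rcnamcd status` is assumed to report whether the cache daemon is up (the init script the Files / Locations slide lists), and the service names login, sshd, su, gdm and xdm are those the YaST slide mentions.

```sh
#!/bin/sh
# Added example (not from the Novell slides): the troubleshooting flow chart
# as runnable checks for a LUM workstation.

# check_nsswitch FILE: succeed only if both the passwd and group lines in the
# nsswitch.conf at FILE list "nam" as a source (what nsswitch.conf.nam shows).
check_nsswitch() {
  awk '
    $1 == "passwd:" || $1 == "group:" {
      for (i = 2; i <= NF; i++) if ($i == "nam") found[$1] = 1
    }
    END { exit !(("passwd:" in found) && ("group:" in found)) }
  ' "$1"
}

# check_pam_service FILE: succeed if the PAM service file at FILE loads
# pam_nam.so on a line that is not commented out.
check_pam_service() {
  grep -v '^[[:space:]]*#' "$1" | grep -q 'pam_nam\.so'
}

# lum_diagnose USERID: walk the chart on the live system and print the next
# step. Assumes "rcnamcd status" exits 0 when namcd is running.
lum_diagnose() {
  user=$1
  if ! check_nsswitch /etc/nsswitch.conf; then
    echo "nsswitch.conf does not use nam for passwd and group: modify it per /etc/nsswitch.conf.nam and restart namcd"
    return 1
  fi
  if ! rcnamcd status >/dev/null 2>&1; then
    echo "namcd is not running: start it and check for cores if it does not stay running"
    return 1
  fi
  if ! id "$user" >/dev/null 2>&1; then
    echo "id $user fails: make sure $user is LUM-enabled and a member of a group listed on this workstation's Unix Workstation object; refresh the cache if cache-only is set, otherwise troubleshoot LDAP"
    return 1
  fi
  # Name resolution works, so the remaining suspects are the PAM stacks.
  rc=0
  for svc in login sshd su gdm xdm; do
    if [ -f "/etc/pam.d/$svc" ] && ! check_pam_service "/etc/pam.d/$svc"; then
      echo "/etc/pam.d/$svc does not load pam_nam.so: add it per /etc/pam.d/pam_nam_sample"
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "name service and PAM look right: check the user's password, duplicate userids, and /var/log/messages"
  return "$rc"
}

# Usage: sh lum_check.sh <userid>
if [ -n "${1:-}" ]; then lum_diagnose "$1"; fi
```

The checks deliberately ignore commented-out pam_nam.so lines, since a sample line copied from pam_nam_sample but left disabled is a common reason a service still authenticates only against local accounts.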

Page 31

Troubleshooting Demo

Page 32

Page 33

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

