What's LUM Got To Do with It Deployment Considerations for Linux User Management on Novell® Open Enterprise Server
Arthur NielsonNovellGlobal Technical Support [email protected]
Fred PattersonNovellGlobal Technical Support [email protected]
© Novell, Inc. All rights reserved.2
Agenda
• Benefits
• Usability Demo
• Architecture
• Configuration
• Installation Demo
• Tuning and Parameters
• Troubleshooting
• Troubleshooting Demo
© Novell, Inc. All rights reserved.3
• Administration
– Using LUM and eDirectory™ to manage user login information eliminates the need to create local users in the /etc/passwd and /etc/shadow files on each Linux computer. It simplifies administration by consolidating user accounts and workstations into a central point of administration.
• User Bennefits
– Users can login to Linux computers by using access methods such as login, SSH, FTP, su, rsh, rlogin, xdm, and gdm. The user only needs to remember their user name and password. The context is not needed as LUM will find the user in eDirectory.
BenefitsGotta LUM it!
Usability Demo
© Novell, Inc. All rights reserved.5
ArchitectureOverview
eDirectoryServer
ManagementWorkstation
LinuxWorkstation
eDirectory™
Server
iManager
NAM onLinux snapin
eDirectoryServer
LDAP Client
pam_nam nss_nam namconfig Commandline utilities
LDAP/TCP
telnet login ls id
© Novell, Inc. All rights reserved.6
ArchitectureOverview
Source WorkstationTarget LinuxWorkstation
Login RequestUser: tomPassword: xxxx
eDirectory
UIDGIDPassword...
nam.conf
LUM
Linux/UnixConfig Object● L/U Workstation_001● L/U Workstation_002● L/U Workstation_003 ...
Linux/UnixWorkstation Object● mkting● sales● linux ...
Group Object
● Timi.mktg.novell● Toddp.dev.novell● Toml.sales.novell ...
User Object
● UID● GID● Password ...
© Novell, Inc. All rights reserved.7
ArchitecturePosix Account Schema
• The RFC2307 schema
– Adding the RFC2307 schema to the tree allows for the group and user classes to obtain the needed attributes to be enabled to work on Linux
– The RFC2307 schema is extended when installing LUM
– /var/lib/novell-lum/nam.ldif
– http://www.ietf.org/rfc/rfc2307.txt
© Novell, Inc. All rights reserved.8
ArchitecturePosix Account Schema
– Attributes> UidNumber> GidNumber> Gecos> HomeDirectory> LoginShell> ShadowLastChange> ShadowMin> ShadowMax> ShadowWarning> ShadowInactive> ShadowExpire> ShadowFlag> memberUid
> UamPosixWorkstationList> UamPosixWorkstationContexts> UamPosixSalt> UamPosixPAMServiceExcludeList
© Novell, Inc. All rights reserved.9
ArchitecturePosix Account Schema
– Classes> PosixAccount> ShadowAccount> PosixGroup> UamPosixWorkstation> UamPosixConfig> UamPosixUser> uamPosixGroup
© Novell, Inc. All rights reserved.10
ArchitectureLUM Directory Objects Structureand Rights• Unix Config Object
– It is created by default in the context where the Admin user is located, which is currently authenticated to the tree during the initial install of LUM
• Unix Workstation Object– Created by default, in the context of the NCP Server object
• LUM-enabled User and Group Objects– These objects are no different than any other user or group
except for the fact that they have been provisioned with the needed Posix attributes
– They can be located anywhere under the sub context of where the Unix Config object is located
> This is where the public is granted rights to the posix related attributes
© Novell, Inc. All rights reserved.11
Architecture[Public] ACL rights
© Novell, Inc. All rights reserved.12
ArchitectureUnix Workstation ACL Rights
© Novell, Inc. All rights reserved.13
ArchitectureFiles / Locations
• Configuration file for LUM / namcd– /etc/nam.conf
• Cache daemon – Communicates with eDirectory through LDAP. Caches users and groups on the local file system.
– /etc/init.d/namcd –- linked to /usr/sbin/rcnamcd• Name Services configuration sample – example of how
to configure name resolution in the /etc/nsswitch.conf– /etc/nsswitch.conf.nam
• Pluggable Authentication Module can be configure to work with LUM.
– /etc/pam.d/pam_nam_sample
© Novell, Inc. All rights reserved.14
ArchitectureFiles / Locations
• LUM PAM files – Modules that perform authentication – /lib/security/pam_nam.so, /lib/security/pam_nam.so.0
• Name Services modules – Provides name resolution – /lib/libnss_nam.so, /usr/lib/libnss_nm.so
• LUM Configuration – Program used to configure LUM– /usr/bin/namconfig
• LUM Group and User Configuration– /usr/bin/.. namgroupadd, namgroupdel, namgrouplist,
namgroupmod, namuseradd, namuserdel, namuserlist, namusermod
© Novell, Inc. All rights reserved.15
ArchitectureFiles / Locations• User Migrations Tools
– /usr/bin/unix2edir - Script import users from /etc/passwd to eDirectory™
– /usr/bin/nambulkadd – Script to LUM enable defined eDirectory users
• Exported eDirectory certificate – Used to SSL communication with NLDAP
– /var/lib/novell-lum/servername or ipaddress.der
• LUM configuration log – /var/lib/novell-lum/nam.log
• LUM schema definitions – Ldif of LUM schema modifications
– /var/lib/novell-lum/nam.ldif
© Novell, Inc. All rights reserved.16
• Namconfig
– Add
> -a <admin fdn>
> -p <password>
> -r <base context>
> -w <server / workstation context>
> -o (used to overwrite existing NAM configuration)
> -c (configure namcd with cache-only option)
> -s <LDAP server:port>
ConfigurationCommand Line
© Novell, Inc. All rights reserved.17
ConfigurationCommand Line
• Namconfig
– Add
> -l <SSL port>
> -R <alternate LDAP server:port,alternate LDAP server:port>
> -y <proxy user fdn>
> -d <proxy user password>
© Novell, Inc. All rights reserved.18
ConfigurationCommand Line
• Namconfig (see MAN page for namconfig)
– namconfig add -a adminFDN -r base_context -w workstation_context [-o] -S servername [:port] [-l sslport] [-R server [:port],server [:port],...]
> Example: namconfig add -a cn=admin,o=novell -r ou=nam,o=novell -w ou=ws,ou=nam,o=novell -S MYSERVER:389
> Example (secure LDAP): namconfig add -a cn=admin,o=novell -r ou=lum,o=novell -w ou=ws,ou=nam,o=novell -S MYSERVER:389-l 636
© Novell, Inc. All rights reserved.19
ConfigurationYast on SUSE® Linux Enterprise Desktop
• Security and Users– Linux User Management
> Local or remote - which LDAP server is LUM going to utilize
> Directory server address - IP address (or DNS name) of the LDAP server
> Admin name with context (in LDAP format) -- Password
> Port Details - clear text and ssl ports of LDAP server
> Linux/Unix config context - conext of where to create the unix config object
> LUM workstation context – context of where to create the uxix workstation
> Proxy user name with context -- password - (optional) – If you want a specific user to be the entity that does the initial LDAP queries that LUM performs
> Select PAM-enabled services to allow authentication via eDirectory™ – eg. login, sshd, su, gdm, xdm, etc...
© Novell, Inc. All rights reserved.20
ConfigurationYast on Novell® Open Enterprise Server 2
• Novell Open Enterprise Server– OES Install and Configuration – Download, checks install files
> Shows page of component patterns to install – select Linux User Management
– Novell Open Enterprise Server Configuration> See a list of all installed and /or to be configured OES components> Linux User Management – configuration should be enabled , select to
configure
– Linux User management – Check configuration if fields have data
> Directory Server Address – LDAP Server (pulls info from LDAP server config)
> Unix Config context - Context of unix config object
© Novell, Inc. All rights reserved.21
> Unix Workstation context - context of the workstation object for this server> Proxy User name with context – Password> Select Services to LUM-enable for authentication via eDirectory
ConfigurationYast on Novell® Open Enterprise Server 2
Installation Demo
© Novell, Inc. All rights reserved.23
• Namconfig get (used to list configured parameters)• Namconfig set (used to set parameters)
– Base-name (eDirectory™ context where LUM is installed)
– User-context (Context for Unix users migrated to eDirectory)
– Greoup-context (context for UNIX groups migrated to eDirectory)
– admin-fdn (Full context for LDAP administrator)
– proxy-user-fdn (FDN of bind user)
– proxy-user-pwd (Password for proxy user)
Tuning and Parameters
© Novell, Inc. All rights reserved.24
– alternative-ldap-server-list (List of servers to use after preferred)
– preferred-server (LDAP server w/ replica of base used in base-name)
– num-threads (Number of namcd worker threads)
– schema (Supported schema)
– support-outside-base-context (Access users/groups outside of base-context)
– cache-only (Specify whether namcd should only use cache instead of also querying LDAP)
– persistent-search (Used to listen for change events in LDAP)
– case-sensitive (Used to enable/disable case sensitivity for users/groups)
Tuning and Parameters
© Novell, Inc. All rights reserved.25
– alternative-ldap-server-list (List of servers to use after preferred)– preferred-server (LDAP server w/ replica of base used in base-name)– num-threads (Number of namcd worker threads)– schema (Supported schema)– enable-persistent-cache (Maintain local user/group cache)– user-hash-size (Hash size for user persistent cache)– group-hash-size (Hash size for group persistent cache)– persistent-cache-refresh-period (Rate in seconds to refresh cached
users / groups)– persistent-cache-refresh-flag (Dictates whether to refresh all or
accessed users/groups)– create-home (Create user home directories if they don't exist locally)
Tuning and Parameters
© Novell, Inc. All rights reserved.26
– type-of-authentication (1- simple auth, 2-SSL)– certificate-file-type (Format for certificate file – der or base64)– ldap-ssl-port (LDAP SSL port)– ldap-port (LDAP port)– support-alias-name (Use of alias user/groups objects)– support-outside-base-context (Access users/groups outside of
base-context)– cache-only (Specify whether namcd should only use cache
instead of also querying LDAP)– persistent-search (Used to listen for change events in LDAP)– case-sensitive (Used to enable/disable case sensitivity for
users/groups)
Tuning and Parameters
© Novell, Inc. All rights reserved.27
Tuning and Parameters - nam.conf
© Novell, Inc. All rights reserved.28
Troubleshooting
• Common issues– namcd does not start or shows not running– ID Command Not Giving the Desired Results– Missing Mandatory Attribute Error When Adding a User to a
Linux User Management Group– Linux User Management Returns Invalid UID and GID for Users
and Groups– nameuserlist fails to return proper values– Namcd indicates that a certificate is not found– User cannot login– Password expiration information for the user is not available– Namcd not coming up after a system reboot
© Novell, Inc. All rights reserved.29
Troubleshooting
• Resources– Log files
> /var/log/messages
> /var/lib/novell-lum
– LDAP trace> ldapconfig set "LDAP Screen Level=all"
> Ndstrace | set ndstrace = +ldap | set ndstrace = +time | set ndstrace=+tags | ndstrace file on | ndstrace screen on
> Duplicate issue
> Type “ndstrace file off” from the ndstrace command prompt.
> View the /var/opt/novell/eDirectory/log/ndstrace.log file
> Observe where the trace does not continue where it should
– Online documentation> See page 149 of the online Novell® Open Enterprise Server 2 documentation:
http://www.novell.com/documentation/oes2/pdfdoc/oes_implement_lx_nw/oes_implement_lx_nw.pdf
© Novell, Inc. All rights reserved.30
TroubleshootingFlow Chart
Unable to login as LUM user
Does id <userid>return any LUM
users?NO
NO
Is /etc/nsswitch.confconfigured to use nam
for passwd & group
YES
Is namcd running?
Is namcd configured to use cache_only?
YES
TroubleshootLDAP
Modify per nsswitch.conf.namand restart namcd
Start namcdCheck for cores if itdoesn't stay running
Refresh cache
Does id <userid>work for the user that
fails to login?
Make sure <userid> isLUM enabled
Make sure <userid> is a member of the group with the workstation
Is the service in/etc/pam.d configuredwith the pam_nam.so?
Does id <userid>return any LUM
users?
YES
Can any LUM userslogin?
YES
Check user's passwdCheck for duplicate
userid's
Check pam_nam.so module
/var/log/messages
Add pam_nam.soper example to
the serviceNO NO
YESYES
NO
NO
YES
NO
YES
Troubleshooting Demo
Unpublished Work of Novell, Inc. All Rights Reserved.This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.