Ldap – Managing access to multiple linux system

groupshome-directoryldapuser-accountsuser-management

A searched for answers but have found nothing on here…

Long story short: a non-profit organization is in dire need of modernizing its infrastructure. First thing is to find an alternatives to managing user accounts on a number of Linux hosts.

We have 12 servers (both physical and virtual) and about 50 workstations. We have 500 potential users for these systems. The individual who built and maintained the systems over the years has retired. He wrote his own scripts to manage it all. It still works. No complaints there. However, a lot of the stuff is very manual and error-prone. Code is messy and after updates often needs to be tweaked. Worst part is there is little to no docs written. There are just a few ReadMe's and random notes which may or may not be relevant anymore. So maintenance has become a difficult task.

Currently accounts are managed via /etc/passwd on each system. Updates are distributed via cron scripts to correct systems as accounts are added on the "main" server. Some users have to have access to all systems (like a sysadmin account), others need access to shared servers, while others may need access to workstations or only a subset of those.

Is there a tool that can help us manage accounts that meets the following requirements?

Preferably open source (i.e. free as budget is VERY limited)
mainstream (i.e. maintained)
preferably has LDAP integration or could be made to interface with LDAP or AD service for user authentication (will be needed in the near future to integrate accounts with other offices)
user management (adding, expiring, removing, lockout, etc)
allows to manage what systems (or group of systems) each user has access to – not all users are allowed on all systems
support for user accounts that could have different homedirs and mounts available depending on what system they are logged into. For example
- sysadmin logged into "main" server has main://home/sysadmin/ as homedir and has all shared mounts
- sysadmin logged into staff workstations would have nas://user/s/sysadmin as homedir(different from above) and potentially limited set of mounts,
- a logged in client would have his/her homedir at different location and no shared mounts.
If there is an easy management interface that would be awesome.
And if this tool is cross-platform (Linux / MacOS / *nix), that will be a miracle!

I have searched the web and so have found nothing suitable. We are open to any suggestions. Thank you.

EDIT:
This question has been incorrectly marked as a duplicate. The linked to answer only talks about having same homedirs on all systems, whereas we need to have different homedirs based on what system user is currently logged into(MULTIPLE homedirs). Also access needs to be granted only to some machinees not the whole lot. Mods, please understand the full extent of the problem instead of merely marking it as duplicate for points…

Best Answer

FreeIPA is probably what you're looking for. It's to Linux what Active Directory is to Windows. (It can also talk to AD if you have a heterogeneous environment, but shouldn't be used to manage Windows machines directly. Use AD for that.)

Red Hat's documentation (they call it Identity Management) is very thorough and easy to follow, and should be mostly applicable even if you aren't using Red Hat-derived systems.

Related Solutions

Linux – Multiple login names for a single user in linux using LDAP server authentication

Agree with SLESKE but to expand on his/her comments, you need to do a couple things first!

In Linux, the libraries that control logging in need to be redirected to use an LDAP backend as oppose to looking things up in /etc/passwd.

If you are using OpenLDAP then you will want to look at two things:

NSCD (Name Server Caching Daemon) which caches the LDAP queries. You will run this on each host where users log in.

NSSLDAP (Name Server Switch for LDAP) this is the glue that causes logins to query NSCD, which in turn, will query LDAP backend or NSSLDAP will query LDAP backend directly if NSCD is stale or not available.

So on each workstation you will need to install OpenLDAP, NSCD, and NSSLDAP if not part of your distribution. OpenLDAP is required to get the client libraries which know how to speak LDAP protocol.

Then you need to make edits to some files:

/etc/nscd.conf This file controls what gets cached. Here is a dump from one of my systems that acts as a Samba server:

    enable-cache            passwd          yes
    positive-time-to-live   passwd          10
    negative-time-to-live   passwd          3
    suggested-size          passwd          211
    check-files             passwd          yes
    persistent              passwd          yes
    shared                  passwd          yes
    max-db-size             passwd          33554432
    auto-propagate          passwd          yes

    enable-cache            group           yes
    positive-time-to-live   group           3600
    negative-time-to-live   group           3
    suggested-size          group           211
    check-files             group           yes
    persistent              group           yes
    shared                  group           yes
    max-db-size             group           33554432
    auto-propagate          group           yes

    enable-cache            hosts           yes
    positive-time-to-live   hosts           3600
    negative-time-to-live   hosts           3
    suggested-size          hosts           211
    check-files             hosts           yes
    persistent              hosts           yes
    shared                  hosts           yes
    max-db-size             hosts           33554432

You'll then need to modify your nsswitch.ldap file (read the DOCs on it, too much to go into here).

ONE VERY IMPORTANT THING!!!!

If your LDAP server is down, you want to make sure the local root account can still log in. Or if one of your workstations is having network issues, you'll want to make sure that you can still log in.

So when my Linux boxes boot up, I have a script that always copies a nsswitch.conf file into place that looks as follows:

passwd: compat group: compat

hosts: files dns networks: files

services: files protocols: files rpc: files ethers: files netmasks: files netgroup: files bootparams: files

automount: files aliases: files

and once I'm ready to use LDAP for logins, I replace the nsswitch.conf file with the following:

passwd: files ldap group: files ldap shadow: files ldap

hosts: files dns networks: files

services: files protocols: files rpc: files ethers: files netmasks: files netgroup: files bootparams: files

automount: files aliases: files

The former allows me to login locally and the latter allows both but due to caching by NSCD, it takes time for NSCD to get stale thus causing login delays or issues.

There is much more to be said on this but this hopefully gets you started.

BTW: I'm the developer of Pozix Linux and the Pozix Linux Small Business Server and we have over 400 Samba systems running much this way!

Agreed, TRS80's comments are valid but here is a script we use to create LDIF files from /etc/passwd files. The resulting LDIF file can be used to populate your LDAP database. You'll need to make sure that if you run this script on multiple workstations that you weed out duplicate account names so that you wind up with unique account names with unique UIDs.

cat /etc/passwd | while read i; do
  uid=`echo $i | cut -d : -f 1`
  uidNumber=`echo $i | cut -d : -f 3`
  gidNumber=`echo $i | cut -d : -f 4`
  gecos=`echo $i | cut -d : -f 5`
  homeDirectory=`echo $i | cut -d : -f 6`
  loginShell=`echo $i | cut -d : -f 6`
  userPassword=`cat /etc/shadow | grep $uid | cut -d : -f 2`

  echo "dn: cn=$gecos,ou=people,dc=mycompany,dc=com"
  echo "objectClass: account"
  echo "objectClass: posixAccount"
  echo "cn: $gecos"
  echo "uid: $uid"
  echo "uidNumber: $uidNumber"
  echo "gidNumber: $gidNumber"
  echo "homeDirectory: $homeDirectory"
  echo "loginShell: $loginShell"
  echo "userPassword: $userPassword"

done

Windows – Restricting access to Share using both an AD user using a specific Computer

I don't believe there's any way to do this as you describe with native tools. NTFS (and share) permissions are assigned to a user, not to the computer that a user's network session is coming from. You could use IPSec or Windows Firewall on your Zeta server to only allow CIFS traffic to come from computer A, but then no other computers could connect to Zeta at all.

I think you're primarily out of luck. And it would be a big pain if computer A was re-imaged or got a new dynamic IP address or was simply retired. Why are you scared of computer B? It would generally already need to be in domain Alpha. And since you're allowing all kinds of network traffic between the domains anyway (I assume that they share a LAN?), you're not really preventing anything by your planned scheme that you wouldn't be vulnerable to anyway.

Best Answer

Related Solutions

Linux – Multiple login names for a single user in linux using LDAP server authentication

Windows – Restricting access to Share using both an AD user using a specific Computer

Related Topic