What's LUM Got To Do with It Deployment Considerations for Linux User Management on Novell® Open Enterprise Server Arthur Nielson Novell Global Technical Support Engineer [email protected]Fred Patterson Novell Global Technical Support Engineer [email protected]
33
Embed
What's LUM Got To Do with It: Deployment Considerations for Linux User Management on Novell Open Enterprise Server
LUM it or leave it! Join us in this session to explore the inner workings of Linux User Management. You'll learn about the architecture, configuration and implementation of Linux User Management on Novell Open Enterprise Server and SUSE Linux Enterprise Desktop. We'll also cover placement of LUM objects in a tree, services and tree design to enhance performance for LUM-enabled users, and LUM considerations when upgrading from NetWare to Linux.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
What's LUM Got To Do with It Deployment Considerations for Linux User Management on Novell® Open Enterprise Server
– Using LUM and eDirectory™ to manage user login information eliminates the need to create local users in the /etc/passwd and /etc/shadow files on each Linux computer. It simplifies administration by consolidating user accounts and workstations into a central point of administration.
• User Bennefits
– Users can login to Linux computers by using access methods such as login, SSH, FTP, su, rsh, rlogin, xdm, and gdm. The user only needs to remember their user name and password. The context is not needed as LUM will find the user in eDirectory.
– It is created by default in the context where the Admin user is located, which is currently authenticated to the tree during the initial install of LUM
• Unix Workstation Object– Created by default, in the context of the NCP Server object
• LUM-enabled User and Group Objects– These objects are no different than any other user or group
except for the fact that they have been provisioned with the needed Posix attributes
– They can be located anywhere under the sub context of where the Unix Config object is located
> This is where the public is granted rights to the posix related attributes
ConfigurationYast on SUSE® Linux Enterprise Desktop
• Security and Users– Linux User Management
> Local or remote - which LDAP server is LUM going to utilize
> Directory server address - IP address (or DNS name) of the LDAP server
> Admin name with context (in LDAP format) -- Password
> Port Details - clear text and ssl ports of LDAP server
> Linux/Unix config context - conext of where to create the unix config object
> LUM workstation context – context of where to create the uxix workstation
> Proxy user name with context -- password - (optional) – If you want a specific user to be the entity that does the initial LDAP queries that LUM performs
> Select PAM-enabled services to allow authentication via eDirectory™ – eg. login, sshd, su, gdm, xdm, etc...
ConfigurationYast on Novell® Open Enterprise Server 2
• Novell Open Enterprise Server– OES Install and Configuration – Download, checks install files
> Shows page of component patterns to install – select Linux User Management
– Novell Open Enterprise Server Configuration> See a list of all installed and /or to be configured OES components> Linux User Management – configuration should be enabled , select to
configure
– Linux User management – Check configuration if fields have data
> Directory Server Address – LDAP Server (pulls info from LDAP server config)
> Unix Config context - Context of unix config object
> Unix Workstation context - context of the workstation object for this server> Proxy User name with context – Password> Select Services to LUM-enable for authentication via eDirectory
ConfigurationYast on Novell® Open Enterprise Server 2
– alternative-ldap-server-list (List of servers to use after preferred)– preferred-server (LDAP server w/ replica of base used in base-name)– num-threads (Number of namcd worker threads)– schema (Supported schema)– enable-persistent-cache (Maintain local user/group cache)– user-hash-size (Hash size for user persistent cache)– group-hash-size (Hash size for group persistent cache)– persistent-cache-refresh-period (Rate in seconds to refresh cached
users / groups)– persistent-cache-refresh-flag (Dictates whether to refresh all or
accessed users/groups)– create-home (Create user home directories if they don't exist locally)
– type-of-authentication (1- simple auth, 2-SSL)– certificate-file-type (Format for certificate file – der or base64)– ldap-ssl-port (LDAP SSL port)– ldap-port (LDAP port)– support-alias-name (Use of alias user/groups objects)– support-outside-base-context (Access users/groups outside of
base-context)– cache-only (Specify whether namcd should only use cache
instead of also querying LDAP)– persistent-search (Used to listen for change events in LDAP)– case-sensitive (Used to enable/disable case sensitivity for
• Common issues– namcd does not start or shows not running– ID Command Not Giving the Desired Results– Missing Mandatory Attribute Error When Adding a User to a
Linux User Management Group– Linux User Management Returns Invalid UID and GID for Users
and Groups– nameuserlist fails to return proper values– Namcd indicates that a certificate is not found– User cannot login– Password expiration information for the user is not available– Namcd not coming up after a system reboot
Start namcdCheck for cores if itdoesn't stay running
Refresh cache
Does id <userid>work for the user that
fails to login?
Make sure <userid> isLUM enabled
Make sure <userid> is a member of the group with the workstation
Is the service in/etc/pam.d configuredwith the pam_nam.so?
Does id <userid>return any LUM
users?
YES
Can any LUM userslogin?
YES
Check user's passwdCheck for duplicate
userid's
Check pam_nam.so module
/var/log/messages
Add pam_nam.soper example to
the serviceNO NO
YESYES
NO
NO
YES
NO
YES
Troubleshooting Demo
Unpublished Work of Novell, Inc. All Rights Reserved.This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.