Investigate moving to LDAP for user management

[broder]

Anyone who's involved in more than 2 crusty student groups starts getting punted from groups in Hesiod, and Murphy dictates that you get punted from the groups you want to key on for ACLs.

We should figure out something else to use as a group database (LDAP?), or what needs to be modified to make something else usable as a group database.

[jdreed]

From athena10[1715]:

I talked with Richard Edelson about this at the end of IAP. He said that as far as he knew, the LDAP servers definitely knew about moira GIDs, so it was probably a matter of just figuring out how to do it. So the next step is that some debathena-dev folks should find a time to sit down with Richard (and possibly a few other people) and hash out what Debathena needs and how we can get it. Bill and/or I can probably help with facilitating this meeting.

[broder]

I finally took a stab at the LDAP configuration. Here's what I have so far to add to /etc/ldap.conf:

host ldap-dev-1.mit.edu
ssl on
base dc=mit,dc=edu

pam_member_attribute member
nss_base_passwd ou=users,ou=moira,?one
nss_base_group ou=lists,ou=moira,?one
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member

It doesn't quite work, because nss_ldap tries to use a memberUid field in addition to the member field when querying group membership, and ldap-dev-1.mit.edu seems to reject any queries that include memberUid. I've e-mailed mark to ask if he can change that configuration.

[broder]

I've made some major progress on this by replacing "hesiod" with "ldap" in /etc/nsswitch.conf and using libnss-ldapd + nslcd instead of libnss-ldap.

Brief aside: libnss-ldap does NSS resolutions through LDAP by running the queries directly in the context of the user doing the NSS lookup. libnss-ldapd does NSS resolutions through LDAP by bouncing the queries off to a persistently running daemon, nslcd, which bounces the results back. nslcd does not do any caching of results - it leaves that responsibility to nscd.

The necessary configuration to nss-ldapd is very straightforward. Here's what needs to go into /etc/nss-ldapd.conf:

uri ldap://ldap-dev-1.mit.edu/
base dc=mit,dc=edu
scope one
base   group  ou=lists,ou=moira,dc=mit,dc=edu
base   passwd ou=users,ou=moira,dc=mit,dc=edu
tls_reqcert demand
filter passwd (objectClass=posixAccount)
filter group (&(objectClass=group)(gidNumber=*))
map group uniqueMember member
uid nslcd
gid nslcd

Right now, nss-ldapd works for passwd lookups:

root@login-test:~# getent passwd broder
broder:x:41803:65534:Evan Broder:/afs/athena.mit.edu/user/b/r/broder:/bin/athena/bash

However, mark reverted the change that allowed me to query membership and GIDs of NFS groups unauthenticated, so I can't do group lookups.

I can reconfigure nslcd to use my tickets, so I know it's possible to make it work.

However, it is slow - slow on the order of a several seconds to do all the necessary queries to handle a login. We need a caching solution, and nscd won't cut it. See also #486

[geofft]

We're not going to get this done by the end of IAP, since it requires a lot of work to make it sufficiently performant and a fair amount of testing.

[geofft]

ldap-dev-1 is firewalled from off-campus, which makes it effectively useless for private machines, laptops, etc. (In order for logins to work, the computer need to be able to get name service information before prompting the user for authentication...)

[andersk]

I think it’s dumb to firewall the LDAP servers from off campus; surely at least authenticated+encrypted access should be allowed. However, if that isn’t going to change, can we at least make sure that the firewall gracefully REJECTs packets instead of DROPping them on the floor, so that off-campus clients don’t hang waiting for a timeout?