
User story #3827

closed

technique for authentication mechanisms

Added by Fabrice FLORE-THÉBAULT over 11 years ago. Updated almost 3 years ago.

Status: Rejected
Priority: N/A
Assignee: -
Category: Techniques
UX impact:
Suggestion strength:
User visibility:
Effort required:
Name check:
Fix check:
Regression:

Description

It would be nice to have a technique providing settings for authentication mechanisms.

CentOS has a nice tool for that: authconfig-tui, which can be used either with an ncurses interface or with command-line arguments.

Rudder could be a nice frontend to automate the usage of this tool and provide some configuration GUI.

Actions #1

Updated by Fabrice FLORE-THÉBAULT over 11 years ago

check status

The command output to analyse to see if something has to be done is:

authconfig --test

Example output (full):

authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = "" 
 hesiod RHS = "" 
nss_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://ldap.domain.tld/" 
 LDAP base DN = "dc=domain,dc=tld" 
nss_nis is disabled
 NIS server = "" 
 NIS domain = "" 
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "WORKGROUP" 
 SMB servers = "" 
 SMB security = "user" 
 SMB realm = "" 
 Winbind template shell = "/bin/false" 
 SMB idmap uid = "16777216-33554431" 
 SMB idmap gid = "16777216-33554431" 
nss_sss is disabled by default
nss_wins is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is md5
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM" 
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com:88" 
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com:749" 
pam_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://ldap.domain.tld/" 
 LDAP base DN = "dc=domain,dc=tld" 
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey" 
 smartcard removal action = "Ignorer" 
pam_smb_auth is disabled
 SMB workgroup = "WORKGROUP" 
 SMB servers = "" 
pam_winbind is disabled
 SMB workgroup = "WORKGROUP" 
 SMB servers = "" 
 SMB security = "user" 
 SMB realm = "" 
pam_sss is disabled by default
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir is disabled ()
Always authorize local users is disabled ()
Authenticate system accounts against network services is disabled

execute command

All available options on CentOS 5:

authconfig --help
usage: authconfig [options] <--update|--test|--probe>

options:
  -h, --help            show this help message and exit
  --enableshadow, --useshadow
                        enable shadowed passwords by default
  --disableshadow       disable shadowed passwords by default
  --enablemd5, --usemd5
                        enable MD5 passwords by default
  --disablemd5          disable MD5 passwords by default
  --passalgo=<descrypt|bigcrypt|md5|sha256|sha512>
                        hash/crypt algorithm for new passwords
  --enablenis           enable NIS for user information by default
  --disablenis          disable NIS for user information by default
  --nisdomain=<domain>  default NIS domain
  --nisserver=<server>  default NIS server
  --enableldap          enable LDAP for user information by default
  --disableldap         disable LDAP for user information by default
  --enableldapauth      enable LDAP for authentication by default
  --disableldapauth     disable LDAP for authentication by default
  --ldapserver=<server>
                        default LDAP server
  --ldapbasedn=<dn>     default LDAP base DN
  --enableldaptls, --enableldapssl
                        enable use of TLS with LDAP
  --disableldaptls, --disableldapssl
                        disable use of TLS with LDAP
  --ldaploadcacert=<URL>
                        load CA certificate from the URL
  --enablesmartcard     enable authentication with smart card by default
  --disablesmartcard    disable authentication with smart card by default
  --enablerequiresmartcard
                        require smart card for authentication by default
  --disablerequiresmartcard
                        do not require smart card for authentication by
                        default
  --smartcardmodule=<module>
                        default smart card module to use
  --smartcardaction=<0=Lock|1=Ignore>
                        action to be taken on smart card removal
  --enablekrb5          enable kerberos authentication by default
  --disablekrb5         disable kerberos authentication by default
  --krb5kdc=<server>    default kerberos KDC
  --krb5adminserver=<server>
                        default kerberos admin server
  --krb5realm=<realm>   default kerberos realm
  --enablekrb5kdcdns    enable use of DNS to find kerberos KDCs
  --disablekrb5kdcdns   disable use of DNS to find kerberos KDCs
  --enablekrb5realmdns  enable use of DNS to find kerberos realms
  --disablekrb5realmdns
                        disable use of DNS to find kerberos realms
  --enablesmbauth       enable SMB authentication by default
  --disablesmbauth      disable SMB authentication by default
  --smbservers=<servers>
                        names of servers to authenticate against
  --smbworkgroup=<workgroup>
                        workgroup authentication servers are in
  --enablewinbind       enable winbind for user information by default
  --disablewinbind      disable winbind for user information by default
  --enablewinbindauth   enable winbind for authentication by default
  --disablewinbindauth  disable winbind for authentication by default
  --smbsecurity=<user|server|domain|ads>
                        security mode to use for samba and winbind
  --smbrealm=<realm>    default realm for samba and winbind when security=ads
  --smbidmapuid=<lowest-highest>
                        uid range winbind will assign to domain or ads users
  --smbidmapgid=<lowest-highest>
                        gid range winbind will assign to domain or ads users
  --winbindseparator=<\>
                        the character which will be used to separate the
                        domain and user part of winbind-created user names if
                        winbindusedefaultdomain is not enabled
  --winbindtemplatehomedir=</home/%D/%U>
                        the directory which winbind-created users will have as
                        home directories
  --winbindtemplateprimarygroup=<nobody>
                        the group which winbind-created users will have as
                        their primary group
  --winbindtemplateshell=</bin/false>
                        the shell which winbind-created users will have as
                        their login shell
  --enablewinbindusedefaultdomain
                        configures winbind to assume that users with no domain
                        in their user names are domain users
  --disablewinbindusedefaultdomain
                        configures winbind to assume that users with no domain
                        in their user names are not domain users
  --enablewinbindoffline
                        configures winbind to allow offline login
  --disablewinbindoffline
                        configures winbind to prevent offline login
  --winbindjoin=<Administrator>
                        join the winbind domain or ads realm now as this
                        administrator
  --enablewins          enable wins for hostname resolution
  --disablewins         disable wins for hostname resolution
  --enablepreferdns     prefer dns over wins or nis for hostname resolution
  --disablepreferdns    do not prefer dns over wins or nis for hostname
                        resolution
  --enablehesiod        enable hesiod for user information by default
  --disablehesiod       disable hesiod for user information by default
  --hesiodlhs=<lhs>     default hesiod LHS
  --hesiodrhs=<rhs>     default hesiod RHS
  --enablesssd          enable SSSD for user information by default with
                        manually managed configuration
  --disablesssd         disable SSSD for user information by default (still
                        used for supported configurations)
  --enablesssdauth      enable SSSD for authentication by default with
                        manually managed configuration
  --disablesssdauth     disable SSSD for authentication by default (still used
                        for supported configurations
  --enablecache         enable caching of user information by default
  --disablecache        disable caching of user information by default
  --enablelocauthorize  local authorization is sufficient for local users
  --disablelocauthorize
                        authorize local users also through remote service
  --enablepamaccess     check access.conf during account authorization
  --disablepamaccess    do not check access.conf during account authorization
  --enablesysnetauth    authenticate system accounts by network services
  --disablesysnetauth   authenticate system accounts by local files only
  --enablemkhomedir     create home directories for users on their first login
  --disablemkhomedir    do not create home directories for users on their
                        first login
  --nostart             do not start/stop portmap, ypbind, and nscd
  --test                do not update the configuration files, only print new
                        settings
  --update, --kickstart
                        opposite of --test, update configuration files with
                        changed settings
  --updateall           update all configuration files
  --probe               probe network for defaults and print them

user interface

The interface should follow authconfig --help and authconfig-tui interface ...

For example for LDAP we need in the interface:

  • Use LDAP for user information : yes/no
  • Use LDAP for user authentication : yes/no
  • LDAP server : <user input>
  • Base DN : <user input>
  • LDAP use TLS : yes/no
  • Create user home directory at first login: yes/no

And the command to run should then be something like:

authconfig --enableldap  --enableldapauth --ldapserver=ldap.mydomain.tld --ldapbasedn="dc=mydomain,dc=tld" --disableldaptls --disablemkhomedir --updateall
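
The "check status" and "execute command" steps above describe a check-then-fix loop: read `authconfig --test`, compare it with the desired settings, and only run the update when they differ. The script below is an added example of that loop written as a POSIX shell script; it is not Rudder code and not from this ticket. It parses the `--test` output shown above, builds the remediation command from the flags listed in the `--help` output, and exercises itself on a constructed sample when `authconfig` is not installed. The desired server and base DN values, the helper names (`ac_module_state`, `ac_setting`, `ldap_in_sync`, ...) and the assumption that `--ldapserver` accepts the `ldap://host/` form reported by `--test` are all mine. Unlike the ticket's example command, it requires TLS (`--enableldaptls`), since a simple bind over plain `ldap://` sends user passwords in clear text, and it also flags the `md5` password hash reported in the sample, for which the help output offers `--passalgo=sha512`.

```shell
#!/bin/sh
# Added example (not Rudder's code, not from the ticket): idempotent
# check-then-fix wrapper around authconfig. Desired values are hypothetical.

WANT_LDAP_SERVER="ldap://ldap.mydomain.tld/"   # hypothetical value
WANT_LDAP_BASEDN="dc=mydomain,dc=tld"          # hypothetical value

# State word of a module line: "nss_ldap is enabled" -> "enabled",
# " LDAP+TLS is disabled" -> "disabled". $1 = --test output, $2 = module name.
ac_module_state() {
    printf '%s\n' "$1" | sed -n "s/^ *$2 is \([a-z]*\).*/\1/p" | head -n 1
}

# Quoted setting value: ' LDAP server = "ldap://x/" ' -> ldap://x/
# First match wins; the nss_ldap and pam_ldap sections repeat the same block.
ac_setting() {
    printf '%s\n' "$1" | sed -n "s/^ *$2 = \"\(.*\)\" *$/\1/p" | head -n 1
}

# Algorithm named on the "password hashing algorithm is ..." line.
ac_hash_algorithm() {
    printf '%s\n' "$1" | sed -n 's/^ *password hashing algorithm is \([a-z0-9]*\).*/\1/p' | head -n 1
}

# Returns 0 when every desired LDAP setting is already in place, 1 otherwise.
ldap_in_sync() {
    [ "$(ac_module_state "$1" nss_ldap)" = enabled ]              || return 1
    [ "$(ac_module_state "$1" pam_ldap)" = enabled ]              || return 1
    [ "$(ac_module_state "$1" 'LDAP+TLS')" = enabled ]            || return 1
    [ "$(ac_setting "$1" 'LDAP server')" = "$WANT_LDAP_SERVER" ]  || return 1
    [ "$(ac_setting "$1" 'LDAP base DN')" = "$WANT_LDAP_BASEDN" ] || return 1
    return 0
}

# Remediation command, built only from flags present in `authconfig --help`.
ldap_update_command() {
    printf 'authconfig --enableldap --enableldapauth --ldapserver=%s --ldapbasedn=%s --enableldaptls --updateall\n' \
        "$WANT_LDAP_SERVER" "$WANT_LDAP_BASEDN"
}

# Constructed sample, abridged from the ticket's example output, so the
# functions can be exercised on a host without authconfig installed.
SAMPLE_OUTPUT='caching is disabled
nss_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://ldap.domain.tld/"
 LDAP base DN = "dc=domain,dc=tld"
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is md5
pam_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://ldap.domain.tld/"
 LDAP base DN = "dc=domain,dc=tld"
pam_mkhomedir is disabled ()'

# Use the real tool when present, otherwise the constructed sample.
if command -v authconfig >/dev/null 2>&1; then
    CURRENT="$(authconfig --test)"
else
    CURRENT="$SAMPLE_OUTPUT"
fi

# The fix step is only reached when the check step reports drift.
if ldap_in_sync "$CURRENT"; then
    echo "LDAP settings already match; nothing to do"
else
    echo "drift detected; remediation would be: $(ldap_update_command)"
fi

# Separate hardening check on the local password hash.
case "$(ac_hash_algorithm "$CURRENT")" in
    sha256|sha512) echo "password hashing algorithm is acceptable" ;;
    *) echo "weak password hashing algorithm: $(ac_hash_algorithm "$CURRENT")" ;;
esac
```

Run as-is the script prints the remediation command instead of executing it; a technique would execute `ldap_update_command` and then re-run the check so the report reflects the post-update state. Keeping the check and the fix in separate functions is what makes repeated runs safe: a host that is already compliant never has its PAM and NSS files rewritten.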

Actions #2

Updated by Vincent MEMBRÉ over 11 years ago

  • Status changed from New to Discussion
  • Assignee set to Fabrice FLORE-THÉBAULT
  • Target version set to Ideas (not version specific)

Nice specs, thanks Fabrice!

Do you have any ideas about what the behavior should be?

Is there a package to install to use it? Is there a config file for it?

Do we need other parameters than those you quoted in the third part ?

Actions #3

Updated by Fabrice FLORE-THÉBAULT over 11 years ago

  • I guess the behaviour should be inspired by the behaviour of authconfig-tui, which is the command commonly used on CentOS (as users have some habits with it).
  • authconfig is part of the standard CentOS base install, in the package authconfig.
  • The parameters listed here are all the parameters documented in the help on CentOS 5; it may be different on CentOS 6, RHEL or Fedora.

Actions #4

Updated by Benoît PECCATTE over 9 years ago

  • Assignee deleted (Fabrice FLORE-THÉBAULT)

Actions #5

Updated by Alex Bron about 8 years ago

Is there any update on this idea? Although authconfig is a fairly Red Hat / CentOS / Fedora specific thing, I would love to have it so I could deploy new machines and have them automatically adapt to the standard LDAP authentication mechanism. Although I'm totally new to technique creation, I am more than willing to help on the Red Hat specification side of things...

Actions #6

Updated by Alexis Mousset almost 3 years ago

This won’t be added to that technique, please use the technique editor for that. If you are missing some capabilities in it, please open a ticket for that need.

Actions #7

Updated by Alexis Mousset almost 3 years ago

  • Status changed from Discussion to Rejected