User story #3827


technique for authentication mechanisms

Added by Fabrice FLORE-THÉBAULT almost 11 years ago. Updated over 2 years ago.



It would be nice to have a technique providing settings for authentication mechanisms.

CentOS has a nice tool for that: authconfig-tui, which can be used either with an ncurses interface, or with command line arguments.

Rudder could be a nice frontend to automate the usage of this tool, and provide some configuration gui.

#1

Updated by Fabrice FLORE-THÉBAULT almost 11 years ago

check status

The command output to analyse to see if something has to be done is:

authconfig --test

Example output (full):

authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = "" 
 hesiod RHS = "" 
nss_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://ldap.domain.tld/" 
 LDAP base DN = "dc=domain,dc=tld" 
nss_nis is disabled
 NIS server = "" 
 NIS domain = "" 
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "WORKGROUP" 
 SMB servers = "" 
 SMB security = "user" 
 SMB realm = "" 
 Winbind template shell = "/bin/false" 
 SMB idmap uid = "16777216-33554431" 
 SMB idmap gid = "16777216-33554431" 
nss_sss is disabled by default
nss_wins is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is md5
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM" 
 krb5 realm via dns is disabled
 krb5 kdc = "" 
 krb5 kdc via dns is disabled
 krb5 admin server = "" 
pam_ldap is enabled

 LDAP+TLS is disabled
 LDAP server = "ldap://ldap.domain.tld/" 
 LDAP base DN = "dc=domain,dc=tld" 
pam_pkcs11 is disabled

 use only smartcard for login is disabled
 smartcard module = "coolkey" 
 smartcard removal action = "Ignorer" 
pam_smb_auth is disabled
 SMB workgroup = "WORKGROUP" 
 SMB servers = "" 
pam_winbind is disabled
 SMB workgroup = "WORKGROUP" 
 SMB servers = "" 
 SMB security = "user" 
 SMB realm = "" 
pam_sss is disabled by default
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir is disabled ()
Always authorize local users is disabled ()
Authenticate system accounts against network services is disabled

execute command

All available options on centos 5:

authconfig --help
usage: authconfig [options] <--update|--test|--probe>

  -h, --help            show this help message and exit
  --enableshadow, --useshadow
                        enable shadowed passwords by default
  --disableshadow       disable shadowed passwords by default
  --enablemd5, --usemd5
                        enable MD5 passwords by default
  --disablemd5          disable MD5 passwords by default
                        hash/crypt algorithm for new passwords
  --enablenis           enable NIS for user information by default
  --disablenis          disable NIS for user information by default
  --nisdomain=<domain>  default NIS domain
  --nisserver=<server>  default NIS server
  --enableldap          enable LDAP for user information by default
  --disableldap         disable LDAP for user information by default
  --enableldapauth      enable LDAP for authentication by default
  --disableldapauth     disable LDAP for authentication by default
                        default LDAP server
  --ldapbasedn=<dn>     default LDAP base DN
  --enableldaptls, --enableldapssl
                        enable use of TLS with LDAP
  --disableldaptls, --disableldapssl
                        disable use of TLS with LDAP
                        load CA certificate from the URL
  --enablesmartcard     enable authentication with smart card by default
  --disablesmartcard    disable authentication with smart card by default
                        require smart card for authentication by default
                        do not require smart card for authentication by
                        default smart card module to use
                        action to be taken on smart card removal
  --enablekrb5          enable kerberos authentication by default
  --disablekrb5         disable kerberos authentication by default
  --krb5kdc=<server>    default kerberos KDC
                        default kerberos admin server
  --krb5realm=<realm>   default kerberos realm
  --enablekrb5kdcdns    enable use of DNS to find kerberos KDCs
  --disablekrb5kdcdns   disable use of DNS to find kerberos KDCs
  --enablekrb5realmdns  enable use of DNS to find kerberos realms
                        disable use of DNS to find kerberos realms
  --enablesmbauth       enable SMB authentication by default
  --disablesmbauth      disable SMB authentication by default
                        names of servers to authenticate against
                        workgroup authentication servers are in
  --enablewinbind       enable winbind for user information by default
  --disablewinbind      disable winbind for user information by default
  --enablewinbindauth   enable winbind for authentication by default
  --disablewinbindauth  disable winbind for authentication by default
                        security mode to use for samba and winbind
  --smbrealm=<realm>    default realm for samba and winbind when security=ads
                        uid range winbind will assign to domain or ads users
                        gid range winbind will assign to domain or ads users
                        the character which will be used to separate the
                        domain and user part of winbind-created user names if
                        winbindusedefaultdomain is not enabled
                        the directory which winbind-created users will have as
                        home directories
                        the group which winbind-created users will have as
                        their primary group
                        the shell which winbind-created users will have as
                        their login shell
                        configures winbind to assume that users with no domain
                        in their user names are domain users
                        configures winbind to assume that users with no domain
                        in their user names are not domain users
                        configures winbind to allow offline login
                        configures winbind to prevent offline login
                        join the winbind domain or ads realm now as this
  --enablewins          enable wins for hostname resolution
  --disablewins         disable wins for hostname resolution
  --enablepreferdns     prefer dns over wins or nis for hostname resolution
  --disablepreferdns    do not prefer dns over wins or nis for hostname
  --enablehesiod        enable hesiod for user information by default
  --disablehesiod       disable hesiod for user information by default
  --hesiodlhs=<lhs>     default hesiod LHS
  --hesiodrhs=<rhs>     default hesiod RHS
  --enablesssd          enable SSSD for user information by default with
                        manually managed configuration
  --disablesssd         disable SSSD for user information by default (still
                        used for supported configurations)
  --enablesssdauth      enable SSSD for authentication by default with
                        manually managed configuration
  --disablesssdauth     disable SSSD for authentication by default (still used
                        for supported configurations
  --enablecache         enable caching of user information by default
  --disablecache        disable caching of user information by default
  --enablelocauthorize  local authorization is sufficient for local users
                        authorize local users also through remote service
  --enablepamaccess     check access.conf during account authorization
  --disablepamaccess    do not check access.conf during account authorization
  --enablesysnetauth    authenticate system accounts by network services
  --disablesysnetauth   authenticate system accounts by local files only
  --enablemkhomedir     create home directories for users on their first login
  --disablemkhomedir    do not create home directories for users on their
                        first login
  --nostart             do not start/stop portmap, ypbind, and nscd
  --test                do not update the configuration files, only print new
  --update, --kickstart
                        opposite of --test, update configuration files with
                        changed settings
  --updateall           update all configuration files
  --probe               probe network for defaults and print them

user interface

The interface should follow authconfig --help and authconfig-tui interface ...

For example for LDAP we need in the interface:

  • Use LDAP for user information : yes/no
  • Use LDAP for user authentication : yes/no
  • LDAP server : <user input>
  • Base DN : <user input>
  • LDAP use TLS : yes/no
  • Create user home directory at first login: yes/no

And the command to run should then be something like:

authconfig --enableldap  --enableldapauth --ldapserver=ldap.mydomain.tld --ldapbasedn="dc=mydomain,dc=tld" --disableldaptls --disablemkhomedir --updateall
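As an added example (not part of the ticket, and not Rudder's or authconfig's own code): a Python sketch of the check-then-execute flow described in this comment. It parses `authconfig --test` output (a constructed, abridged copy of the example above), compares it with the LDAP form fields listed above, and builds a shell-quoted `authconfig` command from the flags already shown; the `DESIRED` keys and function names are assumptions.

```python
import re
import shlex

# Constructed, abridged sample of `authconfig --test` output (LDAP lines only).
SAMPLE_TEST_OUTPUT = """\
nss_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://ldap.domain.tld/"
 LDAP base DN = "dc=domain,dc=tld"
pam_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://ldap.domain.tld/"
 LDAP base DN = "dc=domain,dc=tld"
pam_mkhomedir is disabled ()
"""

def parse_authconfig_test(output):
    """Map `authconfig --test` output to {name: value}: booleans for
    'X is enabled/disabled' lines, strings for 'X = "value"' lines."""
    state = {}
    for line in output.splitlines():
        line = line.strip()
        m = re.match(r'^(.+?) is (?:always )?(enabled|disabled)\b', line)
        if m:
            state[m.group(1)] = m.group(2) == "enabled"
            continue
        m = re.match(r'^(.+?) = "(.*)"$', line)
        if m:
            state[m.group(1)] = m.group(2)
    return state

# Desired settings, one per field of the proposed LDAP form (assumed key names).
DESIRED = {
    "ldap_users": True, "ldap_auth": True, "ldap_tls": False,
    "ldap_server": "ldap://ldap.domain.tld/", "ldap_basedn": "dc=domain,dc=tld",
    "mkhomedir": True,
}

def is_compliant(state, desired):
    """True when the parsed state already matches the desired form values,
    so the technique can report compliance without running authconfig."""
    return (state.get("nss_ldap") is desired["ldap_users"]
            and state.get("pam_ldap") is desired["ldap_auth"]
            and state.get("LDAP+TLS") is desired["ldap_tls"]
            and state.get("LDAP server") == desired["ldap_server"]
            and state.get("LDAP base DN") == desired["ldap_basedn"]
            and state.get("pam_mkhomedir") is desired["mkhomedir"])

def build_command(desired):
    """Build the authconfig invocation; each argument is shell-quoted so a
    server URL or base DN containing spaces or quotes stays one argument."""
    def flag(on, name):
        return "--enable" + name if on else "--disable" + name
    args = ["authconfig", flag(desired["ldap_users"], "ldap"),
            flag(desired["ldap_auth"], "ldapauth"),
            "--ldapserver=" + desired["ldap_server"],
            "--ldapbasedn=" + desired["ldap_basedn"],
            flag(desired["ldap_tls"], "ldaptls"),
            flag(desired["mkhomedir"], "mkhomedir"), "--updateall"]
    return " ".join(shlex.quote(a) for a in args)
```

On a real host the output would come from running `authconfig --test` rather than the embedded sample, and the command would only be executed when `is_compliant` returns False.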

#2

Updated by Vincent MEMBRÉ almost 11 years ago

  • Status changed from New to Discussion
  • Assignee set to Fabrice FLORE-THÉBAULT
  • Target version set to Ideas (not version specific)

Nice specs, thanks Fabrice!

Do you have any ideas about what the behavior should be?

Is there a package to install to use it? Is there a config file for it?

Do we need other parameters than those you quoted in the third part?

#3

Updated by Fabrice FLORE-THÉBAULT almost 11 years ago

  • I guess the behaviour should be inspired by the behaviour of authconfig-tui, which is the command commonly used in CentOS (as users have some habits with it).
  • authconfig is part of the standard CentOS base install, in the package authconfig.
  • The parameters listed here are all the parameters documented in the help on CentOS 5; they may be different on CentOS 6, RHEL or Fedora.

#4

Updated by Benoît PECCATTE about 9 years ago

  • Assignee deleted (Fabrice FLORE-THÉBAULT)

#5

Updated by Alex Bron over 7 years ago

Is there any update on this idea? Although authconfig is a fairly Red Hat / Centos / Fedora specific thing, I would love to have it so I could deploy new machines and have them automatically adapt to the standard LDAP authentication mechanism. Although I'm totally new to technique creation, I am more than willing to help on the Red Hat specification side of things...

#6

Updated by Alexis Mousset over 2 years ago

This won’t be added to that technique, please use the technique editor for that. If you are missing some capabilities in it, please open a ticket for that need.

#7

Updated by Alexis Mousset over 2 years ago

  • Status changed from Discussion to Rejected
