User story #3827
closedtechnique for authentication mechanisms
Added by Fabrice FLORE-THÉBAULT over 11 years ago. Updated almost 3 years ago.
Description
It would be nice to have a technique providing settings for authentification mechanisms.
Centos has a nice tool for that: authconfig-tui, which can be used either with ncurses interface, or with command line arguments.
Rudder could be a nice frontend to automate the usage of this tool, and provide some configuration gui.
Updated by Fabrice FLORE-THÉBAULT over 11 years ago
check status¶
The command output to analyse to see if something has to be done is:
authconfig --test
Example output (full):
authconfig --test caching is disabled nss_files is always enabled nss_compat is disabled nss_db is disabled nss_hesiod is disabled hesiod LHS = "" hesiod RHS = "" nss_ldap is enabled LDAP+TLS is disabled LDAP server = "ldap://ldap.domain.tld/" LDAP base DN = "dc=domain,dc=tld" nss_nis is disabled NIS server = "" NIS domain = "" nss_nisplus is disabled nss_winbind is disabled SMB workgroup = "WORKGROUP" SMB servers = "" SMB security = "user" SMB realm = "" Winbind template shell = "/bin/false" SMB idmap uid = "16777216-33554431" SMB idmap gid = "16777216-33554431" nss_sss is disabled by default nss_wins is disabled pam_unix is always enabled shadow passwords are enabled password hashing algorithm is md5 pam_krb5 is disabled krb5 realm = "EXAMPLE.COM" krb5 realm via dns is disabled krb5 kdc = "kerberos.example.com:88" krb5 kdc via dns is disabled krb5 admin server = "kerberos.example.com:749" pam_ldap is enabled LDAP+TLS is disabled LDAP server = "ldap://ldap.domain.tld/" LDAP base DN = "dc=domain,dc=tld" pam_pkcs11 is disabled use only smartcard for login is disabled smartcard module = "coolkey" smartcard removal action = "Ignorer" pam_smb_auth is disabled SMB workgroup = "WORKGROUP" SMB servers = "" pam_winbind is disabled SMB workgroup = "WORKGROUP" SMB servers = "" SMB security = "user" SMB realm = "" pam_sss is disabled by default pam_cracklib is enabled (try_first_pass retry=3) pam_passwdqc is disabled () pam_access is disabled () pam_mkhomedir is disabled () Always authorize local users is disabled () Authenticate system accounts against network services is disabled
execute command¶
All available options on centos 5:
authconfig --help usage: authconfig [options] <--update|--test|--probe> options: -h, --help show this help message and exit --enableshadow, --useshadow enable shadowed passwords by default --disableshadow disable shadowed passwords by default --enablemd5, --usemd5 enable MD5 passwords by default --disablemd5 disable MD5 passwords by default --passalgo=<descrypt|bigcrypt|md5|sha256|sha512> hash/crypt algorithm for new passwords --enablenis enable NIS for user information by default --disablenis disable NIS for user information by default --nisdomain=<domain> default NIS domain --nisserver=<server> default NIS server --enableldap enable LDAP for user information by default --disableldap disable LDAP for user information by default --enableldapauth enable LDAP for authentication by default --disableldapauth disable LDAP for authentication by default --ldapserver=<server> default LDAP server --ldapbasedn=<dn> default LDAP base DN --enableldaptls, --enableldapssl enable use of TLS with LDAP --disableldaptls, --disableldapssl disable use of TLS with LDAP --ldaploadcacert=<URL> load CA certificate from the URL --enablesmartcard enable authentication with smart card by default --disablesmartcard disable authentication with smart card by default --enablerequiresmartcard require smart card for authentication by default --disablerequiresmartcard do not require smart card for authentication by default --smartcardmodule=<module> default smart card module to use --smartcardaction=<0=Lock|1=Ignore> action to be taken on smart card removal --enablekrb5 enable kerberos authentication by default --disablekrb5 disable kerberos authentication by default --krb5kdc=<server> default kerberos KDC --krb5adminserver=<server> default kerberos admin server --krb5realm=<realm> default kerberos realm --enablekrb5kdcdns enable use of DNS to find kerberos KDCs --disablekrb5kdcdns disable use of DNS to find kerberos KDCs --enablekrb5realmdns enable use of DNS to find kerberos realms --disablekrb5realmdns disable use of DNS to find kerberos realms --enablesmbauth enable SMB authentication by default --disablesmbauth disable SMB authentication by default --smbservers=<servers> names of servers to authenticate against --smbworkgroup=<workgroup> workgroup authentication servers are in --enablewinbind enable winbind for user information by default --disablewinbind disable winbind for user information by default --enablewinbindauth enable winbind for authentication by default --disablewinbindauth disable winbind for authentication by default --smbsecurity=<user|server|domain|ads> security mode to use for samba and winbind --smbrealm=<realm> default realm for samba and winbind when security=ads --smbidmapuid=<lowest-highest> uid range winbind will assign to domain or ads users --smbidmapgid=<lowest-highest> gid range winbind will assign to domain or ads users --winbindseparator=<\> the character which will be used to separate the domain and user part of winbind-created user names if winbindusedefaultdomain is not enabled --winbindtemplatehomedir=</home/%D/%U> the directory which winbind-created users will have as home directories --winbindtemplateprimarygroup=<nobody> the group which winbind-created users will have as their primary group --winbindtemplateshell=</bin/false> the shell which winbind-created users will have as their login shell --enablewinbindusedefaultdomain configures winbind to assume that users with no domain in their user names are domain users --disablewinbindusedefaultdomain configures winbind to assume that users with no domain in their user names are not domain users --enablewinbindoffline configures winbind to allow offline login --disablewinbindoffline configures winbind to prevent offline login --winbindjoin=<Administrator> join the winbind domain or ads realm now as this administrator --enablewins enable wins for hostname resolution --disablewins disable wins for hostname resolution --enablepreferdns prefer dns over wins or nis for hostname resolution --disablepreferdns do not prefer dns over wins or nis for hostname resolution --enablehesiod enable hesiod for user information by default --disablehesiod disable hesiod for user information by default --hesiodlhs=<lhs> default hesiod LHS --hesiodrhs=<rhs> default hesiod RHS --enablesssd enable SSSD for user information by default with manually managed configuration --disablesssd disable SSSD for user information by default (still used for supported configurations) --enablesssdauth enable SSSD for authentication by default with manually managed configuration --disablesssdauth disable SSSD for authentication by default (still used for supported configurations --enablecache enable caching of user information by default --disablecache disable caching of user information by default --enablelocauthorize local authorization is sufficient for local users --disablelocauthorize authorize local users also through remote service --enablepamaccess check access.conf during account authorization --disablepamaccess do not check access.conf during account authorization --enablesysnetauth authenticate system accounts by network services --disablesysnetauth authenticate system accounts by local files only --enablemkhomedir create home directories for users on their first login --disablemkhomedir do not create home directories for users on their first login --nostart do not start/stop portmap, ypbind, and nscd --test do not update the configuration files, only print new settings --update, --kickstart opposite of --test, update configuration files with changed settings --updateall update all configuration files --probe probe network for defaults and print them
user interface¶
The interface should follow authconfig --help and authconfig-tui interface ...
For example for LDAP we need in the interface:
- Use LDAP for user information : yes/no
- Use LDAP for user authentication : yes/no
- LDAP server : <user input>
- Base DN : <user input>
- LDAP use TLS : yes/no
- Create user home directory at first login: yes/no
And the command to run should be then simething like:
authconfig --enableldap --enableldapauth --ldapserver=ldap.mydomain.tld --ldapbasedn="dc=mydomain,dc=tld" --disableldaptls --disablemkhomedir --updateall
Updated by Vincent MEMBRÉ over 11 years ago
- Status changed from New to Discussion
- Assignee set to Fabrice FLORE-THÉBAULT
- Target version set to Ideas (not version specific)
Nice specs, thanks Fabrice!
Do you have any ideas about what should be the behavior ?
Is there a package to install to use it ? is there a config file for it ?
Do we need other parameters than those you quoted in the third part ?
Updated by Fabrice FLORE-THÉBAULT over 11 years ago
- I guess the behaviour should be inspired from the behaviour of authconfig-tui which is the command commonly used in centos (as users have some habits with it).
- authconfig is part of standard centos base install, part of package
authconfig
.
- The parameters listed here are all the parameters documented in the help on centos 5 ; it may be different on centos 6, rhel or fedora.
Updated by Benoît PECCATTE over 9 years ago
- Assignee deleted (
Fabrice FLORE-THÉBAULT)
Updated by Alex Bron about 8 years ago
Is there any update on this idea? Although authconfig is a fairly Red Hat / Centos / Fedora specific thing, I would love to have it so I could deploy new machines and have them automatically adapt to the standard LDAP authentication mechanism. Although I'm totally new to technique creation, I am more than willing to help on the Red Hat specification side of things...
Updated by Alexis Mousset almost 3 years ago
This won’t be added to that technique, please use the technique editor for that. If you are missing some capabilities in it, please open a ticket for that need.
Updated by Alexis Mousset almost 3 years ago
- Status changed from Discussion to Rejected