...
This section assumes that each component is already installed and configured for basic connectivity.
xxx set up enrollment flow, provisioner, set up unix server (ssh mod/config to read from ldap)
LDAP Server
The following schemas must be enabled on the LDAP server, if not already enabled:
- posixAccount (RFC 2307)
- ldapPublicKey (e.g. https://github.com/AndriiGrytsenko/openssh-ldap-publickey/blob/master/misc/openssh-lpk-openldap.schema)
COmanage
First, set up a suitable enrollment flow for onboarding participants. Various configurations are possible, but a typical configuration might be Self Signup With Approval:
- Petitioner Enrollment Authorization: Authenticated User
- Identity Matching: None
- Require Approval For Enrollment: Yes
- Email Confirmation Mode: Review
- Require Enrollee Authentication: Yes
- Notify On Approved Status: Yes
- Enrollment Attributes:
  - Name, Official, Organizational Identity, Copy To CO Person, Required
  - Email, Official, Organizational Identity, Required
  - Affiliation
  - Other attributes as desired
Next, configure identifier assignment. Because the Unix account provisioning support is currently experimental, it is necessary to use identifier assignment to set up some of the attributes used by the posixAccount schema. (It may be necessary to define some of these types as extended types before the identifier assignments can be configured.) Sample identifier assignments:
- uidNumber, minimum: 2000, format: (#)
- gidNumber: Use the same configuration as uidNumber (which means each user will get their own group; this is a requirement of the PoC implementation)
- homeDirectory: format: /home/(g:7)(#)
- uid: format: (g:7)(#)
Finally, configure a provisioning target using the LDAP provisioner. Enable both posixAccount and ldapPublicKey objectclasses, but be sure to read the notes in the documentation for considerations and restrictions.
Unix VM
Configure the VM to read account information from LDAP, according to the installed distribution and local requirements. Here are some pointers:
Only name service information should be collected via LDAP, as passwords will not be written to LDAP. (Make sure to have a way to log in as root and/or sudo, and test it before logging out.) Authentication will instead be handled by SSH public keys. Depending on the installed OpenSSH version, a helper script may or may not be required:
- https://github.com/AndriiGrytsenko/openssh-ldap-publickey
- https://linux.die.net/man/8/ssh-ldap-helper
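As an added example of the helper-script approach (not code from the COmanage project or either linked repository), the following AuthorizedKeysCommand helper looks up the sshPublicKey values that the LDAP provisioner wrote for a user and prints them in authorized_keys format; the LDAP URI and search base are assumed values, and the username whitelist matches the (g:7)(#) uid format above.

```shell
#!/bin/sh
# Added example (not from the COmanage project): an AuthorizedKeysCommand helper
# that returns the sshPublicKey values COmanage provisioned into LDAP for a user.
# The LDAP URI and search base below are assumed values; adjust for your site.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"
LDAP_BASE="${LDAP_BASE:-ou=people,dc=example,dc=org}"

# Only accept usernames made of the characters the uid format on this page
# produces; anything else (spaces, parentheses, '*') could alter the LDAP filter.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read LDIF on stdin and print one sshPublicKey value per line.
# LDIF folds long values onto continuation lines that start with a space,
# and stores values it cannot represent safely base64-encoded after '::'.
ldif_ssh_keys() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }   # continuation: append to previous
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        case "$line" in
            "sshPublicKey:: "*)
                printf '%s\n' "$(printf '%s' "${line#sshPublicKey:: }" | base64 -d)" ;;
            "sshPublicKey: "*)
                printf '%s\n' "${line#sshPublicKey: }" ;;
        esac
    done
}

# Query LDAP for the user's entry; require both objectclasses this page enables
# so that an entry lacking the posixAccount attributes yields no keys.
fetch_keys() {
    valid_user "$1" || return 1
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=posixAccount)(objectClass=ldapPublicKey)(uid=$1))" sshPublicKey \
        | ldif_ssh_keys
}

if [ -n "${1:-}" ]; then
    fetch_keys "$1"
fi
```

Wire it in with `AuthorizedKeysCommand /usr/local/sbin/ldap-ssh-keys %u` and `AuthorizedKeysCommandUser nobody` in sshd_config, and keep the script root-owned and not writable by others, since sshd refuses to run it otherwise.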
Usage
xxx enroll, upload ssh keys, login to VM
Resources
- Screencast demonstrating this pilot
- COmanage documentation