-1

Hello or Good evening,

I actually work as a trainee for a small society and one of the improvement that they want, is to have a central authentication server. After some research, we chose to use UCS (Univention Corporate Server) which handle a lot of tools that they want to use in the future. And my problem begin here ...

I want to do a authentication at computer startup and only authentication, by my UCS (no roaming profile or else). I just need to get a ticket to allow the user to have a single sign on, on the intranet (to access NAS or cluster for example). I know that an LDAP server run on my UCS because when I use univention-ldapsearch, I can see a big file with a lot of information ... However, I don't know which LDAP server it is. I have kerberos v5, slapd, pam (maybe), so everything for an SSO and authenticate a user.

What they want to have is this :

--> When a user start a computer, they can connect with their login/password from everywhere.

--> The home directory have to stay ONLY on the main user computer. (so the fact that they can connect from everywhere is more for accessing to data in the intranet)

--> They can access, with SSO to all device (allowed for the user) in the intranet.

Now : I know :

 how to add a user / group. UCS is very user friendly for that, 

 that an LDAP server is running on UCS.

 that I have samba but i'm pretty sure I can do it without using it.

I don't know :

 how to set up the authentication at startup (nsss doesn't want to install on UCS and the documentation from UCS using PAM don't take missing files inside UCS -_- ...),

 Which LDAP server is running (not an openldap (no directory from them.)) 

 If it's possible to create (ONLY) if it's not the main user computer, an empty home directory and how.

I don't know if someone is familiar with this tech, I hope so because it's more like : "I need a tutorial" than "RTFD" where, a lot of point are missing.

I prefer to specify that we don't have an heterogeneous network, all computer are linux based.

If someone can help me, Please, I spent the day trying to do one startup connection and nothing ... (I can connect from a browser but it's just to change password. And we really need a central authentication).

Thank's in advance,

Regards.

Black Butterfly
  • 329
  • 2
  • 8

1 Answers1

-1

Hello Black Butterfly,

I am working at Univention and know that UCS is quite versatile, so you can connect pretty much any box to it.

UCS comes with OpenLDAP and Kerberos which are closely connected (and even the PAM-Stack uses Kerberos in the end). The important part to know is, that OpenLDAP is running on ports 7389 (LDAP with StartTLS) and 7636 (LDAPS). Samba/AD is optional and "only" needed if you have Windows(-like) clients. But since you said that you only have Linux boxes, you don't need Samba/AD.

Now, if you want to connect Linux/Unix-like clients to UCS, you will have to ... 1. create a computer object for the client in the UCS LDAP/management system. There's a webmodule for that: http://docs.software-univention.de/manual-4.1.html#computers::hostaccounts 2. configure the client: - use UCS as nameserver - use UCS as timeserver - configure the LDAP-client to use UCS as LDAP-Directory server - configure the Kerberos-client to use UCS as KDC/Kerberos-Realm - use some kind of identity/group caching and bridging software like NSS and/or SSSD

Unfortunately every Linux distro behaves differently regarding the nitty-gritty details. There is a straight forward tutorial on how to do this with Ubuntu - it's mostly copy&paste: http://docs.software-univention.de/domain-4.1.html#ext-dom-ubuntu What Linux distro(s) are you using at your organisation for the Linux clients? Maybe I can give you better advice if I know.

Regarding home directories: Do I understand correctly, that you don't want "Roaming Profiles" or shared home directories? That would be the default.

For further advice, you can also always refer to the Univention forum.

Maren Abatielos
  • 1
  • 1
  • Please declare your affiliation with Univention. – ChrisF Apr 21 '16 at 08:09
  • Hi, Thank's for the answer. I'll try this when I'll be done with docker and registry sharing... But yes, you understood right. I don't want/need roaming profile. In fact, I need something like : If the user connect with his workstation (I can add his computer to UCS I saw), I don't create nothing. I just wanna authenticate him. In the case that he connect to another computer (usually that will be admin for debug or add right for example), I just need that the session work the time he need to do what he want. I can say : "Go as guest and connect to UCS by browser", but they don't want that :/ – Black Butterfly Apr 22 '16 at 06:40
  • As to "If the user connect with his workstation [...] I don't create nothing. I just wanna authenticate him." If you integrated the workstation into the UCS domain before correctly (as described in http://docs.software-univention.de/domain-4.1.html), you're fine. You don't need to create anything, authentication will work. As to "In the case that he connect to another computer ..., I just need that the session work the time he need to do what he want." Same requirements here, the other computer needs to be integrated into the UCS domain, too. Hope to have been of help. – Maren Abatielos May 02 '16 at 08:11