[OpenAFS] Authorization Setup for AFS?

Peter Popovics pop@dtv.dk
Fri, 23 Feb 2001 22:44:34 +0100

We were running the nss_ldap library: (http://www.padl.com/nss_ldap.html)
there is an opportunity to dispatch all the name lookups to an external
library in /etc/nsswitch.conf. I wouldn't go in details here, but this seems
to be extremly slow... Just imagine, when starting X, and all tohose stupid
Gnome applications were doing different name lookups... It was around 10-20
calls to the LDAP server. This case you should also consider to tunnel LDAP
queries into a secure chanel - we have done this using stunnel. It was
working, but the realiability and speed was quite weak... The LDAP server
setup is quite easy, and there is also a script converting existing name
files into an LDAP database.

The way we are doing this now:

- we have written a synchronization script, which queries LDAP at each
system startup to fetch /etc/passwd and /etc/group entries. We are also
storing the CellServDB entries in LDAP (??? Is there any standard to do
this? How we did was:

afscell=cell.name, ou=Misc, o=dtv, c=dk
description=CELL Description
afscell=cell.name         # CELLLNAME
cellserver=a.b.c.d         # hostname.domain
cellserver=a.b.c.d         # hostname.domain

- Authentication is done in a quite ugly way now, just see
auth        sufficient    /lib/security/pam_unix.so likeauth nullok md5
auth        required      /lib/security/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/pam_afs.so.1 use_first_pass
auth        required      /lib/security/pam_deny.so

This means, that if krb5 authentication succeeds, the system will try to use
the same password for afs... This is not the nicest way, but it still works.
There modified version of "klog", which can be used to get valid afs tickets
from a krb5 server, but i didn't find a pam module doing that. This would be
very nice. 

Is there a more standard way of doing this? How will things come together
with krb5? Is there someone working on a pam module using aklog?

Is there an administration tool (maybe web based) to do everything when
adding/removing/modifying a user? In our case this means:
- add/modify/delete a krb5 principal
- add/modify/delete an aafs krb4 principal
- add/modify/delete the LDAP entry
- add/modify/delete the AFS protection database entry
- setting up group membership in LDAP and in AFS protection database
- create/remove the home volume for the user
... and maybe some more ...

Thanks in advance: