Copyright © 2006-2009 Cédric Delfosse - Mandriva
| Revision History | ||
|---|---|---|
| Revision $Revision: 3927 $ | $Date: 2009-03-19 18:25:12 +0100 (Thu, 19 Mar 2009) $ | $Author: cdelfosse $ |
Abstract
This document explains the content of the MMC base plugin configuration file
Table of Contents
The « base » plugin is the main plugin of the MMC Python API. It features base operations like LDAP management (users, groups, etc), user authentication and provisioning.
The plugin configuration file is /etc/mmc/plugins/base.ini.
Like all MMC related configuration file, its file format is INI style. The file is made of sections, each one starting with a « [sectionname] » header. In each section options can be defined like this « option = value ».
For example:
[section1]
option1 = 1
option2 = 2
[section2]
option1 = foo
option2 = plop
All the passwords contained in MMC-related configuration files can be obfuscated using a base64 encoding. This is not a security feature, but at least somebody won't be able to read accidentally a password.
To obfuscate a password, for example the word "secret", you can use the Python interpreter:
$ python -c 'print "secret".encode("base64")'
c2VjcmV0
The base64-encoded password is the word "c2VjcmV0". Now to use it in a configuration file:
[section]
password = {base64}c2VjcmV0
The {base64} prefix warns the configuration parser that the following word is a base64-encoded word, and so needs to be decoded before being used.
Here are all the base.ini available sections
Table 1. base.ini available sections
| Section name | Description | Optional |
|---|---|---|
| ldap | LDAP access definition | no |
| backup-tools | Backup tools configuration | no |
| hooks | Hooks for scripts that interacts with the MMC | yes |
| userdefault | Attributes and Objectclass values that are added or deleted when adding a new user into the LDAP | yes |
| authentication | Defines how a user is authenticated when logging into the MMC web interface. For example, another LDAP server can be use to perform the authentication. | yes |
| provisioning | User accounts can be created or updated automatically when logging in to the MMC web interface. | yes |
This section defines how the main LDAP is accessed, where are located the users organization units, etc.
Table 2. Available options for the "ldap" section
| Option name | Description | Optional | Default value |
|---|---|---|---|
| host | IP address or hostname of the LDAP server | no | |
| baseDN | LDAP base Distinguished Name (DN) | no | |
| rootName | LDAP administrator DN | no | |
| password | LDAP administrator password | no | |
| baseUsersDN | LDAP organisational unit DN where the users are located | no | |
| baseGroupsDN | LDAP organisational unit DN where the groups are located | no | |
| gpoDN | LDAP organisational unit DN where the GPO are located | yes | ou=System,baseDN |
| userHomeAction | If set to 1, create and delete user directory when creating/deleting one | no | |
| defaultUserGroup | When creating an user, set this group as the primary user group | yes | |
| skelDir | Use the specified directory when creating a user home directory | yes | /etc/skel |
| defaultHomeDir | Use this directory as a base directory when creating a user without specifying a home directory. If the creater user is called "foo", his/her homeDirectory will be "defaultHomeDir/foo" | yes | /home |
| authorizedHomeDir | a list of directory where user home directory can be put | yes | defaultHomeDir |
| uidStart | starting uid number for user accounts | yes | 10000 |
| gidStart | starting gid number for groups | yes | 10000 |
| logfile | LDAP log file path | no |
This section defines where are located the backup tools. The backup tools are used when backuping a home directory or a SAMBA share from the MMC.
Table 3. Available options for the "backup-tools" section
| Option name | Description | Optional | Default value |
|---|---|---|---|
| path | Where are located the executable needed by the backup tools | no | |
| destpath | Where the backup are located once done | no |
The hooks system allow you to run external script when doing some operations with the MMC.
The script will be run as root user, with as only argument the path to a temporary file containing the full LDIF export of the LDAP user. For the « adduser » and « changeuserpassword » hooks, the LDIF file will contain the userPassword attribute in cleartext.
The executable bit must be set on the script to run. The temporary LDIF file is removed once the script has been executed.
Table 4. Available options for the "hooks" section
| Option name | Description | Optional | Default value |
|---|---|---|---|
| adduser | path to the script launched when a user has been added into the LDAP directory | yes | |
| changeuserpassword | path to the script launched when a user has been changed into the LDAP directory | yes | |
| deluser | path to the script launched when a user is going to be removed from the LDAP directory | yes |
Here is a hook example written in BASH for « adduser »:
#!/bin/sh
# Get the uid of the new user
VALUE=`cat $1 | grep ^uid: | sed "s/uid: //"`
# Log new user event
echo "New user $VALUE created" >> /var/log/newuser.log
exit 0
The same hook, written in Python:
#!/usr/bin/python
import sys
# ldif is a Python package of the python-ldap extension
import ldif
LOGFILE="/var/log/newuser.log"
class MyParser(ldif.LDIFParser):
def handle(self, dn, entry):
uid = entry["uid"][0]
f = file(LOGFILE, "a")
f.write("New user %s created\n" % uid)
f.close()
parser = MyParser(file(sys.argv[1]))
parser.parse()
This section allows to set default attributes to a user, or remove them, only at user creation.
Each option of this section is corresponding to the attribute you want to act on.
If you want to remove the « displayName » attribute of each newly added user:
[userdefault]
displayName = DELETE
Substitution is done on the value of an option if a string between '%' is found. For example, if you want that all new user have a default email address containing their uid:
[userdefault]
mail = %uid%@mandriva.com
If you want to add a value to a multi-valuated LDAP attribute, do this:
[userdefault]
objectClass = +corporateUser
Since version 1.1.0, you can add modifiers that interact with the substitution. This modifiers are put between square bracket at the beginning os the string to substitute.
Table 5. Available modifiers for substitution
| modifier character | Description |
|---|---|
| / | Remove diacritics (accents mark) from the substitution string |
| _ | Set substitution string to lower case |
| | | Set substitution string to upper case |
For example, you want that all new created users have a default mail address made this way: « firstname.lastname@mandriva.com ». But your user firstname/lastname have accent marks, that are forbidden for email address. You do it like this:
[userdefault]
mail = [_/]%givenName%.%sn%@mandriva.com
The default configuration authenticates users using the LDAP directory specified in the [ldap] section.
But it is also possible to set up authentication using an external LDAP server.
This optional section tells the MMC agent authentication manager how to authenticate a user. Each Python plugin can register "authenticator" objects to the authentication manager, that then can be used to authenticate users.
The authentication manager tries each authenticator with the supplied login and password until one successfully authenticate the user.
Please note that the user won't be able to log in to the MMC web interface if she/he doesn't have an account in the LDAP directory configured in the [ldap] section of the base plugin. The provisioning system will allow you to automatically create this account.
The base plugin registers two authenticators:
baseldap: this authenticator uses the LDAP directory configured in the [ldap] section of the base plugin to authenticate the user,
externalldap: this authenticator uses an external LDAP directory to authenticate the user.
Table 6. Available options for the "authentication" section
| Option name | Description | Optional | Default value |
|---|---|---|---|
| method | space-separated list of authenticators to try to authenticate a user | yes | baseldap |
The default configuration is:
[authentication]
method = baseldap
This section defines some configuration directives for the baseldap authenticator.
Table 7. Available options for the "authentication_baseldap" section
| Option name | Description | Optional | Default value |
|---|---|---|---|
| authonly | space-separated list of login that will be authentified using this authenticator. Others will be skipped. | yes |
For example, to make the "baseldap" authenticator only authenticate the virtual MMC "root" user:
[authentication_baseldap]
authonly = root
This section defines some configuration directives for the baseldap authenticator.
Table 8. Available options for the "authentication_externalldap" section
| Option name | Description | Optional | Default value |
|---|---|---|---|
| exclude | space-separated list of login that won't be authenticated using this authenticator. | yes | |
| authonly | If set, only the logins from the specified space-separated list of login will be authenticated using this authenticator, other login will be skipped. | yes | |
| mandatory | Set whether this authenticator is mandatory. If it is mandatory and can't be validated during the mmc-agent activation phase, the mmc-agent exits with an error. | yes | True |
| network_timeout | LDAP connection timeout in seconds. If the LDAP connection failed after this timeout, we try the next LDAP server in the list or give up if it the last. | yes | |
| ldapurl | LDAP URL of the LDAP directory to connect to to authenticate user. You can specify multiple LDAP URLs, separated by spaces. Each LDAP server is tried until one successfully accepts a connection. | no | |
| suffix | DN of the LDAP directory where to search users | no | |
| bindname | DN of the LDAP directory account that must be used to bind to the LDAP directory and to perform the user search. If empty, an anonymous bind is done. | no | |
| bindpasswd | Password of the LDAP directory account given by the bindname option. Not needed if bindname is empty. | no | |
| filter | LDAP filter to use to search the user in the LDAP directory | yes | objectClass=* |
| attr | Name of the LDAP attribute that will allow to match a user entry with a LDAP search | no |
For example, to authenticate a user using an Active Directory:
[authentication_externalldap]
exclude = root
ldapurl = ldap://192.168.0.1:389
suffix = cn=Users,dc=adroot,dc=com
bindname = cn=Administrator, cn=Users, dc=adroot, dc=com
bindpasswd = s3cr3t
filter = objectClass=*
attr = cn
This feature allows to automatically create a user account if it does not already exist in the LDAP directory configured in the [ldap] section of the base plugin.
User provisioning is needed for example if an external LDAP is used to authenticate users. The users won't be able to log in to the MMC web interface even if their login and password are rights, because the local LDAP doesn't store thir accounts.
This optional section tells the MMC agent provisioning manager how to provision a user account. Each Python plugin can register "provisioner" objects to the provisioning manager, that then can be used to provision users.
When a user logs in to the MMC web interface, the authenticator manager authenticates this user. If the authentication succeed, then the provisioning manager runs each provisioner.
The authenticator object that successfully authenticates the user must pass to the provisioning manager the user informations, so that the provisioners have data to create or update the user entry.
Table 9. Available options for the "provisioning" section
| Option name | Description | Optional | Default value |
|---|---|---|---|
| method | space-separated list of provisioners | yes |
For example, this configuration tells to use the "externalldap" provisioner to create the user account:
[provisioning]
method = externalldap
This section defines some configuration directives for the externalldap authenticator.
Table 10. Available options for the "authentication_externalldap" section
| Option name | Description | Optional | Default value |
|---|---|---|---|
| exclude | space-separated list of login that won't be provisioned by this provisioner. | yes | |
| ldap_uid | name of the external LDAP field that is corresponding to the local uid field. The uid LDAP attribute is the user login. | no | |
| ldap_givenName | name of the external LDAP field that is corresponding to the local givenName field | no | |
| ldap_sn | name of the external LDAP field that is corresponding to the local sn (SurName) field | no | |
| profile_attr | The ACLs fields of the user that logs in can be filled according to the value of an attribute from the external LDAP. This option should contain the field name. | yes | |
| profile_acl_<profilename> | The ACLs field of the user that logs in with the profile <profilename>. | yes | |
| profile_group_mapping | If enabled, users with the same profile will be put in the same users group. | yes | False |
| profile_group_prefix | If profile_group_mapping is enabled, the created groups name will be prefixed with the given string. | yes |
To create a user account, the MMC agent needs the user's login, password, given name and surname. That's why the ldap_uid, ldap_givenName and ldap_sn options are mandatory.
Here is a simple example of an authenticators and provisioners chain that authenticates users using an Active Directory, and create accounts:
[authentication]
method = baseldap externalldap
[authentication_externalldap]
exclude = root
ldapurl = ldap://192.168.0.1:389
suffix = cn=Users,dc=adroot,dc=com
bindname = cn=Administrator, cn=Users, dc=adroot, dc=com
bindpasswd = s3cr3t
filter = objectClass=*
attr = cn
[provisioning]
method = externalldap
[provisioning_externalldap]
exclude = root
ldap_uid = cn
ldap_givenName = sn
ldap_sn = sn