LinuxOnStage (netfrag.org Pad)

--------------------------------------------------------------------------------------------------
First focus: Three services: imap, smtp, ftp
Second focus: All services (e.g. for intranet purposes): +samba, +http
Additional services: nntp, ldap

--------------------------------------------------------------------------------------------------
Stage 1: early days
  x(jjj) Classical Linux/UNIX: accounts in /etc/passwd, no encryption

Stage 1.5: current
  x(jjj) sendmail and uw-imap with TLS and/or SSL
  x(jok) cvs access via ssh, no cvspserver!

Stage 2: todo
  o saslauthd/sasldb instead of passwd/PAM for IMAP and SMTP Authentication
  o hybrid sasldb / PAM configuration to migrate users one at a time
  o user-initiated password change
  o sasl + PAM for FTP (is it possible to query LDAP via PAM?)

Stage 3:
  x(jan, 2004-11) LDAP Backend for Basic Authentication (SASL)
    x SMTP (using sendmail)
    x IMAP (using CMU Cyrus)
    o FTP
      - ProFTPD + mod_ldap: http://horde.net/~jwm/software/proftpd-ldap/
      - PAM with vsftpd & LDAP: http://archives.neohapsis.com/archives/pam-list/2003-02/0004.html
  x(jan) LDAP Backend for Basic Configuration
    x sendmail virtusertable
    x sendmail maps
    o all other sendmail configuration options from /etc/mail:
       access, aliases, local-host-names, mailertable, masquerade-domains, relay-domains, trusted-users

Stage 3.5:
  o Other Application Data to LDAP?
     x(jan,jon) Horde Preferences
     o(jan,jok) Global and Shared Address Books
  x MySQL / BerkeleyDB as LDAP backend for performance/security/stability reasons
     o Try other LDAP backend (ldbm, mysql, etc.)
     x OpenLDAP 3.0 already runs with BerkeleyDB

Stage 4:
  o LDAP Backend for Advanced Authentication
     x(jan) Samba <-> PAM
     o mod_auth_ldap, etc.
  o /home directory at non-standard paths, or
  o no /home directory required
  o what about:
     o ".forward"?
     o "public_html"?
     o other configuration files in /home

Stage 5:
  o(jon, 2003-01) All together with Kerberos/GSSAPI
  o more recent state-of-the-art freaky stuff...
    o authentication using smartcards or OTP?
    x(jan) Mail routing between heterogeneous systems (Windows: Microsoft Exchange, Linux: Sendmail)
           using the "smtp8" mailer - Q: could/should we use this mailer for "normal" sendmail backup MX, too?

Production Issues:
  o handle and use full LDAP ACLs
     o let ordinary users change attributes inside their own container below sendmail's
        area, e.g. for /etc/mail/access, so that each user can maintain their own blacklist

--------------------------------------------------------------------------------------------------
Common Todos:
  o lookat: LDAP replication
  o do: authenticate LDAP itself using SASL
  x quirk: delete /var/spool/mqueue/.hoststats/localhost after modifying sendmail.cf, before restarting sendmail
  o build: console ldap client
  o get: LDAP schema and permission editor
  o lookat: nss_ldap
  o lookat: migrationtools
  o A generic "comment" field inside each (e.g. SendmailMAP) container
  o lookat: web based ldap admin, e.g. phpLDAPAdmin
  o lookat: Directory administrator: http://diradmin.open-it.org/

Ideas:
  o iptables2ldap
  o store new certificates directly in LDAP? make/use hooks to/in
     o OpenCA
     o ElyCA
  o also record in some associated container which (web) applications each user/domain
     has installed, e.g. phpMyAdmin, awstats, etc., together with their related (configuration) parameters

--------------------------------------------------------------------------------------------------
Other more advanced sysadmin stuff:
  o logging
     o remote logging
     o logging to mysql
        o mod_log_mysql_simple - Simple Database Logging for Apache
           http://www.steve.org.uk/Software/mod-log-mysql-simple/
  o WinCVS & Kerberos?
  o RBAC

----- Revision r1.1 - 24 Nov 2004 - 14:42 - Main.joko