|
netfrag.org . Pad . LinuxOnStage
|
--------------------------------------------------------------------------------------------------
First focus: Three services: imap, smtp, ftp
Second focus: All services (e.g. for intranet purposes): +samba, +http
Additional services: nntp, ldap
--------------------------------------------------------------------------------------------------
Stage 1: early days
x(jjj) Classical Linux/UNIX: /etc/passwd, no encryption
Stage 1.5: current
x(jjj) sendmail and uw-imap with TLS and/or SSL
x(jok) cvs access via ssh, no cvspserver!
Stage 2: todo
o saslauthd/sasldb instead of passwd/PAM for IMAP and SMTP Authentication
o hybrid sasldb / PAM configuration to migrate user per user
o user-based change password
o sasl + PAM for FTP (is it possible to query LDAP via PAM?)
Stage 3:
x(jan, 2004-11) LDAP Backend for Basic Authentication (SASL)
x SMTP (using sendmail)
x IMAP (using CMU Cyrus)
o FTP
- ProFTPD + mod_ldap: http://horde.net/~jwm/software/proftpd-ldap/
- PAM with vsftpd & LDAP: http://archives.neohapsis.com/archives/pam-list/2003-02/0004.html
x(jan) LDAP Backend for Basic Configuration
x sendmail virtusertable
x sendmail maps
o all other sendmail configuration options from /etc/mail:
access, aliases, local-host-names, mailertable, masquerade-domains, relay-domains, trusted-users
Stage 3.5:
o Other Application Data to LDAP?
x(jan,jon) Horde Preferences
o(jan,jok) Global and Shared Address Books
x MySQL / BerkeleyDB as LDAP backend for performance/security/stability reasons
o Try other LDAP backend (ldbm, mysql, etc.)
x OpenLDAP 3.0 already runs with Berkeley
Stage 4:
o LDAP Backend for Advanced Authentication
x(jan) Samba <-> PAM
o mod_auth_ldap, etc.
o /home directory at non standard paths or
o No /home directory required
o what about:
o ".forward"?
o "public_html"?
o other configuration files in /home
Stage 5:
o(jon, 2003-01) All together with Kerberos/GSSAPI
o more recent state-of-the-art freaky stuff....
o authentication using smartcards or OTP?
x(jan) Mail routing between heterogenous systems (Windows: Microsoft Exchange, Linux: Sendmail)
using the "smtp8" mailer - Q: could/should we use this mailer for "normal" sendmail backup MX, too?
Production Issues:
o handle and use full ldap acl's
o make ordinary user change attributes inside own container below sendmail's
area for e.g. /etc/mail/access to give blacklists to each user
--------------------------------------------------------------------------------------------------
Common Todos:
o lookat: LDAP replication
o do: authenticate LDAP itself using SASL
x quirks: delete /var/spool/mqueue/.hoststats/localhost if modifying sendmail.cf before restart
o build: console ldap client
o get: ldap schema- & permission editor
o lookat: nss_ldap
o lookat: migrationtools
o A generic "comment" field inside each (e.g. SendmailMAP) container
o lookat: web based ldap admin, e.g. phpLDAPAdmin
o lookat: Directory administrator: http://diradmin.open-it.org/
Ideas:
o iptables2ldap
o store new certificates directly to LDAP!? make/use hooks to/in
o OpenCA
o ElyCA
o also configure in some associated container which (web) applications
each user/domain has installed, e.g. phpMyAdmin, awstats, etc. & related (configuration) parameters
--------------------------------------------------------------------------------------------------
Other more advanced sysadmin stuff:
o logging
o remote logging
o logging to mysql
o mod_log_mysql_simple - Simple Database Logging for Apache
http://www.steve.org.uk/Software/mod-log-mysql-simple/
o WinCVS & Kerberos?
o RBAC
----- Revision r1.1 - 24 Nov 2004 - 14:42 - Main.joko
|