9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] authentication by LDAP?
@ 2005-12-29 22:32 Paweł Lasek
  2006-01-02 12:35 ` Steve Simon
  0 siblings, 1 reply; 11+ messages in thread
From: Paweł Lasek @ 2005-12-29 22:32 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

Hi.

I'm in the following situation:

We want to have a plan9 machine in school, however, it must share its
users database (usernames, passwords, privs and so on) with NetBSD and
Linux. Not only that, we need shared home directories and texmf tree
(we don't have much space so why waste it)

network is made of 3 virtual machines:

nexus: Linux Xen 2.0 host, main server, stores all files
devil: NetBSD 3.0/xen-guest
usagi: Plan9, xen-guest

What I am looking for is a way to hook plan9's databases into LDAP or
something similar, so I could change only the global repository.

Even better if it would be possible to set the rest, like ndb by it :-)

And what about DHCP? For some reason I can't get ISC DHCPD to give
valid info about auth servers and so on, would it work to use
plan9port and plan9's dhcp server?


--
Paweł Lasek
"Once a hitokiri, always a hitokiri. This will never change" - Jine-Ei
http://plasek.jogger.pl [in polish]


* Re: [9fans] authentication by LDAP?
  2005-12-29 22:32 [9fans] authentication by LDAP? Paweł Lasek
@ 2006-01-02 12:35 ` Steve Simon
  2006-01-03  1:12   ` erik quanstrom
  2006-01-03 14:20   ` Paweł Lasek
  0 siblings, 2 replies; 11+ messages in thread
From: Steve Simon @ 2006-01-02 12:35 UTC (permalink / raw)
  To: 9fans

Currently there is no ldap client of any sort for plan9 (unless someone
knows different?). I was looking at the RFCs again over Christmas but
once again I have recoiled from the complexity of it.

I imagine an ldap client which provides a number of interface
directories, one of them which allows arbitrary searches of the
ldap database, and perhaps others which hold cached info in the
form of flat files.

One of these flat files could be DNS info from LDAP in ndb(6) format
which you could simply reference in /lib/ndb/local, e.g.

	database=
		file=/lib/ndb/root
		file=/lib/ndb/local
		file=/lib/ndb/common
		file=/mnt/ldap/ndb

This is all very neat but vapourware at present - sorry, if I do get
around to such a thing I will announce it here.

-Steve



* Re: [9fans] authentication by LDAP?
  2006-01-02 12:35 ` Steve Simon
@ 2006-01-03  1:12   ` erik quanstrom
  2006-01-03  1:15     ` Russ Cox
  2006-01-03 14:20   ` Paweł Lasek
  1 sibling, 1 reply; 11+ messages in thread
From: erik quanstrom @ 2006-01-03  1:12 UTC (permalink / raw)
  To: 9fans, Steve Simon

is there anything about ldap that would prevent one from writing an
ldap adaptor for ndb? i was thinking something along these lines

	database=
		file=/lib/ndb/root
		dns=/srv/dns
		file=/lib/ndb/local
		file=/lib/ndb/common
		ldap=/srv/ldaps


ideally, the client could be oblivious to the source of the information.

fat chance, right?

- erik
	
"Steve Simon" <steve@quintile.net> writes

| 
| Currently there is no ldap client of any sort for plan9 (unless someone
| knows different?). I was looking at the RFCs again over Christmas but
| once again I have recoiled from the complexity of it.
| 
| I imagine an ldap client which provides a number of interface
| directories, one of them which allows arbitrary searches of the
| ldap database, and perhaps others which hold cached info in the
| form of flat files.
| 
| One of these flat files could be DNS info from LDAP in ndb(6) format
| which you could simply reference in /lib/ndb/local, e.g.
| 
| 	database=
| 		file=/lib/ndb/root
| 		file=/lib/ndb/local
| 		file=/lib/ndb/common
| 		file=/mnt/ldap/ndb
| 
| This is all very neat but vapourware at present - sorry, if I do get
| around to such a thing I will announce it here.
| 
| -Steve



* Re: [9fans] authentication by LDAP?
  2006-01-03  1:12   ` erik quanstrom
@ 2006-01-03  1:15     ` Russ Cox
  2006-01-03  2:13       ` erik quanstrom
  0 siblings, 1 reply; 11+ messages in thread
From: Russ Cox @ 2006-01-03  1:15 UTC (permalink / raw)
  To: erik quanstom, Fans of the OS Plan 9 from Bell Labs

> is there anything about ldap that would prevent one from writing an
> ldap adaptor for ndb? i was thinking something along these lines

you'd have to put it in libndb, polluting every program
that reads ndb files and the standard library.
i much prefer steve's solution.

russ



* Re: [9fans] authentication by LDAP?
  2006-01-03  1:15     ` Russ Cox
@ 2006-01-03  2:13       ` erik quanstrom
  2006-01-03  2:34         ` Russ Cox
  0 siblings, 1 reply; 11+ messages in thread
From: erik quanstrom @ 2006-01-03  2:13 UTC (permalink / raw)
  To: 9fans, Russ Cox

i guess in addition to suffering linux brain dapage, i didn't explain myself well.

if one wrote an ldap fileserver that served up ndb-style tuples in a standard
format, all the ndb library would need is a hook to talk to this fileserver instead
of parsing an ndb file. you could do the same with dns and other protocols.

- erik

Russ Cox <rsc@swtch.com> writes

| 
| > is there anything about ldap that would prevent one from writing an
| > ldap adaptor for ndb? i was thinking something along these lines
| 
| you'd have to put it in libndb, polluting every program
| that reads ndb files and the standard library.
| i much prefer steve's solution.
| 
| russ



* Re: [9fans] authentication by LDAP?
  2006-01-03  2:13       ` erik quanstrom
@ 2006-01-03  2:34         ` Russ Cox
  2006-01-03  2:53           ` erik quanstrom
  0 siblings, 1 reply; 11+ messages in thread
From: Russ Cox @ 2006-01-03  2:34 UTC (permalink / raw)
  To: erik quanstrom, Fans of the OS Plan 9 from Bell Labs

> if one wrote an ldap fileserver that served up ndb-style tuples in a standard
> format, all the ndb library would need is a hook to talk to this fileserver instead
> of parsing an ndb file. you could do the same with dns and other protocols.

yes.  and steve was saying that the hook could be
you mount the file server somewhere and then use
the name of its ndb file in /lib/ndb/local.  ndb can just
access a file like it always has been, never caring
what kind of file server provides the file.

russ



* Re: [9fans] authentication by LDAP?
  2006-01-03  2:34         ` Russ Cox
@ 2006-01-03  2:53           ` erik quanstrom
  0 siblings, 0 replies; 11+ messages in thread
From: erik quanstrom @ 2006-01-03  2:53 UTC (permalink / raw)
  To: 9fans, Russ Cox

i read too much into "in the form of flat files." i guess we're in noisy agreement.

- erik


Russ Cox <rsc@swtch.com> writes

| 
| > if one wrote an ldap fileserver that served up ndb-style tuples in a standard
| > format, all the ndb library would need is a hook to talk to this fileserver instead
| > of parsing an ndb file. you could do the same with dns and other protocols.
| 
| yes.  and steve was saying that the hook could be
| you mount the file server somewhere and then use
| the name of its ndb file in /lib/ndb/local.  ndb can just
| access a file like it always has been, never caring
| what kind of file server provides the file.
| 
| russ



* Re: [9fans] authentication by LDAP?
  2006-01-02 12:35 ` Steve Simon
  2006-01-03  1:12   ` erik quanstrom
@ 2006-01-03 14:20   ` Paweł Lasek
  2006-01-03 17:20     ` Dan Cross
  2006-01-07  3:13     ` erik quanstrom
  1 sibling, 2 replies; 11+ messages in thread
From: Paweł Lasek @ 2006-01-03 14:20 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

On 1/2/06, Steve Simon <steve@quintile.net> wrote:
>
> One of these flat files could be DNS info from LDAP in ndb(6) format
> which you could simply reference in /lib/ndb/local, e.g.
[...]
> This is all very neat but vapourware at present - sorry, if I do get
> around to such a thing I will announce it here.

It looks like it will be the first job in our 'Hack club' :D

IDEA:
On the linux machine, every x hours, a cron job will check the ldap database
for new/changed/deleted entries and translate them to a format supported
by plan9 software (updating the fileserver's user database in the
process).

And I decided not to read the RFCs nor the libldap manual/code... python-ldap
or perl-ldap will be used, and since perl-ldap is written entirely in
Perl, it might be possible to get it working as a native plan9
fileserver (if you call a perl program native :) )


The only problem I have is:
* Is there a simple way to set up a linux box as ndb/auth/fileserver and
so on for plan9?
* How can I configure some unix DHCP server to send fileserver/auth
info to plan9   (I tried with ISC DHCPd... for some reason I can't get
it working)
* OR set up Plan9's dhcp server (dhcp info isn't going to change so
often as to need LDAP :P )


> -Steve
>


--
Paweł Lasek
"Once a hitokiri, always a hitokiri. This will never change" - Jine-Ei
http://plasek.jogger.pl [in polish]
http://plasek.wordpress.com [in polish too ;-) ]
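
The translation step of the cron job idea above, as an added example (not code from the thread): it turns entries shaped like python-ldap `search_s()` results into users(6)-style `id:name:leader:members` lines and rejects any entry whose values could inject extra fields or lines. The sample entries, the name pattern, the locally managed name list and the use of the name as the id are assumptions.

```python
import re

# Assumption: a conservative name pattern; ':' and ',' are the users(6)
# separators and a newline would start a new line in the users file.
NAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,26}")
# Assumption: names administered locally on the file server, never taken from LDAP.
LOCAL_ONLY = {"adm", "none", "noworld", "sys", "upas"}

# Constructed sample shaped like python-ldap search_s() results:
# [(dn, {attribute: [bytes, ...]}), ...]. Not real directory data.
SAMPLE = [
    ("uid=alice,ou=people,dc=example", {"uid": [b"alice"]}),
    ("uid=bob,ou=people,dc=example", {"uid": [b"bob"]}),
    ("cn=students,ou=groups,dc=example",
     {"cn": [b"students"], "memberUid": [b"alice", b"bob"]}),
    # Broken or hostile entries that must not reach the users file:
    ("uid=x,ou=people,dc=example", {"uid": [b"eve\nsys:sys::eve"]}),
    ("cn=sys,ou=groups,dc=example", {"cn": [b"sys"], "memberUid": [b"bob"]}),
    ("cn=lab,ou=groups,dc=example", {"cn": [b"lab"], "memberUid": [b"alice,adm"]}),
]

def valid(name):
    # fullmatch, not match: a trailing newline must not slip through.
    return bool(NAME_RE.fullmatch(name)) and name not in LOCAL_ONLY

def to_users_lines(entries):
    """Translate entries to 'id:name:leader:members'; return (lines, rejected_dns)."""
    lines, rejected = [], []
    for dn, attrs in entries:
        try:
            is_user = "uid" in attrs
            name = attrs["uid" if is_user else "cn"][0].decode("utf-8")
            members = [m.decode("utf-8") for m in attrs.get("memberUid", [])]
        except (KeyError, IndexError, UnicodeDecodeError):
            rejected.append(dn)
            continue
        if not valid(name) or not all(valid(m) for m in members):
            rejected.append(dn)  # drop the whole entry, never "clean up" a value
            continue
        leader = name if is_user else ""
        lines.append(f"{name}:{name}:{leader}:{','.join(sorted(members))}")
    return sorted(lines), rejected

if __name__ == "__main__":
    out, bad = to_users_lines(SAMPLE)
    print("\n".join(out))
    print("rejected:", bad)
```

Rejected DNs are worth logging from the cron job: an entry that fails validation is either a directory data error or an attempt to add membership in a locally managed group.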


* Re: [9fans] authentication by LDAP?
  2006-01-03 14:20   ` Paweł Lasek
@ 2006-01-03 17:20     ` Dan Cross
  2006-01-04 22:13       ` Paweł Lasek
  2006-01-07  3:13     ` erik quanstrom
  1 sibling, 1 reply; 11+ messages in thread
From: Dan Cross @ 2006-01-03 17:20 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

On Tue, Jan 03, 2006 at 03:20:46PM +0100, Paweł Lasek wrote:
> It looks like it will be the first job in our 'Hack club' :D

The first rule of Hack Club is...You don't talk about Hack Club!

	- Dan C.




* Re: [9fans] authentication by LDAP?
  2006-01-03 17:20     ` Dan Cross
@ 2006-01-04 22:13       ` Paweł Lasek
  0 siblings, 0 replies; 11+ messages in thread
From: Paweł Lasek @ 2006-01-04 22:13 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

On 1/3/06, Dan Cross <cross@math.psu.edu> wrote:

> The first rule of Hack Club is...You don't talk about Hack Club!

Good One ;-)


However, we're not aspiring to be any kind of secret organisation ;-P
so it's not that useful.

And the name isn't mine -- it's a literal translation of someone else's
idea (nobody thought of anything better... at least we didn't fight
over hostnames ^_-)

(Although we still haven't started official stuff as we want to bring
up Xen with at least linux working + we need to find a place so the server
could work 24/7)

>         - Dan C.
>
>

--
Paweł Lasek
"Once a hitokiri, always a hitokiri. This will never change" - Jine-Ei
http://plasek.wordpress.com [in polish]


* Re: [9fans] authentication by LDAP?
  2006-01-03 14:20   ` Paweł Lasek
  2006-01-03 17:20     ` Dan Cross
@ 2006-01-07  3:13     ` erik quanstrom
  1 sibling, 0 replies; 11+ messages in thread
From: erik quanstrom @ 2006-01-07  3:13 UTC (permalink / raw)
  To: 9fans, Paweł Lasek

Paweł Lasek <pawel.lasek@gmail.com> writes

[...]

| The only problem I have is:
| * Is there a simple way to set up a linux box as ndb/auth/fileserver and
| so on for plan9?

ndb works pretty well for me.

| * How can I configure some unix DHCP server to send fileserver/auth
| info to plan9   (I tried with ISC DHCPd... for some reason I can't get
| it working)

russ has ip/dhcpd working.

if i understand the ip/dhcp code from a really quick read i think you want


	vendor-option-space "plan9_";
	option plan9_.fs "fileserver";
	option plan9_.auth "authserver";


