Linux User Management
(LUM)

3/24/2006
Eric Low

Linux User Management (LUM) is essentially an eDirectory wrapper that lets Linux users log in with accounts stored and managed in a central location, namely your Netware server. More than anything, it replaces the use of the /etc/passwd and /etc/shadow files on the workstation. It also uses the user account information stored in eDirectory to let users access network file and printer resources. In addition, it still lets users log in through methods such as xdm and gdm, without worrying about eDirectory context and such, and then provides seamless access to those network resources. It uses LDAP to make the requests.


Every Linux workstation relying on LUM will need to have a corresponding Linux Workstation Object in the eDirectory tree. Whether or not these use up a license in Netware, I don't know. Every user in LUM will need to have a class extension on their eDirectory account as well (eDirectory users must be manually converted to LUM users before they can use it). Linux Workstation Objects and LUM users must also belong to a LUM group. The user must also be a member of a group enabled for Linux and stored in the properties of the LUM Workstation Object.

According to the Novell LUM Guide:

When a user logs in to a Linux computer running Linux User Management (LUM), the request is redirected to eDirectory and checked against information in eDirectory. For this to work, the computers and eDirectory must be configured as follows:

* The target workstation must be running LUM software and point to the Linux/UNIX Config object on the network.
* The target workstation must have a representative Linux/UNIX Workstation object in eDirectory, created when LUM components are installed.
* The user must be enabled for Linux. The user must be a member of a group enabled for Linux and stored in the properties of the Linux/UNIX Workstation object. The Linux/UNIX Config object must specify the context of the Linux Workstation object.

. . .

In addition to the typical Linux-related properties (for example, Group ID), the eDirectory Group object extended for Linux holds some additional properties:

* UamPosixWorkstationList: Lists the UNIX Workstation objects that the group has permissions to access.
* Description: Displays an alternative description.

Also:

[When a user tries to log into a LUM enabled Linux Workstation,] the Linux computer checks its corresponding Linux/UNIX Workstation object in eDirectory for the list of groups approved to log in. Each approved group is searched for the username of the user requesting access. When the first matching username is found, the login is allowed using the UID, GID, password, and other login information stored in eDirectory. If the username is not found in any of the groups, the login is not allowed.


When you extend a user object for Linux, the eDirectory User object holds Linux-related properties, such as user ID, primary group ID, primary group name, location of home directory, and preferred shell.
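As an added illustration of the group walk the guide describes (my own sketch, not code from Novell or the LUM guide), the following Python models a workstation's approved-group list, the groups' member lists and the users' Linux profiles as constructed in-memory dictionaries. The attribute names are assumptions standing in for the real eDirectory/LDAP attributes, and the password check itself (done by eDirectory) is left out.

```python
# Added sketch of the LUM login decision: walk the workstation's approved
# groups, find the first group containing the username, and hand back the
# POSIX login data from that user's Linux profile. All objects below are
# constructed stand-ins for eDirectory entries; attribute names are
# assumptions, and the eDirectory password check is not modelled.

USERS = {  # constructed users: elow and guest, plus bob in another group
    "cn=elow,ou=staff,o=acme": {
        "uid": "elow", "linux_enabled": True, "uidNumber": 1001,
        "gidNumber": 600, "homeDirectory": "/home/elow",
        "loginShell": "/bin/bash",
    },
    "cn=guest,ou=staff,o=acme": {  # eDirectory user never extended for Linux
        "uid": "guest", "linux_enabled": False, "uidNumber": 1002,
        "gidNumber": 600, "homeDirectory": "/home/guest",
        "loginShell": "/bin/bash",
    },
    "cn=bob,ou=staff,o=acme": {  # LUM-enabled, but only in an unapproved group
        "uid": "bob", "linux_enabled": True, "uidNumber": 1003,
        "gidNumber": 601, "homeDirectory": "/home/bob",
        "loginShell": "/bin/sh",
    },
}
GROUPS = {  # constructed LUM groups with their member lists
    "cn=linuxusers,ou=staff,o=acme": {
        "member": ["cn=elow,ou=staff,o=acme", "cn=guest,ou=staff,o=acme"]},
    "cn=labadmins,ou=staff,o=acme": {
        "member": ["cn=bob,ou=staff,o=acme"]},
}
WORKSTATIONS = {  # constructed Linux/UNIX Workstation objects
    "ws01": {"groupMembership": ["cn=linuxusers,ou=staff,o=acme"]},
}
LOGIN_FIELDS = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")


def resolve_login(workstation, username):
    """Return the POSIX login data for username on workstation, or None."""
    ws = WORKSTATIONS.get(workstation)
    if ws is None:
        return None  # no Workstation object in the tree: LUM cannot proceed
    for group_dn in ws["groupMembership"]:  # approved groups, in order
        for user_dn in GROUPS.get(group_dn, {}).get("member", []):
            user = USERS.get(user_dn)
            if user is None or user["uid"] != username:
                continue
            if not user["linux_enabled"]:
                return None  # first match wins, but has no Linux profile
            return {field: user[field] for field in LOGIN_FIELDS}
    return None  # username in no approved group: login refused
```

Note that bob is refused even though he is LUM-enabled, because his group is not listed on the workstation object; that is the "group enabled for Linux and stored in the properties of the Workstation object" requirement in action.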


First, I had to install LUM, since I had not done so in our initial installation. Apparently, LUM is installed as part of Novell Nterprise Linux Services (NNLS). Here is the installation guide.

It appears that NNLS can only be installed on top of SLES (SuSE Linux Enterprise Server) or a couple of versions of Red Hat Enterprise Linux. I did not want to install SLES, but I could not find any other way to extend the eDirectory schema! More than anything, I needed to create a Linux/Unix Config Object in our Organizational Unit. You cannot do much without it, and it is done automatically when setting up LUM on your SLES (when you add your first workstation, I think - or maybe even when you first extend the schema).

LUM also appears to be installed with OES - Linux. We installed OES - Netware, and this component is mysteriously missing! The only thing that seems to be installed is the iManager extensions. Argh... can we run it at all?


LUM Object rights:

A Linux Config object is created during OES product installation and configuration. The [Public] trustee is assigned [Read] rights to the Linux Workstation contexts attribute.

A Linux Workstation object is created during product configuration and installation. The [Public] trustee is assigned [Read] rights to the Group Membership attribute and [Compare] rights to the CN attribute. When an eDirectory user is being assigned a Linux profile, the following trustees are assigned:

- [Read] rights for all Linux-related attributes to the [Public] trustee
- [Read] rights for the Group Membership attribute to the [Public] trustee
- [Compare] right for the CN attribute to the [Public] trustee

These trustee assignments occur only when a Linux profile is being assigned to a user. When the Linux profile is deleted, these trustee assignments do not revert, because these assignments could have been modified by the administrator.

When an eDirectory group is assigned a Linux profile, the following trustees are assigned:

- [Read] rights for the Members attribute to the [Public] trustee
- [Read] rights for all Linux-related attributes to the [Public] trustee


How to install LUM on a SuSE workstation.

All of our Linux users run SuSE, so I installed the LUM RPM through YaST. The RPM is called novell-lum.

*** To display all users that have access to a workstation, use the namuserlist command. To display all users that a workstation knows about, both local and in eDirectory, use the getent command. Read more here.

*** If you create a user object through iManager, it will ask you if you wish to enable LUM or Samba for that user. There is no other easy way to do this automatically along with user creation.

*** The location of the Linux Config Object is stored in the local nam.conf file on a workstation.

*** Nice document on pam_ldap.

*** Configure PAM (pam.conf) to look in NDS first (for accounts/passwords) and then fall back to local Linux files.

*** LDAP Configuration for PAM

*** Loopback driver to automatically LUM-enable users.

Linux User Management, or LUM or here

Excellent paper here.