This article describes the current setup of the user webserver hosted at systemausfall.org.

The following details will be discussed:

Authentication and user management

User DB based on LDAP

The first step should be the removal of nscd, since its cache would otherwise get in the way of the LDAP lookups:

aptitude remove nscd

Install the package libnss-ldap:

apt-get install libnss-ldap

Specify the source and structure of the user data in /etc/libnss-ldap.conf:

base ou=People,o=neofaxe,dc=systemausfall,dc=org
uri ldap://ldap.sao
ldap_version 3
binddn cn=authentication,dc=systemausfall,dc=org
rootbinddn cn=authentication,dc=systemausfall,dc=org
pam_filter objectclass=shellAccount
pam_min_uid 20000
pam_max_uid 29999
nss_map_objectclass posixAccount shellAccount
nss_map_objectclass shadowAccount shellAccount
nss_map_attribute uid cn
nss_map_attribute homeDirectory loginDirectory
pam_login_attribute cn
nss_default_attribute_value gidNumber 100 
nss_default_attribute_value loginShell /bin/bash 

You need to store the credentials of the rootbinddn (a read-only LDAP user) in the files /etc/libnss-ldap.secret and /etc/pam_ldap.conf. Don't forget to run chmod 600 /etc/libnss-ldap.secret /etc/pam_ldap.conf. This step may be omitted if you plan to expose the list of all users to everyone.

Configure the source of user information in /etc/nsswitch.conf:

passwd:         compat ldap
shadow:         compat ldap

Check if it works:

getent passwd

This should give you a list of all local system users and all LDAP accounts.

Try the same command as a non-privileged user again. Now you should not see any LDAP accounts (due to the permissions of libnss-ldap.secret).
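The following Python script is an added example, not part of the systemausfall.org page, that automates the checks implied by the steps above: that /etc/nsswitch.conf really lists ldap for both passwd and shadow, that the bind-credential file has mode 0600, and that every account coming from LDAP carries a uid inside the pam_min_uid/pam_max_uid window and does not collide with a local uid. The last check matters because pam_min_uid and pam_max_uid are pam_ldap options that restrict logins; they do not filter NSS lookups, so an LDAP record with a uidNumber of 0 or 33 would still appear in getent output and shadow a system account. All input (config keys, passwd lines, nsswitch lines) is constructed inline from the values on this page; on a real host you would feed it the contents of /etc/passwd, the output of getent passwd, and the real files.

```python
import os
import stat
import tempfile

# Constructed sample of the /etc/libnss-ldap.conf keys relevant to the checks
# below (values taken from the configuration shown on this page).
SAMPLE_LIBNSS_LDAP_CONF = """\
base ou=People,o=neofaxe,dc=systemausfall,dc=org
uri ldap://ldap.sao
ldap_version 3
binddn cn=authentication,dc=systemausfall,dc=org
rootbinddn cn=authentication,dc=systemausfall,dc=org
pam_filter objectclass=shellAccount
pam_min_uid 20000
pam_max_uid 29999
"""

# Constructed sample of the local /etc/passwd (two system accounts).
SAMPLE_LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Constructed sample of `getent passwd` output: the local accounts plus four
# LDAP accounts, two of which carry a uidNumber outside 20000-29999.
SAMPLE_GETENT_PASSWD = SAMPLE_LOCAL_PASSWD + """\
alice:x:20001:100:alice:/home/alice:/bin/bash
bob:x:20002:100:bob:/home/bob:/bin/bash
badldap:x:0:100:badldap:/home/badldap:/bin/bash
toohigh:x:30000:100:toohigh:/home/toohigh:/bin/bash
"""

# Constructed sample of the relevant /etc/nsswitch.conf lines.
SAMPLE_NSSWITCH = """\
passwd:         compat ldap
group:          compat
shadow:         compat ldap
"""


def parse_conf(text):
    """Parse 'key value' lines of libnss-ldap.conf into a dict; comments and
    blank lines are skipped and a repeated key keeps its last value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def uid_range(conf):
    """The (pam_min_uid, pam_max_uid) window configured for LDAP accounts."""
    return int(conf["pam_min_uid"]), int(conf["pam_max_uid"])


def parse_passwd(text):
    """Parse passwd(5)-style lines into (name, uid) pairs."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            entries.append((fields[0], int(fields[2])))
    return entries


def suspicious_ldap_accounts(local_passwd, getent_output, conf):
    """Names of accounts that come from LDAP (not present in the local passwd
    file) whose uid is outside the pam_min_uid..pam_max_uid window or collides
    with a local uid. NSS does not enforce the window, so these show up in
    getent output and must be caught by a check like this one."""
    lo, hi = uid_range(conf)
    local = parse_passwd(local_passwd)
    local_names = {name for name, _ in local}
    local_uids = {uid for _, uid in local}
    flagged = []
    for name, uid in parse_passwd(getent_output):
        if name in local_names:
            continue
        if not lo <= uid <= hi or uid in local_uids:
            flagged.append(name)
    return flagged


def nsswitch_uses_ldap(text):
    """True when both the passwd and the shadow database list the ldap source."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            db, _, srcs = line.partition(":")
            sources[db.strip()] = srcs.split()
    return all("ldap" in sources.get(db, []) for db in ("passwd", "shadow"))


def secret_file_mode_ok(path):
    """True when the credential file is a regular file with mode exactly 0600."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600


def secret_mode_check_on_tempfile(mode):
    """Create a throwaway stand-in for /etc/libnss-ldap.secret with the given
    mode and report what secret_file_mode_ok() says about it."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"placeholder-bind-password\n")  # constructed, not a real secret
        os.close(fd)
        os.chmod(path, mode)
        return secret_file_mode_ok(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_LIBNSS_LDAP_CONF)
    print("nsswitch lists ldap:", nsswitch_uses_ldap(SAMPLE_NSSWITCH))
    print("suspicious LDAP accounts:",
          suspicious_ldap_accounts(SAMPLE_LOCAL_PASSWD, SAMPLE_GETENT_PASSWD, conf))
    print("secret file with 0600 ok:", secret_mode_check_on_tempfile(0o600))
    print("secret file with 0644 ok:", secret_mode_check_on_tempfile(0o644))
```

Running the script with the constructed samples flags badldap (uid 0 collides with root) and toohigh (uid 30000 above pam_max_uid); on a production host, replace the SAMPLE_* strings with the real file contents and run it as root so that the getent output includes the LDAP entries.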

PAM setup

Starting with Debian Squeeze the default setup seems to be sufficient for logging into an LDAP enabled system. You just need to install the libpam-ldap package:

apt-get install libpam-ldap

Automatically create home directories on login

There are two approaches regarding the creation of home directories:

We chose (B): this keeps the /home directory clean, since a directory is created only for users who actually log in.

The following line needs to be added to the end of /etc/pam.d/common-session and /etc/pam.d/common-session-noninteractive:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

Webserver4Users (last modified on 2017-03-31 19:49:12 by anonym)


Creative Commons License
This page is licensed under a Creative Commons Attribution-ShareAlike 2.5 License.