This article describes the current setup of the user webserver hosted at systemausfall.org.
The following details will be discussed:
- authentication and user management via LDAP
- serving each user's webspace under a separate user ID with limited permissions (via Apache2-mpm-itk)
- using auth-on-bind for LDAP authentication within Apache (necessary if you don't want to expose the list of all users)
- configuring the LDAP server for minimal exposure towards the user webserver
Authentication and user management
User DB based on LDAP
The first step should be the removal of nscd - otherwise you will have fun with caching:
aptitude remove nscd
Install the package libnss-ldap:
apt-get install libnss-ldap
Specify the source and structure of the user data in /etc/libnss-ldap.conf:
base ou=People,o=neofaxe,dc=systemausfall,dc=org
uri ldap://ldap.sao
ldap_version 3
binddn cn=authentication,dc=systemausfall,dc=org
rootbinddn cn=authentication,dc=systemausfall,dc=org
pam_filter objectclass=shellAccount
pam_min_uid 20000
pam_max_uid 29999
nss_map_objectclass posixAccount shellAccount
nss_map_objectclass shadowAccount shellAccount
nss_map_attribute uid cn
nss_map_attribute homeDirectory loginDirectory
pam_login_attribute cn
nss_default_attribute_value gidNumber 100
nss_default_attribute_value loginShell /bin/bash
You need to store the credentials of the rootbinddn (a read-only LDAP user) in the files /etc/libnss-ldap.secret and /etc/pam_ldap.conf. Don't forget to run chmod 600 /etc/libnss-ldap.secret /etc/pam_ldap.conf. This step may be omitted if you plan to expose the list of all users to everyone.
Configure the source of user information in /etc/nsswitch.conf:
passwd: compat ldap
shadow: compat ldap
Check if it works:
getent passwd
This should give you a list of all local system users and all LDAP accounts.
Try the same command as a non-privileged user again. Now you should not see any LDAP accounts (due to the permissions of libnss-ldap.secret).
PAM setup
Starting with Debian Squeeze the default setup seems to be sufficient for logging into an LDAP enabled system. You just need to install the libpam-ldap package:
apt-get install libpam-ldap
Automatically create home directories on login
There are two approaches regarding the creation of home directories:
- (A) poll the LDAP database regularly and create home directories for new users
- (B) create home directories on demand
We decided for (B) - this keeps the /home directory clean, since only actively used user directories are created.
The following line needs to be added to the end of /etc/pam.d/common-session and /etc/pam.d/common-session-noninteractive:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
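As an added check that is not part of the original article, the following POSIX shell audit re-verifies the exposure-relevant settings from the sections above: the mode of the bind secret file, the ldap sources in nsswitch.conf, the pam_mkhomedir umask, and how many accounts in the LDAP uid range a getent run reveals. It assumes GNU coreutils (stat -c), awk, and the uid range 20000-29999 from libnss-ldap.conf.

```shell
#!/bin/sh
# Added audit helper (not from the article). Each check takes a file path or
# reads stdin so it can be run against constructed sample files as well as
# the live system. Assumes GNU coreutils (stat -c) and awk.

# The bind credentials file must be mode 0600; otherwise every local user can
# read the rootbinddn password and enumerate all LDAP accounts.
secret_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  [ "$mode" = "600" ]
}

# nsswitch.conf: both the passwd and shadow databases must list the ldap source.
nsswitch_ok() {
  grep -Eq '^passwd:.*[[:space:]]ldap([[:space:]]|$)' "$1" &&
  grep -Eq '^shadow:.*[[:space:]]ldap([[:space:]]|$)' "$1"
}

# PAM session file: pam_mkhomedir must be present with the restrictive
# umask=0077 so freshly created home directories are not world-readable.
mkhomedir_ok() {
  grep -Eq '^session[[:space:]]+required[[:space:]]+pam_mkhomedir\.so.*umask=0077' "$1"
}

# Count passwd-style entries on stdin whose uid lies in the LDAP range
# (pam_min_uid..pam_max_uid). Run by an unprivileged user on "getent passwd",
# this should print 0 when the secret file is protected as described.
count_ldap_uids() {
  awk -F: -v min="$1" -v max="$2" '$3 >= min && $3 <= max { n++ } END { print n + 0 }'
}

# Convenience wrapper for the live system: one result line per check.
audit_live() {
  secret_mode_ok /etc/libnss-ldap.secret && echo "secret mode: ok" || echo "secret mode: FAIL"
  nsswitch_ok /etc/nsswitch.conf && echo "nsswitch: ok" || echo "nsswitch: FAIL"
  for f in /etc/pam.d/common-session /etc/pam.d/common-session-noninteractive; do
    mkhomedir_ok "$f" && echo "mkhomedir in $f: ok" || echo "mkhomedir in $f: FAIL"
  done
  echo "LDAP accounts visible to $(id -un): $(getent passwd | count_ldap_uids 20000 29999)"
}
```

Run audit_live once as root and once as an unprivileged user; the last line should show the full account count only for root.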