Revision history: revision 1 of 2011-05-10 21:13:57 (2700 bytes, comment: init), followed by a revision of 3052 bytes (comment: PAM is done).
Overview
This article describes the current setup of the user webserver hosted at [https://systemausfall.org systemausfall.org].
The following details will be discussed:
- authentication and user management via LDAP
- serving each user's webspace under a separate user ID with limited permissions (via [http://mpm-itk.sesse.net/ Apache2-mpm-itk])
- using auth on bind for LDAP authentication within [http://httpd.apache.org Apache] (necessary if you don't want to expose the list of all users)
Authentication and user management
User DB based on LDAP
The first step should be the removal of nscd; otherwise its cached lookups will get in the way while you test the setup:
aptitude remove nscd
Install the package libnss-ldap:
apt-get install libnss-ldap
Specify the source and structure of the user data in /etc/libnss-ldap.conf:
base ou=People,o=neofaxe,dc=systemausfall,dc=org
uri ldap://ldap.sao
ldap_version 3
binddn cn=authentication,dc=systemausfall,dc=org
rootbinddn cn=authentication,dc=systemausfall,dc=org
pam_filter objectclass=shellAccount
pam_min_uid 20000
pam_max_uid 29999
nss_map_objectclass posixAccount shellAccount
nss_map_objectclass shadowAccount shellAccount
nss_map_attribute uid cn
nss_map_attribute homeDirectory loginDirectory
pam_login_attribute cn
nss_default_attribute_value gidNumber 100
nss_default_attribute_value loginShell /bin/bash
You need to store the credentials of the rootbinddn (a read-only LDAP user) in the files /etc/libnss-ldap.secret and /etc/pam_ldap.conf. Don't forget to run chmod 600 /etc/libnss-ldap.secret /etc/pam_ldap.conf, since these permissions are all that keeps the bind password from other local users. This step may be omitted if you plan to expose the list of all users to everyone.
Configure the source of user information in /etc/nsswitch.conf:
passwd: compat ldap
shadow: compat ldap
Check that it works:
getent passwd
This should give you a list of all local system users and all LDAP accounts.
Try the same command again as a non-privileged user. Now you should not see any LDAP accounts, because that user cannot read libnss-ldap.secret and therefore cannot bind as the rootbinddn.
PAM setup
Starting with Debian Squeeze the default setup seems to be sufficient for logging into an LDAP-enabled system. You just need to install the libpam-ldap package:
apt-get install libpam-ldap
Automatically create home directories on login
There are two approaches regarding the creation of home directories:
- (A) poll the LDAP database regularly and create home directories for new users
- (B) create home directories on demand
We chose (B): this keeps the /home directory clean, since only the directories of actively used accounts are created.
The following line needs to be added to the end of /etc/pam.d/common-session and /etc/pam.d/common-session-noninteractive:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
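As an added example (not part of the original article), a small POSIX shell script that verifies the outcome of the steps above: the permissions of the secret files, the ldap sources in nsswitch.conf, and the pam_mkhomedir line with umask=0077. The file paths are the ones from the article; the function names and the script itself are assumptions, and stat -c requires GNU stat (as on Debian).

```shell
#!/bin/sh
# Added example, not from the original article: post-install checks for the
# libnss-ldap / pam_mkhomedir setup. Each function takes a file path so the
# checks can also be run against copies of the configuration files.

# check_secret_file FILE
# The rootbinddn password is protected only by file permissions: FILE must be
# a regular, non-empty file with mode 0600, owned by the user running the
# check (run as root, that means owned by root).
check_secret_file() {
    f="$1"
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    [ -O "$f" ] || { echo "$f: not owned by the current user"; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    [ "$mode" = "600" ] || { echo "$f: mode is $mode, expected 600"; return 1; }
    [ -s "$f" ] || { echo "$f: empty"; return 1; }
    return 0
}

# check_nsswitch FILE
# Both the passwd and the shadow database must list ldap as a source.
check_nsswitch() {
    f="$1"
    for db in passwd shadow; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|$)" "$f" \
            || { echo "$f: no ldap source for $db"; return 1; }
    done
    return 0
}

# check_mkhomedir FILE
# The pam_mkhomedir line must carry umask=0077 so that a freshly created
# home directory is not readable by the other web users on the host.
check_mkhomedir() {
    f="$1"
    grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_mkhomedir\.so.*[[:space:]]umask=0077([[:space:]]|$)' "$f" \
        || { echo "$f: pam_mkhomedir line with umask=0077 not found"; return 1; }
    return 0
}

# Run every check against the paths used in the article; returns 1 on any failure.
run_all_checks() {
    rc=0
    check_secret_file /etc/libnss-ldap.secret || rc=1
    check_secret_file /etc/pam_ldap.conf || rc=1
    check_nsswitch /etc/nsswitch.conf || rc=1
    for pam in /etc/pam.d/common-session /etc/pam.d/common-session-noninteractive; do
        check_mkhomedir "$pam" || rc=1
    done
    return $rc
}

# Usage on the live system (as root): sh ldap-checks.sh run
if [ "${1:-}" = "run" ]; then run_all_checks; fi
```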