Differences between revisions 2 and 3
Revision 2 of 2011-05-11 02:30:00
Size: 3052
Author: anonym
Comment: PAM is done
Revision 3 of 2011-05-11 09:03:36
Size: 3047
Author: anonym
Comment: typos
Line 53: "Check if the it works:" was changed to "Check if it works:"
Line 69: "regualarly" was corrected to "regularly" in item (A) of the home directory section


Overview

This article describes the current setup of the user webserver hosted at [https://systemausfall.org systemausfall.org].

The following details will be discussed:

  • authentication and user management via LDAP
  • serving each user's webspace under a separate user ID with limited permissions (via [http://mpm-itk.sesse.net/ Apache2-mpm-itk])
  • using auth on bind for LDAP authentication within [http://httpd.apache.org Apache] (necessary if you don't want to expose the list of all users)


Authentication and user management

User DB based on LDAP

The first step is to remove nscd; otherwise its caching of NSS lookups will hide the effect of the configuration changes below and make debugging confusing:

aptitude remove nscd

Install the package libnss-ldap:

apt-get install libnss-ldap

Specify the source and structure of the user data in /etc/libnss-ldap.conf:

base ou=People,o=neofaxe,dc=systemausfall,dc=org
uri ldap://ldap.sao
ldap_version 3
binddn cn=authentication,dc=systemausfall,dc=org
rootbinddn cn=authentication,dc=systemausfall,dc=org
pam_filter objectclass=shellAccount
pam_min_uid 20000
pam_max_uid 29999
nss_map_objectclass posixAccount shellAccount
nss_map_objectclass shadowAccount shellAccount
nss_map_attribute uid cn
nss_map_attribute homeDirectory loginDirectory
pam_login_attribute cn
nss_default_attribute_value gidNumber 100 
nss_default_attribute_value loginShell /bin/bash 

Store the password of the rootbinddn (a read-only LDAP user) in /etc/libnss-ldap.secret and in /etc/pam_ldap.conf, and run chmod 600 /etc/libnss-ldap.secret /etc/pam_ldap.conf so that only root can read it. This step may be omitted if you are willing to expose the list of all users to everyone (in that case libnss-ldap can bind anonymously and no secret is needed).

Configure the source of user information in /etc/nsswitch.conf:

passwd:         compat ldap
shadow:         compat ldap

Check if it works:

getent passwd

This should give you a list of all local system users and all LDAP accounts.

Run the same command again as a non-privileged user. Now you should not see any LDAP accounts: the non-privileged process cannot read libnss-ldap.secret and therefore cannot bind as the rootbinddn.
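The uid window and the visibility rules above are worth checking against real data. The script below is an added example, not part of the original page: it audits passwd-format entries, as getent passwd prints them, for LDAP accounts that fall outside the pam_min_uid/pam_max_uid window or that collide by name or uid with a local account. The two fixtures are constructed, and the function name and the RANGE/NAME/UID tags are my own. The reason for the range check: pam_min_uid and pam_max_uid are enforced by pam_ldap at authentication time, whereas libnss-ldap resolves every entry that matches the filter, so an out-of-range or colliding entry still shows up in name lookups and should be corrected in the directory.

```shell
#!/bin/sh
# Added example (not from the original page): audit passwd-format entries,
# as printed by "getent passwd", for LDAP accounts that fall outside the
# pam_min_uid/pam_max_uid window configured above or that collide with a
# local account by name or by uid.

PAM_MIN_UID=20000   # same window as pam_min_uid/pam_max_uid above
PAM_MAX_UID=29999

# Constructed fixture standing in for /etc/passwd (the "compat" source).
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Constructed fixture standing in for what libnss-ldap returns. Only
# "carol" is clean: "dave" reuses a local uid, "alice" shadows a local
# name, "sysadm" claims uid 0.
LDAP_PASSWD='carol:x:20001:100:Carol:/home/carol:/bin/bash
dave:x:1000:100:Dave:/home/dave:/bin/bash
alice:x:20002:100:Alice (LDAP):/home/alice:/bin/bash
sysadm:x:0:0:Not root:/home/sysadm:/bin/bash'

# audit_ldap_accounts LOCAL_ENTRIES LDAP_ENTRIES
# Prints one finding per line (RANGE / NAME / UID) and returns 1 if any
# finding was made, 0 if the LDAP entries are clean.
audit_ldap_accounts() {
    {
        printf '%s\n' "$1" | sed 's/^/local:/'
        printf '%s\n' "$2" | sed 's/^/ldap:/'
    } | awk -F: -v min="$PAM_MIN_UID" -v max="$PAM_MAX_UID" '
        BEGIN { rc = 0 }
        NF < 4 { next }                       # skip blank lines
        $1 == "local" { lname[$2] = $4; luid[$4] = $2; next }
        $1 == "ldap" {
            name = $2; uid = $4 + 0; hit = 0
            if (uid < min || uid > max) {
                printf "RANGE %s uid %d outside %d-%d\n", name, uid, min, max; hit = 1
            }
            if (name in lname) {
                printf "NAME  %s shadows local account (uid %s)\n", name, lname[name]; hit = 1
            }
            if (uid in luid) {
                printf "UID   %s reuses uid %d of local account %s\n", name, uid, luid[uid]; hit = 1
            }
            if (hit) rc = 1
        }
        END { exit rc }'
}

# Stand-alone run over the constructed fixtures. On a real host, as root,
# split the output of "getent passwd" into the two sets instead.
audit_ldap_accounts "$LOCAL_PASSWD" "$LDAP_PASSWD" \
    || echo "LDAP entries above need fixing in the directory"
```

To confirm that the directory itself does not allow anonymous enumeration (the point of binding as a dedicated read-only user), run `ldapsearch -x -H ldap://ldap.sao -b 'ou=People,o=neofaxe,dc=systemausfall,dc=org' '(objectclass=shellAccount)' cn` from a non-privileged account, assuming the server address from the configuration above; it should return no entries.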

PAM setup

Starting with Debian Squeeze the default PAM configuration is sufficient for logging into an LDAP-enabled system; you only need to install the libpam-ldap package:

apt-get install libpam-ldap

Automatically create home directories on login

There are two approaches to creating home directories:

  • (A) poll the LDAP database regularly and create home directories for new users
  • (B) create home directories on demand, at first login

We chose (B): it keeps /home clean, since only the directories of users who actually log in are created.

Add the following line to the end of /etc/pam.d/common-session and /etc/pam.d/common-session-noninteractive:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
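With umask=0077 the module creates each home directory as 0700, which matters on this host because every user's webspace runs under its own uid via mpm-itk and a world-readable home would let any other site read that user's files. The script below is an added example, not part of the original page or of pam_mkhomedir: it audits a home root for directories that are not 0700, and imitates what the module does (directory plus skeleton copy under that umask) with a constructed stand-in so the check can be exercised on temporary fixtures. It assumes GNU stat as found on Debian; the function names and fixtures are my own.

```shell
#!/bin/sh
# Added example (not from the original page): verify that home directories
# end up private, as pam_mkhomedir with umask=0077 should leave them, and
# flag any under the home root that are group- or world-accessible.
# Uses GNU stat (Debian); the mktemp fixtures below are constructed.

# audit_home_dirs HOMEROOT
# Prints one line per top-level directory whose mode is not 0700 and
# returns 1 if any was found, 0 if all are private.
audit_home_dirs() {
    rc=0
    for d in "$1"/*/; do
        [ -d "$d" ] || continue          # no match: the glob stays literal
        d=${d%/}
        mode=$(stat -c '%a' "$d")
        case $mode in
            700) ;;
            *) printf '%s: mode %s, expected 700\n' "$d" "$mode"; rc=1 ;;
        esac
    done
    return $rc
}

# make_home_like_pam HOMEROOT USER SKELDIR
# Simplified stand-in for what pam_mkhomedir does with skel=... umask=0077:
# create the directory and copy the skeleton with that umask in effect.
# This is an imitation for the demonstration, not the module's own code
# (the real module also chowns the result to the user, which needs root).
make_home_like_pam() {
    ( umask 0077 && mkdir "$1/$2" && cp -r "$3"/. "$1/$2"/ )
}

# Stand-alone demonstration on constructed fixtures.
home_root=$(mktemp -d)
skel=$(mktemp -d)
printf 'umask 077\n' > "$skel/.profile"
make_home_like_pam "$home_root" carol "$skel"   # 0700, as PAM would create it
mkdir -m 755 "$home_root/leaky"                 # created by hand, world-readable
audit_home_dirs "$home_root" || echo "run chmod 700 on the directories listed"
rm -rf "$home_root" "$skel"
```

On the real host, run audit_home_dirs /home as root after the first few users have logged in; anything it lists was created outside the PAM session path (by hand, or by an approach (A) style script) and needs its permissions fixed.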

Webserver4Users (last modified 2017-03-31 19:49:12 by anonym)


This page is licensed under a Creative Commons Attribution-ShareAlike 2.5 License.