Overview
This article describes the current setup of the user webserver hosted at systemausfall.org.
The following details will be discussed:
- authentication and user management via LDAP
  - serving each user's webspace under a separate user ID with limited permissions (via Apache2-mpm-itk)
  - using auth on bind for LDAP authentication within Apache (necessary if you don't want to expose the list of all users)
- configuring the LDAP server for minimal exposure towards the user webserver
Authentication and user management
User DB based on LDAP
The first step should be the removal of nscd - otherwise its lookup cache will hide the effect of every configuration change while you are testing:
aptitude remove nscd
Install the package libnss-ldap:
apt-get install libnss-ldap
Specify the source and structure of the user data in /etc/libnss-ldap.conf:
base ou=People,o=neofaxe,dc=systemausfall,dc=org
uri ldap://ldap.sao
ldap_version 3
binddn cn=authentication,dc=systemausfall,dc=org
rootbinddn cn=authentication,dc=systemausfall,dc=org
pam_filter objectclass=shellAccount
pam_min_uid 20000
pam_max_uid 29999
nss_map_objectclass posixAccount shellAccount
nss_map_objectclass shadowAccount shellAccount
nss_map_attribute uid cn
nss_map_attribute homeDirectory loginDirectory
pam_login_attribute cn
nss_default_attribute_value gidNumber 100
nss_default_attribute_value loginShell /bin/bash
The password of the rootbinddn (a read-only LDAP user) must be stored in /etc/libnss-ldap.secret and in /etc/pam_ldap.conf. Don't forget to run chmod 600 /etc/libnss-ldap.secret /etc/pam_ldap.conf, since it is the restrictive mode of these files that keeps unprivileged local users from enumerating the LDAP accounts. This step may be omitted if you plan to expose the list of all users to everyone.
Configure the source of user information in /etc/nsswitch.conf:
passwd: compat ldap
shadow: compat ldap
Check if it works:
getent passwd
This should give you a list of all local system users and all LDAP accounts.
Try the same command as a non-privileged user again. Now you should not see any LDAP accounts (due to the permissions of libnss-ldap.secret).
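The following script is an added example and not part of the original article: it turns the two manual checks above (accounts visible to root, hidden from an unprivileged user; secret files mode 0600; nsswitch.conf consulting ldap) into small shell functions. The UID bounds 20000/29999 are taken from the pam_min_uid/pam_max_uid values in the /etc/libnss-ldap.conf shown above; the embedded passwd lines are constructed stand-ins for getent output, not real accounts.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for the
# libnss-ldap setup described above.

PAM_MIN_UID=20000   # assumed to match pam_min_uid in /etc/libnss-ldap.conf
PAM_MAX_UID=29999   # assumed to match pam_max_uid in /etc/libnss-ldap.conf

# Constructed stand-in for `getent passwd` as seen by root:
# two local accounts plus two LDAP accounts in the managed UID range.
SAMPLE_PASSWD_ROOT='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:20001:100:alice:/home/alice:/bin/bash
bob:x:20002:100:bob:/home/bob:/bin/bash'

# Constructed stand-in for the same query from an unprivileged shell:
# with libnss-ldap.secret unreadable, the LDAP entries are absent.
SAMPLE_PASSWD_USER='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

# count_ldap_accounts: read passwd lines on stdin and print how many
# have a UID inside [PAM_MIN_UID, PAM_MAX_UID].
count_ldap_accounts() {
    awk -F: -v lo="$PAM_MIN_UID" -v hi="$PAM_MAX_UID" \
        '$3 >= lo && $3 <= hi { n++ } END { print n + 0 }'
}

# check_secret_perms FILE: succeed only if FILE is a regular file whose
# mode is exactly 0600 (-rw-------), as required for the bind credentials.
check_secret_perms() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# check_nsswitch FILE: succeed only if both the passwd and the shadow
# database in FILE consult ldap after compat.
check_nsswitch() {
    grep -Eq '^passwd:[[:space:]]+compat[[:space:]]+ldap' "$1" &&
    grep -Eq '^shadow:[[:space:]]+compat[[:space:]]+ldap' "$1"
}

# verify_exposure ROOT_COUNT USER_COUNT: the intended state is that root
# sees LDAP accounts while an unprivileged user sees none of them.
verify_exposure() {
    [ "$1" -gt 0 ] && [ "$2" -eq 0 ]
}

# Run the comparison against the constructed samples. On a live host,
# feed `getent passwd` run as root and as an unprivileged user instead.
root_n=$(printf '%s\n' "$SAMPLE_PASSWD_ROOT" | count_ldap_accounts)
user_n=$(printf '%s\n' "$SAMPLE_PASSWD_USER" | count_ldap_accounts)
if verify_exposure "$root_n" "$user_n"; then
    echo "ok: root sees $root_n LDAP account(s), unprivileged user sees $user_n"
else
    echo "warning: LDAP account list is exposed, or LDAP lookups fail for root too"
fi
```

The permission check deliberately compares the full mode string rather than only testing readability, so a file that is 0640 with a group of root is still reported, which matches the stricter chmod 600 the article asks for.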
PAM setup
Starting with Debian Squeeze the default PAM configuration is sufficient for logging into an LDAP-enabled system. You just need to install the libpam-ldap package:
apt-get install libpam-ldap
Automatically create home directories on login
There are two approaches to the creation of home directories:
- (A) poll the LDAP database regularly and create home directories for new users
- (B) create home directories on demand, at the user's first login
We decided on (B) - this keeps the /home directory clean, since only directories of actively used accounts are created.
The following line needs to be added to the end of /etc/pam.d/common-session and /etc/pam.d/common-session-noninteractive:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077