This article describes the current setup of the user webserver hosted at [[https://systemausfall.org|systemausfall.org]]. The following details will be discussed:
 * authentication and user management via LDAP
 * serving each user's webspace under a separate user ID with limited permissions (via [[http://mpm-itk.sesse.net/|Apache2-mpm-itk]])
 * using ''auth on bind'' for LDAP authentication within [[http://httpd.apache.org|Apache]] (necessary if you don't want to expose the list of all users)
 * configuring the LDAP server for minimal exposure towards the user webserver

= Authentication and user management =

== User DB based on LDAP ==

The first step should be the removal of {{{nscd}}} - otherwise you will have fun with caching:
{{{
aptitude remove nscd
}}}
Install the package {{{libnss-ldap}}}:
{{{
apt-get install libnss-ldap
}}}
Specify the source and structure of the user data in {{{/etc/libnss-ldap.conf}}}:
{{{
base ou=People,o=neofaxe,dc=systemausfall,dc=org
uri ldap://ldap.sao
ldap_version 3
binddn cn=authentication,dc=systemausfall,dc=org
rootbinddn cn=authentication,dc=systemausfall,dc=org
pam_filter objectclass=shellAccount
pam_min_uid 20000
pam_max_uid 29999
nss_map_objectclass posixAccount shellAccount
nss_map_objectclass shadowAccount shellAccount
nss_map_attribute uid cn
nss_map_attribute homeDirectory loginDirectory
pam_login_attribute cn
nss_default_attribute_value gidNumber 100
nss_default_attribute_value loginShell /bin/bash
}}}
You need to store the credentials of the ''rootbinddn'' (a read-only LDAP user) in the files {{{/etc/libnss-ldap.secret}}} and {{{/etc/pam_ldap.conf}}}. Don't forget to run {{{chmod 600 /etc/libnss-ldap.secret /etc/pam_ldap.conf}}}: the permissions of the secret are what keep unprivileged local users from enumerating the LDAP accounts. This step may be omitted if you plan to expose the list of all users to everyone.
Configure the source of user information in {{{/etc/nsswitch.conf}}}:
{{{
passwd: compat ldap
shadow: compat ldap
}}}
Check if it works:
{{{
getent passwd
}}}
This should give you a list of all local system users and all LDAP accounts. Try the same command again as a non-privileged user. Now you should not see any LDAP accounts: without read access to ''libnss-ldap.secret'' the lookup cannot bind as the ''rootbinddn'', so only the local accounts are returned.

== PAM setup ==

Starting with Debian ''Squeeze'' the default setup seems to be sufficient for logging into an LDAP enabled system. You just need to install the {{{libpam-ldap}}} package:
{{{
apt-get install libpam-ldap
}}}

== Automatically create home directories on login ==

There are two approaches regarding the creation of home directories:
 * (A) poll the LDAP database regularly and create home directories for new users
 * (B) create home directories on demand
We decided on (B) - this keeps the {{{/home}}} directory clean, since only the directories of actively used accounts are created. The following line needs to be added to the end of {{{/etc/pam.d/common-session}}} and {{{/etc/pam.d/common-session-noninteractive}}}:
{{{
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
}}}
The {{{umask=0077}}} gives every newly created home directory mode 0700, so one user's webspace is not readable by the other accounts on the host.
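The checks described above (secret file permissions, nsswitch order, and the root-versus-unprivileged {{{getent passwd}}} comparison) can be scripted. The following is an added example, not part of the original page or of the systemausfall.org setup; it assumes the file names and the {{{pam_min_uid}}}/{{{pam_max_uid}}} range from the configuration above, a POSIX shell with {{{awk}}}, {{{ls}}} and {{{getent}}}, and that {{{check_system}}} is run as root on the webserver itself. The constructed {{{passwd}}}-style lines in the comments illustrate the expected result.

```shell
#!/bin/sh
# Sanity checks for the libnss-ldap setup. Added example, not the page's own
# code. Assumed: /etc/libnss-ldap.secret and /etc/pam_ldap.conf hold the
# rootbinddn credentials, LDAP uids lie in 20000..29999 (pam_min_uid/pam_max_uid).

# Count passwd(5) lines on stdin whose uid lies in the LDAP range MIN..MAX.
# Constructed input "alice:x:20001:100::/home/alice:/bin/bash" counts, a local
# "www-data:x:33:..." line does not.
count_ldap_accounts() {
    awk -F: -v min="$1" -v max="$2" \
        '$3 >= min && $3 <= max { n++ } END { print n + 0 }'
}

# Return 0 if FILE is readable and writable only by its owner (-rw-------),
# i.e. what "chmod 600" on the bind credentials must produce.
is_owner_only() {
    perm=$(ls -ld "$1" 2>/dev/null | cut -c2-10)
    [ "$perm" = "rw-------" ]
}

# Return 0 if nsswitch.conf-style text on stdin consults "ldap" for both the
# passwd and the shadow database, as configured above.
nsswitch_has_ldap() {
    awk '$1 == "passwd:" || $1 == "shadow:" {
             for (i = 2; i <= NF; i++) if ($i == "ldap") seen[$1] = 1
         }
         END { exit !(seen["passwd:"] && seen["shadow:"]) }'
}

# Run all checks against the live system. Only meaningful as root on the
# webserver: root must see LDAP accounts, the "nobody" user must see none.
check_system() {
    min=20000; max=29999
    for f in /etc/libnss-ldap.secret /etc/pam_ldap.conf; do
        is_owner_only "$f" || { echo "FAIL: $f is not mode 600"; return 1; }
    done
    nsswitch_has_ldap < /etc/nsswitch.conf \
        || { echo "FAIL: /etc/nsswitch.conf does not consult ldap"; return 1; }
    as_root=$(getent passwd | count_ldap_accounts "$min" "$max")
    as_nobody=$(su -s /bin/sh nobody -c 'getent passwd' | count_ldap_accounts "$min" "$max")
    echo "LDAP accounts visible to root: $as_root, to nobody: $as_nobody"
    [ "$as_root" -gt 0 ] && [ "$as_nobody" -eq 0 ]
}
```

Call {{{check_system}}} after the packages are configured; a non-zero exit means either the credentials are world-readable or the directory is being enumerated by an unprivileged local user, which is exactly the exposure the {{{chmod 600}}} step is meant to prevent.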