
This page contains information regarding user authentication on machines of the lab.

LDAP Authentication on Debian

The whole process has been scripted with Ansible and can be run with the ldap.yml playbook.

Install CACert root certificate

As stated on the CACert wiki, Debian no longer ships the CACert root certificates in the ca-certificates package, so they have to be installed by hand. The download below is plain HTTP, so nothing but the fingerprint comparison authenticates the files: compare the printed fingerprints against the values published out of band (on the CACert wiki) and stop if they differ.

# wget http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt
# openssl x509 -noout -sha256 -fingerprint -in root.crt
# openssl x509 -noout -sha256 -fingerprint -in class3.crt
VERIFY FINGERPRINTS BEFORE CONTINUING
# mv root.crt /usr/local/share/ca-certificates/cacert-root.crt
# mv class3.crt /usr/local/share/ca-certificates/cacert-class3.crt
# update-ca-certificates
update-ca-certificates only picks up files with a .crt suffix in /usr/local/share/ca-certificates and publishes each one as /etc/ssl/certs/<name>.pem, which is the path nslcd.conf below points at.
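The fingerprint step above is the only thing standing between a plain-HTTP download and the system trust store, so it should fail closed rather than rely on an admin eyeballing two hex strings. The following is an added example written for this page (not the lab's Ansible code and not CACert tooling) that computes the same SHA-256 fingerprint openssl prints, compares it in constant time against a value copied out of band, and only then places the file where update-ca-certificates will find it. The sample PEM at the bottom is constructed from arbitrary bytes and is not a real certificate; the destination directory and the pinned fingerprint are parameters the caller supplies.

```python
"""Pinned install of a downloaded CA certificate (constructed example).

Refuses to copy the file under the ca-certificates directory unless its
SHA-256 fingerprint equals a value obtained out of band (for instance
from the CACert wiki). update-ca-certificates is still run by hand.
"""
import base64
import hashlib
import hmac
import os
import re
from pathlib import Path

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: bytes) -> bytes:
    """Return the DER bytes of the first certificate block in a PEM file."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode(b"".join(m.group(1).split()))


def fingerprint_sha256(der: bytes) -> str:
    """Same format as the value after '=' in
    `openssl x509 -noout -sha256 -fingerprint`: colon-separated upper-case hex."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def fingerprint_matches(pem: bytes, expected: str) -> bool:
    """Constant-time, case-insensitive comparison; colons are optional so a
    value pasted from a wiki page in either style is accepted."""
    def norm(s: str) -> str:
        return s.replace(":", "").upper()
    return hmac.compare_digest(norm(fingerprint_sha256(pem_to_der(pem))),
                               norm(expected))


def install_if_pinned(src: Path, expected: str, name: str,
                      dest_dir: Path = Path("/usr/local/share/ca-certificates")) -> Path:
    """Copy src to dest_dir/<name>.crt only when the fingerprint is the pinned one.
    The .crt suffix is what update-ca-certificates looks for; it will then expose
    the certificate as /etc/ssl/certs/<name>.pem for nslcd's tls_cacertfile."""
    pem = src.read_bytes()
    if not fingerprint_matches(pem, expected):
        raise SystemExit(f"fingerprint mismatch for {src}: got "
                         f"{fingerprint_sha256(pem_to_der(pem))}, refusing to install")
    dest = dest_dir / f"{name}.crt"
    dest.write_bytes(pem)
    os.chmod(dest, 0o644)
    return dest


# Constructed sample: these bytes are NOT a certificate, they only stand in for
# DER so the PEM parsing and hashing path can be exercised offline.
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("sample fingerprint:", fingerprint_sha256(SAMPLE_DER))
```

In use, the pinned value would be the fingerprint published on the CACert wiki, passed as `expected`, and `install_if_pinned(Path("root.crt"), expected, "cacert-root")` replaces the mv step; the hash is over the DER bytes, so it matches what openssl prints for the same file.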

Base setup

# apt-get install nslcd libpam-ldapd libnss-ldapd
  • /etc/nslcd.conf (it holds bindpw, so leave it as the package installs it: owned root:nslcd, mode 0640):
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://ldap.tolabaki.gr:636/

# The search base that will be used for all queries.
base dc=tolabaki,dc=gr

# The DN to bind with for normal lookups.
binddn cn=agent,dc=tolabaki,dc=gr
bindpw <secret>

# SSL options
# demand: refuse the connection unless the server certificate validates
# against the CA file below (the one published by update-ca-certificates)
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/cacert-root.pem
  • /etc/nsswitch.conf (after restarting nslcd, getent passwd <ldap-user> should return the LDAP entry):
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Create and mount users' home directories

Create home directories on first login

The pam_mkhomedir module creates a missing home directory on the client the first time an LDAP user logs in. Since Debian jessie it is loaded automatically when libpam-modules is installed; to confirm, check that /etc/pam.d/common-session contains a pam_mkhomedir.so line (grep mkhomedir /etc/pam.d/common-session). Later on these directories are going to be the mountpoints for the real NFS home directories.

Make NFS play nicely with LDAP

If the machine mounts NFSv4 exports from a server, you also need an id mapping that agrees with the server's. NFSv4 sends file owners as user@domain names rather than numeric ids, so the Domain below must match the one configured on the server, and both sides must resolve the same names to the same accounts, here through NSS and therefore through LDAP (Method = nsswitch). If either side disagrees, the mounted files show up as nobody:nogroup.

  • /etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
# set your own domain here if it differs from the FQDN minus the hostname
Domain = tolabaki.gr

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = nsswitch

Set up the directories to be mounted

TODO

User Access Control for servers

  • Disallow login for 'user' (required on all machines except the LTSP fat client):
commit 97f187e46ee97bb1419ccfb3da7bb00ff0850675
Author: gkiagia <gkiagia@idea.tolabaki.gr>
Date:   Tue Oct 9 22:02:33 2012 +0300

    Disallow login for 'user'

diff --git a/pam.d/login b/pam.d/login
index 1c8af15..069f5c7 100644
--- a/pam.d/login
+++ b/pam.d/login
@@ -70,7 +70,7 @@ auth       optional   pam_group.so
 # Uncomment and edit /etc/security/access.conf if you need to
 # set access limits.
 # (Replaces /etc/login.access file)
-# account  required       pam_access.so
+account  required       pam_access.so
 
 # Sets up user limits according to /etc/security/limits.conf
 # (Replaces the use of /etc/limits in old login)
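Review bot: enabling pam_access only in the login service (and in sshd in the next hunk) leaves every other PAM service on the machine unaware of access.conf, so 'user' can still get in through a display manager, su, cron or any service installed later. Putting `account  required       pam_access.so` into /etc/pam.d/common-account instead would apply the rule to all of them; if the per-service placement is deliberate, the commit message should list which entry points are covered.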
diff --git a/pam.d/sshd b/pam.d/sshd
index c108cdf..30f5b8e 100644
--- a/pam.d/sshd
+++ b/pam.d/sshd
@@ -15,7 +15,7 @@ account    required     pam_nologin.so
 
 # Uncomment and edit /etc/security/access.conf if you need to set complex
 # access limits that are hard to express in sshd_config.
-# account  required     pam_access.so
+account  required     pam_access.so
 
 # Standard Un*x authorization.
 @include common-account
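Review bot: the placement before `@include common-account` is fine, but this line only runs when sshd_config has `UsePAM yes`; with `UsePAM no` the account stack is never consulted and the deny rule is silently bypassed. Worth confirming in this commit, or pairing it with `DenyUsers user` in sshd_config so the restriction does not depend on PAM being enabled.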
diff --git a/security/access.conf b/security/access.conf
index 74c5fbe..29347ed 100644
--- a/security/access.conf
+++ b/security/access.conf
@@ -1,3 +1,6 @@
+- : user : ALL
+
+
 # Login access control table.
 #
 # Comment line must start with "#", no space at front.
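Review bot: `- : user : ALL` at the top is evaluated first, which is correct, but without the `nodefgroup` option on the pam_access lines a bare token is also compared against the group database, so any group named `user` would lock out all of its members too; either add `nodefgroup` to the pam_access lines (writing groups as `(group)` where intended) or confirm no such group exists. The two blank lines added after the rule are stray.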

A smarter rule for the servers is:

- : ALL EXCEPT ladmin (sudo) : ALL

Rules are evaluated first match wins, and a login that matches no rule is permitted, so this single line denies everyone except ladmin and the members of the sudo group (the admins, see the Sudoers section below); the parentheses mark sudo as a group name, and the final ALL covers the local console as well as every remote host. Note that root is not in the EXCEPT list, so root is locked out as well, including on the console; add root to the list if that is not intended.
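Because access.conf is evaluated first match wins and mistakes only surface at the next login, it pays to dry-run a rule set against the accounts that matter before installing it. The following is an added example written for this page, not pam_access itself and not the lab's code: a small evaluator that models the module's rule semantics (ALL, EXCEPT, (group) tokens, bare tokens also tried as group names unless nodefgroup is set, permit when nothing matches) and runs both rule sets from this page over a constructed set of logins. The group database and the login names other than ladmin and user are assumptions made up for the demonstration.

```python
"""Dry-run evaluator for /etc/security/access.conf rules.

Constructed example for this page, not pam_access itself: it models the
module's first-match evaluation of '+'/'-' rules with the ALL, EXCEPT and
(group) tokens so a rule set can be checked against a set of logins before
it is installed on a server and locks someone out.
"""
from typing import Callable, Dict, List, Tuple

Rule = Tuple[str, List[str], List[str]]   # (permission, user tokens, origin tokens)

# Constructed group database standing in for /etc/group plus the groups that
# `group: compat ldap` in nsswitch.conf returns from LDAP.
GROUPS: Dict[str, List[str]] = {
    "sudo": ["ladmin", "gkiagia"],
    "user": ["student"],      # a *group* named 'user', to show the bare-token pitfall
}


def parse_access_conf(text: str) -> List[Rule]:
    """Parse 'perm : users : origins' lines; comments and blanks are skipped.
    (Origins containing ':' such as IPv6 addresses are not handled here.)"""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules


def _list_matches(tokens: List[str], matches: Callable[[str], bool]) -> bool:
    """'a b EXCEPT c d': the item must match something before EXCEPT and
    nothing after it."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, []
    return any(matches(t) for t in head) and not any(matches(t) for t in tail)


def _user_matches(token: str, user: str, groups: Dict[str, List[str]],
                  nodefgroup: bool) -> bool:
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):       # explicit group
        return user in groups.get(token[1:-1], [])
    if token == user:
        return True
    # Backwards-compatible default of pam_access: a bare token that is not the
    # login name is also tried as a group name, unless nodefgroup is set.
    return not nodefgroup and user in groups.get(token, [])


def _origin_matches(token: str, origin: str) -> bool:
    if token == "ALL":
        return True
    if token == "LOCAL":          # classic semantics: any origin without a '.'
        return "." not in origin  # (a tty name rather than a remote hostname)
    return token == origin


def access_allowed(rules: List[Rule], user: str, origin: str,
                   groups: Dict[str, List[str]] = GROUPS,
                   nodefgroup: bool = False) -> bool:
    """First matching rule decides; like pam_access, no match means permit."""
    for perm, users, origins in rules:
        if (_list_matches(users, lambda t: _user_matches(t, user, groups, nodefgroup))
                and _list_matches(origins, lambda t: _origin_matches(t, origin))):
            return perm == "+"
    return True


def report(text: str, logins: List[str], origin: str = "tty1",
           nodefgroup: bool = False) -> Dict[str, bool]:
    """Which of the given logins a rule set lets in from `origin`."""
    rules = parse_access_conf(text)
    return {u: access_allowed(rules, u, origin, nodefgroup=nodefgroup) for u in logins}


# The two rule sets discussed on this page.
COMMIT_RULE = "- : user : ALL\n"
SERVER_RULE = "- : ALL EXCEPT ladmin (sudo) : ALL\n"

if __name__ == "__main__":
    for name, conf in (("commit", COMMIT_RULE), ("server", SERVER_RULE)):
        print(name, report(conf, ["user", "student", "ladmin", "gkiagia", "root"]))
```

Running it shows the two points made above: under the server rule root is denied along with student, because root is neither ladmin nor in sudo, and under the commit rule the constructed group named user drags student down with it unless nodefgroup is in effect. A rule such as "- : ALL : ALL EXCEPT LOCAL" can be checked the same way to confirm it still admits console logins.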

Sudoers

To make a user an admin, add the account to the local sudo group (gpasswd -a <name> sudo, or usermod -aG sudo <name>) rather than editing /etc/group by hand. Because group lookups go through compat first, membership kept in the local file applies to LDAP users as well; id <name> should then list sudo.

In the future we may reconsider this policy...