This page contains information regarding user authentication on the lab's machines.
LDAP Authentication on Debian
The whole process has been scripted using Ansible and can be run using the ldap.yml playbook.
Install CACert root certificate
As stated on the CACert wiki, Debian no longer distributes CACert root certificates as part of Debian packages. To install the root certificate:
# wget http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt
# openssl x509 -in root.crt -fingerprint | head -n1
# openssl x509 -in class3.crt -fingerprint | head -n1

VERIFY FINGERPRINTS BEFORE CONTINUING (https://www.cacert.org/index.php?id=3)

# mv root.crt /usr/local/share/ca-certificates/cacert-root.crt
# mv class3.crt /usr/local/share/ca-certificates/cacert-class3.crt
# update-ca-certificates
# apt-get install nslcd libpam-ldapd libnss-ldapd
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://ldap.tolabaki.gr:636/

# The search base that will be used for all queries.
base dc=tolabaki,dc=gr

# The DN to bind with for normal lookups.
binddn cn=agent,dc=tolabaki,dc=gr
bindpw <secret>

# SSL options
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/cacert-root.pem
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
Create and mount users' home directories
Create home directories on first login
The pam_mkhomedir module is responsible for creating non-existent home directories on the client for each LDAP user upon initial login. Since Debian jessie, if libpam-modules is installed, it is automatically loaded on the machine. Later on, these user directories are going to be mountpoints for the real NFS directories.
Make NFS play nicely with LDAP
If the machine is using NFSv4 to share directories with a server, you need the following in /etc/idmapd.conf (so that NFSv4 owner names are mapped to uids through nsswitch, and therefore through LDAP):

[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
# set your own domain here, if id differs from FQDN minus hostname
Domain = tolabaki.gr

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = nsswitch
Set up the directories to be mounted
User Access Control for servers
- Disallow login for 'user' (required for all machines except the LTSP fat client):
commit 97f187e46ee97bb1419ccfb3da7bb00ff0850675 Author: gkiagia <email@example.com> Date: Tue Oct 9 22:02:33 2012 +0300 Disallow login for 'user' diff --git a/pam.d/login b/pam.d/login index 1c8af15..069f5c7 100644 --- a/pam.d/login +++ b/pam.d/login @@ -70,7 +70,7 @@ auth optional pam_group.so # Uncomment and edit /etc/security/access.conf if you need to # set access limits. # (Replaces /etc/login.access file) -# account required pam_access.so +account required pam_access.so # Sets up user limits according to /etc/security/limits.conf # (Replaces the use of /etc/limits in old login) diff --git a/pam.d/sshd b/pam.d/sshd index c108cdf..30f5b8e 100644 --- a/pam.d/sshd +++ b/pam.d/sshd @@ -15,7 +15,7 @@ account required pam_nologin.so # Uncomment and edit /etc/security/access.conf if you need to set complex # access limits that are hard to express in sshd_config. -# account required pam_access.so +account required pam_access.so # Standard Un*x authorization. @include common-account diff --git a/security/access.conf b/security/access.conf index 74c5fbe..29347ed 100644 --- a/security/access.conf +++ b/security/access.conf @@ -1,3 +1,6 @@ +- : user : ALL + + # Login access control table. # # Comment line must start with "#", no space at front.
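Review bot: In the pam.d/sshd hunk, enabling "account required pam_access.so" only takes effect when sshd_config has "UsePAM yes"; otherwise sshd never consults the PAM account stack and the access.conf deny rule is not applied to SSH logins. Worth stating in the commit message, or asserting in the ldap.yml playbook alongside this change.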
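Review bot: In the security/access.conf hunk, the new rule "- : user : ALL" is inserted above the file's own header comment ("# Login access control table."); placing it after the header keeps the file readable for the next editor. Also, only pam.d/login and pam.d/sshd gain pam_access in this commit, so 'user' is still accepted by any other PAM service on the machine (display manager, su, cron); if those should be covered as well, consider adding pam_access to the common-account stack instead of editing services one by one.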
A smarter security line for the servers can be:
- : ALL EXCEPT ladmin (sudo) : ALL
This will allow access only to ladmin and anybody who is in the "sudo" group (i.e. the admins - see the Sudoers section below as well).
To enable a user to be an admin, simply edit /etc/group and add their username to the line starting with "sudo".
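To check what the two access.conf policies above actually permit before rolling them out, here is a small, added example (not the page's or pam_access's own code) that models pam_access(8) first-match evaluation for the subset of syntax used on this page: '+'/'-' permissions, user names, '(group)' entries, ALL and EXCEPT in the user field, and ALL as the origin. Group membership is supplied as a constructed dict standing in for /etc/group.

```python
"""Simplified model of pam_access(8) rule evaluation (added example).
Assumptions: only the access.conf subset used on this page is handled,
bare names match user names only (real pam_access also tries group and
netgroup names), and group membership comes from a dict, not /etc/group."""


def _match_users(field, user, groups):
    """True if `user` matches a rule's user field.
    Handles 'ALL', login names, '(group)', and 'list EXCEPT list'."""
    if " EXCEPT " in field:
        included, excluded = field.split(" EXCEPT ", 1)
        return (_match_users(included, user, groups)
                and not _match_users(excluded, user, groups))
    for item in field.split():
        if item == "ALL":
            return True
        if item.startswith("(") and item.endswith(")"):
            if user in groups.get(item[1:-1], ()):
                return True
        elif item == user:
            return True
    return False


def parse_rules(text):
    """Parse access.conf lines into (permission, users, origins) tuples,
    skipping blank lines and '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users, origins))
    return rules


def login_allowed(rules, user, groups, origin="ALL"):
    """First matching rule decides; with no matching rule pam_access permits."""
    for perm, users, origins in rules:
        if _match_users(users, user, groups) and (
                origins == "ALL" or origin in origins.split()):
            return perm == "+"
    return True


# The two policies discussed on this page.
COMMIT_RULES = parse_rules("- : user : ALL\n")
SERVER_RULES = parse_rules("- : ALL EXCEPT ladmin (sudo) : ALL\n")
# Constructed sample of /etc/group: only alice is in the sudo group.
GROUPS = {"sudo": {"alice"}}
```

Run login_allowed(SERVER_RULES, "bob", GROUPS) to see that an ordinary LDAP user is refused on a server, while ladmin and sudo members are not.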
In the future we may reconsider this policy...