====== LDAP client with autofs ======
==== Client on Ubuntu 16.04 ====
Before following the installation below, if there are local accounts on the client machine, they must be moved if you want to keep using them afterwards.
To do this, use the command: ''usermod -d NEWHOME -m USER''
Do not create the new home directory yourself; it is created automatically.
* Install the following packages: ''ldap-utils'' ''autofs-ldap'' ''ldap-auth-client'' ''nscd'' ''libnss-ldapd'' ''libpam-ldapd'' ''libpam-mount''
* Edit the file ''/etc/ldap/ldap.conf'':
<code>
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=i2m,dc=univ-amu,dc=fr
URI ldap://ldap.i2m.univ-amu.fr
ldap_version 3
scope sub
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password md5
nss_base_passwd ou=accounts,dc=i2m,dc=univ-amu,dc=fr
nss_base_shadow ou=accounts,dc=i2m,dc=univ-amu,dc=fr
nss_base_group ou=Groups,dc=i2m,dc=univ-amu,dc=fr
ssl start_tls
tls_reqcert allow
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/openldap/ca-certs
tls_cacertdir /etc/ssl/certs
nss_initgroups_ignoreusers avahi,backup,bin,bind,colord,daemon,fetchmail,games,gnats,irc,klog,libuuid,list,lp,mail,man,messagebus,news,nslcd,proxy,root,smmsp,smmta,sshd,statd,sync,sys,syslog,usbmux,uucp,www-data,x2gouser
</code>
* Edit the file ''/etc/default/autofs'':
<code>
#
# Init system options
#
# If the kernel supports using the autofs miscellaneous device
# and you wish to use it you must set this configuration option
# to "yes" otherwise it will not be used.
#
master_map_name="/etc/auto.master"
timeout=300
browse_mode="no"
logging="verbose"
LDAP_URI="ldap://ldap.i2m.univ-amu.fr"
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"
USE_MISC_DEVICE="yes"
#
# Use OPTIONS to add automount(8) command line options that
# will be used when the daemon is started.
#
#OPTIONS=""
#
</code>
* Edit the file ''/etc/auto.master'':
<code>
#
# Sample auto.master file
# This is a 'master' automounter map and it has the following format:
# mount-point [map-type[,format]:]map [options]
# For details of the format look at auto.master(5).
#
#/misc /etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
# "nosuid" and "nodev" options unless the "suid" and "dev"
# options are explicitly given.
#
/net -hosts
#
# Include /etc/auto.master.d/*.autofs
# The included files must conform to the format of this file.
#
#+dir:/etc/auto.master.d
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
#+auto.master
/home ldap://ldap.i2m.univ-amu.fr/ou=auto.home,dc=i2m,dc=univ-amu,dc=fr
</code>
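The ''auto.master'' comment above only promises ''nosuid'' and ''nodev'' for mounts from the ''-hosts'' map; the ''/home'' entries served from the LDAP ''ou=auto.home'' map carry whatever options each ''automountInformation'' value specifies. The following shell script is an added example, not part of the original wiki page or of autofs itself: it lints a map of ''key automountInformation'' lines (file-map syntax, the same ''-options server:/path'' form stored in LDAP) and reports home-directory mounts that do not set ''nosuid'' and ''nodev''. The sample map, its keys and the host ''nfs.example.org'' are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki page): lint automount map entries for
# NFS home mounts that lack the nosuid/nodev hardening options.
# Entry format: KEY  -opt,opt,...  server:/export/path  (the "-opt" word is optional)

# check_automount_entry KEY INFO
# INFO is an automountInformation value such as "-fstype=nfs,rw srv:/export/home/&".
# Prints one line per missing option; returns 0 if nothing is missing.
check_automount_entry() {
    key=$1
    info=$2
    opts=""
    case $info in
        -*) opts=${info%%[[:space:]]*}   # leading "-opt,opt,..." word
            opts=${opts#-} ;;
    esac
    missing=0
    for want in nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;                 # option present
            *) printf '%s: missing %s (%s)\n' "$key" "$want" "$info"
               missing=$((missing + 1)) ;;
        esac
    done
    [ "$missing" -eq 0 ]
}

# lint_automount_map FILE
# FILE holds "key info" lines; blank lines and # comments are skipped.
# Prints the findings plus a summary line; returns 0 only if every entry is clean.
lint_automount_map() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|\#*) continue ;; esac
        key=${line%%[[:space:]]*}                  # first word is the map key
        rest=${line#"$key"}
        rest=${rest#"${rest%%[![:space:]]*}"}      # strip whitespace after the key
        check_automount_entry "$key" "$rest" || bad=$((bad + 1))
    done < "$1"
    echo "$bad entries need attention"
    [ "$bad" -eq 0 ]
}

# Constructed sample map (not the page's LDAP data); hostnames are placeholders.
SAMPLE_MAP=$(mktemp)
cat > "$SAMPLE_MAP" <<'EOF'
# key   options                       location
alice   -fstype=nfs,rw,nosuid,nodev   nfs.example.org:/export/home/alice
bob     -fstype=nfs,rw                nfs.example.org:/export/home/bob
*       -fstype=nfs,rw,nodev          nfs.example.org:/export/home/&
EOF

lint_automount_map "$SAMPLE_MAP" || true
```

Run ''lint_automount_map'' over a dump of the LDAP map (one ''cn'' and ''automountInformation'' pair per line) before pointing ''/home'' at it; the wildcard ''*'' entry matters most, since it is the template every user's home inherits.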
* Edit the file ''/etc/autofs_ldap_auth.conf''
* Edit the file ''/etc/nsswitch.conf'':
<code>
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
# pre_auth-client-config # passwd: compat ldap
passwd: files ldap
# pre_auth-client-config # group: compat ldap
group: files ldap
# pre_auth-client-config # shadow: compat ldap
shadow: files ldap
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
# pre_auth-client-config # netgroup: nis
netgroup: nis
automount: files ldap
</code>
* Run the command ''auth-client-config -t nss -p lac_ldap''
* Edit the file ''/etc/nslcd.conf'':
<code>
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://ldap.i2m.univ-amu.fr
# The search base that will be used for all queries.
base dc=i2m,dc=univ-amu,dc=fr
# The LDAP protocol version to use.
ldap_version 3
# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
ssl start_tls
tls_reqcert allow
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope.
#scope sub
</code>
* Restart the nslcd and nscd services: ''service nslcd restart'' and ''service nscd restart''
* Run the command ''pam-auth-update''
* Edit the file ''/etc/pam.d/common-session'':
<code>
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_mount.so
session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
session optional pam_systemd.so
# end of pam-auth-update config
</code>
* Fetch the certificates from protis and place them in the ''/etc/ssl/certs/'' directory: ''scp -r chabrol@147.94.64.48:/home/chabrol/cert/* /etc/ssl/openldap''
* Create the directory: ''mkdir -p /etc/ssl/openldap''
* Copy the protis certificate ''/etc/ssl/openldap/ca-certs'' to the client machine (at the same location)
* Restart autofs: ''service autofs restart''
* The file ''/etc/ldap.conf'' should look like this:
<code>
###DEBCONF###
##
## Configuration of this file will be managed by debconf as long as the
## first line of the file says '###DEBCONF###'
##
## You should use dpkg-reconfigure to configure this file via debconf
##
# The distinguished name of the search base.
base dc=i2m,dc=univ-amu,dc=fr
# Another way to specify your LDAP server is to provide an
uri ldap://ldap.i2m.univ-amu.fr
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The port.
# Optional: default is 389.
#port 389
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5
# Netscape SDK LDAPS
#ssl on
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
</code>
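All three client files on this page (''/etc/ldap/ldap.conf'', ''/etc/nslcd.conf'' and ''/etc/ldap.conf'') use the same ''keyword value'' syntax, and two of them set ''tls_reqcert allow'', which tells libldap to proceed even when the server presents a certificate that does not verify: StartTLS then encrypts the session but does not authenticate the server. The following shell script is an added example, not part of the wiki page, of nslcd or of pam_ldap: it audits such a file for a plain ''ldap://'' URI without ''ssl start_tls'', a ''tls_reqcert'' or ''tls_checkpeer'' value that skips verification, and a missing CA trust anchor. Keywords are matched case-insensitively because libldap spells them ''TLS_REQCERT'' and nslcd ''tls_reqcert''. The sample files and the host ''ldap.example.org'' are constructed for the example; the first sample mirrors the page's ''tls_reqcert allow'' setting.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit an LDAP client configuration
# ("keyword value" lines, as in ldap.conf, nslcd.conf or pam_ldap's ldap.conf)
# for settings that leave binds and lookups exposed or unauthenticated.

# audit_ldap_tls FILE
# Prints one finding per line; returns 0 when nothing was flagged, 1 otherwise.
audit_ldap_tls() {
    awk '
    BEGIN { ssl = ""; reqcert = ""; checkpeer = ""; ca = 0; plain = 0; ldaps = 0 }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # skip comments and blank lines
    {
        key = tolower($1); val = tolower($2)
        if (key == "uri") {
            # "uri" may list several servers; note whether any of them is plain ldap://
            for (i = 2; i <= NF; i++) {
                if (tolower($i) ~ /^ldaps:\/\//) ldaps = 1; else plain = 1
            }
        }
        else if (key == "ssl")           ssl = val        # start_tls | on | off
        else if (key == "tls_reqcert")   reqcert = val    # libldap / nslcd keyword
        else if (key == "tls_checkpeer") checkpeer = val  # pam_ldap keyword
        else if (key == "tls_cacert" || key == "tls_cacertfile" || key == "tls_cacertdir") ca = 1
    }
    END {
        n = 0
        if (plain && ssl != "start_tls" && ssl != "on") {
            print "ldap:// URI without \"ssl start_tls\": binds and lookups travel in cleartext"; n++
        }
        if (reqcert == "never" || reqcert == "allow") {
            print "tls_reqcert " reqcert ": server certificate is not verified, so TLS does not authenticate the server"; n++
        }
        if (reqcert == "try") {
            print "tls_reqcert try: a server that presents no certificate is still accepted"; n++
        }
        if (checkpeer == "no") {
            print "tls_checkpeer no: server certificate is not verified"; n++
        }
        if ((ssl == "start_tls" || ssl == "on" || ldaps) && !ca) {
            print "no tls_cacert/tls_cacertfile/tls_cacertdir: no trust anchor configured for the server certificate"; n++
        }
        exit (n > 0)
    }' "$1"
}

# Constructed samples (not the page's files). allow.conf mirrors the page's choice.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/allow.conf" <<'EOF'
uri ldap://ldap.example.org
base dc=example,dc=org
ssl start_tls
tls_reqcert allow
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
EOF
cat > "$SAMPLES/cleartext.conf" <<'EOF'
uri ldap://ldap.example.org
base dc=example,dc=org
EOF
cat > "$SAMPLES/strict.conf" <<'EOF'
# libldap style: upper-case keywords, LDAPS, verified certificate
URI ldaps://ldap.example.org
BASE dc=example,dc=org
TLS_REQCERT demand
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
EOF

for f in allow cleartext strict; do
    echo "== $f.conf"
    audit_ldap_tls "$SAMPLES/$f.conf" && echo "no findings"
done
```

After the installation, run ''audit_ldap_tls'' on each of the three real files. To clear the ''allow'' finding while keeping the page's StartTLS setup, set ''tls_reqcert demand'' (''TLS_REQCERT demand'' in ''/etc/ldap/ldap.conf'') and point ''tls_cacertfile''/''TLS_CACERT'' at the copied ''/etc/ssl/openldap/ca-certs''; the client then refuses to bind to a server whose certificate does not chain to that CA.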