Client LDAP avec autofs

• Installation des paquets suivant : ldap-utils autofs-ldap ldap-auth-client nscd libnss-ldapd libpam-ldapd libpam-mount

• Modification du fichier /etc/ldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=i2m,dc=univ-amu,dc=fr
URI     ldap://ldap.i2m.univ-amu.fr

ldap_version 3

scope sub
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password md5

nss_base_passwd ou=accounts,dc=i2m,dc=univ-amu,dc=fr
nss_base_shadow ou=accounts,dc=i2m,dc=univ-amu,dc=fr
nss_base_group  ou=Groups,dc=i2m,dc=univ-amu,dc=fr

ssl start_tls
tls_reqcert allow

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/openldap/ca-certs
tls_cacertdir /etc/ssl/certs

nss_initgroups_ignoreusers avahi,backup,bin,bind,colord,daemon,fetchmail,games,gnats,irc,klog,libuuid,list,lp,mail,man,messagebus,news,nslcd,proxy,root,smmsp,smmta,sshd,statd,sync,sys,syslog,usbmux,uucp,www-data,x2gouser

• Modification du fichier /etc/default/autofs

#
# Init syatem options
#
# If the kernel supports using the autofs miscellanous device
# and you wish to use it you must set this configuration option
# to "yes" otherwise it will not be used.
#

master_map_name="/etc/auto.master"

timeout=300

browse_mode="no"

logging="verbose"

LDAP_URI="ldap://ldap.i2m.univ-amu.fr"

MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"

USE_MISC_DEVICE="yes"
#
# Use OPTIONS to add automount(8) command line options that
# will be used when the daemon is started.
#
#OPTIONS=""
#

• Modification du fichier /etc/auto.master

#
# Sample auto.master file
# This is a 'master' automounter map and it has the following format:
# mount-point [map-type[,format]:]map [options]
# For details of the format look at auto.master(5).
#
#/misc  /etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
#       "nosuid" and "nodev" options unless the "suid" and "dev"
#       options are explicitly given.
#
/net    -hosts
#
# Include /etc/auto.master.d/*.autofs
# The included files must conform to the format of this file.
#
#+dir:/etc/auto.master.d
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
#+auto.master
/home   ldap://ldap.i2m.univ-amu.fr/ou=auto.home,dc=i2m,dc=univ-amu,dc=fr

• Modification du fichier /etc/autofs_ldap_auth.conf

<?xml version="1.0" ?>
<!--
This files contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->

<autofs_ldap_sasl_conf
        usetls="yes"
        tlsrequired="no"
        authrequired="no"
/>

• Modification du fichier /etc/nsswitch.conf

 /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

# pre_auth-client-config # passwd:         compat ldap
passwd: files ldap
# pre_auth-client-config # group:          compat ldap
group: files ldap
# pre_auth-client-config # shadow:         compat ldap
shadow: files ldap
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

# pre_auth-client-config # netgroup:       nis
netgroup: nis

automount:      files ldap

• On exécute la commande auth-client-config -t nss -p lac_ldap

• Modification du fichier /etc/nslcd.conf

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://ldap.i2m.univ-amu.fr

# The search base that will be used for all queries.
base dc=i2m,dc=univ-amu,dc=fr

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
ssl start_tls
tls_reqcert allow
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub

• On redémarre les services nslcd et nscd : service nslcd restart & service nscd restart
• On lance la commande pam-auth-update

• On modifie le fichier /etc/pam.d/common-session

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required        pam_unix.so
session optional        pam_mount.so
session [success=ok default=ignore]     pam_ldap.so minimum_uid=1000
session optional        pam_systemd.so
# end of pam-auth-update config

• On récupère les certificats de protis et on les place dans le répertoire /etc/ssl/certs/

  scp -r chabrol@147.94.64.48:/home/chabrol/cert/* /etc/ssl/openldap

• On crée le répertoire : mkdir -p /etc/ssl/openldap
• Copie du certificat de protis /etc/ssl/openldap/ca-certs sur la machine cliente (au même emplacement)
• On redémarre autofs : service autofs restart

• Le fichier /etc/ldap.conf devrait ressembler à ça :

###DEBCONF###
##
## Configuration of this file will be managed by debconf as long as the
## first line of the file says '###DEBCONF###'
##
## You should use dpkg-reconfigure to configure this file via debconf
##

# The distinguished name of the search base.
base dc=i2m,dc=univ-amu,dc=fr

# Another way to specify your LDAP server is to provide an
uri ldap://ldap.i2m.univ-amu.fr

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The port.
# Optional: default is 389.
#port 389

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5

# Netscape SDK LDAPS
#ssl on

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5