
Servers

Sets up automatic mounting of home directories from olympe, on Ubuntu 18.

sudo apt install ldap-utils autofs-ldap ldap-auth-client nscd libnss-ldapd libpam-ldapd libpam-mount

When configuring nslcd, answer:

LDAP server URI: ldap://ldap.i2m.univ-amu.fr/

LDAP server search base: dc=i2m,dc=univ-amu,dc=fr

Name services to configure: passwd, group, shadow

When configuring ldap-auth-config, answer:

LDAP server Uniform Resource Identifier : ldap://ldap.i2m.univ-amu.fr/

Distinguished name of the search base: dc=i2m,dc=univ-amu,dc=fr

LDAP version to use: 3

Make local root Database admin: Yes

Does the LDAP database require login? No

LDAP account for root: cn=admin,dc=i2m,dc=univ-amu,dc=fr

LDAP root account password: fill in from the password file

Then configure LDAP for NSS by running the following command:

sudo auth-client-config -t nss -p lac_ldap

Configure LDAP for authentication in PAM.

sudo pam-auth-update

When configuring PAM, the PAM profiles to enable are: Unix authentication, Mount volumes for user, LDAP Authentication, Register user sessions in the systemd control group hierarchy, Inheritable Capabilities Management

Update the file /etc/ldap/ldap.conf with the following content:

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=i2m,dc=univ-amu,dc=fr
URI ldap://ldap.i2m.univ-amu.fr
ldap_version 3
scope sub
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password md5
nss_base_passwd ou=accounts,dc=i2m,dc=univ-amu,dc=fr
nss_base_shadow ou=accounts,dc=i2m,dc=univ-amu,dc=fr
nss_base_group  ou=Groups,dc=i2m,dc=univ-amu,dc=fr

ssl start_tls
tls_reqcert allow
tls_checkpeer yes


# TLS certificates (needed for GnuTLS)
TLS_CACERT    /etc/ssl/certs/ca-certificates.crt
tls_cacertdir /etc/ssl/certs

nss_initgroups_ignoreusers avahi,backup,bin,bind,colord,daemon,fetchmail,games,gnats,irc,klog,libuuid,list,lp,mail,man,messagebus,news,nslcd,proxy,root,smmsp,smmta,sshd,statd,sync,sys,syslog,usbmux,uucp,www-data,x2gouser

Update the file /etc/default/autofs with the following content:

# Init system options
#

master_map_name="/etc/auto.master"

timeout=300

browse_mode="no"

logging="verbose"

LDAP_URI="ldap://ldap.i2m.univ-amu.fr"

MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"

USE_MISC_DEVICE="yes"
#
# Use OPTIONS to add automount(8) command line options that
# will be used when the daemon is started.
#
#OPTIONS=""
#

Update the file /etc/auto.master with the following content:

#
# Sample auto.master file
# This is a 'master' automounter map and it has the following format:
# mount-point [map-type[,format]:]map [options]
# For details of the format look at auto.master(5).
#
#/misc  /etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
#       "nosuid" and "nodev" options unless the "suid" and "dev"
#       options are explicitly given.
#
/net    -hosts
#
# Include /etc/auto.master.d/*.autofs
# The included files must conform to the format of this file.
#
#+dir:/etc/auto.master.d
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
#+auto.master
/home   ldap://ldap.i2m.univ-amu.fr/ou=auto.home,dc=i2m,dc=univ-amu,dc=fr

Modify the file /etc/autofs_ldap_auth.conf:

<?xml version="1.0" ?>
<!--
This files contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->

<autofs_ldap_sasl_conf
        usetls="yes"
        tlsrequired="no"
        authrequired="no"
/>
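The settings in /etc/default/autofs and the /home line of auto.master only make sense together with the directory entries they point at. The shell snippet below is an added example, not part of the original page and not a dump of the I2M directory: it shows, as constructed LDIF, what the ou=auto.home map must look like for those settings (automountMap keyed by ou, automount children keyed by cn, the "options location" string in automountInformation), then renders it the way autofs reads it and resolves a few keys, including the "*" wildcard with "&" substitution that lets one entry serve every home directory. The function names ldif_to_automap and automap_resolve, the export paths on olympe and the NFS options are assumptions.

```shell
#!/bin/sh
# Added example: what the autofs LDAP settings above expect to find in the
# directory, and how autofs turns it into mounts.  The map is an entry of
# class automountMap (MAP_OBJECT_CLASS) named by "ou" (MAP_ATTRIBUTE); each
# key is a child of class automount (ENTRY_OBJECT_CLASS) named by "cn"
# (ENTRY_ATTRIBUTE) whose automountInformation (VALUE_ATTRIBUTE) holds the
# "options location" string.  In a location, "&" is replaced by the key and
# a "*" key matches any name, which is how one entry serves every homedir.

# Render every automount entry below map DN $2 of LDIF file $1 as a line of
# an autofs map ("key<TAB>automountInformation").  Assumes unfolded LDIF,
# i.e. no continuation lines, as ldapsearch -LLL prints for short values.
ldif_to_automap() {
    awk -v map="$2" '
        function flush() {
            if (entry && index(dn, "," map) > 0 && info != "")
                print key "\t" info
            dn = ""; key = ""; info = ""; entry = 0
        }
        /^[ \t]*$/ { flush(); next }
        /^#/ { next }
        /^dn: / { dn = substr($0, 5) }
        tolower($0) == "objectclass: automount" { entry = 1 }
        /^cn: / { key = substr($0, 5) }
        /^automountInformation: / { info = substr($0, 23) }
        END { flush() }
    ' "$1"
}

# Resolve what automount would mount for key $2 from map file $1: an exact
# key wins, otherwise the "*" entry with every "&" replaced by the key.
# Prints nothing when neither exists.
automap_resolve() {
    awk -v k="$2" -F "$(printf '\t')" '
        $1 == k   { exact = $2 }
        $1 == "*" { wild = $2; gsub(/&/, k, wild) }
        END { if (exact != "") print exact; else if (wild != "") print wild }
    ' "$1"
}

# Constructed LDIF (not a dump of the I2M directory): the ou=auto.home map
# referenced by auto.master, a wildcard entry and one fixed entry.  The
# export paths on olympe and the NFS options are assumptions.
map_dir=$(mktemp -d)
cat > "$map_dir/auto.home.ldif" <<'EOF'
dn: ou=auto.home,dc=i2m,dc=univ-amu,dc=fr
objectClass: top
objectClass: automountMap
ou: auto.home

dn: cn=*,ou=auto.home,dc=i2m,dc=univ-amu,dc=fr
objectClass: top
objectClass: automount
cn: *
automountInformation: -fstype=nfs4,hard olympe:/home/&

dn: cn=shared,ou=auto.home,dc=i2m,dc=univ-amu,dc=fr
objectClass: top
objectClass: automount
cn: shared
automountInformation: -fstype=nfs4,ro olympe:/export/shared
EOF

ldif_to_automap "$map_dir/auto.home.ldif" "ou=auto.home,dc=i2m,dc=univ-amu,dc=fr" > "$map_dir/auto.home"
cat "$map_dir/auto.home"
for user in alice shared; do
    echo "/home/$user -> $(automap_resolve "$map_dir/auto.home" "$user")"
done
```

Because autofs_ldap_auth.conf above sets authrequired="no", the client reads this map with an anonymous bind; whoever can write the automountInformation attribute decides which server every workstation mounts /home from, so write access to ou=auto.home deserves the same review as the admin account itself.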

Modify the file /etc/nsswitch.conf:

#/etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

# pre_auth-client-config # passwd:         compat ldap
passwd: files ldap
# pre_auth-client-config # group:          compat ldap
group: files ldap
# pre_auth-client-config # shadow:         compat ldap
shadow: files ldap
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

# pre_auth-client-config # netgroup:       nis
netgroup: nis

automount:      files ldap

Run the command auth-client-config -t nss -p lac_ldap

Modify the file /etc/nslcd.conf:

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://ldap.i2m.univ-amu.fr

# The search base that will be used for all queries.
base dc=i2m,dc=univ-amu,dc=fr

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
ssl start_tls
tls_reqcert allow
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub
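Both /etc/ldap/ldap.conf above and this nslcd.conf keep "ssl start_tls" but set "tls_reqcert allow", which tolerates a server certificate that cannot be verified: StartTLS then still hides traffic from passive sniffing, but a host that impersonates ldap.i2m.univ-amu.fr would be accepted and would see every password bind. The shell snippet below is an added check, not part of the original page: it lints the TLS directives of an nslcd.conf-style file (function names conf_value and check_ldap_tls are assumptions, and the sample files it writes are constructed, not the real I2M configs) so the setting can be reviewed before the restart step that follows.

```shell
#!/bin/sh
# Added example: lint the TLS directives of an nslcd.conf-style file.
# nslcd.conf(5) accepts tls_reqcert never|allow|try|demand|hard; with
# "allow" (the value used above) an unverifiable server certificate is
# tolerated, so StartTLS only stops passive sniffing, not an impersonated
# server.  "demand" is nslcd's default and what this check expects.

# Print the first value of a directive, skipping comment lines; prints
# nothing when the directive is absent.  $1 = file, $2 = directive.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key  { print $2; exit }
    ' "$1"
}

# Return 0 when the TLS settings are acceptable, 1 when there is a finding.
# Findings are printed one per line, prefixed with the file name.
check_ldap_tls() {
    file=$1
    rc=0
    ssl=$(conf_value "$file" ssl)
    reqcert=$(conf_value "$file" tls_reqcert)
    cafile=$(conf_value "$file" tls_cacertfile)

    case "$ssl" in
        start_tls|on) ;;
        *) echo "$file: no 'ssl start_tls' (or 'ssl on'): binds and lookups go in clear"; rc=1 ;;
    esac

    case "$reqcert" in
        ""|demand|hard) ;;   # empty = nslcd default, which is demand
        *) echo "$file: tls_reqcert $reqcert: server certificate not verified, use demand"; rc=1 ;;
    esac

    # A configured but unreadable CA bundle makes every verification fail,
    # which "allow" would then hide; surface it explicitly.
    if [ -n "$cafile" ] && [ ! -r "$cafile" ]; then
        echo "$file: tls_cacertfile $cafile is not readable"
        rc=1
    fi
    return "$rc"
}

# Constructed demo files (not the real /etc/nslcd.conf): the TLS lines of
# the config above, and a hardened variant.  ca.crt is an empty placeholder
# so the readability check can run offline.
demo_dir=$(mktemp -d)
: > "$demo_dir/ca.crt"
printf 'ssl start_tls\ntls_reqcert allow\ntls_cacertfile %s\n' "$demo_dir/ca.crt" > "$demo_dir/weak.conf"
printf 'ssl start_tls\ntls_reqcert demand\ntls_cacertfile %s\n' "$demo_dir/ca.crt" > "$demo_dir/hardened.conf"

for f in "$demo_dir/weak.conf" "$demo_dir/hardened.conf"; do
    if check_ldap_tls "$f"; then
        echo "$f: OK"
    fi
done
```

On a configured host, run check_ldap_tls /etc/nslcd.conf; it reads the nslcd spelling of the directives, so the matching "tls_reqcert allow" line in /etc/ldap/ldap.conf above has to be reviewed by hand, and "demand" only works once the CA that signed the ldap.i2m.univ-amu.fr certificate is in the configured bundle.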

Restart the nslcd and nscd services: service nslcd restart && service nscd restart

Run the command pam-auth-update

Modify the file /etc/pam.d/common-session:

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required        pam_unix.so
session optional        pam_mount.so
session [success=ok default=ignore]     pam_ldap.so minimum_uid=1000
session optional        pam_systemd.so
# end of pam-auth-update config
reserves/serveurs.txt · Last modified: 2019/10/09 10:44 by chabrol