Systems provides an LDAP (Lightweight Directory Access Protocol) cluster which can be used to authenticate CCIS users. This document shows how to convert a vanilla Ubuntu machine into one where CCIS users can log in.
sudo apt-get install libpam-ldap nscd
PAM (Pluggable Authentication Modules) is an API for authentication. The package libpam-ldap, installed above, provides the LDAP module for PAM.
Running the above line will pop up an ncurses window asking for the LDAP URI, followed by prompts for:
Distinguished name of search base
Make local root Database admin
Does your LDAP require login?
The LDAP client settings also include:
ssl start_tls
tls_checkpeer no
Note that tls_checkpeer no disables verification of the LDAP server's certificate, so the STARTTLS session is encrypted but the server is not authenticated.
By default, /etc/nsswitch.conf looks like:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
You need to have these lines instead:
passwd:         files ldap
group:          files ldap
shadow:         files ldap
netgroup:       ldap
Traditionally (before NIS), a machine only had to look at its /etc/passwd to authenticate a user. With the rise of NIS (and later LDAP) as a centralized mechanism of authentication, /etc/nsswitch.conf was designated to specify the search order. passwd: files ldap tells the system to look at the file /etc/passwd first, then LDAP.
/etc/pam.d/sshd should have these lines:
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so
Uncomment (or add) the line:
account  required     pam_access.so
Our standard /etc/security/access.conf looks like:
+ : (systems) (elders) (crew) : ALL
- : ALL : ALL
Each line is permission : users or (netgroups) : origins, evaluated in order: the first line admits members of the systems, elders and crew netgroups from any origin, and the final line denies everyone else.
The command `sudo` allows non-root users to run certain (or all) commands as root. Add the netgroups elders and systems (required) plus additional lines for crewbies when you edit the sudoers file:
%elders ALL=(ALL) ALL
%systems ALL=(ALL) ALL
somecrewbie1 ALL=(ALL) ALL
somecrewbie2 ALL=(ALL) ALL
Note that in sudoers, %name matches a Unix group (resolved through NSS, so an LDAP group works), while a netgroup is written +name.
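As an added audit script (not part of the original page or of the Systems configuration), the following POSIX shell checks whether a host matches the nsswitch, pam_access, access.conf and TLS settings described above. File paths are passed as arguments; the sample files it creates are constructed, and /etc/ldap.conf as the home of the ssl/tls_checkpeer directives is an assumption.

```shell
#!/bin/sh
# Audit of the LDAP login setup described above. Each check takes the file to
# inspect as an argument and exits 0 when the expected setting is present.
# On a real host the paths would be /etc/nsswitch.conf, /etc/pam.d/sshd,
# /etc/security/access.conf and (assumed) /etc/ldap.conf.

# passwd, group and shadow must all list the ldap source
nss_has_ldap() {
  for db in passwd group shadow; do
    grep -Eq "^$db:[[:space:]].*[[:space:]]ldap([[:space:]]|$)" "$1" || return 1
  done
}

# the pam_access line must be present and not commented out
pam_access_enabled() {
  grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so' "$1"
}

# access.conf should end with a catch-all deny so unlisted users are refused
access_default_deny() {
  grep -Eq '^[[:space:]]*-[[:space:]]*:[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1"
}

# "tls_checkpeer no" turns off verification of the LDAP server certificate;
# this check succeeds when that weakening is present so the audit can flag it
ldap_cert_check_disabled() {
  grep -Eiq '^[[:space:]]*tls_checkpeer[[:space:]]+no' "$1"
}

# Constructed sample files (not copied from any host) to exercise the checks.
AUDIT_DIR=$(mktemp -d)
printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\nnetgroup: ldap\n' \
  > "$AUDIT_DIR/nsswitch.good"
printf 'passwd: compat\ngroup: compat\nshadow: compat\n' > "$AUDIT_DIR/nsswitch.bad"
printf 'account required pam_access.so\n' > "$AUDIT_DIR/sshd.good"
printf '# account required pam_access.so\n' > "$AUDIT_DIR/sshd.bad"
printf '+ : (systems) (elders) (crew) : ALL\n- : ALL : ALL\n' > "$AUDIT_DIR/access.good"
printf 'ssl start_tls\ntls_checkpeer no\n' > "$AUDIT_DIR/ldap.weak"

# run all four checks against one set of files and report each result
audit() {
  nss_has_ldap "$1" && echo "nsswitch: ok" || echo "nsswitch: ldap source missing"
  pam_access_enabled "$2" && echo "pam_access: enabled" || echo "pam_access: not enabled"
  access_default_deny "$3" && echo "access.conf: default deny" || echo "access.conf: no catch-all deny"
  ldap_cert_check_disabled "$4" && echo "ldap: WARNING server cert not verified" || echo "ldap: cert check on"
}
audit "$AUDIT_DIR/nsswitch.good" "$AUDIT_DIR/sshd.good" "$AUDIT_DIR/access.good" "$AUDIT_DIR/ldap.weak"
```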