Plinth has been switched to using ldapscripts to manage the LDAP users and groups (https://github.com/freedombox/Plinth/pull/164).
I'm attaching an updated patch (replaces the previous patch) that will work with the change to Plinth. Here are the changes:

1. Use the method described in "Allowing logins on a per-group basis" from https://wiki.debian.org/LDAP/PAM to restrict logins to the admin group.
2. Add the admin group to the sudoers file.

Regards,
James
From 87744b5b773f1206f306aa8b07cde8c3176e8a00 Mon Sep 17 00:00:00 2001 From: James Valleroy <[email protected]> Date: Wed, 8 Jul 2015 19:46:27 -0400 Subject: [PATCH 1/4] Configure PAM for LDAP user logins. --- setup.d/30_ldap-server | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/setup.d/30_ldap-server b/setup.d/30_ldap-server index 358c922..e78508d 100755 --- a/setup.d/30_ldap-server +++ b/setup.d/30_ldap-server @@ -21,3 +21,9 @@ objectClass: organizationalUnit ou: groups EOF + +# Configure PAM for LDAP user logins +echo nslcd nslcd/ldap-sasl-mech select EXTERNAL | debconf-set-selections +echo libnss-ldapd libnss-ldapd/nsswitch multiselect group, passwd, shadow \ + | debconf-set-selections +DEBIAN_FRONTEND=noninteractive apt-get install -y nslcd libpam-ldapd libnss-ldapd -- 2.1.4 From dade15a7a59d7b4196478dca3c147c68b73b0af1 Mon Sep 17 00:00:00 2001 From: James Valleroy <[email protected]> Date: Sun, 26 Jul 2015 12:38:54 -0400 Subject: [PATCH 2/4] Allow only users in admin group to login. --- setup.d/30_ldap-server | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/setup.d/30_ldap-server b/setup.d/30_ldap-server index e78508d..7809072 100755 --- a/setup.d/30_ldap-server +++ b/setup.d/30_ldap-server @@ -27,3 +27,13 @@ echo nslcd nslcd/ldap-sasl-mech select EXTERNAL | debconf-set-selections echo libnss-ldapd libnss-ldapd/nsswitch multiselect group, passwd, shadow \ | debconf-set-selections DEBIAN_FRONTEND=noninteractive apt-get install -y nslcd libpam-ldapd libnss-ldapd + +# Only users in admin group can login +if ! grep -q "auth\srequired\spam_access.so" /etc/pam.d/common-auth ; then + echo "auth required pam_access.so" >> /etc/pam.d/common-auth +fi + +if ! grep -q "-:ALL EXCEPT root admin:ALL EXCEPT LOCAL" \ + /etc/security/access.conf ; then + echo "-:ALL EXCEPT root admin:ALL EXCEPT LOCAL" >> /etc/security/access.conf +fi -- 2.1.4 From 2ad3156f22af466c5989b70c6b0c06cba991b5a3 Mon Sep 17 00:00:00 2001 
From: James Valleroy <[email protected]> Date: Sun, 26 Jul 2015 12:46:43 -0400 Subject: [PATCH 3/4] Fix some issues with ldap-server setup script. --- setup.d/30_ldap-server | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/setup.d/30_ldap-server b/setup.d/30_ldap-server index 7809072..d8c5091 100755 --- a/setup.d/30_ldap-server +++ b/setup.d/30_ldap-server @@ -9,7 +9,7 @@ DEBIAN_FRONTEND=noninteractive apt-get install -y slapd ldap-utils # Make sure slapd isn't running when we use slapadd service slapd stop -cat <<EOF|slapadd +cat <<EOF |slapadd dn: ou=users,dc=$domain objectClass: top objectClass: organizationalUnit @@ -33,7 +33,8 @@ if ! grep -q "auth\srequired\spam_access.so" /etc/pam.d/common-auth ; then echo "auth required pam_access.so" >> /etc/pam.d/common-auth fi -if ! grep -q "-:ALL EXCEPT root admin:ALL EXCEPT LOCAL" \ +if ! grep -q -- "-:ALL EXCEPT root admin:ALL EXCEPT LOCAL" \ /etc/security/access.conf ; then - echo "-:ALL EXCEPT root admin:ALL EXCEPT LOCAL" >> /etc/security/access.conf + printf "%s\n" "-:ALL EXCEPT root admin:ALL EXCEPT LOCAL" \ + >> /etc/security/access.conf fi -- 2.1.4 From 8ae06491a09d9b954394bb8eb3b471aa41125a11 Mon Sep 17 00:00:00 2001 From: James Valleroy <[email protected]> Date: Sun, 26 Jul 2015 12:58:50 -0400 Subject: [PATCH 4/4] Add admin group to sudoers file. --- setup.d/30_ldap-server | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/setup.d/30_ldap-server b/setup.d/30_ldap-server index d8c5091..856fcc4 100755 --- a/setup.d/30_ldap-server +++ b/setup.d/30_ldap-server @@ -38,3 +38,7 @@ if ! grep -q -- "-:ALL EXCEPT root admin:ALL EXCEPT LOCAL" \ printf "%s\n" "-:ALL EXCEPT root admin:ALL EXCEPT LOCAL" \ >> /etc/security/access.conf fi + +if ! grep -q "%admin ALL=(root) ALL, !/bin/su" /etc/sudoers ; then + echo "%admin ALL=(root) ALL, !/bin/su" >> /etc/sudoers +fi -- 2.1.4
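Review bot: PATCH 1/4 preseeds only nslcd/ldap-sasl-mech and libnss-ldapd/nsswitch, leaving nslcd's ldap-uris and ldap-base to whatever the package postinst guesses, and SASL EXTERNAL only authenticates nslcd when it talks to slapd over the ldapi:// unix socket. Consider preseeding those two keys as well (`echo nslcd nslcd/ldap-uris string ldapi:/// | debconf-set-selections` and the matching `nslcd/ldap-base string dc=$domain`, reusing the $domain variable the script already has), or have the script verify the generated /etc/nslcd.conf, so a wrong guess is not silently installed. Since pam_access in the later patch resolves the admin group through NSS, this hunk is also what decides whether LDAP admins can log in at all when nslcd is not running; only root on the local console remains unaffected.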
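Review bot: In the access.conf rule added by PATCH 2/4, `-:ALL EXCEPT root admin:ALL EXCEPT LOCAL`, the bare `admin` is matched by pam_access against a user named admin as well as the group; writing it as `(admin)` restricts the match to the group, which is what the commit message intends. Appending `auth required pam_access.so` straight into /etc/pam.d/common-auth also marks that file as locally modified, so pam-auth-update will no longer manage it and will prompt about overriding local changes on later upgrades; a profile under /usr/share/pam-configs/ applied with pam-auth-update would survive upgrades. Minor: the guard `grep -q "auth\srequired\spam_access.so"` leaves the `.` unescaped (`pam_access\.so`), harmless here but inconsistent with the care taken in the next patch.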
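Review bot: The first hunk of PATCH 3/4 is a whitespace-only change to `cat <<EOF |slapadd` and would be cleaner squashed into PATCH 1/4 than carried in a "fix some issues" commit. While on that line: slapadd runs as root right after `service slapd stop`, so any database files it creates are root-owned while Debian's slapd runs as the openldap user; worth confirming that the script chowns the database directory back to openldap before slapd is started again, or that the existing files are the ones being written to, since a root-owned database is a common reason slapd fails to come back up after this kind of bootstrap.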
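Review bot: The `--` in the second hunk of PATCH 3/4 is the right fix (grep was parsing the pattern, which starts with `-`, as an option), and switching to printf sidesteps echo's handling of a leading dash. The guard could be tightened at the same time: an unanchored `grep -q` also matches a commented-out `#-:ALL EXCEPT root admin:ALL EXCEPT LOCAL` line, so the script would then skip adding the active rule; `grep -q -- '^-:ALL EXCEPT root admin:ALL EXCEPT LOCAL$' /etc/security/access.conf` only matches when the rule is really in effect.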
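Review bot: PATCH 4/4 appends to /etc/sudoers with a plain echo and no syntax check; a malformed line there disables sudo for every user. Prefer a drop-in file (name is a suggestion): `printf '%s\n' '%admin ALL=(root) ALL, !/bin/su' > /etc/sudoers.d/admin-group`, `chmod 0440 /etc/sudoers.d/admin-group`, then `visudo -cf /etc/sudoers.d/admin-group` and remove the file if the check fails. Debian's default /etc/sudoers already includes /etc/sudoers.d, and the drop-in makes the idempotency grep unnecessary. Separately, sudoers(5) documents that subtracting commands from `ALL` with `!` is not an effective restriction, so `!/bin/su` should be read as a convenience rather than a security boundary: either grant the admin group full root openly or list the specific commands it needs.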

