Here's an updated patch that sets additional debconf options for nslcd. I found that these options were needed while testing the full system in VirtualBox.
Regards, James
>From 87744b5b773f1206f306aa8b07cde8c3176e8a00 Mon Sep 17 00:00:00 2001
From: James Valleroy <[email protected]>
Date: Wed, 8 Jul 2015 19:46:27 -0400
Subject: [PATCH 1/5] Configure PAM for LDAP user logins.

---
 setup.d/30_ldap-server | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/setup.d/30_ldap-server b/setup.d/30_ldap-server
index 358c922..e78508d 100755
--- a/setup.d/30_ldap-server
+++ b/setup.d/30_ldap-server
@@ -21,3 +21,9 @@ objectClass: organizationalUnit
 ou: groups
 EOF
+
+# Configure PAM for LDAP user logins
+echo nslcd nslcd/ldap-sasl-mech select EXTERNAL | debconf-set-selections
+echo libnss-ldapd libnss-ldapd/nsswitch multiselect group, passwd, shadow \
+ | debconf-set-selections
+DEBIAN_FRONTEND=noninteractive apt-get install -y nslcd libpam-ldapd libnss-ldapd
-- 
2.1.4

>From dade15a7a59d7b4196478dca3c147c68b73b0af1 Mon Sep 17 00:00:00 2001
From: James Valleroy <[email protected]>
Date: Sun, 26 Jul 2015 12:38:54 -0400
Subject: [PATCH 2/5] Allow only users in admin group to login.

---
 setup.d/30_ldap-server | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/setup.d/30_ldap-server b/setup.d/30_ldap-server
index e78508d..7809072 100755
--- a/setup.d/30_ldap-server
+++ b/setup.d/30_ldap-server
@@ -27,3 +27,13 @@ echo nslcd nslcd/ldap-sasl-mech select EXTERNAL | debconf-set-selections
 echo libnss-ldapd libnss-ldapd/nsswitch multiselect group, passwd, shadow \
 | debconf-set-selections
 DEBIAN_FRONTEND=noninteractive apt-get install -y nslcd libpam-ldapd libnss-ldapd
+
+# Only users in admin group can login
+if ! grep -q "auth\srequired\spam_access.so" /etc/pam.d/common-auth ; then
+ echo "auth required pam_access.so" >> /etc/pam.d/common-auth
+fi
+
+if ! grep -q "-:ALL EXCEPT root admin:ALL EXCEPT LOCAL" \
+ /etc/security/access.conf ; then
+ echo "-:ALL EXCEPT root admin:ALL EXCEPT LOCAL" >> /etc/security/access.conf
+fi
-- 
2.1.4

>From 2ad3156f22af466c5989b70c6b0c06cba991b5a3 Mon Sep 17 00:00:00 2001
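Review bot: With `shadow` now served through libnss-ldapd and the bind mechanism preseeded to SASL EXTERNAL, the lookups only work if slapd maps nslcd's Unix peer identity to a DN that its ACLs allow to read the users and groups subtrees, including the shadow attributes; nothing in this hunk creates that mapping, so if it is done elsewhere in the script a pointer such as `# nslcd binds with SASL EXTERNAL (peer credentials); slapd's ACLs must grant the nslcd user read access to the users/groups subtrees, incl. shadow attributes` would save the next reader a debugging session. The two `debconf-set-selections` pipelines also run unchecked, so a rejected selection would go unnoticed and the noninteractive install would proceed with nslcd's defaults; `|| exit 1` on each line (or confirming the script already runs under `set -e`, which is not visible here) would make a broken preseed fail loudly instead.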
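Review bot: Registering pam_access only in the `auth` stack leaves a gap, because sshd with public-key authentication never runs PAM's `auth` modules and only consults `account` and `session`, so a non-admin LDAP user with an authorized key would still get in; pam_access provides an `account` type and the `account` stack runs for every login regardless of how the user authenticated, so the check/append pair should target `/etc/pam.d/common-account` with `account required pam_access.so`. Both files are generated by pam-auth-update, and a line appended after its managed block may not survive a later `pam-auth-update` run — worth confirming, or shipping the rule as a pam-configs profile instead. In the access.conf rule `admin` is matched as a user name before a group name, so spelling it `(admin)` makes the group intent unambiguous: `-:ALL EXCEPT root (admin):ALL EXCEPT LOCAL`. The `ALL EXCEPT LOCAL` origin intentionally leaves console/tty logins unrestricted and deserves saying so: `# Deny remote (non-LOCAL) logins to everyone except root and the admin group`.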
From: James Valleroy <[email protected]>
Date: Sun, 26 Jul 2015 12:46:43 -0400
Subject: [PATCH 3/5] Fix some issues with ldap-server setup script.

---
 setup.d/30_ldap-server | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/setup.d/30_ldap-server b/setup.d/30_ldap-server
index 7809072..d8c5091 100755
--- a/setup.d/30_ldap-server
+++ b/setup.d/30_ldap-server
@@ -9,7 +9,7 @@ DEBIAN_FRONTEND=noninteractive apt-get install -y slapd ldap-utils
 # Make sure slapd isn't running when we use slapadd
 service slapd stop
-cat <<EOF|slapadd
+cat <<EOF |slapadd
 dn: ou=users,dc=$domain
 objectClass: top
 objectClass: organizationalUnit
@@ -33,7 +33,8 @@ if ! grep -q "auth\srequired\spam_access.so" /etc/pam.d/common-auth ; then
 echo "auth required pam_access.so" >> /etc/pam.d/common-auth
 fi
-if ! grep -q "-:ALL EXCEPT root admin:ALL EXCEPT LOCAL" \
+if ! grep -q -- "-:ALL EXCEPT root admin:ALL EXCEPT LOCAL" \
 /etc/security/access.conf ; then
- echo "-:ALL EXCEPT root admin:ALL EXCEPT LOCAL" >> /etc/security/access.conf
+ printf "%s\n" "-:ALL EXCEPT root admin:ALL EXCEPT LOCAL" \
+ >> /etc/security/access.conf
 fi
-- 
2.1.4

>From 8ae06491a09d9b954394bb8eb3b471aa41125a11 Mon Sep 17 00:00:00 2001
From: James Valleroy <[email protected]>
Date: Sun, 26 Jul 2015 12:58:50 -0400
Subject: [PATCH 4/5] Add admin group to sudoers file.

---
 setup.d/30_ldap-server | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/setup.d/30_ldap-server b/setup.d/30_ldap-server
index d8c5091..856fcc4 100755
--- a/setup.d/30_ldap-server
+++ b/setup.d/30_ldap-server
@@ -38,3 +38,7 @@ if ! grep -q -- "-:ALL EXCEPT root admin:ALL EXCEPT LOCAL" \
 printf "%s\n" "-:ALL EXCEPT root admin:ALL EXCEPT LOCAL" \
 >> /etc/security/access.conf
 fi
+
+if ! grep -q "%admin ALL=(root) ALL, !/bin/su" /etc/sudoers ; then
+ echo "%admin ALL=(root) ALL, !/bin/su" >> /etc/sudoers
+fi
-- 
2.1.4

>From 94b981952746d12354665a2f033f6873aa58685a Mon Sep 17 00:00:00 2001
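Review bot: The idempotency guard is still an unanchored regex search, so a commented-out or partially matching line such as `# -:ALL EXCEPT root admin:ALL EXCEPT LOCAL` in access.conf satisfies it and the deny rule is then silently never written; make it an exact fixed-string whole-line match: `if ! grep -qxF -- "-:ALL EXCEPT root admin:ALL EXCEPT LOCAL" \`. The same weakness applies to the pam_access guard shown in the hunk header, where the unescaped `.` in `pam_access.so` is a regex wildcard and a commented-out line would also pass, so `grep -qxF` (with the literal line text as the pattern) is the safer shape for both checks. The `--` and `printf` changes themselves are correct.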
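Review bot: The new rule is appended straight to /etc/sudoers with no syntax check, so any error in the line leaves sudo refusing every command on the box, and the `grep -q` guard is a regex without `-F`, so `(root)` and `!` are matched loosely; write the rule to a drop-in under /etc/sudoers.d instead, validate it with `visudo -cf` before moving it into place at mode 0440, which is also naturally idempotent. Note too that sudoers(5) documents the `!` command exclusion as ineffective once `ALL` is granted (a user can `sudo bash`, `sudo -i`, or copy `/bin/su` under another name), so `!/bin/su` should be commented as advisory or dropped rather than presented as a control. This assumes the stock Debian /etc/sudoers still carries `#includedir /etc/sudoers.d` — confirm before relying on the drop-in.
```shell
# Grant the admin group sudo via a drop-in; visudo validates the fragment
# first so a typo can never leave the system without a working sudo.
# NOTE: the "!/bin/su" exclusion is advisory only — sudoers(5) documents
# that subtracting commands from ALL is bypassable.
sudoers_tmp=$(mktemp)
printf '%s\n' '%admin ALL=(root) ALL, !/bin/su' > "$sudoers_tmp"
chmod 0440 "$sudoers_tmp"
if visudo -cf "$sudoers_tmp" ; then
  mv "$sudoers_tmp" /etc/sudoers.d/admin
else
  rm -f "$sudoers_tmp"
fi
```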
From: James Valleroy <[email protected]>
Date: Sat, 1 Aug 2015 20:06:26 -0400
Subject: [PATCH 5/5] Set more debconf options for nslcd.

---
 setup.d/30_ldap-server | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/setup.d/30_ldap-server b/setup.d/30_ldap-server
index 856fcc4..d30df4b 100755
--- a/setup.d/30_ldap-server
+++ b/setup.d/30_ldap-server
@@ -23,6 +23,8 @@ ou: groups
 EOF
 # Configure PAM for LDAP user logins
+echo nslcd nslcd/ldap-uris string "ldapi:///" | debconf-set-selections
+echo nslcd nslcd/ldap-base string "dc=thisbox" | debconf-set-selections
 echo nslcd nslcd/ldap-sasl-mech select EXTERNAL | debconf-set-selections
 echo libnss-ldapd libnss-ldapd/nsswitch multiselect group, passwd, shadow \
 | debconf-set-selections
-- 
2.1.4
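Review bot: `nslcd/ldap-base` is hard-coded to `dc=thisbox` while the entries this script loads through slapadd live under `dc=$domain` (see the `dn: ou=users,dc=$domain` context in patch 3), so unless `$domain` is always `thisbox` nslcd will search a base that contains no users and every LDAP login fails silently; preseed it from the same variable, `echo nslcd nslcd/ldap-base string "dc=$domain" | debconf-set-selections`. With `ldapi:///` and SASL EXTERNAL the daemon is identified to slapd by its Unix uid, so a comment noting that slapd must authorize that identity would help future readers, e.g. `# nslcd talks to slapd over the local socket and is identified by its uid; slapd's ACLs must allow that identity to read user/group entries`.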

