Conf de ldap.

* Acces a la base
* Conf de pam pour ldap
* Conf de nss pour ldap

darcs-hash:20080209021350-af139-0dd9ab0a07fd64c38d18efc94d7c82b130d6df17.gz

Python/etc/ldap.secret

@@ -0,0 +1,8 @@
+# -*- mode: python; coding: utf-8 -*-
+
+include("secrets")
+
+if has("db-main"):
+    print secrets.ldap_password
+else:
+    print secrets.ldap_readonly_password

Python/etc/ldap/ldap.conf

@@ -0,0 +1,15 @@
+# -*- mode: python; coding: utf-8 -*-
+
+include("ip")
+
+header("Acces a la base ldap")
+
+@# See ldap.conf(5) for details
+@# This file should be world readable but not world writable.
+
+@BASE       dc=crans, dc=org
+if has("db-server"):
+    %URI        "ldapi://%2fvar%2frun%2fslapd%2fldapi/"
+    %TLS_CACERT "/etc/ssl/certs/CAcrans.pem"
+else:
+    %URI        "ldap://%s/" % admipof("ldap")

Python/etc/libnss-ldap.conf

@@ -0,0 +1,74 @@
+# -*- mode: python; coding: utf-8 -*-
+
+include("mode/space")
+include("secrets")
+include("ip")
+
+header("""
+Fichier de configuration pour libnss-ldap.
+
+Pour des informations détaillées voir libnss-ldap.conf(5)
+ainsi que /usr/share/libnss-ldap/ldap.conf
+""")
+
+@# +----------------------------------------------------+
+@# | Configuration de la communiquation avec le serveur |
+@# +----------------------------------------------------+
+
+if has("db-server"):
+    @# Socket unix du serveur
+    %uri "ldapi://%2fvar%2frun%2fslapd%2fldapi/"
+else:
+    @# Addresse du serveur
+    %uri "ldap://%s/" % admipof("ldap")
+
+@# The distinguished name of the search base.
+%base "dc=crans,dc=org"
+
+@# The distinguished name to bind to the server with.
+@# Optional: default is to bind anonymously.
+@# Please do not put double quotes around it as they
+@# would be included literally.
+%binddn secrets.ldap_readonly_auth_dn
+
+@# The credentials to bind with.
+@# Optional: default is no credential.
+%bindpw secrets.ldap_readonly_password
+
+@# The distinguished name to bind to the server with
+@# if the effective user ID is root. Password is
+@# stored in /etc/libnss-ldap.secret (mode 600)
+@# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
+@# of an editor to create the file.
+%rootbinddn secrets.ldap_readonly_auth_dn
+
+@# The LDAP version to use (defaults to 3
+@# if supported by client library)
+%ldap_version 3
+
+@# Search timelimit
+%timelimit 5
+
+@# Bind/connect timelimit
+%bind_timelimit 5
+
+@# +------------------+
+@# | Bases de données |
+@# +------------------+
+
+# On n'utilise ldap pour résoudre les bases de données
+# passwd, group et shadow
+if has("users"):
+    # Sur le serveur des adhérents, on veut que tout
+    # les adhérents soit reconnus comme utilisateurs locaux
+    %nss_base_passwd "ou=data,dc=crans,dc=org?one"
+else:
+    # Sur les autres serveurs on filtre pour que seuls
+    # les nounous et les apprentis le soit.
+    # Il est important de mettre ce filtrage au niveau de
+    # libnss-ldap et pam-ldap car ssh utilise pam pour les
+    # mots de passe mais pour l'authentification par clés
+    # il n'utilise que nss
+    %nss_base_passwd "ou=data,dc=crans,dc=org?one?|(droits=Nounou)(droits=Apprenti)"
+%nss_base_shadow "ou=data,dc=crans,dc=org?one"
+%nss_base_group "ou=Group,dc=crans,dc=org?one"

Python/etc/libnss-ldap.secret

@@ -0,0 +1,8 @@
+# -*- mode: python; coding: utf-8 -*-
+
+include("secrets")
+
+if has("db-main"):
+    print secrets.ldap_password
+else:
+    print secrets.ldap_readonly_password

Python/etc/nsswitch.conf

@@ -0,0 +1,29 @@
+# -*- mode: python; coding: utf-8 -*-
+
+header("""
+Fichier de configuration des bases de donnees systemes (System
+Databases) et du service de noms (Name Service Switch).
+""")
+
+if has("ldap"):
+    db="ldap"
+
+def database(name, res):
+    print name + ": " + " ".join(res)
+
+@# On utilise la base de donnee du crans pour tout ce qui est
+@# compte unix
+database("passwd", ["files", db])
+database("group",  ["files", db])
+database("shadow", ["files", db])
+@
+database("hosts",    ["files", "dns"])
+database("networks", ["files"])
+@
+database("protocols", ["db", "files"])
+database("services",  ["db", "files"])
+@
+database("ethers", ["db", "files"])
+database("rpc",    ["db", "files"])
+@
+database("netgroup", ["nis"])

Python/etc/pam.d/common-account

@@ -0,0 +1,15 @@
+# -*- mode: python; coding: utf-8 -*-
+
+include("pam")
+
+header("""
+/etc/pam.d/common-account - authorization settings common to all services
+
+This file is included from other service-specific PAM config files,
+and should contain a list of the authorization modules that define
+the central access policy for use on the system.  The default is to
+only deny service to users whose accounts are expired in /etc/shadow.
+""")
+
+print "account sufficient %s" % pam_module
+print "account required   pam_unix.so use_first_pass"

Python/etc/pam.d/common-auth

@@ -0,0 +1,16 @@
+# -*- mode: python; coding: utf-8 -*-
+
+include("pam")
+
+header("""
+/etc/pam.d/common-auth - authentication settings common to all services
+
+This file is included from other service-specific PAM config files,
+and should contain a list of the authentication modules that define
+the central authentication scheme for use on the system
+(e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+traditional Unix authentication mechanisms.
+""")
+
+print "auth sufficient %s" % pam_module
+print "auth required   pam_unix.so nullok_secure use_first_pass"

Python/etc/pam.d/common-password

@@ -0,0 +1,30 @@
+# -*- mode: python; coding: utf-8 -*-
+
+include("pam")
+
+header("""
+/etc/pam.d/common-password - password-related modules common to all services
+
+This file is included from other service-specific PAM config files,
+and should contain a list of modules that define  the services to be
+used to change user passwords.  The default is pam_unix
+""")
+
+@# The "nullok" option allows users to change an empty password, else
+@# empty passwords are treated as locked accounts.
+@#
+@# (Add `md5' after the module name to enable MD5 passwords)
+@#
+@# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+@# login.defs. Also the "min" and "max" options enforce the length of the
+@# new password.
+
+print "password   sufficient %s ignore_unknown_user md5 try_first_pass" % pam_module
+print "password   required   pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass"
+
+@# Alternate strength checking for password. Note that this
+@# requires the libpam-cracklib package to be installed.
+@# You will need to comment out the password line above and
+@# uncomment the next two in order to use this.
+@# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
+

Python/etc/pam.d/common-session

@@ -0,0 +1,16 @@
+# -*- mode: python; coding: utf-8 -*-
+
+include("pam")
+
+header("""
+/etc/pam.d/common-session - session-related modules common to all services
+
+This file is included from other service-specific PAM config files,
+and should contain a list of modules that define tasks to be performed
+at the start and end of sessions of *any* kind (both interactive and
+non-interactive).  The default is pam_unix.
+""")
+
+print "session sufficient %s" % pam_module
+print "session required   pam_unix.so"
+print "session required   pam_mkhomedir.so"

Python/etc/pam_ldap.conf

@@ -0,0 +1,87 @@
+# -*- mode: python; coding: utf-8 -*-
+
+include("mode/space")
+include("secrets")
+include("ip")
+
+header("""
+Fichier de configuration de libpam-ldap.
+
+Pour des informations détaillées voir pam_ldap.conf(5)
+""")
+
+@# +----------------------------------------------------+
+@# | Configuration de la communiquation avec le serveur |
+@# +----------------------------------------------------+
+
+@# The distinguished name of the search base.
+%base "dc=crans,dc=org"
+
+if has("db-server"):
+    # Le serveur principale ainsi que les réplica se connectent par
+    # socket unix
+    %uri "ldapi://%2fvar%2frun%2fslapd%2fldapi/"
+else:
+    # Les autres c'est par le réseau
+    %uri "ldap://%s/" % admipof("ldap")
+
+@# The LDAP version to use (defaults to 3
+@# if supported by client library)
+%ldap_version 3
+
+if has("db-main"):
+    @# The distinguished name to bind to the server with
+    @# if the effective user ID is root. Password is
+    @# stored in /etc/ldap.secret (mode 600)
+    %rootbinddn secrets.ldap_auth_dn
+
+else:
+    @# The distinguished name to bind to the server with.
+    @# Optional: default is to bind anonymously.
+    %binddn secrets.ldap_readonly_auth_dn
+
+    @# The credentials to bind with.
+    @# Optional: default is no credential.
+    %bindpw secrets.ldap_readonly_password
+
+@# The port.
+@# Optional: default is 389.
+@#port 389
+
+@# The search scope.
+@#scope sub
+%scope "one"
+@#scope base
+
+if not has("db-main"):
+    @# Search timelimit
+    %timelimit 5
+
+    @# Bind timelimit
+    %bind_timelimit 5
+
+@# Do not hash the password at all; presume
+@# the directory server will do it, if
+@# necessary. This is the default.
+%pam_password "exop"
+
+@# +------------------+
+@# | Bases de données |
+@# +------------------+
+
+# On n'utilise ldap pour résoudre les bases de données
+# passwd, group et shadow
+if has("users"):
+    # Sur le serveur des adhérents, on veut que tout
+    # les adhérents soit reconnus comme utilisateurs locaux
+    %nss_base_passwd "ou=data,dc=crans,dc=org?one"
+else:
+    # Sur les autres serveurs on filtre pour que seuls
+    # les nounous et les apprentis le soit.
+    # Il est important de mettre ce filtrage au niveau de
+    # libnss-ldap et pam-ldap car ssh utilise pam pour les
+    # mots de passe mais pour l'authentification par clés
+    # il n'utilise que nss
+    %nss_base_passwd "ou=data,dc=crans,dc=org?one?|(droits=Nounou)(droits=Apprenti)"
+%nss_base_shadow "ou=data,dc=crans,dc=org?one"
+%nss_base_group "ou=Group,dc=crans,dc=org?one"