Conf de ldap.

* Acces a la base
* Conf de pam pour ldap
* Conf de nss pour ldap

darcs-hash:20080209021350-af139-0dd9ab0a07fd64c38d18efc94d7c82b130d6df17.gz
This commit is contained in:
Jeremie Dimino 2008-02-09 03:13:50 +01:00
parent 5d6f9722bb
commit 1bb9fac1e4
20 changed files with 363 additions and 49 deletions


@ -1,20 +1,12 @@
<Bundle name="ldap" version="2.0" revision="$Rev$" <Bundle name="ldap" version="2.0">
origin="$URL$">
<ConfigFile name="/etc/ldap/ldap.conf"/> <ConfigFile name="/etc/ldap/ldap.conf"/>
<ConfigFile name="/etc/libnss-ldap.conf"/> <ConfigFile name="/etc/ldap.secret"/>
<ConfigFile name="/etc/libnss-ldap.secret"/>
<ConfigFile name="/etc/pam_ldap.conf"/>
<ConfigFile name="/etc/pam.d/common-account"/>
<ConfigFile name="/etc/pam.d/common-auth"/>
<ConfigFile name="/etc/pam.d/common-password"/>
<ConfigFile name="/etc/pam.d/common-session"/>
<ConfigFile name="/etc/nsswitch.conf"/>
<Service name="ssh"/> <Service name="ssh"/>
<Action name="del-adm"/>
<Group name="db-server"> <Group name="db-server">
<Package name="wfrench"/> <!-- TODO: conf de slapd
<Package name="slapd"/> <Package name="slapd"/>
<Package name="libnss-ldap"/> -->
<Package name="libpam-ldap"/> <Package name="wfrench"/>
<Package name="libpam-cracklib"/>
</Group> </Group>
</Bundle> </Bundle>
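Review bot: `<ConfigFile name="/etc/ldap.secret"/>` brings a file that the new ldap.secret template fills with `secrets.ldap_password`, but nothing in this bundle states its mode; the pam_ldap.conf template in the same commit expects it at mode 600, so unless the permissions for it are declared elsewhere, the credential ends up readable by every local user. The bundle also now carries `<Action name="del-adm"/>`, which the Rules hunk defines as a rewrite of /etc/group triggered by `when="modified"`, i.e. by any change to the files listed here; that deserves a comment on the Action line, e.g. `<!-- del-adm rewrites /etc/group and fires on every modification of this bundle -->`.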

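--- /dev/null
+++ b/Bundler/nss.xml
@@ -0,0 +1,11 @@
+<Bundle name="nss">
+<ConfigFile name="/etc/nsswitch.conf"/>
+<Group name="ssh">
+<Service name="ssh"/>
+</Group>
+<Group name="ldap">
+<Package name="libnss-ldap"/>
+<ConfigFile name="/etc/libnss-ldap.conf"/>
+<ConfigFile name="/etc/libnss-ldap.secret"/>
+</Group>
+</Bundle>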

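--- /dev/null
+++ b/Bundler/pam.xml
@@ -0,0 +1,16 @@
+<Bundle name="pam" version="2.0">
+<ConfigFile name="/etc/pam.d/common-account"/>
+<ConfigFile name="/etc/pam.d/common-auth"/>
+<ConfigFile name="/etc/pam.d/common-password"/>
+<ConfigFile name="/etc/pam.d/common-session"/>
+<Group name="ssh">
+<Service name="ssh"/>
+</Group>
+<Group name="ldap">
+<Package name="libpam-ldap"/>
+<ConfigFile name="/etc/pam_ldap.conf"/>
+</Group>
+<Group name="db-server">
+<Package name="libpam-cracklib"/>
+</Group>
+</Bundle>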


@ -1,5 +1,7 @@
<Bundle name="ssh"> <Bundle name="ssh">
<!-- Fichiers gere par le plugin SSHbase --> <!-- Fichiers gere par le plugin SSHbase -->
<!-- Il faut voir comment on le fait cohabiter avec
les clés des switchs sur rouge
<ConfigFile name="/etc/ssh/ssh_host_dsa_key"/> <ConfigFile name="/etc/ssh/ssh_host_dsa_key"/>
<ConfigFile name="/etc/ssh/ssh_host_rsa_key"/> <ConfigFile name="/etc/ssh/ssh_host_rsa_key"/>
<ConfigFile name="/etc/ssh/ssh_host_dsa_key.pub"/> <ConfigFile name="/etc/ssh/ssh_host_dsa_key.pub"/>
@ -7,6 +9,7 @@
<ConfigFile name="/etc/ssh/ssh_host_key"/> <ConfigFile name="/etc/ssh/ssh_host_key"/>
<ConfigFile name="/etc/ssh/ssh_host_key.pub"/> <ConfigFile name="/etc/ssh/ssh_host_key.pub"/>
<ConfigFile name="/etc/ssh/ssh_known_hosts"/> <ConfigFile name="/etc/ssh/ssh_known_hosts"/>
-->
<!-- --> <!-- -->
<ConfigFile name="/etc/ssh/sshd_config"/> <ConfigFile name="/etc/ssh/sshd_config"/>
<ConfigFile name="/etc/ssh/ssh_config"/> <ConfigFile name="/etc/ssh/ssh_config"/>


@ -1,4 +1,6 @@
<Bundle name="sudo" version="2.0"> <Bundle name="sudo" version="2.0">
<!-- TODO: a faire
<ConfigFile name="/etc/sudoers"/> <ConfigFile name="/etc/sudoers"/>
<Package name="sudo"/> <Package name="sudo"/>
-->
</Bundle> </Bundle>


@ -133,10 +133,8 @@
<!-- TODO: passer les serveurs en utf-8 sans tout casser... <!-- TODO: passer les serveurs en utf-8 sans tout casser...
<Group name="locale"/> <Group name="locale"/>
--> -->
<!-- TODO: a terminer
<Group name="ssh"/> <Group name="ssh"/>
<Group name="sudo"/> <Group name="sudo"/>
-->
<Group name="home"/> <Group name="home"/>
<Group name="mail"/> <Group name="mail"/>
<Group name="apt"/> <Group name="apt"/>
@ -145,6 +143,7 @@
<Bundle name="apt"/> <Bundle name="apt"/>
<Bundle name="apt-keys"/> <Bundle name="apt-keys"/>
<Bundle name="nss"/>
</Group> </Group>
<!-- +=============================+ --> <!-- +=============================+ -->
@ -345,18 +344,13 @@
<Group name="pam" <Group name="pam"
comment="authentification par pam" comment="authentification par pam"
category="auth-backend"> category="auth-backend">
<!-- TOTO: a implementer/completer/tester
<Group name="db"/>
<Bundle name="pam"/> <Bundle name="pam"/>
-->
</Group> </Group>
<Group name="ldap" <Group name="ldap"
comment="base de donnee ldap" comment="base de donnee ldap"
category="db-backend"> category="db-backend">
<!-- TOTO: a implementer/completer/tester
<Bundle name="ldap"/> <Bundle name="ldap"/>
-->
</Group> </Group>
<Group name="pgsql" <Group name="pgsql"

Python/etc/ldap.secret Normal file

@ -0,0 +1,8 @@
# -*- mode: python; coding: utf-8 -*-
include("secrets")
if has("db-main"):
print secrets.ldap_password
else:
print secrets.ldap_readonly_password
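Review bot: `print secrets.ldap_password` and `print secrets.ldap_readonly_password` terminate the secret with a newline, whereas the libnss-ldap.conf template in this commit documents the opposite requirement (`Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead of an editor`). If that requirement still holds for the installed pam_ldap/nss_ldap, write the value without a trailing newline (a raw-write call of the template engine, or strip it in the generator), here and in the identical template at the second secret hunk, and record the decision with `# no trailing newline: the secret file is read verbatim`.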

Python/etc/ldap/ldap.conf Normal file

@ -0,0 +1,15 @@
# -*- mode: python; coding: utf-8 -*-
include("ip")
header("Acces a la base ldap")
@# See ldap.conf(5) for details
@# This file should be world readable but not world writable.
@BASE dc=crans, dc=org
if has("db-server"):
%URI "ldapi://%2fvar%2frun%2fslapd%2fldapi/"
%TLS_CACERT "/etc/ssl/certs/CAcrans.pem"
else:
%URI "ldap://%s/" % admipof("ldap")


@ -0,0 +1,74 @@
# -*- mode: python; coding: utf-8 -*-
include("mode/space")
include("secrets")
include("ip")
header("""
Fichier de configuration pour libnss-ldap.
Pour des informations détaillées voir libnss-ldap.conf(5)
ainsi que /usr/share/libnss-ldap/ldap.conf
""")
@# +----------------------------------------------------+
@# | Configuration de la communiquation avec le serveur |
@# +----------------------------------------------------+
if has("db-server"):
@# Socket unix du serveur
%uri "ldapi://%2fvar%2frun%2fslapd%2fldapi/"
else:
@# Addresse du serveur
%uri "ldap://%s/" % admipof("ldap")
@# The distinguished name of the search base.
%base "dc=crans,dc=org"
@# The distinguished name to bind to the server with.
@# Optional: default is to bind anonymously.
@# Please do not put double quotes around it as they
@# would be included literally.
%binddn secrets.ldap_readonly_auth_dn
@# The credentials to bind with.
@# Optional: default is no credential.
%bindpw secrets.ldap_readonly_password
@# The distinguished name to bind to the server with
@# if the effective user ID is root. Password is
@# stored in /etc/libnss-ldap.secret (mode 600)
@# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
@# of an editor to create the file.
%rootbinddn secrets.ldap_readonly_auth_dn
@# The LDAP version to use (defaults to 3
@# if supported by client library)
%ldap_version 3
@# Search timelimit
%timelimit 5
@# Bind/connect timelimit
%bind_timelimit 5
@# +------------------+
@# | Bases de données |
@# +------------------+
# On n'utilise ldap pour résoudre les bases de données
# passwd, group et shadow
if has("users"):
# Sur le serveur des adhérents, on veut que tout
# les adhérents soit reconnus comme utilisateurs locaux
%nss_base_passwd "ou=data,dc=crans,dc=org?one"
else:
# Sur les autres serveurs on filtre pour que seuls
# les nounous et les apprentis le soit.
# Il est important de mettre ce filtrage au niveau de
# libnss-ldap et pam-ldap car ssh utilise pam pour les
# mots de passe mais pour l'authentification par clés
# il n'utilise que nss
%nss_base_passwd "ou=data,dc=crans,dc=org?one?|(droits=Nounou)(droits=Apprenti)"
%nss_base_shadow "ou=data,dc=crans,dc=org?one"
%nss_base_group "ou=Group,dc=crans,dc=org?one"
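Review bot: `%bindpw secrets.ldap_readonly_password` is written into libnss-ldap.conf, a file that has to be readable by every process doing name lookups, so the read-only credential is effectively public on each host; since the same DN is also set as `rootbinddn` with its password in /etc/libnss-ldap.secret (mode 600), the `binddn`/`bindpw` lines could be dropped in favour of an anonymous bind if the directory permits it, or kept with `@# read-only credential, considered public on this host`. The section header is not shown, so the target path is assumed to be /etc/libnss-ldap.conf. A small wording point: `communiquation` in the box comment should read `communication`.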


@ -0,0 +1,8 @@
# -*- mode: python; coding: utf-8 -*-
include("secrets")
if has("db-main"):
print secrets.ldap_password
else:
print secrets.ldap_readonly_password
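Review bot: If this is the /etc/libnss-ldap.secret template (the section header is not shown), the `has("db-main")` branch writes `secrets.ldap_password`, but libnss-ldap.conf in this commit sets `rootbinddn secrets.ldap_readonly_auth_dn` on every host, so on db-main the root bind would pair the admin password with the read-only DN and fail. Either drop the branch and always `print secrets.ldap_readonly_password`, or make rootbinddn in libnss-ldap.conf follow the same `has("db-main")` switch that pam_ldap.conf uses; the first option also keeps the admin password confined to /etc/ldap.secret.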

Python/etc/nsswitch.conf Normal file

@ -0,0 +1,29 @@
# -*- mode: python; coding: utf-8 -*-
header("""
Fichier de configuration des bases de donnees systemes (System
Databases) et du service de noms (Name Service Switch).
""")
if has("ldap"):
db="ldap"
def database(name, res):
print name + ": " + " ".join(res)
@# On utilise la base de donnee du crans pour tout ce qui est
@# compte unix
database("passwd", ["files", db])
database("group", ["files", db])
database("shadow", ["files", db])
@
database("hosts", ["files", "dns"])
database("networks", ["files"])
@
database("protocols", ["db", "files"])
database("services", ["db", "files"])
@
database("ethers", ["db", "files"])
database("rpc", ["db", "files"])
@
database("netgroup", ["nis"])


@ -0,0 +1,15 @@
# -*- mode: python; coding: utf-8 -*-
include("pam")
header("""
/etc/pam.d/common-account - authorization settings common to all services
This file is included from other service-specific PAM config files,
and should contain a list of the authorization modules that define
the central access policy for use on the system. The default is to
only deny service to users whose accounts are expired in /etc/shadow.
""")
print "account sufficient %s" % pam_module
print "account required pam_unix.so use_first_pass"


@ -0,0 +1,16 @@
# -*- mode: python; coding: utf-8 -*-
include("pam")
header("""
/etc/pam.d/common-auth - authentication settings common to all services
This file is included from other service-specific PAM config files,
and should contain a list of the authentication modules that define
the central authentication scheme for use on the system
(e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
traditional Unix authentication mechanisms.
""")
print "auth sufficient %s" % pam_module
print "auth required pam_unix.so nullok_secure use_first_pass"


@ -0,0 +1,30 @@
# -*- mode: python; coding: utf-8 -*-
include("pam")
header("""
/etc/pam.d/common-password - password-related modules common to all services
This file is included from other service-specific PAM config files,
and should contain a list of modules that define the services to be
used to change user passwords. The default is pam_unix
""")
@# The "nullok" option allows users to change an empty password, else
@# empty passwords are treated as locked accounts.
@#
@# (Add `md5' after the module name to enable MD5 passwords)
@#
@# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
@# login.defs. Also the "min" and "max" options enforce the length of the
@# new password.
print "password sufficient %s ignore_unknown_user md5 try_first_pass" % pam_module
print "password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass"
@# Alternate strength checking for password. Note that this
@# requires the libpam-cracklib package to be installed.
@# You will need to comment out the password line above and
@# uncomment the next two in order to use this.
@# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
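Review bot: The trailing comment block (`Alternate strength checking … uncomment the next two`) refers to pam_cracklib lines that do not exist in this template, while pam.xml in the same commit installs libpam-cracklib on db-server, so the package is installed but never used. Either emit the line conditionally, e.g. `if has("db-server"): print "password required pam_cracklib.so retry=3 minlen=8"` placed before the pam_unix line, or drop the dangling comment so the generated file does not promise an option it does not offer.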


@ -0,0 +1,16 @@
# -*- mode: python; coding: utf-8 -*-
include("pam")
header("""
/etc/pam.d/common-session - session-related modules common to all services
This file is included from other service-specific PAM config files,
and should contain a list of modules that define tasks to be performed
at the start and end of sessions of *any* kind (both interactive and
non-interactive). The default is pam_unix.
""")
print "session sufficient %s" % pam_module
print "session required pam_unix.so"
print "session required pam_mkhomedir.so"

Python/etc/pam_ldap.conf Normal file

@ -0,0 +1,87 @@
# -*- mode: python; coding: utf-8 -*-
include("mode/space")
include("secrets")
include("ip")
header("""
Fichier de configuration de libpam-ldap.
Pour des informations détaillées voir pam_ldap.conf(5)
""")
@# +----------------------------------------------------+
@# | Configuration de la communiquation avec le serveur |
@# +----------------------------------------------------+
@# The distinguished name of the search base.
%base "dc=crans,dc=org"
if has("db-server"):
# Le serveur principale ainsi que les réplica se connectent par
# socket unix
%uri "ldapi://%2fvar%2frun%2fslapd%2fldapi/"
else:
# Les autres c'est par le réseau
%uri "ldap://%s/" % admipof("ldap")
@# The LDAP version to use (defaults to 3
@# if supported by client library)
%ldap_version 3
if has("db-main"):
@# The distinguished name to bind to the server with
@# if the effective user ID is root. Password is
@# stored in /etc/ldap.secret (mode 600)
%rootbinddn secrets.ldap_auth_dn
else:
@# The distinguished name to bind to the server with.
@# Optional: default is to bind anonymously.
%binddn secrets.ldap_readonly_auth_dn
@# The credentials to bind with.
@# Optional: default is no credential.
%bindpw secrets.ldap_readonly_password
@# The port.
@# Optional: default is 389.
@#port 389
@# The search scope.
@#scope sub
%scope "one"
@#scope base
if not has("db-main"):
@# Search timelimit
%timelimit 5
@# Bind timelimit
%bind_timelimit 5
@# Do not hash the password at all; presume
@# the directory server will do it, if
@# necessary. This is the default.
%pam_password "exop"
@# +------------------+
@# | Bases de données |
@# +------------------+
# On n'utilise ldap pour résoudre les bases de données
# passwd, group et shadow
if has("users"):
# Sur le serveur des adhérents, on veut que tout
# les adhérents soit reconnus comme utilisateurs locaux
%nss_base_passwd "ou=data,dc=crans,dc=org?one"
else:
# Sur les autres serveurs on filtre pour que seuls
# les nounous et les apprentis le soit.
# Il est important de mettre ce filtrage au niveau de
# libnss-ldap et pam-ldap car ssh utilise pam pour les
# mots de passe mais pour l'authentification par clés
# il n'utilise que nss
%nss_base_passwd "ou=data,dc=crans,dc=org?one?|(droits=Nounou)(droits=Apprenti)"
%nss_base_shadow "ou=data,dc=crans,dc=org?one"
%nss_base_group "ou=Group,dc=crans,dc=org?one"
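Review bot: The network branch `%uri "ldap://%s/" % admipof("ldap")` carries no `ssl start_tls` / `tls_cacertfile` setting, so on non db-server hosts both the `bindpw` and every user password that pam_ldap binds with cross the network unencrypted (the db-server branch is fine, it uses the ldapi socket). Add `%ssl "start_tls"` and `%tls_cacertfile "/etc/ssl/certs/CAcrans.pem"` to the else branch, assuming the template's `%` form accepts them and the CA file is present on those hosts; the same applies to libnss-ldap.conf. Separately, the comment above `%pam_password "exop"` (`Do not hash the password at all … This is the default`) describes the `clear` mode, not exop, and should read `@# Use the LDAP password modify extended operation; the server applies its own hashing`.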


@ -12,6 +12,4 @@
<Package name="apt-mirror" version="0.4.4-4-crans1"/> <Package name="apt-mirror" version="0.4.4-4-crans1"/>
<Package name="vim" version="1:7.0-122+1etch3"/> <Package name="vim" version="1:7.0-122+1etch3"/>
<Package name="htop" version="0.6.3-1"/> <Package name="htop" version="0.6.3-1"/>
<Package name="darcs" version="1.0.9~rc1-0.1"/>
<Package name="bind9" version="1:9.3.4-2etch1"/>
</Rules> </Rules>


@ -37,4 +37,16 @@
<Directory name="/mirror/apt-mirror/var" owner="apt-mirror" group="apt-mirror" perms="0755"/> <Directory name="/mirror/apt-mirror/var" owner="apt-mirror" group="apt-mirror" perms="0755"/>
<Directory name="/mirror/apt-mirror/skel" owner="apt-mirror" group="apt-mirror" perms="0755"/> <Directory name="/mirror/apt-mirror/skel" owner="apt-mirror" group="apt-mirror" perms="0755"/>
<Directory name="/mirror/apt-mirror/mirror" owner="apt-mirror" group="apt-mirror" perms="0755"/> <Directory name="/mirror/apt-mirror/mirror" owner="apt-mirror" group="apt-mirror" perms="0755"/>
<Service name="ssh" status="on"/>
<!-- Suppression du groupe adm de /etc/group pour forcer sudo à regarder dans la base -->
<Action name="del-adm"
timing="post" when="modified" status="check"
command="grep '^adm:' /etc/group &amp;&amp;
a=$(mktemp) &amp;&amp;
awk -F':' '$1 != &quot;adm&quot;' &amp;&amp;
mv $a /etc/group &amp;&amp;
rm -f $a &amp;&amp;
grpconv"/>
</Rules> </Rules>
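Review bot: The `del-adm` command never writes the filtered group file: `awk -F':' '$1 != "adm"'` has no input file and no redirection, so it reads stdin and prints to stdout, and the following `mv $a /etc/group` then replaces /etc/group with the empty mktemp file (created 0600 under /tmp), which would break group lookups for every user. The awk and mv lines should become `awk -F':' '$1 != &quot;adm&quot;' /etc/group &gt; $a &amp;&amp;` and `cat $a &gt; /etc/group &amp;&amp;` (cat keeps the existing 0644 mode, and the `rm -f $a` that follows then has something to remove). If `status="check"` treats a non-zero exit as failure, the leading `grep '^adm:' /etc/group` will also flag the action as failed on every run after the group is gone, which is presumably not intended.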


@ -1,20 +0,0 @@
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#
#A ne modifier que sur VERT
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=crans, dc=org
#if "db-server" in $metadata.groups
URI ldapi://%2fvar%2frun%2fslapd%2fldapi/
TLS_CACERT /etc/ssl/certs/CAcrans.pem
#else
URI ldap://ldap.adm.crans.org
#end if
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

etc/python/pam.py Normal file

@ -0,0 +1,8 @@
# -*- mode: python; coding: utf-8 -*-
#
# Module pour pam
if has("ldap"):
pam_module = "pam_ldap.so"
else:
pam_module = ""