Package: freedombox-setup
Severity: wishlist
Tags: patch

The attached patch will allow some LDAP users to log in to the system. To
log in, the user must have objectClass posixAccount, and also must be
in the admin group. I will also make a pull request for Plinth to set up
users and manage groups.
From 87744b5b773f1206f306aa8b07cde8c3176e8a00 Mon Sep 17 00:00:00 2001
From: James Valleroy <jvalle...@mailbox.org>
Date: Wed, 8 Jul 2015 19:46:27 -0400
Subject: [PATCH 1/2] Configure PAM for LDAP user logins.

---
 setup.d/30_ldap-server | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/setup.d/30_ldap-server b/setup.d/30_ldap-server
index 358c922..e78508d 100755
--- a/setup.d/30_ldap-server
+++ b/setup.d/30_ldap-server
@@ -21,3 +21,9 @@ objectClass: organizationalUnit
 ou: groups
 
 EOF
+
+# Configure PAM for LDAP user logins
+echo nslcd nslcd/ldap-sasl-mech select EXTERNAL | debconf-set-selections
+echo libnss-ldapd libnss-ldapd/nsswitch multiselect group, passwd, shadow \
+    | debconf-set-selections
+DEBIAN_FRONTEND=noninteractive apt-get install -y nslcd libpam-ldapd libnss-ldapd
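Review bot: the debconf preseed in this hunk selects the SASL mechanism (nslcd/ldap-sasl-mech) but never preseeds the server URI or search base, so under DEBIAN_FRONTEND=noninteractive the generated /etc/nslcd.conf carries whatever the package picks by default for those two settings, which need not be the local ldapi:/// socket or the dc=thisbox base that the memberOf filter appended later in setup.d/30_ldap-server assumes. Preseed them next to the mechanism, e.g. `echo nslcd nslcd/ldap-uris string ldapi:/// | debconf-set-selections` and `echo nslcd nslcd/ldap-base string dc=thisbox | debconf-set-selections`, and state in the comment that EXTERNAL only works over ldapi:/// (peer-credential authentication), so a remote URI would silently break lookups.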
-- 
2.1.4


From bb2d589cd4cc8b66d05b31b44f2a0ae4dbf3b191 Mon Sep 17 00:00:00 2001
From: James Valleroy <jvalle...@mailbox.org>
Date: Sun, 12 Jul 2015 12:32:38 -0400
Subject: [PATCH 2/2] Allow only users in admin group to login.

---
 first-run.d/50_ldap-server | 15 +++++++++++++++
 setup.d/30_ldap-server     |  5 +++++
 2 files changed, 20 insertions(+)

diff --git a/first-run.d/50_ldap-server b/first-run.d/50_ldap-server
index 6b45da8..e8051fe 100755
--- a/first-run.d/50_ldap-server
+++ b/first-run.d/50_ldap-server
@@ -12,4 +12,19 @@ changetype: modify
 replace: olcRootDN
 olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: memberof.la
+
+EOF
+
+cat <<EOF |ldapadd -Y EXTERNAL -H ldapi:///
+dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
+objectClass: olcConfig
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: top
+olcOverlay: memberof
+
 EOF
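Review bot: the memberof overlay is added with all defaults, which means it only maintains memberOf for groups of objectClass groupOfNames using the member attribute, and only for memberships changed after the overlay is loaded; the admin group that the nslcd filter keys on must therefore be created that way (not as a posixGroup with memberUid), and this constraint belongs in a comment next to the overlay LDIF since nothing here enforces it. Two smaller points: the first-run script is not re-runnable, because both the `add: olcModuleLoad` modify and the `ldapadd` of olcOverlay={0}memberof fail if the entry already exists, whereas setup.d/30_ldap-server guards its change with grep, so consider an `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config` check before each; and adding `olcMemberOfRefInt: TRUE` to the overlay entry would make deleting a user also drop it from the group's member list instead of leaving a dangling DN.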
diff --git a/setup.d/30_ldap-server b/setup.d/30_ldap-server
index e78508d..6d96c87 100755
--- a/setup.d/30_ldap-server
+++ b/setup.d/30_ldap-server
@@ -27,3 +27,8 @@ echo nslcd nslcd/ldap-sasl-mech select EXTERNAL | debconf-set-selections
 echo libnss-ldapd libnss-ldapd/nsswitch multiselect group, passwd, shadow \
     | debconf-set-selections
 DEBIAN_FRONTEND=noninteractive apt-get install -y nslcd libpam-ldapd libnss-ldapd
+
+# Only users in admin group can login
+if ! grep -q "filter passwd (&(objectClass=posixAccount)(memberOf=cn=admin,ou=groups,dc=thisbox))" /etc/nslcd.conf ; then
+    echo "filter passwd (&(objectClass=posixAccount)(memberOf=cn=admin,ou=groups,dc=thisbox))" >>/etc/nslcd.conf
+fi
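Review bot: the filter is appended after the apt-get install in the previous hunk has already run nslcd's postinst, so on a live system the daemon keeps serving the unfiltered passwd map until it is restarted; add `service nslcd restart` (or `invoke-rc.d nslcd restart`) after the append, or write the filter before the install. Use `grep -qF` for the guard, since the line is currently matched as a regex and only works because it happens to contain no BRE metacharacters. Also worth noting in the comment: `filter passwd` narrows only the passwd map, while the group and shadow maps stay unfiltered, which is enough to gate logins but still exposes non-admin group data through NSS.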
-- 
2.1.4
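The passwd-map filter the patch appends to /etc/nslcd.conf is what decides which LDAP entries become visible as Unix users, and so who can log in. As an added, stand-alone illustration (not code from freedombox-setup or Plinth), the Python below parses that filter and evaluates it against a constructed sample directory; the DNs under dc=thisbox and the four sample users are assumptions, including one user whose group membership is recorded only as memberUid in a posixGroup, which the memberof overlay does not translate into a memberOf attribute.

```python
"""Evaluate the nslcd passwd-map filter from the patch against sample LDAP
entries.  Added illustration, not freedombox-setup or Plinth code; the
entries below are constructed and the DNs under dc=thisbox are assumed."""

# The filter appended to /etc/nslcd.conf by the patch.
ADMIN_FILTER = "(&(objectClass=posixAccount)(memberOf=cn=admin,ou=groups,dc=thisbox))"


def parse_filter(expr):
    """Parse a minimal RFC 4515 filter: (&...), (|...), (!...) and attr=value.
    No substring, presence or extensible matching; enough for nslcd's filter."""
    node, end = _parse(expr, 0)
    if end != len(expr):
        raise ValueError("trailing data after filter at offset %d" % end)
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        return (op, children), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated simple filter at offset %d" % i)
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError("expected attr=value at offset %d" % i)
    return ("=", attr, value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict: lowercase attr -> list).
    Names and values compare case-insensitively, as the caseIgnore and DN
    syntaxes used by objectClass and memberOf do."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))


# Constructed sample directory (assumed DNs under dc=thisbox).
SAMPLE_ENTRIES = {
    "uid=alice,ou=users,dc=thisbox": {  # posixAccount and admin: can log in
        "objectclass": ["inetOrgPerson", "posixAccount"],
        "uid": ["alice"],
        "memberof": ["cn=admin,ou=groups,dc=thisbox"],
    },
    "uid=bob,ou=users,dc=thisbox": {  # posixAccount but not admin: hidden
        "objectclass": ["inetOrgPerson", "posixAccount"],
        "uid": ["bob"],
        "memberof": ["cn=users,ou=groups,dc=thisbox"],
    },
    "uid=carol,ou=users,dc=thisbox": {  # admin but no posixAccount: hidden
        "objectclass": ["inetOrgPerson"],
        "uid": ["carol"],
        "memberof": ["cn=admin,ou=groups,dc=thisbox"],
    },
    "uid=dave,ou=users,dc=thisbox": {  # admin only via memberUid in a posixGroup,
        "objectclass": ["inetOrgPerson", "posixAccount"],  # so the memberof overlay
        "uid": ["dave"],  # never populated memberOf: hidden
    },
}


def visible_users(entries, flt=ADMIN_FILTER):
    """Return the uids nslcd would expose through the passwd map under `flt`."""
    node = parse_filter(flt)
    return sorted(e["uid"][0] for e in entries.values() if matches(node, e))


if __name__ == "__main__":
    print(visible_users(SAMPLE_ENTRIES))
```

Running the block prints `['alice']`: only the entry that is both a posixAccount and carries the admin memberOf value is exposed, and dave shows why the overlay's default group object class matters for this patch.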
