What is this about?
This page gives a few pointers and explanations on how to set up your own integrated network server system for an internet workspace as presented [http://squat.net/connect/wiki/moin.cgi/PublicInternetWorkspace here].
What do I need?
To implement such a solution, you'll need a number of services and features:
* A centralized fileshare, either with NFS or Samba
* A centralized login and user database running on LDAP
* A uniform login configuration on all machines using PAM
* A centralized installation scheme like FAI
Each of the services needed will be discussed separately.
How do I do it?
Starting with login
For quite some time now, Linux has featured PAM (Pluggable Authentication Modules). Since we want an integrated setup, I'll start explaining how to combine PAM with LDAP right away. To begin with, install the right software. On Debian this means the following packages:
- ldap
- libldap2
- libpam-ldap
- libnss-ldap
- slapd
First, configure your LDAP server to have a basic tree and an admin dn. Since it doesn't make sense to rewrite already existing documentation, you can refer to the [http://www.tldp.org/HOWTO/LDAP-HOWTO/ Linux LDAP HOWTO] for this. In the configuration for your LDAP server (slapd.conf) you will have to define a root dn. This is an account which has full access to all entries in the LDAP database and is not subject to the access control rules, so treat its password like the root password of the server: set it with the rootpw directive as a hash generated by slappasswd rather than in cleartext, and keep slapd.conf readable by root only. Once you have the LDAP server running, it is very useful to install phpldapadmin. This is a Debian package which provides you with a nice web-based interface to manage your LDAP data. Entering and changing data in the LDAP database can be very tedious without a GUI frontend like this. It is useful to create a number of subtrees in the directory for later user data and so on. In the examples used here, the main tree is dc=my,dc=org and contains the subtrees ou=system-users,dc=my,dc=org; ou=users,dc=my,dc=org and ou=groups,dc=my,dc=org. Once you have these, it is advisable to create an LDAP account which can later be used for less than fully privileged access, so that the clients never have to know the root dn's password. In this example that account will be called uid=operator,ou=system-users,dc=my,dc=org
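The bootstrap of the directory described above (base object, the three subtrees and the operator account) can be scripted instead of clicked together. The following is an added example and not code from the original page; it assumes slapd.conf includes cosine.schema and nis.schema, uses dc=my,dc=org as suffix and cn=admin,dc=my,dc=org as root dn, and it also generates a sample posixAccount user and posixGroup (names alice and staff are placeholders) so that the NSS maps configured later have something to find. Passwords are written as {SSHA} hashes, so no cleartext password ends up in the LDIF.

```python
"""Generate the bootstrap LDIF for the dc=my,dc=org layout used on this page."""
import base64
import hashlib
import hmac
import os

BASE_DN = "dc=my,dc=org"
SUBTREES = ("system-users", "users", "groups")


def ssha(password, salt=None):
    """OpenLDAP {SSHA} password hash: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against an {SSHA} value, the way slapd does on bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def entry(dn, **attrs):
    """Render one LDIF entry; list values become repeated attribute lines."""
    lines = ["dn: " + dn]
    for name, value in attrs.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        lines.extend("%s: %s" % (name, v) for v in values)
    return "\n".join(lines) + "\n"


def bootstrap_ldif(operator_password):
    """Base object, the three subtrees and the low-privilege operator account."""
    parts = [entry(BASE_DN, objectClass=["top", "dcObject", "organization"],
                   dc="my", o="my.org")]
    for ou in SUBTREES:
        parts.append(entry("ou=%s,%s" % (ou, BASE_DN),
                           objectClass=["top", "organizationalUnit"], ou=ou))
    # The account the clients bind with: it needs a userPassword and nothing else.
    parts.append(entry("uid=operator,ou=system-users,%s" % BASE_DN,
                       objectClass=["top", "account", "simpleSecurityObject"],
                       uid="operator", userPassword=ssha(operator_password)))
    return "\n".join(parts)


def posix_user(uid, uid_number, gid_number, full_name, password):
    """A login user as NSS and PAM expect it (posixAccount + shadowAccount)."""
    return entry("uid=%s,ou=users,%s" % (uid, BASE_DN),
                 objectClass=["top", "account", "posixAccount", "shadowAccount"],
                 uid=uid, cn=full_name, uidNumber=uid_number,
                 gidNumber=gid_number, homeDirectory="/home/" + uid,
                 loginShell="/bin/bash", userPassword=ssha(password))


def posix_group(name, gid_number, members=()):
    """A group for ou=groups; memberUid lists the uids of its members."""
    return entry("cn=%s,ou=groups,%s" % (name, BASE_DN),
                 objectClass=["top", "posixGroup"], cn=name,
                 gidNumber=gid_number, memberUid=list(members))


if __name__ == "__main__":
    import sys
    # Placeholder passwords for the demo; read real ones from a prompt or a file.
    sys.stdout.write(bootstrap_ldif("operator-secret"))
    sys.stdout.write("\n" + posix_group("staff", 1000, ["alice"]))
    sys.stdout.write("\n" + posix_user("alice", 1000, 1000, "Alice Example",
                                       "alice-secret"))
```

Feed the output to the server as the root dn, letting ldapadd prompt for the password instead of passing it on the command line where ps would show it: python3 bootstrap_ldif.py | ldapadd -x -D cn=admin,dc=my,dc=org -W. The operator account is created with only a userPassword, so what it can read is decided purely by the access rules in slapd.conf.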
After your LDAP server is running, you need to make PAM on each client aware of it. The clients all need the packages ldap, libnss-ldap and libpam-ldap installed. Once this is done, create or edit the files /etc/pam_ldap.conf and /etc/libnss-ldap.conf. Those two files can look exactly the same, even though some directives are used only by PAM and others only by NSS; PAM and NSS together provide the interface between the login mechanism and the LDAP database. Both files are read by unprivileged processes (every program that resolves a user name goes through NSS), so they are not secret and must never contain the root dn's password: the rootbinddn directive makes PAM and NSS read that password from a separate root-only file (mode 0600; on Debian these are /etc/pam_ldap.secret and /etc/libnss-ldap.secret). Here's what a minimal config would look like:
```
host 127.0.0.1
base dc=my,dc=org
binddn uid=operator,ou=system-users,dc=my,dc=org
bindpw XXXXX
rootbinddn cn=admin,dc=my,dc=org
scope sub
nss_base_passwd ou=users,dc=my,dc=org?one
nss_base_shadow ou=users,dc=my,dc=org?one
nss_base_group ou=groups,dc=my,dc=org?one
```
All of the above directives, except the last three, should be clear to you if you read the LDAP HOWTO (if you didn't read it yet, do it now!). The last three lines are the crucial bit: with those you tell PAM and NSS where in the LDAP database to look for what would normally be found in /etc/passwd, /etc/shadow and /etc/group. The "?one" after each base restricts that map to the direct children of the subtree and overrides the global "scope sub" for it. Two things to keep in mind: the bindpw is only as secret as the file it sits in, which every process that resolves user names has to be able to read, so the operator account should be allowed to read no more than the posix attributes; and the shadow map only hands out password hashes if that account may read userPassword, which pam_ldap does not need (it checks a password by binding to the server as the user), so deny the operator that attribute or every local user can read every hash. Note also that host 127.0.0.1 only makes sense on the server itself; on a client it points at the client's own machine. If you look in the default config which you get with your package, you will see that there is much more you can look up through LDAP this way, but for now we will deal with login stuff only.
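To make the checks above concrete, here is an added example (not code from the original page) that lints a pam_ldap.conf or libnss-ldap.conf for the points just discussed: a bindpw in a file every local process can read, cleartext LDAP traffic to a remote server, TLS without certificate verification, and missing nss_base_* maps. The two sample configs are constructed here: the weak one is the page's minimal config with host pointed at a remote server (the name ldap.my.org is a placeholder), as it would be on a client; the hardened one uses start_tls with peer checking and drops binddn/bindpw, which assumes the server's access rules allow anonymous reads of the posix attributes.

```python
"""Lint a pam_ldap.conf / libnss-ldap.conf for the problems discussed above."""

LOOPBACK = ("127.0.0.1", "localhost", "::1")
NSS_MAPS = ("nss_base_passwd", "nss_base_shadow", "nss_base_group")

# Constructed sample: the page's minimal config with "host" pointed at a
# remote server (placeholder name ldap.my.org), as it would be on a client.
WEAK_CONF = """\
host ldap.my.org
base dc=my,dc=org
binddn uid=operator,ou=system-users,dc=my,dc=org
bindpw XXXXX
rootbinddn cn=admin,dc=my,dc=org
scope sub
nss_base_passwd ou=users,dc=my,dc=org?one
nss_base_shadow ou=users,dc=my,dc=org?one
nss_base_group ou=groups,dc=my,dc=org?one
"""

# Constructed hardened variant: TLS with certificate checking and no bindpw
# (assumes the server lets anonymous clients read the posix attributes).
HARDENED_CONF = """\
host ldap.my.org
base dc=my,dc=org
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/my-org-ca.pem
rootbinddn cn=admin,dc=my,dc=org
scope sub
nss_base_passwd ou=users,dc=my,dc=org?one
nss_base_shadow ou=users,dc=my,dc=org?one
nss_base_group ou=groups,dc=my,dc=org?one
"""


def parse_conf(text):
    """Directive -> value; the first word is the directive, the rest the value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint(text):
    """Return (code, message) findings; an empty list means nothing to fix."""
    conf = parse_conf(text)
    findings = []
    # These files are read by every process doing name lookups, so a bindpw
    # in them is a secret shared with all local users.
    if "bindpw" in conf:
        findings.append(("BINDPW_IN_FILE",
                         "bindpw sits in a file unprivileged processes read; "
                         "restrict the bind account to read-only posix data, "
                         "or drop binddn/bindpw and allow anonymous reads"))
    hosts = conf.get("host", "").split()
    uri = conf.get("uri", "").lower()
    remote = any(h not in LOOPBACK for h in hosts) or \
        (uri != "" and not any(lb in uri for lb in LOOPBACK))
    encrypted = conf.get("ssl", "").lower() in ("start_tls", "on", "yes") \
        or uri.startswith("ldaps://")
    if remote and not encrypted:
        findings.append(("CLEARTEXT",
                         "lookups and bind passwords cross the network in the "
                         "clear; add 'ssl start_tls' or use an ldaps:// uri"))
    if encrypted and conf.get("tls_checkpeer", "").lower() != "yes":
        findings.append(("NO_CERT_CHECK",
                         "set 'tls_checkpeer yes' (plus tls_cacertfile) so an "
                         "impostor server cannot harvest bind passwords"))
    for directive in NSS_MAPS:
        if directive not in conf:
            findings.append(("MISSING_" + directive.upper(),
                             directive + " is unset; NSS will search the whole "
                             "base with the global scope for that map"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":")
        for code, message in lint(text) or [("OK", "no findings")]:
            print("  %-16s %s" % (code, message))
```

Run it against a real file with lint(open("/etc/libnss-ldap.conf").read()). The ssl, tls_checkpeer and tls_cacertfile directives are the ones pam_ldap and nss_ldap understand for TLS; dropping binddn only works once the server's access rules grant anonymous clients read access to the posix attributes while keeping userPassword limited to "by anonymous auth" and "by self write".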
Now that PAM and NSS know that there is an LDAP database, you also need to tell them to use it.