Login Script

  • 24-05-2006 3:36pm
    #1
    Registered Users, Registered Users 2 Posts: 15,817 ✭✭✭✭


    Bit of a weird one, and I'm feeling a little bit out of my depth, but this is something I want to learn:
    We have an LDAP server for user accounts. Currently, users can log in to Windows suites [default] or [when enabled] Suse Desktop suites. User's network drives are spread across a few netware servers, so for users that have Linux suite logins enabled, their homeDirectory attribute reads something like /home/[NWservername]/[dirOnNWserver]/[userid].
    I'm putting together a SLES 9 system to provide a programming environment for two or 3 faculties, each with their own [partially overlapping] requirements (eg C,C++,Java,Python,LAMP with CVS).
    I have LDAP authentication working; that is to say, I can login but then get dumped in / with bare bash.
    We are going to use local homedirs in the form /home/[userid], and I wish to have access control.
    This is where I'm stuck.
    I'm thinking of using a flat-file of valid userids as input to a script that generates a homedir if one doesn't exist already for each userid in the flat file, chown [userid]:users /home/[userid], and chmod 701 /home/[userid].
    If a user doesn't have any Linux-related LDAP attributes (i.e. loginshell:, homeDirectory:, uidNumber: etc.), they can't log in at the moment - I've a feeling I'm missing something.
    That is fine, I'll be using the same flat text file for a script to make the relevant modifications to the valid users' LDAP entries. However, I would rather something a little more robust, as if a user has Linux suite logins enabled, they can still log into the box but won't have a homedir, which isn't good.
    I'm not exactly au fait with what LDAP can achieve, but I'd like to see it have a separate group of attributes for this server/environment, where only users with these attributes can log in.

    Does anyone have a clue what I'm on about?
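The provisioning script the post above sketches (a flat file of userids, create any missing homedir, chown userid:users, chmod 701), written out as a POSIX sh function. This is an added example, not code from the thread; the HOME_ROOT variable, the homedir_mode helper and the /etc/linux-suite-users.txt path are assumptions. It also rejects list entries that are not plain account names, since a stray "../x" in the flat file would otherwise create a directory outside the home root.

```sh
#!/bin/sh
# Added example, not a script from the thread: provision local home
# directories from a flat file of userids, as the original post proposes:
# create the directory if it is missing, chown userid:users, chmod 701.
# HOME_ROOT is a hypothetical knob so the function can be exercised against
# a scratch directory without touching the real /home.
HOME_ROOT="${HOME_ROOT:-/home}"

# make_homedirs <userlist-file> [home-root]
# One userid per line; blank lines and '#' comments are ignored.
# Returns 0 if every listed directory exists with mode 701 afterwards,
# 1 if any userid was rejected or any mkdir/chmod failed.
make_homedirs() {
    list="$1"
    root="${2:-$HOME_ROOT}"
    status=0
    while IFS= read -r uid || [ -n "$uid" ]; do
        # drop trailing comments and surrounding whitespace
        uid=$(printf '%s' "$uid" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$uid" ] && continue
        # accept only a plain account name: the list is input we do not fully
        # trust, and "../something" would otherwise escape the home root
        case "$uid" in
            .|..|*/*|*[!A-Za-z0-9._-]*)
                echo "rejecting bad userid: '$uid'" >&2
                status=1
                continue ;;
        esac
        dir="$root/$uid"
        if [ ! -d "$dir" ]; then
            mkdir -p "$dir" || { status=1; continue; }
        fi
        # chown only works as root and only for an account NSS can resolve;
        # otherwise warn and carry on so a later run can fix ownership
        if [ "$(id -u)" -eq 0 ] && id "$uid" >/dev/null 2>&1; then
            chown "$uid:users" "$dir" || status=1
        else
            echo "not chowning $dir (not root, or $uid not resolvable)" >&2
        fi
        # 701: owner has full access; others may traverse (e.g. to reach
        # public_html) but cannot list the directory
        chmod 701 "$dir" || status=1
    done < "$list"
    return "$status"
}

# homedir_mode <dir> prints the octal permission bits (GNU stat), for auditing
homedir_mode() {
    stat -c '%a' "$1"
}

# Usage as root against the real tree (hypothetical path for the flat file):
#   make_homedirs /etc/linux-suite-users.txt
```

Running it a second time is harmless: existing directories are left alone apart from having their mode re-asserted, so the same list can be replayed after the LDAP entries are fixed to pick up the chown that was skipped earlier.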


Comments

  • Hosted Moderators Posts: 7,486 ✭✭✭Red Alert


    Sort-of...

    what's your Netware setup like? Are you using NDS? If so, your problems could be over. Post a bit about it and I might be able to help you.

    Assuming you can logon at all to a machine through LDAP, pam_mkhomedir will create the directory for you.


  • Registered Users, Registered Users 2 Posts: 15,817 ✭✭✭✭po0k


    Yeah, just after finding that this afternoon after spending the morning arsing trying to reinvent the wheel, only to be shown how easy it was (Thx Niall)

    {edit}I think I've got the majority of the basics sorted, have enabled pam_mkhomedir in /etc/pam.d/sshd with the following line:
    • session required pam_mkhomedir.so skel=/root/test/skel umask=0022

    SLES9.3 RC5 (SP3) doesn't seem to have pam_mkhomedir though, can't find it with a search in YaST, updating package lists using a Novell account, possibly a JoePleb-type account, apparently it has been added to our licence group but things aren't working nicely. I really miss apt and debian.{/edit}
    ffs *sigh*

    I'm now getting more clued in to what LDAP can do, though without any real access to our server. The Netware stuff is pretty much handled by one guy and he's quite busy and therefore hard to get hold of.

    Is it possible to use pam_filter successfully in combination with LDAP as a method of limiting/controlling who can login to what host?

    Or specifying per-host homeDirectory: entries for each user?

    That *should* <?> mostly solve the ACL requirement and the possible homeDir conflict with the ordinary linux suites.


  • Registered Users, Registered Users 2 Posts: 15,817 ✭✭✭✭po0k


    got pam_mkhomedir working.
    login as: mrjangles
    Using keyboard-interactive authentication.
    Password:
    Creating directory '/home/mrjangles'.
    Creating directory '/home/mrjangles/bin'.
    Creating directory '/home/mrjangles/Documents'.
    Creating directory '/home/mrjangles/public_html'.
    Creating directory '/home/mrjangles/.xemacs'.
    Creating directory '/home/mrjangles/.fonts'.
    Last login: T-1
    mrjangles@host:~> ls
    bin Documents public_html


  • Registered Users, Registered Users 2 Posts: 15,817 ✭✭✭✭po0k


    Issue with mkhomedir.

    Point of info: 'LDAP server' is Novell eDirectory with NDS-> LDAP mappings.
    Bulk of users with functional linux suite accounts have the following set:
    homeDirectory: /home/netwareserver/dir/uid
    As the admin isn't particularly enthusiastic (yet) about creating a new attributetype or objectclass entry in the schema of a live (and working) system for something like homeDirectoryLocal: or objectclass: xyzAccount to service my project's needs, we tried to work around as follows:
    [NDS] Postal Code -> homeDirectoryLocal [LDAP]
    I put nss_map_attribute homeDirectory homeDirectoryLocal in ldap.conf and tried to log in using a test account. It bitched about not being able to create homedir /home/x/y/uid and failed (as it should, I'm still tweaking pam).
    On the test account we tried, ldapsearch -foo uid="testuserid" returned attribute PostalCode: /home/[uid] instead of homeDirectoryLocal.
    "Aaah, gotcha" I thought, changed nss_map_attribute homeDirectory postalCode and tried again.
    Same story.

    Am I missing a trick here?

    2nd issue is that NDS doesn't seem to have a host: attribute or equivalent, nor is there a host: mapping from LDAP to an NDS attribute.
    I was previously under the impression that host: was a standard attribute?
    I want to use pam_check_host_attr yes

    I'm *getting* there.
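A model of the two controls asked about in the post above, added here as an example rather than anything from the thread or from nss_ldap/pam_ldap themselves: reading an LDIF export, it takes the home directory from whichever attribute is named (the effect of nss_map_attribute homeDirectory postalCode) and admits only entries whose host: attribute names the local machine (the effect of pam_check_host_attr yes), printing a passwd-style line for each admitted account and the reason for each refusal on stderr. The LDIF entries, the hostnames devbox/otherbox and the ldif_passwd function name are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the thread: given an LDIF export of user entries,
# report which accounts would get a shell on this host under the setup the
# thread describes (remapped homeDirectory, host: attribute required).
# This is a model of what nss_ldap/pam_ldap do, run against a file; it
# does not talk to a directory. All entry values below are constructed.

LDIF_SAMPLE='dn: cn=alice,ou=users,o=example
uid: alice
uidNumber: 1001
gidNumber: 100
loginShell: /bin/bash
homeDirectory: /home/nwserver1/staff/alice
postalCode: /home/alice
host: devbox

dn: cn=bob,ou=users,o=example
uid: bob
uidNumber: 1002
gidNumber: 100
loginShell: /bin/bash
homeDirectory: /home/nwserver1/staff/bob
PostalCode: /home/bob
host: otherbox

dn: cn=carol,ou=users,o=example
uid: carol
postalCode: /home/carol
host: devbox
'

# ldif_passwd <ldif-file> <this-host> <home-attr>
# Prints one passwd-style line per entry that has every POSIX attribute and
# lists <this-host> in a host: attribute. Entries missing something are
# reported on stderr with the reason, the way a refused login would be logged.
ldif_passwd() {
    awk -v host="$2" -v homeattr="$3" '
    function flush() {
        if (uid == "") return
        missing = ""
        if (uidn == "")  missing = missing " uidNumber"
        if (gidn == "")  missing = missing " gidNumber"
        if (shell == "") missing = missing " loginShell"
        if (home == "")  missing = missing " " homeattr
        if (!hostok)     missing = missing " host=" host
        if (missing != "")
            print "deny " uid ":" missing > "/dev/stderr"
        else
            print uid ":x:" uidn ":" gidn "::" home ":" shell
    }
    function reset() { uid = ""; uidn = ""; gidn = ""; shell = ""; home = ""; hostok = 0 }
    BEGIN { reset() }
    /^$/            { flush(); reset(); next }   # blank line ends an entry
    /^uid: /        { uid = $2 }
    /^uidNumber: /  { uidn = $2 }
    /^gidNumber: /  { gidn = $2 }
    /^loginShell: / { shell = $2 }
    # LDAP attribute names are case-insensitive, so PostalCode: and
    # postalCode: are the same attribute; compare them case-folded
    tolower($1) == tolower(homeattr ":") { home = $2 }
    /^host: /       { if ($2 == host) hostok = 1 }
    END { flush() }
    ' "$1"
}

# Usage (hostname devbox is hypothetical):
#   printf '%s\n' "$LDIF_SAMPLE" > /tmp/users.ldif
#   ldif_passwd /tmp/users.ldif devbox postalCode
```

Run against an ldapsearch export of the live directory with stderr sent to a file, this gives a quick audit of who would get a shell on the box and why everyone else is refused. An entry with no host: attribute at all is refused, which matches the documented behaviour of pam_check_host_attr yes when a user has no value for host, so a directory whose schema lacks the attribute (as the post found with NDS) would lock everyone out rather than let everyone in.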


  • Registered Users, Registered Users 2 Posts: 15,817 ✭✭✭✭po0k


    Ok, translation is working.
    However, pam_mkhomedir isn't creating homedirs for new users.
    login as: [uid]
    Using keyboard-interactive authentication.
    Password:
    Last login: bleh
    Could not chdir to home directory /home/[uid]: No such file or directory
    [uid]@host:/>
    
    so something's going wrong between pam_ldap.so fetching homeDirectory: and/or postalCode: and the hand-off to pam_mkhomedir.so

    Going to try pam_warn.so to see if I can get more info out of what's going on.

