[debian-edu-commits] r80265 - in trunk/src/educlient: debian etc etc/NetworkManager/dispatcher.d etc/default etc/ldap
gfwp-guest at alioth.debian.org
Wed May 29 05:47:03 UTC 2013
Author: gfwp-guest
Date: 2013-05-29 05:47:02 +0000 (Wed, 29 May 2013)
New Revision: 80265
Removed:
trunk/src/educlient/etc/ldap.conf
Modified:
trunk/src/educlient/debian/README.Debian
trunk/src/educlient/debian/changelog
trunk/src/educlient/debian/control
trunk/src/educlient/debian/install
trunk/src/educlient/etc/NetworkManager/dispatcher.d/02debian-edu-config
trunk/src/educlient/etc/auto.master
trunk/src/educlient/etc/auto.net
trunk/src/educlient/etc/auto.smb
trunk/src/educlient/etc/autofs_ldap_auth.conf
trunk/src/educlient/etc/default/autofs
trunk/src/educlient/etc/default/nfs-common
trunk/src/educlient/etc/idmapd.conf
trunk/src/educlient/etc/krb5.conf
trunk/src/educlient/etc/ldap/ldap.conf
trunk/src/educlient/etc/nslcd.conf
trunk/src/educlient/etc/nsswitch.conf
Log:
Second preliminary educlient 0.6-1
Modified: trunk/src/educlient/debian/README.Debian
===================================================================
--- trunk/src/educlient/debian/README.Debian 2013-05-29 05:41:42 UTC (rev 80264)
+++ trunk/src/educlient/debian/README.Debian 2013-05-29 05:47:02 UTC (rev 80265)
@@ -23,37 +23,21 @@
OS DEPENDANT NOTES:
-Debian Wheezy / Sid:
- Should work out of the box.
+Debian Jessie / Sid:
+ Note tested.
-Debian Squeeze
- Not tested, of course. Pick DebianEdu workstation instead !
+Debian Wheezy
+ Not tested.
-Ubuntu 10.04
- Works very fine; Keep care of putting in GOsa the SAME hostname
- that is present in /etc/hostname or alternatively,
- you'll have to set it manually as root editing /etc/hostname.
- The automatic update of the hostname from the server is
- actually not working on this OS. (Old network-manager problem)
-
-Ubuntu 11.04
- Works out of the box. The system complains at login that
- ICEauthority cannot be updated, but after this the login is
- complete. Probably the gdm starts too quickly, before the
- complete export of the NFS4 share directories. KDM may work better?
-
-Ubuntu 11.10
- Works out of the box, but prior to installation it is mandatory
- to replace the lightdm login manager. Choose gdm or kdm at your taste.
-
Ubuntu 12.04 (fresh install, daily build 11 march 2012)
Works, with hassle for the login manager. Lightdm doesn't allow
remote user selection. Gdm at the moment is broken. Kdm works.
- Apparently I got also problems in connecting to GOsa with
- the provided Firefox. GOsa registration succeeded from another
- machine.
+ The workstation needs to be added manually into GOsa as network
+ device; sitesummary2ldap doesn't detect the machine.
+
+Ubuntu 13.04
-Feel free to test with other OS, like Ubuntu 10.10, Knoppix, Mint, or
+Feel free to test with other OS, Knoppix, Mint, or
whatever. In such a case, PLEASE, give a feedback in the debian-edu
mailing list.
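Review bot: the new "Debian Jessie / Sid" entry reads "Note tested." where "Not tested." is clearly meant, and the added "Ubuntu 13.04" heading has no status line under it, so a reader cannot tell whether it was tested; either add the result or drop the heading until there is one. The "Debian Wheezy: Not tested." line also sits oddly beside the changelog entry that says the config files were updated for wheezy; if wheezy is the target release, note what was actually verified.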
Modified: trunk/src/educlient/debian/changelog
===================================================================
--- trunk/src/educlient/debian/changelog 2013-05-29 05:41:42 UTC (rev 80264)
+++ trunk/src/educlient/debian/changelog 2013-05-29 05:47:02 UTC (rev 80265)
@@ -1,14 +1,10 @@
educlient (0.6-1) UNRELEASED; urgency=low
- [ Petter Reinholdtsen ]
- * Remove LDAP shema and SSL certificate script files, that are only
- useful on the LDAP server.
- * Put files in /usr/ as part of the package, and stop using divert
- to put them in place. No need to use postinst setup to make the
- binaries and perl module available.
- * Refresh krb5.conf content from wheezy and remove all unused settings.
+ * Removed unused files (ldap schemas and certificates)
+ * Updated config files for wheezy
+ * Updated README.Debian
- -- Petter Reinholdtsen <pere at debian.org> Tue, 28 May 2013 22:34:17 +0200
+ -- Giorgio Pioda <gfwp at ticino.com> Tue, 28 May 2013 16:10:31 +0200
educlient (0.5-1) unstable; urgency=low
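Review bot: this hunk drops the "[ Petter Reinholdtsen ]" block and its three bullets, which were the record of who removed the LDAP schema files and moved the /usr tree into the package; the Debian changelog convention for several contributors to one version is to keep each person's "[ Name ]" block rather than replace it, so restore that block and add a "[ Giorgio Pioda ]" block with the new bullets. The new trailer line also carries an earlier timestamp (16:10:31) than the one it replaces (22:34:17), so the entry now predates work it describes.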
Modified: trunk/src/educlient/debian/control
===================================================================
--- trunk/src/educlient/debian/control 2013-05-29 05:41:42 UTC (rev 80264)
+++ trunk/src/educlient/debian/control 2013-05-29 05:47:02 UTC (rev 80265)
@@ -11,7 +11,7 @@
Package: educlient
Architecture: all
-Pre-Depends: ntp, krb5-user, krb5-config, krb5-clients, krb5-auth-dialog, libpam-krb5, libpam-ldapd, ldap-utils, libnss-ldapd, libnss-myhostname, sudo-ldap, autofs5-ldap, libsasl2-modules-ldap, smbldap-tools, libterm-readkey-perl, libnet-dns-perl, libnet-ldap-perl
+Pre-Depends: ntp, krb5-user, krb5-config, krb5-clients, krb5-auth-dialog, libpam-krb5, libpam-ldapd, ldap-utils, libnss-ldapd, libnss-myhostname, sudo-ldap, autofs5-ldap, libsasl2-modules-ldap, smbldap-tools, libterm-readkey-perl, libnet-dns-perl, libnet-ldap-perl, kdm
Description: Config. package to bind Debian and Ubuntu to Edubuntu Mainserver.
This script provides a quick connection of a fresh installed Debian
or Ubuntu OS as client workstation to a DebianEdu mainserver.
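Review bot: "kdm" is added to Pre-Depends, but Pre-Depends is meant for packages needed during this package's own unpack/preinst and should not be used without discussion (Debian Policy 7.2); a display manager is a runtime choice, so "Depends:" or "Recommends:" is the right field. Pulling kdm in also forces the display-manager question on every install, including systems that already run another one; if kdm is only the one known-working login manager (README), documenting that is less intrusive than a hard dependency.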
Modified: trunk/src/educlient/debian/install
===================================================================
--- trunk/src/educlient/debian/install 2013-05-29 05:41:42 UTC (rev 80264)
+++ trunk/src/educlient/debian/install 2013-05-29 05:47:02 UTC (rev 80265)
@@ -1,2 +1,2 @@
etc /usr/share/educlient
-usr
+usr /usr/share/educlient
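Review bot: changing "usr" to "usr /usr/share/educlient" installs the package's usr/ tree under /usr/share/educlient/usr/ instead of /usr/, which reverses the previous changelog item about shipping the binaries and perl module directly in /usr/ without diversions; if that was intentional, the postinst (not shown) must put them back in place, otherwise keep the plain "usr" line.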
Modified: trunk/src/educlient/etc/NetworkManager/dispatcher.d/02debian-edu-config
===================================================================
--- trunk/src/educlient/etc/NetworkManager/dispatcher.d/02debian-edu-config 2013-05-29 05:41:42 UTC (rev 80264)
+++ trunk/src/educlient/etc/NetworkManager/dispatcher.d/02debian-edu-config 2013-05-29 05:47:02 UTC (rev 80265)
@@ -1,8 +1,5 @@
#!/bin/sh
-#Modified from the original DebianEdu to update the hostname in any case for educlient.deb package
-#Giorgio Pioda
-
set -e
if [ -z "$1" ]; then
@@ -12,18 +9,18 @@
case "$2" in
up|vpn-up)
-# if [ -e /etc/debian-edu/config ] ; then
-# . /etc/debian-edu/config
-# fi
+ if [ -e /etc/debian-edu/config ] ; then
+ . /etc/debian-edu/config
+ fi
# All profiles except Main-Server. Listing them all to avoid
# activating this code unless some profile is defined in
# /etc/debian-edu/config.
-# if [ -n "$DHCP4_HOST_NAME" ] && \
-# echo "$PROFILE" | egrep -q 'Workstation|Roaming-Workstation|Thin-Client-Server|Minimal|Standalone' ; then
+ if [ -n "$DHCP4_HOST_NAME" ] && \
+ echo "$PROFILE" | egrep -q 'Workstation|Roaming-Workstation|Thin-Client-Server|Minimal|Standalone' ; then
echo "$DHCP4_HOST_NAME" > /etc/hostname
-# logger -t debian-edu-config "Update hostname from DHCP via NetworkManager to '$DHCP4_HOST_NAME'."
-# fi
+ logger -t debian-edu-config "Update hostname from DHCP via NetworkManager to '$DHCP4_HOST_NAME'."
+ fi
;;
down|vpn-down|hostname)
;;
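Review bot: re-enabling this block means a value received over the network (DHCP4_HOST_NAME from whatever DHCP server answers) is written straight into /etc/hostname; before the "echo ... > /etc/hostname" line, validate that the value is a plain hostname (letters, digits and hyphens, no spaces, slashes or shell metacharacters) and log and skip anything else, since "$DHCP4_HOST_NAME" is otherwise trusted as-is. Two smaller points: ". /etc/debian-edu/config" executes that file as root, so it should stay root-owned and not group/world writable, and "egrep" is deprecated in favour of "grep -E".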
Modified: trunk/src/educlient/etc/auto.master
===================================================================
--- trunk/src/educlient/etc/auto.master 2013-05-29 05:41:42 UTC (rev 80264)
+++ trunk/src/educlient/etc/auto.master 2013-05-29 05:47:02 UTC (rev 80265)
@@ -12,6 +12,10 @@
#
#/net -hosts
#
+# Include /etc/auto.master.d/*.autofs
+#
++dir:/etc/auto.master.d
+#
# Include central master map if it can be found using
# nsswitch sources.
#
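Review bot: "+dir:/etc/auto.master.d" is fine, but /etc/auto.master.d is not in the list of files this commit adds, so either ship the (empty) directory in the package or mention in the README that the admin creates it; autofs tolerates its absence but logs it at start.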
Modified: trunk/src/educlient/etc/auto.net
===================================================================
--- trunk/src/educlient/etc/auto.net 2013-05-29 05:41:42 UTC (rev 80264)
+++ trunk/src/educlient/etc/auto.net 2013-05-29 05:47:02 UTC (rev 80265)
@@ -38,7 +38,7 @@
# Newer distributions get this right
SHOWMOUNT="$SMNT --no-headers -e $key"
-$SHOWMOUNT | LC_ALL=C sort -k 1 | \
+$SHOWMOUNT | LC_ALL=C cut -d' ' -f1 | LC_ALL=C sort -u | \
awk -v key="$key" -v opts="$opts" -- '
BEGIN { ORS=""; first=1 }
{ if (first) { print opts; first=0 }; print " \\\n\t" $1, key ":" $1 }
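Review bot: the "cut -d' ' -f1" stage is redundant, since the awk program that follows already prints only $1; the functional change here is "sort -u", which deduplicates exports listed more than once, and the comment above should say so. Also note that "$SHOWMOUNT" is expanded unquoted, so $key is subject to word splitting and globbing; that is inherited from the original script, but worth keeping in mind if $key can ever contain whitespace.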
Modified: trunk/src/educlient/etc/auto.smb
===================================================================
--- trunk/src/educlient/etc/auto.smb 2013-05-29 05:41:42 UTC (rev 80264)
+++ trunk/src/educlient/etc/auto.smb 2013-05-29 05:47:02 UTC (rev 80265)
@@ -26,6 +26,7 @@
# Enclose mount dir and location in quotes
# Double quote "$" in location as it is special
gsub(/\$$/, "\\$", loc);
+ gsub(/\&/,"\\\\&",loc)
print " \\\n\t \"/" dir "\"", "\"://" key "/" loc "\""
}
END { if (!first) print "\n"; else exit 1 }
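Review bot: the added gsub line lacks the trailing semicolon and the explanatory comment that the "$" line above it has; add a comment that "&" must be escaped because it is a shell/mount metacharacter in share names. The replacement "\\\\&" is correct (it yields a literal backslash followed by the matched "&"), and the ordering after the "$" substitution is safe because the new substitution does not introduce "$".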
Modified: trunk/src/educlient/etc/autofs_ldap_auth.conf
===================================================================
--- trunk/src/educlient/etc/autofs_ldap_auth.conf 2013-05-29 05:41:42 UTC (rev 80264)
+++ trunk/src/educlient/etc/autofs_ldap_auth.conf 2013-05-29 05:47:02 UTC (rev 80265)
@@ -1,66 +1,7 @@
<?xml version="1.0" ?>
<!--
This files contains a single entry with multiple attributes tied to it.
-The attributes are:
-
-usetls - Determines whether an encrypted connection to the ldap server
- should be attempted. Legal values for the entry are:
- "yes"
- "no"
-
-tlsrequired - This flag tells whether the ldap connection must be
- encrypted. If set to "yes", the automounter will fail to start
- if an encrypted connection cannot be established. Legal values
- for this option include:
- "yes"
- "no"
-
-authrequired - This option tells whether an authenticated connection to
- the ldap server is required in order to perform ldap queries.
- If this flag is set to yes, then only authenticated connections
- will be allowed. If it is set to no then authentication is not
- needed for ldap server connections. Finally, if it is set to
- autodetect then the ldap server will be queried to establish
- a suitable authentication mechanism. If no suitable mechanism
- can be found, connections to the ldap server are made without
- authentication.
- Legal values for this option include:
- "yes"
- "no"
- "autodetect"
-
-authtype - This attribute can be used to specify a preferred
- authentication mechanism. In normal operations, the
- automounter will attempt to authenticate to the ldap server
- using the list of supportedSASLmechanisms obtained from the
- directory server. Explicitly setting the authtype will bypass
- this selection and only try the mechanism specified. Legal
- values for this attribute include:
- "GSSAPI"
- "LOGIN"
- "PLAIN"
- "ANONYMOUS"
- "DIGEST-MD5"
-
-user - This attribute holds the authentication identity used by
- authentication mechanisms that require it. Legal values for
- this attribute include any printable characters that can be
- used by the selected authentication mechanism.
-
-secret - This attribute holds the secret used by authentication
- mechanisms that require it. Legal values for this attribute
- include any printable characters that can be used by the
- selected authentication mechanism.
-
-clientprinc - When using GSSAPI authentication, this attribute is
- consulted to determine the principal name to use when
- authenticating to the directory server. By default, this will
- be set to "autofsclient/<fqdn>@<REALM>.
-
-credentialcache - When using GSSAPI authentication, this attribute
- can be used to specify an externally configured credential
- cache that is used during authentication. By default, autofs
- will setup a memory based credential cache.
+See autofs_ldap_auth.conf(5) for more information.
-->
<autofs_ldap_sasl_conf
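Review bot: replacing the copied attribute documentation with a reference to autofs_ldap_auth.conf(5) is a good cleanup; since the inline text about the "secret" attribute is gone, make sure the package installs this file as root:root mode 0600 (the man page requires that, because the file may hold a bind password) and that the attribute values below this hunk do not embed a real secret in the package.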
Modified: trunk/src/educlient/etc/default/autofs
===================================================================
--- trunk/src/educlient/etc/default/autofs 2013-05-29 05:41:42 UTC (rev 80264)
+++ trunk/src/educlient/etc/default/autofs 2013-05-29 05:47:02 UTC (rev 80265)
@@ -14,6 +14,15 @@
#
#NEGATIVE_TIMEOUT=60
#
+# MOUNT_WAIT - time to wait for a response from mount(8).
+# Setting this timeout can cause problems when
+# mount would otherwise wait for a server that
+# is temporarily unavailable, such as when it's
+# restarting. The defailt of waiting for mount(8)
+# usually results in a wait of around 3 minutes.
+#
+#MOUNT_WAIT=-1
+#
# UMOUNT_WAIT - time to wait for a response from umount(8).
#
#UMOUNT_WAIT=12
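Review bot: the added comment text has a typo, "defailt" for "default" (it is copied verbatim from the upstream default file, so fix it in both places if you carry an upstream patch).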
@@ -25,10 +34,7 @@
# MOUNT_NFS_DEFAULT_PROTOCOL - specify the default protocol used by
# mount.nfs(8). Since we can't identify
# the default automatically we need to
-# set it in our configuration. This will
-# only make a difference for replicated
-# map entries as availability probing isn't
-# used for single host map entries.
+# set it in our configuration.
#
#MOUNT_NFS_DEFAULT_PROTOCOL=3
#
@@ -118,11 +124,6 @@
#
# General global options
#
-# If the kernel supports using the autofs miscellanous device
-# and you wish to use it you must set this configuration option
-# to "yes" otherwise it will not be used.
-USE_MISC_DEVICE="yes"
-#
#OPTIONS=""
#
-LDAPURI=ldap://ldap.intern
+LDAPURI=ldap://ldap
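Review bot: "LDAPURI=ldap://ldap" switches from the fully qualified ldap.intern to a bare short name, so resolution now depends on the client's DNS search list (and, depending on nsswitch order, on mDNS or other sources); prefer the fully qualified name, and whichever form is used must match the name in the server certificate, since the nslcd.conf change in this commit enforces "tls_reqcert demand". Removing the USE_MISC_DEVICE lines silently drops an explicit "yes"; if the intent is to rely on the autofs default, say so in the changelog.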
Modified: trunk/src/educlient/etc/default/nfs-common
===================================================================
--- trunk/src/educlient/etc/default/nfs-common 2013-05-29 05:41:42 UTC (rev 80264)
+++ trunk/src/educlient/etc/default/nfs-common 2013-05-29 05:47:02 UTC (rev 80265)
@@ -9,11 +9,13 @@
# Should rpc.statd listen on a specific port? This is especially useful
# when you have a port-based firewall. To use a fixed port, set this
# this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
-# For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS
+# For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS=
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
+# NEED_IDMAPD=
NEED_IDMAPD=yes
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
+# NEED_GSSD=
NEED_GSSD=yes
Modified: trunk/src/educlient/etc/idmapd.conf
===================================================================
--- trunk/src/educlient/etc/idmapd.conf 2013-05-29 05:41:42 UTC (rev 80264)
+++ trunk/src/educlient/etc/idmapd.conf 2013-05-29 05:47:02 UTC (rev 80265)
@@ -2,6 +2,8 @@
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
+# set your own domain here, if id differs from FQDN minus hostname
+# Domain = localdomain
Domain = intern
[Mapping]
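Review bot: the added comment is hard to parse ("if id differs from FQDN minus hostname"); suggest "# Set the NFSv4 ID-mapping domain here if it is not the DNS domain part of the FQDN". Also note that "Domain = intern" stays hardcoded while the LDAP settings in this commit drop the .intern suffix; if the site domain is meant to be configurable, this value needs the same treatment.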
Modified: trunk/src/educlient/etc/krb5.conf
===================================================================
--- trunk/src/educlient/etc/krb5.conf 2013-05-29 05:41:42 UTC (rev 80264)
+++ trunk/src/educlient/etc/krb5.conf 2013-05-29 05:47:02 UTC (rev 80265)
@@ -39,14 +39,102 @@
fcc-mit-ticketflags = true
[realms]
- INTERN = {
- kdc = kerberos.intern
- admin_server = kerberos.intern
- default_domain = intern
+ ATHENA.MIT.EDU = {
+ kdc = kerberos.mit.edu:88
+ kdc = kerberos-1.mit.edu:88
+ kdc = kerberos-2.mit.edu:88
+ admin_server = kerberos.mit.edu
+ default_domain = mit.edu
}
+ MEDIA-LAB.MIT.EDU = {
+ kdc = kerberos.media.mit.edu
+ admin_server = kerberos.media.mit.edu
+ }
+ ZONE.MIT.EDU = {
+ kdc = casio.mit.edu
+ kdc = seiko.mit.edu
+ admin_server = casio.mit.edu
+ }
+ MOOF.MIT.EDU = {
+ kdc = three-headed-dogcow.mit.edu:88
+ kdc = three-headed-dogcow-1.mit.edu:88
+ admin_server = three-headed-dogcow.mit.edu
+ }
+ CSAIL.MIT.EDU = {
+ kdc = kerberos-1.csail.mit.edu
+ kdc = kerberos-2.csail.mit.edu
+ admin_server = kerberos.csail.mit.edu
+ default_domain = csail.mit.edu
+ krb524_server = krb524.csail.mit.edu
+ }
+ IHTFP.ORG = {
+ kdc = kerberos.ihtfp.org
+ admin_server = kerberos.ihtfp.org
+ }
+ GNU.ORG = {
+ kdc = kerberos.gnu.org
+ kdc = kerberos-2.gnu.org
+ kdc = kerberos-3.gnu.org
+ admin_server = kerberos.gnu.org
+ }
+ 1TS.ORG = {
+ kdc = kerberos.1ts.org
+ admin_server = kerberos.1ts.org
+ }
+ GRATUITOUS.ORG = {
+ kdc = kerberos.gratuitous.org
+ admin_server = kerberos.gratuitous.org
+ }
+ DOOMCOM.ORG = {
+ kdc = kerberos.doomcom.org
+ admin_server = kerberos.doomcom.org
+ }
+ ANDREW.CMU.EDU = {
+ kdc = kerberos.andrew.cmu.edu
+ kdc = kerberos2.andrew.cmu.edu
+ kdc = kerberos3.andrew.cmu.edu
+ admin_server = kerberos.andrew.cmu.edu
+ default_domain = andrew.cmu.edu
+ }
+ CS.CMU.EDU = {
+ kdc = kerberos.cs.cmu.edu
+ kdc = kerberos-2.srv.cs.cmu.edu
+ admin_server = kerberos.cs.cmu.edu
+ }
+ DEMENTIA.ORG = {
+ kdc = kerberos.dementix.org
+ kdc = kerberos2.dementix.org
+ admin_server = kerberos.dementix.org
+ }
+ stanford.edu = {
+ kdc = krb5auth1.stanford.edu
+ kdc = krb5auth2.stanford.edu
+ kdc = krb5auth3.stanford.edu
+ master_kdc = krb5auth1.stanford.edu
+ admin_server = krb5-admin.stanford.edu
+ default_domain = stanford.edu
+ }
+ UTORONTO.CA = {
+ kdc = kerberos1.utoronto.ca
+ kdc = kerberos2.utoronto.ca
+ kdc = kerberos3.utoronto.ca
+ admin_server = kerberos1.utoronto.ca
+ default_domain = utoronto.ca
+ }
[domain_realm]
- .intern = INTERN
+ .mit.edu = ATHENA.MIT.EDU
+ mit.edu = ATHENA.MIT.EDU
+ .media.mit.edu = MEDIA-LAB.MIT.EDU
+ media.mit.edu = MEDIA-LAB.MIT.EDU
+ .csail.mit.edu = CSAIL.MIT.EDU
+ csail.mit.edu = CSAIL.MIT.EDU
+ .whoi.edu = ATHENA.MIT.EDU
+ whoi.edu = ATHENA.MIT.EDU
+ .stanford.edu = stanford.edu
+ .slac.stanford.edu = SLAC.STANFORD.EDU
+ .toronto.edu = UTORONTO.CA
+ .utoronto.ca = UTORONTO.CA
[login]
krb4_convert = true
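Review bot: this hunk deletes the INTERN realm definition and the ".intern = INTERN" domain_realm mapping, which are the only entries a Debian Edu client needs, and replaces them with the stock MIT example realms (ATHENA.MIT.EDU, CSAIL.MIT.EDU, ANDREW.CMU.EDU, stanford.edu, ...) that ship as the krb5-config sample; unless default_realm is defined elsewhere in the file, the client no longer has a realm or KDC for the Debian Edu server, and Kerberos logins and NFS gssd mounts will fail. Restore the INTERN block and the .intern mapping and drop the sample realms; the previous changelog entry ("remove all unused settings") described the opposite of this change. The "krb4_convert = true" context line under [login] is a Kerberos 4 leftover and can go as well.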
Modified: trunk/src/educlient/etc/ldap/ldap.conf
===================================================================
--- trunk/src/educlient/etc/ldap/ldap.conf 2013-05-29 05:41:42 UTC (rev 80264)
+++ trunk/src/educlient/etc/ldap/ldap.conf 2013-05-29 05:47:02 UTC (rev 80265)
@@ -11,7 +11,11 @@
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
-HOST tjener.intern
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT /etc/ssl/certs/ca-certificates.crt
+
+HOST ldap
sudoers_base ou=sudoers,dc=skole,dc=skolelinux,dc=no
BASE dc=skole,dc=skolelinux,dc=no
TLS_REQCERT demand
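Review bot: "TLS_CACERT /etc/ssl/certs/ca-certificates.crt" points ldap-utils and sudo-ldap at the public CA bundle, while nslcd.conf in this same commit trusts /etc/ldap/ssl/ldap-server-pubkey.pem; with "TLS_REQCERT demand" in force, a server certificate issued by the site's own CA (or self-signed) will fail verification here unless that CA is also in the system bundle, so point both files at the same CA file. "HOST ldap" is the deprecated form; "URI ldap://ldap/" is the current keyword, and as with LDAPURI the name used must appear in the server certificate.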
Deleted: trunk/src/educlient/etc/ldap.conf
===================================================================
--- trunk/src/educlient/etc/ldap.conf 2013-05-29 05:41:42 UTC (rev 80264)
+++ trunk/src/educlient/etc/ldap.conf 2013-05-29 05:47:02 UTC (rev 80265)
@@ -1,297 +0,0 @@
-###DEBCONF###
-##
-## Configuration of this file will be managed by debconf as long as the
-## first line of the file says '###DEBCONF###'
-##
-## You should use dpkg-reconfigure to configure this file via debconf
-##
-
-#
-# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
-#
-# This is the configuration file for the LDAP nameservice
-# switch library and the LDAP PAM module.
-#
-# PADL Software
-# http://www.padl.com
-#
-
-# Your LDAP server. Must be resolvable without using LDAP.
-# Multiple hosts may be specified, each separated by a
-# space. How long nss_ldap takes to failover depends on
-# whether your LDAP client library supports configurable
-# network or connect timeouts (see bind_timelimit).
-#host 127.0.0.1
-
-# The distinguished name of the search base.
-base dc=skolelinux,dc=no
-
-# Another way to specify your LDAP server is to provide an
-uri ldapi://ldap/
-# Unix Domain Sockets to connect to a local LDAP Server.
-#uri ldap://127.0.0.1/
-#uri ldaps://127.0.0.1/
-#uri ldapi://%2fvar%2frun%2fldapi_sock/
-# Note: %2f encodes the '/' used as directory separator
-
-# The LDAP version to use (defaults to 3
-# if supported by client library)
-ldap_version 3
-
-# The distinguished name to bind to the server with.
-# Optional: default is to bind anonymously.
-#binddn cn=proxyuser,dc=padl,dc=com
-
-# The credentials to bind with.
-# Optional: default is no credential.
-#bindpw secret
-
-# The distinguished name to bind to the server with
-# if the effective user ID is root. Password is
-# stored in /etc/ldap.secret (mode 600)
-#rootbinddn cn=manager,dc=padl,dc=com
-
-# The port.
-# Optional: default is 389.
-#port 389
-
-# The search scope.
-#scope sub
-#scope one
-#scope base
-
-# Search timelimit
-#timelimit 30
-
-# Bind/connect timelimit
-#bind_timelimit 30
-
-# Reconnect policy: hard (default) will retry connecting to
-# the software with exponential backoff, soft will fail
-# immediately.
-#bind_policy hard
-
-# Idle timelimit; client will close connections
-# (nss_ldap only) if the server has not been contacted
-# for the number of seconds specified below.
-#idle_timelimit 3600
-
-# Filter to AND with uid=%s
-#pam_filter objectclass=account
-
-# The user ID attribute (defaults to uid)
-#pam_login_attribute uid
-
-# Search the root DSE for the password policy (works
-# with Netscape Directory Server)
-#pam_lookup_policy yes
-
-# Check the 'host' attribute for access control
-# Default is no; if set to yes, and user has no
-# value for the host attribute, and pam_ldap is
-# configured for account management (authorization)
-# then the user will not be allowed to login.
-#pam_check_host_attr yes
-
-# Check the 'authorizedService' attribute for access
-# control
-# Default is no; if set to yes, and the user has no
-# value for the authorizedService attribute, and
-# pam_ldap is configured for account management
-# (authorization) then the user will not be allowed
-# to login.
-#pam_check_service_attr yes
-
-# Group to enforce membership of
-#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
-
-# Group member attribute
-#pam_member_attribute uniquemember
-
-# Specify a minium or maximum UID number allowed
-#pam_min_uid 0
-#pam_max_uid 0
-
-# Template login attribute, default template user
-# (can be overriden by value of former attribute
-# in user's entry)
-#pam_login_attribute userPrincipalName
-#pam_template_login_attribute uid
-#pam_template_login nobody
-
-# HEADS UP: the pam_crypt, pam_nds_passwd,
-# and pam_ad_passwd options are no
-# longer supported.
-#
-# Do not hash the password at all; presume
-# the directory server will do it, if
-# necessary. This is the default.
-pam_password md5
-
-# Hash password locally; required for University of
-# Michigan LDAP server, and works with Netscape
-# Directory Server if you're using the UNIX-Crypt
-# hash mechanism and not using the NT Synchronization
-# service.
-#pam_password crypt
-
-# Remove old password first, then update in
-# cleartext. Necessary for use with Novell
-# Directory Services (NDS)
-#pam_password clear_remove_old
-#pam_password nds
-
-# RACF is an alias for the above. For use with
-# IBM RACF
-#pam_password racf
-
-# Update Active Directory password, by
-# creating Unicode password and updating
-# unicodePwd attribute.
-#pam_password ad
-
-# Use the OpenLDAP password change
-# extended operation to update the password.
-#pam_password exop
-
-# Redirect users to a URL or somesuch on password
-# changes.
-#pam_password_prohibit_message Please visit http://internal to change your password.
-
-# RFC2307bis naming contexts
-# Syntax:
-# nss_base_XXX base?scope?filter
-# where scope is {base,one,sub}
-# and filter is a filter to be &'d with the
-# default filter.
-# You can omit the suffix eg:
-# nss_base_passwd ou=People,
-# to append the default base DN but this
-# may incur a small performance impact.
-#nss_base_passwd ou=People,dc=padl,dc=com?one
-#nss_base_shadow ou=People,dc=padl,dc=com?one
-#nss_base_group ou=Group,dc=padl,dc=com?one
-#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
-#nss_base_services ou=Services,dc=padl,dc=com?one
-#nss_base_networks ou=Networks,dc=padl,dc=com?one
-#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
-#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
-#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
-#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
-#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
-#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
-#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
-
-# attribute/objectclass mapping
-# Syntax:
-#nss_map_attribute rfc2307attribute mapped_attribute
-#nss_map_objectclass rfc2307objectclass mapped_objectclass
-
-# configure --enable-nds is no longer supported.
-# NDS mappings
-#nss_map_attribute uniqueMember member
-
-# Services for UNIX 3.5 mappings
-#nss_map_objectclass posixAccount User
-#nss_map_objectclass shadowAccount User
-#nss_map_attribute uid msSFU30Name
-#nss_map_attribute uniqueMember msSFU30PosixMember
-#nss_map_attribute userPassword msSFU30Password
-#nss_map_attribute homeDirectory msSFU30HomeDirectory
-#nss_map_attribute homeDirectory msSFUHomeDirectory
-#nss_map_objectclass posixGroup Group
-#pam_login_attribute msSFU30Name
-#pam_filter objectclass=User
-#pam_password ad
-
-# configure --enable-mssfu-schema is no longer supported.
-# Services for UNIX 2.0 mappings
-#nss_map_objectclass posixAccount User
-#nss_map_objectclass shadowAccount user
-#nss_map_attribute uid msSFUName
-#nss_map_attribute uniqueMember posixMember
-#nss_map_attribute userPassword msSFUPassword
-#nss_map_attribute homeDirectory msSFUHomeDirectory
-#nss_map_attribute shadowLastChange pwdLastSet
-#nss_map_objectclass posixGroup Group
-#nss_map_attribute cn msSFUName
-#pam_login_attribute msSFUName
-#pam_filter objectclass=User
-#pam_password ad
-
-# RFC 2307 (AD) mappings
-#nss_map_objectclass posixAccount user
-#nss_map_objectclass shadowAccount user
-#nss_map_attribute uid sAMAccountName
-#nss_map_attribute homeDirectory unixHomeDirectory
-#nss_map_attribute shadowLastChange pwdLastSet
-#nss_map_objectclass posixGroup group
-#nss_map_attribute uniqueMember member
-#pam_login_attribute sAMAccountName
-#pam_filter objectclass=User
-#pam_password ad
-
-# configure --enable-authpassword is no longer supported
-# AuthPassword mappings
-#nss_map_attribute userPassword authPassword
-
-# AIX SecureWay mappings
-#nss_map_objectclass posixAccount aixAccount
-#nss_base_passwd ou=aixaccount,?one
-#nss_map_attribute uid userName
-#nss_map_attribute gidNumber gid
-#nss_map_attribute uidNumber uid
-#nss_map_attribute userPassword passwordChar
-#nss_map_objectclass posixGroup aixAccessGroup
-#nss_base_group ou=aixgroup,?one
-#nss_map_attribute cn groupName
-#nss_map_attribute uniqueMember member
-#pam_login_attribute userName
-#pam_filter objectclass=aixAccount
-#pam_password clear
-
-# Netscape SDK LDAPS
-#ssl on
-
-# Netscape SDK SSL options
-#sslpath /etc/ssl/certs
-
-# OpenLDAP SSL mechanism
-# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
-#ssl start_tls
-#ssl on
-
-# OpenLDAP SSL options
-# Require and verify server certificate (yes/no)
-# Default is to use libldap's default behavior, which can be configured in
-# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
-# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
-#tls_checkpeer yes
-
-# CA certificates for server certificate verification
-# At least one of these are required if tls_checkpeer is "yes"
-#tls_cacertfile /etc/ssl/ca.cert
-#tls_cacertdir /etc/ssl/certs
-
-# Seed the PRNG if /dev/urandom is not provided
-#tls_randfile /var/run/egd-pool
-
-# SSL cipher suite
-# See man ciphers for syntax
-#tls_ciphers TLSv1
-
-# Client certificate and key
-# Use these, if your server requires client authentication.
-#tls_cert
-#tls_key
-
-# Disable SASL security layers. This is needed for AD.
-#sasl_secprops maxssf=0
-
-# Override the default Kerberos ticket cache location.
-#krb5_ccname FILE:/etc/.ldapcache
-
-# SASL mechanism for PAM authentication - use is experimental
-# at present and does not support password policy control
-#pam_sasl_mech DIGEST-MD5
-nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sync,sys,syslog,usbmux,uucp,www-data
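Review bot: deleting the legacy PADL /etc/ldap.conf is right for a client built on libnss-ldapd/libpam-ldapd, which read /etc/nslcd.conf instead, and it removes a file that carried "pam_password md5" and an "ldapi://ldap/" URI that never made sense for a remote host; before merging, confirm nothing else on the client still consults /etc/ldap.conf (on Debian, sudo-ldap reads /etc/sudo-ldap.conf, which is why sudoers_base lives in /etc/ldap/ldap.conf).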
Modified: trunk/src/educlient/etc/nslcd.conf
===================================================================
--- trunk/src/educlient/etc/nslcd.conf 2013-05-29 05:41:42 UTC (rev 80264)
+++ trunk/src/educlient/etc/nslcd.conf 2013-05-29 05:47:02 UTC (rev 80265)
@@ -7,7 +7,7 @@
gid nslcd
# The location at which the LDAP server(s) should be reachable.
-uri ldap://ldap/
+uri ldap://ldap
# The search base that will be used for all queries.
base dc=skole,dc=skolelinux,dc=no
@@ -19,10 +19,14 @@
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
# SSL options
-#ssl off
+ssl start_tls
tls_reqcert demand
# The search scope.
#scope sub
+tls_cacertfile /etc/ldap/ssl/ldap-server-pubkey.pem
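Review bot: "ssl start_tls" with "tls_reqcert demand" is the right hardening, but "tls_cacertfile" is appended after the "# The search scope." comment, where it reads as belonging to that section; move it up under "# SSL options" next to tls_reqcert. The referenced /etc/ldap/ssl/ldap-server-pubkey.pem is not shipped by this commit, so document how the client obtains it from the server, and note that the name suggests the server's own certificate: that only satisfies "demand" if the certificate is self-signed (it is then its own issuer); if the server has a CA-issued certificate, the CA certificate belongs here instead.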
Modified: trunk/src/educlient/etc/nsswitch.conf
===================================================================
--- trunk/src/educlient/etc/nsswitch.conf 2013-05-29 05:41:42 UTC (rev 80264)
+++ trunk/src/educlient/etc/nsswitch.conf 2013-05-29 05:47:02 UTC (rev 80265)
@@ -7,9 +7,14 @@
passwd: files ldap
group: files ldap
shadow: files ldap
+netgroup: files ldap
+automount: files ldap
+sudoers: files ldap
+# passwd: compat ldap
+# group: compat ldap
+# shadow: compat ldap
-#hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 myhostname
-hosts: files dns myhostname
+hosts: files myhostname dns
networks: files ldap
protocols: db files
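Review bot: the three commented "# passwd/group/shadow: compat ldap" lines duplicate the active "files ldap" entries just above and add nothing; drop them or explain in a comment when compat would be preferred. Moving "myhostname" ahead of "dns" means the machine's own name resolves locally before DNS, which matches the dispatcher script that writes /etc/hostname from DHCP; that is sensible, but it also means a hostname collision with a real DNS entry is masked on this host, so the README should mention it.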
@@ -17,6 +22,5 @@
ethers: db files
rpc: db files
-netgroup: nis ldap
-automount: files ldap
-sudoers: files ldap
+# netgroup: nis ldap
+# sudoers: files ldap