This page is specific to Ubuntu version 8.04

If you find this information applicable to additional versions/releases, please edit this page and modify this header to reflect that. Please also include any necessary modifications for this information to apply to the additional versions.


OpenLDAP, NFS and SSL with LTSP5

In this guide there are two server machines. The first is the LTSP5 server, which has two network cards. The second server holds the home directories (NFS) and provides centralized login (OpenLDAP, SSL).

The installation sequence follows:

  1. Install LTSP5 on the server with the two network cards. Install Webmin with package 'libio-socket-ssl-perl'.
  2. On the OpenLDAP-server, install:
    1. OpenLDAP service
    2. SSL encryption
    3. Webmin with package 'libio-socket-ssl-perl'
    4. LDAP client programs
  3. On the LTSP5-server, install the LDAP client programs and edit all the PAM files.

Both servers' superuser (the sudo user) is local; these accounts have not been exported to the OpenLDAP-server. The LTSP5-server also has one normal local user. These IDs appear in the /etc/passwd file as below.

LTSP5

admin-ltsp5:x:1000:1000:Administrator LTSP5,,,:/root/admin-ltsp5:/bin/bash
user-ltsp5:x:1001:1001:User LTSP5,,,,:/root/user-ltsp5:/bin/bash

OpenLDAP

admin-openldap:x:1000:1000:Administrator OpenLDAP,,,:/root/admin-openldap:/bin/bash

All installation files are located here: http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/

LAN, addresses, IDs and passwords

This guide uses this kind of basic local area network.

             Internet
             |
 ----------- Router/Switch -----------
 | (eth0)                     (eth0) |
 LTSP5-server          OpenLDAP-server
 | (eth1)
 Switch
 |
 Thin Client

LAN IP-addresses are as follows. The LTSP5-server does the NAT translation between the thin clients and the Internet.

Machine           IP address     Host name
Router/Switch     192.168.1.1
LTSP5-server      192.168.1.2    ubuntu-ltsp5
OpenLDAP-server   192.168.1.3    ubuntu-openldap
Thin Client       192.168.0.10   ubuntu-10

IDs and passwords which were used in this installation:

Host name         User             Password
ubuntu-ltsp5      admin-ltsp5      TP2009ltsp
ubuntu-openldap   admin-openldap   TP2009ltsp
ubuntu-10         ltsp001          edubuntu

The OpenLDAP server's manager and NSS user IDs and passwords are as follows.

DN                             Password
cn=manager,dc=arkki,dc=info    TP2009ldap
cn=nss,dc=arkki,dc=info        TP2009nss

The OpenLDAP-server's directory structure in this guide is as follows (the names match the 'base.ldif' file and the ldapsearch output later on this page).

dc=info
 |
 dc=arkki----|-----------|-----------|
 |           |           |           |
 ou=People   ou=Groups   ou=Hosts    cn=nss
 |           |
 |           cn=users
 |
 uid=ltsp001, ltsp002 ...

OpenLDAP installation

Install the package 'slapd' on the OpenLDAP-server. The programs needed for working with the OpenLDAP database are in the package 'ldap-utils'.

sudo apt-get install slapd ldap-utils

The OpenLDAP (slapd) installation opens a text-based setup program, but it can be safely ignored. Back up the original configuration file, then either put only the following lines in the new configuration file or remove all of the original lines.

(i) The basic mode for all files in the /etc directory is "644". One exception is the file 'ldap.secret'. It has to be in mode "600"!

The OpenLDAP-server's manager-user's password has to be created first. The password is "TP2009ldap". The hashed password is placed in the slapd.conf file.

slappasswd -h {MD5}
New password: 
Re-enter new password: 
{MD5}0H0NPb1xLD770iuQqZYkqQ==
root@ubuntu-openldap:~#

sudo nano /etc/ldap/slapd.conf

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

pidfile         /var/run/slapd/slapd.pid

argsfile        /var/run/slapd/slapd.args

loglevel        256

modulepath      /usr/lib/ldap
moduleload      back_hdb

sizelimit 500

tool-threads 1

backend         hdb
database        hdb

suffix          "dc=arkki,dc=info"

rootdn          "cn=manager,dc=arkki,dc=info"
rootpw          {MD5}0H0NPb1xLD770iuQqZYkqQ==

directory       "/var/lib/ldap"

dbconfig set_cachesize 0 2097152 0

dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

index           objectClass eq

lastmod         on

checkpoint      512 30

access to attrs=userPassword,shadowLastChange
        by dn="cn=manager,dc=arkki,dc=info" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=manager,dc=arkki,dc=info" write
        by dn="cn=nss,dc=arkki,dc=info" read
        by * auth
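The two 'access to' clauses above decide who can read and write what. As an added example (not code from the wiki page or from OpenLDAP), the following small Python model reproduces slapd's documented evaluation order for exactly these clauses and DNs: the first 'access to' clause whose attribute list covers the attribute wins, then the first matching 'by' line inside it sets the access level, and a clause with no matching 'by' line denies.

```python
"""Model of how slapd evaluates the two 'access to' clauses in the slapd.conf
above.  Added example for illustration; it is not code from the wiki page or
from OpenLDAP.  It reproduces the documented evaluation order (first matching
'access to' clause wins, then the first matching 'by' line sets the level)
for the DNs used in this guide."""

# Access levels in slapd's order; a granted level implies every level below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

MANAGER = "cn=manager,dc=arkki,dc=info"
NSS = "cn=nss,dc=arkki,dc=info"

# The two clauses from slapd.conf, in file order.  attrs=None means "access to *".
# A 'by' entry is (who, level); who is a DN, "anonymous", "self" or "*".
ACL = [
    {"attrs": {"userpassword", "shadowlastchange"},
     "by": [(MANAGER, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")]},
    {"attrs": None,
     "by": [(MANAGER, "write"), (NSS, "read"), ("*", "auth")]},
]


def granted_level(requester, target_dn, attr):
    """Return the level slapd grants `requester` (bound DN, or None for an
    anonymous connection) on attribute `attr` of the entry `target_dn`."""
    for clause in ACL:
        if clause["attrs"] is not None and attr.lower() not in clause["attrs"]:
            continue                      # clause does not cover this attribute
        for who, level in clause["by"]:
            if who == "*":
                return level
            if who == "anonymous" and requester is None:
                return level
            if who == "self" and requester is not None \
                    and requester.lower() == target_dn.lower():
                return level
            if requester is not None and who.lower() == requester.lower():
                return level
        return "none"                     # no 'by' line matched: slapd denies
    return "none"                         # not reached here: 'access to *' matches everything


def allows(requester, target_dn, attr, needed):
    """True if the granted level is at least `needed`."""
    return LEVELS.index(granted_level(requester, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    ltsp001 = "uid=ltsp001,ou=People,dc=arkki,dc=info"
    for who, name in ((None, "anonymous"), (NSS, "nss"),
                      (MANAGER, "manager"), (ltsp001, "ltsp001 itself")):
        print(f"{name:16} userPassword={granted_level(who, ltsp001, 'userPassword'):6} "
              f"cn={granted_level(who, ltsp001, 'cn')}")
```

Running it shows the behaviour the ldapsearch tests later on this page confirm: cn=nss can read cn but gets "none" on userPassword, an anonymous connection gets only "auth" (enough to bind with the password, not to read it), and a user can write only its own userPassword. Note that cn=manager is the rootdn in this slapd.conf, and the rootdn bypasses access controls entirely; the explicit 'by dn="cn=manager..." write' lines are therefore harmless but redundant.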

Add the following line to the /etc/syslog.conf file, and create the log file, too.

local4.* /var/log/ldap.log

sudo touch /var/log/ldap.log

Start the OpenLDAP server.

/etc/init.d/slapd start
Starting OpenLDAP: slapd.

Create the basic structure of the OpenLDAP directory. The file is 'base.ldif'.

dn: dc=arkki,dc=info
objectclass: organization
objectclass: dcObject
o: Arkki
dc: arkki
description: Arkki - Asmo Koskinen

dn: ou=Hosts,dc=arkki,dc=info
ou: Hosts
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: arkki.info

dn: ou=People,dc=arkki,dc=info
ou: People
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: arkki.info

dn: ou=Groups,dc=arkki,dc=info
ou: Groups
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: arkki.info

dn: cn=users,ou=Groups,dc=arkki,dc=info
objectClass: posixGroup
cn: users
gidNumber: 10000

Load this file on the OpenLDAP-server. The manager-user's password is "TP2009ldap".

ldapadd -W -x -D "cn=manager,dc=arkki,dc=info" -f base.ldif
Enter LDAP Password: 
adding new entry "dc=arkki,dc=info"

adding new entry "ou=Hosts,dc=arkki,dc=info"

adding new entry "ou=People,dc=arkki,dc=info"

adding new entry "ou=Groups,dc=arkki,dc=info"

adding new entry "cn=users,ou=Groups,dc=arkki,dc=info"

OpenLDAP-server's manager- and nss-users

The OpenLDAP server has two users with different roles. The manager-user can write, read and execute the data. The NSS-user can only read.

To create the nss-user, first make a new 'nss.ldif' file.

dn: cn=nss, dc=arkki,dc=info
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: nss
description: LDAP NSS user
userPassword: {MD5}iJ/UWG+ALKWLTgwEmmZj4Q==

The hashed password is created the same way as for the manager-user, and placed directly in the 'nss.ldif' file. The password is "TP2009nss". Then load the 'nss.ldif' file on the OpenLDAP-server.

slappasswd -h {MD5}
New password: 
Re-enter new password: 
{MD5}iJ/UWG+ALKWLTgwEmmZj4Q==

ldapadd -W -x -D "cn=manager,dc=arkki,dc=info" -f nss.ldif
Enter LDAP Password: 
adding new entry "cn=nss, dc=arkki,dc=info"

Restart the OpenLDAP-server.

/etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.

The OpenLDAP-server has Webmin installed. Here are screenshots of Webmin's LDAP Server module.

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/OpenLDAP_01.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/OpenLDAP_02.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/OpenLDAP_03.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/OpenLDAP_04.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/OpenLDAP_05.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/OpenLDAP_06.png

SSL-encryption on the OpenLDAP-server

Without SSL-encryption all the passwords travel over the local network in clear text. First read this guide, https://help.ubuntu.com/community/SecuringOpenLDAPConnections

Warning /!\ You have to use DNS (hosts files or a DNS server) for both servers!

admin-ltsp5@ubuntu-ltsp5:~$ cat /etc/hosts
127.0.0.1       localhost
192.168.1.2     ubuntu-ltsp5
192.168.1.3     ubuntu-openldap
192.168.0.10    ubuntu-10

The most important thing is to put the OpenLDAP-server's DNS name, in this guide "ubuntu-openldap", in the "Common Name" field. This name must be in every client machine's 'hosts' file if you do not have a DNS-server somewhere on the LAN.

The SSL-certificate uses an RSA key with a length of 1024 bits and is valid for 10 years. The certificate is named after the server itself.

sudo openssl req -newkey rsa:1024 -x509 -nodes -out ubuntu-openldap.pem -keyout ubuntu-openldap.pem -days 3650
Generating a 1024 bit RSA private key
[--]
writing new private key to 'ubuntu-openldap.pem'
[--]
Common Name (eg, YOUR name) []:ubuntu-openldap

The SSL-certificate information and location have to be added to the 'slapd.conf' file. In this guide a new directory has been created, '/etc/ldap/ssl', and the new 'ubuntu-openldap.pem' file is placed in it.

Add these lines in the '/etc/ldap/slapd.conf' file.

TLSCACertificateFile  /etc/ldap/ssl/ubuntu-openldap.pem
TLSCertificateFile    /etc/ldap/ssl/ubuntu-openldap.pem
TLSCertificateKeyFile /etc/ldap/ssl/ubuntu-openldap.pem

Edit the '/etc/default/slapd' file. Add the new line SLAPD_SERVICES="ldap:/// ldaps:///", but do not change anything else.

SLAPD_CONF=
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_PIDFILE=
SLAPD_SERVICES="ldap:/// ldaps:///"
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
SLAPD_OPTIONS=""

Test the new certificate on the OpenLDAP-server.

openssl s_client -connect ubuntu-openldap:636 -showcerts
[--]
Server certificate
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ubuntu-openldap
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ubuntu-openldap
---
No client certificate CA names sent
---
SSL handshake has read 1095 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
[--]

LDAP client programs on the OpenLDAP-server

To use Webmin, the OpenLDAP-server needs the LDAP client programs.

Warning /!\ The OpenLDAP-server does not itself use the OpenLDAP services, so do not edit the 'PAM' files on the OpenLDAP-server. Do use SSL encryption on the OpenLDAP-server. Remember that the mode of 'ldap.secret' should be "600". Only the root user is allowed to read it!

Install LDAP client programs.

sudo apt-get install ldap-auth-client libpam-ldap libnss-ldap

Make the following changes to the configuration files. Copy and save the original files first.

/etc/ldap/ldap.conf

BASE    dc=arkki,dc=info
uri ldaps://ubuntu-openldap
TLS_REQCERT allow

/etc/ldap.conf

base dc=arkki,dc=info

uri ldaps://ubuntu-openldap
TLS_REQCERT allow

ldap_version 3

binddn cn=nss,dc=arkki,dc=info
bindpw TP2009nss

rootbinddn cn=manager,dc=arkki,dc=info

pam_password md5

nss_base_passwd         ou=People,dc=arkki,dc=info?one
nss_base_shadow         ou=People,dc=arkki,dc=info?one
nss_base_group          ou=Groups,dc=arkki,dc=info?one

nss_initgroups_ignoreusers backup,bin,daemon,dhcp,games,gnats,irc,klog,libuuid,list,lp,mail,man,news,openldap,proxy,root,sshd,statd,sync,sys,syslog,uucp,www-data

/etc/ldap.secret

TP2009ldap

/etc/nsswitch.conf

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Create new users on the OpenLDAP-server

In this guide 30 new users were created on the OpenLDAP-server. Create the 'users.txt' file and use it with Webmin.

create:ltsp001:edubuntu:10001:10000:LTSP 001:/home/ltsp001:/bin/bash:::::
create:ltsp002:edubuntu:10002:10000:LTSP 002:/home/ltsp002:/bin/bash:::::
create:ltsp003:edubuntu:10003:10000:LTSP 003:/home/ltsp003:/bin/bash:::::
create:ltsp004:edubuntu:10004:10000:LTSP 004:/home/ltsp004:/bin/bash:::::
create:ltsp005:edubuntu:10005:10000:LTSP 005:/home/ltsp005:/bin/bash:::::
create:ltsp006:edubuntu:10006:10000:LTSP 006:/home/ltsp006:/bin/bash:::::
create:ltsp007:edubuntu:10007:10000:LTSP 007:/home/ltsp007:/bin/bash:::::
create:ltsp008:edubuntu:10008:10000:LTSP 008:/home/ltsp008:/bin/bash:::::
create:ltsp009:edubuntu:10009:10000:LTSP 009:/home/ltsp009:/bin/bash:::::
create:ltsp010:edubuntu:10010:10000:LTSP 010:/home/ltsp010:/bin/bash:::::
create:ltsp011:edubuntu:10011:10000:LTSP 011:/home/ltsp011:/bin/bash:::::
create:ltsp012:edubuntu:10012:10000:LTSP 012:/home/ltsp012:/bin/bash:::::
create:ltsp013:edubuntu:10013:10000:LTSP 013:/home/ltsp013:/bin/bash:::::
create:ltsp014:edubuntu:10014:10000:LTSP 014:/home/ltsp014:/bin/bash:::::
create:ltsp015:edubuntu:10015:10000:LTSP 015:/home/ltsp015:/bin/bash:::::
create:ltsp016:edubuntu:10016:10000:LTSP 016:/home/ltsp016:/bin/bash:::::
create:ltsp017:edubuntu:10017:10000:LTSP 017:/home/ltsp017:/bin/bash:::::
create:ltsp018:edubuntu:10018:10000:LTSP 018:/home/ltsp018:/bin/bash:::::
create:ltsp019:edubuntu:10019:10000:LTSP 019:/home/ltsp019:/bin/bash:::::
create:ltsp020:edubuntu:10020:10000:LTSP 020:/home/ltsp020:/bin/bash:::::
create:ltsp021:edubuntu:10021:10000:LTSP 021:/home/ltsp021:/bin/bash:::::
create:ltsp022:edubuntu:10022:10000:LTSP 022:/home/ltsp022:/bin/bash:::::
create:ltsp023:edubuntu:10023:10000:LTSP 023:/home/ltsp023:/bin/bash:::::
create:ltsp024:edubuntu:10024:10000:LTSP 024:/home/ltsp024:/bin/bash:::::
create:ltsp025:edubuntu:10025:10000:LTSP 025:/home/ltsp025:/bin/bash:::::
create:ltsp026:edubuntu:10026:10000:LTSP 026:/home/ltsp026:/bin/bash:::::
create:ltsp027:edubuntu:10027:10000:LTSP 027:/home/ltsp027:/bin/bash:::::
create:ltsp028:edubuntu:10028:10000:LTSP 028:/home/ltsp028:/bin/bash:::::
create:ltsp029:edubuntu:10029:10000:LTSP 029:/home/ltsp029:/bin/bash:::::
create:ltsp030:edubuntu:10030:10000:LTSP 029:/home/ltsp030:/bin/bash:::::
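The 'users.txt' records above are colon-separated fields: action, user name, password, uidNumber, gidNumber, gecos, home directory, shell, followed by empty fields. As an added example (not code from the wiki page or from Webmin), the following Python converts such a file into LDIF entries with the same objectClasses and attributes the ldapsearch output later on this page shows, after checking the records for duplicate names, duplicate or colliding UIDs, and gecos/home fields that do not match the user name (the last record of the page's file, ltsp030 with gecos "LTSP 029", is the kind of slip it catches). One deliberate difference from the page: it stores passwords as salted {SSHA} hashes, the format 'slappasswd -h {SSHA}' produces, instead of the unsalted {MD5} or {crypt} values used above.

```python
"""Convert the Webmin batch file 'users.txt' above into LDIF entries of the
same shape the ldapsearch output later in this guide shows.  Added example;
not code from the wiki page or from Webmin.  Field positions are taken from
the page's own records (create:user:password:uid:gid:gecos:home:shell:...).
Unlike the page, which stores {MD5}/{crypt} hashes, this example stores a
salted {SSHA} hash, the format slappasswd -h {SSHA} produces."""
import base64
import hashlib
import os

BASE_DN = "dc=arkki,dc=info"
PEOPLE = "ou=People," + BASE_DN

# Constructed sample: the first two records of the page's users.txt plus its
# last record, whose gecos field ("LTSP 029") does not match uid ltsp030.
USERS_TXT = """\
create:ltsp001:edubuntu:10001:10000:LTSP 001:/home/ltsp001:/bin/bash:::::
create:ltsp002:edubuntu:10002:10000:LTSP 002:/home/ltsp002:/bin/bash:::::
create:ltsp030:edubuntu:10030:10000:LTSP 029:/home/ltsp030:/bin/bash:::::
"""


def ssha(password, salt=None):
    """{SSHA} = base64( sha1(password + salt) + salt ), with a 4-byte random salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(password, stored):
    """Check a password against a {SSHA} value (what slapd does on a bind)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def parse_users(text):
    """Parse 'create:' records into dicts; raise on a malformed line."""
    users = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) < 8 or f[0] != "create":
            raise ValueError(f"line {lineno}: unexpected record {line!r}")
        users.append({"uid": f[1], "password": f[2], "uidNumber": int(f[3]),
                      "gidNumber": int(f[4]), "gecos": f[5],
                      "home": f[6], "shell": f[7]})
    return users


def validate(users):
    """Return a list of problems: duplicate names/UIDs, UIDs that would collide
    with the local 1000-range accounts, and gecos/home fields that do not
    match the user name."""
    problems, names, numbers = [], set(), set()
    for u in users:
        if u["uid"] in names:
            problems.append(f"{u['uid']}: duplicate user name")
        if u["uidNumber"] in numbers:
            problems.append(f"{u['uid']}: duplicate uidNumber {u['uidNumber']}")
        if u["uidNumber"] < 10000:
            problems.append(f"{u['uid']}: uidNumber {u['uidNumber']} overlaps local accounts")
        if u["home"] != "/home/" + u["uid"]:
            problems.append(f"{u['uid']}: home {u['home']} does not match user name")
        if u["uid"].startswith("ltsp") and u["gecos"] != "LTSP " + u["uid"][4:]:
            problems.append(f"{u['uid']}: gecos {u['gecos']!r} does not match user name")
        names.add(u["uid"])
        numbers.add(u["uidNumber"])
    return problems


def to_ldif(users, salt=None):
    """Render entries with the objectClasses and attributes the page's
    ldapsearch output shows under ou=People."""
    out = []
    for u in users:
        out.append("\n".join([
            f"dn: uid={u['uid']},{PEOPLE}",
            "objectClass: posixAccount", "objectClass: shadowAccount",
            "objectClass: inetOrgPerson", "objectClass: person",
            f"uid: {u['uid']}", f"cn: {u['gecos']}", f"sn: {u['gecos']}",
            f"uidNumber: {u['uidNumber']}", f"gidNumber: {u['gidNumber']}",
            f"homeDirectory: {u['home']}", f"loginShell: {u['shell']}",
            f"userPassword: {ssha(u['password'], salt)}",
        ]))
    return "\n\n".join(out) + "\n"


if __name__ == "__main__":
    users = parse_users(USERS_TXT)
    for p in validate(users):
        print("WARNING:", p)
    print(to_ldif(users))
```

The generated LDIF can be loaded with the same 'ldapadd -W -x -D "cn=manager,dc=arkki,dc=info" -f' command used for 'base.ldif'. Because the {SSHA} value is salted, two users with the same password "edubuntu" get different userPassword values, which is not the case with the unsalted {MD5} hashes shown earlier.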

Here are screenshots of Webmin's modules (LDAP Client and LDAP Users and Groups) on the OpenLDAP-server.

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/OpenLDAP_Client_07.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/OpenLDAP_Client_08.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/OpenLDAP_Client_09.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/OpenLDAP_Client_10.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/OpenLDAP_Client_11.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/OpenLDAP_Client_12.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/OpenLDAP_Client_13.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/OpenLDAP_Client_14.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/OpenLDAP_Users_15.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/OpenLDAP_Users_16.png

Home Directory Share NFS service

The thin clients' home directories are exported from the OpenLDAP-server with the NFS service. Install the 'nfs-kernel-server' package on the OpenLDAP-server.

sudo apt-get install nfs-kernel-server

Add a line to the /etc/exports file.

/home  192.168.1.0/255.255.255.0(rw,no_root_squash,async,no_subtree_check)

Restart nfs-kernel-server.

sudo /etc/init.d/nfs-kernel-server restart

 * Stopping NFS kernel daemon                       [ OK ] 
 * Unexporting directories for NFS kernel daemon... [ OK ]
 * Exporting directories for NFS kernel daemon...   [ OK ]
 * Starting NFS kernel daemon                       [ OK ]

LDAP client programs on the LTSP5-server

Install the LDAP client programs in the same manner as on the OpenLDAP-server. When you are sure that you can reach and browse the OpenLDAP-server over an SSL connection, you are ready to edit the 'PAM' files. Below are screenshots of Webmin on the LTSP5-server.

Warning /!\ Remember that the mode of the file ldap.secret should be "600". Only the root user is allowed to read it!

Install the LDAP client programs.

sudo apt-get install ldap-auth-client libpam-ldap libnss-ldap libpam-modules libpam-cracklib libpam-ccreds libpam-mount

Backup ldap.conf.

cp /etc/ldap/ldap.conf /etc/ldap/ldap.conf.orig

Then make the following changes to the configuration files.

/etc/ldap/ldap.conf

BASE    dc=arkki,dc=info
uri ldaps://ubuntu-openldap
TLS_REQCERT allow

/etc/ldap.conf

base dc=arkki,dc=info

uri ldaps://ubuntu-openldap
TLS_REQCERT allow

ldap_version 3

binddn cn=nss,dc=arkki,dc=info
bindpw TP2009nss

rootbinddn cn=manager,dc=arkki,dc=info

pam_password md5

nss_base_passwd         ou=People,dc=arkki,dc=info?one
nss_base_shadow         ou=People,dc=arkki,dc=info?one
nss_base_group          ou=Groups,dc=arkki,dc=info?one

nss_initgroups_ignoreusers backup,bin,daemon,dhcp,games,gnats,irc,klog,libuuid,list,lp,mail,man,news,openldap,proxy,root,sshd,statd,sync,sys,syslog,uucp,www-data

/etc/ldap.secret

TP2009ldap

/etc/nsswitch.conf

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
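The client configuration above (and the identical one on the OpenLDAP-server) sets 'TLS_REQCERT allow' and names no CA file, so the client encrypts the connection but never checks that the certificate really belongs to ubuntu-openldap; the 'verify error:num=18:self signed certificate' line in the openssl test later on this page shows the same thing. As an added example (not code from the wiki page), the following Python audits a copy of that ldap.conf for this and for the 'ldap.secret' mode the warnings above insist on, and shows the hardened variant that pins the server's own pem as the CA. It recognises both keyword families, the libldap names (TLS_REQCERT, TLS_CACERT) and the nss_ldap/pam_ldap names (tls_checkpeer, tls_cacertfile); which of them a given version honours in /etc/ldap.conf versus /etc/ldap/ldap.conf should be checked in that version's ldap.conf(5) man page.

```python
"""Audit the LDAP client configuration shown above (/etc/ldap.conf and
/etc/ldap/ldap.conf on both servers) for the weaknesses a reviewer would
flag: the server certificate is never verified (TLS_REQCERT allow with no CA
file), and the manager password file must not be group/world readable.
Added example, not code from the wiki page.  Both keyword families are
recognised: the libldap names (TLS_REQCERT, TLS_CACERT) and the
nss_ldap/pam_ldap names (tls_checkpeer, tls_cacertfile)."""
import os
import stat
import tempfile

# Constructed copy of the page's /etc/ldap.conf (only the lines that matter here).
PAGE_CONF = """\
base dc=arkki,dc=info
uri ldaps://ubuntu-openldap
TLS_REQCERT allow
ldap_version 3
binddn cn=nss,dc=arkki,dc=info
bindpw TP2009nss
rootbinddn cn=manager,dc=arkki,dc=info
pam_password md5
"""

# The same file with verification pinned to the server's self-signed pem.
# Hardened variant written for this example; the CA path is the one the guide
# creates on the OpenLDAP-server, and the pem has to be copied to the client.
HARDENED_CONF = PAGE_CONF.replace(
    "TLS_REQCERT allow",
    "TLS_REQCERT demand\nTLS_CACERT /etc/ldap/ssl/ubuntu-openldap.pem")


def parse_conf(text):
    """ldap.conf is 'keyword value' per line; keywords are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def audit_client_conf(conf, secret_mode):
    """Return findings for a parsed ldap.conf; secret_mode is the permission
    bits of /etc/ldap.secret (only relevant when rootbinddn is set)."""
    findings = []
    uri = conf.get("uri", "")
    if not uri.startswith("ldaps://") and conf.get("ssl", "").lower() != "start_tls":
        findings.append("uri is not ldaps:// and ssl start_tls is not set: binds travel in clear")
    reqcert = conf.get("tls_reqcert", "").lower()
    checkpeer = conf.get("tls_checkpeer", "").lower()
    if not (reqcert in ("demand", "hard") or checkpeer == "yes"):
        findings.append("server certificate is not verified (TLS_REQCERT allow/never, "
                        "tls_checkpeer missing): any host answering as ubuntu-openldap is trusted")
    if not ({"tls_cacert", "tls_cacertfile", "tls_cacertdir"} & conf.keys()):
        findings.append("no CA file configured: the self-signed ubuntu-openldap.pem "
                        "cannot be checked; set TLS_CACERT (or tls_cacertfile)")
    if "rootbinddn" in conf and secret_mode & 0o077:
        findings.append(f"/etc/ldap.secret mode {secret_mode & 0o777:o}: must be 600")
    return findings


def mode_of(path):
    """Permission bits of a file, for the ldap.secret check."""
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    # Constructed stand-in for /etc/ldap.secret so the check runs offline.
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write("TP2009ldap\n")
    os.chmod(f.name, 0o644)
    for label, text in (("page", PAGE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_client_conf(parse_conf(text), mode_of(f.name)))
    os.unlink(f.name)
```

With the page's configuration and a correctly protected 'ldap.secret' the audit reports two findings (no verification, no CA file); the hardened configuration reports none. Pinning the pem this way is the only verification possible with the self-signed certificate created above, and it must be redone whenever that certificate is regenerated.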

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/LTSP5_Client_01.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/LTSP5_Client_02.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/LTSP5_Client_03.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/LTSP5_Client_04.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/LTSP5_Client_05.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/LTSP5_Client_06.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/LTSP5_Client_07.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/LTSP5_Users_08.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-Perusasennus/LTSP5_Users_09.png

Test LDAP client programs on the LTSP5-server

First test the SSL connection this way.

admin-ltsp5@ubuntu-ltsp5:~$ openssl s_client -connect ubuntu-openldap:636 -showcerts
CONNECTED(00000003)
depth=0 [--]CN=ubuntu-openldap[--]
verify error:num=18:self signed certificate
verify return:1

Then check the 'passwd' database. The local users should appear in addition to the OpenLDAP-users.

admin-ltsp5@ubuntu-ltsp5:~$ getent passwd
root:x:0:0:root:/root:/bin/bash
[--]
admin-ltsp5:x:1000:1000:Administrator LTSP5,,,:/root/admin-ltsp5:/bin/bash
user-ltsp5:x:1001:1001:User LTSP5,,,,:/root/user-ltsp5:/bin/bash
[--]
ltsp001:x:10001:10000:LTSP 001:/home/ltsp001:/bin/bash
ltsp002:x:10002:10000:LTSP 002:/home/ltsp002:/bin/bash
[--]
ltsp029:x:10029:10000:LTSP 029:/home/ltsp029:/bin/bash
ltsp030:x:10030:10000:LTSP 029:/home/ltsp030:/bin/bash
admin-ltsp5@ubuntu-ltsp5:~$

Then you can test the nss-user.

admin-ltsp5@ubuntu-ltsp5:~$ ldapsearch -x -D "cn=nss,dc=arkki,dc=info" -W -u "cn=LTSP 001"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=arkki,dc=info> (default) with scope subtree
# filter: cn=LTSP 001
# requesting: ALL
#

# ltsp001, People, arkki.info
dn: uid=ltsp001,ou=People,dc=arkki,dc=info
ufn: ltsp001, People, arkki.info
cn: LTSP 001
uid: ltsp001
uidNumber: 10001
loginShell: /bin/bash
homeDirectory: /home/ltsp001
gidNumber: 10000
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: person
sn: LTSP 001

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
admin-ltsp5@ubuntu-ltsp5:~$

Only the manager-user can see the encrypted password.

admin-ltsp5@ubuntu-ltsp5:~$ ldapsearch -x -D "cn=manager,dc=arkki,dc=info" -W -u "cn=LTSP 001"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=arkki,dc=info> (default) with scope subtree
# filter: cn=LTSP 001
# requesting: ALL
#

# ltsp001, People, arkki.info
dn: uid=ltsp001,ou=People,dc=arkki,dc=info
ufn: ltsp001, People, arkki.info
cn: LTSP 001
uid: ltsp001
uidNumber: 10001
loginShell: /bin/bash
homeDirectory: /home/ltsp001
gidNumber: 10000
userPassword:: e2NyeXB0fVJRSVVuM0VYQ3plWHc=
shadowLastChange: 14285
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: person
sn: LTSP 001

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
admin-ltsp5@ubuntu-ltsp5:~$

Edit 'PAM' files on the LTSP5-server

When you are sure that you can connect from the LTSP5-server to the OpenLDAP-server over SSL encryption, you are ready to edit the 'PAM' files.

Warning /!\ Touching the '/etc/pam.d/*' files is an extremely critical process. Copy and save your 'PAM' files. If no login is possible, the LTSP5-server must be started in single-user mode, and the original 'PAM' files copied back on the command line.

Warning /!\ While editing you should open one or more consoles (Ctrl-Alt-F1) without X and log in as root (sudo -s). If X/GDM stops responding you can continue on the console.

Wholly new files are '/etc/pam.d/common-pammount' and '/etc/security/pam_mount.conf.xml'. Delete or comment out (#) the original lines, or create entirely new files.

These are edited 'PAM' files.

/etc/pam.d/common-password - password-related modules common to all services

password   required     pam_mount.so use_authtok shadow md5
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_authtok md5
password   required     pam_deny.so

/etc/pam.d/common-account - authorization settings common to all services

account    sufficient   pam_unix.so
account    sufficient   pam_ldap.so

/etc/pam.d/common-auth - authentication settings common to all services

auth       required     pam_mount.so
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok use_first_pass
auth       sufficient   pam_ldap.so try_first_pass
auth       required     pam_deny.so
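The block of 'auth' lines above relies on Linux-PAM's control flags: a failing 'required' module is remembered but the stack continues, a succeeding 'sufficient' module ends the stack with success unless a required module has already failed, and a failing 'sufficient' module is simply ignored. The trailing pam_deny.so line is what makes the stack fail closed when neither pam_unix nor pam_ldap accepts the password. As an added example (not code from the wiki page or from Linux-PAM), the following Python implements those rules and runs this auth stack, with and without its last line, through a few login scenarios.

```python
"""Model of Linux-PAM control-flag semantics applied to the 'auth' stack above
(pam_mount, pam_env, pam_unix, pam_ldap, pam_deny).  Added example, not code
from the wiki page or from Linux-PAM; it implements the documented rules for
required / requisite / sufficient / optional so the effect of the trailing
pam_deny.so line can be seen."""

# The auth stack from the page, as (control, module) pairs in file order.
AUTH_STACK = [
    ("required", "pam_mount.so"),
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]

# The same stack without its last line, to show what pam_deny adds.
AUTH_STACK_NO_DENY = AUTH_STACK[:-1]

ALWAYS_FAIL = {"pam_deny.so"}


def run_stack(stack, outcome):
    """Walk a PAM stack.  `outcome` maps module -> True/False for modules whose
    result depends on the user (pam_unix, pam_ldap, ...); unlisted modules
    succeed, pam_deny always fails.  Returns (result, modules consulted)."""
    required_failed = False
    consulted = []
    for control, module in stack:
        ok = False if module in ALWAYS_FAIL else outcome.get(module, True)
        consulted.append(module)
        if control == "required":
            if not ok:
                required_failed = True       # remembered, but the stack continues
        elif control == "requisite":
            if not ok:
                return "failure", consulted  # stops immediately
        elif control == "sufficient":
            if ok and not required_failed:
                return "success", consulted  # later modules are not consulted
            # a failing sufficient module is simply ignored
        elif control == "optional":
            pass                             # never decides a multi-module stack
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return ("failure" if required_failed else "success"), consulted


def authenticate(stack, local_ok, ldap_ok, env_ok=True):
    """One login attempt: local_ok is pam_unix's verdict (/etc/shadow),
    ldap_ok is pam_ldap's verdict (bind to the OpenLDAP-server)."""
    result, _ = run_stack(stack, {"pam_unix.so": local_ok,
                                  "pam_ldap.so": ldap_ok,
                                  "pam_env.so": env_ok})
    return result


if __name__ == "__main__":
    print("local user, good password :", authenticate(AUTH_STACK, True, False))
    print("LDAP user, good password  :", authenticate(AUTH_STACK, False, True))
    print("unknown user, with deny   :", authenticate(AUTH_STACK, False, False))
    print("unknown user, no deny     :", authenticate(AUTH_STACK_NO_DENY, False, False))
```

The last two lines of output are the point: with pam_deny.so the unknown user is refused, without it the stack ends with only the two 'required' successes of pam_mount and pam_env on record and the login succeeds. The model also shows that a local user never causes an LDAP bind, since pam_unix's 'sufficient' success stops the stack before pam_ldap.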

/etc/pam.d/common-session - session-related modules common to all services

session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    optional     pam_ldap.so
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_mount.so shadow md5 use_authtok
session    optional     pam_ldap.so

/etc/pam.d/common-pammount

auth       optional   pam_mount.so try_first_pass
session    optional   pam_mount.so try_first_pass

/etc/security/pam_mount.conf.xml

Add this line.

<volume fstype="nfs" server="192.168.1.3" path="/home/%(USER)" mountpoint="~"/>

Thin client and '*.log' files

This guide used the following 'lts.conf' file. The thin client is an Asus Eee 701 4G.

[00:22:15:15:4B:4C]
X_CONF=/etc/X11/asus-eee-xorg.conf
X_COLOR_DEPTH=16
LDM_DIRECTX=True
LDM_AUTOLOGIN=True
LDM_USERNAME=ltsp001
LDM_PASSWORD=edubuntu

Here are some lines from the log files.

LTSP5-server

Feb 16 12:44:00 ubuntu-ltsp5 dhcpd: DHCPOFFER on 192.168.0.10 to 00:22:15:15:4b:4c via eth1
Feb 16 12:44:00 ubuntu-ltsp5 dhcpd: DHCPREQUEST for 192.168.0.10 (192.168.0.254) from 00:22:15:15:4b:4c via eth1
Feb 16 12:44:00 ubuntu-ltsp5 dhcpd: DHCPACK on 192.168.0.10 to 00:22:15:15:4b:4c via eth1
Feb 16 12:44:01 ubuntu-ltsp5 dhcpd: DHCPREQUEST for 192.168.0.10 (192.168.0.254) from 00:22:15:15:4b:4c via eth1
Feb 16 12:44:01 ubuntu-ltsp5 dhcpd: DHCPACK on 192.168.0.10 to 00:22:15:15:4b:4c via eth1
Feb 16 12:44:01 ubuntu-ltsp5 nbdrootd[6352]: connect from 192.168.0.10 (192.168.0.10)
Feb 16 12:44:01 ubuntu-ltsp5 nbd_server[6353]: connect from 192.168.0.10, assigned file is /opt/ltsp/images/i386.img
Feb 16 12:44:01 ubuntu-ltsp5 nbd_server[6353]: Size of exported file/device is 198713344

Feb 16 12:44:24 ubuntu-ltsp5 sshd[6363]: Accepted password for ltsp001 from 192.168.0.10 port 59870 ssh2
Feb 16 12:44:24 ubuntu-ltsp5 sshd[6365]: pam_unix(sshd:session): session opened for user ltsp001 by (uid=0)
Feb 16 12:44:24 ubuntu-ltsp5 sshd[6365]: pam_mount(mount.c:182) realpath of volume "/home/ltsp001" is "/home/ltsp001"

OpenLDAP-server

Feb 16 12:43:40 ubuntu-openldap slapd[4878]: conn=4 fd=21 ACCEPT from IP=192.168.1.2:44913 (IP=0.0.0.0:636) 
Feb 16 12:43:40 ubuntu-openldap slapd[4878]: conn=4 fd=21 TLS established tls_ssf=256 ssf=256 
Feb 16 12:43:40 ubuntu-openldap slapd[4878]: conn=4 op=0 BIND dn="cn=nss,dc=arkki,dc=info" method=128 
Feb 16 12:43:40 ubuntu-openldap slapd[4878]: conn=4 op=0 BIND dn="cn=nss,dc=arkki,dc=info" mech=SIMPLE ssf=0 
Feb 16 12:43:40 ubuntu-openldap slapd[4878]: conn=4 op=0 RESULT tag=97 err=0 text= 
Feb 16 12:43:40 ubuntu-openldap slapd[4878]: conn=4 op=1 SRCH base="ou=People,dc=arkki,dc=info" scope=1 deref=0 filter="(objectClass=posixAccount)" 
Feb 16 12:43:40 ubuntu-openldap slapd[4878]: conn=4 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass 
Feb 16 12:43:40 ubuntu-openldap slapd[4878]: conn=4 op=1 SEARCH RESULT tag=101 err=0 nentries=30 text= 
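The slapd lines above (loglevel 256) carry everything needed to check that the SSL setup is actually used: the 'TLS established tls_ssf=256' line on conn=4 precedes the SIMPLE bind, while the 'ssf=0' on the BIND line itself is the SASL layer and says nothing about TLS. Because '/etc/default/slapd' still lists 'ldap:///' beside 'ldaps:///', a client that is misconfigured to use port 389 would log an identical bind with no TLS line before it and the nss password would cross the LAN in clear. As an added example (not code from the wiki page), the following Python runs two checks over such log lines: a SIMPLE bind on a connection without 'TLS established', and repeated 'err=49' (invalid credentials) results for one DN from one address. The sample input is the page's own conn=4 lines plus constructed lines that are marked as such.

```python
"""Two checks over slapd 'stats' (loglevel 256) lines like those above:
(1) a SIMPLE bind on a connection that never logged 'TLS established', i.e.
the bind password crossed the network in clear, and (2) repeated err=49
(invalid credentials) results for one DN from one address.  Added example,
not code from the wiki page; the log lines are the page's own plus
constructed ones marked below."""
import re
from collections import defaultdict

SAMPLE_LOG = [
    # The page's own lines (conn=4, ldaps on port 636).
    'Feb 16 12:43:40 ubuntu-openldap slapd[4878]: conn=4 fd=21 ACCEPT from IP=192.168.1.2:44913 (IP=0.0.0.0:636)',
    'Feb 16 12:43:40 ubuntu-openldap slapd[4878]: conn=4 fd=21 TLS established tls_ssf=256 ssf=256',
    'Feb 16 12:43:40 ubuntu-openldap slapd[4878]: conn=4 op=0 BIND dn="cn=nss,dc=arkki,dc=info" method=128',
    'Feb 16 12:43:40 ubuntu-openldap slapd[4878]: conn=4 op=0 BIND dn="cn=nss,dc=arkki,dc=info" mech=SIMPLE ssf=0',
    'Feb 16 12:43:40 ubuntu-openldap slapd[4878]: conn=4 op=0 RESULT tag=97 err=0 text=',
    # Constructed: the same bind on the plain ldap:/// listener (port 389), no TLS.
    'Feb 16 12:45:02 ubuntu-openldap slapd[4878]: conn=5 fd=22 ACCEPT from IP=192.168.1.2:45120 (IP=0.0.0.0:389)',
    'Feb 16 12:45:02 ubuntu-openldap slapd[4878]: conn=5 op=0 BIND dn="cn=nss,dc=arkki,dc=info" method=128',
    'Feb 16 12:45:02 ubuntu-openldap slapd[4878]: conn=5 op=0 BIND dn="cn=nss,dc=arkki,dc=info" mech=SIMPLE ssf=0',
    'Feb 16 12:45:02 ubuntu-openldap slapd[4878]: conn=5 op=0 RESULT tag=97 err=0 text=',
    # Constructed: three failed manager binds from an address not in this guide's LAN plan.
    'Feb 16 12:46:10 ubuntu-openldap slapd[4878]: conn=6 fd=23 ACCEPT from IP=192.168.1.77:50001 (IP=0.0.0.0:636)',
    'Feb 16 12:46:10 ubuntu-openldap slapd[4878]: conn=6 fd=23 TLS established tls_ssf=256 ssf=256',
]
for _op in range(3):
    SAMPLE_LOG += [
        f'Feb 16 12:46:1{_op} ubuntu-openldap slapd[4878]: conn=6 op={_op} BIND dn="cn=manager,dc=arkki,dc=info" mech=SIMPLE ssf=0',
        f'Feb 16 12:46:1{_op} ubuntu-openldap slapd[4878]: conn=6 op={_op} RESULT tag=97 err=49 text=',
    ]

LINE = re.compile(r'slapd\[\d+\]: conn=(?P<conn>\d+) (?:fd=\d+ )?(?P<rest>.*)$')
ACCEPT = re.compile(r'ACCEPT from IP=(?P<ip>[\d.]+):\d+')
BIND = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+)')
RESULT = re.compile(r'op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)')


def analyse(lines, fail_threshold=3):
    """Return a list of findings (dicts with a 'kind' key) for the given lines."""
    findings = []
    peer = {}                          # conn -> client IP
    tls = set()                        # conns on which TLS was established
    bind_dn = {}                       # (conn, op) -> DN being bound
    failures = defaultdict(int)        # (dn, ip) -> err=49 count
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue                   # not a conn= line (SRCH attr lists, etc.)
        conn, rest = m.group("conn"), m.group("rest")
        if a := ACCEPT.match(rest):
            peer[conn] = a.group("ip")
        elif rest.startswith("TLS established"):
            tls.add(conn)
        elif b := BIND.match(rest):    # only the 'mech=' BIND line, so no double count
            bind_dn[(conn, b.group("op"))] = b.group("dn")
            if b.group("mech") == "SIMPLE" and conn not in tls:
                findings.append({"kind": "cleartext_bind", "conn": conn,
                                 "ip": peer.get(conn), "dn": b.group("dn")})
        elif r := RESULT.match(rest):  # tag=97 is the bind response
            if r.group("err") == "49":
                dn = bind_dn.get((conn, r.group("op")), "?")
                failures[(dn, peer.get(conn))] += 1
    for (dn, ip), n in failures.items():
        if n >= fail_threshold:
            findings.append({"kind": "bind_failures", "dn": dn, "ip": ip, "count": n})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

On the sample it reports one cleartext bind (conn=5 from 192.168.1.2) and one cluster of three failed manager binds from 192.168.1.77. Run over the real /var/log/ldap.log created earlier in this guide, the first check should stay empty once every client uses ldaps://; if it does not, the simplest fix is to drop 'ldap:///' from SLAPD_SERVICES so the server no longer offers the unencrypted listener at all.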


CategoryLtsp

UbuntuLTSP/OpenLDAP_NFS_SSL (last edited 2009-05-21 11:06:13 by asmok)