setup grub boot loader password restriction

Generate a hash for password

root@Desktop-01:/etc/grub.d# grub-mkpasswd-pbkdf2

Enter password:
Reenter password:

Your PBKDF2 is grub.pbkdf2.sha512.10000…..

Create and define restriction rules for grub

root@Desktop-01:/etc/grub.d# cat 40_custom
#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the ‘exec tail’ line above.
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000……
 

Update the grub rules

root@Desktop-01:/etc/grub.d# grub-mkconfig

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the ‘exec tail’ line above.
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000……
### END /etc/grub.d/40_custom ###

root@Desktop-01:/etc/grub.d# update-grub
Generating grub.cfg …
Found background image: /usr/share/images/desktop-base/desktop-grub.png
Found linux image: /boot/vmlinuz-2.6.32-5-amd64
Found initrd image: /boot/initrd.img-2.6.32-5-amd64
done
 

Checks the Linux supported release

3.1.1.005-GEN000100.bash

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109

 
#!/bin/bash
# Copyright (C) 2011 simonalsa
# http://www.simonalsa.com
# Author Simon Alonso Sanchez <simonalsa@simonalsa.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; version 2
# of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 
# Security Technical Implementation Guide (STIG)
# Security Readiness Review (SRR)
# Tested in GNU/Linux Debian distribution
 
# STIG|SRR definition
NUMBER="3.1.1.005"
LABEL="GEN000100"
 
# Section:
SECTION="Linux overview and site information"
 
# Process:
PROCESS="Operating system"
 
# Description:
DESCRIPTION="Checks the Linux supported release"
 
# Include global preferences
if [ -e $PWD/preferences.cfg ]; then
        source $PWD/preferences.cfg
else
        echo -e "Can not include the global preferences at $PWD/preferences.cfg \r"
        exit
fi
 
# Include local preferences
if [ -e $PWD/$NUMBER-$LABEL.prefs ]; then
        source $PWD/$NUMBER-$LABEL.prefs
else
        echo -e "Can not include the local preferences at $PWD/$NUMBER-$LABEL.prefs \r"
        exit
fi
 
# Section.Description
echo -e "STIG|SRR definition \r"
echo -e "\t Number: $NUMBER \r"
echo -e "\t Label: $LABEL \r"
echo -e "\t Section: $SECTION \r"
echo -e "\t Process: $PROCESS \r"
echo -e "\t Description: $DESCRIPTION \r"
echo -e "\r"
 
# Perform
 
if [ -x $CMD_LSB_RELEASE ]; then
 
        CMD=$($CMD_LSB_RELEASE -d -s)
        if [ $? -eq 0 ]; then
                echo -e "Linux LSB release: \r"
                echo -e "\t $CMD \r"
        else
                echo -e "Can not locate the Linux LSB release \r"
        fi
else
        echo -e "Can not locate the $CMD_LSB_RELEASE in the filesystem \r"
        exit
fi
 
 
if [ -x $CMD_UNAME ]; then
        CMD=$($CMD_UNAME)
        if [ $? -eq 0 ]; then
                KERNEL_NAME=$($CMD_UNAME --kernel-name)
                KERNEL_RELEASE=$($CMD_UNAME --kernel-release)
                KERNEL_VERSION=$($CMD_UNAME --kernel-version)
                KERNEL_MACHINE=$($CMD_UNAME --machine)
                KERNEL_PROCESSOR=$($CMD_UNAME --processor)
                KERNEL_HARDWARE=$($CMD_UNAME --hardware-platform)
                KERNEL_OS=$($CMD_UNAME --operating-system)
 
                echo -e "Kernel release: \r"
                echo -e "\t Name: $KERNEL_NAME \r"
                echo -e "\t Release: $KERNEL_RELEASE \r"
                echo -e "\t Version: $KERNEL_VERSION \r"
                echo -e "\t Machine: $KERNEL_MACHINE \r"
                echo -e "\t Processor: $KERNEL_PROCESSOR \r"
                echo -e "\t Hardware: $KERNEL_HARDWARE \r"
                echo -e "\t Operating system: $KERNEL_OS \r"
 
        else
                echo -e "Can not locate the Linux Kernel release \r"
        fi
else
        echo -e "Can not locate the $CMD_UNAME in the filesystem \r"
        exit
fi
 
echo -e "\r"

3.1.1.005-GEN000100.bash

1

# Nothing

Sample output

simonalsa@Desktop-01:~/$ bash 3.1.1.005-GEN000100.bash
STIG|SRR definition
         Number: 3.1.1.005
         Label: GEN000100
         Section: Linux overview and site information
         Process: Operating system
         Description: Checks the Linux supported release

Linux LSB release:
         Debian GNU/Linux 6.0.3 (squeeze)
Kernel release:
         Name: Linux
         Release: 2.6.32-5-amd64
         Version: #1 SMP Thu Nov 3 03:41:26 UTC 2011
         Machine: x86_64
         Processor: unknown
         Hardware: unknown
         Operating system: GNU/Linux
 

Bash shell script for test the availability about commands in the filesystem

The objective is the reuse about variables and why not all GNU/Linux distributions installs the commands by default in the same place

I am going to allocate  a variable per each different command. This file will be included in other shell scripts.

preferences.cfg

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

CMD_AWK="/usr/bin/awk"
CMD_CAT="/bin/cat"
CMD_CHGRP="/bin/chgrp"
CMD_CHMOD="/bin/chmod"
CMD_DD="/bin/dd"
CMD_DIFF="/usr/bin/diff"
CMD_ECHO="/bin/echo"
CMD_FIND="/usr/bin/find"
CMD_GREP="/bin/grep"
CMD_LAST="/usr/bin/last"
CMD_LASTB="/usr/bin/lastb"
CMD_LS="/bin/ls"
CMD_LSB_RELEASE="/usr/bin/lsb_release"
CMD_MKDIR="/bin/mkdir"
CMD_MKFS="/sbin/mkfs.ext2"
CMD_MKNOD="/bin/mknod"
CMD_MOUNT="/bin/mount"
CMD_MYSQL="/usr/bin/mysql"
CMD_PHP="/usr/bin/php5"
CMD_SED="/bin/sed"
CMD_SEQ="/usr/bin/seq"
CMD_SORT="/usr/bin/sort"
CMD_STAT="/usr/bin/stat"
CMD_TAIL="/usr/bin/tail"
CMD_TOUCH="/bin/touch"
CMD_TUNE2FS="/sbin/tune2fs"
CMD_UNAME="/bin/uname"
CMD_YES="/usr/bin/yes"
CMD_WC="/usr/bin/wc"

This shell script "preferences.bash" checks the availability about each command defined in the variables saved in the data file "preferences.cfg".

preferences.bash

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

#!/bin/bash
# Check the availability about the commands that will be used
 
# Include global preferences
source $PWD/preferences.cfg
 
CMD=$($CMD_CAT $PWD/preferences.cfg)
 
echo -e "Check the availability about the commands that will be used \r"
 
# Checks if path is ok
for line in $CMD;
do
        TEST=$($CMD_ECHO "$line" | $CMD_AWK -F= '{ print $2 }' | $CMD_SED 's/"//g')
 
        echo -n ""
        if [ -e $TEST ]; then
                echo -n "[Passed]"
        else
                echo -n "[Failed]"
        fi
 
        echo -n " ... $TEST"
        echo -e "\r"
done;

Sample output

Check the availability about the commands that will be used
[Passed] … /usr/bin/awk
[Passed] … /bin/cat
[Passed] … /bin/chgrp
[Passed] … /bin/chmod
[Passed] … /bin/dd
[Passed] … /usr/bin/diff
[Passed] … /bin/echo
[Passed] … /usr/bin/find
[Passed] … /bin/grep
[Passed] … /usr/bin/last
[Passed] … /usr/bin/lastb
[Passed] … /bin/ls
[Passed] … /usr/bin/lsb_release
[Passed] … /bin/mkdir
[Passed] … /sbin/mkfs.ext2
[Passed] … /bin/mknod
[Passed] … /bin/mount
[Failed] … /usr/bin/mysql
[Failed] … /usr/bin/php5
[Passed] … /bin/sed
[Passed] … /usr/bin/seq
[Passed] … /usr/bin/sort
[Passed] … /usr/bin/stat
[Passed] … /usr/bin/tail
[Passed] … /bin/touch
[Passed] … /sbin/tune2fs
[Passed] … /bin/uname
[Passed] … /usr/bin/yes
[Passed] … /usr/bin/wc
 

DMC (Dynamic Memory Control) feature at Xen XCP

Dynamic Memory Control (DMC) is a technology provided by Xen Cloud Platform (XCP).

DMC allows you to change the amount of host memory assigned to any running virtual server, without rebooting it.

Using DMC, it’s possible to operate a guest virtual machine in one of two modes:

1) Target Mode
    The administrator specifies a memory target for the guest. XCP adjusts the guest’s memory allocation to meet the target.

2) Dynamic Range Mode
    The administrator specifies a dynamic memory range for the guest. XCP chooses a target from within the range and adjusts the guest’s memory allocation to meet the target. Dynamic memory range represents the lower and upper limit of a dynamic memory range.  It’s the minimum and maximun amount of memory that the administrator is happy for a guest to use.

You can alter the VM’s DMC mode "as you want" online without reboot it.

Check http://wiki.xensource.com/xenwiki/Dynamic_Memory_Control for more information

For example:

1) Mode As Target Mode ( 160 MB )
[root@thor ~]# xe vm-memory-target-set uuid=9e07177c-5bee-61a3-f743-6675f6a6a81e target=167772160
[root@thor ~]# xe vm-param-list uuid=9e07177c-5bee-61a3-f743-6675f6a6a81e | grep "memory-" | grep -v "last" | grep -v "recomendation"
…
…
memory-static-max ( RW): 167772160
memory-static-min ( RW): 67108864
…
…

[root@thor ~]# xe vm-param-get uuid=9e07177c-5bee-61a3-f743-6675f6a6a81e param-name=memory-target
167772160

"DNS-Server-XX"

2) Mode As Dynamic Range Mode ( [64...128] MB )

Set VM’s DMC limits
[root@thor ~]# xe vm-memory-dynamic-range-set uuid=9e07177c-5bee-61a3-f743-6675f6a6a81e min=67108864 max=134217728

Check VM’s DMS limits

[root@thor ~]# xe vm-param-list uuid=9e07177c-5bee-61a3-f743-6675f6a6a81e | grep "memory-" | grep -v "last" | grep -v "recommendations"
…
…
memory-dynamic-max ( RW): 134217728
memory-dynamic-min ( RW): 67108864
…
…

[root@thor ~]# xe vm-param-get uuid=9e07177c-5bee-61a3-f743-6675f6a6a81e param-name=memory-target
134217728
 

"DNS-Server-XX"

Really nice powerfull feature
 

Xen XCP Backup/export all the virtual machines that are in halted state availables in Xen XCP’s domain

This script export all the virtual machines that are in halted state availables in Xen XCP’s domain.

The process is simple. Exports the virtual machine to the filesystem and compress the exported virtual machine into the filesystem. Repeat the process for each one virtual machine available in the Xen XCP’s domain.

Finally (as you want) shut down the host

Backup.bash

      1 #/bin/bash
      2
      3 DATESTAMP=$(date +%F)
      4
      5 UUIDS=$(xe vm-list | grep uuid | awk -F: ‘ { print $2 }’ | sed ‘s/ //g’)
      6
      7 for UUID in $UUIDS
      8 do
      9         NAME=$(xe vm-list uuid=$UUID | grep name | awk -F: ‘ { print $2 }’ | sed ‘s/ //g’)
     10         if [ $NAME != "Controldomainonhost" ]; then
     11                 xe vm-export filename=/backup/$UUID\_$NAME\_$DATESTAMP.xva uuid=$UUID
     12                 if [ $? -eq 0 ]; then
     13                         echo -e "The virtual machine $NAME has been exported"
     14                 else
     15                         echo -e "Can not export the virtual machine $NAME"
     16                 fi
     17
     18                 gzip -9 /backup/$UUID\_$NAME\_$DATESTAMP.xva
     19                 rm -f /backup/$UUID\_$NAME\_$DATESTAMP.xva
     20         fi
     21 done
     22
     23
     24 shutdown -h now
 

Result

[root@thor 20120118]# ls -lh *.gz | awk ‘{ print $9,"(",$5,")" }’
10761c7f-70a2-1263-43d4-53fdd059cf81_Log-Server-1.0_2012-01-18.xva.gz ( 417M )
16d0b2d3-51c1-e692-7f90-2473277b0f50_Web-Server-2.0_2012-01-18.xva.gz ( 1.1G )
1b8feb8e-04fe-2a4e-5716-dde1e375b2f9_LDAP-Server-2.0_2012-01-18.xva.gz ( 394M )
3e7ae452-52fb-7f3b-b105-087981a8a8b0_Application-Server-01_2012-01-18.xva.gz ( 994M )
46f069fb-0ca1-cbb0-d64c-2a5ea1d2a4bb_File-Server-2.0_2012-01-18.xva.gz ( 37G )
526e3294-b61b-7c39-debb-325d238c85f9_DNS-Server-1.0_2012-01-18.xva.gz ( 731M )
668d4e9b-cb44-24f7-7d23-2e0efc6627c3_Sql-Server-1.0_2012-01-18.xva.gz ( 7.4G )
6a7bea88-8b49-bc77-6cc9-06601aea6eaf_XCP-Server-1.1_2012-01-18.xva.gz ( 515M )
88357478-ac9e-51d1-b27d-2a9da6d75a3d_LDAP-Server-1.0_2012-01-18.xva.gz ( 380M )
910cbd07-3dde-974d-5595-3021103ad656_File-Server-1.0_2012-01-18.xva.gz ( 78G )
9e07177c-5bee-61a3-f743-6675f6a6a81e_DNS-Server-2.0_2012-01-18.xva.gz ( 435M )
f8c2291a-a387-69ca-a95e-e0383f717f83_Debian-Desktop-1.0_2012-01-18.xva.gz ( 1.1G )
 

Xen XCP Shutdown all virtual machines which are running and are using the Xen XCP’s guest tools

This simple script lets read the uuid and name about each Xen XCP’s VM and shutdown one by one if the Xen Guest Tools are installed in each VM

Take care about NFS’s mounts because if the NFS server goes offline before the NFS clients then you must stop the services manually before the shutdown process will be effective

The script must be runned as Xen XCP domain administrator privileges

Shutdown.bash

      1 #/bin/bash
      2
      3 DATESTAMP=$(date +%F)
      4
      5 UUIDS=$(xe vm-list | grep uuid | awk -F: ‘ { print $2 }’ | sed ‘s/ //g’)
      6
      7 for UUID in $UUIDS
      8 do
      9         NAME=$(xe vm-list uuid=$UUID | grep name | awk -F: ‘ { print $2 }’ | sed ‘s/ //g’)
     10         if [ $NAME != "Controldomainonhost" ]; then
     11                 xe vm-shutdown uuid=$UUID
     12                 if [ $? -eq 0 ]; then
     13                         echo -e "The virtual machine $NAME has been stopped"
     14                 else
     15                         echo -e "Can not stop the virtual machine $NAME"
     16                 fi
     17         fi
     18 done
     19
     20
     21 #shutdown -h now
 

Console stdout

[root@thor Script]# bash Shutdown.bash
The virtual machine Application-Server-01 has been stopped
The virtual machine LDAP-Server-1.0 has been stopped
The virtual machine LDAP-Server-2.0 has been stopped
The virtual machine File-Server-1.0 has been stopped
The virtual machine Web-Server-2.0 has been stopped
The virtual machine File-Server-2.0 has been stopped
You attempted an operation on a VM that was not in an appropriate power state at  the time; for example, you attempted to start a VM that was already running.  The parameters returned are the VM’s handle, and the expected and actual VM state at the time of the call.
vm: 10761c7f-70a2-1263-43d4-53fdd059cf81 (Log-Server-1.0)
expected: running
actual: halted
Can not stop the virtual machine Log-Server-1.0
The virtual machine Application-Server-03 has been stopped
The virtual machine Debian-Desktop-1.0 has been stopped
The virtual machine DNS-Server-1.0 has been stopped
The virtual machine Application-Server-02 has been stopped
The virtual machine DNS-Server-2.0 has been stopped
The virtual machine Sql-Server-1.0 has been stopped
The virtual machine Web-Server-1.0 has been stopped
The virtual machine Web-Server-3.0 has been stopped
 

LDAP Master/Provider configuration

LDAP Master/Provider configuration

Configure the LDAP Master as provider

File: provider.ldif

IOF>
# Add indexes to the frontend db.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq

#Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
-
add: olcModuleLoad
olcModuleLoad: accesslog

# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=thor,dc=loc
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE

# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00
<EOF

Copy de DB_CONFIG

shell# sudo -u openldap mkdir /var/lib/ldap/accesslog
shell# sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog/

Add the provider LDIF to the LDAP master

shell# ldapadd -Y EXTERNAL -H ldapi:/// -f provider.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
modifying entry "cn=module{0},cn=config"
adding new entry "olcDatabase={2}hdb,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={1}hdb,cn=config"
adding new entry "olcOverlay=accesslog,olcDatabase={1}hdb,cn=config"

LDAP Slave/Consumer configuration

LDAP Slave/Consumer configuration

Add the additional schema files

shell# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
shell# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
shell# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

Configure the LDAP Slave as consumer

File: consumer.ldif

#Load the syncprov module.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

# syncrepl specific indices
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://LDAP-01.thor.loc bindmethod=simple binddn="cn=admin,dc=thor,dc=loc"
 credentials=XXXX searchbase="dc=thor,dc=loc" logbase="cn=accesslog"
 logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
 type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcUpdateRef
olcUpdateRef: ldap://LDAP-01.thor.loc

Add the LDIF file to the configuration tree
shell# ldapadd -c -Y EXTERNAL -H ldapi:/// -f consumer.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"
modifying entry "olcDatabase={1}hdb,cn=config"

Default Linux configuration services such as ssh, login, etc for authentication against a LDAP server

Default Linux configuration services such as ssh, login, etc for authentication against a LDAP server

Install the PAM ldap module and NSS lib

shell# apt-get install libnss-ldap libpam-ldap ldap-utils

Configure the libnss-ldap package
LDAP server URI: ldap://LDAP-02.thor.loc:389/
Distinguished name of the search base: dc=thor,dc=loc
LDAP version to use: 3
LDAP account for root: cn=admin,dc=thor,dc=loc
LDAP root account password: XXXX

The password is stored in /etc/libnss-ldap.secret

Configure the libpam-ldap package
Allow LDAP admin account to behave like local root? Yes
Does the LDAP database require login? No
LDAP administrative account: cn=admin,dc=thor,dc=loc
LDAP administrative password: XXXX

The password is stored in /etc/pam_ldap.secret

Local encryption algorithm to use for passwords: crypt

Automatic configure about PAM files

File: /etc/pam.d/common-auth
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

File: /etc/pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 default=ignore]      pam_ldap.so
account requisite                       pam_deny.so
account required                        pam_permit.so

File: /etc/pam.d/common-password
password        [success=2 default=ignore]      pam_unix.so obscure sha512
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so

File: /etc/pam.d/common-session
session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required                pam_unix.so
session optional                        pam_ldap.so
session optional             pam_mkhomedir.so skel=/etc/skel umask=077

File: /etc/pam.d/common-session-noninteractive
session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required                pam_unix.so
session optional                        pam_ldap.so

Manual NSS configuration

File /etc/nsswitch.conf

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       ldap
 

Base installation about slapd daemon

Base installation about slapd daemon

shell# apt-get install slapd ldap-utils

Provide the LDAP administrator password

Setting up libltdl7 (2.2.6b-2) …
Setting up libperl5.10 (5.10.1-17squeeze2) …
Setting up libslp1 (1.2.1-7.8) …
Setting up ldap-utils (2.4.23-7.2) …
Setting up odbcinst (2.2.14p2-1) …
Setting up odbcinst1debian2 (2.2.14p2-1) …
Setting up unixodbc (2.2.14p2-1) …
Setting up slapd (2.4.23-7.2) …
  Creating new user openldap… done.
  Creating initial configuration… done.
  Creating LDAP directory… done.
Starting OpenLDAP: slapd.

Test the slapd daemon
root@LDAP-02:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}hdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}hdb,cn=config

Setup the SHA LDAP administrator password in the config database
shell# slappasswd
{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXX

shell# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

Cute & Paste

dn: olcDatabase={0}config,cn=config
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXX
modifying entry "olcDatabase={0}config,cn=config"

Display the LDAP server configuration

shell# slapcat
dn: dc=thor,dc=loc
objectClass: top
objectClass: dcObject
objectClass: organization
o: thor.loc
dc: thor
structuralObjectClass: organization
entryUUID: c4db9414-a018-1030-8c55-0544f97800ac
creatorsName: cn=admin,dc=thor,dc=loc
createTimestamp: 20111110185139Z
entryCSN: 20111110185139.949528Z#000000#000#000000
modifiersName: cn=admin,dc=thor,dc=loc
modifyTimestamp: 20111110185139Z

dn: cn=admin,dc=thor,dc=loc
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9bjMvbzA1UnFWTGFYTlBUMzlPZUxJNlBEZXNzZUhlN24=
structuralObjectClass: organizationalRole
entryUUID: c503f1b6-a018-1030-8c56-0544f97800ac
creatorsName: cn=admin,dc=thor,dc=loc
createTimestamp: 20111110185140Z
entryCSN: 20111110185140.214073Z#000000#000#000000
modifiersName: cn=admin,dc=thor,dc=loc
modifyTimestamp: 20111110185140Z

Configure the LDAP database

File: config.ldif

IOF>
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=thor,dc=loc
-
replace: olcRootDN
olcRootDN: cn=admin,dc=thor,dc=loc
-
replace: olcAccess
olcAccess: to attrs=userPassword by dn="cn=admin,dc=thor,dc=loc" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=thor,dc=loc" write by * read
-
<EOF

shell# ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"

Test the new configuration

sheel# ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcLastMod: TRUE
olcRootPW: {SSHA}n3/o05RqVLaXNPT39OeLI6PDesseHe7n
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcSuffix: dc=thor,dc=loc
olcRootDN: cn=admin,dc=thor,dc=loc
olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=thor,dc=loc" write by a
 nonymous auth by self write by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=admin,dc=thor,dc=loc" write by * read