From: root
Date: Tue, 5 May 2009 14:26:47 +0000 (+0200)
Subject: Merge commit 'origin/template' into ldap
X-Git-Url: https://git.stderr.nl/gitweb?a=commitdiff_plain;h=1986cdeccd75c56fd2a4833461f18be634f6b039;hp=69608f04d4132ee8909f1d9b17f74948ad035242;p=matthijs%2Fservers%2Fdrsnuggles.git

Merge commit 'origin/template' into ldap

* commit 'origin/template':
rsyslog: Make the main queue disk-assisted as well.
rsyslog: Enable queuing of log messages.
nss: Add some comments.
rsyslog: Send all logs to the log vserver.
rsyslog: Move all rsyslog log files into a subdir.
rsyslog: Update logrotate config to new rsyslog config.
rsyslog: Add default logrotate config.
rsyslog: Disable logging of kernel messages.
rsyslog: Enable loggin of mark lines.
rsyslog: Clean up rsyslog configuration.
rsyslog: Add default configuration.
pam: Add pam_permit to the auth section of chfn.
nss: Update to use our custom LDAP schema.
apt: Set the Default-Release to "stable".
pam: Let pam.d/cron include common-account.
pam: Let pam.d/su include common{account,session}.
pam: Make common-account also support unix users.
pam: Add .so to module names in pam.d/other.
---

diff --git a/etc/apt/apt.conf.d/10default-release b/etc/apt/apt.conf.d/10default-release
new file mode 100644
index 0000000..4143a94
--- /dev/null
+++ b/etc/apt/apt.conf.d/10default-release
@@ -0,0 +1 @@
+APT::Default-Release "stable";
diff --git a/etc/libnss-ldap.conf b/etc/libnss-ldap.conf
index d4991e1..32b8645 100644
--- a/etc/libnss-ldap.conf
+++ b/etc/libnss-ldap.conf
@@ -11,3 +11,12 @@ uri ldap://ldap.drsnuggles.stderr.nl
 # The LDAP version to use
 ldap_version 3
+
+# Use the uniqueMember property, referring to dn's instead of the memberUid
+# property referring to usernames. This allows us to have group members with or
+# without an account, and give a group member an account without having to
+# change all his memberships.
+nss_schema rfc2307bis
+
+# Use our custom posixGroup replacement
+nss_map_objectclass posixGroup simplePosixGroup
diff --git a/etc/logrotate.d/rsyslog b/etc/logrotate.d/rsyslog
new file mode 100644
index 0000000..5682508
--- /dev/null
+++ b/etc/logrotate.d/rsyslog
@@ -0,0 +1,26 @@
+/var/log/rsyslog/syslog
+{
+ rotate 7
+ daily
+ missingok
+ notifempty
+ delaycompress
+ compress
+ postrotate
+ invoke-rc.d rsyslog reload > /dev/null
+ endscript
+}
+
+/var/log/rsyslog/*.log
+{
+ rotate 4
+ weekly
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ invoke-rc.d rsyslog reload > /dev/null
+ endscript
+}
diff --git a/etc/pam.d/chfn b/etc/pam.d/chfn
index efbc34b..58e1d48 100644
--- a/etc/pam.d/chfn
+++ b/etc/pam.d/chfn
@@ -4,3 +4,4 @@
 # This allows only root to change user infomation at all.
 auth required pam_rootok.so
+account required pam_permit.so
diff --git a/etc/pam.d/common-account b/etc/pam.d/common-account
index 963b696..9d8619e 100644
--- a/etc/pam.d/common-account
+++ b/etc/pam.d/common-account
@@ -9,5 +9,11 @@
 # Default was:
 #account required pam_unix.so
 #
-# LDAP config based on from http://wiki.debian.org/LDAP/PAM
-account required pam_ldap.so
+# pam_unix does general checks based on NSS info, so it also works for ldap
+# users.
+account required pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute) but needs to be ignored when it does not know about a user.
+account [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
+ pam_ldap.so
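Review bot: The added `account required pam_permit.so` line carries no explanation, and the `# This allows only root ...` comment above it describes only the auth line. With pam_rootok.so as the sole, `required` auth module the account phase is presumably reached only by uid 0, and without this line pam.d/other would deny it with pam_deny.so, so that is the reasoning worth recording next to it: `# Only root passes the auth stack above, so the account phase can be permitted unconditionally (pam.d/other would otherwise deny it).`. It also means pam_unix's account checks are skipped for root here; confirm that is intended.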
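Review bot: The new control spec `[success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad]` maps every pam_ldap result other than the four listed ones to `default=bad`, so an unreachable LDAP server (which presumably yields authinfo_unavail rather than user_unknown) fails the account phase for local users too, root included. Since pam.d/cron and pam.d/su now `@include common-account` in this same commit, an LDAP outage would then also block root's cron jobs and su. If failing closed is the intent, record it next to the line, e.g. `# Any other result, notably authinfo_unavail when the LDAP server is down, fails the stack for local users as well.`; if not, decide explicitly how authinfo_unavail should be handled instead of leaving it to the default.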
diff --git a/etc/pam.d/cron b/etc/pam.d/cron
index 938d30f..d85f413 100644
--- a/etc/pam.d/cron
+++ b/etc/pam.d/cron
@@ -2,15 +2,13 @@
 # The PAM configuration file for the cron daemon
 #
+# cron uses pam_set_cred so it needs a working auth section. It does not do
+# any other real authentication.
 auth sufficient pam_unix.so
-@include common-auth
-# This is required instead of sufficient, since pam_unix mostly does checks
-# based on NSS, so this will also work for ldap users.
-account required pam_unix.so
-# We use a custom control spec so we won't fail on user_unknown special
-account [success=ok new_authtok_reqd=ok user_unknown=ignore ignore=ignore default=bad] pam_ldap.so
+@include common-auth
+@include common-account
 @include common-session
diff --git a/etc/pam.d/other b/etc/pam.d/other
index 867cf91..f7ff035 100644
--- a/etc/pam.d/other
+++ b/etc/pam.d/other
@@ -8,7 +8,7 @@
 #
 # We deny any pam calls not explicitely allowed elsewhere.
-auth required pam_deny
-account required pam_deny
-session required pam_deny
-password required pam_deny
+auth required pam_deny.so
+account required pam_deny.so
+session required pam_deny.so
+password required pam_deny.so
diff --git a/etc/pam.d/su b/etc/pam.d/su
index ab107da..eabc909 100644
--- a/etc/pam.d/su
+++ b/etc/pam.d/su
@@ -4,3 +4,5 @@
 # This allows root to su without passwords (normal operation)
 auth sufficient pam_rootok.so
+@include common-account
+@include common-session
diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf
new file mode 100644
index 0000000..c6e706b
--- /dev/null
+++ b/etc/rsyslog.conf
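Review bot: The new comment says cron `needs a working auth section` but does not describe the stack it sits above: `auth sufficient pam_unix.so` ends the stack as soon as it succeeds (presumably also for pam_setcred), so the re-added `@include common-auth` on the next line is only consulted when pam_unix does not succeed. If that fallback is intentional, say so, e.g. `# pam_unix normally succeeds and ends the stack; common-auth is only consulted if it does not.`; if common-auth was meant to run for every user, the sufficient line needs to go or become `required`. I cannot see common-auth itself, so this is inferred from the visible control flags only.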
@@ -0,0 +1,103 @@
+# /etc/rsyslog.conf Configuration file for rsyslog v3.
+#
+# For more information see
+# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad immark # provides --MARK-- message capability
+$MarkMessagePeriod 900 # mark messages appear every 15 Minutes
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+# Store any queues here. This directory is not created automatically, so it
+# must already exist!
+$WorkDirectory /var/spool/rsyslog
+
+# Use a (disk-assisted) main queue
+# Use a linked list for queueing
+$MainMsgQueueType LinkedList
+# Name to use for the queue file
+$MainMsgQueueFileName main
+# save in-memory data if rsyslog shuts down
+$MainMsgQueueSaveOnShutdown on
+
+#######################
+#### Local logging ####
+#######################
+
+#
+# Log each facility into its own log
+auth,authpriv.* /var/log/rsyslog/auth.log
+cron.* -/var/log/rsyslog/user.log
+daemon.* -/var/log/rsyslog/daemon.log
+kern.* -/var/log/rsyslog/kern.log
+lpr.* -/var/log/rsyslog/lpr.log
+mail.* -/var/log/rsyslog/mail.log
+user.* -/var/log/rsyslog/user.log
+local0,local1,local2,\
+ local3,local4,local5,\
+ local6,local7.* -/var/log/rsyslog/local.log
+
+# Omitted facilities: syslog, news, uucp, ftp
+
+# All logs end up in syslog as weel as the corresponding facility log above
+# (except for auth, mail which only end up in the facility log for privacy
+# reasons and debug which only ends up in the debug log below to prevent
+# flooding).
+*.*;\
+ *.!=debug;\
+ auth,authpriv.none;\
+ mail.none -/var/log/rsyslog/syslog
+
+# Debug entries end up in debug.log as well as the corresponding facility log
+# above (except for auth and mail, which only end up in the facility logs for
+# privacy reasons).
+*.=debug;\
+ auth,authpriv.none;\
+ news.none;mail.none -/var/log/rsyslog/debug.log
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg *
+
+########################
+#### Remote logging ####
+########################
+
+# Send all log entries to the log vserver, but queue them in memory as well as
+# on disk if needed.
+# Use a linked list for queueing
+$ActionQueueType LinkedList
+# Name to use for the queue file
+$ActionQueueFileName remote
+# infinite retries on insert failure
+$ActionResumeRetryCount -1
+# save in-memory data if rsyslog shuts down
+$ActionQueueSaveOnShutdown on
+*.* @@log;RSYSLOG_SyslogProtocol23Format
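Review bot: `cron.* -/var/log/rsyslog/user.log` routes the cron facility into user.log, which contradicts the `# Log each facility into its own log` comment just above and merges cron output with `user.*`; this looks like a copy-paste slip and should read `cron.* -/var/log/rsyslog/cron.log` (the `*.log` stanza of the new logrotate config already covers such a file). The remote action `*.* @@log;RSYSLOG_SyslogProtocol23Format` forwards everything, including the auth/authpriv and mail entries the comments deliberately keep out of the local syslog file, over plain TCP with no transport protection, so the trust placed in the path to the log vserver deserves a line next to it, e.g. `# Plain TCP, unencrypted: assumes the link to the log vserver is trusted.`. Minor: `weel` in the syslog comment should be `well`.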