projects / matthijs / servers / drsnuggles.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw (from parent 1: 69608f0)
Merge commit 'origin/template' into ldap
authorroot <root@drsnuggles.stderr.nl>
Tue, 5 May 2009 14:26:47 +0000 (16:26 +0200)
committerroot <root@drsnuggles.stderr.nl>
Tue, 5 May 2009 14:26:47 +0000 (16:26 +0200)
* commit 'origin/template':
  rsyslog: Make the main queue disk-assisted as well.
  rsyslog: Enable queuing of log messages.
  nss: Add some comments.
  rsyslog: Send all logs to the log vserver.
  rsyslog: Move all rsyslog log files into a subdir.
  rsyslog: Update logrotate config to new rsyslog config.
  rsyslog: Add default logrotate config.
  rsyslog: Disable logging of kernel messages.
  rsyslog: Enable loggin of mark lines.
  rsyslog: Clean up rsyslog configuration.
  rsyslog: Add default configuration.
  pam: Add pam_permit to the auth section of chfn.
  nss: Update to use our custom LDAP schema.
  apt: Set the Default-Release to "stable".
  pam: Let pam.d/cron include common-account.
  pam: Let pam.d/su include common{account,session}.
  pam: Make common-account also support unix users.
  pam: Add .so to module names in pam.d/other.

etc/apt/apt.conf.d/10default-release [new file with mode: 0644] patch | blob
etc/libnss-ldap.conf patch | blob | history
etc/logrotate.d/rsyslog [new file with mode: 0644] patch | blob
etc/pam.d/chfn patch | blob | history
etc/pam.d/common-account patch | blob | history
etc/pam.d/cron patch | blob | history
etc/pam.d/other patch | blob | history
etc/pam.d/su patch | blob | history
etc/rsyslog.conf [new file with mode: 0644] patch | blob

diff --git a/etc/apt/apt.conf.d/10default-release b/etc/apt/apt.conf.d/10default-release
new file mode 100644 (file)
index 0000000..4143a94
--- /dev/null
+++ b/etc/apt/apt.conf.d/10default-release
@@ -0,0 +1 @@
+APT::Default-Release "stable";
diff --git a/etc/libnss-ldap.conf b/etc/libnss-ldap.conf
index d4991e1d4a19d5a52d12fad5df0518a232eb3316..32b8645997edd7c3170292ec6cb6398614ae1278 100644 (file)
--- a/etc/libnss-ldap.conf
+++ b/etc/libnss-ldap.conf
@@ -11,3 +11,12 @@ uri ldap://ldap.drsnuggles.stderr.nl
 
 # The LDAP version to use
 ldap_version 3
+
+# Use the uniqueMember property, referring to dn's instead of the memberUid
+# property referring to usernames. This allows us to have group members with or
+# without an account, and give a group member an account without having to
+# change all his memberships.
+nss_schema rfc2307bis
+
+# Use our custom posixGroup replacement
+nss_map_objectclass posixGroup simplePosixGroup 
diff --git a/etc/logrotate.d/rsyslog b/etc/logrotate.d/rsyslog
new file mode 100644 (file)
index 0000000..5682508
--- /dev/null
+++ b/etc/logrotate.d/rsyslog
@@ -0,0 +1,26 @@
+/var/log/rsyslog/syslog
+{
+       rotate 7
+       daily
+       missingok
+       notifempty
+       delaycompress
+       compress
+       postrotate
+               invoke-rc.d rsyslog reload > /dev/null
+       endscript
+}
+
+/var/log/rsyslog/*.log
+{
+       rotate 4
+       weekly
+       missingok
+       notifempty
+       compress
+       delaycompress
+       sharedscripts
+       postrotate
+               invoke-rc.d rsyslog reload > /dev/null
+       endscript
+}
diff --git a/etc/pam.d/chfn b/etc/pam.d/chfn
index efbc34b954757ea2d8c7daa4a6f8d80b34bdaa10..58e1d48b2ecd64ed5b88e1fc5e2269da13be42ac 100644 (file)
--- a/etc/pam.d/chfn
+++ b/etc/pam.d/chfn
@@ -4,3 +4,4 @@
 
 # This allows only root to change user infomation at all.
 auth           required        pam_rootok.so
+account         required        pam_permit.so
diff --git a/etc/pam.d/common-account b/etc/pam.d/common-account
index 963b69665b81883d80b384d4ab534d673ee3bec4..9d8619edfdc269bf39a77030f4cf178daba510d8 100644 (file)
--- a/etc/pam.d/common-account
+++ b/etc/pam.d/common-account
@@ -9,5 +9,11 @@
 # Default was:
 #account       required        pam_unix.so
 #
-# LDAP config based on from http://wiki.debian.org/LDAP/PAM
-account         required        pam_ldap.so
+# pam_unix does general checks based on NSS info, so it also works for ldap
+# users.
+account                required        pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute) but needs to be ignored when it does not know about a user.
+account         [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
+                                pam_ldap.so
diff --git a/etc/pam.d/cron b/etc/pam.d/cron
index 938d30f297dc0ef8cfb5651bb6385a9ce9f345cd..d85f4138357ec080003270e3843e818d68b6ee48 100644 (file)
--- a/etc/pam.d/cron
+++ b/etc/pam.d/cron
@@ -2,15 +2,13 @@
 # The PAM configuration file for the cron daemon
 #
 
+# cron uses pam_set_cred so it needs a working auth section. It does not do
+# any other real authentication.
 auth          sufficient          pam_unix.so
-@include      common-auth
 
-# This is required instead of sufficient, since pam_unix mostly does checks
-# based on NSS, so this will also work for ldap users.
-account       required          pam_unix.so
-# We use a custom control spec so we won't fail on user_unknown special
-account       [success=ok new_authtok_reqd=ok user_unknown=ignore ignore=ignore default=bad] pam_ldap.so
+@include      common-auth
 
+@include      common-account
 
 @include      common-session
 
diff --git a/etc/pam.d/other b/etc/pam.d/other
index 867cf9172956768ea8ab3ccc44445c3f6d30f35a..f7ff035277bb650c4c15e79931db179d6d536d80 100644 (file)
--- a/etc/pam.d/other
+++ b/etc/pam.d/other
@@ -8,7 +8,7 @@
 #
 # We deny any pam calls not explicitely allowed elsewhere.
 
-auth        required pam_deny
-account     required pam_deny
-session     required pam_deny
-password    required pam_deny
+auth        required pam_deny.so
+account     required pam_deny.so
+session     required pam_deny.so
+password    required pam_deny.so
diff --git a/etc/pam.d/su b/etc/pam.d/su
index ab107dafb95d59cc6e511382c1871cacb3f0f798..eabc90992852d77b5d939467737adb13dc447cde 100644 (file)
--- a/etc/pam.d/su
+++ b/etc/pam.d/su
@@ -4,3 +4,5 @@
 
 # This allows root to su without passwords (normal operation)
 auth       sufficient pam_rootok.so
+@include   common-account
+@include   common-session
diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf
new file mode 100644 (file)
index 0000000..c6e706b
--- /dev/null
+++ b/etc/rsyslog.conf
@@ -0,0 +1,103 @@
+#  /etc/rsyslog.conf   Configuration file for rsyslog v3.
+#
+#                      For more information see 
+#                      /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad immark   # provides --MARK-- message capability
+$MarkMessagePeriod  900 # mark messages appear every 15 Minutes
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+# Store any queues here. This directory is not created automatically, so it
+# must already exist!
+$WorkDirectory /var/spool/rsyslog
+
+# Use a (disk-assisted) main queue
+# Use a linked list for queueing
+$MainMsgQueueType LinkedList
+# Name to use for the queue file
+$MainMsgQueueFileName main
+# save in-memory data if rsyslog shuts down
+$MainMsgQueueSaveOnShutdown on
+
+#######################
+#### Local logging ####
+#######################
+
+#
+# Log each facility into its own log
+auth,authpriv.*                        /var/log/rsyslog/auth.log
+cron.*                         -/var/log/rsyslog/user.log
+daemon.*                       -/var/log/rsyslog/daemon.log
+kern.*                         -/var/log/rsyslog/kern.log
+lpr.*                          -/var/log/rsyslog/lpr.log
+mail.*                         -/var/log/rsyslog/mail.log
+user.*                         -/var/log/rsyslog/user.log
+local0,local1,local2,\
+       local3,local4,local5,\
+       local6,local7.*         -/var/log/rsyslog/local.log
+
+# Omitted facilities: syslog, news, uucp, ftp
+
+# All logs end up in syslog as weel as the corresponding facility log above
+# (except for auth, mail which only end up in the facility log for privacy
+# reasons and debug which only ends up in the debug log below to prevent
+# flooding).
+*.*;\
+       *.!=debug;\
+       auth,authpriv.none;\
+       mail.none               -/var/log/rsyslog/syslog
+
+# Debug entries end up in debug.log as well as the corresponding facility log
+# above (except for auth and mail, which only end up in the facility logs for
+# privacy reasons).
+*.=debug;\
+       auth,authpriv.none;\
+       news.none;mail.none     -/var/log/rsyslog/debug.log
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg                                *
+
+########################
+#### Remote logging ####
+########################
+
+# Send all log entries to the log vserver, but queue them in memory as well as
+# on disk if needed.
+# Use a linked list for queueing
+$ActionQueueType LinkedList
+# Name to use for the queue file
+$ActionQueueFileName remote
+# infinite retries on insert failure
+$ActionResumeRetryCount -1
+# save in-memory data if rsyslog shuts down
+$ActionQueueSaveOnShutdown on
+*.*                            @@log;RSYSLOG_SyslogProtocol23Format
Configuration files for drsnuggles.stderr.nl