/etc/cfengine/debian-edu/cf.ldapclient is in debian-edu-config 1.818+deb8u2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
#
# Configure NSS and PAM to use LDAP directory
#
# This first editfiles stanza rewrites /etc/nsswitch.conf so that the listed
# databases are resolved from local files first and from LDAP second.
editfiles:
# Runs only when the debian and installation classes are set and neither
# standalone nor roaming is.
debian.installation.!standalone.!roaming::
{ /etc/nsswitch.conf
# Position the edit pointer three lines below the stock header comment;
# InsertLine below adds new entries at the pointer.
LocateLineMatching "# Example configuration of GNU Name Service Switch functionality."
IncrementPointer "3"
# Each group runs only if the exact target line is missing: any existing line
# for that database is hash-commented and the "files ldap" line is inserted.
# "files" is listed first, so a local entry takes precedence over an LDAP
# entry with the same name.
BeginGroupIfNoSuchLine "passwd: files ldap"
HashCommentLinesStarting "passwd:"
InsertLine "passwd: files ldap"
EndGroup
BeginGroupIfNoSuchLine "group: files ldap"
HashCommentLinesStarting "group:"
InsertLine "group: files ldap"
EndGroup
# Fetching shadow from LDAP is useful for expiring accounts.
# NOTE(review): which shadow attributes a client can read is decided by the
# directory's access controls, which are not visible here - confirm that
# password hashes are not exposed through this map.
BeginGroupIfNoSuchLine "shadow: files ldap"
HashCommentLinesStarting "shadow:"
InsertLine "shadow: files ldap"
EndGroup
BeginGroupIfNoSuchLine "netgroup: files ldap"
HashCommentLinesStarting "netgroup:"
InsertLine "netgroup: files ldap"
EndGroup
BeginGroupIfNoSuchLine "automount: files ldap"
HashCommentLinesStarting "automount:"
InsertLine "automount: files ldap"
EndGroup
# sudo rules are looked up in LDAP as well (the search base is written to
# /etc/ldap/ldap.conf further down in this file). Privilege policy on the
# client therefore depends on the integrity of the LDAP answers, so the TLS
# certificate checks configured for ldap.conf are part of that trust boundary.
BeginGroupIfNoSuchLine "sudoers: files ldap"
HashCommentLinesStarting "sudoers:"
InsertLine "sudoers: files ldap"
EndGroup
}
# LDAP client settings for every non-standalone installation: server, search
# bases and the CA file used to verify the server certificate.
debian.installation.!standalone::
# ## Avoid showing the GOsa template as user:
# { /etc/nslcd.conf
# AppendIfNoSuchLine "filter passwd (&(objectClass=posixAccount)(!(objectClass=gosaUserTemplate)))"
# }
{ /etc/ldap/ldap.conf
# Every BeginGroupIfNoLineMatching group below only adds a setting when no
# line for that keyword exists yet; an existing value is never changed.
# NOTE(review): HOST names the server without a URI scheme, so whether
# clients actually negotiate TLS is decided outside this file - the
# TLS_REQCERT setting below only matters once TLS is in use. Verify.
BeginGroupIfNoLineMatching "^HOST .*"
AppendIfNoSuchLine "HOST $(ldapserver)"
EndGroup
# needed for sudo-ldap:
BeginGroupIfNoLineMatching "^sudoers_base .*"
AppendIfNoSuchLine "sudoers_base ou=sudoers,$(ldapbase)"
EndGroup
# Insert the base-dn, to simplify searching the LDAP and reduce
# typing :-) [barbarossa 2004-07-01]
BeginGroupIfNoLineMatching "^BASE .*"
AppendIfNoSuchLine "BASE $(ldapbase)"
EndGroup
# We want to use the downloaded LDAP SSL certificate to verify the
# connection to the server, and disable the code to not check
# certificates, see bug #1211.
# NOTE(review): because the group is skipped when any TLS_REQCERT line is
# already present, a pre-existing weaker value (for example "never" or
# "allow") survives this run. Check the effective value on deployed hosts
# rather than assuming "demand".
BeginGroupIfNoLineMatching "^TLS_REQCERT .*"
AppendIfNoSuchLine "TLS_REQCERT demand"
EndGroup
# Appended whenever this exact line is missing; an existing TLS_CACERT line
# that points elsewhere is left in place next to it.
# NOTE(review): the comment above describes this PEM file as downloaded, so
# certificate verification is only as trustworthy as the way the file was
# obtained - confirm how it is fetched and that only root can replace it.
AppendIfNoSuchLine "TLS_CACERT /etc/ldap/ssl/ldap-server-pubkey.pem"
}
{ /etc/nslcd.conf
# Only the CA file is set for nslcd. This stanza writes no tls_reqcert, ssl
# or uri line, so whether nslcd uses TLS and how strictly it checks the
# server certificate depends on configuration not shown here - verify.
AppendIfNoSuchLine "tls_cacertfile /etc/ldap/ssl/ldap-server-pubkey.pem"
}
# Commands executed whenever their class expression matches. All
# binaries are called by absolute path. Every apt-get call uses "purge -y",
# i.e. it removes the package together with its configuration files and
# answers confirmation prompts automatically.
shellcommands:
# Roaming installations get their own setup tool instead of the nsswitch
# edits, which are limited to !roaming.
debian.installation.roaming::
"/usr/share/debian-edu-config/tools/setup-roaming"
# Workaround for bug #591773 in nslcd
# FIXME Check if nslcd still pull in libpam-ldapd (bug #591773)
# NOTE(review): with the LDAP PAM module purged, password checking has to be
# done by another PAM module that this file does not configure - confirm
# which one, and that purging here cannot leave a host without a working
# authentication path.
debian.installation.!standalone::
"/usr/bin/apt-get purge -y libpam-ldapd"
# Avoid the Network Manager GUI client on stationary machines. The users
# can not change the config anyway.
debian.installation.!standalone.!roaming::
"/usr/bin/apt-get purge -y plasma-widget-networkmanagement"
# Avoid packages pulled in by cifs-utils (winbind being a Recommends) and
# winbind (libpam-winbind and libnss-winbind will be purged along
# with winbind).
# FIXME Check if cifs-utils still pull in libpam-winbind (bug #706434).
# Applies to every installation, including standalone and roaming ones.
# NOTE(review): a non-interactive purge also removes packages that depend on
# the named one without asking; review the apt log after a run.
debian.installation::
"/usr/bin/apt-get purge -y winbind"