-
For a laptop, centralized user directories and password checking is
-a bit troubling. Laptops are typically used also when not connected
-to the network, and it is vital for a user to be able to log in or
-unlock the screen saver also when a central server is unavailable.
-This is possible by caching passwords and directory information (user
-and group attributes) locally, and the packages to do so are available
-in Debian. Here follow two recipes to set this up in Debian/Squeeze.
-It is also possible to set up in Debian/Lenny, but require more manual
-setup there because pam-auth-update is missing in Lenny.
-
-
LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir
-
-This is the traditional method with a twist. The password caching is
-provided by libpam-ccreds (version 10-4 or later is needed on
-Squeeze), and the directory caching is done by nscd. The directory
-lookup and password checking is done using LDAP. If one want to use
-Kerberos for password checking the libpam-ldapd package can be
-replaced with libpam-krb5 or libpam-heimdal. If one is happy having a
-local home directory with the path listed in LDAP, one can use the
-pam_mkhomedir module from pam-modules to make this happen instead of
-using libpam-mklocaluser. A setup for pam-auth-update to enable
-pam_mkhomedir will have to be written until a fix for
-
bug #568577 is in the
-archive. Because I believe it is a bad idea to have local home
-directories using misleading paths like /site/server/partition/, I
-prefer to create a local user with the home directory in /home/. This
-is done using the libpam-mklocaluser package.
-
-
These packages need to be installed and configured
-
-
-libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
-
-
-
The ldapd packages will ask for LDAP connection information, and
-one have to fill in the values that fits ones own site. Make sure the
-PAM part uses encrypted connections, to make sure the password is not
-sent in clear text to the LDAP server. I've been unable to get TLS
-certificate checking for a self signed certificate working, which make
-LDAP authentication unsafe for Debian Edu (nslcd is not checking if it
-is talking to the correct LDAP server), and very much welcome feedback
-on how to get this working.
-
-
Because nscd do not have a default configuration fit for offline
-caching until bug #485282
-is fixed, this configuration should be used instead of the one
-currently in /etc/nscd.conf. The changes are in the fields
-reload-count and positive-time-to-live, and is based on the
-instructions I found in the
-LDAP for Mobile Laptops
-instructions by Flyn Computing.
-
-
- debug-level 0
- reload-count unlimited
- paranoia no
-
- enable-cache passwd yes
- positive-time-to-live passwd 2592000
- negative-time-to-live passwd 20
- suggested-size passwd 211
- check-files passwd yes
- persistent passwd yes
- shared passwd yes
- max-db-size passwd 33554432
- auto-propagate passwd yes
-
- enable-cache group yes
- positive-time-to-live group 2592000
- negative-time-to-live group 20
- suggested-size group 211
- check-files group yes
- persistent group yes
- shared group yes
- max-db-size group 33554432
- auto-propagate group yes
-
- enable-cache hosts no
- positive-time-to-live hosts 2592000
- negative-time-to-live hosts 20
- suggested-size hosts 211
- check-files hosts yes
- persistent hosts yes
- shared hosts yes
- max-db-size hosts 33554432
-
- enable-cache services yes
- positive-time-to-live services 2592000
- negative-time-to-live services 20
- suggested-size services 211
- check-files services yes
- persistent services yes
- shared services yes
- max-db-size services 33554432
-
-
-
While we wait for a mechanism to update /etc/nsswitch.conf
-automatically like the one provided in
-bug #496915, the file
-content need to be manually replaced to ensure LDAP is used as the
-directory service on the machine. /etc/nsswitch.conf should normally
-look like this:
-
-
-passwd: files ldap
-group: files ldap
-shadow: files ldap
-hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
-networks: files
-protocols: files
-services: files
-ethers: files
-rpc: files
-netgroup: files ldap
-
-
-
The important parts are that ldap is listed last for passwd, group,
-shadow and netgroup.
-
-
With these changes in place, any user in LDAP will be able to log
-in locally on the machine using for example kdm, get a local home
-directory created and have the password as well as user and group
-attributes cached.
-
-
LDAP/Kerberos + nss-updatedb + libpam-ccreds +
- libpam-mklocaluser/pam_mkhomedir
-
-
Because nscd have had its share of problems, and seem to have
-problems doing proper caching, I've seen suggestions and recipes to
-use nss-updatedb to copy parts of the LDAP database locally when the
-LDAP database is available. I have not tested such setup, because I
-discovered sssd.
-
-
LDAP/Kerberos + sssd + libpam-mklocaluser
-
-
A more flexible and robust setup than the nscd combination
-mentioned earlier that has shown up recently, is the
-sssd package from Redhat.
-It is part of the FreeIPA project
-to provide a Active Directory like directory service for Linux
-machines. The sssd system combines the caching of passwords and user
-information into one package, and remove the need for nscd and
-libpam-ccreds. It support LDAP and Kerberos, but not NIS. Version
-1.2 do not support netgroups, but it is said that it will support this
-in version 1.5 expected to show up later in 2010. Because the
-sssd package
-was missing in Debian, I ended up co-maintaining it with Werner, and
-version 1.2 is now in testing.
-
-
These packages need to be installed and configured to get the
-roaming setup I want
-
-
-libpam-sss libnss-sss libpam-mklocaluser
-
-
-The complete setup of sssd is done by editing/creating
-
/etc/sssd/sssd.conf.
-
-
-[sssd]
-config_file_version = 2
-reconnection_retries = 3
-sbus_timeout = 30
-services = nss, pam
-domains = INTERN
-
-[nss]
-filter_groups = root
-filter_users = root
-reconnection_retries = 3
-
-[pam]
-reconnection_retries = 3
-
-[domain/INTERN]
-enumerate = false
-cache_credentials = true
-
-id_provider = ldap
-auth_provider = ldap
-chpass_provider = ldap
-
-ldap_uri = ldap://ldap
-ldap_search_base = dc=skole,dc=skolelinux,dc=no
-ldap_tls_reqcert = never
-ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
-
-
-
I got the same problem here with certificate checking. Had to set
-"ldap_tls_reqcert = never" to get it working.
-
-
With the libnss-sss package in testing at the moment, the
-nsswitch.conf file is update automatically, so there is no need to
-modify it manually.
-
-
If you want to help out with implementing this for Debian Edu,
-please contact us on debian-edu@lists.debian.org.
+
Via en
+blogpost fra Simon Phipps i går, fant jeg en referanse til
+en
+artikkel i Washington Times som igjen refererer til en artikkel i
+det fagfellevurderte tidsskriftet Journal of Transportation Security
+med tittelen
+"An
+evaluation of airport x-ray backscatter units based on image
+characteristics" som enkelt konstaterer at
+pornoscannerne
+som kler av reisende på flyplasser ikke er i stand til å avsløre det
+produsenten og amerikanske myndigheter sier de skal avsløre. Kort
+sagt, de bedrer ikke sikkerheten. Reisende må altså la ansatte på
+flyplasser se dem
+nakne eller la seg beføle i skrittet uten grunn. Jeg vil
+fortsette å nekte å bruke disse pornoskannerne, unngå flyplasser der
+de er tatt i bruk, og reise med andre transportmidler enn fly hvis jeg
+kan.