Integrando o Debian 8 Jessie à base LDAP do campus SJ(Criação)
Revisão de 15h43min de 19 de maio de 2015 por Gabriel.souza (discussão | contribs)
O script shell foi projetado para rodar em sistema Debian versão 7 logo após a instalação. Como há o uso de correções de arquivo (patches), convém não modificar qualquer arquivo manualmente antes deste script:
#!/bin/bash
####################### Função repetição #######################
ldap () {
echo "base dc=cefetsc,dc=edu,dc=br" > $file
echo "uri ldap://200.135.37.117" >>$file
echo "ldap_version 3" >>$file
echo "bind_policy soft" >>$file
}
###############################################################
####################### Configurar LDAP #######################
configLdap() {
aptitude install -y libcurl3 smbnetfs libpam-ldap libnss-ldap nss-updatedb libpam-mount cifs-utils cups-client
## Configuração do LDAP
file=/etc/libnss-ldap.conf
ldap
file=/etc/pam_ldap.conf
ldap
file=/etc/ldap.conf
ldap
## Retirar listagem dos usuário da tela de login
echo "- /etc/gdm3/greeter.dconf-defaults"
patch -p0 -N -r /dev/null << EOF
--- /etc/gdm3/greeter.dconf-defaults-original 2013-05-17 16:52:34.188328939 -0300
+++ /etc/gdm3/greeter.dconf-defaults 2013-05-17 16:52:59.884328074 -0300
@@ -32,7 +32,7 @@
fallback-logo='/usr/share/icons/gnome/48x48/places/debian-swirl.png'
# - Disable user list
-# disable-user-list=true
+disable-user-list=true
# - Disable restart buttons
# disable-restart-buttons=true
# - Show a login welcome message
EOF
## LDAP
echo "- etc/nsswitch.conf"
cat > /etc/nsswitch.conf << EOF
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
EOF
echo "# 20150519 Integração com LDAP do IF-SC São José (1 linha)" >> /etc/pam.d/common-session
echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0077" >> /etc/pam.d/common-session
## Montando pastas de usuário e pastas compartilhadas
echo "- /etc/security/pam_mount.conf.xml"
patch -p0 -N -r /dev/null << EOF
--- /etc/security/pam_mount.conf.xml.original 2015-05-19 13:54:17.419466205 -0300
+++ /etc/security/pam_mount.conf.xml 2015-05-19 14:40:26.098519281 -0300
@@ -13,9 +13,13 @@
<debug enable="0" />
<!-- Volume definitions -->
-
+<volume user="*" uid="1000-1000000" server="dk" path="homes" mountpoint="/media/pessoal/%(USER)/%(USER)" fstype="cifs" options="dir_mode=0711,iocharset=utf8" />
+<volume user="*" uid="1000-1000000" server="dk" path="ctic" mountpoint="/media/pessoal/%(USER)/ctic" fstype="cifs" options="iocharset=utf8" />
+<volume user="*" uid="1000-1000000" server="dk" path="publico" mountpoint="/media/pessoal/%(USER)/publico" fstype="cifs" options="iocharset=utf8" />
+<volume user="*" uid="1000-1000000" server="dk" path="software" mountpoint="/media/pessoal/%(USER)/software" fstype="cifs" options="iocharset=utf8" />
<!-- pam_mount parameters: General tunables -->
+<umount>umount %(MNTPT)</umount>
<!--
<luserconf name=".pam_mount.conf.xml" />
EOF
## Configurar impressoras
echo "- /etc/cups/client.conf"
cat > /etc/cups/client.conf << EOF
ServerName dk
EOF
}
#####################################################################
######################### Começo do script #########################
## Permitindo bolctic.sj se transformar em root
echo "bolctic.sj ALL=(ALL:ALL) ALL" >> /etc/sudoers
## Adicionando fonte ao source.list
rm -r /etc/apt/sources.list
touch /etc/apt/sources.list
echo "deb http://debian.pop-sc.rnp.br/debian stable main contrib non-free" >> /etc/apt/sources.list
echo "deb http://debian.pop-sc.rnp.br/debian jessie-updates main contrib non-free" >> /etc/apt/sources.list
echo "deb http://security.debian.org/ jessie/updates main contrib non-free" >> /etc/apt/sources.list
echo "Atualizando sistema. Caso parar de responder por muito tempo espere mais um pouco."
aptitude update 1>/dev/null
aptitude safe-upgrade -y
aptitude install -y vlc unrar vim ssh libcurl3 ntfs-3g dkms cifs-utils ntp openjdk-7-jdk openjdk-7-jre icedtea-7-plugin flashplugin-nonfree pkg-mozilla-archive-keyring chromium chromium-l10n pepperflashplugin-nonfree
echo "deb http://mozilla.debian.net/ jessie-backports iceweasel-release" >> /etc/apt/sources.list
aptitude update 1>/dev/null
aptitude safe-upgrade -y
aptitude -t jessie-backports install -y libreoffice iceweasel
## Ativando o recursos auto completar
echo "- /etc/bash.bashrc"
patch -p0 -N -r /dev/null << EOF
--- /etc/bash.bashrc-original 2013-05-22 17:54:58.758238491 -0300
+++ /etc/bash.bashrc 2013-05-22 17:55:24.510237767 -0300
@@ -29,13 +29,13 @@
#esac
# enable bash completion in interactive shells
-#if ! shopt -oq posix; then
-# if [ -f /usr/share/bash-completion/bash_completion ]; then
-# . /usr/share/bash-completion/bash_completion
-# elif [ -f /etc/bash_completion ]; then
-# . /etc/bash_completion
-# fi
-#fi
+if ! shopt -oq posix; then
+ if [ -f /usr/share/bash-completion/bash_completion ]; then
+ . /usr/share/bash-completion/bash_completion
+ elif [ -f /etc/bash_completion ]; then
+ . /etc/bash_completion
+ fi
+fi
# if the command-not-found package is installed, use it
if [ -x /usr/lib/command-not-found -o -x /usr/share/command-not-found/command-not-found ]; then
EOF
## Negando acesso do aluno ao ssh
echo "DenyUsers aluno" >> /etc/ssh/sshd_config
## Configuração do NTP
cp -p /usr/share/zoneinfo/America/Sao_Paulo /etc/localtime
echo "- /etc/ntp.conf"
cat > /etc/ntp.conf << EOF
# "memoria" para o escorregamento de frequencia do micro
# pode ser necessario criar esse arquivo manualmente com
# o comando touch ntp.drift
driftfile /etc/ntp.drift
# estatisticas do ntp que permitem verificar o historico
# de funcionamento e gerar graficos
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# servidores publicos do projeto ntp.br
server a.st1.ntp.br iburst
server b.st1.ntp.br iburst
server c.st1.ntp.br iburst
server d.st1.ntp.br iburst
server gps.ntp.br iburst
server a.ntp.br iburst
server b.ntp.br iburst
server c.ntp.br iburst
# outros servidores
# server outro-servidor.dominio.br iburst
# configuracoes de restricao de acesso
restrict default kod notrap nomodify nopeer
restrict -6 default kod notrap nomodify nopeer
EOF
aptitude update 1>/dev/null
update-flashplugin-nonfree --install
aptitude safe-upgrade -y
####################### Configurar LDAP #########################
configLdap ##Comente essa linha se não quiser configurar o ldap#
#################################################################
## Fim do script
echo -n "É fortemente recomendado que você reinicie a máquina AGORA. Deseja fazer isso? [S/n]: "
read choose
case $choose in
"n" | "N")
exit
;;
"s" | "S" | "")
reboot
;;
*)
echo "Opção inválida, tente novamente mais tarde."
;;
esac
Nota: percebe-se, em Volume definitions, os compartilhamentos do servidor principal de arquivos (DK) que serão montados automaticamente - neste caso 7 (homes, tele, cgeral, licenciatura, software e comum). Pode-se, depois, adequar o arquivo /etc/security/pam_mount.conf.xml, após a execução do script, adicionando ou removendo compartilhamentos.
Configurando o wpasupplicant
Para computadores que somente tem interface wireless e precisam autenticar no LDAP:
apt-get install wpasupplicant
</syntaxhighlight>
Depois de instalar o pacote wpasupplicant é necessário criar e configurar o arquivo /etc/wpa_supplicant/wpa_supplicant.conf :
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
network={
ssid="IFSC-ADM"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="<USUÁRIO>"
password="<SENHA>"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
</syntaxhighlight>
Por último adicionar ao arquivo /etc/network/interfaces :
auto wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
</syntaxhighlight>