Work on Bookworm image nss-ldap
The classic libnss-ldap has been removed from Bookworm. nslcd is needed to make the new libnss-ldapd work.
This commit is contained in:
parent
b56b02ab1e
commit
d2dfa332d3
5 changed files with 39 additions and 328 deletions
|
@ -7,7 +7,7 @@ RUN apt-get update \
|
||||||
apt-get install -y --no-install-recommends \
|
apt-get install -y --no-install-recommends \
|
||||||
ca-certificates \
|
ca-certificates \
|
||||||
dumb-init \
|
dumb-init \
|
||||||
libnss-ldap \
|
libnss-ldapd \
|
||||||
nullmailer \
|
nullmailer \
|
||||||
openssl \
|
openssl \
|
||||||
php-mail-mime \
|
php-mail-mime \
|
||||||
|
@ -33,4 +33,4 @@ RUN apt-get update \
|
||||||
# broken as of Tue Nov 15 07:42:37 CET 2022
|
# broken as of Tue Nov 15 07:42:37 CET 2022
|
||||||
# php-mail https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000653
|
# php-mail https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000653
|
||||||
|
|
||||||
ADD --chown=root:root nsswitch.conf libnss-ldap.conf /etc/
|
ADD --chown=root:root nsswitch.conf nslcd.conf /etc/
|
||||||
|
|
|
@ -1,323 +0,0 @@
|
||||||
###DEBCONF###
|
|
||||||
# the configuration of this file will be done by debconf as long as the
|
|
||||||
# first line of the file says '###DEBCONF###'
|
|
||||||
#
|
|
||||||
# you should use dpkg-reconfigure libnss-ldap to configure this file.
|
|
||||||
#
|
|
||||||
# @(#)$Id: ldap.conf,v 2.48 2008/07/03 02:30:29 lukeh Exp $
|
|
||||||
#
|
|
||||||
# This is the configuration file for the LDAP nameservice
|
|
||||||
# switch library and the LDAP PAM module.
|
|
||||||
#
|
|
||||||
# PADL Software
|
|
||||||
# http://www.padl.com
|
|
||||||
#
|
|
||||||
|
|
||||||
# Your LDAP server. Must be resolvable without using LDAP.
|
|
||||||
# Multiple hosts may be specified, each separated by a
|
|
||||||
# space. How long nss_ldap takes to failover depends on
|
|
||||||
# whether your LDAP client library supports configurable
|
|
||||||
# network or connect timeouts (see bind_timelimit).
|
|
||||||
#host 127.0.0.1
|
|
||||||
|
|
||||||
# The distinguished name of the search base.
|
|
||||||
base dc=gnuviech,dc=internal
|
|
||||||
|
|
||||||
# Another way to specify your LDAP server is to provide an
|
|
||||||
uri ldap://10.0.0.11/
|
|
||||||
# Unix Domain Sockets to connect to a local LDAP Server.
|
|
||||||
#uri ldap://127.0.0.1/
|
|
||||||
#uri ldaps://127.0.0.1/
|
|
||||||
#uri ldapi://%2fvar%2frun%2fldapi_sock/
|
|
||||||
# Note: %2f encodes the '/' used as directory separator
|
|
||||||
|
|
||||||
# The LDAP version to use (defaults to 3
|
|
||||||
# if supported by client library)
|
|
||||||
ldap_version 3
|
|
||||||
|
|
||||||
# The distinguished name to bind to the server with.
|
|
||||||
# Optional: default is to bind anonymously.
|
|
||||||
# Please do not put double quotes around it as they
|
|
||||||
# would be included literally.
|
|
||||||
#binddn cn=proxyuser,dc=padl,dc=com
|
|
||||||
|
|
||||||
# The credentials to bind with.
|
|
||||||
# Optional: default is no credential.
|
|
||||||
#bindpw secret
|
|
||||||
|
|
||||||
# The distinguished name to bind to the server with
|
|
||||||
# if the effective user ID is root. Password is
|
|
||||||
# stored in /etc/libnss-ldap.secret (mode 600)
|
|
||||||
# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
|
|
||||||
# of an editor to create the file.
|
|
||||||
#rootbinddn cn=manager,dc=example,dc=net
|
|
||||||
|
|
||||||
# The port.
|
|
||||||
# Optional: default is 389.
|
|
||||||
#port 389
|
|
||||||
|
|
||||||
# The search scope.
|
|
||||||
#scope sub
|
|
||||||
#scope one
|
|
||||||
#scope base
|
|
||||||
|
|
||||||
# Search timelimit
|
|
||||||
#timelimit 30
|
|
||||||
|
|
||||||
# Bind/connect timelimit
|
|
||||||
#bind_timelimit 30
|
|
||||||
|
|
||||||
# Reconnect policy:
|
|
||||||
# hard_open: reconnect to DSA with exponential backoff if
|
|
||||||
# opening connection failed
|
|
||||||
# hard_init: reconnect to DSA with exponential backoff if
|
|
||||||
# initializing connection failed
|
|
||||||
# hard: alias for hard_open
|
|
||||||
# soft: return immediately on server failure
|
|
||||||
#bind_policy hard
|
|
||||||
|
|
||||||
# Connection policy:
|
|
||||||
# persist: DSA connections are kept open (default)
|
|
||||||
# oneshot: DSA connections destroyed after request
|
|
||||||
#nss_connect_policy persist
|
|
||||||
|
|
||||||
# Idle timelimit; client will close connections
|
|
||||||
# (nss_ldap only) if the server has not been contacted
|
|
||||||
# for the number of seconds specified below.
|
|
||||||
#idle_timelimit 3600
|
|
||||||
|
|
||||||
# Use paged rseults
|
|
||||||
#nss_paged_results yes
|
|
||||||
|
|
||||||
# Pagesize: when paged results enable, used to set the
|
|
||||||
# pagesize to a custom value
|
|
||||||
#pagesize 1000
|
|
||||||
|
|
||||||
# Filter to AND with uid=%s
|
|
||||||
#pam_filter objectclass=account
|
|
||||||
|
|
||||||
# The user ID attribute (defaults to uid)
|
|
||||||
#pam_login_attribute uid
|
|
||||||
|
|
||||||
# Search the root DSE for the password policy (works
|
|
||||||
# with Netscape Directory Server)
|
|
||||||
#pam_lookup_policy yes
|
|
||||||
|
|
||||||
# Check the 'host' attribute for access control
|
|
||||||
# Default is no; if set to yes, and user has no
|
|
||||||
# value for the host attribute, and pam_ldap is
|
|
||||||
# configured for account management (authorization)
|
|
||||||
# then the user will not be allowed to login.
|
|
||||||
#pam_check_host_attr yes
|
|
||||||
|
|
||||||
# Check the 'authorizedService' attribute for access
|
|
||||||
# control
|
|
||||||
# Default is no; if set to yes, and the user has no
|
|
||||||
# value for the authorizedService attribute, and
|
|
||||||
# pam_ldap is configured for account management
|
|
||||||
# (authorization) then the user will not be allowed
|
|
||||||
# to login.
|
|
||||||
#pam_check_service_attr yes
|
|
||||||
|
|
||||||
# Group to enforce membership of
|
|
||||||
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
|
|
||||||
|
|
||||||
# Group member attribute
|
|
||||||
#pam_member_attribute uniquemember
|
|
||||||
|
|
||||||
# Specify a minium or maximum UID number allowed
|
|
||||||
#pam_min_uid 0
|
|
||||||
#pam_max_uid 0
|
|
||||||
|
|
||||||
# Template login attribute, default template user
|
|
||||||
# (can be overriden by value of former attribute
|
|
||||||
# in user's entry)
|
|
||||||
#pam_login_attribute userPrincipalName
|
|
||||||
#pam_template_login_attribute uid
|
|
||||||
#pam_template_login nobody
|
|
||||||
|
|
||||||
# HEADS UP: the pam_crypt, pam_nds_passwd,
|
|
||||||
# and pam_ad_passwd options are no
|
|
||||||
# longer supported.
|
|
||||||
#
|
|
||||||
# Do not hash the password at all; presume
|
|
||||||
# the directory server will do it, if
|
|
||||||
# necessary. This is the default.
|
|
||||||
#pam_password clear
|
|
||||||
|
|
||||||
# Hash password locally; required for University of
|
|
||||||
# Michigan LDAP server, and works with Netscape
|
|
||||||
# Directory Server if you're using the UNIX-Crypt
|
|
||||||
# hash mechanism and not using the NT Synchronization
|
|
||||||
# service.
|
|
||||||
#pam_password crypt
|
|
||||||
|
|
||||||
# Remove old password first, then update in
|
|
||||||
# cleartext. Necessary for use with Novell
|
|
||||||
# Directory Services (NDS)
|
|
||||||
#pam_password nds
|
|
||||||
|
|
||||||
# RACF is an alias for the above. For use with
|
|
||||||
# IBM RACF
|
|
||||||
#pam_password racf
|
|
||||||
|
|
||||||
# Update Active Directory password, by
|
|
||||||
# creating Unicode password and updating
|
|
||||||
# unicodePwd attribute.
|
|
||||||
#pam_password ad
|
|
||||||
|
|
||||||
# Use the OpenLDAP password change
|
|
||||||
# extended operation to update the password.
|
|
||||||
#pam_password exop
|
|
||||||
|
|
||||||
# Redirect users to a URL or somesuch on password
|
|
||||||
# changes.
|
|
||||||
#pam_password_prohibit_message Please visit http://internal to change your password.
|
|
||||||
|
|
||||||
# Use backlinks for answering initgroups()
|
|
||||||
#nss_initgroups backlink
|
|
||||||
|
|
||||||
# Enable support for RFC2307bis (distinguished names in group
|
|
||||||
# members)
|
|
||||||
#nss_schema rfc2307bis
|
|
||||||
|
|
||||||
# RFC2307bis naming contexts
|
|
||||||
# Syntax:
|
|
||||||
# nss_base_XXX base?scope?filter
|
|
||||||
# where scope is {base,one,sub}
|
|
||||||
# and filter is a filter to be &'d with the
|
|
||||||
# default filter.
|
|
||||||
# You can omit the suffix eg:
|
|
||||||
# nss_base_passwd ou=People,
|
|
||||||
# to append the default base DN but this
|
|
||||||
# may incur a small performance impact.
|
|
||||||
#nss_base_passwd ou=People,dc=padl,dc=com?one
|
|
||||||
#nss_base_shadow ou=People,dc=padl,dc=com?one
|
|
||||||
#nss_base_group ou=Group,dc=padl,dc=com?one
|
|
||||||
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
|
|
||||||
#nss_base_services ou=Services,dc=padl,dc=com?one
|
|
||||||
#nss_base_networks ou=Networks,dc=padl,dc=com?one
|
|
||||||
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
|
|
||||||
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
|
|
||||||
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
|
|
||||||
#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
|
|
||||||
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
|
|
||||||
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
|
|
||||||
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
|
|
||||||
|
|
||||||
# attribute/objectclass mapping
|
|
||||||
# Syntax:
|
|
||||||
#nss_map_attribute rfc2307attribute mapped_attribute
|
|
||||||
#nss_map_objectclass rfc2307objectclass mapped_objectclass
|
|
||||||
|
|
||||||
# configure --enable-nds is no longer supported.
|
|
||||||
# NDS mappings
|
|
||||||
#nss_map_attribute uniqueMember member
|
|
||||||
|
|
||||||
# Services for UNIX 3.5 mappings
|
|
||||||
#nss_map_objectclass posixAccount User
|
|
||||||
#nss_map_objectclass shadowAccount User
|
|
||||||
#nss_map_attribute uid msSFU30Name
|
|
||||||
#nss_map_attribute uniqueMember msSFU30PosixMember
|
|
||||||
#nss_map_attribute userPassword msSFU30Password
|
|
||||||
#nss_map_attribute homeDirectory msSFU30HomeDirectory
|
|
||||||
#nss_map_attribute homeDirectory msSFUHomeDirectory
|
|
||||||
#nss_map_objectclass posixGroup Group
|
|
||||||
#pam_login_attribute msSFU30Name
|
|
||||||
#pam_filter objectclass=User
|
|
||||||
#pam_password ad
|
|
||||||
|
|
||||||
# configure --enable-mssfu-schema is no longer supported.
|
|
||||||
# Services for UNIX 2.0 mappings
|
|
||||||
#nss_map_objectclass posixAccount User
|
|
||||||
#nss_map_objectclass shadowAccount user
|
|
||||||
#nss_map_attribute uid msSFUName
|
|
||||||
#nss_map_attribute uniqueMember posixMember
|
|
||||||
#nss_map_attribute userPassword msSFUPassword
|
|
||||||
#nss_map_attribute homeDirectory msSFUHomeDirectory
|
|
||||||
#nss_map_attribute shadowLastChange pwdLastSet
|
|
||||||
#nss_map_objectclass posixGroup Group
|
|
||||||
#nss_map_attribute cn msSFUName
|
|
||||||
#pam_login_attribute msSFUName
|
|
||||||
#pam_filter objectclass=User
|
|
||||||
#pam_password ad
|
|
||||||
|
|
||||||
# RFC 2307 (AD) mappings
|
|
||||||
#nss_map_objectclass posixAccount user
|
|
||||||
#nss_map_objectclass shadowAccount user
|
|
||||||
#nss_map_attribute uid sAMAccountName
|
|
||||||
#nss_map_attribute homeDirectory unixHomeDirectory
|
|
||||||
#nss_map_attribute shadowLastChange pwdLastSet
|
|
||||||
#nss_map_objectclass posixGroup group
|
|
||||||
#nss_map_attribute uniqueMember member
|
|
||||||
#pam_login_attribute sAMAccountName
|
|
||||||
#pam_filter objectclass=User
|
|
||||||
#pam_password ad
|
|
||||||
|
|
||||||
# configure --enable-authpassword is no longer supported
|
|
||||||
# AuthPassword mappings
|
|
||||||
#nss_map_attribute userPassword authPassword
|
|
||||||
|
|
||||||
# AIX SecureWay mappings
|
|
||||||
#nss_map_objectclass posixAccount aixAccount
|
|
||||||
#nss_base_passwd ou=aixaccount,?one
|
|
||||||
#nss_map_attribute uid userName
|
|
||||||
#nss_map_attribute gidNumber gid
|
|
||||||
#nss_map_attribute uidNumber uid
|
|
||||||
#nss_map_attribute userPassword passwordChar
|
|
||||||
#nss_map_objectclass posixGroup aixAccessGroup
|
|
||||||
#nss_base_group ou=aixgroup,?one
|
|
||||||
#nss_map_attribute cn groupName
|
|
||||||
#nss_map_attribute uniqueMember member
|
|
||||||
#pam_login_attribute userName
|
|
||||||
#pam_filter objectclass=aixAccount
|
|
||||||
#pam_password clear
|
|
||||||
|
|
||||||
# For pre-RFC2307bis automount schema
|
|
||||||
#nss_map_objectclass automountMap nisMap
|
|
||||||
#nss_map_attribute automountMapName nisMapName
|
|
||||||
#nss_map_objectclass automount nisObject
|
|
||||||
#nss_map_attribute automountKey cn
|
|
||||||
#nss_map_attribute automountInformation nisMapEntry
|
|
||||||
|
|
||||||
# Netscape SDK LDAPS
|
|
||||||
#ssl on
|
|
||||||
|
|
||||||
# Netscape SDK SSL options
|
|
||||||
#sslpath /etc/ssl/certs
|
|
||||||
|
|
||||||
# OpenLDAP SSL mechanism
|
|
||||||
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
|
|
||||||
#ssl start_tls
|
|
||||||
#ssl on
|
|
||||||
|
|
||||||
# OpenLDAP SSL options
|
|
||||||
# Require and verify server certificate (yes/no)
|
|
||||||
# Default is to use libldap's default behavior, which can be configured in
|
|
||||||
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
|
|
||||||
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
|
|
||||||
#tls_checkpeer yes
|
|
||||||
|
|
||||||
# CA certificates for server certificate verification
|
|
||||||
# At least one of these are required if tls_checkpeer is "yes"
|
|
||||||
#tls_cacertfile /etc/ssl/ca.cert
|
|
||||||
#tls_cacertdir /etc/ssl/certs
|
|
||||||
|
|
||||||
# Seed the PRNG if /dev/urandom is not provided
|
|
||||||
#tls_randfile /var/run/egd-pool
|
|
||||||
|
|
||||||
# SSL cipher suite
|
|
||||||
# See man ciphers for syntax
|
|
||||||
#tls_ciphers TLSv1
|
|
||||||
|
|
||||||
# Client certificate and key
|
|
||||||
# Use these, if your server requires client authentication.
|
|
||||||
#tls_cert
|
|
||||||
#tls_key
|
|
||||||
|
|
||||||
# Disable SASL security layers. This is needed for AD.
|
|
||||||
#sasl_secprops maxssf=0
|
|
||||||
|
|
||||||
# Override the default Kerberos ticket cache location.
|
|
||||||
#krb5_ccname FILE:/etc/.ldapcache
|
|
||||||
|
|
32
bookworm_php8/nslcd.conf
Normal file
32
bookworm_php8/nslcd.conf
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
# /etc/nslcd.conf
|
||||||
|
# nslcd configuration file. See nslcd.conf(5)
|
||||||
|
# for details.
|
||||||
|
|
||||||
|
# The user and group nslcd should run as.
|
||||||
|
uid nslcd
|
||||||
|
gid nslcd
|
||||||
|
|
||||||
|
# The location at which the LDAP server(s) should be reachable.
|
||||||
|
uri ldap://10.0.0.11/
|
||||||
|
|
||||||
|
# The search base that will be used for all queries.
|
||||||
|
base dc=gnuviech,dc=internal
|
||||||
|
|
||||||
|
# The LDAP protocol version to use.
|
||||||
|
#ldap_version 3
|
||||||
|
|
||||||
|
# The DN to bind with for normal lookups.
|
||||||
|
#binddn cn=annonymous,dc=example,dc=net
|
||||||
|
#bindpw secret
|
||||||
|
|
||||||
|
# The DN used for password modifications by root.
|
||||||
|
#rootpwmoddn cn=admin,dc=example,dc=com
|
||||||
|
|
||||||
|
# SSL options
|
||||||
|
#ssl off
|
||||||
|
#tls_reqcert never
|
||||||
|
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
|
||||||
|
|
||||||
|
# The search scope.
|
||||||
|
#scope sub
|
||||||
|
|
|
@ -4,9 +4,10 @@
|
||||||
# If you have the `glibc-doc-reference' and `info' packages installed, try:
|
# If you have the `glibc-doc-reference' and `info' packages installed, try:
|
||||||
# `info libc "Name Service Switch"' for information about this file.
|
# `info libc "Name Service Switch"' for information about this file.
|
||||||
|
|
||||||
passwd: compat ldap
|
passwd: files ldap
|
||||||
group: compat ldap
|
group: files ldap
|
||||||
shadow: compat
|
shadow: files ldap
|
||||||
|
gshadow: files
|
||||||
|
|
||||||
hosts: files dns
|
hosts: files dns
|
||||||
networks: files
|
networks: files
|
||||||
|
|
|
@ -6,6 +6,7 @@ sed "s/@user@/${FPM_USER}/g; s/@variant@/${FPM_VARIANT}/g" \
|
||||||
< /usr/local/etc/fpm-pool.conf.tmpl \
|
< /usr/local/etc/fpm-pool.conf.tmpl \
|
||||||
> "/etc/php/8.2/fpm/pool.d/${FPM_USER}.conf"
|
> "/etc/php/8.2/fpm/pool.d/${FPM_USER}.conf"
|
||||||
|
|
||||||
|
/etc/init.d/nslcd start
|
||||||
/etc/init.d/nullmailer start
|
/etc/init.d/nullmailer start
|
||||||
mkdir -p /run/php
|
mkdir -p /run/php
|
||||||
/usr/sbin/php-fpm8.2 --nodaemonize
|
/usr/sbin/php-fpm8.2 --nodaemonize
|
||||||
|
|
Loading…
Reference in a new issue