1. Assignment: Install a Debian ssh server on VirtualBox and access it

Configure apt to use the apt-cacher on port 3128:

sed -i 's#http://#' /etc/apt/sources.list 

install emacs

sudo aptitude install emacs

Install and configure the openssh server and make it work

eval `ssh-agent`
exec ssh-agent bash (if ssh-add is not working)

add sam_sshkey.pub to .ssh/authorized_keys

add to /etc/ssh/sshd_config:

AllowUsers xxx

and change in the same file:

PasswordAuthentication no
PermitRootLogin no

If ssh doesn't work check the group and owner of .ssh/authorized_keys

install bash completion

aptitude install bash-completion

Add the following to ~/.bashrc or ~/.bash_profile:

if [ -f /etc/bash_completion ]; then . /etc/bash_completion; fi

Document the work done

Well, that's kind of done but the editing interface of the wiki is not yet clear to me. A few shortcuts:

{code 'Enter'
'ctrl' AND '1' XOR '2' XOR '3'
'shift' AND 'ctrl' AND 'b'
'ctrl' AND 'b'
'ctrl' AND 'u'
'ctrl' AND 'i' 
'ctrl' AND 's'


Problems encountered after installation of debian

On start and halt:

exim paniclog /var/log/exim4/paniclog has non-zero size, mail system possibly broken

SOLUTION: remove the panic log:

rm /var/log/exim4/paniclog

The network needs to be started manually:

dhclient eth0

PROBLEM: when 'auto eth0' is added to /etc/network/interfaces, NFS gets stuck on boot.

SOLUTION: there was no 'auto lo' in /etc/network/interfaces. Adding that plus 'auto eth0' makes it work.

2. Assignment: Install a graphic interface on a Debian installation

Install Debian with nothing more than the minimum (except on a laptop)

Install XOrg

apt-get install xorg

Install Gnome

apt-get install gnome-core

to test the installation:


change the resolution

CTRL + ALT + '+'  and CTRL + ALT + '-' 

Show the available resolutions and change it:

xrandr -q
xrandr -s resolution


Install a display manager

apt-get install gdm

to start it



Install proprietary graphic card drivers:

The driver's kernel interface has to be compiled, so you need the kernel headers.

Check the kernel version

uname -r

Install the kernel headers and link them to the linux directory

apt-get install linux-headers-...
rm /usr/src/linux
ln -s /usr/src/linux-headers-... /usr/src/linux

Install the compilers

apt-get install gcc g++


For the nvidia cards

Download the latest drivers from the nvidia website.

Stop gdm (might need a kill)

/etc/init.d/gdm stop

Install the driver

sh NVIDIA...

Don't download the kernel interface. Ask for a compilation of a new interface. Start xconfig and restart gdm

/etc/init.d/gdm restart 

To remove the logo in xorg.conf

Option "NoLogo" "1"

3. Assignment: Install Amanda & use it


create the directory structure for the folders to keep the backup

mkdir /mnt/backup
#mount $DISK /mnt/backup/
mkdir /mnt/backup/vtapes /mnt/backup/holding /mnt/backup/holding/sam
chown backup.disk -R /mnt/backup/* 

create the config in /etc/amanda

mkdir /etc/amanda/sam-daily
touch /etc/amanda/sam-daily/amanda.conf
touch /etc/amanda/sam-daily/disklist
chown -R backup.backup /etc/amanda/sam-daily

Contents of /etc/amanda/sam-daily/amanda.conf:

org "sam"
mailto "root"
dumpcycle 7
runspercycle 5
tapecycle 30
dumpuser "backup"
tpchanger "chg-disk:/mnt/backup/vtapes/sam" # a virtual tape changer
#tapedev "/dev/nst0a" # the tapechanger
#tapedev "file:/mnt/backup/vtapes/offering"
changerfile "/var/lib/amanda/sam/changerfile"
labelstr "SAM.*"
label_new_tapes "SAM-%%"
logdir "/var/lib/amanda/sam"
infofile "/var/lib/amanda/sam/curinfo"
indexdir "/var/lib/amanda/sam/index"
tapelist "/var/lib/amanda/sam/tapelist"
runtapes 5
#usetimestamps YES
dtimeout 3600 #seconds per client per dump
holdingdisk hd1 {
 directory "/mnt/backup/holding/sam"
}
define dumptype comp-tar {
 program "GNUTAR"
 index yes
# record no # Important! avoid interfering with production runs
 auth "bsdtcp"
}
define dumptype user-tar-span {
 tape_splitsize 445 MB
 auth "bsd"
 #holdingdisk no
 #split_diskbuffer "/mnt/holding/diskbuffer"
 #fallback_splitsize 100M
 comment "tape-spanning user partitions dumped with tar"
 #exclude list "/etc/amanda/sam-daily/exclude-list"
}
define dumptype user-tar-span-home {
 comment "excluding all the unwanted things from /home"
# exclude list "/etc/amanda/sam-daily/exclude-list"
}
define tapetype DVD_SIZED_DISK {
 filemark 4 KB
 length 4482 MB
}
echo debian-server-test-sam.bluelight.av backup amdump >> /var/backups/.amandahosts

Contents of /etc/amanda/sam-daily/disklist:

debian-server-test-sam.bluelight.av /etc user-tar-span
debian-server-test-sam.bluelight.av /var user-tar-span
debian-server-test-sam.bluelight.av /root user-tar-span
#debian-server-test-sam.bluelight.av /home/./all /home/ {
#exclude append "./media_no_backup"

as the backup user create all the virtual tapes and label them

su backup -c "mkdir /mnt/backup/vtapes/sam"
for i in `seq 30`; do su backup -c "mkdir /mnt/backup/vtapes/sam/slot$i"; done
cd /mnt/backup/vtapes/sam && ln -s slot1 data

create the tapelist

su backup -c "mkdir /var/lib/amanda/sam"
su backup -c "touch /var/lib/amanda/sam/tapelist"

label the tapes

for i in `seq 30`; do su backup -c "/usr/sbin/amlabel sam-daily SAM-$i slot $i"; done

Create /root/scripts/amanda-backup (after creating the folder) with:

#!/bin/sh
#mount ${DISK} /mnt/backup
su backup -c "/usr/sbin/amdump sam-daily"
#sleep 5
#umount /mnt/backup
exit 0

and make it executable:

chmod +x /root/scripts/amanda-backup

Recover (example for /etc)

In order to be able to run a recovery add the following line to /etc/amandahosts

localhost root amindexd amidxtaped

Go to the /etc folder

amrecover sam-daily
sethost  debian-server-test-sam.bluelight.av
setdisk /etc
cd (folder name - ls works too)
add (name of the folder to recover or * for everything)    


If the backup is restored from an external drive:

Problems encountered

...amanda.conf ...Line 54: end of line expected

SOLUTION: Press 'ENTER' at the end of the file and save.


4. Assignment: Weekly backup for server cupcake

First phase: Test on VirtualBox

Clone the amanda disk already created.

Do it by exporting the appliance and then importing it, preferably with a new name.

PROBLEM: the virtual disks use the same lan card and the same MAC address.

SOLUTION: change the MAC address in VirtualBox and change it in the OS:

emacs /etc/udev/rules.d/70-persistent-net.rules

Keep the interface with the new MAC address and make sure it is named eth0. Restart the OS.

Create the virtual drive partitions and mount them on the server

Create 1 drive in VirtualBox and create 2 partitions:

fdisk -l
cfdisk /dev/sdb

format the partitions and mount them:

mkfs.ext3 /dev/sdb1
mkfs.ext3 /dev/sdb2
mkdir /media/backup-data
mkdir /media/backup-data2
mount -t ext3 /dev/sdb1 /media/backup-data
mount -t ext3 /dev/sdb2 /media/backup-data2

Create a daily backup of the second virtual OS

Second phase: Configure CUPCAKE 

Explanation of runspercycle and the other cycle parameters in amanda.conf

Parameter       Meaning
dumpcycle       The number of days within which you will have a full backup (ex: every 4 weeks = 28)
runspercycle    How many backup runs per dumpcycle (ex: every week = 4)
runtapes        How many tapes to use per run (ex: biggest disklist + a bit / tapetype size = 12)
tapecycle       How many tapes are available. The number decreases at every run. runtapes * runspercycle + a bit (ex: 50)
tapetype        Defines the size of a tape (ex: DVD size: 4,5G)
2      DLE_110G
3      DLE_245G
4      DLE_31G
7 run12     
14 run12     
21 run12     
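An added consistency check for the cycle parameters in the table (not part of the original page): it reads them from an amanda.conf and applies the table's rule that tapecycle must be runtapes * runspercycle plus a bit, and that one run must have enough tapes for the biggest DLE. It assumes "name value" lines and a tapetype length in MB; the embedded sample conf is constructed from the bluelight-weekly values on this page.

```shell
#!/bin/sh
# Consistency check for the amanda.conf cycle parameters described in the table
# above. Assumes "name value" lines and a tapetype length given in MB.

# amanda_param CONF NAME: first value of NAME in CONF (comment lines have "#" as $1)
amanda_param() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# min_runtapes DLE_MB TAPE_MB: tapes one run needs for a DLE of DLE_MB (rounded up)
min_runtapes() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# amanda_cycle_check CONF BIGGEST_DLE_MB: print findings; 1 = problem, 2 = unreadable
amanda_cycle_check() {
    conf=$1; dle_mb=$2; rc=0
    dumpcycle=$(amanda_param "$conf" dumpcycle)
    runspercycle=$(amanda_param "$conf" runspercycle)
    runtapes=$(amanda_param "$conf" runtapes)
    tapecycle=$(amanda_param "$conf" tapecycle)
    tape_mb=$(amanda_param "$conf" length)   # from the tapetype block
    for v in "$dumpcycle" "$runspercycle" "$runtapes" "$tapecycle" "$tape_mb"; do
        [ -n "$v" ] || { echo "$conf: a cycle parameter is missing"; return 2; }
    done
    echo "full backup every $dumpcycle days in $runspercycle runs, $runtapes tapes of $tape_mb MB per run, $tapecycle tapes in rotation"
    # The table's rule: tapecycle = runtapes * runspercycle + a bit. Equal is not
    # enough; Amanda's amcheck warns when tapecycle <= runspercycle * runtapes.
    needed=$((runtapes * runspercycle))
    if [ "$tapecycle" -le "$needed" ]; then
        echo "tapecycle $tapecycle <= runtapes * runspercycle ($needed): the cycle will run out of tapes"
        rc=1
    fi
    want=$(min_runtapes "$dle_mb" "$tape_mb")
    if [ "$want" -gt "$runtapes" ]; then
        echo "biggest DLE ($dle_mb MB) needs $want tapes per run, runtapes is only $runtapes"
        rc=1
    fi
    return $rc
}

# Constructed sample with the values of the bluelight-weekly config on this page.
SAMPLE_CONF='dumpcycle 28
runspercycle 4
runtapes 15
tapecycle 60
define tapetype DVD_SIZED_DISK {
 filemark 4 KB
 length 4482 MB
}'

# Usage: sh amanda-cycle-check.sh /etc/amanda/bluelight-weekly/amanda.conf 31744
# Without arguments the sample is checked against the page's DLE_31G (31*1024 MB).
if [ $# -ge 2 ]; then amanda_cycle_check "$1" "$2"
else c=$(mktemp); printf '%s\n' "$SAMPLE_CONF" > "$c"; amanda_cycle_check "$c" 31744; rm -f "$c"; fi
```

With the page's values the check flags tapecycle 60 = 15 * 4, which is exactly the "+ a bit" the table asks for.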

Creating the script adapted to the present situation of the server (12/2011)

#!/bin/sh
## this is to automate the amanda setup
## variables used.
SERVICE=bluelight # assumed: the original script does not set it, but the config below uses bluelight-weekly
FREQ=-weekly # frequency of the backup
MOUNTPOINT1=/media/backup-data # mountpoint for holding
MOUNTPOINT2=/media/backup-data2 # mountpoint for backup
TAPE=`echo ${SERVICE}${FREQ} | tr '[a-z]' '[A-Z]'`
## create the directory structure for the folders to keep the backup
mkdir -p ${MOUNTPOINT1}/amanda/holding/${SERVICE}${FREQ} ${MOUNTPOINT2}/amanda/vtapes
chown backup.disk -R ${MOUNTPOINT2}/amanda/*
chown backup.disk -R ${MOUNTPOINT1}/amanda/*
## create the config in /etc/amanda
mkdir /etc/amanda/${SERVICE}${FREQ}
touch /etc/amanda/${SERVICE}${FREQ}/amanda.conf
touch /etc/amanda/${SERVICE}${FREQ}/disklist
chown -R backup.backup /etc/amanda/${SERVICE}${FREQ}
## The config files
cat << EOF > /etc/amanda/${SERVICE}${FREQ}/amanda.conf
org "Bluelight"
mailto "bluelight@auroville.org.in"
dumpcycle 28
runspercycle 4
runtapes 15
tapecycle 60
dumpuser "backup"
tpchanger "chg-disk" # a virtual tape changer
tapedev "file:/media/backup-data2/amanda/vtapes/bluelight-weekly"
changerfile "/var/lib/amanda/bluelight-weekly/changerfile"
labelstr "BLUELIGHT-WEEKLY-.*"
#label_new_tapes "BLUELIGHT-WEEKLY-%%"
logdir "/var/lib/amanda/bluelight-weekly"
infofile "/var/lib/amanda/bluelight-weekly/curinfo"
indexdir "/var/lib/amanda/bluelight-weekly/index"
tapelist "/var/lib/amanda/bluelight-weekly/tapelist"
holdingdisk hd1 {
 directory "/media/backup-data/amanda/holding/bluelight-weekly"
}
define dumptype comp-tar {
 program "GNUTAR"
 compress fast
 index yes
# record no # Important! avoid interfering with production runs
}
define dumptype user-tar-span {
 tape_splitsize 445 MB
 holdingdisk no
 split_diskbuffer "/media/backup-data/amanda/holding/diskbuffer"
 fallback_splitsize 100M
 comment "tape-spanning user partitions dumped with tar"
 compress none
}
define dumptype user-tar-span-home {
 comment "excluding all the unwanted things from /home"
 exclude list "/etc/exclude-list"
 compress none
}
define tapetype DVD_SIZED_DISK {
 filemark 4 KB
 length 4482 MB
}
EOF

## create the disklist
cat <<EOF > /etc/amanda/${SERVICE}${FREQ}/disklist
rose.bluelight.av /etc user-tar-span
rose.bluelight.av /root user-tar-span
rose.bluelight.av /var user-tar-span
# /home/aufilduweb/data/Entreprises/Auroville/ user-tar-span
# /var/www/./programming /var/www {
# user-tar-span
## auth "bsdtcp"
# include "./meeting"
# include "./act"
# include "./mm_visitor_access"
#} 2
#this section is for everything in /home
rose.bluelight.av /home/./bharathy /home/ {
 include "./bharathy"
} 1
rose.bluelight.av /home/./juergen /home/ {
 include "./juergen"
} 1
rose.bluelight.av /home/./resources /home/ {
 include "./resources"
} 1
rose.bluelight.av /home/./rest /home/ {
 exclude append "./bharathy"
 exclude append "./juergen"
 exclude append "./resources"
 exclude append "./backup"
 exclude append "./backup_services"
 exclude append "./rdiff-backup"
 exclude append "./classes"
 exclude append "./joy"
 exclude append "./sincerity"
 exclude append "./surrender"
 exclude append "./music"
} 1
EOF

## as the backup user create all the virtual tapes and label them
su backup -c "mkdir ${MOUNTPOINT2}/amanda/vtapes/${SERVICE}${FREQ}"
for i in `seq 30`; do su backup -c "mkdir ${MOUNTPOINT2}/amanda/vtapes/${SERVICE}${FREQ}/slot$i"; done
cd ${MOUNTPOINT2}/amanda/vtapes/${SERVICE}${FREQ} && ln -s slot1 data

## create the tapelist
su backup -c "mkdir /var/lib/amanda/${SERVICE}${FREQ}"
su backup -c "touch /var/lib/amanda/${SERVICE}${FREQ}/tapelist"

## label the tapes
for i in `seq 30`; do su backup -c "/usr/sbin/amlabel ${SERVICE}${FREQ} ${TAPE}-$i slot $i"; done
[ -d /root/scripts ] || mkdir /root/scripts

## create the starting script
cat <<EOF > /root/scripts/amanda-${SERVICE}${FREQ}-backup
#!/bin/sh
su backup -c "/usr/sbin/amdump ${SERVICE}${FREQ}"
sleep 20
# if the machine should stay on after the backup create a file in / called no
# ie touch /no
if [ -f /no ]; then
 rm -f /no
 exit 0
fi
exit 0
EOF
chmod +x /root/scripts/amanda-${SERVICE}${FREQ}-backup
exit 0

Create a crontab entry

# m h dom mon dow command
17 12 * * 1-4 /root/scripts/backup-bluelight
17 12 * * 5 /root/scripts/backup-bluelight-weekly

Changed the runspercycle of the daily backup to 4 in amanda.conf

PROBLEM: amrecover cannot reach the server:

amrecover bluelight-weekly
AMRECOVER Version 2.5.2p1. Contacting server on localhost ...
[request failed: timeout waiting for ACK]

SOLUTION: pass the index server and the tape server explicitly:

amrecover bluelight-weekly -s cupcake.bluelight.av -t cupcake.bluelight.av

5. Assignment: Make a weekly off-site backup of the TownHall


Install rdiff-backup on the server and on the workstation:

apt-get install rdiff-backup

and create a backup folder on the server (ex: /backup/servername/)

Login using an ssh key

As root on the workstation create the key; do not enter a passphrase.

ssh-keygen -t rsa

Copy the public key to the server

scp /root/.ssh/id_rsa.pub root@

Append the public key to the .ssh/authorized_keys of the user (in their home folder) you want to log in as

cat id_rsa.pub >> /root/.ssh/authorized_keys

change in /etc/ssh/sshd_config:

PasswordAuthentication no
PermitRootLogin without-password

If ssh doesn't work check the group and owner of .ssh/authorized_keys or check the name of the file...

Create a backup list


- /

Create an ssh alias to access the server


Host backup-server
    User root
    IdentityFile /root/.ssh/id_rsa_backup_raspberry
    Protocol 2

test the backup with:

rdiff-backup --force --include-globbing-filelist /root/rdiff-backups/backup-list-server / backup-server::/backup/raspberry/

Secure the ssh authentication

In /root/.ssh/authorized_keys add the following before 'ssh-rsa....'

command="rdiff-backup --server",from="raspberry.bluelight.av",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty 

so the file's line looks like:

command="rdiff-backup --server",from="raspberry.bluelight.av",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAA[......]3UV/ root@raspberry
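A shell audit for the two checks this page relies on: the group and owner of .ssh/authorized_keys (the advice given twice above) and the restriction options placed in front of the rdiff-backup key. This is an added example, not the page's own script; it assumes GNU stat as on Debian, and the sample key lines are constructed with fake key material.

```shell
#!/bin/sh
# Audit for what this page checks by hand: ownership/mode of .ssh/authorized_keys
# (sshd rejects it under StrictModes otherwise) and the restriction options in
# front of a backup key. Assumes GNU stat as on Debian.

# key_options LINE: print the options before the key type; nothing when the line
# starts with the key type itself (an unrestricted key).
key_options() {
    line=$1
    case $line in ssh-*|ecdsa-*|sk-*) return 0 ;; esac
    # Options end at the first " <keytype> " token (a quoted command containing
    # such a token would cut them short; acceptable for an audit).
    for t in ' ssh-rsa ' ' ssh-ed25519 ' ' ssh-dss ' ' ecdsa-sha2-' ' sk-'; do
        case $line in *"$t"*) printf '%s' "${line%%"$t"*}"; return 0 ;; esac
    done
    printf '%s' "$line"
}

# missing_restrictions LINE: print which of the page's options (command=, from=,
# no-port-forwarding, no-X11-forwarding, no-agent-forwarding, no-pty) LINE lacks;
# empty output means the key is fully restricted.
missing_restrictions() {
    opts=$(key_options "$1")
    case ",$opts," in   # "restrict" (OpenSSH 7.2+) implies every no-* option
        *,restrict,*) opts="$opts,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty" ;;
    esac
    missing=''
    for want in 'command=' 'from=' no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty; do
        case $opts in *"$want"*) ;; *) missing="$missing $want" ;; esac
    done
    printf '%s' "${missing# }"
}

# check_key_file_perms FILE OWNER: FILE and its directory must belong to OWNER and
# must not be group- or world-writable (what sshd's StrictModes enforces).
check_key_file_perms() {
    file=$1; owner=$2; rc=0
    for p in "$(dirname "$file")" "$file"; do
        info=$(stat -c '%U %a' "$p") || return 2
        set -- $info   # $1 = owner name, $2 = octal mode
        if [ "$1" != "$owner" ]; then
            printf '%s: owned by %s, expected %s\n' "$p" "$1" "$owner"; rc=1
        fi
        case $2 in   # write bit set in the group or the other digit
            *[2367]?|*[2367]) printf '%s: mode %s is group/world writable\n' "$p" "$2"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_authorized_keys FILE OWNER: run both checks; non-zero if anything is off.
audit_authorized_keys() {
    file=$1; owner=$2; n=0; bad=0
    check_key_file_perms "$file" "$owner" || bad=1
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        m=$(missing_restrictions "$line")
        [ -z "$m" ] || { printf '%s:%d: key lacks %s\n' "$file" "$n" "$m"; bad=1; }
    done < "$file"
    return $bad
}

# Constructed sample (fake key material): the page's restricted line plus an open key.
SAMPLE_KEYS='command="rdiff-backup --server",from="raspberry.bluelight.av",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3FAKE== root@raspberry
ssh-ed25519 AAAAC3FAKE== admin@example'

# Usage: sh audit-keys.sh /root/.ssh/authorized_keys root   (no args: audit the sample)
if [ $# -ge 2 ]; then audit_authorized_keys "$1" "$2"
else d=$(mktemp -d); printf '%s\n' "$SAMPLE_KEYS" > "$d/authorized_keys"; chmod 600 "$d/authorized_keys"
     audit_authorized_keys "$d/authorized_keys" "$(id -un)"; rm -rf "$d"; fi
```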

Command line to remove old backups

rdiff-backup --remove-older-than 2W backup-server::/backup/raspberry/


6. Configure an LDAP Fat Server/Client




Install and configure LTSP

On the server:

If not done before, configure the sources.list file to use the cache of the server:

sed -i 's#http://#' /etc/apt/sources.list
sed -i 's#http:/#' /etc/apt/sources.list.d/medibuntu.list
apt-get update 

Install ltsp-server-standalone:

sudo apt-get install ltsp-server-standalone

Edit the installation options of ltsp-build-client:

# The chroot architecture. 
# ubuntu-desktop and edubuntu-desktop are tested. 
# If you test with [k|x]ubuntu-desktop, edit this page and mention if it worked OK. 
# kubuntu lucid (10.10) working okay. 
# Space separated list of programs to install. 
# The java plugin installation contained in ubuntu-restricted-extras 
# needs some special care, so let's use it as an example. 
# This is needed to answer "yes" to the Java EULA. 
# We'll create that file in the next step. 
# This uses the server apt cache to speed up downloading. 
# This locks the servers dpkg, so you can't use apt on 
# the server while building the chroot. 

Create and edit the following file for the unattended Java and msttcorefonts installation:

# Do you agree with the DLJ license terms?
sun-java6-bin shared/accepted-sun-dlj-v1-1 boolean true
sun-java6-jre shared/accepted-sun-dlj-v1-1 boolean true
# In order to install this package, you must accept the license terms, the
# "TrueType core fonts for the Web EULA ". Not accepting will cancel the
# installation. Do you accept the EULA license terms?
ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula boolean true

If LTSP is installed on an Oneiric system (otherwise go to the next step):

The fat client plugin blacklists some packages that don't make sense to have in a fat client chroot.

Unfortunately in Oneiric xdiagnose depends on one of those packages, apport, so the fat client plugin needs to be manually edited for ltsp-build-client to complete successfully.  

Open the following file and remove the word "apport" from line 43:



Build the client (even when using the cache of the server some of the files will still be downloaded from the internet; if a solution is found please update this page):

ltsp-build-client --mirror --security-mirror --updates-mirror

If this doesn't work you can always modify the configuration files:

emacs /usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/000-basic-configuration
emacs /usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/010-updates-mirrors

You can use the fat chroot also to run thin clients, not only fat ones. This way you can have a mix of powerful and less powerful clients, which become "fat" or "thin" based on their RAM (consider the fat chroot a "superset" of a thin one, so a thin boot uses only a small but common part of it). The parameter that affects the RAM threshold is:


which defaults to 300 (MB). So if you want your clients to boot as fat ones only if they have more than 800MB, edit lts.conf and put:


Another interesting feature is to have a server's directory available to all the fat clients. For instance, to have the fat clients mount the server's /srv as their own /srv, add this parameter:




Install and configure DHCP

Configure /etc/network/interfaces

auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static

cp /etc/ltsp/dhcpd.conf /etc/ltsp/dhcpd-backup.conf

emacs /etc/ltsp/dhcpd.conf

# Default LTSP dhcpd.conf config file.
subnet netmask {
 option domain-name "LSTPtest.av";
 option domain-name-servers;
 option broadcast-address;
 option routers;
# next-server;
# get-lease-hostnames true;
 option subnet-mask;
 option root-path "/opt/ltsp/i386";
 if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
 filename "/ltsp/i386/pxelinux.0";
 } else {
 filename "/ltsp/i386/nbi.img";
 }
}

sudo /etc/init.d/networking restart

sudo /etc/init.d/isc-dhcp-server restart


If there are problems, kill NetworkManager or even uninstall it, as it interferes with the dhcp config.

killall NetworkManager



Install and configure LDAP


emacs /etc/hosts localhost server.bluelight.av server

emacs /etc/hostname


hostname -f

(reboot if necessary)


apt-get install slapd ldap-utils


cd /etc/ldap/

emacs add_content.ldif

ldapadd -x -D cn=admin,dc=bluelight,dc=av -W -f add_content.ldif

ldapsearch -x -LLL -b dc=bluelight,dc=av 'uid=john' cn gidNumber

Modifying the slapd Configuration Database

emacs uid_index.ldif

dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: uid eq,pres,sub

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f uid_index.ldif

emacs schema_convert.conf

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/ldapns.schema
include /etc/ldap/schema/pmi.schema

mkdir ldif_output

slapcat -f schema_convert.conf -F ldif_output -n 0 | grep corba,cn=schema

(use the output for the next command)

slapcat -f schema_convert.conf -F ldif_output -n0 -H ldap:///cn={2}corba,cn=schema,cn=config -l cn=corba.ldif

emacs cn\=corba.ldif

#remove the {?} index from the following lines

dn: cn=corba,cn=schema,cn=config 
cn: corba

#also delete the following lines

structuralObjectClass: olcSchemaConfig
entryUUID: 52109a02-66ab-1030-8be2-bbf166230478
creatorsName: cn=config
createTimestamp: 20110829165435Z 
entryCSN: 20110829165435.935248Z#000000#000#000000 
modifiersName: cn=config 
modifyTimestamp: 20110829165435Z 

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\=corba.ldif

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn



emacs logging.ldif

dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif

emacs /etc/rsyslog.conf

#add the following lines at the end of the file

# Disable rate limiting (default is 200 messages in 5 seconds; below we make the 5 become 0)
$SystemLogRateLimitInterval 0

service rsyslog restart


emacs provider_sync.ldif

# Add indexes to the frontend db.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
add: olcDbIndex
olcDbIndex: entryUUID eq
#Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
add: olcModuleLoad
olcModuleLoad: accesslog
# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=bluelight,dc=av
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days

emacs /etc/apparmor.d/local/usr.sbin.slapd

#add the following lines to the file

/var/lib/ldap/accesslog/ r,
/var/lib/ldap/accesslog/** rwk,

sudo -u openldap mkdir /var/lib/ldap/accesslog

sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog

sudo service apparmor reload

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif

service slapd restart

LDAP Authentication

apt-get install libnss-ldap

auth-client-config -t nss -p lac_ldap



User and Group Management


apt-get install ldapscripts

emacs /etc/ldapscripts/ldapscripts.conf


sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"

chmod 400 /etc/ldapscripts/ldapscripts.passwd

emacs /usr/share/ldapscripts/runtime.debian


#if the next command doesn't work compare the runtime file with the one from: http://ubuntuforums.org/showthread.php?t=1488232


ldapadduser geo users

Install and configure NFS

apt-get install nfs-kernel-server

emacs /etc/exports

#add the following


emacs /etc/security/group.conf

#add the following at the end of the file


emacs /etc/auth-client-config/profile.d/bl-ldap

nss_group=group: files ldap
nss_passwd=passwd: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: nis
pam_account=account sufficient pam_ldap.so
 account required pam_unix.so
pam_auth=auth sufficient pam_ldap.so
 auth required pam_unix.so nullok_secure use_first_pass
pam_password=password sufficient pam_ldap.so
 password required pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session required pam_unix.so
 session required pam_mkhomedir.so skel=/etc/skel/
 session optional pam_ldap.so
 session optional pam_foreground.so

auth-client-config -S > /etc/auth-client-config/profile.d/original

auth-client-config -p bl-ldap -a

emacs /etc/pam.d/gdm

#add before "@include common-auth"

auth optional pam_group.so


On the client:

Chroot in the client's system




Install and configure LDAP

The following works for clients running 8.04 and 8.10.

Install some software:

aptitude install auth-client-config ldap-auth-client

provide the uri for the ldap server: ldap://
provide the distinguished name: dc=bluelight,dc=av
LDAP version 3
Make local root database: yes
Does the LDAP database require login? no
LDAP account for root: cn=admin,dc=bluelight,dc=av

Save the following as a file in /etc/auth-client-config/profile.d/bl-ldap

nss_group=group: files ldap
nss_passwd=passwd: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: nis
pam_account=account    sufficient   pam_ldap.so
        account    required     pam_unix.so
pam_auth=auth       sufficient   pam_ldap.so
        auth       required     pam_unix.so nullok_secure use_first_pass
pam_password=password   sufficient   pam_ldap.so
        password   required     pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session    required     pam_unix.so
        session    required     pam_mkhomedir.so skel=/etc/skel/
        session    optional     pam_ldap.so
        session    optional     pam_foreground.so

Save the current settings and tell PAM to use LDAP

auth-client-config -S > /etc/auth-client-config/profile.d/original
auth-client-config -p bl-ldap -a

add following to /etc/security/group.conf


add following line to /etc/pam.d/gdm right before @include common-auth

auth	optional	pam_group.so

make sure that the ldap settings are correct, as specified in /etc/ldap.conf

base dc=bluelight,dc=av
uri ldap://
ldap_version 3
rootbinddn cn=admin,dc=bluelight,dc=av
pam_password md5
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcpd,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,nbd,news,polkituser,proxy,pulse,root,saned,sshd,statd,sync,sys,syslog,uucp,www-data

A little reminder: the following grep command strips the comments and blank lines

grep -v -e ^$ -e ^# /etc/ldap.conf 

Make the client ready for NFS

Install the needed packages:

aptitude install nfs-client

Make the fstab ready for mounting the home directory:

	/home	nfs4 _netdev,auto 0 0


For Ubuntu 12.04 LTS

By default, Unity login window won't display LDAP users. In order to enable manual login, add this option in /etc/lightdm/lightdm.conf:
