Wednesday, September 23, 2015

add ldap authentication to linux client

****** setup ldap server link below *********

1- install sssd (System Security Services Daemon) together with its tools and the pam ldap module
$ sudo apt-get install sssd sssd-tools libpam-ldap

2- configure sssd to authenticate against the ldap server: edit /etc/sssd/sssd.conf to the following content (the file must be owned by root with mode 0600, otherwise sssd refuses to start)

[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
cache_credentials = true

id_provider = ldap
auth_provider = ldap

# a plain ldap:// uri leaves identity lookups unencrypted unless ldap_id_use_start_tls = true;
# prefer ldaps:// (or start_tls) together with ldap_tls_cacert so the server certificate is verified
ldap_uri = ldap://
ldap_search_base = dc=ldap,dc=com
chpass_provider = ldap
ldap_chpass_uri = ldap://
entry_cache_timeout = 600
ldap_network_timeout = 2
ldap_group_member = uniquemember

3- add sssd to pam.d

- file /etc/pam.d/common-account
account    [success=2 new_authtok_reqd=done default=ignore]
account    [success=1 default=ignore]
account    requisite  
account    required  
account    sufficient  
account    [default=bad success=ok user_unknown=ignore] 

- file /etc/pam.d/common-auth
auth    [success=3 default=ignore] nullok_secure
auth    [success=2 default=ignore] use_first_pass
auth    [success=1 default=ignore] use_first_pass
auth    requisite  
auth    required  
auth    optional   

- file /etc/pam.d/common-password
password    requisite   retry=3
password    [success=3 default=ignore] obscure use_authtok try_first_pass sha512
password    sufficient  
password    [success=1 user_unknown=ignore default=die] use_authtok try_first_pass
password    requisite  
password    required  
password    optional

- file /etc/pam.d/common-session
session    [default=1]  
session    requisite  
session    required  
session optional  
session    required
session    optional  
session    optional  
session    optional 

- file /etc/pam.d/sudo
auth    sufficient
auth       required readenv=1 user_readenv=0
auth       required readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive

- file /etc/pam.d/su
auth    sufficient
auth       sufficient
session       required readenv=1
account sufficient
session       required readenv=1 envfile=/etc/default/locale
session    sufficient
session    optional nopen
@include common-auth
@include common-account
@include common-session

- file /etc/nsswitch.conf
passwd: files sss
group: files sss
shadow: files sss
hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup: nis sss
sudoers:        files sss

4- testing: with a user (here adam) defined in the ldap directory, reboot the client (or just restart the service with "sudo service sssd restart") and check that its passwd entry is now served from ldap through sssd

$ sudo reboot

$ sudo getent passwd adam

then switch to the ldap user to confirm that pam accepts the ldap password:

$ su - adam
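Before the reboot in step 4 it is worth checking the client configuration for the two mistakes that bite most often: a sssd.conf that is not mode 0600 (sssd will not start) and a plain ldap:// uri with no TLS settings. The following POSIX shell script is an added example, not part of the original post; it audits an sssd.conf and nsswitch.conf pair and reports each finding. The sample file contents, the host ldap.example.com and the CA path /etc/ssl/certs/ca-certificates.crt are constructed values, and the function names (sssd_get, sssd_audit and so on) are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sssd.conf and an
# nsswitch.conf before rebooting. The files read here are constructed samples
# in a temp dir; on a real client run
#   sssd_audit /etc/sssd/sssd.conf /etc/nsswitch.conf
# (it only reads the files; root is needed just to open sssd.conf).

# Print the value of KEY in FILE (first match, leading whitespace dropped).
sssd_get() {  # FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}
# Succeed if FILE has a [SECTION] header; sssd does not read keys outside a section.
sssd_has_section() {  # FILE SECTION
    grep -q "^\[$2\]" "$1"
}
# Classify how identity lookups reach the server: ldaps, starttls or cleartext.
# sssd refuses to send passwords without TLS, but id lookups over plain ldap://
# stay unencrypted unless ldap_id_use_start_tls = true is set.
sssd_transport() {  # FILE
    case "$(sssd_get "$1" ldap_uri)" in
        ldaps://*) echo ldaps ;;
        *) if [ "$(sssd_get "$1" ldap_id_use_start_tls)" = true ]; then
               echo starttls
           else
               echo cleartext
           fi ;;
    esac
}
# Succeed if FILE is mode 0600; sssd will not start on a config other users can read.
sssd_perms_ok() {  # FILE
    [ -n "$(find "$1" -perm 600)" ]
}
# Succeed if DATABASE (passwd, group, shadow) in nsswitch FILE lists the sss source.
nss_uses_sss() {  # FILE DATABASE
    grep -E "^$2:.*[[:space:]]sss([[:space:]]|$)" "$1" >/dev/null
}
# Print one line per finding; return 0 only when nothing was flagged.
sssd_audit() {  # SSSD_CONF NSSWITCH_CONF
    rc=0
    for s in sssd "domain/$(sssd_get "$1" domains)"; do
        sssd_has_section "$1" "$s" || { echo "WARN: missing [$s] section in $1"; rc=1; }
    done
    t=$(sssd_transport "$1")
    if [ "$t" = cleartext ]; then
        echo "WARN: ldap_uri is plain ldap:// and ldap_id_use_start_tls is not set"; rc=1
    elif [ -z "$(sssd_get "$1" ldap_tls_cacert)" ]; then
        echo "WARN: no ldap_tls_cacert, so the server certificate is not checked against a CA"; rc=1
    fi
    sssd_perms_ok "$1" || { echo "WARN: $1 must be mode 0600 (chmod 600)"; rc=1; }
    for db in passwd group shadow; do
        nss_uses_sss "$2" "$db" || { echo "WARN: $db in $2 does not list sss"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: $1 passes all checks"
    return "$rc"
}

# Constructed sample input (hostnames and paths are placeholders).
tmp=$(mktemp -d)
# Shape of the post's config as extracted: no section headers, plain ldap://.
cat > "$tmp/sssd-page.conf" <<'EOF'
config_file_version = 2
services = nss, pam
domains = LDAP
cache_credentials = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=ldap,dc=com
EOF
chmod 644 "$tmp/sssd-page.conf"
# Hardened variant: sections present, ldaps:// with a CA file, mode 0600.
cat > "$tmp/sssd-hardened.conf" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_search_base = dc=ldap,dc=com
EOF
chmod 600 "$tmp/sssd-hardened.conf"
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd: files sss
group:  files sss
shadow: files sss
EOF

sssd_audit "$tmp/sssd-page.conf" "$tmp/nsswitch.conf" || true   # several WARN lines
sssd_audit "$tmp/sssd-hardened.conf" "$tmp/nsswitch.conf"       # OK
```

The audit only reads files, so it is safe to run repeatedly while editing; fix every WARN line before the reboot, and re-run after pam-auth-update or any change to nsswitch.conf.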
