Wednesday, September 23, 2015

Add LDAP authentication to a Linux client

The LDAP server setup (slapd) is described in the linked post below:
http://theamdara.blogspot.com/2015/09/how-to-setup-ldap-server-with-slapd.html

1- install sssd (System Security Services Daemon) together with its tools and the pam_ldap module
$ sudo apt-get install sssd sssd-tools libpam-ldap

2- configure sssd to authenticate against the LDAP domain ldap.com, whose server has the DNS name ldap.ldap.com. Edit /etc/sssd/sssd.conf to the following content. Note that the plain ldap:// URIs below send user passwords to the server unencrypted; outside a lab, reach the server over ldaps:// or StartTLS (sssd's ldap_id_use_start_tls and ldap_tls_cacert options) so that credentials and directory data are protected in transit. sssd also requires sssd.conf to be owned by root and readable only by root.

[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
cache_credentials = true

id_provider = ldap
auth_provider = ldap

ldap_uri = ldap://ldap.ldap.com
ldap_search_base = dc=ldap,dc=com
chpass_provider = ldap
ldap_chpass_uri = ldap://ldap.ldap.com
entry_cache_timeout = 600
ldap_network_timeout = 2
ldap_group_member = uniquemember


3- add sssd (pam_sss) to the PAM stacks under /etc/pam.d. Each file below is shown in full. The pam_ldap lines come from the libpam-ldap package and need their own libpam-ldap configuration, which this post does not cover; the authentication path that this post configures and tests is the pam_sss one.

- file /etc/pam.d/common-account
account    [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so
account    [success=1 default=ignore]    pam_ldap.so
account    requisite            pam_deny.so
account    required            pam_permit.so
account    sufficient            pam_localuser.so
account    [default=bad success=ok user_unknown=ignore]    pam_sss.so 


- file /etc/pam.d/common-auth
auth    [success=3 default=ignore]    pam_unix.so nullok_secure
auth    [success=2 default=ignore]    pam_sss.so use_first_pass
auth    [success=1 default=ignore]    pam_ldap.so use_first_pass
auth    requisite            pam_deny.so
auth    required            pam_permit.so
auth    optional            pam_cap.so 


- file /etc/pam.d/common-password
password    requisite            pam_pwquality.so retry=3
password    [success=3 default=ignore]    pam_unix.so obscure use_authtok try_first_pass sha512
password    sufficient            pam_sss.so
password    [success=1 user_unknown=ignore default=die]    pam_ldap.so use_authtok try_first_pass
password    requisite            pam_deny.so
password    required            pam_permit.so
password    optional    pam_gnome_keyring.so


- file /etc/pam.d/common-session
session    [default=1]            pam_permit.so
session    requisite            pam_deny.so
session    required            pam_permit.so
session optional            pam_umask.so
session    required    pam_unix.so
session    optional            pam_sss.so
session    optional            pam_ldap.so
session    optional    pam_systemd.so 


- file /etc/pam.d/sudo
auth    sufficient    pam_sss.so
auth       required   pam_env.so readenv=1 user_readenv=0
auth       required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive


- file /etc/pam.d/su
auth    sufficient pam_ldap.so
auth       sufficient pam_rootok.so
session       required   pam_env.so readenv=1
account sufficient    pam_ldap.so
session       required   pam_env.so readenv=1 envfile=/etc/default/locale
session    sufficient    pam_ldap.so
session    optional   pam_mail.so nopen
@include common-auth
@include common-account
@include common-session


- file /etc/nsswitch.conf
passwd: files sss
group: files sss
shadow: files sss
hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup: nis sss
sudoers:        files sss



4- testing: add a user in the LDAP directory (here adam), then check that the client resolves the account through sssd

$ sudo reboot

$ sudo getent passwd adam
adam:*:16859:100:adam:/home/adam:/bin/bash


The * in the password field is expected: the password hash stays on the LDAP server and is never returned to the client. Finally, su to the LDAP user adam to confirm that PAM authentication works.
