====== Mise en place de l'authentification unix/sshd via OpenLDAP ======
===== misc docs =====
http://www.zytrax.com/books/ldap/
http://julp.developpez.com/freebsd/replicat-ldap/
http://articles.mongueurs.net/magazines/linuxmag65.html
http://www.cru.fr/documentation/ldap/index
http://www.bortzmeyer.org/comptes-unix-ldap.html
===== openldap =====
==== slapd.conf ====
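# Schemas: nis.schema supplies posixAccount/posixGroup/shadowAccount used by the LDIF files.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
moduleload back_bdb
database bdb
suffix "dc=geeknode,dc=org"
# The rootdn is not subject to the ACLs below; reserve it for administration.
rootdn "cn=manager,dc=geeknode,dc=org"
# Placeholder; generate the real value with: slappasswd -h '{SSHA}'
rootpw {SSHA}xxxxxxx
directory /var/db/openldap-data
index objectClass eq
index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
# Access control. slapd applies the first "access to" clause whose target matches and,
# inside it, the first matching "by" clause, so the order of both is significant.
# The "by" lines are continuation lines and must start with whitespace (the wiki
# rendering had dropped it).
# userPassword: manager writes, proxyuser reads the hashes, users may change their own,
# anonymous clients may only bind against it, everyone else sees nothing.
# ("attrs=" is the current spelling, used on the other clauses; "attr=" is the old synonym.)
access to attrs=userPassword
    by dn="cn=manager,dc=geeknode,dc=org" write
    by dn="cn=proxyuser,dc=geeknode,dc=org" read
    by self write
    by anonymous auth
    by * none
# uidNumber/gidNumber: readable by everyone (nss_ldap lookups from non-root processes
# are anonymous), but users cannot change their own numeric ids.
access to attrs=uidNumber,gidNumber
    by dn="cn=manager,dc=geeknode,dc=org" write
    by dn="cn=proxyuser,dc=geeknode,dc=org" read
    by * read
# Everything else: users may edit their own entry, anybody may read the rest of the tree
# (needed by the NSS lookups; review what the tree exposes before opening slapd beyond
# localhost).
access to *
    by dn="cn=manager,dc=geeknode,dc=org" write
    by self write
    by * read
# jabberd has trouble with LDAPv3 ...
# allow bind_v2
# Logging. 255 turns on the debug categories 1..128 (trace, packets, args, conns, BER,
# filter, config, ACL); the packet/BER dumps can contain the contents of simple binds,
# i.e. cleartext passwords. Prefer "loglevel stats" (256) once the setup works.
loglevel 255
logfile /var/log/openldap/geekldap.log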
==== ldap.conf ====
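# Search base of the directory. It must be the slapd "suffix" (dc=geeknode,dc=org);
# the former value o=geeknode,dc=org named an entry that does not exist in the tree,
# so every lookup relative to BASE failed.
BASE dc=geeknode,dc=org
# URI used to reach the server (plain ldap://, acceptable only because it is loopback)
URI ldap://localhost/
ldap_version 3
# Authentication: DN nss_ldap/pam_ldap bind with when running as root. Its password is
# read from the ldap.secret file (same directory as this file on the PADL ports; verify
# the path), which must be root-owned and mode 0600. Non-root processes query
# anonymously, hence the anonymous read access in slapd.conf.
rootbinddn cn=proxyuser,dc=geeknode,dc=org
# For NSS & PAM
# With "MD5", pam_ldap hashes new passwords itself as unsalted {MD5}. "pam_password exop"
# hands the change to slapd (Password Modify extended operation), which then applies its
# own, salted, default scheme; confirm server support before switching.
pam_password MD5
nss_base_passwd ou=Utilisateurs,dc=geeknode,dc=org
nss_base_shadow ou=Utilisateurs,dc=geeknode,dc=org
nss_base_group ou=Groupes,dc=geeknode,dc=org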
===== partie pam =====
==== pam.d/sshd ====
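# auth: OPIE one-time passwords first, then pam_ldap marked "sufficient" (success ends
# the stack), then local pam_unix as the fallback; try_first_pass reuses the password
# pam_ldap already collected.
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn
auth required pam_unix.so no_warn try_first_pass
# account (pam_login_access.so was listed twice; the redundant line is removed).
# NOTE(review): unlike pam.d/system there is no pam_ldap account line here, so LDAP
# users only get pam_unix's checks through NSS — confirm that is intended.
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password: only pam_unix handles expired-password changes over sshd; LDAP users are
# not covered by this stack (see pam.d/system and pam.d/passwd).
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass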
==== pam.d/system ====
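# auth: OPIE first; then pam_ldap as "sufficient" BEFORE the "required" pam_unix, as in
# pam.d/sshd. In the previous order pam_unix (required) ran first: an LDAP-only user has
# no local password entry, so pam_unix failed, and a later "sufficient" success can never
# undo a required failure — LDAP users could not log in through this stack.
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn
# nullok lets local accounts with an empty password authenticate (pam.d/sshd does not
# allow this); keep only if console logins really need it.
auth required pam_unix.so no_warn try_first_pass nullok
# account
# NOTE(review): a "sufficient" placed after the last "required" cannot rescue a pam_unix
# failure; it only short-circuits on success. Confirm pam_unix's account check passes for
# LDAP users resolved through NSS.
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
account sufficient /usr/local/lib/pam_ldap.so
# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail
# password: same ordering rule — pam_ldap (sufficient) first so LDAP users can change
# their password; pam_unix (required) remains the fallback for local accounts.
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass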
==== pam.d/passwd ====
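# passwd(1) does not use the auth, account or session services.
# password: pam_ldap ("sufficient") must precede the "required" pam_unix, otherwise an
# LDAP-only user fails pam_unix first and no later sufficient success can recover —
# passwd(1) would always fail for LDAP users. pam_ldap now prompts itself (try_first_pass
# instead of use_first_pass, since no earlier module supplies a password) and pam_unix
# reuses what it collected. Password-quality enforcement stays disabled while the
# pam_passwdqc line is commented out.
#password requisite pam_passwdqc.so enforce=users
password sufficient /usr/local/lib/pam_ldap.so try_first_pass
password required pam_unix.so no_warn try_first_pass nullok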
===== ldif =====
==== add_user.ldif ====
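# One posixAccount entry under ou=Utilisateurs.
dn: cn=Alex Leg,ou=Utilisateurs,dc=geeknode,dc=org
cn: Alex Leg
# sn is the surname (mandatory for "person"), not a nickname
sn: bragon
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: bragon
uidNumber: 2000
gidNumber: 2000
gecos: Alex Leg
homeDirectory: /home/bragon
loginShell: /usr/local/bin/zsh
# Placeholder hash. Use a salted scheme, slappasswd -h '{SSHA}', as the rootpw in
# slapd.conf already does; unsalted {MD5} is cheap to brute-force if the hashes leak.
userPassword: {SSHA}xxxx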
==== geeknode.ldif ====
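# Directory root. Entries are separated by a blank line, as LDIF requires (the wiki
# rendering had run them together). structuralObjectClass is an operational attribute
# slapd computes itself and rejects in an ldapadd ("no user modification"), so it is
# left out of every entry below; slapadd derives it too.
dn: dc=geeknode,dc=org
dc: geeknode
objectclass: top
objectclass: domain
objectclass: domainRelatedObject
description: GeeknodeLdap
associatedDomain: geeknode.org

# Container for user accounts
dn: ou=Utilisateurs,dc=geeknode,dc=org
objectclass: top
objectclass: organizationalUnit
ou: Utilisateurs
description: Les utilisateurs

# Container for groups
dn: ou=Groupes,dc=geeknode,dc=org
objectclass: top
objectclass: organizationalUnit
ou: Groupes
description: Les groupes

# A user account
dn: cn=Alex Leg,ou=Utilisateurs,dc=geeknode,dc=org
# Common Name
cn: Alex Leg
# Surname (mandatory for "person")
sn: bragon
# Object classes
objectclass: top
objectclass: person
objectclass: posixAccount
objectclass: shadowAccount
# Login name
uid: bragon
# Numeric user id
uidnumber: 2000
# Primary group (LdapUsers, defined below)
gidnumber: 2000
# Full name
gecos: Alex Leg
# Shell
loginShell: /usr/local/bin/bash
# Home directory
homeDirectory: /home/bragon
# Password hash placeholder. Salted scheme: slappasswd -h '{SSHA}' (same scheme as the
# rootpw in slapd.conf); unsalted {MD5} is cheap to brute-force if the directory is dumped.
userpassword: {SSHA}xxxx

# Group LdapUsers
dn: cn=LdapUsers,ou=Groupes,dc=geeknode,dc=org
objectclass: top
objectclass: posixGroup
# Group id
gidNumber: 2000
# Group name
cn: LdapUsers
# Members
memberUid: bragon

# Our 'proxy' user: the rootbinddn of ldap.conf, used by nss_ldap/pam_ldap to read
# password hashes. The slapd ACLs give it read access only.
dn: cn=proxyuser,dc=geeknode,dc=org
objectClass: top
objectClass: person
cn: proxyuser
# sn is mandatory for "person"
sn: proxyuser
# Placeholder: slappasswd -h '{SSHA}'
userPassword: {SSHA}xxxxx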
==== add_group.ldif ====
# Group gnadmin. gidNumber 2001 is distinct from the users' primary group 2000
# (LdapUsers); membership is expressed with memberUid.
dn: cn=gnadmin,ou=Groupes,dc=geeknode,dc=org
objectclass: top
objectclass: posixGroup
# Group id
gidNumber: 2001
# Group name
cn: gnadmin
# Members
memberUid: bragon
===== nsswitch =====
==== nsswitch.conf ====
# Lookup order per database. "files" is consulted before "ldap", so a local /etc/passwd
# or /etc/group entry shadows an LDAP entry with the same name.
hosts: files dns
networks: files
protocols: files
ethers: files
rpc: files
netmasks: files
bootparams: files
services: files
# passwd/group come from LDAP via nss_ldap when not found locally
passwd: files ldap
group: files ldap
# NOTE(review): FreeBSD's nsswitch has no "shadow" database (it is a Linux one); this
# line is probably ignored here — confirm against nsswitch.conf(5) on the target host.
shadow: files ldap
netgroup: files
===== commandes pratiques =====
% getent passwd
% finger bragon