Mise en place de l'authentification unix/sshd via OpenLDAP

misc docs

openldap

slapd.conf

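# Schemas: nis.schema provides posixAccount/posixGroup/shadowAccount (used by the LDIFs
# below); cosine.schema provides domainRelatedObject/associatedDomain.
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath      /usr/local/libexec/openldap
moduleload      back_bdb

database        bdb
suffix          "dc=geeknode,dc=org"
rootdn          "cn=manager,dc=geeknode,dc=org"

# Placeholder: generate the real value with "slappasswd -h '{SSHA}'".
rootpw          {SSHA}xxxxxxx

directory       /var/db/openldap-data

# Indexes for the lookups nss_ldap/pam_ldap perform (uid, uidNumber, gidNumber, ...).
index   objectClass     eq
index    cn,sn,uid,displayName    pres,sub,eq
index    uidNumber,gidNumber      eq

# ACLs are evaluated in order: the first "access to" clause whose target matches is used,
# and within it the first matching "by" line decides.
# Password hashes: only the manager, the proxy user and the entry owner may read them;
# anonymous clients may only use them to bind ("auth"), never read them.
# NOTE(review): read access for the proxy user means a leaked proxy password exposes every
# hash; that credential (ldap.secret, see ldap.conf) must stay root-only.
access to attrs=userPassword
    by dn="cn=manager,dc=geeknode,dc=org" write
    by dn="cn=proxyuser,dc=geeknode,dc=org" read
    by self write
    by anonymous auth
    by * none

# uidNumber/gidNumber must be world-readable for NSS lookups; listing them here also keeps
# users from rewriting their own (the "access to *" clause below grants self write).
access to attrs=uidNumber,gidNumber
    by dn="cn=manager,dc=geeknode,dc=org" write
    by dn="cn=proxyuser,dc=geeknode,dc=org" read
    by * read

# Everything else: world-readable (no binddn is set in ldap.conf, so non-root NSS lookups
# presumably run anonymously and rely on this).
# NOTE(review): "by self write" here lets a user change their own uid, homeDirectory and
# loginShell; consider restricting self write to the attributes users should maintain.
access to *
    by dn="cn=manager,dc=geeknode,dc=org" write
    by self write
    by * read

# jabberd has trouble with LDAP v3; uncomment to accept LDAPv2 binds.
# allow bind_v2

# Logging. 255 is full debug output and is best lowered once the setup works.
loglevel 255
logfile /var/log/openldap/geekldap.log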

ldap.conf

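# Base DN of our directory: must match the "suffix" declared in slapd.conf
# (the page's other DNs all use dc=geeknode,dc=org; "o=geeknode" does not exist there).
BASE    dc=geeknode,dc=org
# URL used to reach the server
URI     ldap://localhost/

ldap_version       3

# Authentication: DN used by root processes for privileged lookups (e.g. the shadow map).
# Its password is read from the separate ldap.secret file next to this one, which must be
# readable by root only.
rootbinddn         cn=proxyuser,dc=geeknode,dc=org

# NSS & PAM
# NOTE(review): MD5 stores unsalted hashes; {SSHA} (as used for rootpw in slapd.conf) or
# "exop" (let the server hash the password itself) is preferable.
pam_password       MD5
nss_base_passwd    ou=Utilisateurs,dc=geeknode,dc=org
nss_base_shadow    ou=Utilisateurs,dc=geeknode,dc=org
nss_base_group     ou=Groupes,dc=geeknode,dc=org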

partie pam

pam.d/sshd

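# auth: OPIE first; pam_ldap is "sufficient", so a successful LDAP bind ends the stack.
# pam_unix is the fallback for local accounts and reuses the password pam_ldap prompted for.
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth        sufficient    /usr/local/lib/pam_ldap.so    no_warn
auth            required        pam_unix.so             no_warn try_first_pass

# account (pam_login_access was listed twice; a single entry is enough)
# NOTE(review): no pam_ldap here, so account restrictions kept in the directory
# (shadowAccount expiry) are presumably not enforced for sshd logins — verify.
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so


# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass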

pam.d/system


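# auth
auth            sufficient      pam_opie.so                     no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so               no_warn allow_local
#auth           sufficient      pam_krb5.so                     no_warn try_first_pass
#auth           sufficient      pam_ssh.so                      no_warn try_first_pass
# pam_ldap must come BEFORE the "required" pam_unix line (same order as in pam.d/sshd):
# once a required module has failed the stack fails as a whole, so with pam_unix first a
# directory-only user could never authenticate through this service.
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
# NOTE(review): nullok accepts empty local passwords; drop it unless passwordless local
# accounts are intended.
auth            required        pam_unix.so                     no_warn try_first_pass nullok

# account
# NOTE(review): pam_unix is "required" ahead of the "sufficient" pam_ldap line, so a
# pam_unix failure cannot be rescued by pam_ldap; presumably acceptable because pam_unix
# resolves directory users through NSS — verify with an LDAP-only account.
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so
account         sufficient      /usr/local/lib/pam_ldap.so


# session
#session        optional        pam_ssh.so
session         required        pam_lastlog.so          no_fail

# password
# NOTE(review): same ordering concern as the account stack — confirm that a directory-only
# user can change their password through this service.
#password       sufficient      pam_krb5.so                     no_warn try_first_pass
password        required        pam_unix.so                     no_warn try_first_pass
password        sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass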

pam.d/passwd

# passwd(1) does not use the auth, account or session services.

# password
# pam_unix handles local accounts first; pam_ldap then reuses the same new password
# (use_first_pass) for directory accounts.
# NOTE(review): password-quality checking (pam_passwdqc) is disabled while commented out.
#password       requisite       pam_passwdqc.so         enforce=users
password        required        pam_unix.so             no_warn try_first_pass nullok
password    sufficient    /usr/local/lib/pam_ldap.so    use_first_pass

ldif

add_user.ldif


# Single user entry. It has the same DN as the user in geeknode.ldif (zsh here, bash
# there), so only one of the two files should create it.
dn: cn=Alex Leg,ou=Utilisateurs,dc=geeknode,dc=org
cn: Alex Leg
sn: bragon
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: bragon
uidNumber: 2000
gidNumber: 2000
gecos: Alex Leg
homeDirectory: /home/bragon
loginShell: /usr/local/bin/zsh
# Placeholder hash. {MD5} is unsalted; "slappasswd -h '{SSHA}'" gives a salted hash
# (the scheme already used for rootpw in slapd.conf).
userPassword: {MD5}xxxx

geeknode.ldif


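# Directory root (the suffix declared in slapd.conf)
dn: dc=geeknode,dc=org
dc: geeknode
objectclass: top
objectclass: domain
objectclass: domainRelatedObject
description: GeeknodeLdap
associatedDomain: geeknode.org
# structuralObjectClass is an operational attribute that slapd computes itself; supplying
# it makes ldapadd reject the entry, so it is not listed on any entry in this file.

# Container for users
dn: ou=Utilisateurs,dc=geeknode,dc=org
objectclass: top
objectclass: organizationalUnit
ou: Utilisateurs
description: Les utilisateurs

# Container for groups
dn: ou=Groupes,dc=geeknode,dc=org
objectclass: top
objectclass: organizationalUnit
ou: Groupes
description: Les groupes

# First user (same DN as add_user.ldif; do not load both)
dn: cn=Alex Leg,ou=Utilisateurs,dc=geeknode,dc=org
# Common Name
cn: Alex Leg
# Surname
sn: bragon
# Parent classes
objectclass: top
objectclass: person
objectclass: posixAccount
objectclass: shadowAccount
# Login
uid: bragon
# User id
uidnumber: 2000
# Primary group of the user
gidnumber: 2000
# Full name
gecos: Alex Leg
# Shell
loginShell: /usr/local/bin/bash
# Home directory
homeDirectory: /home/bragon
# Password: placeholder, generated with "slappasswd -h '{MD5}'"
# ({MD5} is unsalted; "slappasswd -h '{SSHA}'" gives a salted hash, as used for rootpw)
userpassword: {MD5}xxxx

# LdapUsers group
dn: cn=LdapUsers,ou=Groupes,dc=geeknode,dc=org
objectclass: top
objectclass: posixGroup
# Group id
gidNumber: 2000
# Group name
cn: LdapUsers
# Group members
memberUid: bragon

# Our 'proxy' user, used to verify authentications (the rootbinddn in ldap.conf)
dn: cn=proxyuser,dc=geeknode,dc=org
objectClass: top
objectClass: person
cn: proxyuser
# sn is mandatory for the person class
sn: proxyuser
# slappasswd -h '{MD5}'
userPassword: {MD5}xxxxx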

add_group.ldif

# gnadmin group (secondary group; gidNumber 2001 is distinct from LdapUsers' 2000)
dn: cn=gnadmin,ou=Groupes,dc=geeknode,dc=org
objectclass: top
objectclass: posixGroup
# Group id
gidNumber: 2001
# Group name
cn: gnadmin
# Group members
memberUid: bragon

nsswitch

nsswitch.conf

# Local files are consulted first; the directory (nss_ldap) is only queried for users and
# groups that are not defined locally.
hosts:          files    dns
networks:       files
protocols:      files
ethers:         files
rpc:            files
netmasks:       files
bootparams:     files
services:       files
passwd:         files    ldap
group:          files    ldap
# NOTE(review): "shadow" is a Linux nsswitch database; on FreeBSD (the platform these
# paths point to) this line is presumably ignored — confirm against nsswitch.conf(5).
shadow:         files    ldap
netgroup:       files

commandes pratiques

% getent passwd
% finger bragon
 