====== LDAP client on Ubuntu 14.04 ======

===== Installation =====

<code bash>
apt-get install sssd libnss-sss libpam-sss auth-client-config
</code>

===== Configuration =====

==== sssd ====

''/etc/sssd/sssd.conf'':

<code>
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]

[pam]

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.mngt.rtd.helux.nl/,ldap://ldap.mngt.bh.helux.nl/
ldap_search_base = dc=helux,dc=nl
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/ssl/certs/cacert.pem
cache_credentials = true
enumerate = true
</code>

sssd requires its config file to be readable by root only. Fetch the CA certificate referenced by ''ldap_tls_cacert'' so the server certificate can be verified:

<code bash>
chmod 0600 /etc/sssd/sssd.conf
cd /etc/ssl/certs
wget http://ldap.mngt.rtd.helux.nl/cacert.pem
</code>

auth-client-config profile ''sssd'' (the NSS and PAM settings that ''auth-client-config'' writes into ''/etc/nsswitch.conf'' and ''/etc/pam.d/''):

<code>
[sssd]
nss_passwd=     passwd: compat sss
nss_group=      group: compat sss
nss_shadow=     shadow: compat
nss_netgroup=   netgroup: nis

pam_auth=       auth [success=3 default=ignore] pam_unix.so nullok_secure try_first_pass
                auth requisite pam_succeed_if.so uid >= 500 quiet
                auth [success=1 default=ignore] pam_sss.so use_first_pass
                auth requisite pam_deny.so
                auth required pam_permit.so

pam_account=    account required pam_unix.so
                account sufficient pam_localuser.so
                account sufficient pam_succeed_if.so uid < 500 quiet
                account [default=bad success=ok user_unknown=ignore] pam_sss.so
                account required pam_permit.so

pam_password=   password sufficient pam_unix.so obscure sha512
                password sufficient pam_sss.so use_authtok
                password required pam_deny.so

pam_session=    session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
                session optional pam_keyinit.so revoke
                session required pam_limits.so
                session [success=1 default=ignore] pam_sss.so
                session required pam_unix.so
</code>

Apply the profile:

<code bash>
auth-client-config -a -p sssd
</code>

==== Enable homedir creation ====

pam-auth-update profile for ''pam_mkhomedir'':

<code>
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required pam_mkhomedir.so umask=0022 skel=/etc/skel
</code>

==== Enable password changes with the passwd tool ====

Remove ''use_authtok'' in ''/etc/pam.d/common-password'':

<code>
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# -- removed comment header talking about various options --
# here are the per-package modules (the "Primary" block)
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
# here's the fallback if no module succeeds
</code>

Then run ''pam-auth-update'' and set:

  * disable: Pwquality password strength checking
  * enable: SSS authentication
  * disable: LDAP authentication
  * enable: activate mkhomedir (only when not using NFS mount)

<code bash>
service sssd restart
</code>

{{tag>linux}}
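Before restarting sssd it is worth checking the three settings in ''/etc/sssd/sssd.conf'' that decide whether LDAP binds, and thus user passwords, cross the network protected: the 0600 mode sssd insists on, STARTTLS (or ''ldaps:%%//%%'') on the ''ldap_uri'' entries, and a readable ''ldap_tls_cacert''. The POSIX sh lint below is an added example, not part of this page or of sssd; the function names ''conf_get'' and ''check_sssd_conf'' are chosen here.

```shell
#!/bin/sh
# Added example, not from the original page or from sssd: lint an sssd.conf of
# the shape shown above before "service sssd restart". Function names
# (conf_get, check_sssd_conf) are chosen here. Checks: mode 0600 (sssd insists
# on it), STARTTLS or ldaps:// for the LDAP URIs, and a readable CA certificate
# so the LDAP server's certificate is actually verified.

# Print the last "key = value" for key $2 in file $1; nothing if the key is absent.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 when the config passes all checks, 1 otherwise (reasons are printed).
check_sssd_conf() {
    conf="$1"
    rc=0
    [ -f "$conf" ] || { echo "missing: $conf"; return 1; }

    # Permissions: sssd requires its config to be 0600.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    [ "$mode" = "600" ] || { echo "mode is $mode, expected 600"; rc=1; }

    # Without STARTTLS a plain ldap:// URI sends simple binds in clear text.
    tls=$(conf_get "$conf" ldap_id_use_start_tls)
    uris=$(conf_get "$conf" ldap_uri)
    if [ "$tls" != "true" ]; then
        case "$uris" in
            *ldap://*) echo "plain ldap:// URI without ldap_id_use_start_tls"; rc=1 ;;
        esac
    fi

    # The CA that signed the LDAP server's certificate must be present, or
    # certificate verification cannot succeed.
    cacert=$(conf_get "$conf" ldap_tls_cacert)
    if [ -z "$cacert" ]; then
        echo "ldap_tls_cacert not set"; rc=1
    elif [ ! -r "$cacert" ]; then
        echo "ldap_tls_cacert $cacert is not readable"; rc=1
    fi

    return $rc
}

# Stand-alone use: sh check_sssd.sh /etc/sssd/sssd.conf
if [ $# -gt 0 ]; then
    check_sssd_conf "$1"
fi
```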