


ubuntu_14.04_ldap_client

LDAP client on Ubuntu 14.04

Installation

# sssd with its NSS and PAM modules, plus auth-client-config, which applies the
# nss/pam profile defined further down this page
apt-get install \
    sssd \
    libnss-sss \
    libpam-sss \
    auth-client-config

Configuration

sssd

/etc/sssd/sssd.conf
# /etc/sssd/sssd.conf for an LDAP-backed client.
# sssd refuses to start unless this file is mode 0600 and owned by root
# (the chmod step below takes care of that).
[sssd]
config_file_version = 2
# responders to start; each has a matching section below
services = nss, pam
# the name here must match the [domain/...] section header
domains = LDAP

# responders run with their defaults; the empty sections are kept so
# responder-specific options have a place to go later
[nss]

[pam]

[domain/LDAP]
# identity lookups and password authentication both go to the LDAP servers
id_provider = ldap
auth_provider = ldap

# comma-separated list, tried in order of preference; the second URI is the fallback
ldap_uri = ldap://ldap.mngt.rtd.helux.nl/,ldap://ldap.mngt.bh.helux.nl/
ldap_search_base = dc=helux,dc=nl

# protect identity lookups with StartTLS as well; sssd already requires TLS for
# the authentication channel, this extends it to user/group enumeration traffic
ldap_id_use_start_tls = true
# CA used to validate the servers' certificates; the file is fetched by the
# wget step below. ldap_tls_reqcert is not set, so sssd's default applies
# (it demands a valid certificate — confirm against the installed version).
ldap_tls_cacert = /etc/ssl/certs/cacert.pem

# keep a hashed copy of the password so cached users can log in while the
# LDAP servers are unreachable
cache_credentials = true
# periodically downloads the full user and group list; generally discouraged
# for large directories because of the load it puts on sssd and the servers
enumerate = true
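# sssd refuses to start unless sssd.conf is mode 0600 and owned by root
chmod 0600 /etc/sssd/sssd.conf
# Write straight to the path named by ldap_tls_cacert instead of relying on a
# prior cd (an unchecked cd that fails would leave the file in the wrong place).
# The download is plain HTTP, so nothing in this step authenticates the CA that
# sssd will trust for the LDAP servers: compare the fingerprint printed below
# with a value obtained out-of-band before relying on it.
wget -O /etc/ssl/certs/cacert.pem http://ldap.mngt.rtd.helux.nl/cacert.pem
openssl x509 -in /etc/ssl/certs/cacert.pem -noout -fingerprint -sha256
# expected: <SHA256 fingerprint supplied out-of-band by the LDAP administrators>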
/etc/auth-client-config/profile.d/acc-sssd
# auth-client-config profile: the nss_* values become lines in /etc/nsswitch.conf,
# the pam_* values become the /etc/pam.d/common-* stacks. Continuation lines are
# indented, so comments are only placed in front of each key.
[sssd]
# passwd and group fall through to sssd after the local files; shadow stays
# local only (sssd never serves password hashes through NSS)
nss_passwd=     passwd:         compat sss
nss_group=      group:          compat sss
nss_shadow=     shadow:         compat
nss_netgroup=   netgroup:       nis

# auth: local accounts (pam_unix) are tried first. success=N skips the next N
# modules, so a local success jumps straight to pam_permit; otherwise the
# requisite pam_succeed_if restricts the pam_sss attempt to uid >= 500, i.e.
# system accounts never go to LDAP, and pam_deny catches everything else.
pam_auth=       auth    [success=3 default=ignore]      pam_unix.so nullok_secure try_first_pass
                auth    requisite                       pam_succeed_if.so uid >= 500 quiet
                auth    [success=1 default=ignore]      pam_sss.so use_first_pass
                auth    requisite                       pam_deny.so
                auth    required                        pam_permit.so

# account: local and system (uid < 500) users are accepted without an LDAP
# round trip; everyone else is checked by pam_sss, where an unknown user is
# ignored rather than treated as a failure
pam_account=    account required                                        pam_unix.so
                account sufficient                                      pam_localuser.so
                account sufficient                                      pam_succeed_if.so uid < 500 quiet
                account [default=bad success=ok user_unknown=ignore]    pam_sss.so
                account required                                        pam_permit.so

# password: pam_unix handles local users; use_authtok makes pam_sss reuse the
# new password pam_unix already collected instead of prompting again
pam_password=   password        sufficient      pam_unix.so obscure sha512
                password        sufficient      pam_sss.so use_authtok
                password        required        pam_deny.so

# session: missing home directories are created with umask 0077, i.e. private
# to the owning user
pam_session=    session required                        pam_mkhomedir.so skel=/etc/skel/ umask=0077
                session optional                        pam_keyinit.so revoke
                session required                        pam_limits.so
                session [success=1 default=ignore]      pam_sss.so
                session required                        pam_unix.so
# -a applies every type (nss_* and pam_*) of the profile selected with -p, i.e.
# it rewrites /etc/nsswitch.conf and the /etc/pam.d/common-* files.
# NOTE(review): pam-auth-update, run later on this page, manages the same
# common-* files and can override these edits — confirm which tool is meant
# to own them.
auth-client-config -a -p sssd

Enable homedir creation

/usr/share/pam-configs/mkhomedir
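Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
  required  pam_mkhomedir.so umask=0077 skel=/etc/skel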

Allow users to change their password with the passwd tool

remove use_authtok

/etc/pam.d/common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
# -- removed comment header talking about various options --
# Excerpt only; the fallback lines after the last comment are not shown here.

# here are the per-package modules (the "Primary" block)
# The two lines below sit inside the block that pam-auth-update manages; the
# pam-auth-update run further down regenerates this block and prompts before
# overriding hand edits here.
password	[success=2 default=ignore]	pam_unix.so obscure sha512
# NOTE(review): this line still carries use_authtok although the step above
# says to remove it, and it calls pam_ldap.so although the rest of the page
# uses pam_sss.so — confirm which final state is intended.
password	[success=1 user_unknown=ignore default=die]	pam_ldap.so use_authtok try_first_pass
# here's the fallback if no module succeeds
# interactive: the profile choices made in the dialog are listed below. It
# rewrites /etc/pam.d/common-*; disabling pwquality removes password-strength
# enforcement from the password stack for every password change.
pam-auth-update
disable: Pwquality password strength checking
enable: SSS authentication
disable: LDAP authentication
enable: activate mkhomedir (only when home directories are not NFS-mounted)
# pick up the new sssd.conf and the CA certificate installed above
service sssd restart