====== Arch AD Auth ======
====== Packages ======
<code>
pacman -S nss-pam-ldapd krb5 pam-krb5
</code>
====== Configs ======
===== Kerberos =====
Edit ''/etc/krb5.conf'':
<code>
[libdefaults]
default_realm = ACM.CS
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
# left empty on purpose: the KDCs are found through DNS SRV records because dns_lookup_kdc = true
[domain_realm]
acm.cs = ACM.CS
.acm.cs = ACM.CS
[logging]
# kdc = CONSOLE
</code>
To test, obtain a ticket for a domain user:
<code>
kinit username
</code>
===== LDAP/NSLCD =====
LDAP lookups and authentication use nslcd instead of the old nss-ldap/pam-ldap packages; nslcd is faster and more reliable than the old libraries.
**Make sure ''/etc/nslcd.conf'' can only be read by root** (it contains the bind passwords):
<code>
uid nslcd
gid nslcd
uri ldaps://ad1.acm.cs/
uri ldaps://ad2.acm.cs/
ldap_version 3
base dc=acm,dc=cs
binddn apacheacm@acm.cs
bindpw
rootpwmoddn acmpwadmin@acm.cs
rootpwmodpw
base group ou=ACMGroups,dc=acm,dc=cs
base passwd ou=ACMUsers,dc=acm,dc=cs
base shadow ou=ACMUsers,dc=acm,dc=cs
bind_timelimit 30
timelimit 30
ssl on
tls_reqcert allow
</code>
Note that ''tls_reqcert allow'' makes nslcd accept the server certificate even when it cannot be verified, so the bind credentials are only as safe as the network path; once the AD CA certificate is installed on the client, ''tls_reqcert demand'' is the safer setting.
**Uncomment the 'Mappings for Active Directory' section** and set it to:
<code>
pagesize 1000
referrals off
idle_timelimit 800
# 1.2.840.113556.1.4.803 is AD's bitwise-AND matching rule; bit 2 of userAccountControl is ACCOUNTDISABLE,
# so the (!(...:=2)) clause keeps disabled accounts out of passwd and shadow
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
</code>
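A small audit script for the ''/etc/nslcd.conf'' layout above, added here as an example (not part of the original page or of nss-pam-ldapd). It assumes GNU ''stat'' from Linux coreutils and checks the four things a reviewer looks at first: the file mode, that every ''uri'' is ldaps://, that ''tls_reqcert'' is ''demand'', and that the password directives actually carry a value.

```shell
#!/bin/sh
# Audit helper for nslcd.conf (added example; not from the wiki page or the
# nss-pam-ldapd project). Reports, one finding per line:
#   - a file mode that lets group/other read the file (it holds bindpw and
#     rootpwmodpw, so it should be 0600; ownership is not checked here)
#   - any "uri" that is not ldaps://, which would send the bind DN and
#     password in clear text
#   - tls_reqcert other than demand/hard ("allow" accepts an unverifiable
#     server certificate, which defeats the purpose of ldaps)
#   - bindpw/rootpwmodpw with no value
# Usage: nslcd_audit /etc/nslcd.conf   (no output means no findings)

nslcd_audit() {
    conf=$1
    # 1. permission bits: only the owner may read the file (GNU stat assumed)
    mode=$(stat -c '%a' "$conf")
    case "$mode" in
        [0-7]00) ;;
        *) echo "mode $mode: expected 600, group/other can read the bind passwords" ;;
    esac
    # 2. walk the directives, skipping comment lines ('#' in first column)
    grep -v '^[[:space:]]*#' "$conf" |
    while read -r key value; do
        case "$key" in
            uri)
                case "$value" in
                    ldaps://*) ;;
                    *) echo "uri $value: not ldaps://, credentials sent in clear" ;;
                esac ;;
            tls_reqcert)
                case "$value" in
                    demand|hard) ;;
                    *) echo "tls_reqcert $value: server certificate not verified, use demand" ;;
                esac ;;
            bindpw|rootpwmodpw)
                [ -n "$value" ] || echo "$key: no value set" ;;
        esac
    done
}
```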
===== NSSwitch =====
Edit the passwd, shadow, and group lines in ''/etc/nsswitch.conf'' to:
<code>
passwd: files ldap [NOTFOUND=return]
shadow: files ldap [NOTFOUND=return]
group: files ldap [NOTFOUND=return]
</code>
Test with
<code>
getent passwd
</code>
The LDAP users should be listed after the local ones.
<code>
getent group
</code>
The LDAP groups should be listed after the local ones.
===== Sudo =====
To give admins sudo, add this to the sudoers file (edit it with ''visudo''):
<code>
%AcmLanAdmins ALL=(ALL) ALL
</code>
===== PAM =====
Set the PAM stack (''/etc/pam.d/system-auth'' on Arch) to:
<code>
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so
account sufficient pam_ldap.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password sufficient pam_ldap.so
password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_permit.so
</code>