Table of Contents

Arch AD Auth

Packages

pacman -S nss-pam-ldapd krb5 pam-krb5

Configs

Kerberos

/etc/krb5.conf

[libdefaults]
        default_realm = ACM.CS
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]

[domain_realm]
        acm.cs = ACM.CS
        .acm.cs = ACM.CS

[logging]
#       kdc = CONSOLE

To test run

kinit username

LDAP/NSLCD

LDAP lookups and auth use nslcd as opposed to the old nss-ldap/pam-ldap packages. Nslcd is faster and more reliable than the old libs.

Make sure nslcd.conf can only be read by root

/etc/nslcd.conf

uid nslcd
gid nslcd

uri ldaps://ad1.acm.cs/
uri ldaps://ad2.acm.cs/

ldap_version 3

base dc=acm,dc=cs

binddn apacheacm@acm.cs
bindpw <ask admin>

rootpwmoddn acmpwadmin@acm.cs
rootpwmodpw <ask admin>

base group ou=ACMGroups,dc=acm,dc=cs
base passwd ou=ACMUsers,dc=acm,dc=cs
base shadow ou=ACMUsers,dc=acm,dc=cs

bind_timelimit 30
timelimit 30

ssl on
tls_reqcert allow

**Uncomment the 'Mappings for Active Directory' section**
pagesize 1000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)

NSSwitch

Edit the passwd, shadow, and group lines to this

/etc/nsswitch.conf

passwd: files ldap [NOTFOUND=return]
shadow: files ldap [NOTFOUND=return]
group: files ldap [NOTFOUND=return]

Test

getent passwd

The LDAP user list should show up

getent group

The LDAP group list should show up

Sudo

To give admins sudo

/etc/sudoers.d/AcmLanAdmins

%AcmLanAdmins ALL=(ALL) ALL

/etc/pam.d/system-auth

auth      sufficient pam_ldap.so
auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_permit.so
auth      required  pam_env.so

account   sufficient pam_ldap.so
account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  sufficient pam_ldap.so
password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_ldap.so
session   optional  pam_permit.so