linux:arch_ad_backend
Differences
This shows you the differences between two versions of the page.
|
linux:arch_ad_backend [2014/11/18 16:01] walter [Packages] |
linux:arch_ad_backend [2021/05/02 21:36] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Packages ====== | ||
| - | |||
| - | nss-pam-ldapd | ||
| - | |||
| - | krb5 | ||
| - | |||
| - | pam-krb5 (aur) | ||
| - | |||
| - | acm-pam (acm repo) | ||
| - | |||
| - | acm-admin-sudoers (acm repo) | ||
| - | ====== Configs ====== | ||
| - | |||
| - | ===== Kerberos ===== | ||
| - | |||
| - | <file|krb5.conf> | ||
| - | [libdefaults] | ||
| - | default_realm = ACM.CS | ||
| - | dns_lookup_realm = false | ||
| - | dns_lookup_kdc = true | ||
| - | |||
| - | [realms] | ||
| - | |||
| - | [domain_realm] | ||
| - | acm.cs = ACM.CS | ||
| - | .acm.cs = ACM.CS | ||
| - | |||
| - | [logging] | ||
| - | # kdc = CONSOLE | ||
| - | |||
| - | </file> | ||
| - | |||
| - | To test run | ||
| - | <code>kinit username</code> | ||
| - | |||
| - | ===== LDAP/NSLCD ===== | ||
| - | |||
| - | LDAP lookups and auth use nslcd as opposed to the old nss-ldap/pam-ldap packages. Nslcd is faster and more reliable than the old libs. | ||
| - | |||
| - | **Make sure nslcd.conf can only be read by root** | ||
| - | <file|nslcd.conf> | ||
| - | uid nslcd | ||
| - | gid nslcd | ||
| - | |||
| - | uri ldaps://ad1.acm.cs/ | ||
| - | uri ldaps://ad2.acm.cs/ | ||
| - | |||
| - | ldap_version 3 | ||
| - | |||
| - | base dc=acm,dc=cs | ||
| - | |||
| - | binddn apacheacm@acm.cs | ||
| - | bindpw <ask admin> | ||
| - | |||
| - | rootpwmoddn acmpwadmin@acm.cs | ||
| - | rootpwmodpw <ask admin> | ||
| - | |||
| - | base group ou=ACMGroups,dc=acm,dc=cs | ||
| - | base passwd ou=ACMUsers,dc=acm,dc=cs | ||
| - | base shadow ou=ACMUsers,dc=acm,dc=cs | ||
| - | |||
| - | bind_timelimit 30 | ||
| - | timelimit 30 | ||
| - | |||
| - | ssl on | ||
| - | tls_reqcert allow | ||
| - | |||
| - | **Uncomment the 'Mappings for Active Directory' section** | ||
| - | pagesize 1000 | ||
| - | referrals off | ||
| - | idle_timelimit 800 | ||
| - | filer passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) | ||
| - | map passwd uid sAMAccountName | ||
| - | map passwd homeDirectory unixHomeDirectory | ||
| - | map passwd gecos displayName | ||
| - | filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) | ||
| - | map shadow uid sAMAccountName | ||
| - | map shadow shadowLastChange pwdLastSet | ||
| - | filter group (objectClass=group) | ||
| - | |||
| - | </file> | ||
| - | |||
| - | ===== NSSwitch ===== | ||
| - | |||
| - | Edit the passwd, shadow, and group lines to this | ||
| - | <file|nsswitch.conf> | ||
| - | passwd: compat ldap [NOTFOUND=return] | ||
| - | shadow: compat ldap [NOTFOUND=return] | ||
| - | group: compat ldap [NOTFOUND=return] | ||
| - | </file> | ||
| - | |||
| - | Test | ||
| - | <code>getent passwd</code> | ||
| - | The LDAP user list should show up | ||
| - | <code>getent group</code> | ||
| - | The LDAP group list should show up | ||
| - | |||
| - | ===== Sudo ===== | ||
| - | |||
| - | To give admins sudo | ||
| - | <file|sudoers> | ||
| - | %AcmLanAdmins ALL=(ALL) ALL | ||
| - | </file> | ||
| - | |||
| - | ===== PAM ===== | ||
| - | |||
| - | These files are in /etc/pam.d | ||
| - | |||
| - | FIXME | ||
linux/arch_ad_backend.txt ยท Last modified: 2021/05/02 21:36 (external edit)
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
