This shows you the differences between two versions of the page.
linux:arch_ad_backend [2016/10/19 23:04] walter [Packages]
linux:arch_ad_backend [2021/05/02 21:36]
Line 1: | Line 1: | ||
- | ====== Arch AD Auth ====== | ||
- | ====== Packages ====== | ||
- | |||
- | nss-pam-ldapd | ||
- | |||
- | krb5 | ||
- | |||
- | pam-krb5 | ||
- | |||
- | acm-pam ([[linux:acm_custom_repo|acm repo]]) | ||
- | |||
- | acm-admins-sudo ([[linux:acm_custom_repo|acm repo]]) | ||
- | ====== Configs ====== | ||
- | |||
- | ===== Kerberos ===== | ||
- | |||
- | <file|krb5.conf> | ||
- | [libdefaults] | ||
- | default_realm = ACM.CS | ||
- | dns_lookup_realm = false | ||
- | dns_lookup_kdc = true | ||
- | |||
- | [realms] | ||
- | |||
- | [domain_realm] | ||
- | acm.cs = ACM.CS | ||
- | .acm.cs = ACM.CS | ||
- | |||
- | [logging] | ||
- | # kdc = CONSOLE | ||
- | |||
- | </file> | ||
- | |||
- | To test run | ||
- | <code>kinit username</code> | ||
- | |||
- | ===== LDAP/NSLCD ===== | ||
- | |||
- | LDAP lookups and auth use nslcd as opposed to the old nss-ldap/pam-ldap packages. Nslcd is faster and more reliable than the old libs. | ||
- | |||
- | **Make sure nslcd.conf can only be read by root** | ||
- | <file|nslcd.conf> | ||
- | uid nslcd | ||
- | gid nslcd | ||
- | |||
- | uri ldaps://ad1.acm.cs/ | ||
- | uri ldaps://ad2.acm.cs/ | ||
- | |||
- | ldap_version 3 | ||
- | |||
- | base dc=acm,dc=cs | ||
- | |||
- | binddn apacheacm@acm.cs | ||
- | bindpw <ask admin> | ||
- | |||
- | rootpwmoddn acmpwadmin@acm.cs | ||
- | rootpwmodpw <ask admin> | ||
- | |||
- | base group ou=ACMGroups,dc=acm,dc=cs | ||
- | base passwd ou=ACMUsers,dc=acm,dc=cs | ||
- | base shadow ou=ACMUsers,dc=acm,dc=cs | ||
- | |||
- | bind_timelimit 30 | ||
- | timelimit 30 | ||
- | |||
- | ssl on | ||
- | tls_reqcert allow | ||
- | |||
- | **Uncomment the 'Mappings for Active Directory' section** | ||
- | pagesize 1000 | ||
- | referrals off | ||
- | idle_timelimit 800 | ||
- | filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) | ||
- | map passwd uid sAMAccountName | ||
- | map passwd homeDirectory unixHomeDirectory | ||
- | map passwd gecos displayName | ||
- | filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) | ||
- | map shadow uid sAMAccountName | ||
- | map shadow shadowLastChange pwdLastSet | ||
- | filter group (objectClass=group) | ||
- | |||
- | </file> | ||
- | |||
- | ===== NSSwitch ===== | ||
- | |||
- | Edit the passwd, shadow, and group lines to this | ||
- | <file|nsswitch.conf> | ||
- | passwd: files ldap [NOTFOUND=return] | ||
- | shadow: files ldap [NOTFOUND=return] | ||
- | group: files ldap [NOTFOUND=return] | ||
- | </file> | ||
- | |||
- | Test | ||
- | <code>getent passwd</code> | ||
- | The LDAP user list should show up | ||
- | <code>getent group</code> | ||
- | The LDAP group list should show up | ||
- | |||
- | ===== Sudo ===== | ||
- | |||
- | To give admins sudo | ||
- | <file|sudoers> | ||
- | %AcmLanAdmins ALL=(ALL) ALL | ||
- | </file> | ||
- | |||
- | ===== PAM ===== | ||
- | |||
- | These files are in /etc/pam.d | ||
- | |||
- | Force install acm-pam | ||
- | <code> | ||
- | pacman -S --force acm-pam | ||
- | </code> | ||
- | |||
- | This will install a working PAM stack for auth against the ACM AD domain |
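Review bot: `tls_reqcert allow` in the nslcd.conf block means the ldaps:// connections to ad1.acm.cs and ad2.acm.cs accept any server certificate, so the password behind `binddn apacheacm@acm.cs` (and the `rootpwmoddn` credentials) is protected against passive capture only, not against a spoofed domain controller; set `tls_reqcert demand` and point `tls_cacertfile` at the CA certificate that issued the AD servers' certificates, which also makes the bold "only readable by root" note about the file the second line of defence rather than the first. Two smaller points in the same region: `[NOTFOUND=return]` after `ldap` on the three nsswitch.conf lines is a no-op, because ldap is already the last source on each line and the action only affects sources listed after it; and `pacman -S --force` no longer exists in current pacman (removed in 5.2 in favour of `--overwrite`), so the acm-pam step should name the files it expects to overwrite under /etc/pam.d instead of relying on a blanket force flag.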