linux:arch_ad_backend

Differences

This shows you the differences between two versions of the page.

linux:arch_ad_backend [2018/06/11 17:25]
bmiddha
linux:arch_ad_backend [2021/05/02 21:36]
Line 1: Line 1:
-====== Arch AD Auth ====== 
  
-====== Packages ====== 
- 
-nss-pam-ldapd 
- 
-krb5  
- 
-pam-krb5 
- 
-====== Configs ====== 
- 
-===== Kerberos ===== 
- 
-<​file|/​etc/​krb5.conf>​ 
-[libdefaults] 
-        default_realm = ACM.CS 
-        dns_lookup_realm = false 
-        dns_lookup_kdc = true 
- 
-[realms] 
- 
-[domain_realm] 
-        acm.cs = ACM.CS 
-        .acm.cs = ACM.CS 
- 
-[logging] 
-#       kdc = CONSOLE 
- 
-</​file>​ 
- 
-To test run 
-<​code>​kinit username</​code>​ 
- 
-===== LDAP/NSLCD ===== 
- 
-LDAP lookups and auth use nslcd as opposed to the old nss-ldap/​pam-ldap packages. Nslcd is faster and more reliable than the old libs. 
- 
-**Make sure nslcd.conf can only be read by root** 
-<​file|/​etc/​nslcd.conf>​ 
-uid nslcd 
-gid nslcd 
- 
-uri ldaps://​ad1.acm.cs/​ 
-uri ldaps://​ad2.acm.cs/​ 
- 
-ldap_version 3 
- 
-base dc=acm,​dc=cs 
- 
-binddn apacheacm@acm.cs 
-bindpw <ask admin> 
- 
-rootpwmoddn acmpwadmin@acm.cs 
-rootpwmodpw <ask admin> 
- 
-base group ou=ACMGroups,​dc=acm,​dc=cs 
-base passwd ou=ACMUsers,​dc=acm,​dc=cs 
-base shadow ou=ACMUsers,​dc=acm,​dc=cs 
- 
-bind_timelimit 30 
-timelimit 30 
- 
-ssl on 
-tls_reqcert allow 
- 
-**Uncomment the '​Mappings for Active Directory'​ section** 
-pagesize 1000 
-referrals off 
-idle_timelimit 800 
-filter passwd (&​(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:​1.2.840.113556.1.4.803:​=2))) 
-map passwd uid sAMAccountName 
-map passwd homeDirectory unixHomeDirectory 
-map passwd gecos displayName 
-filter shadow (&​(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:​1.2.840.113556.1.4.803:​=2))) 
-map shadow uid sAMAccountName 
-map shadow shadowLastChange pwdLastSet 
-filter group (objectClass=group) 
- 
-</​file>​ 
- 
-===== NSSwitch ===== 
- 
-Edit the passwd, shadow, and group lines to this 
-<​file|/​etc/​nsswitch.conf>​ 
-passwd: files ldap [NOTFOUND=return] 
-shadow: files ldap [NOTFOUND=return] 
-group: files ldap [NOTFOUND=return] 
-</​file>​ 
- 
-Test 
-<​code>​getent passwd</​code>​ 
-The LDAP user list should show up 
-<​code>​getent group</​code>​ 
-The LDAP group list should show up 
- 
-===== Sudo ===== 
- 
-To give admins sudo 
-<​file|/​etc/​sudoers.d/​AcmLanAdmins>​ 
-%AcmLanAdmins ALL=(ALL) ALL 
-</​file>​ 
- 
-<​file|/​etc/​pam.d/​system-auth>​ 
-auth      sufficient pam_ldap.so 
-auth      required ​ pam_unix.so ​    ​try_first_pass nullok 
-auth      optional ​ pam_permit.so 
-auth      required ​ pam_env.so 
- 
-account ​  ​sufficient pam_ldap.so 
-account ​  ​required ​ pam_unix.so 
-account ​  ​optional ​ pam_permit.so 
-account ​  ​required ​ pam_time.so 
- 
-password ​ sufficient pam_ldap.so 
-password ​ required ​ pam_unix.so ​    ​try_first_pass nullok sha512 shadow 
-password ​ optional ​ pam_permit.so 
- 
-session ​  ​required ​ pam_limits.so 
-session ​  ​required ​ pam_unix.so 
-session ​  ​optional ​ pam_ldap.so 
-session ​  ​optional ​ pam_permit.so 
-</​file>​ 
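Review bot: `tls_reqcert allow` in the removed /etc/nslcd.conf (the `ssl on` / `tls_reqcert allow` pair) disables server certificate validation for the `ldaps://ad1.acm.cs/` and `ldaps://ad2.acm.cs/` URIs, so the `binddn` / `bindpw` credentials are sent to whatever answers on those names; if this configuration is restored or reused on another page, change it to `tls_reqcert demand` and add a `tls_cacertfile` line pointing at the AD CA certificate (the existing "Make sure nslcd.conf can only be read by root" warning is correct for the same reason and should be kept with it). Also worth carrying into any replacement: the `nullok` option on `pam_unix.so` in the removed /etc/pam.d/system-auth lets local accounts with an empty password log in, so drop it unless that is intended. Finally, this revision deletes the whole page without leaving a pointer to where the Kerberos, nslcd, nsswitch and PAM configuration now lives; a one-line link to the replacement would keep it findable.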
linux/arch_ad_backend.txt · Last modified: 2021/05/02 21:36 (external edit)