This is an old revision of the document!

Packages

nss-pam-ldapd

krb5

pam-krb5 (aur)

Configs

Kerberos

krb5.conf

[libdefaults]
        default_realm = ACM.CS
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]

[domain_realm]
        acm.cs = ACM.CS
        .acm.cs = ACM.CS

[logging]
#       kdc = CONSOLE

To test run

kinit username

LDAP/NSLCD

LDAP lookups and auth use nslcd as opposed to the old nss-ldap/pam-ldap packages. Nslcd is faster and more reliable than the old libs.

Make sure nslcd.conf can only be read by root

nslcd.conf

uid nslcd
gid nslcd

uri ldaps://ad1.acm.cs/
uri ldaps://ad2.acm.cs/

ldap_version 3

base dc=acm,dc=cs

binddn apacheacm@acm.cs
bindpw <ask admin>

rootpwmoddn acmpwadmin@acm.cs
rootpwmodpw <ask admin>

base group ou=ACMGroups,dc=acm,dc=cs
base passwd ou=ACMUsers,dc=acm,dc=cs
base shadow ou=ACMUsers,dc=acm,dc=cs

bind_timelimit 30
timelimit 30

ssl on
tls_reqcert allow

**Uncomment the 'Mappings for Active Directory' section**
pagesize 1000
referrals off
idle_timelimit 800
filer passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)

NSSwitch

Edit the passwd, shadow, and group lines to this

nsswitch.conf

passwd: compat ldap [NOTFOUND=return]
shadow: compat ldap [NOTFOUND=return]
group: compat ldap [NOTFOUND=return]

Test

getent passwd

The LDAP user list should show up

getent group

The LDAP group list should show up

Sudo

To give admins sudo

sudoers

%AcmLanAdmins ALL=(ALL) ALL

PAM

These files are in /etc/pam.d

UIC ACM

Sidebar

Main Sidebar

Table of Contents

Packages

Configs

Kerberos

LDAP/NSLCD

NSSwitch

Sudo

PAM

UIC ACM

User Tools

Site Tools

Sidebar

Main Sidebar

Table of Contents

Packages

Configs

Kerberos

LDAP/NSLCD

NSSwitch

Sudo

PAM

Page Tools