linux:arch_ad_backend

Packages

nss-pam-ldapd

krb5

pam-krb5 (aur)

acm-pam (acm repo)

acm-admins-sudo (acm repo)

Configs

Kerberos

krb5.conf

[libdefaults]
        default_realm = ACM.CS
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]

[domain_realm]
        acm.cs = ACM.CS
        .acm.cs = ACM.CS

[logging]
#       kdc = CONSOLE

To test, run

kinit username

LDAP/NSLCD

LDAP lookups and authentication use nslcd rather than the old nss-ldap/pam-ldap packages; nslcd is faster and more reliable than the old libraries.

Make sure nslcd.conf can only be read by root, since it holds the bind passwords in clear text.

nslcd.conf

uid nslcd
gid nslcd

uri ldaps://ad1.acm.cs/
uri ldaps://ad2.acm.cs/

ldap_version 3

base dc=acm,dc=cs

binddn apacheacm@acm.cs
bindpw <ask admin>

rootpwmoddn acmpwadmin@acm.cs
rootpwmodpw <ask admin>

base group ou=ACMGroups,dc=acm,dc=cs
base passwd ou=ACMUsers,dc=acm,dc=cs
base shadow ou=ACMUsers,dc=acm,dc=cs

bind_timelimit 30
timelimit 30

ssl on
tls_reqcert allow

Then uncomment the 'Mappings for Active Directory' section of the packaged file, so that it reads:

pagesize 1000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
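The two things worth checking on this file are the ones the page calls out: that nobody but root can read it (it carries bindpw and rootpwmodpw), and how strictly the LDAPS connection verifies the server. The following is an added example, not part of the wiki page or the acm repo: it writes a constructed copy of the relevant settings to a temporary file (password values are placeholders) and reports the mode and the tls_reqcert setting. Note that with `tls_reqcert allow`, as configured above, libldap accepts a server certificate it cannot verify, so the connection is encrypted but the server is not authenticated; `demand` (assumed here to be the libldap default) makes a failed verification abort the session.

```python
"""Audit an nslcd.conf for file permissions and TLS certificate checking.

Added example for this page; not nslcd's own code. Runs against a
constructed config in a temporary file, so it is safe to run anywhere.
"""
import os
import stat
import tempfile

# Constructed subset of the page's nslcd.conf; secrets are placeholders.
SAMPLE_CONF = """\
uid nslcd
gid nslcd
uri ldaps://ad1.acm.cs/
uri ldaps://ad2.acm.cs/
binddn apacheacm@acm.cs
bindpw PLACEHOLDER
rootpwmoddn acmpwadmin@acm.cs
rootpwmodpw PLACEHOLDER
ssl on
tls_reqcert allow
"""


def parse_nslcd_conf(text):
    """Map option name -> list of values; repeated keys such as uri accumulate."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        opts.setdefault(key.lower(), []).append(value.strip())
    return opts


def audit_nslcd_conf(path):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as fh:
        opts = parse_nslcd_conf(fh.read())
    secrets = [k for k in ("bindpw", "rootpwmodpw") if k in opts]
    # Group/other bits must be clear when the file carries credentials.
    if secrets and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(
            f"mode {mode:04o} lets group/other read {', '.join(secrets)}; use 0600")
    uses_tls = (opts.get("ssl", ["off"])[-1] == "on"
                or any(u.startswith("ldaps://") for u in opts.get("uri", [])))
    # Assumption: libldap verifies by default, i.e. an unset value behaves like 'demand'.
    reqcert = opts.get("tls_reqcert", ["demand"])[-1].lower()
    # 'never' skips the certificate entirely; 'allow' ignores a bad one.
    if uses_tls and reqcert in ("never", "allow"):
        findings.append(
            f"tls_reqcert {reqcert}: server certificate is not verified; "
            "use 'demand' with tls_cacertfile pointing at the AD CA")
    return findings


def demo():
    """Audit the constructed config as written, then after fixing both issues."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(SAMPLE_CONF)
        path = fh.name
    try:
        os.chmod(path, 0o644)  # deliberately world-readable for the 'before' run
        before = audit_nslcd_conf(path)
        os.chmod(path, 0o600)
        with open(path, "w") as fh:
            fh.write(SAMPLE_CONF.replace("tls_reqcert allow", "tls_reqcert demand"))
        after = audit_nslcd_conf(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    weak, fixed = demo()
    for finding in weak:
        print("before:", finding)
    print("after:", fixed or "no findings")
```

Pointing `audit_nslcd_conf` at the real `/etc/nslcd.conf` (as root) gives the same two checks on the live file.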

NSSwitch

Edit the passwd, shadow, and group lines to read:

nsswitch.conf

passwd: files ldap [NOTFOUND=return]
shadow: files ldap [NOTFOUND=return]
group: files ldap [NOTFOUND=return]

Test

getent passwd

The LDAP user list should show up

getent group

The LDAP group list should show up
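Which users `getent passwd` shows is decided by the `filter passwd` line in nslcd.conf above: the entry must be a user but not a computer, must carry the POSIX attributes uidNumber and unixHomeDirectory, and must not have the ACCOUNTDISABLE bit (value 2) set in userAccountControl, which is what the extensible match with OID 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) tests. The following added example, not part of the wiki page, evaluates that filter against constructed AD-style entries; it implements only the filter syntax the page uses (&, |, !, presence, equality and the bit-AND rule), and the sample entries, names and values are made up.

```python
"""Evaluate the page's nslcd 'filter passwd' against constructed AD entries.

Added example; not part of the wiki page. Handles just the RFC 4515
constructs the page's filters use: &, |, !, presence (attr=*), equality,
and the LDAP_MATCHING_RULE_BIT_AND extensible match.
"""
BIT_AND_OID = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 0x2  # userAccountControl flag the page's filter excludes

PASSWD_FILTER = (
    "(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)"
    "(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
)

# Constructed sample entries (attribute names lower-cased, AD names are
# case-insensitive). 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE,
# 4096 = WORKSTATION_TRUST_ACCOUNT.
ENTRIES = {
    "alice": {"objectclass": ["top", "person", "user"], "uidnumber": ["10001"],
              "unixhomedirectory": ["/home/alice"], "useraccountcontrol": ["512"]},
    "bob-disabled": {"objectclass": ["top", "person", "user"], "uidnumber": ["10002"],
                     "unixhomedirectory": ["/home/bob"], "useraccountcontrol": ["514"]},
    "carol-noposix": {"objectclass": ["top", "person", "user"],
                      "useraccountcontrol": ["512"]},
    "srv01$": {"objectclass": ["top", "person", "user", "computer"],
               "uidnumber": ["20001"], "unixhomedirectory": ["/nonexistent"],
               "useraccountcontrol": ["4096"]},
}


def parse_filter(text):
    """Parse a filter string into a nested tuple tree."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def parse():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            expect(")")
            return (op, children)
        if op == "!":
            pos += 1
            child = parse()
            expect(")")
            return ("!", child)
        end = text.index(")", pos)        # simple items contain no ')'
        lhs, _, value = text[pos:end].partition("=")
        pos = end + 1
        if value == "*":
            return ("present", lhs)
        if ":" in lhs:                    # attr:rule:=value extensible match
            attr, rule = lhs.split(":")[:2]
            return ("ext", attr, rule, value)
        return ("eq", lhs, value)

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def _values(entry, attr):
    return [str(v) for v in entry.get(attr.lower(), [])]


def matches(tree, entry):
    """Return True when the entry satisfies the parsed filter."""
    kind = tree[0]
    if kind == "&":
        return all(matches(c, entry) for c in tree[1])
    if kind == "|":
        return any(matches(c, entry) for c in tree[1])
    if kind == "!":
        return not matches(tree[1], entry)
    if kind == "present":
        return bool(_values(entry, tree[1]))
    if kind == "eq":
        _, attr, value = tree
        return any(v.lower() == value.lower() for v in _values(entry, attr))
    if kind == "ext":
        _, attr, rule, value = tree
        if rule != BIT_AND_OID:
            raise NotImplementedError(f"matching rule {rule}")
        mask = int(value)  # bit-AND matches when every bit of the mask is set
        return any(int(v) & mask == mask for v in _values(entry, attr))
    raise ValueError(kind)


def visible_accounts(entries=ENTRIES, filter_text=PASSWD_FILTER):
    """Names of entries nslcd would expose to NSS under the given filter."""
    tree = parse_filter(filter_text)
    return sorted(name for name, entry in entries.items() if matches(tree, entry))


if __name__ == "__main__":
    print("getent passwd would list:", visible_accounts())
```

Running it shows that only alice is exposed: the disabled account, the user without POSIX attributes and the computer object are all filtered out before they ever reach NSS or PAM.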

Sudo

To give admins sudo access, add this line to sudoers:

sudoers

%AcmLanAdmins ALL=(ALL) ALL

PAM

The PAM files live in /etc/pam.d.

Force-install acm-pam:

pacman -S --force acm-pam

This installs a working PAM stack for authentication against the ACM AD domain.

linux/arch_ad_backend.1454388989.txt.gz · Last modified: 2021/05/02 21:36 (external edit)