Aktuelle Version vom 12. Januar 2023, 15:25 Uhr

Anpassen der Pam

Die Authentifizierung(installation nimmt einstellung schon vor)

cat /etc/pam.d/common-auth

auth    [success=2 default=ignore]      pam_unix.so nullok
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

Das Accounting

cat /etc/pam.d/common-account

account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 default=ignore]      pam_ldap.so
account requisite                       pam_deny.so
account required                        pam_permit.so

Passwort änderungen

use_authtok gegebenfalls entfernen

cat /etc/pam.d/common-password

password        [success=2 default=ignore]      pam_unix.so obscure yescrypt
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so

Die Session

cat /etc/pam.d/common-session

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required pam_mkhomedir.so  skel=/etc/skel umask=0022  
session required                        pam_unix.so
session optional                        pam_ldap.so
session optional                        pam_systemd.so

Anmeldung mit Gruppenrichtlinien (optional)

/etc/ldap.conf
pam_groupdn cn=it,ou=groups,dc=xinux,dc=net
pam_member_attribute member

su -

su - thomas

@@ Zeile 1: / Zeile 1: @@
-==Allgemeines==
-* Betriebssystem: Debian Sarge 3.1
-* Benötigte Pakete heimdal-kdc slapd
-==Installation der Pakete==
+=Anpassen der Pam=
-* Heimdal Kerberos Server
+==Die Authentifizierung(installation nimmt einstellung schon vor)==
-  apt-get install heimdal-kdc
+*cat /etc/pam.d/common-auth
-Es werden weiter Pakete installiert. Man kann die Konfiguration überspringen
+  auth    [success=2 default=ignore]      pam_unix.so nullok
+ auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
+ auth    requisite                       pam_deny.so
+ auth    required                        pam_permit.so
- root@vz4:/etc# cat /etc/krb5.conf
+==Das Accounting==
- [libdefaults]
+*cat /etc/pam.d/common-account
-        default_realm = ALPHA.QUADRANT
+  account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
- [realms]
+  account [success=1 default=ignore]      pam_ldap.so
- ALPHA.QUADRANT = {
+  account requisite                       pam_deny.so
-        kdc = vz4.alpha.quadrant:88
+  account required                        pam_permit.so
-        admin_server =  vz4.alpha.quadrant:749
-        default_domain = alpha.quadrant
-        }
- [domain_realm]
-        alpha.quadrant = ALPHA.QUADRANT
-        .alpha.quadrant = ALPHA.QUADRANT
- [kdc]
-        database = {
-        dbname = ldap:dc=alpha,dc=quadrant
-        }
-Kerberos und Passwort Server nochmal starten
- root@vz4:/usr/local/sbin# /etc/init.d/heimdal-kdc restart
-Kadmin neustarten
- root@vz4:/usr/local/sbin# /etc/init.d/inetd restart
-* Openldap Server
- apt-get install slapd  db4.2-util
-Es werden weitere Pakete installiert.
-Die Konfiguration des slapd
- root@vz4:/etc/ldap# cat /etc/ldap/slapd.conf
- allow                           bind_v2
- include                         /etc/ldap/schema/core.schema
- include                         /etc/ldap/schema/cosine.schema
- include                         /etc/ldap/schema/nis.schema
- include                         /etc/ldap/schema/inetorgperson.schema
- include                         /etc/ldap/schema/misc.schema
- include                         /etc/ldap/schema/krb5-kdc.schema
-  schemacheck                     on
- modulepath                      /usr/lib/ldap
- moduleload                      back_bdb
- pidfile                         /var/run/slapd.pid
- argsfile                        /var/run/slapd.args
- loglevel                        7
- srvtab                          /etc/krb5.keytab
- sasl-host                       vz4.alpha.quadrant
- sasl-realm                      ALPHA.QUADRANT
- database                        bdb
- suffix                          "dc=alpha,dc=quadrant"
- directory                       /var/lib/ldap
- index                           objectClass eq
- rootdn                          "cn=admin,dc=alpha,dc=quadrant"
- rootpw                          "sysadm"
- saslregexp                      "uid=(.*),cn=alpha.quadrant,cn=gssapi,cn=auth" "uid=$1,ou=mitarbeiter,dc=alpha,dc=quadrant"
- access to dn.subtree="dc=alpha,dc=quadrant"
-         by sockurl="ldapi:///" write
- access to *
-        by * read
-Herunterladen des Kerberos Schemas
- root@vz4:/etc/ldap/schema# wget http://www.xinux.de/download/krb5-kdc.schema
-Ldapi aktivieren
-In der Datei /etc/default/slapd muss folgender Eintrag rein
- SLAPD_SERVICES="ldap:/// ldapi:///"
-Neutstart des slapd
- root@vz4:/etc/default# /etc/init.d/slapd restart
-  Stopping OpenLDAP: slapd.
- Starting OpenLDAP: running BDB recovery, slapd.
-Openldap Clients
- root@vz4:/etc/ldap/schema# apt-get install ldap-utils
-Die Konfiguration der ldap utils
- root@vz4:/etc/ldap# cat  ldap.conf
- base            dc=alpha, dc=quadrant
- uri             ldap://127.0.0.1
- ldap_version    3
- rootbinddn      cn=admin, dc=alpha, dc=quadrant
- pam_password    md5
-Installation von Sasl
- root@vz4:/etc/ldap# apt-get install libgsasl7 libsasl2-modules-gssapi-heimdal
-Feststellen welche Sasl mechanismen unterstützt werden.
- root@vz4:/etc/ldap# ldapsearch -h localhost -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
-  dn:
-  supportedSASLMechanisms: GSSAPI
-  supportedSASLMechanisms: NTLM
-  supportedSASLMechanisms: DIGEST-MD5
-  supportedSASLMechanisms: CRAM-MD5
-Erstellen der Ldap Struktur
- root@vz4:/root/ldap# cat struktur.ldif
- # alpha.quadrant
- dn: dc=alpha,dc=quadrant
- objectClass: dcObject
- objectClass: organization
- o: alpha
- dc: alpha
- # mitarbeiter, alpha.quadrant
- dn: ou=mitarbeiter,dc=alpha,dc=quadrant
- objectClass: organizationalUnit
- ou: mitarbeiter
- # gruppen, alpha.quadrant
- dn: ou=gruppen,dc=alpha,dc=quadrant
- objectClass: organizationalUnit
- ou: gruppen
- # rechner, alpha.quadrant
- dn: ou=rechner,dc=alpha,dc=quadrant
- objectClass: organizationalUnit
- ou: rechner
-Anlegen der Ldap Struktur
- root@vz4:/root/ldap# ldapadd -xD cn=admin,dc=alpha,dc=quadrant -w sysadm -f struktur.ldif
-Initialisierung der REALM
- root@vz4:/etc/default# kadmin -l
- kadmin> init ALPHA.QUADRANT
- Realm max ticket life [unlimited]:
- Realm max renewable ticket life [unlimited]:
-Host Principal anlegen (Option -r erzeugt zufälligen Key - kein Einloggen nötig)
- kadmin> add -r vz4/vz4.alpha.quadrant
-  Max ticket life [1 day]:
- Max renewable life [1 week]:
- Principal expiration time [never]:
- Password expiration time [never]:
- Attributes []:
-Nun soll der erste Dienst angebunden werden, der LDAP Server. Dazu muss
-zun¨achst ein Service-Principal erstellt und in eine Keytab-Datei exportiert werden:
-  kadmin> add -r vz4/vz4.alpha.quadrant
- Max ticket life [1 day]:
- Max renewable life [1 week]:
- Principal expiration time [never]:
- Password expiration time [never]:
- Attributes []:
- kadmin> add -r ldap/vz4.alpha.quadrant
- Max ticket life [1 day]:
- Max renewable life [1 week]:
- Principal expiration time [never]:
- Password expiration time [never]:
- Attributes []:
- kadmin> ext -k /etc/krb5.keytab  ldap/vz4.alpha.quadrant
-Skript zum anlegen der User /usr/local/sbin/user.sh
- #!/bin/bash
- UIDNUMBER=$(($(ldapsearch -xLLLD cn=admin,dc=alpha,dc=quadrant -w sysadm uidNumber | grep uidNumber | cut -f 2 -d : | sort -l -n 1)+1))
- ldapadd -xD cn=admin,dc=alpha,dc=quadrant -w sysadm <<HERE
- dn: uid=$1,ou=mitarbeiter,dc=alpha,dc=quadrant
- cn: $1
- objectClass: account
- objectClass: posixAccount
- objectClass: shadowAccount
- objectClass: top
- objectClass: krb5Principal
- objectClass: krb5KDCEntry
- krb5PrincipalName: $1@ALPHA.QUADRANT
- krb5KeyVersionNumber: 0
- krb5MaxLife: 86400
- krb5MaxRenew: 604800
- krb5KDCFlags: 126
- uid: $1
- uidNumber: $UIDNUMBER
- gidNumber: 1000
- homeDirectory: /home/$1
- loginShell: /bin/bash
- HERE
- kpasswd --admin-principal=kadmin/admin@ALPHA.QUADRANT $1
-User anlegen
+==Passwort änderungen==
+;use_authtok gegebenfalls entfernen
- root@vz6:/usr/local/sbin# user.sh wilma
+*cat /etc/pam.d/common-password
-  adding new entry "uid=wilma,ou=mitarbeiter,dc=alpha,dc=quadrant"
+ password        [success=2 default=ignore]      pam_unix.so obscure yescrypt
+  password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass
-  kadmin/admin@ALPHA.QUADRANT's Password: sysadm
+ password        requisite                       pam_deny.so
-  New password for wilma@ALPHA.QUADRANT: geheim
+ password        required                        pam_permit.so
-  Verifying - New password for wilma@ALPHA.QUADRANT: geheim
-  Success : Password changed
+==Die Session==
+*cat /etc/pam.d/common-session
+ session [default=1]                     pam_permit.so
+  session requisite                       pam_deny.so
+  session required                        pam_permit.so
+ '''session required pam_mkhomedir.so  skel=/etc/skel umask=0022 '''
+ session required                        pam_unix.so
+ session optional                        pam_ldap.so
+  session optional                        pam_systemd.so
+==Anmeldung mit Gruppenrichtlinien (optional)==
+  /etc/ldap.conf
+  pam_groupdn cn=it,ou=groups,dc=xinux,dc=net
+ pam_member_attribute member
+==su -==
+*su - thomas

Pam ldap: Unterschied zwischen den Versionen

Aktuelle Version vom 12. Januar 2023, 15:25 Uhr

Inhaltsverzeichnis

Anpassen der Pam

Die Authentifizierung(installation nimmt einstellung schon vor)

Das Accounting

Passwort änderungen

Die Session

Anmeldung mit Gruppenrichtlinien (optional)

su -

Navigationsmenü

Suche