Central user management with OpenLDAP and SSS: Difference between revisions

From Xinux Wiki
(44 intermediate revisions by the same user not shown)

Content of the previous revision that the current revision (below) no longer contains

Installation
  • apt install slapd ldap-utils
slapd: OpenLDAP standalone server
ldap-utils: utilities for accessing the LDAP server

OpenLDAP configuration dialogs (slapd)

The following table lists the exact English prompts encountered during dpkg-reconfigure slapd and the corresponding inputs for the it213.int environment.
Debconf question | Description | Recommended input / choice
Omit OpenLDAP server configuration? | Determines if the installer should skip creating a database. | No
DNS domain name: | Used to construct the base DN of the LDAP directory. | it213.int
Organization name: | The name of the organization to use in the base DN. | it213
Administrator password: | The password for the admin entry (cn=admin). | 123Start$
Confirm password: | Re-enter the password for verification. | 123Start$
Database backend to use: | The storage engine for the LDAP database. | MDB
Do you want the database to be removed when slapd is purged? | Whether to delete the data if the package is completely removed. | No
Move old database? | If a database already exists, should it be moved aside? | Yes
Allow LDAPv2 protocol? | Support for the obsolete LDAP version 2. | No

OpenLDAP manual setup (OLC)
  • OpenLDAP Manuelle Einrichtung (OLC) (wiki link)

Client configuration

ldap.conf
  • cat /etc/ldap/ldap.conf
base            dc=it213, dc=int
uri             ldap://ldap.it213.int
ldap_version    3
rootbinddn      cn=admin, dc=it213, dc=int
pam_password    md5

Enter the password for the admin account
  • echo 123Start$ > /etc/ldap.secret

Check: is the base DN correct?
  • ldapsearch -x -LLL
dn: dc=it213,dc=int
objectClass: top
objectClass: dcObject
objectClass: organization
o: it213
dc: it213

Basic structure
(diagram: it21-ldap)

Create the LDIF file (earlier version without ou=sudo)
  • cat /root/struktur.ldif
dn: ou=users,dc=it213,dc=int
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=it213,dc=int
objectClass: organizationalUnit
ou: groups

dn: ou=hosts,dc=it213,dc=int
objectClass: organizationalUnit
ou: hosts

Add the entries to the directory
  • ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f struktur.ldif
adding new entry "ou=users,dc=it213,dc=int"
adding new entry "ou=groups,dc=it213,dc=int"
adding new entry "ou=hosts,dc=it213,dc=int"

Ldapscripts
  • apt install ldapscripts
(ldapscripts.conf as in the current revision)

Management
(diagram: it21-2; the group, user and password commands are as in the current revision)

Connecting nsswitch and PAM
  • Zusammenspiel von PAM und NSS (wiki link)

Installation
  • env DEBIAN_FRONTEND=noninteractive apt install -yqq libnss-ldap libpam-ldap nslcd
We configure by hand.

ldap.conf
  • cat /etc/ldap/ldap.conf
base            dc=it213, dc=int
uri             ldap://server.it213.int
ldap_version    3
rootbinddn      cn=admin, dc=it213, dc=int
pam_password    md5

Enter the password for the admin account
  • echo 123Start$ > /etc/ldap.secret

We use only one configuration file
  • ln -fs /etc/ldap/ldap.conf /etc/libnss-ldap.conf
  • ln -fs /etc/ldap/ldap.conf /etc/pam_ldap.conf

nslcd.conf
  • cat /etc/nslcd.conf
uid nslcd
gid nslcd
uri ldap://ldap.it213.int
base dc=it213,dc=int

Adjust nsswitch
  • cat /etc/nsswitch.conf
passwd:         files ldap
group:          files ldap
shadow:         files ldap

Adjust PAM
If a home directory is wanted, the following file must be edited:
More elegant
  • pam-auth-update
Manually
  • nano /etc/pam.d/common-session
session required pam_mkhomedir.so skel=/etc/skel umask=0022

Reboot
!!!Reboot!!!

Tests
  • getent group it
it:*:10000:
  • getent passwd thomas
thomas:*:10000:10000:thomas:/home/thomas:/bin/bash
  • su - tina
tina@server:~$

Service management
  • systemctl start slapd
  • systemctl stop slapd
  • systemctl restart slapd

Port check
  • netstat -lntp | grep slapd
tcp       0      0 0.0.0.0:389            0.0.0.0:* LISTEN    499/slapd

Sudo
Create the sudo group on the LDAP server:
  • ldapaddgroup sudo
  • ldapaddusertogroup thomas sudo
  • ldapaddusertogroup tina sudo
Install packages:
  • apt install sudo-ldap
Configuration:
  • visudo -f /etc/sudoers.d/ldap-sudoers
%sudo ALL=(ALL:ALL) ALL
  • vim /etc/sudo-ldap.conf
sudoers_base ou=sudo,dc=it213,dc=int
Test:
  • su - thomas
  • sudo -l
  • sudo whoami


Current revision as of 2 April 2026, 10:55

Installation

Set a password of your choice
  • apt update
  • DEBIAN_FRONTEND=noninteractive apt install -y slapd ldap-utils

Basic configuration

  • dpkg-reconfigure slapd
Debconf question | Recommended input
Omit OpenLDAP server configuration? | No
DNS domain name: | it213.int
Organization name: | it213
Administrator password: | 123Start$
Database backend to use: | MDB
Remove database when slapd is purged? | No
Move old database? | Yes
Allow LDAPv2 protocol? | No

Set ldap.conf

  • vim /etc/ldap/ldap.conf
BASE    dc=it213,dc=int
URI     ldap://ldap.it213.int
ldap_version    3

Check

  • ldapsearch -x -LLL

Basic structure

Create the LDIF file

  • cat <<EOF > /root/struktur.ldif
dn: ou=users,dc=it213,dc=int
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=it213,dc=int
objectClass: organizationalUnit
ou: groups

dn: ou=hosts,dc=it213,dc=int
objectClass: organizationalUnit
ou: hosts

dn: ou=sudo,dc=it213,dc=int
objectClass: organizationalUnit
ou: sudo

EOF

Add the entries to the directory

  • ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/struktur.ldif
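An added check for the "Check" and "Add the entries" steps, not part of the wiki page: a POSIX shell script that parses the LDIF that `ldapsearch -x -LLL` prints, reports which of the four OUs are still missing under the base DN, and regenerates the struktur.ldif entries for them. The sample output (the directory right after dpkg-reconfigure, before struktur.ldif is loaded) is constructed, and the function names are assumptions.

```shell
# Constructed sample: what `ldapsearch -x -LLL` returns after dpkg-reconfigure slapd
# and before struktur.ldif has been loaded (only the base entry exists).
SAMPLE_BEFORE='dn: dc=it213,dc=int
objectClass: top
objectClass: dcObject
objectClass: organization
o: it213
dc: it213
'

# ldif_dns LDIF -> prints every "dn:" value in the given LDIF text, one per line
ldif_dns() {
    printf '%s\n' "$1" | awk '/^dn: / { sub(/^dn: /, ""); print }'
}

# check_tree BASE LDIF OU... -> prints each expected OU DN that is absent from LDIF
# (and a note if the base entry itself is absent); returns 0 only when all are present
check_tree() {
    base=$1; ldif=$2; shift 2
    dns=$(ldif_dns "$ldif"); rc=0
    if ! printf '%s\n' "$dns" | grep -qxF "$base"; then
        echo "base DN missing: $base"; rc=1
    fi
    for ou in "$@"; do
        dn="ou=$ou,$base"
        printf '%s\n' "$dns" | grep -qxF "$dn" || { echo "$dn"; rc=1; }
    done
    return $rc
}

# ou_ldif BASE OU... -> emits the organizationalUnit entries exactly as struktur.ldif has them
ou_ldif() {
    base=$1; shift
    for ou in "$@"; do
        printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' "$ou" "$base" "$ou"
    done
}

# Stand-alone demo on the constructed sample: lists the four OUs that struktur.ldif must add.
# Against a live server, pass "$(ldapsearch -x -LLL)" instead of "$SAMPLE_BEFORE".
check_tree dc=it213,dc=int "$SAMPLE_BEFORE" users groups hosts sudo || echo "-> load struktur.ldif with ldapadd"
```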

Users and groups

  • apt install -y ldapscripts

Configuration

  • vim /etc/ldapscripts/ldapscripts.conf
SERVER="ldap://ldap.it213.int"
SUFFIX="dc=it213,dc=int"
GSUFFIX="ou=groups"
USUFFIX="ou=users"
MSUFFIX="ou=hosts"
BINDDN="cn=admin,dc=it213,dc=int"
USHELL="/bin/bash"
UHOMES="/home/%u"
CREATEHOMES="yes"
HOMESKEL="/etc/skel"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
MIDSTART="20000" # Machine ID
GCLASS="posixGroup"   # Leave "posixGroup" here if not sure !
PASSWORDGEN="pwgen"
RECORDPASSWORDS="no"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"
LOGTOFILE="yes"
LOGFILE="/var/log/ldapscripts.log"
LOGTOSYSLOG="no"
SYSLOGFACILITY="local4"
SYSLOGLEVEL="info"
LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"
LDAPSEARCHOPTS="-o ldif-wrap=no"
GETENTPWCMD=""
GETENTGRCMD=""
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""
  • echo -n "123Start$" > /etc/ldapscripts/ldapscripts.passwd
  • chmod 600 /etc/ldapscripts/ldapscripts.passwd

Groups

  • ldapaddgroup it
  • ldapaddgroup sudo

Users

  • ldapadduser thomas it
  • ldapadduser tina it

Password

  • ldapsetpasswd thomas
  • ldapsetpasswd tina

Assign group

  • ldapaddusertogroup thomas sudo
  • ldapaddusertogroup tina sudo

SSSD integration

  • apt install sssd libnss-sss libpam-sss libsss-sudo

Configuration

  • vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = it213.int

[domain/it213.int]
id_provider = ldap
auth_provider = ldap
access_provider = permit
sudo_provider = ldap
ldap_uri = ldap://ldap.it213.int
ldap_search_base = dc=it213,dc=int
ldap_sudo_search_base = ou=sudo,dc=it213,dc=int
ldap_id_use_start_tls = false
ldap_auth_disable_tls_never_use_in_production = true
ldap_tls_reqcert = never
Erklärungen sssd-1
  • chmod 600 /etc/sssd/sssd.conf
  • systemctl restart sssd

NSS

Check only
  • cat /etc/nsswitch.conf

passwd:         files systemd sss
group:          files systemd sss
shadow:         files systemd sss
gshadow:        files systemd

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers: files  sss
automount:  sss
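An added audit for the sssd.conf and the nsswitch.conf shown above, not part of the wiki page: a POSIX shell script that reads the keys the page sets in `[domain/it213.int]` and flags the three that put the LDAP binds on the wire in clear or skip certificate verification (`ldap_uri` with `ldap://` and no StartTLS, `ldap_auth_disable_tls_never_use_in_production`, `ldap_tls_reqcert = never`), then lists the nsswitch databases whose lookup chain lacks `sss`. The two samples are constructed from the page's files, and the function names are assumptions.

```shell
# Constructed samples: the [domain/it213.int] settings and nsswitch lines from the page.
SSSD_SAMPLE='[sssd]
domains = it213.int

[domain/it213.int]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://ldap.it213.int
ldap_search_base = dc=it213,dc=int
ldap_sudo_search_base = ou=sudo,dc=it213,dc=int
ldap_id_use_start_tls = false
ldap_auth_disable_tls_never_use_in_production = true
ldap_tls_reqcert = never'
NSS_SAMPLE='passwd:         files systemd sss
shadow:         files systemd sss
gshadow:        files systemd
sudoers: files  sss'

# sssd_get CONF SECTION KEY -> value of KEY inside [SECTION], empty if unset
sssd_get() {
    printf '%s\n' "$1" | awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec { k = $0; sub(/[ \t]*=.*/, "", k)
                if (k == key) { sub(/^[^=]*=[ \t]*/, ""); print; exit } }'
}

# sssd_audit CONF DOMAIN -> one line per transport weakness; exit status = number found
sssd_audit() {
    n=0; sec="domain/$2"; uri=$(sssd_get "$1" "$sec" ldap_uri)
    case $uri in ldap://*)
        [ "$(sssd_get "$1" "$sec" ldap_id_use_start_tls)" = true ] ||
            { echo "plaintext ldap_uri without StartTLS: $uri"; n=$((n+1)); } ;;
    esac
    [ "$(sssd_get "$1" "$sec" ldap_auth_disable_tls_never_use_in_production)" != true ] ||
        { echo "TLS disabled for authentication: bind passwords cross the network in clear"; n=$((n+1)); }
    [ "$(sssd_get "$1" "$sec" ldap_tls_reqcert)" != never ] ||
        { echo "ldap_tls_reqcert = never: server certificate is not verified"; n=$((n+1)); }
    return $n
}

# nss_missing_sss NSSWITCH DB... -> prints each database whose lookup chain lacks "sss"
nss_missing_sss() {
    conf=$1; shift
    for db in "$@"; do
        printf '%s\n' "$conf" | awk -v db="$db:" \
            '$1 == db { for (i = 2; i <= NF; i++) if ($i == "sss") f = 1 } END { exit !f }' || echo "$db"
    done
}

# Stand-alone demo: the page's section yields three findings (gshadow lacking sss is expected).
sssd_audit "$SSSD_SAMPLE" it213.int || echo "-> $? findings; use ldaps:// or StartTLS with ldap_tls_reqcert = demand"
```

Against a live host, feed the script `"$(cat /etc/sssd/sssd.conf)"` and `"$(cat /etc/nsswitch.conf)"`; `gshadow` without `sss` is the normal state, since SSSD does not serve that database.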

PAM

  • pam-auth-update --enable sss mkhomedir