Central user management with OpenLDAP and SSS: Difference between revisions

From Xinux Wiki
Zeile 8: Zeile 8:
  
 
= Grundkonfiguration =
 
= Grundkonfiguration =
*dpkg-reconfigure slapd
+
* dpkg-reconfigure slapd
  
 
Die folgende Tabelle führt die exakten englischen Abfragen auf, sowie die empfohlenen Eingaben für die it213.int Umgebung.
 
Die folgende Tabelle führt die exakten englischen Abfragen auf, sowie die empfohlenen Eingaben für die it213.int Umgebung.
Zeile 19: Zeile 19:
 
| '''DNS domain name:''' || Used to construct the base DN of the LDAP directory. || '''it213.int'''
 
| '''DNS domain name:''' || Used to construct the base DN of the LDAP directory. || '''it213.int'''
 
|-
 
|-
| '''Organization name:''' || The name of the organization to use in the base DN. || '''it213.int'''
+
| '''Organization name:''' || The name of the organization to use in the base DN. || '''it213'''
 
|-
 
|-
 
| '''Administrator password:''' || The password for the admin entry (cn=admin). || '''123Start$'''
 
| '''Administrator password:''' || The password for the admin entry (cn=admin). || '''123Start$'''
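Review bot: the Organization name change to it213 is correct (the installer uses it for the o attribute; the base DN is derived from the DNS domain name), but the unchanged row below still records the literal cn=admin password 123Start$ in the page; a documented shared credential should be treated as a lab placeholder and rotated once the directory holds real accounts.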
Zeile 30: Zeile 30:
 
|-
 
|-
 
| '''Move old database?''' || If a database already exists, should it be moved aside? || '''Yes'''
 
| '''Move old database?''' || If a database already exists, should it be moved aside? || '''Yes'''
 +
|-
 +
| '''Allow LDAPv2 protocol?''' || Support for the obsolete LDAP version 2. || '''No'''
 
|}
 
|}
  
= OpenLDAP Manuelle Einrichtung (OLC) =
+
= OpenLDAP Manuelle Einrichtung (OLC)=
 
[[OpenLDAP Manuelle Einrichtung (OLC)]]
 
[[OpenLDAP Manuelle Einrichtung (OLC)]]
  
= Server Vorbereitung =
+
= Konfiguration des Clients =
== Grundstruktur ==
+
== ldap.conf ==
{{#drawio:it213-ldap}}
+
* cat /etc/ldap/ldap.conf
 +
base            dc=it213, dc=int
 +
uri            ldap://ldap.it213.int
 +
ldap_version    3
 +
rootbinddn      cn=admin, dc=it213, dc=int
 +
pam_password    md5
  
=== Erstellen ===
+
== Passwort für den Adminzugang eintragen ==
* cat <<EOF > /root/struktur.ldif
+
* echo 123Start$ > /etc/ldap.secret
<pre>
 
dn: ou=users,dc=it213,dc=int
 
objectClass: organizationalUnit
 
ou: users
 
  
dn: ou=groups,dc=it213,dc=int
+
= Kontrolle =
objectClass: organizationalUnit
+
== Stimmt der base dn ==
ou: groups
+
* ldapsearch -x -LLL
 +
dn: dc=it213,dc=int
 +
objectClass: top
 +
objectClass: dcObject
 +
objectClass: organization
 +
o: it213
 +
dc: it213
  
dn: ou=hosts,dc=it213,dc=int
+
= Grundstruktur =
objectClass: organizationalUnit
+
{{#drawio:it21-ldap}}
ou: hosts
 
  
dn: ou=sudo,dc=it213,dc=int
+
== Erstellen ==
objectClass: organizationalUnit
+
* cat /root/struktur.ldif
ou: sudo
+
dn: ou=users,dc=it213,dc=int
</pre>
+
objectClass: organizationalUnit
EOF
+
ou: users
 +
 +
dn: ou=groups,dc=it213,dc=int
 +
objectClass: organizationalUnit
 +
ou: groups
 +
 +
dn: ou=hosts,dc=it213,dc=int
 +
objectClass: organizationalUnit
 +
ou: hosts
  
=== Anlegen ===
+
== Anlegen ==
* ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/struktur.ldif
+
* ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f struktur.ldif  
 +
adding new entry "ou=users,dc=it213,dc=int"
 +
adding new entry "ou=groups,dc=it213,dc=int"
 +
adding new entry "ou=hosts,dc=it213,dc=int"
  
 
= Ldapscripts =
 
= Ldapscripts =
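Review bot: the new client steps expose the admin secret twice. `echo 123Start$ > /etc/ldap.secret` creates the file with the default umask (normally world-readable) and the unquoted trailing `$` only stays literal because whitespace follows it; quote the value and `chmod 600 /etc/ldap.secret`. `ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$` puts the password into shell history and the process list, where `-W` (interactive prompt) avoids both. Also note that `rootbinddn` and `pam_password` in /etc/ldap/ldap.conf are libpam-ldap/libnss-ldap directives that the OpenLDAP client library (ldapsearch, ldapadd) ignores, and the later sections replace those modules with SSSD, so only `base` and `uri` do any work here. Minor: `-f struktur.ldif` became a relative path while the file is created as /root/struktur.ldif.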
Zeile 76: Zeile 95:
 
  MSUFFIX="ou=hosts"
 
  MSUFFIX="ou=hosts"
 
  BINDDN="cn=admin,dc=it213,dc=int"
 
  BINDDN="cn=admin,dc=it213,dc=int"
 +
USHELL="/bin/bash"
 +
UHOMES="/home/%u"
 +
CREATEHOMES="yes"
 +
HOMESKEL="/etc/skel"
 
  BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
 
  BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
 
  GIDSTART="10000"
 
  GIDSTART="10000"
 
  UIDSTART="10000"
 
  UIDSTART="10000"
 +
MIDSTART="20000"
 +
GCLASS="posixGroup"
 +
PASSWORDGEN="pwgen"
 +
RECORDPASSWORDS="no"
 +
PASSWORDFILE="/var/log/ldapscripts_passwd.log"
 +
LOGTOFILE="yes"
 +
LOGFILE="/var/log/ldapscripts.log"
 +
LOGTOSYSLOG="no"
 +
SYSLOGFACILITY="local4"
 +
SYSLOGLEVEL="info"
 +
LDAPSEARCHBIN="/usr/bin/ldapsearch"
 +
LDAPADDBIN="/usr/bin/ldapadd"
 +
LDAPDELETEBIN="/usr/bin/ldapdelete"
 +
LDAPMODIFYBIN="/usr/bin/ldapmodify"
 +
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
 +
LDAPPASSWDBIN="/usr/bin/ldappasswd"
 +
LDAPSEARCHOPTS="-o ldif-wrap=no"
  
 
=== Password Datei ===
 
=== Password Datei ===
 
* echo -n "123Start$" > /etc/ldapscripts/ldapscripts.passwd
 
* echo -n "123Start$" > /etc/ldapscripts/ldapscripts.passwd
  
== Management ==
+
== Managment ==
 
=== Struktur ===
 
=== Struktur ===
{{#drawio:it213-2}}
+
{{#drawio:it21-2}}
  
=== Gruppen und Benutzer ===
+
=== Gruppen anlegen ===
 
* ldapaddgroup it
 
* ldapaddgroup it
 +
 +
=== Benutzer anlegen ===
 
* ldapadduser thomas it
 
* ldapadduser thomas it
 
* ldapadduser tina it
 
* ldapadduser tina it
 +
 +
=== Passwörter setzen ===
 
* ldapsetpasswd thomas
 
* ldapsetpasswd thomas
 
* ldapsetpasswd tina
 
* ldapsetpasswd tina
  
= Client Anbindung via SSSD =
+
= nsswitch und pam anbinden via SSSD =
Da sudo-ldap veraltet ist, nutzen wir SSSD für NSS, PAM und Sudo.
+
Da sudo-ldap und nslcd veraltet sind, erfolgt die Anbindung über SSSD.
  
 
== Installation ==
 
== Installation ==
 
* apt install sssd libnss-sss libpam-sss libsss-sudo
 
* apt install sssd libnss-sss libpam-sss libsss-sudo
  
== Konfiguration ==
+
== SSSD Konfiguration ==
 
* vim /etc/sssd/sssd.conf
 
* vim /etc/sssd/sssd.conf
 
<pre>
 
<pre>
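Review bot: `echo -n "123Start$" > /etc/ldapscripts/ldapscripts.passwd` writes the cn=admin bind password with the default umask; the file should be root-owned and mode 600, since everything ldapscripts does binds with it. The added options are a consistent pairing (PASSWORDGEN="pwgen" with RECORDPASSWORDS="no", so generated passwords never land in PASSWORDFILE), but the pwgen package must be installed for ldapadduser to generate one. Typo in the renamed heading: "Managment" should read "Management".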
Zeile 111: Zeile 155:
 
auth_provider = ldap
 
auth_provider = ldap
 
sudo_provider = ldap
 
sudo_provider = ldap
 
 
ldap_uri = ldap://ldap.it213.int
 
ldap_uri = ldap://ldap.it213.int
 
ldap_search_base = dc=it213,dc=int
 
ldap_search_base = dc=it213,dc=int
 
ldap_sudo_search_base = ou=sudo,dc=it213,dc=int
 
ldap_sudo_search_base = ou=sudo,dc=it213,dc=int
 
ldap_id_use_start_tls = false
 
ldap_id_use_start_tls = false
 
 
cache_credentials = True
 
cache_credentials = True
 
ldap_tls_reqcert = allow
 
ldap_tls_reqcert = allow
 
</pre>
 
</pre>
 
 
* chmod 600 /etc/sssd/sssd.conf
 
* chmod 600 /etc/sssd/sssd.conf
 
* systemctl restart sssd
 
* systemctl restart sssd
  
== System Integration ==
+
== Nsswitch anpassen ==
=== nsswitch.conf ===
+
* cat /etc/nsswitch.conf  
* vim /etc/nsswitch.conf
 
 
  passwd:        files sss
 
  passwd:        files sss
 
  group:          files sss
 
  group:          files sss
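Review bot: the domain section combines `ldap_uri = ldap://ldap.it213.int` with `ldap_id_use_start_tls = false` and `ldap_tls_reqcert = allow`. The first sends every user, group and sudo lookup across the network in cleartext; the second means that where SSSD does negotiate TLS (it upgrades the authentication bind with STARTTLS), a missing or invalid server certificate is accepted, so a host answering as ldap.it213.int can collect user passwords. Once the OLC page has TLS configured on slapd, set `ldap_id_use_start_tls = true`, `ldap_tls_reqcert = demand` and point `ldap_tls_cacert` at the signing CA. `chmod 600 /etc/sssd/sssd.conf` is required (SSSD checks owner and mode at start), and `cache_credentials = True` means each client keeps salted hashes of every user who has logged in, the usual price of offline login.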
Zeile 132: Zeile 172:
 
  sudoers:        files sss
 
  sudoers:        files sss
  
=== PAM mkhomedir ===
+
== PAM anpassen ==
 
* pam-auth-update --enable mkhomedir
 
* pam-auth-update --enable mkhomedir
  
= Sudo im LDAP =
+
= Tests =
== Sudo-Regeln anlegen ==
+
* getent group it
Damit SSSD Sudo-Regeln findet, müssen diese als Objekte im LDAP existieren.
+
it:*:10000:
* cat <<EOF > /root/sudo_rules.ldif
+
* getent passwd thomas
 +
thomas:*:10000:10000:thomas:/home/thomas:/bin/bash
 +
* su - tina
 +
tina@server:~$
 +
 
 +
== Dienstverwaltung ==
 +
* systemctl start slapd
 +
* systemctl restart sssd
 +
 
 +
== Portprüfung ==
 +
* netstat -lntp | grep slapd
 +
tcp        0      0 0.0.0.0:389            0.0.0.0:* LISTEN    499/slapd
 +
 
 +
= Sudo =
 +
== Sudo-Struktur im LDAP ==
 +
Wir legen die benötigten Sudo-Regeln direkt im LDAP an:
 +
* cat /root/sudo_rules.ldif
 
<pre>
 
<pre>
dn: cn=defaults,ou=sudo,dc=it213,dc=int
+
dn: ou=sudo,dc=it213,dc=int
objectClass: sudoRole
+
objectClass: organizationalUnit
cn: defaults
+
ou: sudo
sudoOption: env_reset
 
sudoOption: mail_badpass
 
sudoOption: secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
  
 
dn: cn=%sudo,ou=sudo,dc=it213,dc=int
 
dn: cn=%sudo,ou=sudo,dc=it213,dc=int
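Review bot: the port check shows slapd listening on 0.0.0.0:389 only, which together with the cleartext client settings means all directory traffic, including the cn=admin simple binds from ldapadd, is observable on the wire; after TLS is set up on the server, expect 636 here as well, or restrict 389 to the management network. Dropping the cn=defaults sudoRole (env_reset, mail_badpass, secure_path) is safe only because `sudoers: files sss` keeps /etc/sudoers first and its Defaults still apply; the text should say so, otherwise someone trims the local file. Moving the ou=sudo entry from struktur.ldif into sudo_rules.ldif matches the ldap_sudo_search_base used earlier.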
Zeile 156: Zeile 209:
 
sudoCommand: ALL
 
sudoCommand: ALL
 
</pre>
 
</pre>
EOF
 
 
 
* ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/sudo_rules.ldif
 
* ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/sudo_rules.ldif
  
== Gruppenzuweisung ==
+
== Gruppenverwaltung ==
 
* ldapaddgroup sudo
 
* ldapaddgroup sudo
 
* ldapaddusertogroup thomas sudo
 
* ldapaddusertogroup thomas sudo
 
* ldapaddusertogroup tina sudo
 
* ldapaddusertogroup tina sudo
  
= Tests und Kontrolle =
+
== Lokale Berechtigung (Fallback) ==
== Identität ==
+
* visudo -f /etc/sudoers.d/ldap-sudoers
* getent group it
+
%sudo ALL=(ALL:ALL) ALL
* getent passwd thomas
 
* id tina
 
  
== Sudo Check ==
+
== Testen ==
 
* su - thomas
 
* su - thomas
 
* sudo -l
 
* sudo -l
 
* sudo whoami
 
* sudo whoami
 
== Dienstverwaltung ==
 
* systemctl status slapd
 
* systemctl status sssd
 
* netstat -lntp | grep slapd
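Review bot: `%sudo ALL=(ALL:ALL) ALL` in /etc/sudoers.d/ldap-sudoers grants exactly what the LDAP sudoRole cn=%sudo grants, so the LDAP rule never decides anything and the "fallback" is in fact the effective rule; if the point is to demonstrate LDAP-managed sudo, narrow or omit the local file so that `sudo -l` proves the sss source is consulted. Either way, membership in the LDAP `sudo` group now equals full root on every client, so changes to that group deserve logging and review. The test section loses `id tina` and the `systemctl status slapd` / `systemctl status sssd` checks (start/restart do not show a failed LDAP bind); `getent` and `su` cover identity, but a status check is the quickest way to see why a lookup fails.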
 

Revision as of 2 April 2026, 06:39

Installation

Choose a password of your own.
  • apt update
  • DEBIAN_FRONTEND=noninteractive apt install -y slapd ldap-utils
slapd: OpenLDAP standalone server
ldap-utils: utilities for accessing the LDAP server

Basic configuration

  • dpkg-reconfigure slapd

The following table lists the exact English prompts together with the recommended inputs for the it213.int environment.

Debconf question                                            | Description                                                          | Recommended input / choice
Omit OpenLDAP server configuration?                         | Determines if the installer should skip creating a database.         | No
DNS domain name:                                            | Used to construct the base DN of the LDAP directory.                 | it213.int
Organization name:                                          | The name of the organization to use in the base DN.                  | it213
Administrator password:                                     | The password for the admin entry (cn=admin).                         | 123Start$
Confirm password:                                           | Re-enter the password for verification.                              | 123Start$
Database backend to use:                                    | The storage engine for the LDAP database.                            | MDB
Do you want the database to be removed when slapd is purged? | Whether to delete the data if the package is completely removed.     | No
Move old database?                                          | If a database already exists, should it be moved aside?              | Yes
Allow LDAPv2 protocol?                                      | Support for the obsolete LDAP version 2.                             | No

OpenLDAP manual setup (OLC)

OpenLDAP Manuelle Einrichtung (OLC)

Client configuration

ldap.conf

  • cat /etc/ldap/ldap.conf
base            dc=it213, dc=int
uri             ldap://ldap.it213.int
ldap_version    3
rootbinddn      cn=admin, dc=it213, dc=int
pam_password    md5

Store the password for the admin account

  • echo '123Start$' > /etc/ldap.secret

Verification

Is the base DN correct?

  • ldapsearch -x -LLL
dn: dc=it213,dc=int
objectClass: top
objectClass: dcObject
objectClass: organization
o: it213
dc: it213

Basic structure

Create the LDIF

  • cat /root/struktur.ldif
dn: ou=users,dc=it213,dc=int
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=it213,dc=int
objectClass: organizationalUnit
ou: groups

dn: ou=hosts,dc=it213,dc=int
objectClass: organizationalUnit
ou: hosts

Add to the directory

  • ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f struktur.ldif
adding new entry "ou=users,dc=it213,dc=int"
adding new entry "ou=groups,dc=it213,dc=int"
adding new entry "ou=hosts,dc=it213,dc=int"

Ldapscripts

Installation

  • apt install ldapscripts

Configuration

Main configuration

  • cat /etc/ldapscripts/ldapscripts.conf
SERVER="ldap://ldap.it213.int"
SUFFIX="dc=it213,dc=int"
GSUFFIX="ou=groups"
USUFFIX="ou=users"
MSUFFIX="ou=hosts"
BINDDN="cn=admin,dc=it213,dc=int"
USHELL="/bin/bash"
UHOMES="/home/%u"
CREATEHOMES="yes"
HOMESKEL="/etc/skel"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
GIDSTART="10000"
UIDSTART="10000"
MIDSTART="20000"
GCLASS="posixGroup"
PASSWORDGEN="pwgen"
RECORDPASSWORDS="no"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"
LOGTOFILE="yes"
LOGFILE="/var/log/ldapscripts.log"
LOGTOSYSLOG="no"
SYSLOGFACILITY="local4"
SYSLOGLEVEL="info"
LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"
LDAPSEARCHOPTS="-o ldif-wrap=no"

Password file

  • echo -n "123Start$" > /etc/ldapscripts/ldapscripts.passwd

Management

Structure

Create groups

  • ldapaddgroup it

Create users

  • ldapadduser thomas it
  • ldapadduser tina it

Set passwords

  • ldapsetpasswd thomas
  • ldapsetpasswd tina

Connecting nsswitch and PAM via SSSD

Since sudo-ldap and nslcd are deprecated, the integration is done via SSSD.

Installation

  • apt install sssd libnss-sss libpam-sss libsss-sudo

SSSD configuration

  • vim /etc/sssd/sssd.conf
[sssd]
services = nss, pam, sudo
domains = it213.int

[domain/it213.int]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://ldap.it213.int
ldap_search_base = dc=it213,dc=int
ldap_sudo_search_base = ou=sudo,dc=it213,dc=int
ldap_id_use_start_tls = false
cache_credentials = True
ldap_tls_reqcert = allow
  • chmod 600 /etc/sssd/sssd.conf
  • systemctl restart sssd

Adjust nsswitch

  • cat /etc/nsswitch.conf
passwd:         files sss
group:          files sss
shadow:         files sss
sudoers:        files sss

Adjust PAM

  • pam-auth-update --enable mkhomedir

Tests

  • getent group it
it:*:10000:
  • getent passwd thomas
thomas:*:10000:10000:thomas:/home/thomas:/bin/bash
  • su - tina
tina@server:~$
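As an added check that is not part of the wiki page, the following script audits the two client files this section edits: it flags the two transport settings used above (ldap_id_use_start_tls = false leaves identity lookups in cleartext; ldap_tls_reqcert = allow accepts any server certificate) and confirms that passwd, group and sudoers really route to sss. The sample files are constructed inline from the page's values; the ldap_tls_cacert path in the hardened variant is an assumption.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit an sssd.conf and an nsswitch.conf
# for the settings this page configures. The sample files are constructed below.
# First token of the value of key $2 in file $1; empty when the key is absent.
sssd_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}
# Count transport settings that send identity lookups in cleartext or accept an
# unverified server certificate. Findings go to stderr, the count to stdout.
count_weak_transport() {
    weak=0
    case "$(sssd_value "$1" ldap_uri)" in
        ldaps://*) ;;                           # TLS from the first byte, no STARTTLS needed
        *) case "$(sssd_value "$1" ldap_id_use_start_tls)" in
               true|True) ;;
               *) weak=$((weak + 1)); echo "WEAK: ldap:// without ldap_id_use_start_tls = true" >&2 ;;
           esac ;;
    esac
    case "$(sssd_value "$1" ldap_tls_reqcert)" in
        demand|hard) ;;
        *) weak=$((weak + 1)); echo "WEAK: ldap_tls_reqcert is not demand (server certificate unverified)" >&2 ;;
    esac
    echo "$weak"
}
# Succeeds when database $2 (passwd, group, sudoers, ...) in nsswitch.conf $1 lists sss.
nss_has_sss() {
    grep -Eq "^[[:space:]]*$2:.*[[:space:]]sss([[:space:]]|$)" "$1"
}
# Write the given lines to a temp file and print its path (used for the constructed samples).
write_lines() { f=$(mktemp); printf '%s\n' "$@" > "$f"; echo "$f"; }
# Constructed sample: the transport-relevant lines of the page's sssd.conf.
write_page_conf() {
    write_lines '[domain/it213.int]' 'ldap_uri = ldap://ldap.it213.int' \
        'ldap_id_use_start_tls = false' 'ldap_tls_reqcert = allow'
}
# Constructed hardened variant: STARTTLS for lookups and a verified server certificate.
# The CA bundle path is an assumption; use the CA that signed the slapd certificate.
write_hardened_conf() {
    write_lines '[domain/it213.int]' 'ldap_uri = ldap://ldap.it213.int' \
        'ldap_id_use_start_tls = true' 'ldap_tls_reqcert = demand' \
        'ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt'
}
# Constructed nsswitch.conf as on the page, plus a hosts line that SSSD does not serve.
write_nsswitch() {
    write_lines 'passwd: files sss' 'group: files sss' 'hosts: files dns' 'sudoers: files sss'
}
```

Run `count_weak_transport /etc/sssd/sssd.conf` on a client to get the number of weak transport settings (0 is the goal), and `nss_has_sss /etc/nsswitch.conf sudoers` to confirm the sudo path is wired up.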

Service management

  • systemctl start slapd
  • systemctl restart sssd

Port check

  • netstat -lntp | grep slapd
tcp        0      0 0.0.0.0:389             0.0.0.0:* LISTEN     499/slapd

Sudo

Sudo structure in LDAP

We create the required sudo rules directly in LDAP:

  • cat /root/sudo_rules.ldif
dn: ou=sudo,dc=it213,dc=int
objectClass: organizationalUnit
ou: sudo

dn: cn=%sudo,ou=sudo,dc=it213,dc=int
objectClass: sudoRole
cn: %sudo
sudoUser: %sudo
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
  • ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/sudo_rules.ldif
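Both LDIF files on this page (struktur.ldif above and sudo_rules.ldif here) are loaded with ldapadd, which slapd rejects with a naming violation when an entry's RDN attribute (ou=sudo, cn=%sudo) is not also present as an attribute of the entry. The following added check, not part of the wiki page, catches that mistake before the server does; the sample LDIF is the page's sudo_rules.ldif plus one constructed broken entry.

```shell
#!/bin/sh
# Added example (not from the wiki page): check an LDIF file before running ldapadd.
# slapd rejects an entry whose RDN attribute (ou=sudo, cn=%sudo) is missing from the
# entry's own attributes (a naming violation); this catches that before the server does.
ldif_check_rdn() {  # $1 = LDIF file; one line per defect, defect count on the last line
    awk '
    function finish() {
        if (dn != "" && !found) { print "MISSING " rattr ": " rval "  in  dn: " dn; bad++ }
        dn = ""
    }
    /^dn:/ {
        finish()
        dn = $0; sub(/^dn:[ \t]*/, "", dn)
        rdn = dn; sub(/,.*/, "", rdn)          # first RDN, e.g. ou=sudo
        rattr = rdn; sub(/=.*/, "", rattr)     # its attribute type, e.g. ou
        rval = rdn; sub(/^[^=]*=/, "", rval)   # its value, e.g. sudo
        found = 0; next
    }
    /^[^ \t#]/ && dn != "" {                   # attribute line "type: value"
        attr = $0; sub(/:.*/, "", attr)
        val = $0; sub(/^[^:]*:[ \t]*/, "", val)
        if (tolower(attr) == tolower(rattr) && val == rval) found = 1
    }
    END { finish(); print bad + 0 }
    ' "$1"
}
# Constructed sample: the page's sudo_rules.ldif plus one broken entry whose
# ou attribute ("host") does not match its RDN ("ou=hosts").
write_sample_ldif() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
dn: ou=sudo,dc=it213,dc=int
objectClass: organizationalUnit
ou: sudo

dn: cn=%sudo,ou=sudo,dc=it213,dc=int
objectClass: sudoRole
cn: %sudo
sudoUser: %sudo
sudoHost: ALL
sudoCommand: ALL

dn: ou=hosts,dc=it213,dc=int
objectClass: organizationalUnit
ou: host
EOF
    echo "$f"
}
```

Run `ldif_check_rdn /root/struktur.ldif` and `ldif_check_rdn /root/sudo_rules.ldif`; a final line of 0 means every entry is consistent with its RDN.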

Group management

  • ldapaddgroup sudo
  • ldapaddusertogroup thomas sudo
  • ldapaddusertogroup tina sudo

Local authorization (fallback)

  • visudo -f /etc/sudoers.d/ldap-sudoers
%sudo ALL=(ALL:ALL) ALL

Test

  • su - thomas
  • sudo -l
  • sudo whoami