Central user management with OpenLDAP and SSS: Difference between revisions

From Xinux Wiki
Zeile 3: Zeile 3:
 
* apt update
 
* apt update
 
* DEBIAN_FRONTEND=noninteractive apt install -y slapd ldap-utils
 
* DEBIAN_FRONTEND=noninteractive apt install -y slapd ldap-utils
 
;slapd: OpenLDAP Standalone Server
 
;ldap-utils: Utilities zum Zugriff auf den LDAP Server
 
  
 
= Grundkonfiguration =
 
= Grundkonfiguration =
 
* dpkg-reconfigure slapd
 
* dpkg-reconfigure slapd
 
Die folgende Tabelle führt die exakten englischen Abfragen auf, sowie die empfohlenen Eingaben für die it213.int Umgebung.
 
  
 
{| class="wikitable"
 
{| class="wikitable"
! Debconf Question !! Description !! Recommended Input / Choice
+
! Debconf Question !! Recommended Input
 
|-
 
|-
| '''Omit OpenLDAP server configuration?''' || Determines if the installer should skip creating a database. || '''No'''
+
| Omit OpenLDAP server configuration? || No
 
|-
 
|-
| '''DNS domain name:''' || Used to construct the base DN of the LDAP directory. || '''it213.int'''
+
| DNS domain name: || it213.int
 
|-
 
|-
| '''Organization name:''' || The name of the organization to use in the base DN. || '''it213'''
+
| Organization name: || it213
 
|-
 
|-
| '''Administrator password:''' || The password for the admin entry (cn=admin). || '''123Start$'''
+
| Administrator password: || 123Start$
 
|-
 
|-
| '''Confirm password:''' || Re-enter the password for verification. || '''123Start$'''
+
| Database backend to use: || MDB
 
|-
 
|-
| '''Database backend to use:''' || The storage engine for the LDAP database. || '''MDB'''
+
| Remove database when slapd is purged? || No
 
|-
 
|-
| '''Do you want the database to be removed when slapd is purged?''' || Whether to delete the data if the package is completely removed. || '''No'''
+
| Move old database? || Yes
 
|-
 
|-
| '''Move old database?''' || If a database already exists, should it be moved aside? || '''Yes'''
+
| Allow LDAPv2 protocol? || No
|-
 
| '''Allow LDAPv2 protocol?''' || Support for the obsolete LDAP version 2. || '''No'''
 
 
|}
 
|}
 
= OpenLDAP Manuelle Einrichtung (OLC)=
 
[[OpenLDAP Manuelle Einrichtung (OLC)]]
 
 
= Sudo Schema (Minimal, OLC) =
 
* cat <<EOF > /root/sudo-schema.ldif
 
<pre>
 
dn: cn=sudo,cn=schema,cn=config
 
objectClass: olcSchemaConfig
 
cn: sudo
 
 
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 
 
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 
 
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 
 
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 
 
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 
 
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAsUser $ sudoRunAsGroup ) )
 
</pre>
 
EOF
 
 
* ldapadd -Y EXTERNAL -H ldapi:/// -f /root/sudo-schema.ldif
 
 
= Konfiguration des Clients =
 
== ldap.conf ==
 
* cat /etc/ldap/ldap.conf
 
BASE    dc=it213,dc=int
 
URI    ldap://ldap.it213.int
 
ldap_version    3
 
rootbinddn      cn=admin,dc=it213,dc=int
 
 
== Passwort für den Adminzugang eintragen ==
 
* echo 123Start$ > /etc/ldap.secret
 
* chmod 600 /etc/ldap.secret
 
  
 
= Kontrolle =
 
= Kontrolle =
== Stimmt der base dn ==
 
 
* ldapsearch -x -LLL
 
* ldapsearch -x -LLL
  
 
= Grundstruktur =
 
= Grundstruktur =
{{#drawio:it21-ldap}}
 
 
 
== Erstellen ==
 
== Erstellen ==
* cat /root/struktur.ldif  
+
* cat <<EOF > /root/struktur.ldif
 
<pre>
 
<pre>
 
dn: ou=users,dc=it213,dc=int
 
dn: ou=users,dc=it213,dc=int
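Review bot: dropping the "Sudo Schema (Minimal, OLC)" section removes the only step on the page that creates the schema entry cn=sudo,cn=schema,cn=config (the `ldapadd -Y EXTERNAL -H ldapi:/// -f /root/sudo-schema.ldif` line); the replacement "Schema erweitern" step later in this diff uses `changetype: modify` against cn={4}sudo, which only succeeds if such an entry already exists. Either keep the ldapadd step or state where the sudo schema is expected to come from. The trimmed debconf table also keeps the administrator password 123Start$ in cleartext; since this page is copied verbatim into lab setups, a placeholder with an instruction to choose a password would be safer. Removing ldap.conf and /etc/ldap.secret is consistent with the move to SSSD and needs no replacement.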
Zeile 98: Zeile 50:
 
ou: sudo
 
ou: sudo
 
</pre>
 
</pre>
 +
EOF
  
 
== Anlegen ==
 
== Anlegen ==
 
* ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/struktur.ldif  
 
* ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/struktur.ldif  
  
= Ldapscripts =
+
= Benutzer und Gruppen =
== Installation ==
 
 
* apt install ldapscripts
 
* apt install ldapscripts
  
 
== Konfiguration ==
 
== Konfiguration ==
=== Hauptkonfiguration ===
 
 
* vim /etc/ldapscripts/ldapscripts.conf
 
* vim /etc/ldapscripts/ldapscripts.conf
 
<pre>
 
<pre>
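Review bot: `ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/struktur.ldif` is kept unchanged, but `-w` puts the bind password into the shell history and into the process list while the command runs; `-W` (interactive prompt) or `-y /etc/ldapscripts/ldapscripts.passwd`, the file this page creates a few steps later, avoids that. The new heredoc `cat <<EOF > /root/struktur.ldif` is unquoted, so any `$` in the LDIF would be expanded by the shell; `<<'EOF'` is the safer form for literal LDIF.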
Zeile 114: Zeile 65:
 
GSUFFIX="ou=groups"
 
GSUFFIX="ou=groups"
 
USUFFIX="ou=users"
 
USUFFIX="ou=users"
MSUFFIX="ou=hosts"
 
 
BINDDN="cn=admin,dc=it213,dc=int"
 
BINDDN="cn=admin,dc=it213,dc=int"
USHELL="/bin/bash"
 
UHOMES="/home/%u"
 
CREATEHOMES="yes"
 
HOMESKEL="/etc/skel"
 
 
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
 
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
 +
UIDSTART="10000"
 
GIDSTART="10000"
 
GIDSTART="10000"
UIDSTART="10000"
 
MIDSTART="20000"
 
 
</pre>
 
</pre>
  
=== Password Datei ===
 
 
* echo -n "123Start$" > /etc/ldapscripts/ldapscripts.passwd
 
* echo -n "123Start$" > /etc/ldapscripts/ldapscripts.passwd
 
* chmod 600 /etc/ldapscripts/ldapscripts.passwd
 
* chmod 600 /etc/ldapscripts/ldapscripts.passwd
  
== Managment ==
+
== Gruppen ==
=== Gruppen anlegen ===
 
 
* ldapaddgroup it
 
* ldapaddgroup it
 +
* ldapaddgroup sudo
  
=== Benutzer anlegen ===
+
== Benutzer ==
 
* ldapadduser thomas it
 
* ldapadduser thomas it
 
* ldapadduser tina it
 
* ldapadduser tina it
  
=== Passwörter setzen ===
+
== Passwort ==
 
* ldapsetpasswd thomas
 
* ldapsetpasswd thomas
 
* ldapsetpasswd tina
 
* ldapsetpasswd tina
  
= nsswitch und pam anbinden via SSSD =
+
== Gruppe zuweisen ==
== Installation ==
+
* ldapaddusertogroup thomas sudo
 +
* ldapaddusertogroup tina sudo
 +
 
 +
= SSSD Anbindung =
 
* apt install sssd libnss-sss libpam-sss libsss-sudo
 
* apt install sssd libnss-sss libpam-sss libsss-sudo
  
== SSSD Konfiguration ==
+
== Konfiguration ==
 
* vim /etc/sssd/sssd.conf
 
* vim /etc/sssd/sssd.conf
 
<pre>
 
<pre>
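Review bot: the rewritten ldapscripts.conf drops USHELL, UHOMES, CREATEHOMES and HOMESKEL, so `ldapadduser thomas it` now falls back to the package defaults for login shell and home directory and home creation relies solely on the pam mkhomedir step added later in this diff; say so next to the config so readers do not expect /bin/bash. BINDDN still binds as cn=admin,dc=it213,dc=int, the directory root, whose password is written to /etc/ldapscripts/ldapscripts.passwd on every host where the scripts run; a dedicated account whose write access is limited to ou=users and ou=groups bounds the damage if that file leaks.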
Zeile 165: Zeile 112:
  
 
cache_credentials = True
 
cache_credentials = True
 
 
ldap_id_use_start_tls = false
 
ldap_id_use_start_tls = false
ldap_auth_disable_tls_never_use_in_production = true
 
 
ldap_tls_reqcert = never
 
ldap_tls_reqcert = never
 
</pre>
 
</pre>
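Review bot: removing `ldap_auth_disable_tls_never_use_in_production = true` while keeping `ldap_id_use_start_tls = false` and `ldap_tls_reqcert = never` changes behaviour: SSSD requires an encrypted channel for the authentication bind unless that override is set, so after this change logins only work if slapd offers STARTTLS, while identity lookups still travel over plain ldap://. With `ldap_tls_reqcert = never` the server certificate is not checked, so the channel is encrypted but the server is not authenticated; either add `ldap_tls_cacert` with `ldap_tls_reqcert = demand`, or state explicitly that this lab accepts an unauthenticated channel.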
Zeile 174: Zeile 119:
 
* systemctl restart sssd
 
* systemctl restart sssd
  
== System-Integration ==
+
== NSS ==
 +
* sed -i 's/^sudoers:.*/sudoers: files sss/' /etc/nsswitch.conf
 +
 
 +
== PAM ==
 
* pam-auth-update --enable sss mkhomedir
 
* pam-auth-update --enable sss mkhomedir
  
== Kontrolle ==
+
= Sudo (LDAP) =
* cat /etc/nsswitch.conf
+
 
 +
== Schema erweitern ==
 +
; falls sudoRole noch nicht existiert
 +
* cat <<EOF > /root/sudo-schema-fix.ldif
 
<pre>
 
<pre>
passwd:         files systemd sss
+
dn: cn={4}sudo,cn=schema,cn=config
group:         files systemd sss
+
changetype: modify
shadow:         files systemd sss
+
add: olcAttributeTypes
sudoers:       files sss
+
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 +
-
 +
add: olcAttributeTypes
 +
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 +
-
 +
add: olcAttributeTypes
 +
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 +
-
 +
add: olcAttributeTypes
 +
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAsUser' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 +
-
 +
add: olcAttributeTypes
 +
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoRunAsGroup' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 +
-
 +
add: olcObjectClasses
 +
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAsUser $ sudoRunAsGroup ) )
 
</pre>
 
</pre>
 +
EOF
  
= Sudo =
+
* ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/sudo-schema-fix.ldif
== Sudo-Regeln anlegen ==
+
 
* cat /root/sudo_rules.ldif
+
== Sudo Regel ==
 +
* cat <<EOF > /root/sudo.ldif
 
<pre>
 
<pre>
dn: cn=%sudo,ou=sudo,dc=it213,dc=int
+
dn: cn=sudo,ou=sudo,dc=it213,dc=int
 
objectClass: top
 
objectClass: top
 
objectClass: sudoRole
 
objectClass: sudoRole
cn: %sudo
+
cn: sudo
 
sudoUser: %sudo
 
sudoUser: %sudo
 
sudoHost: ALL
 
sudoHost: ALL
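Review bot: two points in the NSS and schema steps. `sed -i 's/^sudoers:.*/sudoers: files sss/' /etc/nsswitch.conf` only rewrites a line that already exists; if the file has no `sudoers:` entry the command silently does nothing, and the `cat /etc/nsswitch.conf` check this diff removes was the step that would have caught it, so keep a check or append the line when it is missing. The schema LDIF targets `cn={4}sudo,cn=schema,cn=config` with `changetype: modify` and `add: olcAttributeTypes`; the `{4}` index is an installation detail rather than a fixed name, and `add` fails if the attribute type is already defined in that entry, so the lead-in "falls sudoRole noch nicht existiert" should also tell the reader how to find the real DN first, for example with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn`.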
Zeile 200: Zeile 168:
 
sudoCommand: ALL
 
sudoCommand: ALL
 
</pre>
 
</pre>
 +
EOF
  
* ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/sudo_rules.ldif
+
* ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/sudo.ldif
  
== Gruppenverwaltung ==
+
== Cache leeren ==
* ldapaddgroup sudo
+
* sss_cache -E
* ldapaddusertogroup thomas sudo
+
* systemctl restart sssd
* ldapaddusertogroup tina sudo
 
  
== Testen ==
+
== Test ==
 
* su - thomas
 
* su - thomas
 
* sudo -l
 
* sudo -l
 
* sudo whoami
 
* sudo whoami
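Review bot: the rule expressed by `sudoUser: %sudo`, `sudoHost: ALL` and `sudoCommand: ALL` is the broadest possible one, unrestricted root for every member of the LDAP group sudo on every host that uses this directory; the page should say so and show how sudoHost or sudoCommand is narrowed for a real deployment. Renaming the entry from cn=%sudo to cn=sudo is harmless, since only the sudoUser value carries the group meaning. The new "Cache leeren" step with `sss_cache -E` before `systemctl restart sssd` is a useful addition: without it `sudo -l` in the test can keep reporting the previously cached rule set.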

Revision as of 2 April 2026, 08:32

Installation

Set a password of your choice.
  • apt update
  • DEBIAN_FRONTEND=noninteractive apt install -y slapd ldap-utils

Basic configuration

  • dpkg-reconfigure slapd
Debconf Question                          Recommended Input
Omit OpenLDAP server configuration?       No
DNS domain name:                          it213.int
Organization name:                        it213
Administrator password:                   123Start$
Database backend to use:                  MDB
Remove database when slapd is purged?     No
Move old database?                        Yes
Allow LDAPv2 protocol?                    No

Check

  • ldapsearch -x -LLL

Basic structure

Create

  • cat <<EOF > /root/struktur.ldif
dn: ou=users,dc=it213,dc=int
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=it213,dc=int
objectClass: organizationalUnit
ou: groups

dn: ou=hosts,dc=it213,dc=int
objectClass: organizationalUnit
ou: hosts

dn: ou=sudo,dc=it213,dc=int
objectClass: organizationalUnit
ou: sudo

EOF

Add to the directory

  • ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/struktur.ldif

Users and groups

  • apt install ldapscripts

Configuration

  • vim /etc/ldapscripts/ldapscripts.conf
SERVER="ldap://ldap.it213.int"
SUFFIX="dc=it213,dc=int"
GSUFFIX="ou=groups"
USUFFIX="ou=users"
BINDDN="cn=admin,dc=it213,dc=int"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
UIDSTART="10000"
GIDSTART="10000"
  • echo -n "123Start$" > /etc/ldapscripts/ldapscripts.passwd
  • chmod 600 /etc/ldapscripts/ldapscripts.passwd

Groups

  • ldapaddgroup it
  • ldapaddgroup sudo

Users

  • ldapadduser thomas it
  • ldapadduser tina it

Password

  • ldapsetpasswd thomas
  • ldapsetpasswd tina

Assign group

  • ldapaddusertogroup thomas sudo
  • ldapaddusertogroup tina sudo

SSSD integration

  • apt install sssd libnss-sss libpam-sss libsss-sudo

Configuration

  • vim /etc/sssd/sssd.conf
[sssd]
services = nss, pam, sudo
domains = it213.int

[domain/it213.int]
id_provider = ldap
auth_provider = ldap
access_provider = permit

sudo_provider = ldap

ldap_uri = ldap://ldap.it213.int
ldap_search_base = dc=it213,dc=int
ldap_sudo_search_base = ou=sudo,dc=it213,dc=int

cache_credentials = True
ldap_id_use_start_tls = false
ldap_tls_reqcert = never
  • chmod 600 /etc/sssd/sssd.conf
  • systemctl restart sssd
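The sssd.conf above disables STARTTLS for lookups, turns off certificate checking and admits every directory user. As an added example (not part of the wiki page), the following POSIX shell function audits an sssd.conf for exactly those settings and is run against a constructed copy of the lab config and a hardened variant; the CA file path and the simple_allow_groups value are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki: flag the weak LDAP channel settings in an sssd.conf.
audit_sssd_conf() {
    # Normalise "key = value" to key=value (comments stripped) so keys can be looked up.
    norm=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/=/' "$1")
    get() { printf '%s\n' "$norm" | sed -n "s/^$1=//p" | tr 'A-Z' 'a-z'; }
    rc=0
    case "$(get ldap_uri)" in
        ldaps://*) ;;                                # encrypted from the first byte
        *) [ "$(get ldap_id_use_start_tls)" = true ] ||
               { echo "identity lookups use plain ldap:// without STARTTLS"; rc=1; } ;;
    esac
    case "$(get ldap_tls_reqcert)" in
        ''|demand|hard) ;;                           # server certificate is verified
        *) echo "ldap_tls_reqcert accepts an unverified server certificate"; rc=1 ;;
    esac
    [ "$(get ldap_auth_disable_tls_never_use_in_production)" != true ] ||
        { echo "authentication binds may be sent in cleartext"; rc=1; }
    [ "$(get access_provider)" != permit ] ||
        { echo "access_provider = permit: every directory user may log in here"; rc=1; }
    return $rc
}

# Constructed sample files; the live file is /etc/sssd/sssd.conf.
WEAK=$(mktemp) HARD=$(mktemp); trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
[domain/it213.int]
id_provider = ldap
auth_provider = ldap
access_provider = permit
ldap_uri = ldap://ldap.it213.int
ldap_id_use_start_tls = false
ldap_tls_reqcert = never
EOF
cat > "$HARD" <<'EOF'
[domain/it213.int]
id_provider = ldap
auth_provider = ldap
access_provider = simple
simple_allow_groups = it
ldap_uri = ldaps://ldap.it213.int
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/it213-ca.pem
EOF
echo "--- lab config";  audit_sssd_conf "$WEAK" || echo "=> FAIL"
echo "--- hardened";    audit_sssd_conf "$HARD" && echo "=> OK"
```

The hardened variant needs the CA certificate of the slapd server installed at the path given in ldap_tls_cacert and TLS enabled in slapd.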

NSS

  • sed -i 's/^sudoers:.*/sudoers: files sss/' /etc/nsswitch.conf
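The sed above only rewrites a sudoers: line that is already present in nsswitch.conf. As an added example (not part of the wiki page), this shell function makes the step idempotent: it rewrites an existing line, appends one when it is missing, and verifies the result; the two sample nsswitch.conf files are constructed.

```shell
#!/bin/sh
# Added example, not from the wiki: ensure "sudoers: files sss" is present in an
# nsswitch.conf whether or not the file already has a sudoers: line.
ensure_sudoers_sss() {
    f="$1"
    if grep -q '^sudoers:' "$f"; then
        sed -i 's/^sudoers:.*/sudoers: files sss/' "$f"     # the wiki's original edit
    else
        printf 'sudoers:        files sss\n' >> "$f"       # the case sed silently skips
    fi
    # Verify the outcome instead of trusting the edit.
    grep -qx 'sudoers:[[:space:]]*files sss' "$f"
}

# Constructed sample files; the live file is /etc/nsswitch.conf.
WITH=$(mktemp) WITHOUT=$(mktemp); trap 'rm -f "$WITH" "$WITHOUT"' EXIT
printf 'passwd: files sss\nsudoers: files\n' > "$WITH"
printf 'passwd: files sss\ngroup: files sss\n' > "$WITHOUT"
ensure_sudoers_sss "$WITH"    && echo "rewrote existing sudoers line"
ensure_sudoers_sss "$WITHOUT" && echo "appended missing sudoers line"
```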

PAM

  • pam-auth-update --enable sss mkhomedir

Sudo (LDAP)

Extend the schema

Only if sudoRole does not exist yet:
  • cat <<EOF > /root/sudo-schema-fix.ldif
dn: cn={4}sudo,cn=schema,cn=config
changetype: modify
add: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAsUser' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoRunAsGroup' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAsUser $ sudoRunAsGroup ) )

EOF

  • ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/sudo-schema-fix.ldif

Sudo rule

  • cat <<EOF > /root/sudo.ldif
dn: cn=sudo,ou=sudo,dc=it213,dc=int
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: %sudo
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL

EOF

  • ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/sudo.ldif

Clear the cache

  • sss_cache -E
  • systemctl restart sssd

Test

  • su - thomas
  • sudo -l
  • sudo whoami