Central user management with OpenLDAP and SSS

From Xinux Wiki
Revision as of 2 April 2026, 08:17

Installation

Choose a password of your own for the directory administrator. With the noninteractive install below no prompt appears; the password is set during dpkg-reconfigure slapd in the next step.
  • apt update
  • DEBIAN_FRONTEND=noninteractive apt install -y slapd ldap-utils

slapd: the OpenLDAP standalone server
ldap-utils: command-line utilities for accessing the LDAP server (ldapsearch, ldapadd, ldapmodify, ...)

Basic configuration

  • dpkg-reconfigure slapd

The following table lists the exact English debconf prompts together with the recommended inputs for the it213.int environment. 123Start$ is the lab password used throughout this page; pick your own and do not reuse it elsewhere.

Debconf question | Description | Recommended input
Omit OpenLDAP server configuration? | Whether the installer should skip creating a database | No
DNS domain name: | Used to construct the base DN of the directory (dc=it213,dc=int) | it213.int
Organization name: | Organization name stored in the base entry (o: it213) | it213
Administrator password: | Password for the admin entry (cn=admin,dc=it213,dc=int) | 123Start$
Confirm password: | Re-enter the password for verification | 123Start$
Database backend to use: | Storage engine for the LDAP database | MDB
Do you want the database to be removed when slapd is purged? | Whether to delete the data when the package is completely removed | No
Move old database? | If a database already exists, move it aside | Yes
Allow LDAPv2 protocol? | Support for the obsolete LDAP version 2 | No

OpenLDAP manual setup (OLC)

See the separate page OpenLDAP Manuelle Einrichtung (OLC).

Sudo schema (minimal, OLC)

The schema below is a reduced variant of the sudoers schema distributed with sudo: it defines only the five attributes this page uses. sudoOption, sudoOrder, sudoNotBefore and sudoNotAfter from the full schema are missing, so rules such as NOPASSWD (sudoOption: !authenticate) cannot be expressed until the complete schema.OpenLDAP from the sudo distribution is loaded instead. Quote the heredoc delimiter ('EOF') so the shell cannot expand anything in the LDIF; the objectClass definition contains $ separators.

  • cat <<'EOF' > /root/sudo-schema.ldif
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo

olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAsUser $ sudoRunAsGroup ) )

EOF

Loading into cn=config goes through the ldapi:/// socket with SASL EXTERNAL, so the command must run as root on the LDAP server itself: Debian's default ACL on cn=config grants write access only to that local root peer credential.

  • ldapadd -Y EXTERNAL -H ldapi:/// -f /root/sudo-schema.ldif

Client configuration

ldap.conf

BASE and URI are what the OpenLDAP command-line tools (ldapsearch, ldapadd, ...) read from /etc/ldap/ldap.conf. ldap_version and rootbinddn are directives of the legacy nss_ldap/pam_ldap stack; libldap does not use them, and the SSSD setup below does not need them either.

  • cat /etc/ldap/ldap.conf
BASE    dc=it213,dc=int
URI     ldap://ldap.it213.int
ldap_version    3
rootbinddn      cn=admin,dc=it213,dc=int

Store the admin password

/etc/ldap.secret is the password file that belongs to rootbinddn (again only read by nss_ldap/pam_ldap). It holds the admin password in clear text and must stay readable by root only.

  • echo 123Start$ > /etc/ldap.secret
  • chmod 600 /etc/ldap.secret

Check

Is the base DN correct?

An anonymous search (-x, no bind DN) from the client must return the root entry that dpkg-reconfigure created; at this point it is the only entry in the directory:

  • ldapsearch -x -LLL
dn: dc=it213,dc=int
objectClass: top
objectClass: dcObject
objectClass: organization
o: it213
dc: it213

Base structure

Create

Four organizational units: users and groups for the POSIX accounts, hosts for machine accounts (ldapscripts MSUFFIX), and sudo for the sudoRole entries that SSSD will read.

  • cat /root/struktur.ldif
dn: ou=users,dc=it213,dc=int
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=it213,dc=int
objectClass: organizationalUnit
ou: groups

dn: ou=hosts,dc=it213,dc=int
objectClass: organizationalUnit
ou: hosts

dn: ou=sudo,dc=it213,dc=int
objectClass: organizationalUnit
ou: sudo

Add

Passing the bind password with -w puts it into the shell history and into the process list (visible to every local user via ps) while the command runs; ldapadd -y <file> reads it from a root-only file (without trailing newline) instead. As used on this page:

  • ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/struktur.ldif

Ldapscripts

Installation

  • apt install ldapscripts

Configuration

Main configuration

ldapscripts binds as BINDDN with the password read from BINDPWDFILE. UIDSTART, GIDSTART and MIDSTART set the lowest IDs handed out to users, groups and machines (MSUFFIX), well above the range of local accounts so the two cannot collide.

  • vim /etc/ldapscripts/ldapscripts.conf
SERVER="ldap://ldap.it213.int"
SUFFIX="dc=it213,dc=int"
GSUFFIX="ou=groups"
USUFFIX="ou=users"
MSUFFIX="ou=hosts"
BINDDN="cn=admin,dc=it213,dc=int"
USHELL="/bin/bash"
UHOMES="/home/%u"
CREATEHOMES="yes"
HOMESKEL="/etc/skel"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
GIDSTART="10000"
UIDSTART="10000"
MIDSTART="20000"

Password file

The file must contain the password and nothing else, hence echo -n (no trailing newline), and must be readable by root only.

  • echo -n "123Start$" > /etc/ldapscripts/ldapscripts.passwd
  • chmod 600 /etc/ldapscripts/ldapscripts.passwd

Management

Create groups

  • ldapaddgroup it

Create users (the second argument is the primary group)

  • ldapadduser thomas it
  • ldapadduser tina it

Set passwords

  • ldapsetpasswd thomas
  • ldapsetpasswd tina

Hook up nsswitch and PAM via SSSD

Installation

  • apt install sssd libnss-sss libpam-sss libsss-sudo

SSSD configuration

The three options at the end of the [domain] block exist only to make the lab work without certificates: ldap_auth_disable_tls_never_use_in_production = true lets SSSD send user passwords in an unencrypted bind, ldap_tls_reqcert = never switches off server certificate verification, and ldap_id_use_start_tls = false (the default) keeps identity lookups on plain ldap://. Everything the clients exchange with ldap.it213.int, passwords included, is therefore readable and forgeable by anyone on the network path. Outside the lab use ldaps:// (or ldap_id_use_start_tls = true) together with ldap_tls_reqcert = demand and a configured ldap_tls_cacert, and drop the disable line. access_provider = permit grants login to every directory account on every client; access_provider = simple with simple_allow_groups limits it to chosen groups.

  • vim /etc/sssd/sssd.conf
[sssd]
services = nss, pam, sudo
domains = it213.int

[domain/it213.int]
id_provider = ldap
auth_provider = ldap
access_provider = permit

sudo_provider = ldap

ldap_uri = ldap://ldap.it213.int
ldap_search_base = dc=it213,dc=int
ldap_sudo_search_base = ou=sudo,dc=it213,dc=int

cache_credentials = True

ldap_id_use_start_tls = false
ldap_auth_disable_tls_never_use_in_production = true
ldap_tls_reqcert = never

SSSD checks ownership and mode of sssd.conf at start-up and rejects a file that other users can read.

  • chmod 600 /etc/sssd/sssd.conf
  • systemctl restart sssd

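The script below is an added example and not part of the wiki page or of SSSD. It reads an sssd.conf, flags the four settings discussed above (TLS disabled for authentication, certificate verification off, plain ldap:// without StartTLS, the permit access provider) and carries a constructed hardened counterpart for comparison. The group name admins and the CA bundle path in the hardened variant are assumptions; the sample configurations are constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the wiki page or of SSSD): audit an sssd.conf for
# the transport-security settings the lab configuration deliberately weakens,
# with a hardened counterpart next to it. Both sample configurations are
# constructed here; group "admins" and the CA bundle path are assumptions.

# Print FILE as key=value lines: comments and whitespace stripped, lower-cased.
norm_conf() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | tr 'A-Z' 'a-z'
}

# conf_has NORMALISED_TEXT ERE -> true if some line matches the pattern.
conf_has() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# Print one "FINDING ..." line per weak setting in FILE; always exits 0.
audit_sssd_conf() {
    conf=$(norm_conf "$1")
    if conf_has "$conf" '^ldap_auth_disable_tls_never_use_in_production=true$'; then
        echo "FINDING ldap_auth_disable_tls_never_use_in_production=true: user passwords cross the network in clear text; delete the line"
    fi
    if conf_has "$conf" '^ldap_tls_reqcert=(never|allow)$'; then
        echo "FINDING ldap_tls_reqcert=never/allow: server certificate is not verified, a spoofed LDAP server is accepted; set ldap_tls_reqcert = demand plus ldap_tls_cacert"
    fi
    if conf_has "$conf" '^ldap_uri=ldap://' && ! conf_has "$conf" '^ldap_id_use_start_tls=true$'; then
        echo "FINDING ldap_uri=ldap:// without ldap_id_use_start_tls=true: identity lookups are unencrypted; use ldaps:// or enable StartTLS"
    fi
    if conf_has "$conf" '^access_provider=permit$'; then
        echo "FINDING access_provider=permit: every directory user may log in on this host; use access_provider = simple with simple_allow_groups"
    fi
    return 0
}

# Number of findings in FILE, printed on stdout (always exits 0).
sssd_findings_count() {
    n=$(audit_sssd_conf "$1" | grep -c '^FINDING' || true)
    echo "${n:-0}"
}

# Constructed samples: "weak" mirrors the lab setup, "hardened" the production shape.
write_sample_conf() {
    case "$1" in
    weak)
        cat <<'EOF'
[sssd]
services = nss, pam, sudo
domains = it213.int

[domain/it213.int]
id_provider = ldap
auth_provider = ldap
access_provider = permit
sudo_provider = ldap
ldap_uri = ldap://ldap.it213.int
ldap_search_base = dc=it213,dc=int
ldap_sudo_search_base = ou=sudo,dc=it213,dc=int
cache_credentials = True
ldap_id_use_start_tls = false
ldap_auth_disable_tls_never_use_in_production = true
ldap_tls_reqcert = never
EOF
        ;;
    hardened)
        cat <<'EOF'
[sssd]
services = nss, pam, sudo
domains = it213.int

[domain/it213.int]
id_provider = ldap
auth_provider = ldap
# only members of LDAP group "admins" (assumed name) may log in here
access_provider = simple
simple_allow_groups = admins
sudo_provider = ldap
ldap_uri = ldaps://ldap.it213.int
ldap_search_base = dc=it213,dc=int
ldap_sudo_search_base = ou=sudo,dc=it213,dc=int
cache_credentials = True
# verify the server certificate against the system CA bundle (assumed path)
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
EOF
        ;;
    esac
}

# Demonstration: audit both constructed configurations.
for variant in weak hardened; do
    tmp=$(mktemp)
    write_sample_conf "$variant" > "$tmp"
    echo "== $variant sssd.conf: $(sssd_findings_count "$tmp") finding(s)"
    audit_sssd_conf "$tmp"
    rm -f "$tmp"
done
```

Run it against a real file with audit_sssd_conf /etc/sssd/sssd.conf; the weak sample yields four findings, the hardened one none. The checks are deliberately literal string matches on normalised key=value lines, which is enough for sssd.conf's flat INI syntax.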
System integration

pam-auth-update enables pam_sss in the common PAM stacks together with pam_mkhomedir, which creates the home directory on first login (the ldapscripts CREATEHOMES option only acts on the machine where ldapadduser was run).

  • pam-auth-update --enable sss mkhomedir

Check

passwd, group and shadow must list sss so that directory users resolve; the sudoers line is what makes sudo ask SSSD for rules at all, without it only /etc/sudoers is consulted.

  • cat /etc/nsswitch.conf
passwd:         files systemd sss
group:          files systemd sss
shadow:         files systemd sss
sudoers:        files sss

Sudo

Create sudo rules

The entry below is a sudoRole as defined by the schema loaded earlier. sudoUser: %sudo follows the sudoers(5) convention: the % prefix means "members of the group sudo", so the group has to be resolvable through the group lookup configured in nsswitch.conf. With sudoHost, sudoRunAsUser, sudoRunAsGroup and sudoCommand all set to ALL it is the LDAP equivalent of "%sudo ALL=(ALL:ALL) ALL", a full root grant for every group member on every client.

  • cat /root/sudo_rules.ldif
dn: cn=%sudo,ou=sudo,dc=it213,dc=int
objectClass: top
objectClass: sudoRole
cn: %sudo
sudoUser: %sudo
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL

  • ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/sudo_rules.ldif

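As an added example, not from the wiki page, the script below generates sudoRole entries in LDIF for the minimal schema above: it reproduces the %sudo rule, sets a scoped rule next to it (group ops, host ldap-client1 and the two commands are assumed names chosen for illustration), and includes an awk check that reports every role unrestricted in both host and command. The output can be loaded with ldapadd -f exactly like /root/sudo_rules.ldif.

```shell
#!/bin/sh
# Added example (not part of the wiki page): build sudoRole entries in LDIF
# for the minimal sudo schema and report which of them are unrestricted.
# The first rule reproduces the page's %sudo entry; the scoped rule uses
# assumed names (group "ops", host "ldap-client1", two commands).

SUDO_BASE="ou=sudo,dc=it213,dc=int"

# sudo_role_ldif NAME SUDOUSER SUDOHOST RUNASUSER RUNASGROUP COMMAND...
# Prints one sudoRole entry; each remaining argument becomes a sudoCommand.
# A leading % in SUDOUSER means "members of this group", as in sudoers(5).
sudo_role_ldif() {
    role_name=$1 role_user=$2 role_host=$3 role_runas_user=$4 role_runas_group=$5
    shift 5
    printf 'dn: cn=%s,%s\n' "$role_name" "$SUDO_BASE"
    printf 'objectClass: top\nobjectClass: sudoRole\n'
    printf 'cn: %s\nsudoUser: %s\nsudoHost: %s\n' "$role_name" "$role_user" "$role_host"
    printf 'sudoRunAsUser: %s\nsudoRunAsGroup: %s\n' "$role_runas_user" "$role_runas_group"
    for cmd in "$@"; do
        printf 'sudoCommand: %s\n' "$cmd"
    done
    echo    # blank line terminates the LDIF entry
}

# The page's rule: members of group "sudo" may run anything as anyone, anywhere.
full_access_rule() {
    sudo_role_ldif '%sudo' '%sudo' ALL ALL ALL ALL
}

# Least-privilege shape (assumed names): members of group "ops" may restart
# sshd and read the journal on host ldap-client1 only, as root only.
scoped_rule() {
    sudo_role_ldif ops-journal '%ops' ldap-client1 root root \
        '/usr/bin/systemctl restart ssh.service' /usr/bin/journalctl
}

# Read LDIF (files or stdin) and print the cn of every sudoRole that is
# unrestricted in both host and command, i.e. effectively a root grant.
unrestricted_roles() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        cn = ""; host_all = 0; cmd_all = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^cn: /)             cn = substr($i, 5)
            if ($i == "sudoHost: ALL")    host_all = 1
            if ($i == "sudoCommand: ALL") cmd_all = 1
        }
        if (cn != "" && host_all && cmd_all) print cn
    }' "$@"
}

# Demonstration: write both rules to a file (ready for ldapadd -f) and report.
out=$(mktemp)
{ full_access_rule; scoped_rule; } > "$out"
cat "$out"
echo "Unrestricted (root-equivalent) roles: $(unrestricted_roles "$out")"
rm -f "$out"
```

Running unrestricted_roles over an export of ou=sudo (ldapsearch -x -LLL -b ou=sudo,dc=it213,dc=int) gives a quick inventory of which roles amount to unconditional root; on this page that is %sudo.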
Group management

ldapaddgroup creates a posixGroup named sudo in ou=groups. Debian already has a local group of the same name (GID 27) in /etc/group, and with "group: files systemd sss" a lookup by name returns the local entry first; a distinct name such as ldap-sudo avoids that ambiguity, in which case the sudoUser attribute of the rule has to match it.

  • ldapaddgroup sudo
  • ldapaddusertogroup thomas sudo
  • ldapaddusertogroup tina sudo

Test

Log in as a directory user, list the rules SSSD returns for this host, and run a command; sudo whoami must print root. If sudo -l shows nothing, check that sudoers: files sss is present in nsswitch.conf and that sudo is listed under services in sssd.conf.

  • su - thomas
  • sudo -l
  • sudo whoami