Installation

passwort nach wahl festlegen

• apt update
• DEBIAN_FRONTEND=noninteractive apt install -y slapd ldap-utils

Grundkonfiguration

• dpkg-reconfigure slapd

Debconf Question	Recommended Input
Omit OpenLDAP server configuration?	No
DNS domain name:	it213.int
Organization name:	it213
Administrator password:	123Start$
Database backend to use:	MDB
Remove database when slapd is purged?	No
Move old database?	Yes
Allow LDAPv2 protocol?	No

ldap.conf setzen

• vim /etc/ldap/ldap.conf

BASE    dc=it213,dc=int
URI     ldap://ldap.it213.int
ldap_version    3

Kontrolle

• ldapsearch -x -LLL

Grundstruktur

Erstellen

• cat <<EOF > /root/struktur.ldif

dn: ou=users,dc=it213,dc=int
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=it213,dc=int
objectClass: organizationalUnit
ou: groups

dn: ou=hosts,dc=it213,dc=int
objectClass: organizationalUnit
ou: hosts

dn: ou=sudo,dc=it213,dc=int
objectClass: organizationalUnit
ou: sudo

EOF

Anlegen

• ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/struktur.ldif

Benutzer und Gruppen

• apt install -y ldapscripts

Konfiguration

• vim /etc/ldapscripts/ldapscripts.conf

SERVER="ldap://ldap.it213.int"
SUFFIX="dc=it213,dc=int"
GSUFFIX="ou=groups"
USUFFIX="ou=users"
BINDDN="cn=admin,dc=it213,dc=int"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
UIDSTART="10000"
GIDSTART="10000"

• echo -n "123Start$" > /etc/ldapscripts/ldapscripts.passwd
• chmod 600 /etc/ldapscripts/ldapscripts.passwd

Gruppen

• ldapaddgroup it
• ldapaddgroup sudo

Benutzer

• ldapadduser thomas it
• ldapadduser tina it

Passwort

• ldapsetpasswd thomas
• ldapsetpasswd tina

Gruppe zuweisen

• ldapaddusertogroup thomas sudo
• ldapaddusertogroup tina sudo

SSSD Anbindung

• apt install sssd libnss-sss libpam-sss libsss-sudo

Konfiguration

• vim /etc/sssd/sssd.conf

[sssd]
services = nss, pam, sudo
domains = it213.int

[domain/it213.int]
id_provider = ldap
auth_provider = ldap
access_provider = permit

sudo_provider = ldap

ldap_uri = ldap://ldap.it213.int
ldap_search_base = dc=it213,dc=int
ldap_sudo_search_base = ou=sudo,dc=it213,dc=int

cache_credentials = True
ldap_id_use_start_tls = false
ldap_tls_reqcert = never

• chmod 600 /etc/sssd/sssd.conf
• systemctl restart sssd

NSS

• sed -i 's/^sudoers:.*/sudoers: files sss/' /etc/nsswitch.conf

PAM

• pam-auth-update --enable sss mkhomedir

Sudo (LDAP)

Schema erweitern

falls sudoRole noch nicht existiert

• cat <<EOF > /root/sudo-schema-fix.ldif

dn: cn={4}sudo,cn=schema,cn=config
changetype: modify
add: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAsUser' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoRunAsGroup' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAsUser $ sudoRunAsGroup ) )

EOF

• ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/sudo-schema-fix.ldif

Sudo Regel

• cat <<EOF > /root/sudo.ldif

dn: cn=sudo,ou=sudo,dc=it213,dc=int
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: %sudo
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL

EOF

• ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/sudo.ldif

Cache leeren

• sss_cache -E
• systemctl restart sssd

Test

• su - thomas
• sudo -l
• sudo whoami