ldap.conf
Connecting nsswitch and PAM to LDAP
- apt install libnss-ldap libpam-ldap ldap-utils
We use only one configuration file; the paths that libnss-ldap and libpam-ldap read are symlinked to /etc/ldap/ldap.conf:
- ln -sf /etc/ldap/ldap.conf /etc/ldap.conf
- ln -sf /etc/ldap/ldap.conf /etc/libnss-ldap.conf
- ln -sf /etc/ldap/ldap.conf /etc/pam_ldap.conf
Test
Add the ldap source to /etc/nsswitch.conf:
passwd: compat ldap
group: compat ldap
nsswitch tests
passwd test
getent passwd | grep 3001
leroy:x:2001:3001:leroy:/home/leroy:/bin/bash
group test
getent group | grep 3001
it:*:3001:
id test
id leroy
uid=2001(leroy) gid=3001(it) Gruppen=3001(it)
Adjusting PAM
Authentication (the package installation already configures this)
- cat /etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
Account management
- cat /etc/pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
Restricting login to members of a group (optional)
In /etc/ldap.conf:
pam_groupdn cn=it,ou=groups,dc=xinux,dc=net
pam_member_attribute member
Password changes
gawron:/etc/pam.d# cat common-password
password sufficient pam_ldap.so
password sufficient pam_unix.so
password required pam_deny.so
Session
- cat /etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session required pam_unix.so
session optional pam_ldap.so
session optional pam_systemd.so
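All four common-* stacks above depend on Linux-PAM control flags: the bracketed form `[success=N default=ignore]` jumps over the next N modules when the module succeeds and drops the result otherwise, `sufficient` ends the stack on success, `requisite` ends it on failure, and the trailing pam_deny/pam_permit pair guarantees that the stack never finishes without any module having contributed a result. The following Python program is an added example, not part of this page or of Linux-PAM itself; it implements a simplified model of the dispatch rules from pam.conf(5) and runs the auth, account and password stacks shown above against constructed module results (for instance pam_unix failing and pam_ldap succeeding for a user that exists only in LDAP).

```python
"""Simplified simulator of how Linux-PAM walks a module stack (added example, not from the page)."""
import re

# Keyword controls written out as the action tables pam.conf(5) defines them as.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# Modules whose result never depends on the user.
FIXED_RESULTS = {"pam_permit.so": "success", "pam_deny.so": "fail"}

# type, control (keyword or [...] table), module, optional arguments
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Parse /etc/pam.d/common-* lines into (type, actions, module, args) tuples."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % raw)
        mtype, control, module, args = m.groups()
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        stack.append((mtype, actions, module, args))
    return stack


def evaluate(stack, results):
    """Walk the stack with per-module results ('success', 'fail', 'new_authtok_reqd', 'ignore').

    Returns (final_status, trace). Rules as in pam.conf(5): ok/done/N contribute the module's
    result unless a failure was already recorded; bad/die record a failure; ignore drops the
    result; N also skips the next N modules; done/die stop the walk. A stack in which no
    module contributed at all is a failure.
    """
    impression = None  # None = nothing contributed yet, True = passing so far, False = failed
    status = None
    trace = []
    i = 0
    while i < len(stack):
        _, actions, module, _ = stack[i]
        retval = results.get(module, FIXED_RESULTS.get(module))
        if retval is None:
            raise ValueError("no result supplied for %s" % module)
        action = actions.get(retval, actions.get("default", "bad"))
        trace.append((module, retval, action))
        i += 1
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
            continue
        # ok, done or a numeric jump: contribute unless an earlier module already failed
        if impression is None or (impression and status == "success"):
            impression, status = True, retval
        if action == "done" and impression:
            break
        if action.isdigit():
            i += int(action)
    return (status if impression is not None else "fail"), trace


# The stacks from the page, embedded so the example runs offline.
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
COMMON_ACCOUNT = """\
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
"""
COMMON_PASSWORD = """\
password sufficient pam_ldap.so
password sufficient pam_unix.so
password required pam_deny.so
"""


def outcome(stack_text, unix, ldap):
    """Final status of a stack when pam_unix returns `unix` and pam_ldap returns `ldap`."""
    return evaluate(parse_stack(stack_text), {"pam_unix.so": unix, "pam_ldap.so": ldap})[0]


if __name__ == "__main__":
    for unix, ldap in (("success", "fail"), ("fail", "success"), ("fail", "fail")):
        print("auth: unix=%s ldap=%s -> %s" % (unix, ldap, outcome(COMMON_AUTH, unix, ldap)))
    print("account, expired local password ->", outcome(COMMON_ACCOUNT, "new_authtok_reqd", "fail"))
    print("password, LDAP unreachable, local ok ->", outcome(COMMON_PASSWORD, "fail", "success"))
```

Run it as a script to see which modules each case consulted. The account case with a `new_authtok_reqd` result from pam_unix shows why that stack maps it to `done` rather than to a jump: the expired-password status is handed back to the application instead of being replaced by pam_permit's success.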
Set the password for the user
gawron:/etc/pam.d# passwd leroy
New password:
Re-enter new password:
LDAP password information changed for leroy
passwd: password updated successfully
sudo option 1: supplementary groups via pam_group
# first auth entry (ahead of pam_unix/pam_ldap) should be
auth required pam_group.so use_first_pass
# rule in /etc/security/group.conf (services;ttys;users;times;groups)
*;*;*;Al0000-2400;audio,cdrom,dialout,floppy,sudo,adm,video
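pam_group reads /etc/security/group.conf, where each line has the fields services;ttys;users;times;groups. The rule above uses `*` for the first three fields and `Al0000-2400` (all days, 00:00 to 24:00) for the time, so every user who authenticates through any service at any time is added to the listed groups, sudo and adm included; a narrower rule limits that to the users, services and hours that need it. The following Python program is an added example, not part of this page or of pam_group; it evaluates group.conf lines for a constructed login (service, tty, user, time) under a subset of the syntax (no `!` negation, no `|`/`&` combinations of ranges) and contrasts the page's rule with a constructed narrower one.

```python
"""Evaluate /etc/security/group.conf rules for a login (added example, subset of pam_group syntax)."""
import datetime

# Day codes from pam_time(8)/pam_group(8): Mo..Su, Wk = weekdays, Wd = weekend, Al = every day.
DAY_CODES = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
             "Wk": set(range(5)), "Wd": {5, 6}, "Al": set(range(7))}


def parse_time_spec(spec):
    """Parse a time field of the form <daycodes>HHMM-HHMM, e.g. 'Al0000-2400' or 'Wk0800-1800'.

    Subset only: no '!' negation and no '|'/'&' combinations of several ranges.
    """
    days = set()
    i = 0
    while spec[i:i + 2] in DAY_CODES:
        days |= DAY_CODES[spec[i:i + 2]]
        i += 2
    start, end = spec[i:].split("-")
    if not (len(start) == len(end) == 4 and (start + end).isdigit()):
        raise ValueError("bad time range in %r" % spec)
    return days, int(start), int(end)


def time_matches(spec, when):
    """True if `when` (a datetime) falls on a listed day and inside the HHMM range."""
    days, start, end = parse_time_spec(spec)
    if when.weekday() not in days:
        return False
    hhmm = when.hour * 100 + when.minute
    if start <= end:
        return start <= hhmm < end
    return hhmm >= start or hhmm < end  # range wraps past midnight, e.g. 2200-0600


def field_matches(field, value):
    """'*' matches anything; otherwise the value must appear in the comma-separated list."""
    return field == "*" or value in field.split(",")


def groups_granted(conf_text, service, tty, user, when):
    """Return the supplementary groups pam_group would add for this login, in rule order."""
    granted = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        services, ttys, users, times, groups = (f.strip() for f in line.split(";"))
        if (field_matches(services, service) and field_matches(ttys, tty)
                and field_matches(users, user) and time_matches(times, when)):
            granted.extend(g for g in groups.split(",") if g not in granted)
    return granted


# The rule from the page: every service, every tty, every user, all day, all week.
PAGE_RULE = "*;*;*;Al0000-2400;audio,cdrom,dialout,floppy,sudo,adm,video\n"
# Constructed, narrower alternative: sudo only for leroy via sshd on weekdays in office hours.
NARROW_RULE = "sshd;*;leroy;Wk0800-1800;sudo\n"

# Constructed sample times: a Saturday at 03:00 and a Monday at 10:00.
SAT_NIGHT = datetime.datetime(2024, 1, 6, 3, 0)
MON_OFFICE = datetime.datetime(2024, 1, 8, 10, 0)

if __name__ == "__main__":
    print("page rule, guest via sshd, Saturday 03:00:",
          groups_granted(PAGE_RULE, "sshd", "pts/0", "guest", SAT_NIGHT))
    print("narrow rule, same login:", groups_granted(NARROW_RULE, "sshd", "pts/0", "guest", SAT_NIGHT))
    print("narrow rule, leroy Monday 10:00:", groups_granted(NARROW_RULE, "sshd", "pts/0", "leroy", MON_OFFICE))
```

With the page's rule the constructed user `guest` receives the sudo group at 03:00 on a Saturday; with the narrower rule only `leroy`, and only through sshd during weekday office hours, does.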
sudo option 2: sudoers entry (edit with visudo) for the LDAP group it
%it ALL=(ALL:ALL) ALL