|
|
# installation : OpenLDAP
|
|
|
|
|
|
|
|
|
[[_TOC_]]
|
|
|
|
|
|
|
|
|
## utilisateurs et groupes par défaut
|
|
|
|
|
|
<https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html#id2578973>
|
|
|
<https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html>
|
|
|
<https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649%28v=vs.85%29.aspx>
|
|
|
<http://support2.microsoft.com/default.aspx?scid=kb;en-us;243330>
|
|
|
<file:///usr/share/doc/base-passwd/users-and-groups.html>
|
|
|
|
|
|
|---------------------+------------------------------+-------+-------+-----------|
|
|
|
| UNIX | Active Directory (Windows) | GID | Type | Essential |
|
|
|
|---------------------+------------------------------+-------+-------+-----------|
|
|
|
| root | Domain Administrator | 500 | User | No |
|
|
|
| nobody | Domain Guest | 501 | User | No |
|
|
|
| | Domain KRBTGT | 502 | User | No |
|
|
|
| sudo | Domain Admins | 512 | Group | Yes |
|
|
|
| users | Domain Users | 513 | Group | Yes |
|
|
|
| nogroup | Domain Guests | 514 | Group | Yes |
|
|
|
| | Domain Computers | 515 | Group | No |
|
|
|
| | Domain Controllers | 516 | Group | No |
|
|
|
| | Domain Certificate Admins | 517 | Group | No |
|
|
|
| | Domain Schema Admins | 518 | Group | No |
|
|
|
| | Domain Enterprise Admins | 519 | Group | No |
|
|
|
| | Domain Policy Admins | 520 | Group | No |
|
|
|
| | Builtin Admins | 544 | Alias | No |
|
|
|
| | Builtin users | 545 | Alias | No |
|
|
|
| | Builtin Guests | 546 | Alias | No |
|
|
|
| | Builtin Power Users | 547 | Alias | No |
|
|
|
| | Builtin Account Operators | 548 | Alias | No |
|
|
|
| | Builtin System Operators | 549 | Alias | No |
|
|
|
| | Builtin Print Operators | 550 | Alias | No |
|
|
|
| | Builtin Backup Operators | 551 | Alias | No |
|
|
|
| | Builtin Replicator | 552 | Alias | No |
|
|
|
| | Builtin RAS Servers | 553 | Alias | No |
|
|
|
| | Builtin Remote Desktop Users | 555 | Alias | No |
|
|
|
|---------------------+------------------------------+-------+-------+-----------|
|
|
|
| admin_ldap | | 5000 | Group | Yes |
|
|
|
| admin_cloud (admin) | | 5001 | Group | No |
|
|
|
| ORG | | 5002 | Group | Yes |
|
|
|
|---------------------+------------------------------+-------+-------+-----------|
|
|
|
| info.ORG | | 10000 | User | Yes |
|
|
|
| it.ORG | | 10001 | User | Yes |
|
|
|
|---------------------+------------------------------+-------+-------+-----------|
|
|
|
|
|
|
|
|
|
### Windows administration
|
|
|
|
|
|
<https://lists.samba.org/archive/samba-technical/2003-March/027953.html>
|
|
|
<https://lists.samba.org/archive/samba/2005-November/114046.html>
|
|
|
<http://www.calculate-linux.org/main/en/configuration_of_samba_server>
|
|
|
|
|
|
SID = $(net getlocalsid | \
|
|
|
cut -d ' ' -f 6)-$(expr $(id -u PRENOM.NOM) \* 2 + 1000)
|
|
|
|
|
|
* sambaGroupType
|
|
|
|
|
|
* 2 = Domain Groups (disponibles en local)
|
|
|
* 4 = Builtin Groups (pour administrer le domaine)
|
|
|
|
|
|
* compte it.ORG
|
|
|
|
|
|
* compte Samba (donc sambaSamAccount)
|
|
|
* dans le groupe "Administrators" pour pouvoir ajouter des ordinateurs au domaine
|
|
|
* dans le groupe "Domain Admins" pour pouvoir se connecter à chaque ordinateur comme administrateur local
|
|
|
* il doit être un compte Samba (donc sambaSamAccount)
|
|
|
|
|
|
|
|
|
## commun
|
|
|
|
|
|
# apt-get install slapd ldap-utils
|
|
|
admin:$PASSWORD
|
|
|
[à sauver dans inubo/commun/Clients/$ORG/$ORG.kdb]
|
|
|
# dpkg-reconfigure slapd
|
|
|
slapd slapd/no_configuration boolean false
|
|
|
slapd slapd/domain string $(dnsdomainname)
|
|
|
slapd shared/organization string $ORG
|
|
|
slapd slapd/backend select HDB
|
|
|
slapd slapd/purge_database boolean true
|
|
|
slapd slapd/move_old_database boolean true
|
|
|
slapd slapd/allow_ldap_v2 boolean false
|
|
|
# nano /etc/hosts
|
|
|
[controle if OK]
|
|
|
$IP $(hostname -f) $(hostname)
|
|
|
# nano /etc/ldap/ldap.conf
|
|
|
[replace]
|
|
|
BASE dc=$DOMAIN,dc=$TLD
|
|
|
URI ldap://$(hostname -f)
|
|
|
[replace]
|
|
|
TLS_CACERT /etc/ssl/certs/ssl-cert-snakeoil.pem
|
|
|
# etckeeper commit 'ldap/slapd.d/*: dc=$DOMAIN,dc=$TLD'
|
|
|
|
|
|
|
|
|
## master
|
|
|
|
|
|
# /home/rescue/bin/ldap-add-syncprov.sh
|
|
|
# etckeeper commit 'ldap/slapd.d/cn=config*: add syncprov'
|
|
|
|
|
|
# /home/rescue/bin/ldap-add-default-config.sh [$DC $ADMIN]
|
|
|
|
|
|
|
|
|
## slave
|
|
|
|
|
|
<https://www.suse.com/communities/conversations/howto-openldap-24x-replication-sles11sp1/>
|
|
|
|
|
|
# cp /path/to/$MASTER_HOSTNAME.$(dnsdomainname).crt /usr/local/share/ca-certificates/
|
|
|
# chown root:staff !$/$MASTER_HOSTNAME.$(dnsdomainname).crt
|
|
|
# chmod 664 !$
|
|
|
# update-ca-certificates
|
|
|
# /home/rescue/bin/ldap-be-replicant.sh $MASTER_HOSTNAME $RID $PASSWORD [$DC $CN]
|
|
|
# slapcat | grep users
|
|
|
dn: ou=users,dc=itopie,dc=ch
|
|
|
ou: users
|
|
|
# etckeeper commit 'ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif: be a replicant'
|
|
|
[contrôler /var/log/syslog et ne pas oublier d'ajouter les schémas qui manquent :
|
|
|
<http://www.openldap.org/lists/openldap-software/200606/msg00027.html>
|
|
|
<http://stackoverflow.com/questions/6525984/syncrepl-syncing-but-not-updating>
|
|
|
<http://www.openldap.org/lists/openldap-software/200806/msg00116.html>
|
|
|
ensuite:
|
|
|
# service slapd stop
|
|
|
[delete everything in /var/lib/ldap/ but DB_CONFIG]
|
|
|
# cat <<EOF >/tmp/ldap-reset.ldif
|
|
|
dn: \$DC
|
|
|
objectClass: top
|
|
|
objectClass: dcObject
|
|
|
objectClass: organization
|
|
|
o: \$ORG
|
|
|
dc: \$ORG
|
|
|
|
|
|
dn: cn=admin,\$DC
|
|
|
objectClass: simpleSecurityObject
|
|
|
objectClass: organizationalRole
|
|
|
cn: admin
|
|
|
description: LDAP administrator
|
|
|
userPassword: \$PASSWORD
|
|
|
EOF
|
|
|
# nano /tmp/ldap-reset.ldif
|
|
|
[add correct values for $VARIABLES]
|
|
|
# su -s /bin/sh -c "/usr/sbin/slapadd -F '/etc/ldap/slapd.d' -b 'dc=itopie,dc=ch' -l '/tmp/ldap-reset.ldif'" openldap
|
|
|
# service slapd start
|
|
|
]
|
|
|
|
|
|
|
|
|
## commun, à nouveau
|
|
|
|
|
|
# /home/rescue/bin/ldap-add-STARTTLS.sh [$KEY $CERT $CACERT $VERIFY $ENFORCE]
|
|
|
# ldapsearch -d 5 -v -ZZ -W -D uid=it.$ORG,ou=users,$DC ou=users
|
|
|
[no errors; without "-d 5" the output should look like:
|
|
|
# users, realise.ch
|
|
|
dn: ou=users,$DC
|
|
|
objectClass: top
|
|
|
objectClass: organizationalUnit
|
|
|
ou: users
|
|
|
]
|
|
|
# etckeeper commit 'ldap/slapd.d/cn=config.ldif: add STARTTLS'
|
|
|
|
|
|
# /home/rescue/bin/ldap-anon-auth-replicant-admin-ldap.sh [$DC $ADMIN]
|
|
|
# etckeeper commit 'ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif: anon, repl, admin_ldap'
|
|
|
|
|
|
# /home/rescue/bin/ldap-add-better-index.sh
|
|
|
# etckeeper commit 'ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif: better index'
|
|
|
|
|
|
|
|
|
### quota
|
|
|
|
|
|
# apt-get install quota
|
|
|
# /home/rescue/bin/ldap-schema2ldif.sh /usr/share/quota/ldap/quota.schema
|
|
|
# etckeeper commit 'ldap/slapd.d/cn=config/cn=schema/cn={4}quota.ldif: new file'
|
|
|
|
|
|
[INVESTIGUER:
|
|
|
schema2ldif <https://bugs.debian.org/753721>
|
|
|
<https://www.ldap-account-manager.org/static/doc/manual/apa.html>]
|
|
|
|
|
|
|
|
|
### clés SSH
|
|
|
|
|
|
sshPublicKey
|
|
|
<http://jpmens.net/2006/03/02/ssh-public-keys-from-ldap/>
|
|
|
<https://wiki.terena.org/display/~federated-user-3/OpenSSH+with+LDAP+public+keys>
|
|
|
<https://code.google.com/p/openssh-lpk/wiki/Main>
|
|
|
|
|
|
OpenSSH_6.2
|
|
|
<http://imil.net/wp/2013/04/29/debian-backport-of-openssh-6-2/>
|
|
|
<https://code.google.com/p/openssh-lpk/issues/detail?id=15>
|
|
|
<https://itsecureadmin.com/2012/09/ssh-public-key-authentication-via-openldap-on-rhelcentos-6-x/>
|
|
|
|
|
|
SSSD
|
|
|
<http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf>
|
|
|
|
|
|
# wget -O /tmp/openssh-lpk_openldap.schema https://openssh-lpk.googlecode.com/files/openssh-lpk_openldap.schema
|
|
|
# /home/rescue/bin/ldap-schema2ldif.sh /tmp/openssh-lpk_openldap.schema
|
|
|
# etckeeper commit 'ldap/slapd.d/cn=config/cn=schema/cn={5}openssh-lpk_openldap.ldif'
|
|
|
|
|
|
|
|
|
## phpLDAPadmin
|
|
|
|
|
|
[[Installation Apache avec SSL|apache]]
|
|
|
|
|
|
*[d'habitude que sur le master]*
|
|
|
|
|
|
# apt-get install phpldapadmin
|
|
|
|
|
|
# nano /etc/phpldapadmin/config.php
|
|
|
[comment]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
#$servers->setValue('server','base',array('dc=example,dc=com'));
|
|
|
#$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
# etckeeper commit 'phpldapadmin/config.php: no autoform'
|
|
|
|
|
|
# nano /etc/phpldapadmin/config.php
|
|
|
[uncomment and replace]
|
|
|
$servers->setValue('appearance','password_hash','ssha');
|
|
|
# etckeeper commit 'phpldapadmin/config.php: password_hash=ssha'
|
|
|
|
|
|
# nano /etc/phpldapadmin/config.php
|
|
|
[uncomment and replace]
|
|
|
$servers->setValue('auto_number','min',array('uidNumber'=>10000,'gidNumber'=>5000));
|
|
|
# etckeeper commit 'phpldapadmin/config.php: min uidNumber=10000 & gidNumber=5000'
|
|
|
|
|
|
# nano /etc/phpldapadmin/config.php
|
|
|
[uncomment and replace]
|
|
|
$config->custom->appearance['attr_display_order'] = array(
|
|
|
'givenName',
|
|
|
'sn',
|
|
|
'mail',
|
|
|
'gidNumber',
|
|
|
'userPassword',
|
|
|
'uid',
|
|
|
'uidNumber'
|
|
|
);
|
|
|
# etckeeper commit 'phpldapadmin/config.php: better attr_display_order'
|
|
|
|
|
|
# nano /etc/phpldapadmin/templates/creation/posixAccount.xml
|
|
|
[replace]
|
|
|
<rdn>uid</rdn>
|
|
|
# nano /etc/phpldapadmin/templates/creation/sambaSamAccount.xml
|
|
|
[same as above]
|
|
|
# etckeeper commit 'phpldapadmin/templates/creation/*Account.xml: rdn=uid'
|
|
|
|
|
|
# nano /etc/phpldapadmin/templates/creation/posixAccount.xml
|
|
|
[replace]
|
|
|
<attribute id="givenName">
|
|
|
<display>First name</display>
|
|
|
<icon>ldap-uid.png</icon>
|
|
|
<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
|
|
|
<onchange>=autoFill(uid;%givenName/l%.%sn/l%)</onchange>
|
|
|
<order>1</order>
|
|
|
<page>1</page>
|
|
|
</attribute>
|
|
|
<attribute id="sn">
|
|
|
<display>Last name</display>
|
|
|
<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
|
|
|
<onchange>=autoFill(uid;%givenName/l%.%sn/l%)</onchange>
|
|
|
<!-- <onchange>=autoFill(homeDirectory;/home/users/%uid|0-1/l%/%uid%)</onchange> -->
|
|
|
<order>2</order>
|
|
|
<page>1</page>
|
|
|
</attribute>
|
|
|
# nano /etc/phpldapadmin/templates/creation/sambaSamAccount.xml
|
|
|
[replace]
|
|
|
<attribute id="givenName">
|
|
|
<display>First name</display>
|
|
|
<icon>ldap-uid.png</icon>
|
|
|
<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
|
|
|
<onchange>=autoFill(uid;%givenName/l%.%sn/l%)</onchange>
|
|
|
<order>1</order>
|
|
|
<page>1</page>
|
|
|
</attribute>
|
|
|
<attribute id="sn">
|
|
|
<display>Last name</display>
|
|
|
<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
|
|
|
<onchange>=autoFill(uid;%givenName/l%.%sn/l%)</onchange>
|
|
|
<order>2</order>
|
|
|
<page>1</page>
|
|
|
</attribute>
|
|
|
[replace]
|
|
|
<attribute id="gidNumber">
|
|
|
<display>GID Number</display>
|
|
|
<onchange>=autoFill(homeDirectory;/home/users/%gidNumber|0-0/T%/%uid|3-%)</onchange>
|
|
|
<!-- <onchange>=autoFill(uid;%gidNumber|0-0/T%-%givenName|0-1/l%%sn/l%)</onchange> -->
|
|
|
<order>4</order>
|
|
|
<page>1</page>
|
|
|
<value><![CDATA[=php.PickList(/;(&(objectClass=posixGroup));gidNumber;%cn%;;;;cn)]]></value>
|
|
|
</attribute>
|
|
|
# etckeeper commit 'phpldapadmin/templates/creation/*Account.xml: uid=givenName.sn'
|
|
|
|
|
|
# nano /etc/phpldapadmin/templates/creation/posixAccount.xml
|
|
|
[replace]
|
|
|
<attribute id="givenName">
|
|
|
<display>First name</display>
|
|
|
<icon>ldap-uid.png</icon>
|
|
|
<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
|
|
|
<onchange>=autoFill(uid;%givenName/l%.%sn/l%)</onchange>
|
|
|
<onchange>=autoFill(mail;%givenName/l%.%sn/l%)</onchange>
|
|
|
<order>1</order>
|
|
|
<page>1</page>
|
|
|
</attribute>
|
|
|
<attribute id="sn">
|
|
|
<display>Last name</display>
|
|
|
<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
|
|
|
<onchange>=autoFill(uid;%givenName/l%.%sn/l%)</onchange>
|
|
|
<onchange>=autoFill(mail;%givenName/l%.%sn/l%)</onchange>
|
|
|
<!-- <onchange>=autoFill(homeDirectory;/home/users/%uid|0-1/l%/%uid%)</onchange> -->
|
|
|
<order>2</order>
|
|
|
<page>1</page>
|
|
|
</attribute>
|
|
|
[add at the end before
|
|
|
</attributes>]
|
|
|
<attribute id="mail">
|
|
|
<display>Email</display>
|
|
|
<icon>mail.png</icon>
|
|
|
<page>1</page>
|
|
|
</attribute>
|
|
|
# nano /etc/phpldapadmin/templates/creation/sambaSamAccount.xml
|
|
|
[replace]
|
|
|
<attribute id="givenName">
|
|
|
<display>First name</display>
|
|
|
<icon>ldap-uid.png</icon>
|
|
|
<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
|
|
|
<onchange>=autoFill(uid;%givenName/l%.%sn/l%)</onchange>
|
|
|
<onchange>=autoFill(mail;%givenName/l%.%sn/l%)</onchange>
|
|
|
<order>1</order>
|
|
|
<page>1</page>
|
|
|
</attribute>
|
|
|
<attribute id="sn">
|
|
|
<display>Last name</display>
|
|
|
<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
|
|
|
<onchange>=autoFill(uid;%givenName/l%.%sn/l%)</onchange>
|
|
|
<onchange>=autoFill(mail;%givenName/l%.%sn/l%)</onchange>
|
|
|
<order>2</order>
|
|
|
<page>1</page>
|
|
|
</attribute>
|
|
|
[add at the end before
|
|
|
</attributes>]
|
|
|
<attribute id="mail">
|
|
|
<display>Email</display>
|
|
|
<icon>mail.png</icon>
|
|
|
<page>1</page>
|
|
|
</attribute>
|
|
|
# etckeeper commit 'phpldapadmin/templates/creation/*Account.xml: add mail=uid'
|
|
|
|
|
|
# nano /etc/phpldapadmin/templates/creation/posixAccount.xml
|
|
|
[replace]
|
|
|
<attribute id="loginShell">
|
|
|
<display>Login shell</display>
|
|
|
<icon>terminal.png</icon>
|
|
|
<order>9</order>
|
|
|
<page>1</page>
|
|
|
<readonly>1</readonly>
|
|
|
<value>/bin/false</value>
|
|
|
</attribute>
|
|
|
# nano /etc/phpldapadmin/templates/creation/sambaSamAccount.xml
|
|
|
[replace]
|
|
|
<attribute id="loginShell">
|
|
|
<display>Login shell</display>
|
|
|
<icon>terminal.png</icon>
|
|
|
<order>11</order>
|
|
|
<page>1</page>
|
|
|
<readonly>1</readonly>
|
|
|
<value>/bin/false</value>
|
|
|
</attribute>
|
|
|
# etckeeper commit 'phpldapadmin/templates/creation/*Account.xml: loginShell=/bin/false'
|
|
|
|
|
|
# nano /etc/phpldapadmin/templates/creation/sambaSamAccount.xml
|
|
|
[replace]
|
|
|
<attribute id="gidNumber">
|
|
|
<display>GID Number</display>
|
|
|
<!-- <onchange>=autoFill(homeDirectory;/home/users/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
|
|
|
<!-- <onchange>=autoFill(uid;%gidNumber|0-0/T%-%givenName|0-1/l%%sn/l%)</onchange> -->
|
|
|
<order>4</order>
|
|
|
<page>1</page>
|
|
|
<value><![CDATA[=php.PickList(/;(&(objectClass=posixGroup));gidNumber;%cn%;;;;cn)]]></value>
|
|
|
</attribute>
|
|
|
[replace]
|
|
|
<attribute id="uid">
|
|
|
<display>User ID</display>
|
|
|
<onchange>=autoFill(homeDirectory;/home/users/%uid%)</onchange>
|
|
|
<order>5</order>
|
|
|
<page>1</page>
|
|
|
<spacer>1</spacer>
|
|
|
</attribute>
|
|
|
# etckeeper commit 'phpldapadmin/templates/creation/sambaSamAccount.xml: homeDirectory=givenName.sn'
|
|
|
|
|
|
# nano /etc/phpldapadmin/templates/creation/sambaSamAccount.xml
|
|
|
[comment]
|
|
|
<!--
|
|
|
<attribute id="sambaPrimaryGroupSID">
|
|
|
<display>Primary Group ID</display>
|
|
|
<helper>
|
|
|
<id>sidpgsuffix</id>
|
|
|
<value></value>
|
|
|
</helper>
|
|
|
<order>13</order>
|
|
|
<page>1</page>
|
|
|
<post>=php.Join(-;%sambaPrimaryGroupSID%,%sidpgsuffix%)</post>
|
|
|
<spacer>1</spacer>
|
|
|
<value><![CDATA[=php.PickList(/;(&(objectClass=sambaGroupMapping));sambaSID;%sambaSID% (%cn%);sambaPrimaryGroupSID;;;;cn)]]></value>
|
|
|
</attribute>
|
|
|
-->
|
|
|
# etckeeper commit 'phpldapadmin/templates/creation/sambaSamAccount.xml: no sambaPrimaryGroupSID'
|
|
|
|
|
|
[si pas VM]
|
|
|
# nano /etc/phpldapadmin/apache.conf
|
|
|
[replace]
|
|
|
Order deny,allow
|
|
|
Deny from all
|
|
|
Allow from $CIDR_NOTATION
|
|
|
# service apache2 reload
|
|
|
# etckeeper commit 'phpldapadmin/apache.conf: Allow from $CIDR_NOTATION'
|
|
|
|
|
|
|
|
|
#### mots de passe
|
|
|
|
|
|
* aller à <http://$IP/phpldapadmin/> (en HTTPS si Apache a été installé avec SSL, voir plus haut)
|
|
|
* s'identifier comme:
|
|
|
* uid=it.$ORG,ou=users,dc=$DOMAIN,dc=$TLD
|
|
|
* changer les mots de passe pour:<br />
|
|
|
[à sauver dans inubo/commun/Clients/$ORG/$ORG.kdb]
|
|
|
* cn=lookup
|
|
|
* cn=replicant
|
|
|
* ou=users
|
|
|
* uid=info.$ORG
|
|
|
* uid=it.$ORG
|
|
|
|
|
|
|
|
|
#### Accès à cn=config via phpLDAPAdmin
|
|
|
|
|
|
*Générer un mot de passe pour le compte cn=admin,cn=config (slappasswd utilise {SSHA} par défaut ; {MD5} est un hachage non salé, à ne garder que si quelque chose l'exige)*
|
|
|
|
|
|
# slappasswd -h {MD5}
|
|
|
|
|
|
*Créer un LDIF pour la modification du password (ne pas oublier de remplacer le mot de passe par celui généré)*
|
|
|
|
|
|
# nano add_adminconfig.ldif
|
|
|
|
|
|
dn: cn=config
|
|
|
changetype: modify
|
|
|
|
|
|
# usually cn=admin,cn=config is already set by a fresh slapd install
|
|
|
#dn: olcDatabase={0}config,cn=config
|
|
|
#changetype: modify
|
|
|
#add: olcRootDN
|
|
|
#olcRootDN: cn=admin,cn=config
|
|
|
|
|
|
dn: olcDatabase={0}config,cn=config
|
|
|
changetype: modify
|
|
|
add: olcRootPW
|
|
|
olcRootPW: {MD5}theHashedPasswordGeneratedBefore==
|
|
|
|
|
|
# uncomment this if you want to remove the unix root's permission
|
|
|
# to access cn=config; the fallback to unix root is useful
|
|
|
# if cn=admin,cn=config stops working (e.g. the password is lost)
|
|
|
#dn: olcDatabase={0}config,cn=config
|
|
|
#changetype: modify
|
|
|
#delete: olcAccess
|
|
|
|
|
|
*Executer le ldif*
|
|
|
|
|
|
# ldapadd -Y EXTERNAL -H ldapi:/// -f add_adminconfig.ldif
|
|
|
|
|
|
Source : [[https://wiki.debian.org/PhpLdapAdmin]]
|
|
|
|
|
|
## authentification via LDAP
|
|
|
|
|
|
|
|
|
### commun
|
|
|
|
|
|
<a name="createhomeonlogin"></a>
|
|
|
|
|
|
# nano /etc/pam.d/common-session
|
|
|
[add at the end]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
|
|
|
## create home directory on login
|
|
|
## <http://wiki.debian.org/LDAP/PAM>
|
|
|
## <http://bugs.debian.org/568577>
|
|
|
session optional pam_mkhomedir.so
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
# etckeeper commit 'pam.d/common-session: create home directory on login'
|
|
|
[ne pas oublier d'autoriser l'utilisateur dans LDAP:
|
|
|
authorizedServiceObject:authorizedService:$SERVICE]
|
|
|
|
|
|
|
|
|
### serveur LDAP
|
|
|
|
|
|
# apt-get install nslcd
|
|
|
nslcd/ldap-uris: ldap://$(hostname -f)
|
|
|
nslcd/ldap-base: dc=$DOMAIN,dc=$TLD
|
|
|
# cp /usr/share/doc/nslcd/ldapns.* /etc/ldap/schema/
|
|
|
[if nslcd < 0.9.2:
|
|
|
# nano /etc/ldap/schema/ldapns.ldif
|
|
|
[add a trailing space at the end of]
|
|
|
DESC 'Auxiliary object class for adding authorizedService attribute' SUP top
|
|
|
]
|
|
|
# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/ldap/schema/ldapns.ldif
|
|
|
# etckeeper commit 'ldap/slapd.d/cn=config/cn=schema/cn={6}ldapns.ldif new file'
|
|
|
|
|
|
*[si authentification locale et pas SSH, autrement voir workstation ci-dessous]*
|
|
|
|
|
|
<a name="ldaplocalauthentication"></a>
|
|
|
|
|
|
# apt-get install libnss-ldapd libpam-ldapd
|
|
|
libnss-ldapd/nsswitch: group, passwd, shadow
|
|
|
# nano /etc/nslcd.conf
|
|
|
[add at the end]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
|
|
|
## <http://bugs.debian.org/740662>
|
|
|
# Check that the user has a proper authorizedService value if the
|
|
|
# attribute is present (emulates pam_ldap's pam_check_service_attr,
|
|
|
# authorizedService is provided by /usr/share/doc/nslcd/ldapns.schema)
|
|
|
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=\\\\*))))
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
# dpkg-reconfigure nslcd
|
|
|
nslcd/ldap-auth-type: simple
|
|
|
nslcd/ldap-binddn: cn=lookup,$DC
|
|
|
[si TLS:
|
|
|
nslcd/ldap-starttls: true
|
|
|
nslcd/ldap-reqcert: demand]
|
|
|
# nano /etc/nslcd.conf
|
|
|
[add]
|
|
|
tls_cacertfile /etc/ssl/certs/ssl-cert-snakeoil.pem
|
|
|
# service nslcd restart
|
|
|
# getent passwd
|
|
|
# etckeeper commit 'nslcd.conf: LDAP authentication'
|
|
|
|
|
|
*[- si besoin de uptime 100%]*
|
|
|
|
|
|
[BUG:
|
|
|
<https://bugs.debian.org/645229>]
|
|
|
|
|
|
# apt-get install libpam-ccreds nscd
|
|
|
# nano /etc/pam.d/common-account
|
|
|
[replace]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
## let pam-ccreds work
|
|
|
## <https://bugs.debian.org/618722>
|
|
|
account optional pam_deny.so
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
# etckeeper commit 'pam.d/common-account: (#618722) let pam-ccreds work'
|
|
|
|
|
|
|
|
|
### workstation
|
|
|
|
|
|
<http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html>
|
|
|
|
|
|
# apt-get install sssd libpam-sss libnss-sss ldap-utils
|
|
|
# cat <<EOF >/etc/sssd/sssd.conf
|
|
|
[sssd]
|
|
|
config_file_version = 2
|
|
|
services = nss, pam
|
|
|
domains = LDAP
|
|
|
|
|
|
[nss]
|
|
|
filter_users = root
|
|
|
filter_groups = root
|
|
|
|
|
|
[pam]
|
|
|
|
|
|
[domain/LDAP]
|
|
|
debug_level = 0x0400
|
|
|
|
|
|
# Note that enabling enumeration will have a moderate performance impact.
|
|
|
# Consequently, the default value for enumeration is FALSE.
|
|
|
# Refer to the sssd.conf man page for full details.
|
|
|
## <http://samba.2283325.n4.nabble.com/sssd-getent-problem-with-Samba-4-0-td4646727.html>
|
|
|
enumerate = false
|
|
|
# Allow offline logins by locally storing password hashes (default: false).
|
|
|
cache_credentials = true
|
|
|
|
|
|
id_provider = ldap
|
|
|
auth_provider = ldap
|
|
|
access_provider = ldap
|
|
|
chpass_provider = ldap
|
|
|
|
|
|
ldap_uri = ldap://\$SERVER.$(dnsdomainname)
|
|
|
ldap_search_base = \$DC
|
|
|
# ldap_schema can be set to "rfc2307", which stores group member names in the
|
|
|
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
|
|
|
# the "member" attribute. If you do not know this value, ask your LDAP
|
|
|
# administrator.
|
|
|
ldap_schema = rfc2307
|
|
|
|
|
|
ldap_default_bind_dn = cn=lookup,\$DC
|
|
|
ldap_default_authtok_type = password
|
|
|
ldap_default_authtok = \$PASSWORD
|
|
|
|
|
|
# one of the three:
|
|
|
## =====
|
|
|
#ldap_access_order = authorizedService
|
|
|
#ldap_user_authorized_service = authorizedService
|
|
|
## =====
|
|
|
#ldap_access_order = host
|
|
|
#ldap_user_authorized_host = host
|
|
|
## =====
|
|
|
### memberOf does not work with posixGroup, but groupOfNames, thus rfc2307bis
|
|
|
### <http://www.openldap.org/lists/openldap-technical/200801/msg00170.html>
|
|
|
### <http://www.olearycomputers.com/ll/ldap/openldap_groups.html>
|
|
|
### <http://stackoverflow.com/questions/8121980/openldap-memberof-overlay-configuration-in-ubuntu-11-04>
|
|
|
### <http://ubuntuforums.org/showthread.php?t=1902334>
|
|
|
### rfc2307bis is however expired and live conversion is not possible
|
|
|
### <http://www.openldap.org/lists/openldap-software/200311/msg00360.html>
|
|
|
### <http://www.openldap.org/lists/openldap-technical/201209/msg00123.html>
|
|
|
### <http://serverfault.com/questions/224750/dn-based-linux-groups-from-ldap>
|
|
|
#ldap_access_filter = memberOf=cn=\$GROUP,ou=groups,\$DC
|
|
|
#ldap_access_filter = gidNumber=\$GID
|
|
|
|
|
|
ldap_user_search_base = ou=users,\$DC
|
|
|
ldap_group_search_base = ou=groups,\$DC
|
|
|
|
|
|
## SSSD requires TLS for LDAP authentication
|
|
|
ldap_tls_cacert = /etc/ssl/certs/\$SERVER.$(dnsdomainname).pem
|
|
|
ldap_tls_reqcert = demand
|
|
|
ldap_id_use_start_tls = true
|
|
|
EOF
|
|
|
# nano /etc/sssd/sssd.conf
|
|
|
[add correct values for $VARIABLES]
|
|
|
# chmod 600 !$
|
|
|
|
|
|
*[si workstation]*
|
|
|
|
|
|
# cp /path/to/$SERVER_HOSTNAME.$(dnsdomainname).crt /usr/local/share/ca-certificates/
|
|
|
# chown root:staff !$/$SERVER_HOSTNAME.$(dnsdomainname).crt
|
|
|
# chmod 664 !$
|
|
|
# update-ca-certificates
|
|
|
|
|
|
*[de toute façon]*
|
|
|
|
|
|
# service sssd restart
|
|
|
# getent passwd it.$ORG
|
|
|
# etckeeper commit 'sssd/sssd.conf: LDAP authentication'
|
|
|
|
|
|
|
|
|
### clés SSH via SSSD
|
|
|
|
|
|
[if openssh-server < 6.2:
|
|
|
# apt-get install -t wheezy-backports openssh-server
|
|
|
]
|
|
|
|
|
|
[BUG:
|
|
|
<https://lists.debian.org/20150727095955.GA27961@gismo.pca.it>]
|
|
|
|
|
|
# apt-get install libnl-route-3-200
|
|
|
# apt-mark auto libnl-route-3-200
|
|
|
# apt-get install -t wheezy-backports sssd
|
|
|
|
|
|
# nano /etc/sssd/sssd.conf
|
|
|
[replace]
|
|
|
services = nss, pam, ssh
|
|
|
[add after
|
|
|
[pam]]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
|
|
|
[ssh]
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
[add after
|
|
|
ldap_group_search_base = ou=groups,$DC]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
|
|
|
## <https://code.google.com/p/openssh-lpk/>
|
|
|
ldap_user_ssh_public_key = sshPublicKey
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
# service sssd restart
|
|
|
# nano /etc/ssh/sshd_config
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
[add before
|
|
|
KerberosAuthentication no]
|
|
|
## Make sure we do not kinit ourselves and let SSSD do it
|
|
|
[add before
|
|
|
UsePAM yes]
|
|
|
## Needed by SSSD
|
|
|
[add after
|
|
|
UsePAM yes]
|
|
|
## Get authorized_keys from SSSD (the helper only queries the SSSD ssh responder, so an unprivileged AuthorizedKeysCommandUser should also work -- TODO confirm before tightening)
|
|
|
## <http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf>
|
|
|
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
|
|
|
AuthorizedKeysCommandUser root
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
# service ssh restart
|
|
|
# etckeeper commit 'ssh/sshd_config: AuthorizedKeysCommand sss_ssh_authorizedkeys' |