Zentrale Benutzerverwaltung mit OpenLDAP und SSS: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
 
(23 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 14: Zeile 14:
 
| DNS domain name: || it213.int
 
| DNS domain name: || it213.int
 
|-
 
|-
| Organization name: || it213
+
| Organization name: || it213.int
 
|-
 
|-
 
| Administrator password: || 123Start$
 
| Administrator password: || 123Start$
Zeile 26: Zeile 26:
 
| Allow LDAPv2 protocol? || No
 
| Allow LDAPv2 protocol? || No
 
|}
 
|}
 +
 +
= Port checken =
 +
*ss -4lntp | grep slapd
 +
LISTEN 0      2048        0.0.0.0:389      0.0.0.0:*    users:(("slapd",pid=1365,fd=7))
  
 
= ldap.conf setzen =
 
= ldap.conf setzen =
Zeile 61: Zeile 65:
  
 
== Anlegen ==
 
== Anlegen ==
* ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/struktur.ldif  
+
* ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/struktur.ldif
 +
= Kontrolle =
 +
* ldapsearch -x -LLL
  
 
= Benutzer und Gruppen =
 
= Benutzer und Gruppen =
Zeile 116: Zeile 122:
 
* ldapadduser thomas it
 
* ldapadduser thomas it
 
* ldapadduser tina it
 
* ldapadduser tina it
 +
== Kontrolle ==
 +
* ldapsearch -x
  
 
== Passwort ==
 
== Passwort ==
Zeile 124: Zeile 132:
 
* ldapaddusertogroup thomas sudo
 
* ldapaddusertogroup thomas sudo
 
* ldapaddusertogroup tina sudo
 
* ldapaddusertogroup tina sudo
 +
== Check ==
 +
*ldapsearch -xLLL  cn=sudo
 +
dn: cn=sudo,ou=groups,dc=it213,dc=int
 +
objectClass: posixGroup
 +
cn: sudo
 +
gidNumber: 10001
 +
description: Group account
 +
memberUid: thomas
 +
memberUid: tina
  
 
= SSSD Anbindung =
 
= SSSD Anbindung =
Zeile 132: Zeile 149:
 
<pre>
 
<pre>
 
[sssd]
 
[sssd]
 +
config_file_version = 2
 
services = nss, pam, sudo
 
services = nss, pam, sudo
 
domains = it213.int
 
domains = it213.int
Zeile 139: Zeile 157:
 
auth_provider = ldap
 
auth_provider = ldap
 
access_provider = permit
 
access_provider = permit
 
 
sudo_provider = ldap
 
sudo_provider = ldap
 
 
ldap_uri = ldap://ldap.it213.int
 
ldap_uri = ldap://ldap.it213.int
 
ldap_search_base = dc=it213,dc=int
 
ldap_search_base = dc=it213,dc=int
 
ldap_sudo_search_base = ou=sudo,dc=it213,dc=int
 
ldap_sudo_search_base = ou=sudo,dc=it213,dc=int
 
cache_credentials = True
 
 
ldap_id_use_start_tls = false
 
ldap_id_use_start_tls = false
 +
ldap_auth_disable_tls_never_use_in_production = true
 
ldap_tls_reqcert = never
 
ldap_tls_reqcert = never
 
</pre>
 
</pre>
 +
;[[Erklärungen sssd-1]]
  
 
* chmod 600 /etc/sssd/sssd.conf
 
* chmod 600 /etc/sssd/sssd.conf
Zeile 157: Zeile 173:
 
;Nur Kontrolle
 
;Nur Kontrolle
 
*cat /etc/nsswitch.conf  
 
*cat /etc/nsswitch.conf  
<pre>
 
  
passwd:        files systemd sss
+
passwd:        files systemd '''sss'''
group:          files systemd sss
+
group:          files systemd '''sss'''
shadow:        files systemd sss
+
shadow:        files systemd '''sss'''
gshadow:        files systemd
+
gshadow:        files systemd
 +
 +
hosts:          files dns
 +
networks:      files
 +
 +
protocols:      db files
 +
services:      db files '''sss'''
 +
ethers:        db files
 +
rpc:            db files
 +
 +
netgroup:      nis sss
 +
sudoers: files  sss
 +
automount:  sss
 +
</pre>
  
hosts:          files dns
+
== PAM ==
networks:      files
+
*grep "^[^#]" /etc/pam.d/common-auth
 
+
auth [success=2 default=ignore] pam_unix.so nullok
protocols:      db files
+
'''auth [success=1 default=ignore] pam_sss.so use_first_pass'''
services:      db files sss
+
  auth requisite pam_deny.so
ethers:        db files
+
  auth required pam_permit.so
rpc:            db files
 
 
 
netgroup:      nis sss
 
sudoers: files sss
 
automount: sss
 
</pre>
 
  
 
== PAM ==
 
== PAM ==
 
* pam-auth-update --enable sss mkhomedir
 
* pam-auth-update --enable sss mkhomedir
 
+
=Tests=
= Sudo (LDAP) =
+
;Funktioniert nsswitch?
 
+
*getent passwd thomas
== Schema erweitern ==
+
thomas:*:10000:10000:thomas:/home/thomas:/bin/bash
; sudo über LDAP funktioniert nur, wenn das sudo-Schema vorhanden ist.
+
*getent passwd tina
; Dieses Schema ist nicht Teil der Standardinstallation von OpenLDAP und muss manuell ergänzt werden.
+
tina:*:10001:10000:tina:/home/tina:/bin/bash
* cat <<EOF > /root/sudo-schema.ldif
+
*getent group it
<pre>
+
it:*:10000:
dn: cn={4}sudo,cn=schema,cn=config
+
;Kann ich mit su - einen Identitätswechel vornehmen?
changetype: modify
+
*su - thomas
add: olcAttributeTypes
+
thomas@ldap:~$ exit
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
*su - tina
-
+
tina@ldap:~$ exit
add: olcAttributeTypes
 
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 
-
 
add: olcAttributeTypes
 
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 
-
 
add: olcAttributeTypes
 
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAsUser' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 
-
 
add: olcAttributeTypes
 
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoRunAsGroup' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 
-
 
add: olcObjectClasses
 
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAsUser $ sudoRunAsGroup ) )
 
</pre>
 
EOF
 
 
 
* ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/sudo-schema.ldif
 
 
 
== Sudo Regel ==
 
* cat <<EOF > /root/sudo.ldif
 
<pre>
 
dn: cn=sudo,ou=sudo,dc=it213,dc=int
 
objectClass: top
 
objectClass: sudoRole
 
cn: sudo
 
sudoUser: %sudo
 
sudoHost: ALL
 
sudoRunAsUser: ALL
 
sudoRunAsGroup: ALL
 
sudoCommand: ALL
 
</pre>
 
EOF
 
 
 
* ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/sudo.ldif
 
 
 
== Cache leeren ==
 
* sss_cache -E
 
* systemctl restart sssd
 
 
 
== Test ==
 
* su - thomas
 
* sudo -l
 
* sudo whoami
 

Aktuelle Version vom 24. April 2026, 06:32 Uhr

Installation

passwort nach wahl festlegen
  • apt update
  • DEBIAN_FRONTEND=noninteractive apt install -y slapd ldap-utils

Grundkonfiguration

  • dpkg-reconfigure slapd
Debconf Question Recommended Input
Omit OpenLDAP server configuration? No
DNS domain name: it213.int
Organization name: it213.int
Administrator password: 123Start$
Database backend to use: MDB
Remove database when slapd is purged? No
Move old database? Yes
Allow LDAPv2 protocol? No

Port checken

  • ss -4lntp | grep slapd
LISTEN 0      2048         0.0.0.0:389       0.0.0.0:*    users:(("slapd",pid=1365,fd=7))

ldap.conf setzen

  • vim /etc/ldap/ldap.conf
BASE    dc=it213,dc=int
URI     ldap://ldap.it213.int
ldap_version    3

Kontrolle

  • ldapsearch -x -LLL

Grundstruktur

Erstellen

  • cat <<EOF > /root/struktur.ldif
dn: ou=users,dc=it213,dc=int
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=it213,dc=int
objectClass: organizationalUnit
ou: groups

dn: ou=hosts,dc=it213,dc=int
objectClass: organizationalUnit
ou: hosts

dn: ou=sudo,dc=it213,dc=int
objectClass: organizationalUnit
ou: sudo

EOF

Anlegen

  • ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/struktur.ldif

Kontrolle

  • ldapsearch -x -LLL

Benutzer und Gruppen

  • apt install -y ldapscripts

Konfiguration

  • vim /etc/ldapscripts/ldapscripts.conf
SERVER="ldap://ldap.it213.int"
SUFFIX="dc=it213,dc=int"
GSUFFIX="ou=groups"
USUFFIX="ou=users"
MSUFFIX="ou=hosts"
BINDDN="cn=admin,dc=it213,dc=int"
USHELL="/bin/bash"
UHOMES="/home/%u"
CREATEHOMES="yes"
HOMESKEL="/etc/skel"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
MIDSTART="20000" # Machine ID
GCLASS="posixGroup"   # Leave "posixGroup" here if not sure !
PASSWORDGEN="pwgen"
RECORDPASSWORDS="no"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"
LOGTOFILE="yes"
LOGFILE="/var/log/ldapscripts.log"
LOGTOSYSLOG="no"
SYSLOGFACILITY="local4"
SYSLOGLEVEL="info"
LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"
LDAPSEARCHOPTS="-o ldif-wrap=no"
GETENTPWCMD=""
GETENTGRCMD=""
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""
  • echo -n "123Start$" > /etc/ldapscripts/ldapscripts.passwd
  • chmod 600 /etc/ldapscripts/ldapscripts.passwd

Gruppen

  • ldapaddgroup it
  • ldapaddgroup sudo

Benutzer

  • ldapadduser thomas it
  • ldapadduser tina it

Kontrolle

  • ldapsearch -x

Passwort

  • ldapsetpasswd thomas
  • ldapsetpasswd tina

Gruppe zuweisen

  • ldapaddusertogroup thomas sudo
  • ldapaddusertogroup tina sudo

Check

  • ldapsearch -xLLL cn=sudo
dn: cn=sudo,ou=groups,dc=it213,dc=int
objectClass: posixGroup
cn: sudo
gidNumber: 10001
description: Group account
memberUid: thomas
memberUid: tina

SSSD Anbindung

  • apt install sssd libnss-sss libpam-sss libsss-sudo

Konfiguration

  • vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = it213.int

[domain/it213.int]
id_provider = ldap
auth_provider = ldap
access_provider = permit
sudo_provider = ldap
ldap_uri = ldap://ldap.it213.int
ldap_search_base = dc=it213,dc=int
ldap_sudo_search_base = ou=sudo,dc=it213,dc=int
ldap_id_use_start_tls = false
ldap_auth_disable_tls_never_use_in_production = true
ldap_tls_reqcert = never
Erklärungen sssd-1
  • chmod 600 /etc/sssd/sssd.conf
  • systemctl restart sssd

NSS

Nur Kontrolle
  • cat /etc/nsswitch.conf
passwd:         files systemd sss
group:          files systemd sss
shadow:         files systemd sss
gshadow:        files systemd

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers: files  sss
automount:  sss

PAM

  • grep "^[^#]" /etc/pam.d/common-auth
auth	[success=2 default=ignore]	pam_unix.so nullok
auth	[success=1 default=ignore]	pam_sss.so use_first_pass
auth	requisite			pam_deny.so
auth	required			pam_permit.so

PAM

  • pam-auth-update --enable sss mkhomedir

Tests

Funktioniert nsswitch?
  • getent passwd thomas
thomas:*:10000:10000:thomas:/home/thomas:/bin/bash
  • getent passwd tina
tina:*:10001:10000:tina:/home/tina:/bin/bash
  • getent group it
it:*:10000:
Kann ich mit su - einen Identitätswechel vornehmen?
  • su - thomas
thomas@ldap:~$ exit
  • su - tina
tina@ldap:~$ exit
Abgerufen von „http://www.xinux.net/index.php?title=Zentrale_Benutzerverwaltung_mit_OpenLDAP_und_SSS&oldid=68983