Zentrale Benutzerverwaltung mit OpenLDAP und SSS: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
(→Tests) |
|||
| (11 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 14: | Zeile 14: | ||
| DNS domain name: || it213.int | | DNS domain name: || it213.int | ||
|- | |- | ||
| − | | Organization name: || it213 | + | | Organization name: || it213.int |
|- | |- | ||
| Administrator password: || 123Start$ | | Administrator password: || 123Start$ | ||
| Zeile 26: | Zeile 26: | ||
| Allow LDAPv2 protocol? || No | | Allow LDAPv2 protocol? || No | ||
|} | |} | ||
| + | |||
| + | = Port checken = | ||
| + | *ss -4lntp | grep slapd | ||
| + | LISTEN 0 2048 0.0.0.0:389 0.0.0.0:* users:(("slapd",pid=1365,fd=7)) | ||
= ldap.conf setzen = | = ldap.conf setzen = | ||
| Zeile 61: | Zeile 65: | ||
== Anlegen == | == Anlegen == | ||
| − | * ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/struktur.ldif | + | * ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/struktur.ldif |
| + | = Kontrolle = | ||
| + | * ldapsearch -x -LLL | ||
= Benutzer und Gruppen = | = Benutzer und Gruppen = | ||
| Zeile 116: | Zeile 122: | ||
* ldapadduser thomas it | * ldapadduser thomas it | ||
* ldapadduser tina it | * ldapadduser tina it | ||
| + | == Kontrolle == | ||
| + | * ldapsearch -x | ||
== Passwort == | == Passwort == | ||
| Zeile 124: | Zeile 132: | ||
* ldapaddusertogroup thomas sudo | * ldapaddusertogroup thomas sudo | ||
* ldapaddusertogroup tina sudo | * ldapaddusertogroup tina sudo | ||
| + | == Check == | ||
| + | *ldapsearch -xLLL cn=sudo | ||
| + | dn: cn=sudo,ou=groups,dc=it213,dc=int | ||
| + | objectClass: posixGroup | ||
| + | cn: sudo | ||
| + | gidNumber: 10001 | ||
| + | description: Group account | ||
| + | memberUid: thomas | ||
| + | memberUid: tina | ||
= SSSD Anbindung = | = SSSD Anbindung = | ||
| Zeile 132: | Zeile 149: | ||
<pre> | <pre> | ||
[sssd] | [sssd] | ||
| + | config_file_version = 2 | ||
services = nss, pam, sudo | services = nss, pam, sudo | ||
domains = it213.int | domains = it213.int | ||
| Zeile 155: | Zeile 173: | ||
;Nur Kontrolle | ;Nur Kontrolle | ||
*cat /etc/nsswitch.conf | *cat /etc/nsswitch.conf | ||
| − | |||
| − | passwd: files systemd sss | + | passwd: files systemd '''sss''' |
| − | group: files systemd sss | + | group: files systemd '''sss''' |
| − | shadow: files systemd sss | + | shadow: files systemd '''sss''' |
| − | gshadow: files systemd | + | gshadow: files systemd |
| + | |||
| + | hosts: files dns | ||
| + | networks: files | ||
| + | |||
| + | protocols: db files | ||
| + | services: db files '''sss''' | ||
| + | ethers: db files | ||
| + | rpc: db files | ||
| + | |||
| + | netgroup: nis sss | ||
| + | sudoers: files sss | ||
| + | automount: sss | ||
| + | </pre> | ||
| − | + | == PAM == | |
| − | + | *grep "^[^#]" /etc/pam.d/common-auth | |
| − | + | auth [success=2 default=ignore] pam_unix.so nullok | |
| − | + | '''auth [success=1 default=ignore] pam_sss.so use_first_pass''' | |
| − | + | auth requisite pam_deny.so | |
| − | + | auth required pam_permit.so | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
== PAM == | == PAM == | ||
* pam-auth-update --enable sss mkhomedir | * pam-auth-update --enable sss mkhomedir | ||
| + | =Tests= | ||
| + | ;Funktioniert nsswitch? | ||
| + | *getent passwd thomas | ||
| + | thomas:*:10000:10000:thomas:/home/thomas:/bin/bash | ||
| + | *getent passwd tina | ||
| + | tina:*:10001:10000:tina:/home/tina:/bin/bash | ||
| + | *getent group it | ||
| + | it:*:10000: | ||
| + | ;Kann ich mit su - einen Identitätswechel vornehmen? | ||
| + | *su - thomas | ||
| + | thomas@ldap:~$ exit | ||
| + | *su - tina | ||
| + | tina@ldap:~$ exit | ||
Aktuelle Version vom 24. April 2026, 06:32 Uhr
Installation
- passwort nach wahl festlegen
- apt update
- DEBIAN_FRONTEND=noninteractive apt install -y slapd ldap-utils
Grundkonfiguration
- dpkg-reconfigure slapd
| Debconf Question | Recommended Input |
|---|---|
| Omit OpenLDAP server configuration? | No |
| DNS domain name: | it213.int |
| Organization name: | it213.int |
| Administrator password: | 123Start$ |
| Database backend to use: | MDB |
| Remove database when slapd is purged? | No |
| Move old database? | Yes |
| Allow LDAPv2 protocol? | No |
Port checken
- ss -4lntp | grep slapd
LISTEN 0 2048 0.0.0.0:389 0.0.0.0:* users:(("slapd",pid=1365,fd=7))
ldap.conf setzen
- vim /etc/ldap/ldap.conf
BASE dc=it213,dc=int URI ldap://ldap.it213.int ldap_version 3
Kontrolle
- ldapsearch -x -LLL
Grundstruktur
Erstellen
- cat <<EOF > /root/struktur.ldif
dn: ou=users,dc=it213,dc=int objectClass: organizationalUnit ou: users dn: ou=groups,dc=it213,dc=int objectClass: organizationalUnit ou: groups dn: ou=hosts,dc=it213,dc=int objectClass: organizationalUnit ou: hosts dn: ou=sudo,dc=it213,dc=int objectClass: organizationalUnit ou: sudo
EOF
Anlegen
- ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f /root/struktur.ldif
Kontrolle
- ldapsearch -x -LLL
Benutzer und Gruppen
- apt install -y ldapscripts
Konfiguration
- vim /etc/ldapscripts/ldapscripts.conf
SERVER="ldap://ldap.it213.int" SUFFIX="dc=it213,dc=int" GSUFFIX="ou=groups" USUFFIX="ou=users" MSUFFIX="ou=hosts" BINDDN="cn=admin,dc=it213,dc=int" USHELL="/bin/bash" UHOMES="/home/%u" CREATEHOMES="yes" HOMESKEL="/etc/skel" BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd" GIDSTART="10000" # Group ID UIDSTART="10000" # User ID MIDSTART="20000" # Machine ID GCLASS="posixGroup" # Leave "posixGroup" here if not sure ! PASSWORDGEN="pwgen" RECORDPASSWORDS="no" PASSWORDFILE="/var/log/ldapscripts_passwd.log" LOGTOFILE="yes" LOGFILE="/var/log/ldapscripts.log" LOGTOSYSLOG="no" SYSLOGFACILITY="local4" SYSLOGLEVEL="info" LDAPSEARCHBIN="/usr/bin/ldapsearch" LDAPADDBIN="/usr/bin/ldapadd" LDAPDELETEBIN="/usr/bin/ldapdelete" LDAPMODIFYBIN="/usr/bin/ldapmodify" LDAPMODRDNBIN="/usr/bin/ldapmodrdn" LDAPPASSWDBIN="/usr/bin/ldappasswd" LDAPSEARCHOPTS="-o ldif-wrap=no" GETENTPWCMD="" GETENTGRCMD="" GTEMPLATE="" UTEMPLATE="" MTEMPLATE=""
- echo -n "123Start$" > /etc/ldapscripts/ldapscripts.passwd
- chmod 600 /etc/ldapscripts/ldapscripts.passwd
Gruppen
- ldapaddgroup it
- ldapaddgroup sudo
Benutzer
- ldapadduser thomas it
- ldapadduser tina it
Kontrolle
- ldapsearch -x
Passwort
- ldapsetpasswd thomas
- ldapsetpasswd tina
Gruppe zuweisen
- ldapaddusertogroup thomas sudo
- ldapaddusertogroup tina sudo
Check
- ldapsearch -xLLL cn=sudo
dn: cn=sudo,ou=groups,dc=it213,dc=int objectClass: posixGroup cn: sudo gidNumber: 10001 description: Group account memberUid: thomas memberUid: tina
SSSD Anbindung
- apt install sssd libnss-sss libpam-sss libsss-sudo
Konfiguration
- vim /etc/sssd/sssd.conf
[sssd] config_file_version = 2 services = nss, pam, sudo domains = it213.int [domain/it213.int] id_provider = ldap auth_provider = ldap access_provider = permit sudo_provider = ldap ldap_uri = ldap://ldap.it213.int ldap_search_base = dc=it213,dc=int ldap_sudo_search_base = ou=sudo,dc=it213,dc=int ldap_id_use_start_tls = false ldap_auth_disable_tls_never_use_in_production = true ldap_tls_reqcert = never
- chmod 600 /etc/sssd/sssd.conf
- systemctl restart sssd
NSS
- Nur Kontrolle
- cat /etc/nsswitch.conf
passwd: files systemd sss group: files systemd sss shadow: files systemd sss gshadow: files systemd hosts: files dns networks: files protocols: db files services: db files sss ethers: db files rpc: db files netgroup: nis sss sudoers: files sss automount: sss
PAM
- grep "^[^#]" /etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok auth [success=1 default=ignore] pam_sss.so use_first_pass auth requisite pam_deny.so auth required pam_permit.so
PAM
- pam-auth-update --enable sss mkhomedir
Tests
- Funktioniert nsswitch?
- getent passwd thomas
thomas:*:10000:10000:thomas:/home/thomas:/bin/bash
- getent passwd tina
tina:*:10001:10000:tina:/home/tina:/bin/bash
- getent group it
it:*:10000:
- Kann ich mit su - einen Identitätswechel vornehmen?
- su - thomas
thomas@ldap:~$ exit
- su - tina
tina@ldap:~$ exit