
rb:ldapclientsidesetup [24/07/2019 16:09] (current)
andrew created
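--- a/rb/ldapclientsidesetup.txt
+++ b/rb/ldapclientsidesetup.txt
@@ -0,0 +1,80 @@
+====== LDAP client side setup ======
+
+Several files need editing to enable ldap access, lines or blocks of directives which require changing are shown below, lines which are left alone are not shown for clarity:-
+
+  [root@inet03 pam.d]# more /​etc/​ldap.conf
+  # This is the configuration file for the LDAP nameservice
+  # switch library and the LDAP PAM module.
+  #
+  host inet02 inet01
+  ​
+  # The distinguished name of the search base.
+  #base dc=example,​dc=com
+  base dc=prod,​dc=company,​dc=net
+
+
+  [root@inet03 pam.d]# more /​etc/​nsswitch.conf
+  #
+  # /​etc/​nsswitch.conf
+  ​
+  passwd: ​    files ldap
+  shadow: ​    files ldap
+  group: ​     files ldap
+  ​
+  #​hosts: ​    db files nisplus nis dns
+  hosts: ​     files dns
+  ​
+  ​
+  ethers: ​    files
+  netmasks: ​  files
+  networks: ​  files
+  protocols: ​ files ldap
+  rpc:        files
+  services: ​  files ldap
+  ​
+  netgroup: ​  files ldap
+  ​
+  publickey: ​ nisplus
+  ​
+  automount: ​ files ldap
+  aliases: ​   files
+  ​
+
+  [root@inet03 pam.d]# cat /​etc/​openldap/​ldap.conf
+  #BASE   ​dc=example,​ dc=com
+  #URI    ldap://​ldap.example.com ldap://​ldap-master.example.com:​666
+  ​
+  #​SIZELIMIT ​     12
+  #​TIMELIMIT ​     15
+  #​DEREF ​         never
+  #URI ldap://​127.0.0.1/​
+  URI ldap://​inet02 ldap://​inet01
+  ​
+  #BASE dc=example,​dc=com
+  BASE dc=prod,​dc=company,​dc=net
+  ​
+  TLS_CACERTDIR /​etc/​openldap/​cacerts
+  [root@inet03 pam.d]#
+
+
+Add the pam module to /​etc/​pam.d/​sshd to auto create home directories:​-
+
+  [root@inet03 pam.d]# cat sshd
+  #%PAM-1.0
+  auth       ​include ​     system-auth
+  account ​   required ​    ​pam_nologin.so
+  account ​   include ​     system-auth
+  password ​  ​include ​     system-auth
+  session ​   optional ​    ​pam_keyinit.so force revoke
+  session ​   include ​     system-auth
+  session ​   required ​    ​pam_mkhomedir.so skel=/​etc/​skel/​ umask=0077
+  session ​   required ​    ​pam_loginuid.so
+
+Also you can add this line to a pam file like /​etc/​pam.d/​sshd:​-
+  account ​   required ​    ​pam_access.so accessfile=/​etc/​security/​access-login.conf
+
+Users must additionally be listed in /​etc/​security/​access-login.conf to allow logins.
+
+Test LDAP access with ldapsearch -x.
+
+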
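Review bot: The `host inet02 inet01` line in the /etc/ldap.conf excerpt and `URI ldap://inet02 ldap://inet01` in the /etc/openldap/ldap.conf excerpt point the client at plain `ldap://` endpoints, and no directive shown on the page turns TLS on, while `shadow: files ldap` in the nsswitch.conf excerpt means password hashes are fetched over that same connection. `TLS_CACERTDIR /etc/openldap/cacerts` only tells the library where CA certificates live; on its own it does not make the client negotiate TLS. Because the page says unchanged lines are omitted, a `ssl start_tls` line may well exist in the real /etc/ldap.conf, but the page should state that explicitly rather than leave it to the reader. I would add one line under the ldap.conf excerpt, e.g. `# ldap:// is cleartext unless 'ssl start_tls' (or an ldaps:// URI with the CA in TLS_CACERTDIR) is also set; confirm before relying on shadow: files ldap`. The `pam_access.so` line near the end is also given without saying where in the account stack it belongs relative to the `account include system-auth` entry shown above it.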
  
