leviathonbeast/lldap
1
0
Fork 0
mirror of https://github.com/lldap/lldap.git synced 2026-03-31 15:07:48 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
copilot/fix-1268
lldap/example_configs/pam/README.md
T
v-mod 1f89059c84 example_config: Add SSSD 
* example_config: moving nslcd old guide to NSLCD.md

* example_config: creating README for SSSD

* example_config: creating sssd.conf

* example_config: removing explicit links and adding a reference to the old NSLCD guide

* example_config: fixing images in pam README

* example_config: add how to enable automatic home directory creation

* example_config: fixing typo in command to edit ssh config

* example_config: using commments instead of line numbers for the example sssd.conf file

---------

Co-authored-by: nitnelave <valentin@tolmer.fr>
2025-04-09 10:15:03 +09:00

158 lines
4.1 KiB
Markdown
Raw Permalink Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Getting Started with UNIX PAM using SSSD
## Configuring LLDAP
### Configure LDAPS
You **must** use LDAPS. You MUST NOT use plain LDAP. Even over a private network this costs you nearly nothing, and passwords will be sent in PLAIN TEXT without it.
```jsx
[ldaps_options]
enabled=true
port=6360
cert_file="cert.pem"
key_file="key.pem"
```
You can generate an SSL certificate for it with the following command. The `subjectAltName` is REQUIRED. Make sure all domains are listed there, even your `CN`.
```bash
openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 36500 -nodes -subj "/CN=lldap.example.net" -addext "subjectAltName = DNS:lldap.example.net"
```
### Setting up the custom attributes
You will need to add the following custom attributes to the **user schema**.
- uidNumber (integer)
- gidNumber (integer, multiple values)
- homeDirectory (string)
- unixShell (string)
- sshPublicKey (string) (only if youre setting up SSH Public Key Sync)
You will need to add the following custom attributes to the **group schema.**
- gidNumber (integer)
You will now need to populate these values for all the users you wish to be able to login.
## Client setup
### Install the client packages
You need to install the packages `sssd` `sssd-tools` `libnss-sss` `libpam-sss` `libsss-sudo` .
E.g. on Debian/Ubuntu
```bash
sudo apt update; sudo apt install -y sssd sssd-tools libnss-sss libpam-sss libsss-sudo
```
### Configure the client packages
Use your favourite text editor to create/open the file `/etc/sssd/sssd.conf` .
E.g. Using nano
```bash
sudo nano /etc/sssd/sssd.conf
```
Insert the contents of the provided template (sssd.conf), but you will need to change some of the configuration in the file. Comments have been made to guide you. The config file is an example if your LLDAP server is hosted at `lldap.example.com` and your domain is `example.com` with your dc being `dc=example,dc=com`.
SSSD will **refuse** to run if its config file is world-readable, so apply the following permissions to it:
```bash
sudo chmod 600 /etc/sssd/sssd.conf
```
Restart SSSD to apply any changes:
```bash
sudo systemctl restart sssd
```
Enable automatic creation of home directories
```bash
sudo pam-auth-update --enable mkhomedir
```
## Permissions and SSH Key sync
### SSH Key Sync
In order to do this, you need to setup the custom attribute `sshPublicKey` in the user schema. Then, you must uncomment the following line in the SSSD config file (assuming you are using the provided template):
```bash
sudo nano /etc/sssd/sssd.conf
```
```jsx
ldap_user_ssh_public_key = sshPublicKey
```
And the following to the bottom of your OpenSSH config file:
```bash
sudo nano /etc/ssh/sshd_config
```
```bash
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
```
Now restart both SSH and SSSD:
```bash
sudo systemctl restart ssh
sudo systemctl restart sssd
```
### Permissions Sync
Linux often manages permissions to tools such as Sudo and Docker based on group membership. There are two possible ways to achieve this.
**Number 1**
**If all your client systems are setup identically,** you can just check the group id of the local group, i.e. Sudo being 27 on most Debian and Ubuntu installs, and set that as the gid in LLDAP. For tools such as docker, you can create a group before install with a custom gid on the system, which must be the same on all, and use that GID on the LLDAP group
Sudo
![image](https://github.com/user-attachments/assets/731847e6-c857-4250-a007-a3790a6a1b6d)
Docker
```jsx
sudo groupadd docker -g 722
```
![image](https://github.com/user-attachments/assets/face88d0-5a20-4442-a5e3-9f6a1ae41b68)
**Number 2**
Create a group in LLDAP that you would like all your users who have sudo access to be in, and add the following to the bottom of `/etc/sudoers` .
E.g. if your group is named `lldap_sudo`
```bash
%lldap_sudo ALL=(ALL:ALL) ALL
```
## Debugging
To verify your config files validity, you can run the following command
```jsx
sudo sssctl config-check
```
To flush SSSDs cache
```jsx
sudo sss_cache -E
```
## Final Notes
To see the old guide for NSLCD, go to NSLCD.md.
Reference in New Issue View Git Blame Copy Permalink