====== LDAP ======
This page is a reference for Hacklab's server admins.
===== Quick Server Details =====
* Base: dc=edinburghhacklab,dc=com
* Servers: pool.ldap.ehlab.uk, or individually a.ldap.ehlab.uk, b.ldap.ehlab.uk and c.ldap.ehlab.uk
* Port: 389 with STARTTLS, or 636 with TLS (ldaps)
===== Client Configuration =====
Quick reference for Debian LDAP client setup:
* apt-get install sssd libpam-mkhomedir
* edit /etc/ldap/ldap.conf
# /etc/ldap/ldap.conf -- defaults for the OpenLDAP command-line tools (ldapsearch etc.);
# sssd does not read this file and carries its own TLS settings in sssd.conf.
BASE dc=edinburghhacklab,dc=com
# ldaps:// means TLS from the first byte (port 636), never a plaintext start.
# The pool name presumably fronts a/b/c.ldap.ehlab.uk -- confirm in DNS.
URI ldaps://pool.ldap.ehlab.uk
# System CA bundle: any public CA is trusted. Pointing this at the CA that actually
# issues the ehlab.uk certificates would narrow trust -- TODO confirm the issuer.
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
# demand: refuse the connection if the server certificate cannot be verified.
# Do not relax to 'allow' or 'never' to work around certificate problems.
TLS_REQCERT demand
* edit /etc/sssd/sssd.conf
# /etc/sssd/sssd.conf -- sssd refuses to start unless this file is owned by root with mode 0600.
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = hacklab
[nss]
# root is never looked up in LDAP, so a directory entry cannot shadow the local root account.
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/hacklab]
id_provider = ldap
auth_provider = ldap
# rfc2307: group membership is read from memberUid (not the rfc2307bis member attribute).
ldap_schema = rfc2307
# All three servers over LDAPS (636). A plain ldap:// URI should never be added to this list.
ldap_uri = ldaps://a.ldap.ehlab.uk,ldaps://b.ldap.ehlab.uk,ldaps://c.ldap.ehlab.uk
ldap_search_base = dc=edinburghhacklab,dc=com
# With ldaps:// URIs the channel is already TLS; this keeps TLS mandatory should an
# ldap:// URI ever be introduced.
ldap_id_use_start_tls = true
# Stores a hash of each successfully authenticated password in sssd's local cache so
# users can log in while the servers are unreachable -- confirm this is wanted on shared hosts.
cache_credentials = true
# demand: abort the connection if the server certificate does not validate against ldap_tls_cacert.
ldap_tls_reqcert = demand
# System CA bundle: any public CA is trusted. Pointing this at the issuing CA only would
# narrow trust -- TODO confirm which CA issues the ehlab.uk certificates.
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
* edit /etc/pam.d/common-session
# /etc/pam.d/common-session (session stack only)
# NOTE(review): the block down to "end of pam-auth-update config" looks like it is generated
# by pam-auth-update; hand edits inside it may be overwritten on the next run -- confirm before
# relying on a manual edit.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
# optional: a failure in sssd's session handling does not block login
session optional pam_sss.so
# Creates a missing home directory on first login. umask=0022 yields a world-readable
# home (0755); use umask=0077 if home directories are meant to be private.
session optional pam_mkhomedir.so skel=/etc/skel umask=0022
# end of pam-auth-update config
* edit /etc/nsswitch.conf
# /etc/nsswitch.conf
# Sources are consulted left to right until one answers: local accounts (compat, i.e.
# /etc/passwd and friends) always win over LDAP, so a directory entry cannot override
# a local user such as root.
passwd: compat sss
group: compat sss
shadow: compat sss
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
# nis is queried before sss here -- presumably a Debian default; confirm NIS is actually in use.
netgroup: nis sss