LDAP
This page is a reference for Hacklab's server admins.
Quick Server Details
- Base: dc=edinburghhacklab,dc=com
- Servers: pool.ldap.ehlab.uk, or a.ldap.ehlab.uk + b.ldap.ehlab.uk + c.ldap.ehlab.uk
- Port: 389/STARTTLS or 636/TLS
Client Configuration
Quick reference for Debian LDAP client setup:
- apt-get install sssd libpam-mkhomedir
- edit /etc/ldap/ldap.conf
    BASE dc=edinburghhacklab,dc=com
    URI ldaps://pool.ldap.ehlab.uk
    TLS_CACERT /etc/ssl/certs/ca-certificates.crt
    TLS_REQCERT demand
- edit /etc/sssd/sssd.conf
    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    services = nss, pam
    domains = hacklab

    [nss]
    filter_groups = root
    filter_users = root
    reconnection_retries = 3

    [pam]
    reconnection_retries = 3

    [domain/hacklab]
    id_provider = ldap
    auth_provider = ldap
    ldap_schema = rfc2307
    ldap_uri = ldaps://a.ldap.ehlab.uk,ldaps://b.ldap.ehlab.uk,ldaps://c.ldap.ehlab.uk
    ldap_search_base = dc=edinburghhacklab,dc=com
    ldap_id_use_start_tls = true
    cache_credentials = true
    ldap_tls_reqcert = demand
    ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
  Note: ldap_tls_reqcert = demand together with a correct ldap_tls_cacert is what makes sssd verify the server certificate; do not relax it to allow or never on a host that sends passwords to the directory. ldap_id_use_start_tls only matters for ldap:// URIs; with the ldaps:// URIs above it is redundant but harmless.
- edit /etc/pam.d/common-session
    # here are the per-package modules (the "Primary" block)
    session [default=1] pam_permit.so
    # here's the fallback if no module succeeds
    session requisite pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    session required pam_permit.so
    # and here are more per-package modules (the "Additional" block)
    session required pam_unix.so
    session optional pam_sss.so
    session optional pam_mkhomedir.so skel=/etc/skel umask=0022
    # end of pam-auth-update config
  Note: this block sits inside the region that pam-auth-update manages, so a later run of pam-auth-update will drop the hand-added pam_mkhomedir line; re-check it after upgrades. umask=0022 creates new home directories world-readable (0755); use umask=0077 if members' home directories should be private.
- edit /etc/nsswitch.conf
    passwd:     compat sss
    group:      compat sss
    shadow:     compat sss
    hosts:      files dns
    networks:   files
    protocols:  db files
    services:   db files
    ethers:     db files
    rpc:        db files
    netgroup:   nis sss
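As an added example (not part of this page and not Hacklab's own tooling), the script below lints the [domain/...] section of an sssd.conf for the settings that decide whether the client verifies the directory server and never sends credentials in the clear. The two sample configs it writes are constructed for the demo, and the pass/fail rules are my assumptions rather than Hacklab policy.

```shell
#!/bin/sh
# Added example for the Hacklab LDAP client page (not Hacklab's own code).
# Lints the first [domain/...] section of an sssd.conf for transport security:
#   - every ldap_uri entry must be ldaps://, or ldap:// with ldap_id_use_start_tls = true
#   - ldap_tls_reqcert must be demand or hard (unset falls back to sssd's default, hard)
#   - ldap_tls_cacert should be set and readable (warning only)
# These rules are my assumptions, not Hacklab policy.

# get_opt FILE KEY: print the value of "KEY = value" from the first [domain/...]
# section of FILE (empty if unset). Comment lines and other sections are ignored.
get_opt() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_domain = ($0 ~ /^[ \t]*\[domain\//); next }
        in_domain && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# check_sssd_conf FILE: print one line per finding; return 0 only when there is no FAIL.
check_sssd_conf() {
    file=$1
    rc=0
    uris=$(get_opt "$file" ldap_uri)
    starttls=$(get_opt "$file" ldap_id_use_start_tls)
    reqcert=$(get_opt "$file" ldap_tls_reqcert)
    cacert=$(get_opt "$file" ldap_tls_cacert)

    if [ -z "$uris" ]; then
        echo "FAIL: no ldap_uri in the domain section"
        return 1
    fi
    # Every server must be reached over TLS: ldaps:// (636), or ldap:// (389)
    # upgraded with STARTTLS via ldap_id_use_start_tls = true.
    for u in $(printf '%s\n' "$uris" | tr ',' ' '); do
        case $u in
            ldaps://*) ;;
            ldap://*)
                if [ "$starttls" != "true" ]; then
                    echo "FAIL: $u is plaintext and ldap_id_use_start_tls is not true"
                    rc=1
                fi ;;
            *)  echo "FAIL: unrecognised URI scheme in $u"; rc=1 ;;
        esac
    done
    # TLS without certificate verification still lets an on-path attacker
    # impersonate the server; only demand/hard actually reject a bad certificate.
    case $reqcert in
        ""|demand|hard) ;;
        *)  echo "FAIL: ldap_tls_reqcert=$reqcert does not verify the server certificate"
            rc=1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "WARN: ldap_tls_cacert is unset; verification relies on the libldap default trust store"
    elif [ ! -r "$cacert" ]; then
        echo "WARN: ldap_tls_cacert=$cacert is not readable on this host"
    fi
    return $rc
}

# write_sample good|bad: write a constructed sssd.conf to a temp file and print its path.
write_sample() {
    f=$(mktemp)
    if [ "$1" = good ]; then
        cat >"$f" <<'EOF'
[sssd]
domains = hacklab
[domain/hacklab]
id_provider = ldap
ldap_uri = ldaps://a.ldap.ehlab.uk, ldaps://b.ldap.ehlab.uk
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
EOF
    else
        cat >"$f" <<'EOF'
[sssd]
domains = hacklab
[domain/hacklab]
id_provider = ldap
ldap_uri = ldap://a.ldap.ehlab.uk
ldap_tls_reqcert = never
EOF
    fi
    echo "$f"
}

# Demo run over the constructed samples; on a real host: check_sssd_conf /etc/sssd/sssd.conf
for kind in good bad; do
    f=$(write_sample "$kind")
    if check_sssd_conf "$f"; then echo "$kind sample: OK"; else echo "$kind sample: FAIL"; fi
    rm -f "$f"
done
```

On a configured host, run check_sssd_conf /etc/sssd/sssd.conf, then confirm the chain end to end: openssl s_client -connect pool.ldap.ehlab.uk:636 -CAfile /etc/ssl/certs/ca-certificates.crt should report "Verify return code: 0 (ok)", and getent passwd followed by a directory account name should resolve it through sss once sssd is running.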
ldap.txt · Last modified: 2017-06-23 16:01 by tim