Copyright (C) 2008-2020 Oliver Bohlen.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU Free Documentation License".
This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
This is an example of how you can authenticate your system accounts against LDAP via PAM or SASLAuthD. Users can change their passwords in LDAP with the passwd command as usual.
If you want to use this solution you need to have finished the following howto(s):
emerge sys-auth/pam_ldap
emerge sys-auth/nss_ldap
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/conf.d/saslauthd
Changed on 18.05.09
If you use SASL for some authentications, point saslauthd to a configuration file with your LDAP settings.
Before change:
SASLAUTHD_OPTS="-a pam"
After change:
SASLAUTHD_OPTS="-O /etc/saslauthd.conf -a ldap"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/crontab
Changed on 02.12.09
Run the checkusers script hourly:
42 * * * * root /usr/local/sbin/checkusers.sh 2>&1 | mail -E -s "Checkusers-Script" root
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/ldap.conf.old
Changed on 18.05.09
The LDAP BaseDN
Before change:
base dc=padl,dc=com
After change:
base dc=example,dc=com
The login attribute is matched case-exactly, and tls_reqcert allow accepts a self-signed SSL/TLS certificate (with allow, an invalid server certificate is ignored rather than rejected):
pam_login_attribute uid:caseExactMatch:
tls_reqcert allow
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/nsswitch.conf
Changed on 18.05.09
The lookup order for passwd, shadow and group
Before change:
passwd: db files
group: db files
initgroups: db [SUCCESS=continue] files
shadow: db files
gshadow: files
After change:
passwd: files ldap
shadow: files ldap
#initgroups: db [SUCCESS=continue] files
group: files ldap
#gshadow: files
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/pam.d/system-auth
Changed on 18.05.09
Authenticate with LDAP
Before change:
auth required pam_unix.so try_first_pass likeauth nullok
After change:
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_ldap.so use_first_pass
#auth optional pam_smbpass.so migrate use_first_pass
auth required pam_deny.so
Authenticate with LDAP
account sufficient pam_ldap.so
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/pam.d/system-auth
Changed on 18.05.09
Authenticate with LDAP
Before change:
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
After change:
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_ldap.so use_authtok use_first_pass
password required pam_deny.so
Authenticate with LDAP
session optional pam_ldap.so
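To see why the auth and password stacks above consult pam_unix.so before pam_ldap.so and end in pam_deny.so, here is an added toy evaluator of the PAM control flags (example code, not from this howto); the module names are the page's, the scenarios are constructed, and the model covers only required/requisite/sufficient/optional.

```python
# Toy model of Linux-PAM control flags for the system-auth stacks on this page
# (added example, not part of the original howto). It treats pam_deny.so as
# always failing and ignores PAM_IGNORE and [value=action] tables.

# Stacks as (control, module) pairs, copied from the Before/After lines.
AUTH_BEFORE = [("required", "pam_unix.so")]
AUTH_AFTER = [("sufficient", "pam_unix.so"),
              ("sufficient", "pam_ldap.so"),
              ("required", "pam_deny.so")]
PASSWORD_AFTER = [("sufficient", "pam_unix.so"),
                  ("sufficient", "pam_ldap.so"),
                  ("required", "pam_deny.so")]


def run_stack(stack, results):
    """Return (granted, modules_consulted) for one PAM management group.

    results maps module name -> True (PAM_SUCCESS) or False (any failure);
    modules missing from results are treated as failing.
    """
    consulted = []
    required_failed = False
    for control, module in stack:
        consulted.append(module)
        ok = module != "pam_deny.so" and results.get(module, False)
        if control == "requisite" and not ok:
            return False, consulted          # abort immediately
        if control == "required" and not ok:
            required_failed = True           # keep walking, outcome is lost
        elif control == "sufficient" and ok and not required_failed:
            return True, consulted           # short-circuit: rest is skipped
        # optional: never decides on its own in this model
    return False, consulted                  # nothing granted access


# Constructed scenarios: which backend knows the user and accepts the secret.
SCENARIOS = {
    "local user, ldap down": {"pam_unix.so": True, "pam_ldap.so": False},
    "ldap-only user": {"pam_unix.so": False, "pam_ldap.so": True},
    "wrong password everywhere": {"pam_unix.so": False, "pam_ldap.so": False},
}


def evaluate(stack, scenario):
    """Run one named scenario against a stack; returns (granted, consulted)."""
    return run_stack(stack, SCENARIOS[scenario])
```

Note that a local user (root included) never touches pam_ldap.so, so an LDAP outage cannot lock out local accounts, while an LDAP-only user was refused by the old stack.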
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/saslauthd.conf
Changed on 18.05.09
If you use SASL for some authentications, configure the LDAP access for SASL here.
ldap_servers: ldaps://127.0.0.1:636
ldap_search_base: ou=Users,ou=People,dc=example,dc=com
ldap_scope: one
ldap_uidattr: uid
ldap_filter: uid:caseExactMatch:=%U
File permissions:
Owner: root
Group: root
Permissions: -rwx------
Complete file: /usr/local/sbin/checkusers.sh
Changed on 02.12.09
This is a script I use to create a home directory and a mailbox when a new LDAP user is created. Whether you can use it depends on your environment.
#!/bin/bash
# Runs hourly from /etc/crontab: gives every user with a UID between 1000 and
# 8998 a home directory, a backup directory, SSH keys and a Cyrus mailbox.
. /etc/profile

for i in $(getent passwd | cut -d":" -f 3)
do
  if [ "$i" -gt 999 ] && [ "$i" -lt 8999 ]
  then
    # Get Infos (USERID and LNAME are collected but not used below)
    USER=$(getent passwd "$i" | cut -d":" -f 1)
    USERID=$(getent passwd "$i" | cut -d":" -f 3)
    HOMEDIR=$(getent passwd "$i" | cut -d":" -f 6)
    GROUP=$(getent passwd "$i" | cut -d":" -f 4)
    LNAME=$(getent passwd "$i" | cut -d':' -f 5)
    #echo "Checking User $USER"

    # Check for non existing HomeDir
    if ! [ -d "$HOMEDIR" ]
    then
      echo "Creating Homedir $HOMEDIR for $USER ($i)"
      mkdir -p "$HOMEDIR"
      chown "$USER:$GROUP" "$HOMEDIR"
      chmod 0700 "$HOMEDIR"
    fi

    # Check for existing Backup-Dir
    if ! [ -d "/srv/share/Backups/home/$USER" ]
    then
      echo "Creating BackupDir /srv/share/Backups/home/$USER for $USER ($i)"
      mkdir -p "/srv/share/Backups/home/$USER"
      chown "$USER:$GROUP" "/srv/share/Backups/home/$USER"
      chmod 0700 "/srv/share/Backups/home/$USER"
    fi

    # SSH KEYs: ssh-keygen and dropbearkey do not create ~/.ssh themselves,
    # and the user must own it before the key generators run as that user
    if ! [ -d "$HOMEDIR/.ssh" ]
    then
      mkdir -p "$HOMEDIR/.ssh"
      chown "$USER:$GROUP" "$HOMEDIR/.ssh"
      chmod 700 "$HOMEDIR/.ssh"
    fi
    if ! [ -e "$HOMEDIR/.ssh/id_ed25519" ]
    then
      echo "Generating openssh-key $USER for pubkey Auth e.g. for backups"
      su - "$USER" -c "ssh-keygen -q -t ed25519 -f $HOMEDIR/.ssh/id_ed25519 -N ''"
    fi
    if ! [ -e "$HOMEDIR/.ssh/dropbear.key" ]
    then
      echo "Generating dropbear-key for pubkey Auth e.g. for syncopoli-backups"
      su - "$USER" -c "dropbearkey -t ecdsa -f $HOMEDIR/.ssh/dropbear.key 2>/dev/null | grep ecdsa >>$HOMEDIR/.ssh/authorized_keys"
      chown -R "$USER:$GROUP" "$HOMEDIR/.ssh"
      chmod 644 "$HOMEDIR/.ssh/authorized_keys"
      chmod 600 "$HOMEDIR/.ssh/dropbear.key"
      chmod 700 "$HOMEDIR/.ssh"
    fi

    # Check whether a mailbox exists (the dot in user.NAME is escaped and the
    # name is anchored so that "bob" does not match "user.bobby")
    if ! [ "$USER" = "admin" ]
    then
      if /usr/local/sbin/cyr-show-mailboxes | grep -q "^user\.$USER\b"
      then
        : # Mailbox for User $USER OK
      else
        echo "Creating Mailbox for $USER"
        /usr/local/sbin/cyr-create-mbox "user/$USER" 100
      fi
      # Check/Recreate removed folders like Trash
      /usr/local/sbin/cyr-create-mbox "user/$USER"
    fi
  fi
done
chmod 700 /home/*
# separate script on this system, not shown in this howto
maillists.sh
Please send a feedback to: doc<at>gabosh.net