Copyright (C) 2008-2020 Oliver Bohlen.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU Free Documentation License".
This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
This is an example how you can authenticate your System-Accounts over PAM or SASLAuthD against LDAP. Users can change their passwords in LDAP with the passwd command as usual.
If you want to use this solution you need the following howto(s) finished:
emerge sys-auth/pam_ldap emerge sys-auth/nss_ldap
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/conf.d/saslauthd
Changed on 18.05.09If you are using SASL for some authentications you should point to a configuration file with your LDAP settings.
SASLAUTHD_OPTS="-a pam"After change
SASLAUTHD_OPTS="-O /etc/saslauthd.conf -a ldap"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/crontab
Changed on 02.12.09Run the checkusers-script hourly
42 * * * * root /usr/local/sbin/checkusers.sh 2>&1 | mail -E -s "Checkusers-Script" root
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/ldap.conf.old
Changed on 18.05.09The LDAP BaesDN
base dc=padl,dc=comAfter change
base dc=example,dc=com
This is for accepting a self-signed SSL/TLS certificate
pam_login_attribute uid:caseExactMatch: tls_reqcert allow
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/nsswitch.conf
Changed on 18.05.09The order how to check for passwd, shadow and group
passwd: db files group: db files initgroups: db [SUCCESS=continue] files shadow: db files gshadow: filesAfter change
passwd: files ldap shadow: files ldap #initgroups: db [SUCCESS=continue] files group: files ldap #gshadow: files
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/pam.d/system-auth
Changed on 18.05.09Authenticate with LDAP
auth required pam_unix.so try_first_pass likeauth nullokAfter change
auth sufficient pam_unix.so try_first_pass likeauth nullok auth sufficient pam_ldap.so use_first_pass #auth optional pam_smbpass.so migrate use_first_pass auth required pam_deny.so
Authenticate with LDAP
account sufficient pam_ldap.so
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/pam.d/system-auth
Changed on 18.05.09Authenticate with LDAP
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadowAfter change
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow password sufficient pam_ldap.so use_authtok use_first_pass password required pam_deny.so
Authenticate with LDAP
session optional pam_ldap.so
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/saslauthd.conf
Changed on 18.05.09If you are using SASL for some authentications you should configure the LDAP access for SASL here.
ldap_servers: ldaps://127.0.0.1:636 ldap_search_base: ou=Users,ou=People,dc=example,dc=com ldap_scope: one ldap_uidattr: uid ldap_filter: uid:caseExactMatch:=%U
File permissions:
Owner: root
Group: root
Permissions: -rwx------
Click here for a download of the complete file: /usr/local/sbin/checkusers.sh
Changed on 02.12.09This is a script I use to create a HomeDir and a Mailbox if a new LDAP-User is created. I depends on your environment if you can use ist.
#!/bin/bash
. /etc/profile
for i in `getent passwd | cut -d":" -f 3`
do
if [ $i -gt 999 ]
then
if [ $i -lt 8999 ]
then
# Get Infos
USER=`getent passwd $i | cut -d":" -f 1`
USERID=`getent passwd $i | cut -d":" -f 3`
HOMEDIR=`getent passwd $i | cut -d":" -f 6`
GROUP=`getent passwd $i | cut -d":" -f 4`
LNAME="`getent passwd $i | cut -d':' -f 5`"
#echo "Checking User $USER"
# Check for non existing HomeDir
if ! [ -d $HOMEDIR ]
then
echo "Creating Homedir $HOMEDIR for $USER ($i)"
mkdir -p $HOMEDIR
chown $USER:$GROUP $HOMEDIR
chmod 0700 $HOMEDIR
fi
# Check for existing Backup-Dir
if ! [ -d /srv/share/Backups/home/$USER ]
then
echo "Creating BackupDir /srv/share/Backups/home/$USER for $USER ($i)"
mkdir -p /srv/share/Backups/home/$USER
chown $USER:$GROUP /srv/share/Backups/home/$USER
chmod 0700 /srv/share/Backups/home/$USER
fi
# SSH KEYs
if ! [ -e $HOMEDIR/.ssh/id_ed25519 ]
then
echo "Generating openssh-key $USER for pubkey Auth e.g. for backups"
su - $USER -c "ssh-keygen -q -t ed25519 -f $HOMEDIR/.ssh/id_ed25519 -N ''"
fi
if ! [ -e $HOMEDIR/.ssh/dropbear.key ]
then
echo "Generating dropbear-key for pubkey Auth e.g. for syncopoli-backups"
mkdir -p $HOMEDIR/.ssh
su - $USER -c "dropbearkey -t ecdsa -f $HOMEDIR/.ssh/dropbear.key 2>/dev/null | grep ecdsa >>$HOMEDIR/.ssh/authorized_keys"
chown -R $USER:$GROUP $HOMEDIR/.ssh
chmod 644 $HOMEDIR/.ssh/authorized_keys
chmod 600 $HOMEDIR/.ssh/dropbear.key
chmod 700 $HOMEDIR/.ssh
fi
# Check weather a mailbox exists
if ! [ $USER = "admin" ]
then
if /usr/local/sbin/cyr-show-mailboxes | grep "^user.$USER" >/dev/null
then
echo "Mailbox for User $USER OK" >/dev/null
else
echo "Creating Mailbox for $USER"
/usr/local/sbin/cyr-create-mbox user/$USER 100
fi
# Check/Recreate removed folders like Trash
/usr/local/sbin/cyr-create-mbox user/$USER
fi
fi
fi
done
chmod 700 /home/*
maillists.sh
Please send a feedback to: doc<at>gabosh.net
Howto listingHere you can find the official Gentoo Linux Forums where you can find a lot of answers.
Here a link to the official Gentoo Linux Homepage.