
Authenticating a Debian host against the LDAP directory of an SME Server with sssd

Tested with Debian squeeze.

Installing the required packages

apt-get install sssd libnss-sss libpam-sss ca-certificates

Configuration

sssd

Edit the configuration file /etc/sssd/sssd.conf and adapt it to your needs. The most important part is the section for the domain you use:

[domain/FIREWALL]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://sme.domain.tld
ldap_default_bind_dn = uid=auth,ou=Users,dc=domain,dc=tld
ldap_default_authtok = something_very_secret
ldap_default_authtok_type = password
ldap_search_base = dc=domain,dc=tld
ldap_user_search_base = ou=Users,dc=domain,dc=tld
ldap_group_search_base = ou=Groups,dc=domain,dc=tld
ldap_user_object_class = inetOrgPerson
ldap_user_gecos = cn
ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_id_use_start_tls = true
# uncomment if your SME server is an iPasserelle
# ldap_user_shell = desktopLoginShell
cache_credentials = true
enumerate = true
# Access can be restricted with an LDAP filter by uncommenting the
# two lines below. In this example only members of the netusers
# group are valid on this host.
# posixMemberOf is an attribute that only exists on an iPasserelle
# access_provider = ldap
# ldap_access_filter = posixMemberOf=netusers

You must also make sure that /etc/ssl/certs/ca-certificates.crt contains the CA that signed your SME server's certificate; with ldap_tls_reqcert = hard, sssd refuses to talk to the server if the certificate cannot be verified.
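The settings above are what make the LDAP link safe to use: StartTLS on the ldap:// URI, strict certificate checking, a CA bundle, and optionally an access_provider so that not every directory user can log in to this host. The following audit script is an added example (it is not part of this page or of sssd) that reads the domain section of an sssd.conf and reports deviations from those settings. The file mode and owner are passed in as arguments so the check runs on a string; both sample configurations below are constructed, the "hardened" one mirroring this page and the "weak" one showing what the checks catch.

```python
"""Audit the TLS and access settings of an sssd.conf domain section."""
import configparser
import os
import stat


def audit_sssd_conf(text, mode=0o600, owner_uid=0):
    """Return a list of (severity, section, message) findings.

    `mode` and `owner_uid` describe the file holding this text; sssd itself
    refuses to start unless sssd.conf is root-owned and mode 0600, which is
    what protects the clear-text ldap_default_authtok.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    if stat.S_IMODE(mode) != 0o600 or owner_uid != 0:
        findings.append(("error", "-", "file must be root-owned with mode 0600 "
                         "(it holds the bind password; sssd will not start otherwise)"))
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        uri = d.get("ldap_uri", "")
        starttls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        if uri.startswith("ldap://") and not starttls:
            # sssd always uses TLS for user authentication, but identity lookups
            # (performed with the bind DN and its password) would go in clear.
            findings.append(("error", section, "ldap:// without "
                             "ldap_id_use_start_tls = true: bind password and lookups travel in clear"))
        elif not uri.startswith(("ldap://", "ldaps://")):
            findings.append(("error", section, f"unrecognised ldap_uri {uri!r}"))
        # sssd's default for ldap_tls_reqcert is hard, so only an explicit downgrade is flagged
        if d.get("ldap_tls_reqcert", "hard").lower() not in ("hard", "demand"):
            findings.append(("error", section, "ldap_tls_reqcert is not hard/demand: "
                             "the server certificate is not verified"))
        if not d.get("ldap_tls_cacert"):
            findings.append(("warning", section, "no ldap_tls_cacert: verification "
                             "relies on the LDAP library's default bundle"))
        if d.get("access_provider", "permit").lower() == "permit":
            findings.append(("info", section, "no access_provider: every directory user "
                             "with a valid password may log in to this host"))
    return findings


def audit_file(path):
    """Run the audit on a real file, taking mode and owner from the filesystem."""
    st = os.stat(path)
    with open(path) as fh:
        return audit_sssd_conf(fh.read(), st.st_mode, st.st_uid)


# Constructed sample: the domain section recommended on this page.
HARDENED = """\
[domain/FIREWALL]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://sme.domain.tld
ldap_default_bind_dn = uid=auth,ou=Users,dc=domain,dc=tld
ldap_default_authtok = something_very_secret
ldap_default_authtok_type = password
ldap_search_base = dc=domain,dc=tld
ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_id_use_start_tls = true
# access_provider = ldap
"""

# Constructed sample: the same domain with the protections removed.
WEAK = """\
[domain/FIREWALL]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://sme.domain.tld
ldap_default_bind_dn = uid=auth,ou=Users,dc=domain,dc=tld
ldap_default_authtok = something_very_secret
ldap_search_base = dc=domain,dc=tld
ldap_tls_reqcert = allow
"""

if __name__ == "__main__":
    for name, text, mode in (("hardened", HARDENED, 0o600), ("weak", WEAK, 0o644)):
        print(f"== {name} ==")
        for severity, section, message in audit_sssd_conf(text, mode):
            print(f"  [{severity}] {section}: {message}")
```

On a live host call audit_file("/etc/sssd/sssd.conf") as root; the hardened sample only yields the informational note about the missing access_provider, which is exactly the trade-off the commented lines in the configuration above let you make.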

nsswitch

Edit /etc/nsswitch.conf and add sss to the passwd, group and shadow lines:

passwd:         compat sss
group:          compat sss
shadow:         compat sss

pam

cd /etc/pam.d
cp -a common-account common-account.orig
cat <<'EOF'> common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
 
 
account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
# here's the fallback if no module succeeds
account requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# (pam_mkhomedir belongs in common-session, where it is configured below)
account [default=bad success=ok user_unknown=ignore]    pam_sss.so
EOF
cp -a common-auth common-auth.orig
cat <<'EOF'> common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
 
# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]                      pam_sss.so
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
EOF
cp -a common-password common-password.orig
cat <<'EOF'> common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
 
 
# here are the per-package modules (the "Primary" block)
password        sufficient                      pam_sss.so
password        [success=1 default=ignore]      pam_unix.so obscure try_first_pass sha512
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
 
 
EOF
cp -a common-session common-session.orig
cat <<'EOF'> common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
# 
 
# here are the per-package modules (the "Primary" block)
session [default=1]   pam_permit.so
# here's the fallback if no module succeeds
session requisite     pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required      pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional      pam_mkhomedir.so skel=/etc/skel umask=0077
session optional      pam_sss.so
session required      pam_unix.so
 
 
EOF
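The [success=N default=ignore] controls in these files are jump instructions: on success the stack skips the next N modules, otherwise the module is ignored and evaluation falls through to pam_deny. Getting N wrong by one changes who is allowed in, which is why editing these files by hand deserves a dry run. The script below is an added example (it is not part of this page or of Linux-PAM) that parses pam.d lines for one module type and evaluates the stack with hand-supplied module results, following Linux-PAM's ok/done/bad/die/ignore/jump semantics. It is fed the common-auth stack from this page and a constructed variant whose pam_sss jump is miscounted.

```python
"""Simulate how Linux-PAM evaluates a jump-based pam.d stack (one module type)."""

# The classic keywords, expressed as the bracketed form Linux-PAM expands them to.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# Modules whose verdict never depends on the user.
FIXED_RESULTS = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}


def parse_control(token):
    """Turn 'required' or '[success=2 default=ignore]' into a {return code: action} map."""
    if not token.startswith("["):
        return dict(SIMPLE_CONTROLS[token])
    return dict(kv.split("=", 1) for kv in token.strip("[]").split())


def parse_stack(text, module_type):
    """Extract (control, module) pairs of one type ('auth', 'account', ...) from a pam.d body."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] != module_type:
            continue
        rest = parts[1]
        if rest.startswith("["):
            close = rest.index("]")
            control, module = rest[:close + 1], rest[close + 1:].split()[0]
        else:
            control, module = rest.split()[:2]
        stack.append((parse_control(control), module))
    return stack


def evaluate(stack, results):
    """Walk the stack like Linux-PAM and return 'success' or 'fail'.

    `results` maps module name -> return code ('success', 'auth_err',
    'user_unknown', ...). Modules not listed are assumed to return auth_err.
    """
    state = None            # overall impression so far: None, 'success' or 'fail'
    i = 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        code = FIXED_RESULTS.get(module, results.get(module, "auth_err"))
        action = control.get(code, control.get("default", "bad"))
        verdict = "success" if code == "success" else "fail"
        if action == "ignore":
            continue
        if action.isdigit():            # 'N': like ok, then skip the next N modules
            if state != "fail":
                state = verdict
            i += int(action)
        elif action == "ok":            # counts unless a failure was already recorded
            if state != "fail":
                state = verdict
        elif action == "done":          # stop right away with the stack's verdict
            return "fail" if state == "fail" else verdict
        elif action == "bad":           # record a failure but keep going
            state = "fail"
        elif action == "die":           # record a failure and stop immediately
            return "fail"
        elif action == "reset":
            state = None
    # No module set an impression: Linux-PAM denies, which is why pam_permit
    # is there to "prime the stack with a positive return value".
    return state or "fail"


def decide(stack_text, results, module_type="auth"):
    return evaluate(parse_stack(stack_text, module_type), results)


# The common-auth stack from this page.
COMMON_AUTH = """\
auth    [success=2 default=ignore]                      pam_sss.so
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""

# Constructed variant: pam_sss's jump miscounted as 1, so a successful LDAP
# authentication lands on pam_deny instead of pam_permit.
MISCOUNTED_AUTH = COMMON_AUTH.replace("success=2", "success=1", 1)

if __name__ == "__main__":
    cases = {
        "ldap user":      {"pam_sss.so": "success", "pam_unix.so": "user_unknown"},
        "local user":     {"pam_sss.so": "user_unknown", "pam_unix.so": "success"},
        "wrong password": {"pam_sss.so": "auth_err", "pam_unix.so": "auth_err"},
    }
    for name, results in cases.items():
        print(f"{name:15} page stack: {decide(COMMON_AUTH, results):8} "
              f"miscounted: {decide(MISCOUNTED_AUTH, results)}")
```

With the page's stack an LDAP user, a local user and a wrong password give success, success and fail respectively; with the miscounted jump the LDAP user is denied even though sssd accepted the password, while local logins keep working, which is precisely the kind of regression that goes unnoticed when you only test as root.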

Enabling the service at boot

update-rc.d sssd enable
/etc/init.d/sssd start