Authenticating a Debian workstation against the LDAP directory of an SME server with sssd
Tested with Debian squeeze
Installing the required packages
apt-get install sssd libnss-sss libpam-sss ca-certificates
Configuration
sssd
Edit the configuration file /etc/sssd/sssd.conf and adapt it to your needs. The most important part is the section for the domain in use:
[domain/FIREWALL]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://sme.domain.tld
ldap_default_bind_dn = uid=auth,ou=Users,dc=domain,dc=tld
ldap_default_authtok = something_very_secret
ldap_default_authtok_type = password
ldap_search_base = dc=domain,dc=tld
ldap_user_search_base = ou=Users,dc=domain,dc=tld
ldap_group_search_base = ou=Groups,dc=domain,dc=tld
ldap_user_object_class = inetOrgPerson
ldap_user_gecos = cn
ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_id_use_start_tls = true
# uncomment if your SME server is an iPasserelle
# ldap_user_shell = desktopLoginShell
cache_credentials = true
enumerate = true
# Access can be restricted with an LDAP filter by
# uncommenting these two lines. In this example, only
# members of the netusers group will be valid on this host
# posixMemberOf is an attribute available only on an iPasserelle
# access_provider = ldap
# ldap_access_filter = posixMemberOf=netusers
You must also make sure that the file /etc/ssl/certs/ca-certificates.crt contains the CA that signed your SME server's certificate.
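A quick audit of the settings above, as an added example that is not part of the original page: the function audit_sssd_conf (a hypothetical name) checks that sssd.conf, which stores the bind password in clear text, has mode 600, that the LDAP connection uses ldaps:// or StartTLS, that certificate verification is enforced, and that the configured CA bundle is readable. It assumes GNU stat and a single domain section.

```shell
#!/bin/sh
# Added example: audit the TLS and permission settings of an sssd.conf.
# Assumes GNU stat (Debian) and a single [domain/...] section.

# Print the value assigned to key $2 in file $1 (commented lines are skipped).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one WARN line per finding; return 0 only when there are none.
audit_sssd_conf() {
    conf=$1
    findings=0
    warn() { echo "WARN: $*"; findings=$((findings + 1)); }

    # The file holds ldap_default_authtok in clear text.
    mode=$(stat -c %a "$conf") || return 2
    [ "$mode" = "600" ] || warn "$conf has mode $mode, expected 600"

    uri=$(conf_get "$conf" ldap_uri)
    starttls=$(conf_get "$conf" ldap_id_use_start_tls)
    reqcert=$(conf_get "$conf" ldap_tls_reqcert)
    cacert=$(conf_get "$conf" ldap_tls_cacert)

    # Lookups are encrypted with ldaps:// or with StartTLS on ldap://.
    case "$uri" in
        ldaps://*) ;;
        *) case "$starttls" in
               [Tt][Rr][Uu][Ee]) ;;
               *) warn "ldap_uri is not ldaps:// and StartTLS is not enabled" ;;
           esac ;;
    esac

    # An unset ldap_tls_reqcert falls back to the sssd default, hard.
    case "$reqcert" in
        ""|hard|demand) ;;
        *) warn "ldap_tls_reqcert = $reqcert does not enforce verification" ;;
    esac

    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        warn "CA bundle $cacert is missing or unreadable"
    fi

    [ "$findings" -eq 0 ]
}

# Run against the file given as first argument, if any.
if [ "$#" -gt 0 ]; then audit_sssd_conf "$1"; fi
```

Run it as root against /etc/sssd/sssd.conf after editing; a non-zero exit status means at least one WARN line was printed.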
nsswitch
Edit /etc/nsswitch.conf and add sss for passwd, group and shadow:
passwd: compat sss
group: compat sss
shadow: compat sss
pam
cd /etc/pam.d

cp -a common-account common-account.orig
cat <<'EOF'> common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional pam_mkhomedir.so skel=/etc/skel umask=0077
account [default=bad success=ok user_unknown=ignore] pam_sss.so
EOF

cp -a common-auth common-auth.orig
cat <<'EOF'> common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_sss.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
EOF

cp -a common-password common-password.orig
cat <<'EOF'> common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
# here are the per-package modules (the "Primary" block)
password sufficient pam_sss.so
password [success=1 default=ignore] pam_unix.so obscure try_first_pass sha512
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
EOF

cp -a common-session common-session.orig
cat <<'EOF'> common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional pam_mkhomedir.so skel=/etc/skel umask=0077
session optional pam_sss.so
session required pam_unix.so
EOF
Enabling at boot
update-rc.d sssd enable
/etc/init.d/sssd start