Ceci est une ancienne révision du document !
Authentification d'un poste Debian sur l'annuaire LDAP d'un serveur SME avec sssd
testé avec une debian squeeze
Installation des paquets requis
apt-get install sssd libnss-sss libpam-sss
Configuration
sssd
Éditez le fichier de configuration /etc/sssd/sssd.conf, et adaptez-le à vos besoins. Le plus important étant la partie du domane utilisé:
[domain/FIREWALL] id_provider = ldap auth_provider = ldap ldap_schema = rfc2307 ldap_uri = ldap://sme.domain.tld ldap_default_bind_dn = uid=auth,ou=Users,dc=domain,dc=tld ldap_default_authtok = something_very_secret ldap_default_authtok_type = password ldap_search_base = dc=domain,dc=tld ldap_user_search_base = ou=Users,dc=domain,dc=tld ldap_group_search_base = ou=Groups,dc=domain,dc=tld ldap_user_object_class = inetOrgPerson ldap_user_gecos = cn ldap_tls_reqcert = hard ldap_tls_cacert = /etc/ssl/certs/ca.pem ldap_id_use_start_tls = true # à dé-commenter si votre serveur SME est une iPasserelle # ldap_user_shell = desktopLoginShell cache_credentials = true enumerate = true # Il est possible de limiter l'accès via un filtre LDAP en # dé-commentant ces deux lignes. Dans cet exemple, seuls les # membres du groupe netusers seront valides sur cet hôte # posixMemberOf est un attribut disponible uniquement sur une iPasserelle # access_provider = ldap # ldap_access_filter = posixMemberOf=netusers
Il faut aussi s'assurer que le fichier /etc/ssl/certs/ca.pem contient bien la CA qui a signé le certificat de votre serveur SME.
nsswitch
Éditez /etc/nsswitch.conf en ajoutant sss pour passwd, group et shadow:
passwd: compat sss group: compat sss shadow: compat sss
pam
cd /etc/pam.d cp -a common-account common-account.orig cat <<'EOF'> common-account # # /etc/pam.d/common-account - authorization settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authorization modules that define # the central access policy for use on the system. The default is to # only deny service to users whose accounts are expired in /etc/shadow. # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # # here are the per-package modules (the "Primary" block) account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so # here's the fallback if no module succeeds account requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around account required pam_permit.so # and here are more per-package modules (the "Additional" block) account [default=bad success=ok user_unknown=ignore] pam_sss.so # end of pam-auth-update config EOF cp -a common-auth common-auth.orig cat <<'EOF'> common-auth # # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) auth [success=2 default=ignore] pam_sss.so auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass # here's the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config EOF cp -a common-password common-password.orig cat <<'EOF'> common-password # # /etc/pam.d/common-password - password-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define the services to be # used to change user passwords. The default is pam_unix. # Explanation of pam_unix options: # # The "sha512" option enables salted SHA512 passwords. Without this option, # the default is Unix crypt. Prior releases used the option "md5". # # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in # login.defs. # # See the pam_unix manpage for other options. # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) password sufficient pam_sss.so password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 # here's the fallback if no module succeeds password requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around password required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config cp -a comomn-session common-session.orig # # /etc/pam.d/common-session - session-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define tasks to be performed # at the start and end of sessions of *any* kind (both interactive and # non-interactive). # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) session [default=1] pam_permit.so # here's the fallback if no module succeeds session requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around session required pam_permit.so # and here are more per-package modules (the "Additional" block) session optional pam_mkhomedir.so skel=/etc/skel umask=0077 session optional pam_sss.so session required pam_unix.so # end of pam-auth-update config EOF