tuto:ipasserelle:authentification:debian_sssd_on_sme

Differences

Below are the differences between two revisions of the page.

tuto:ipasserelle:authentification:debian_sssd_on_sme [22/06/2012 14:38]
dani [pam]
tuto:ipasserelle:authentification:debian_sssd_on_sme [21/10/2015 17:30] (current version)
heuzef [sssd]
Line 8: Line 8:
  
  
-<code bash>apt-get install sssd libnss-sss libpam-sss+<code bash>apt-get install sssd libnss-sss libpam-sss ca-certificates
 </code> </code>
  
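Review bot: adding `ca-certificates` to the install line only delivers the Debian bundle; the SME server's CA that the later hunks expect in /etc/ssl/certs/ca-certificates.crt is not in it, so the install step should also say where that CA goes. Copy it as a `.crt` file into /usr/local/share/ca-certificates/ and run `update-ca-certificates`, which regenerates the bundle; appending the CA to ca-certificates.crt by hand is undone the next time that command runs.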
Line 18: Line 18:
  
  
-Éditez le fichier de configuration **/etc/sssd/sssd.conf**, et adaptez-le à vos besoins. Le plus important étant la partie du domane utilisé:+Éditez le fichier de configuration **/etc/sssd/sssd.conf**, et adaptez-le à vos besoins. Le plus important étant la partie du domaine utilisé :
 <code bash>[domain/FIREWALL] <code bash>[domain/FIREWALL]
 id_provider = ldap id_provider = ldap
Line 33: Line 33:
 ldap_user_gecos = cn ldap_user_gecos = cn
 ldap_tls_reqcert = hard ldap_tls_reqcert = hard
-ldap_tls_cacert = /etc/ssl/certs/ca.pem+ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
 ldap_id_use_start_tls = true ldap_id_use_start_tls = true
 # à dé-commenter si votre serveur SME est une iPasserelle # à dé-commenter si votre serveur SME est une iPasserelle
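Review bot: pointing `ldap_tls_cacert` at the system bundle while `ldap_tls_reqcert = hard` stays on the line above means sssd drops the LDAP connection if the SME CA is absent from that bundle, and the FIREWALL domain goes offline with no users resolving. The comment next to this setting should say that the path has to be the bundle the SME CA was actually installed into, and that a rejected server certificate is visible in /var/log/sssd/sssd_FIREWALL.log once `debug_level` is raised in this section.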
Line 48: Line 48:
  
  
-Il faut aussi s'assurer que le fichier /etc/ssl/certs/ca.pem contient bien la CA qui a signé le certificat de votre serveur SME.+Il faut aussi s'assurer que le fichier /etc/ssl/certs/ca-certificates.crt contient bien la CA qui a signé le certificat de votre serveur SME.
  
  
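Review bot: "make sure the file contains the CA" gives the reader no way to check it. Suggest a concrete test, for example with a copy of the SME server certificate saved as /tmp/sme-server.crt (placeholder path): `openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt /tmp/sme-server.crt` must print `OK`; any other result means sssd will reject the server because of `ldap_tls_reqcert = hard`.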
Line 61: Line 61:
 shadow:         compat sss shadow:         compat sss
 </code> </code>
 +
  
 ==== pam ==== ==== pam ====
  
  
-<code bash> +<code bash>cd /etc/pam.d
-cd /etc/pam.d+
 cp -a common-account common-account.orig cp -a common-account common-account.orig
 cat <<'EOF'> common-account cat <<'EOF'> common-account
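Review bot: the common-* files are overwritten here with heredocs, while the comments deleted in the following hunks state that these files are managed by pam-auth-update; the next package upgrade that runs pam-auth-update can then prompt to replace the hand-written stacks. libpam-sss, installed in the first step, ships a pam-auth-update profile for pam_sss, so running `pam-auth-update` and selecting the sss profile yields the pam_sss lines without editing the files; only the pam_mkhomedir line would still need a local addition. At minimum the page should warn that these files must be re-checked after upgrades.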
Line 72: Line 72:
 # /etc/pam.d/common-account - authorization settings common to all services # /etc/pam.d/common-account - authorization settings common to all services
 # #
-# This file is included from other service-specific PAM config files, +  
-# and should contain a list of the authorization modules that define + 
-# the central access policy for use on the system.  The default is to +
-# only deny service to users whose accounts are expired in /etc/shadow. +
-+
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +
-# To take advantage of this, it is recommended that you configure any +
-# local modules either before or after the default block, and use +
-# pam-auth-update to manage selection of other modules.  See +
-# pam-auth-update(8) for details. +
-+
- +
- +
-# here are the per-package modules (the "Primary" block)+
 account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
 # here's the fallback if no module succeeds # here's the fallback if no module succeeds
Line 94: Line 82:
 account required                        pam_permit.so account required                        pam_permit.so
 # and here are more per-package modules (the "Additional" block) # and here are more per-package modules (the "Additional" block)
 +session optional      pam_mkhomedir.so skel=/etc/skel umask=0077
 account [default=bad success=ok user_unknown=ignore]    pam_sss.so account [default=bad success=ok user_unknown=ignore]    pam_sss.so
-# end of pam-auth-update config 
 EOF EOF
 cp -a common-auth common-auth.orig cp -a common-auth common-auth.orig
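Review bot: the added `session optional pam_mkhomedir.so` line sits in common-account, which is the account stack; the same line already exists in common-session further down in this revision, so it appears misplaced. Service files pull common-account in with @include, so PAM still honours a session entry found there and pam_mkhomedir ends up listed twice in the session stack. Drop it from common-account and keep the common-session copy.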
Line 102: Line 90:
 # /etc/pam.d/common-auth - authentication settings common to all services # /etc/pam.d/common-auth - authentication settings common to all services
 # #
-# This file is included from other service-specific PAM config files, + 
-# and should contain a list of the authentication modules that define +
-# the central authentication scheme for use on the system +
-# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the +
-# traditional Unix authentication mechanisms. +
-+
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +
-# To take advantage of this, it is recommended that you configure any +
-# local modules either before or after the default block, and use +
-# pam-auth-update to manage selection of other modules.  See +
-# pam-auth-update(8) for details. +
- +
 # here are the per-package modules (the "Primary" block) # here are the per-package modules (the "Primary" block)
 auth    [success=2 default=ignore]                      pam_sss.so auth    [success=2 default=ignore]                      pam_sss.so
Line 125: Line 101:
 auth    required                        pam_permit.so auth    required                        pam_permit.so
 # and here are more per-package modules (the "Additional" block) # and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config 
 EOF EOF
 cp -a common-password common-password.orig cp -a common-password common-password.orig
Line 131: Line 106:
 # #
 # /etc/pam.d/common-password - password-related modules common to all services # /etc/pam.d/common-password - password-related modules common to all services
-+  
-# This file is included from other service-specific PAM config files, + 
-# and should contain a list of modules that define the services to be +
-# used to change user passwords.  The default is pam_unix. +
- +
- +
-# Explanation of pam_unix options: +
-+
-# The "sha512" option enables salted SHA512 passwords.  Without this option, +
-# the default is Unix crypt.  Prior releases used the option "md5"+
-+
-# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in +
-# login.defs. +
-+
-# See the pam_unix manpage for other options. +
- +
- +
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +
-# To take advantage of this, it is recommended that you configure any +
-# local modules either before or after the default block, and use +
-# pam-auth-update to manage selection of other modules.  See +
-# pam-auth-update(8) for details. +
- +
 # here are the per-package modules (the "Primary" block) # here are the per-package modules (the "Primary" block)
-password        sufficient                                      pam_sss.so +password        sufficient                      pam_sss.so 
-password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512+password        [success=1 default=ignore]      pam_unix.so obscure try_first_pass sha512
 # here's the fallback if no module succeeds # here's the fallback if no module succeeds
 password        requisite                       pam_deny.so password        requisite                       pam_deny.so
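Review bot: removing `use_authtok` from the pam_unix line is the right consequence of having `password sufficient pam_sss.so` ahead of it: for a local account pam_sss does not succeed and stores no new token, so pam_unix with `use_authtok` would fail instead of prompting. Since the previous revision had use_authtok and a reader comparing with a stock file may restore it, put a one-line comment in the heredoc explaining why it is absent. Minor: the first added line has trailing whitespace after `pam_sss.so`.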
Line 165: Line 118:
 password        required                        pam_permit.so password        required                        pam_permit.so
 # and here are more per-package modules (the "Additional" block) # and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config +  
-cp -a comomn-session common-session.orig+  
 +EOF 
 +cp -a common-session common-session.orig 
 +cat <<'EOF'> common-session
 # #
 # /etc/pam.d/common-session - session-related modules common to all services # /etc/pam.d/common-session - session-related modules common to all services
-# +#  
-# This file is included from other service-specific PAM config files, + 
-# and should contain a list of modules that define tasks to be performed +
-# at the start and end of sessions of *any* kind (both interactive and +
-# non-interactive). +
-+
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +
-# To take advantage of this, it is recommended that you configure any +
-# local modules either before or after the default block, and use +
-# pam-auth-update to manage selection of other modules.  See +
-# pam-auth-update(8) for details. +
- +
 # here are the per-package modules (the "Primary" block) # here are the per-package modules (the "Primary" block)
-session [default=1]                     pam_permit.so+session [default=1]   pam_permit.so
 # here's the fallback if no module succeeds # here's the fallback if no module succeeds
-session requisite                       pam_deny.so+session requisite     pam_deny.so
 # prime the stack with a positive return value if there isn't one already; # prime the stack with a positive return value if there isn't one already;
 # this avoids us returning an error just because nothing sets a success code # this avoids us returning an error just because nothing sets a success code
 # since the modules above will each just jump around # since the modules above will each just jump around
-session required                        pam_permit.so+session required      pam_permit.so
 # and here are more per-package modules (the "Additional" block) # and here are more per-package modules (the "Additional" block)
 session optional      pam_mkhomedir.so skel=/etc/skel umask=0077 session optional      pam_mkhomedir.so skel=/etc/skel umask=0077
-session optional                                        pam_sss.so +session optional      pam_sss.so 
-session required        pam_unix.so +session required      pam_unix.so 
-# end of pam-auth-update config+  
 + 
 EOF EOF
 +</code>
 +
 +==== Activation au démarrage ====
 +<code bash>
 +update-rc.d sssd enable
 +/etc/init.d/sssd start
 </code> </code>
  
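Review bot: this hunk fixes a real defect of the previous revision, where `cp -a comomn-session common-session.orig` sat inside the common-password heredoc (typo included), so common-password received a stray cp line and common-session was never written; the added `EOF`, `cp -a common-session common-session.orig` and `cat <<'EOF'> common-session` lines are the correct sequence. For the new "Activation au démarrage" section, `update-rc.d sssd enable` and `/etc/init.d/sssd start` are sysvinit commands; a short note that systemd-based Debian releases use `systemctl enable sssd` and `systemctl start sssd` would keep the page usable.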
 • tuto/ipasserelle/authentification/debian_sssd_on_sme.1340368686.txt.gz
 • Last modified: 22/06/2012 14:38
 • by dani