Using the XLDAP Prototype
Starting from a basic install of CentOS 7:
Required RPMs
# nss-pam-ldapd supplies nslcd, the NSS "ldap" source and pam_ldap.so;
# pam_krb5 supplies pam_krb5.so. Both are referenced by the config files below.
yum install nss-pam-ldapd pam_krb5
# Name-service switch configuration (the page does not name the file; this is the
# /etc/nsswitch.conf format). Each database lists its sources in lookup order.
# The "ldap" source is served by nslcd, so these lookups depend on nslcd running.
passwd: files ldap
shadow: files ldap
group: files ldap
netgroup: files ldap
#--
# NOTE(review): the page rendering collapsed these lines, so it is not clear whether
# "#--" was a separator line or commented out the entry that follows it; confirm on
# the installed system that hosts resolution is active as "files dns".
hosts: files dns
#--
aliases: files
automount: files
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
publickey: files
rpc: files
services: files
# Client defaults for the OpenLDAP command-line tools (the page does not name the
# file; this is the /etc/openldap/ldap.conf format). These are the server and
# search base used when no -H / -b is given.
uri ldaps://xldap.phys.washington.edu:636
base ou=u_somsky,dc=XLDAP
# NOTE(review): "allow" means a missing or unverifiable server certificate is
# accepted, so ldaps:// here encrypts the session but does not authenticate the
# server. Workable for a prototype with a self-signed certificate; before wider
# use, install the issuing CA (TLS_CACERT) and switch to TLS_REQCERT demand.
TLS_REQCERT allow
## nslcd configuration (the page does not name the file; this is the
## /etc/nslcd.conf format). nslcd answers the NSS "ldap" source and pam_ldap.so.

## Daemon drops to this unprivileged user/group after reading the config.
uid nslcd
gid ldap

## NOTE(review): same caveat as the ldap.conf setting -- the server certificate
## is not verified, so the XLDAP server is not authenticated. For more than a
## prototype, point tls_cacertfile at the CA and set tls_reqcert demand.
tls_reqcert allow
uri ldaps://xldap.phys.washington.edu:636

## Read-only service credential used for every lookup.
## NOTE(review): the password is stored in clear here; keep this file owned by
## root and readable by root only (mode 0600) so the credential is not exposed to
## local users.
binddn cn=reader,ou=bindDNs,ou=u_somsky,dc=XLDAP
bindpw reader

## Timeouts (seconds): connect/bind, per-search, and idle connection close.
bind_timelimit 30
timelimit 30
idle_timelimit 3600

## Which entries count as groups and accounts, and where to search for each.
filter group (objectClass=posixGroup)
base group ou=xldapGroup,ou=u_somsky,dc=XLDAP
filter passwd (objectClass=xldapPosixAccount)
base passwd ou=xldapAccount,ou=u_somsky,dc=XLDAP

## The XLDAP schema does not use the standard posixAccount attribute names, so
## the passwd fields are remapped onto the uw* attributes.
map passwd uidNumber uwUidNumber
map passwd gidNumber uwGidNumber
map passwd gecos uwDisplayName
## map passwd gecos unitDisplayName
## map passwd homeDirectory uwHomeDirectory
## map passwd homeDirectory unitHomeDirectory
## Home directory is derived from the login name rather than read from LDAP.
map passwd homeDirectory "/local/users/$uid"
## map passwd loginShell uwLoginShell
## map passwd loginShell unitLoginShell
## Shell comes from uwLoginShell, falling back to /bin/tcsh when the attribute
## is absent (map-expression default syntax; see nslcd.conf(5)).
map passwd loginShell "${uwLoginShell:-/bin/tcsh}"
## ---------------------------------------------------------
## See nslcd.conf(5) for info on maps and map expressions...
## ---------------------------------------------------------
# Kerberos client configuration (the page does not name the file; this is the
# /etc/krb5.conf format). Only the default realm is set; pam_krb5.so in the PAM
# stack relies on it.
[logging]
 kdc = FILE:/var/log/krb5kdc.log
 default = FILE:/var/log/krb5libs.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = NETID.WASHINGTON.EDU

# NOTE(review): no KDC is listed for the realm and no host-to-realm mapping is
# given, so KDC location presumably comes from DNS SRV records for
# NETID.WASHINGTON.EDU -- confirm with a test kinit before relying on it.
[realms]

[domain_realm]

[appdefaults]
#%PAM-1.0
# PAM stack in the /etc/pam.d/system-auth format (the page does not name the
# file). Local (files) accounts authenticate with pam_unix; accounts that come
# from LDAP authenticate against Kerberos via pam_krb5, with pam_ldap used only
# for the account and session phases.
# required = [default=bad success=ok new_authtok_reqd=ok ignore=ignore]
# requisite = [default=die success=ok new_authtok_reqd=ok ignore=ignore]
# optional = [default=ignore success=ok new_authtok_reqd=ok ]
# sufficient = [default=ignore success=done new_authtok_reqd=done]

# auth: local password first; only uid >= 1000 users fall through to Kerberos,
# so system accounts can never be authenticated remotely.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

# password: local changes go through pam_unix; for uid >= 1000 the change is
# sent to Kerberos. There is no pam_ldap line here, so passwords are never
# written to the LDAP entry.
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password requisite pam_succeed_if.so uid >= 1000
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

# account: system accounts (uid < 1000) are accepted after the pam_unix check;
# everyone else must also pass the LDAP account check.
# NOTE(review): with the "required" control, pam_ldap's "user unknown" result
# counts as a failure, so a local user with uid >= 1000 that has no LDAP entry
# is denied here. If such users are expected, the usual form is
# `account [default=bad success=ok user_unknown=ignore] pam_ldap.so`.
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_ldap.so
account optional pam_krb5.so
account required pam_permit.so

# session: pam_unix session is skipped for cron jobs; the ldap and krb5 session
# modules are optional so their failure never blocks login.
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
session optional pam_krb5.so