WRSomsky
UW Physics & Astronomy Linux Guru

Using the XLDAP Prototype

Starting from a basic install of CentOS 7:

Required RPMs

# nss-pam-ldapd provides the nslcd daemon (configured in /etc/nslcd.conf below)
# and the pam_ldap.so module used in the PAM stack; pam_krb5 provides pam_krb5.so.
yum install nss-pam-ldapd pam_krb5

/etc/nsswitch.conf:

# Sources are consulted left to right: local files first, then LDAP (answered
# by nslcd), so a local /etc/passwd or /etc/group entry is found before the
# directory entry of the same name.
passwd:     files ldap
shadow:     files ldap
group:      files ldap
netgroup:   files ldap
#--
# Host resolution stays files + DNS; the directory is not consulted for hosts.
hosts:      files dns
#--
# Everything else is local-only.
aliases:    files
automount:  files
bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
publickey:  files
rpc:        files
services:   files

/etc/openldap/ldap.conf:

# Defaults for the OpenLDAP client tools (ldapsearch etc.); nslcd does not read
# this file and carries its own copy of these settings in /etc/nslcd.conf.
uri		ldaps://xldap.phys.washington.edu:636
base		ou=u_somsky,dc=XLDAP
# NOTE(review): "allow" means a missing or bad server certificate is ignored, so
# ldaps:// encrypts the session but does not authenticate the server. Outside
# the prototype, set TLS_REQCERT to demand and point TLS_CACERT at the CA that
# issued the server certificate.
TLS_REQCERT	allow

/etc/nslcd.conf:

# User and group the nslcd daemon runs as.
uid		nslcd
gid		ldap

# NOTE(review): as in ldap.conf, "allow" disables certificate checking, so the
# server behind the ldaps:// URI is not authenticated. For anything beyond the
# prototype use tls_reqcert demand together with tls_cacertfile.
tls_reqcert	allow
uri		ldaps://xldap.phys.washington.edu:636
# The bind password is stored in clear text here, so this file must not be
# world-readable; the value shown is a prototype placeholder and should be
# replaced by a real secret on any host that is not throw-away.
binddn		cn=reader,ou=bindDNs,ou=u_somsky,dc=XLDAP
bindpw		reader

# Seconds to wait for a bind and for a search, and how long an idle
# connection to the server is kept open.
bind_timelimit	30
timelimit	30
idle_timelimit	3600

# Groups live under their own OU and are selected by objectClass.
filter	group	(objectClass=posixGroup)
base	group	ou=xldapGroup,ou=u_somsky,dc=XLDAP

# Accounts use the xldapPosixAccount objectClass; their uid/gid numbers live
# in uw-prefixed attributes and are mapped onto the standard passwd fields.
filter	passwd	(objectClass=xldapPosixAccount)
base	passwd	ou=xldapAccount,ou=u_somsky,dc=XLDAP
map	passwd	uidNumber	uwUidNumber
map	passwd	gidNumber	uwGidNumber

# gecos comes from the UW display name; the commented-out line is the
# unit-level alternative.
   map	passwd	gecos		uwDisplayName
## map	passwd	gecos		unitDisplayName

# The home directory is built locally from the uid attribute rather than read
# from a home-directory attribute, so every account lands under /local/users.
## map	passwd	homeDirectory	uwHomeDirectory
## map	passwd	homeDirectory	unitHomeDirectory
   map	passwd	homeDirectory	"/local/users/$uid"

# The login shell is uwLoginShell when present and /bin/tcsh otherwise.
# Whatever the directory returns here becomes the user's shell, so the
# attribute should be writable only by the directory administrators.
## map	passwd	loginShell	uwLoginShell
## map	passwd	loginShell	unitLoginShell
   map	passwd	loginShell	"${uwLoginShell:-/bin/tcsh}"

## ---------------------------------------------------------
## See nslcd.conf(5) for info on maps and map expressions...
## ---------------------------------------------------------

/etc/krb5.conf:

# Log destinations; the kdc and admin_server entries only matter on a KDC host.
[logging]
  kdc = FILE:/var/log/krb5kdc.log
  default = FILE:/var/log/krb5libs.log
  admin_server = FILE:/var/log/kadmind.log

# Realm used when a principal name carries none.
[libdefaults]
  default_realm = NETID.WASHINGTON.EDU

# NOTE(review): no KDCs are listed for the realm, so the library presumably
# locates them through DNS SRV records for NETID.WASHINGTON.EDU — confirm.
[realms]

# Empty: no hostname-to-realm mapping, so only default_realm applies.
[domain_realm]

[appdefaults]

/etc/pam.d/system-auth-xldap:

#%PAM-1.0
# Alternative system-auth stack for the XLDAP prototype: local (pam_unix)
# credentials are tried first, Kerberos is used for non-system accounts, and
# LDAP is consulted only in the account and session phases.

# required   = [default=bad    success=ok   new_authtok_reqd=ok ignore=ignore]
# requisite  = [default=die    success=ok   new_authtok_reqd=ok ignore=ignore]
# optional   = [default=ignore success=ok   new_authtok_reqd=ok  ]
# sufficient = [default=ignore success=done new_authtok_reqd=done]

# auth: a matching local password ends the stack; accounts below uid 1000 are
# stopped by the requisite line and never reach the KDC; everyone else is tried
# against Kerberos with the password already entered, then falls through to deny.
auth required				pam_env.so
auth sufficient				pam_unix.so try_first_pass
auth requisite				pam_succeed_if.so uid >= 1000
# NOTE(review): pam_krb5 can only check that the KDC reply is genuine when the
# host has a keytab to validate the ticket against — confirm one is provisioned
# before relying on this line outside the prototype.
auth sufficient				pam_krb5.so use_first_pass
auth required				pam_deny.so

# password: quality rules apply to local users only; local passwords change via
# pam_unix, Kerberos passwords via pam_krb5 for uid >= 1000, using the token
# already collected.
password requisite			pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient			pam_unix.so sha512 shadow try_first_pass use_authtok
password requisite			pam_succeed_if.so uid >= 1000
password sufficient			pam_krb5.so use_authtok
password required			pam_deny.so

# account: system accounts (uid < 1000) are accepted after the pam_unix check;
# everyone else must also pass pam_ldap, with pam_krb5 advisory only.
# NOTE(review): with pam_ldap "required", a local account with uid >= 1000 that
# is not in the directory is presumably refused here — confirm, or add
# ignore_unknown_user to the pam_ldap.so line if such local users are expected.
account required			pam_unix.so broken_shadow
account sufficient			pam_succeed_if.so uid < 1000 quiet
account required			pam_ldap.so
account optional			pam_krb5.so
account required			pam_permit.so

# session: standard CentOS session setup; pam_systemd is skipped for crond,
# and the LDAP/Kerberos session hooks are best-effort.
session optional			pam_keyinit.so revoke
session required			pam_limits.so
session optional			pam_systemd.so
session [success=1 default=ignore]	pam_succeed_if.so service in crond quiet use_uid
session required			pam_unix.so
session optional			pam_ldap.so
session optional			pam_krb5.so