– Il faut installer les packages:
# pkg install -y nss_ldap pam_ldap openldap-client p5-Mozilla-CA
– Faire la configuration du client LDAP
vi /usr/local/etc/nss_ldap.conf
BASE ou=People,dc=infranix,dc=eu
URI ldaps://ldap1
TLS_CACERTDIR /usr/local/lib/perl5/site_perl/Mozilla/CA/cacert.pem
TLS_REQCERT allow
SASL_NOCANON on
Remarque : avec TLS_REQCERT allow, un certificat serveur invalide est ignoré et la session continue ; pour que le certificat soit réellement vérifié il faut TLS_REQCERT demand, et un fichier .pem se déclare avec TLS_CACERT (TLS_CACERTDIR attend un répertoire).
– Créer des symlinks vers ldap.conf pour simplifier la configuration
# ln -s /usr/local/etc/nss_ldap.conf /usr/local/etc/openldap/ldap.conf
# ln -s /usr/local/etc/nss_ldap.conf /usr/local/etc/ldap.conf
– Modifier nsswitch.conf pour qu’il s’appuie sur LDAP pour passwd et group
[root@app001 ~]# cat /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/10.2/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
– Modifier /etc/pam.d/sshd
[root@app001 ~]# cat /etc/pam.d/sshd
#
# $FreeBSD: releng/10.2/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth      sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth      sufficient  pam_opie.so                 no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so           no_warn allow_local
#auth     sufficient  pam_krb5.so                 no_warn try_first_pass
#auth     sufficient  pam_ssh.so                  no_warn try_first_pass
auth      required    pam_unix.so                 no_warn try_first_pass

# account
account   required    /usr/local/lib/pam_ldap.so  no_warn ignore_authinfo_unavail ignore_unknown_user
account   required    pam_nologin.so
#account  required    pam_krb5.so
account   required    pam_login_access.so
account   required    pam_unix.so

# session
#session  optional    pam_ssh.so                  want_agent
session   required    /usr/local/lib/pam_mkhomedir.so
session   required    pam_permit.so

# password
#password sufficient  pam_krb5.so                 no_warn try_first_pass
password  required    pam_unix.so                 no_warn try_first_pass
– Modifier /etc/pam.d/su pour mettre le bon groupe (attention : ajouter users à group= autorise tout membre de ce groupe, et plus seulement wheel, à tenter un su vers root ; le mot de passe root reste demandé).
[root@app001 ~]# cat /etc/pam.d/su
#
# $FreeBSD: releng/10.2/etc/pam.d/su 219663 2011-03-15 10:13:35Z des $
#
# PAM configuration for the "su" service
#

# auth
auth      sufficient  pam_rootok.so   no_warn
auth      sufficient  pam_self.so     no_warn
auth      requisite   pam_group.so    no_warn group=wheel,users root_only fail_safe ruser
auth      include     system

# account
account   include     system

# session
session   required    pam_permit.so
– Modifier /etc/pam.d/system
[root@app001 /etc/pam.d]# cat system
# $FreeBSD: releng/10.2/etc/pam.d/system 197769 2009-10-05 09:28:54Z des $
#
# System-wide defaults
#

# auth
auth      sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth      sufficient  pam_opie.so                 no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so           no_warn allow_local
#auth     sufficient  pam_krb5.so                 no_warn try_first_pass
#auth     sufficient  pam_ssh.so                  no_warn try_first_pass
auth      required    pam_unix.so                 no_warn try_first_pass nullok

# account
#account  required    pam_krb5.so
account   required    /usr/local/lib/pam_ldap.so  ignore_unknown_user ignore_authinfo_unavail
account   required    pam_login_access.so
account   required    pam_unix.so

# session
#session  optional    pam_ssh.so                  want_agent
session   required    /usr/local/lib/pam_mkhomedir.so
session   required    pam_lastlog.so              no_fail

# password
#password sufficient  pam_krb5.so                 no_warn try_first_pass
password  required    pam_unix.so                 no_warn try_first_pass
– Modifier /etc/pam.d/passwd (la ligne pam_ldap.so restant commentée, passwd(1) ne change que le mot de passe local, pas celui stocké dans LDAP).
[root@app001 /etc/pam.d]# cat passwd
#
# $FreeBSD: releng/10.2/etc/pam.d/passwd 113967 2003-04-24 12:22:42Z des $
#
# PAM configuration for the "passwd" service
#

# passwd(1) does not use the auth, account or session services.

# password
#password requisite   pam_passwdqc.so  enforce=users
#password required    pam_ldap.so
password  required    pam_unix.so      no_warn try_first_pass nullok
– OPTIONNEL : forcer le gidNumber vers le groupe users
vi /etc/group
users:*:100:
– Pour tester que les comptes LDAP sont bien résolus :
getent passwd