– Il faut installer les packages:
# pkg install -y nss_ldap pam_ldap openldap-client p5-Mozilla-CA
– Faire la conf du client ldap (note : avec TLS_REQCERT allow, un certificat serveur absent ou invalide est accepté et la connexion ldaps n'est pas authentifiée ; pour vérifier le certificat, pointer TLS_CACERT sur le fichier cacert.pem — TLS_CACERTDIR attend un répertoire, pas un fichier — et passer TLS_REQCERT à demand)
vi /usr/local/etc/nss_ldap.conf
BASE ou=People,dc=infranix,dc=eu
URI ldaps://ldap1
TLS_CACERTDIR /usr/local/lib/perl5/site_perl/Mozilla/CA/cacert.pem
TLS_REQCERT allow
SASL_NOCANON on
– Créer des symlinks pour simplifier la configuration vers ldap.conf
# ln -s /usr/local/etc/nss_ldap.conf /usr/local/etc/openldap/ldap.conf
# ln -s /usr/local/etc/nss_ldap.conf /usr/local/etc/ldap.conf
– Modifier nsswitch pour qu’il s’appuie sur ldap pour passwd et group
[root@app001 ~]# cat /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/10.2/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
– Modifier /etc/pam.d/sshd
[root@app001 ~]# cat /etc/pam.d/sshd
#
# $FreeBSD: releng/10.2/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#
# auth
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
– modifier /etc/pam.d/su pour mettre le bon groupe
[root@app001 ~]# cat /etc/pam.d/su
#
# $FreeBSD: releng/10.2/etc/pam.d/su 219663 2011-03-15 10:13:35Z des $
#
# PAM configuration for the "su" service
#
# auth
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth requisite pam_group.so no_warn group=wheel,users root_only fail_safe ruser
auth include system
# account
account include system
# session
session required pam_permit.so
– modifier /etc/pam.d/system
[root@app001 /etc/pam.d]# cat system
# $FreeBSD: releng/10.2/etc/pam.d/system 197769 2009-10-05 09:28:54Z des $
#
# System-wide defaults
#
# auth
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required /usr/local/lib/pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required /usr/local/lib/pam_mkhomedir.so
session required pam_lastlog.so no_fail
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
– modifier /etc/pam.d/passwd
[root@app001 /etc/pam.d]# cat passwd
#
# $FreeBSD: releng/10.2/etc/pam.d/passwd 113967 2003-04-24 12:22:42Z des $
#
# PAM configuration for the "passwd" service
#
# passwd(1) does not use the auth, account or session services.
# password
#password requisite pam_passwdqc.so enforce=users
#password required pam_ldap.so
password required pam_unix.so no_warn try_first_pass nullok
– OPTIONNEL : forcer le groupe gidMember
vi /etc/group
users:*:100:
– Pour tester :
getent passwd