| View previous topic :: View next topic |
| Author |
Message |
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3879
|
 Posted: Thu Jan 07, 2021 10:36 am Post subject: PAM system-auth for centralized client authentication update |
 |
|
Hi Guys,
I remember someone recently was asking about the correct format of
/etc/pam.d/system-auth
for centralized ldap authentication using the new pam modules(pwquality etc)
I found the following to work perfectly
| Code: |
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so config=/etc/security/passwdqc.conf try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
|
Of course it uses
sys-auth/sssd
which is far superior to the older
sys-auth/nss-pam-ldapd
which frankly is buggy and a little stupid at times.
Additionally it can handle additional authentication sources like kerberos, ipa etc.
In my setup I use openldap together with kerberos and it works smoothly.
In case one uses sssd here is a sample sssd.conf that works fine
| Code: |
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_kpasswd = <fqdn-of-kdc>
ldap_search_base = dc=example,dc=com
krb5_server = <fqdn-of-kdc>
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_store_password_if_offline = True
ldap_uri = ldap://<fqdn-of-ldap-server>/
krb5_realm = EXAMPLE.COM
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = allow
[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
|
In case of not using kerberos remove all the lines starting with "krb5" and replace "krb5" for "ldap" in the id,auth and chpass fields.
I was wondering if it might be included as an update to
https://wiki.gentoo.org/wiki/Centralized_authentication_using_OpenLDAP
Cheers!
_________________
 |
|
| Back to top |
|
 |
wols
Tux's lil' helper
Joined: 06 Nov 2005
Posts: 92
Location: Franken
|
| Posted: Mon Feb 15, 2021 5:14 pm Post subject: |
|
|
Great! Thanks a lot.
I must change into |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Documentation, Tips & Tricks
