I remember someone recently was asking about the correct format of /etc/pam.d/system-auth for centralized LDAP authentication using the new PAM modules (pwquality etc.). I found the following to work perfectly:
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so config=/etc/security/passwdqc.conf try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
sys-auth/sssd, which is far superior to the older sys-auth/nss-pam-ldapd, which frankly is buggy and a little stupid at times. Additionally, it can handle additional authentication sources like Kerberos, IPA etc. In my setup I use OpenLDAP together with Kerberos and it works smoothly.
In case one uses sssd, here is a sample sssd.conf that works fine:
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_kpasswd = <fqdn-of-kdc>
ldap_search_base = dc=example,dc=com
krb5_server = <fqdn-of-kdc>
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_store_password_if_offline = True
ldap_uri = ldap://<fqdn-of-ldap-server>/
krb5_realm = EXAMPLE.COM
ldap_id_use_start_tls = True
# ldap_tls_cacert takes a CA bundle file; ldap_tls_cacertdir expects a directory of hashed certs
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = allow
[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
I was wondering if it might be included as an update to https://wiki.gentoo.org/wiki/Centralize ... g_OpenLDAP
Cheers!
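The `[default=1 ignore=ignore success=ok]` lines in the auth section above are what route local users to pam_unix and everyone else to pam_sss, and the requisite pam_succeed_if line keeps uid < 1000 accounts from ever reaching sssd. The following is an added example (not from the post or the Gentoo wiki) that walks that exact auth stack with the control-flag semantics from pam.d(5); the user records, passwords and module stand-ins are constructed for the simulation.

```python
"""Walk the 'auth' stack from the post with pam.d(5) control-flag semantics.
Constructed model: each PAM module becomes a predicate over a fake user."""

# Constructed accounts: a local user, an sssd/LDAP-only user, and root.
USERS = {
    "alice": {"uid": 1000, "local": True,  "unix_pw": "a-pw", "sss_pw": None},
    "bob":   {"uid": 2000, "local": False, "unix_pw": None,   "sss_pw": "b-pw"},
    "root":  {"uid": 0,    "local": True,  "unix_pw": "r-pw", "sss_pw": None},
}

# The auth stack in the post's order: (control, module, stand-in predicate).
AUTH_STACK = [
    ("required",   "pam_env.so",       lambda u, pw: True),
    ("required",   "pam_faildelay.so", lambda u, pw: True),
    ("[default=1 ignore=ignore success=ok]", "pam_succeed_if.so uid>=1000", lambda u, pw: u["uid"] >= 1000),
    ("[default=1 ignore=ignore success=ok]", "pam_localuser.so", lambda u, pw: u["local"]),
    ("sufficient", "pam_unix.so",      lambda u, pw: pw == u["unix_pw"]),
    ("requisite",  "pam_succeed_if.so uid>=1000", lambda u, pw: u["uid"] >= 1000),
    ("sufficient", "pam_sss.so",       lambda u, pw: pw == u["sss_pw"]),
    ("required",   "pam_deny.so",      lambda u, pw: False),
]

SHORTHAND = {  # classic keywords as their [value=action] equivalents, per pam.d(5)
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}

def actions_for(control):
    if control.startswith("["):
        return dict(kv.split("=", 1) for kv in control.strip("[]").split())
    return SHORTHAND[control]

def authenticate(user, password, stack=AUTH_STACK):
    """Return (result, modules actually consulted) for one auth attempt."""
    u, failed, i, visited = USERS[user], False, 0, []
    while i < len(stack):
        control, name, pred = stack[i]
        visited.append(name)
        table = actions_for(control)
        action = table.get("success" if pred(u, password) else "fail", table["default"])
        if action.isdigit():          # default=N: jump over the next N modules
            i += int(action) + 1
            continue
        if action == "die" or (action == "done" and failed):
            return "PAM_AUTH_ERR", visited
        if action == "done":          # a sufficient module succeeded: stop here
            return "PAM_SUCCESS", visited
        failed = failed or action == "bad"  # required failure: remember it, keep walking
        i += 1
    return ("PAM_AUTH_ERR" if failed else "PAM_SUCCESS"), visited
```

Running `authenticate("root", "wrong")` shows the requisite line returning before pam_sss.so is consulted, while `authenticate("bob", "b-pw")` never touches pam_unix.so at all.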