LDAP- und RADIUS-Authentifizierung (Benutzerdaten per LDAP/nss_ldap aus dem AD, Passwortprüfung per RADIUS/pam_radius)

Packages

RHEL / CentOS

  • nss_ldap
  • pam_radius

Debian / Ubuntu

  • libpam-radius-auth
  • libnss-ldap

Konfigurationsdateien

PAM

RHEL / CentOS

/etc/pam.d/system-auth
# Auth stack: RADIUS first; only uid 0 may fall back to the local password.
auth		required		pam_env.so
# "sufficient": a RADIUS Access-Accept ends the stack with success right here.
# localifdown (pam_radius_auth option, see its README): when no server in
# /etc/pam_radius_auth.conf answers, the module does not report a hard failure
# and the stack falls through to the lines below.
# NOTE(review): a RADIUS *reject* (wrong password) also falls through, because
# "sufficient" ignores failures -- for root that means the local password is
# tried next (use_first_pass), for everyone else the requisite line denies.
auth		sufficient		pam_radius_auth.so localifdown
# requisite: every user other than uid 0 is denied here immediately. This is
# what keeps RADIUS-managed accounts from authenticating with an /etc/shadow
# password. Consider the `quiet` option, otherwise each non-root login logs a
# failure from this line.
auth		requisite		pam_succeed_if.so uid = 0
# Local fallback, reachable only by root; reuses the password already entered
# for RADIUS. nullok accepts an empty local root password -- drop it unless
# that is intended.
# NOTE(review): "uid = 0" is pam_succeed_if syntax, not a pam_unix option;
# pam_unix presumably logs the tokens as unrecognized and ignores them. The
# root-only restriction is already enforced by the line above.
auth		sufficient		pam_unix.so nullok use_first_pass uid = 0
# Whatever reaches this point (root with neither a valid RADIUS nor a valid
# local password) is denied.
auth		required		pam_deny.so
/etc/pam.d/system-session
# Session stack.
# NOTE(review): RHEL/CentOS normally keeps all stacks, including session, in
# /etc/pam.d/system-auth; confirm that /etc/pam.d/system-session is actually
# included by the services in use, otherwise home directories are never created.
session		required		pam_unix.so
# Creates the home directory on first login (path comes from the LDAP attribute
# mapped to homeDirectory in /etc/ldap.conf). umask=0022 makes new homes
# world-readable; umask=0077 is the safer choice on a multi-user system.
session		required		pam_mkhomedir.so skel=/etc/skel/ umask=0022

PAM Debian / Ubuntu

/etc/pam.d/common-auth
# Auth stack: RADIUS first; only uid 0 may fall back to the local password.
# NOTE(review): Debian/Ubuntu manage this file with pam-auth-update; a
# hand-edited file can be overwritten on the next run -- confirm how this is
# deployed (e.g. a profile under /usr/share/pam-configs/).
# "sufficient": a RADIUS Access-Accept ends the stack with success. localifdown
# (see the pam_radius README) lets the stack continue when no server answers;
# a RADIUS reject continues as well, because "sufficient" ignores failures.
auth		sufficient		pam_radius_auth.so localifdown
# requisite: anyone other than uid 0 is denied here, so RADIUS-managed accounts
# can never authenticate with a local /etc/shadow password. Consider the `quiet`
# option to avoid a logged failure for every non-root login.
auth		requisite		pam_succeed_if.so uid = 0
# Local fallback for root only, reusing the password typed for RADIUS. As the
# last line of the stack its success is the stack's success; its failure denies.
# nullok_secure (Debian-specific pam_unix option) accepts an empty password only
# on ttys listed in /etc/securetty -- drop it unless an empty root password is
# intended.
auth		requisite		pam_unix.so nullok_secure use_first_pass
/etc/pam.d/common-session
# Session stack.
session		required		pam_unix.so
# Creates the home directory on first login (path comes from the LDAP attribute
# mapped to homeDirectory in /etc/ldap.conf). umask=0022 makes new homes
# world-readable; umask=0077 is the safer choice on a multi-user system.
session		required		pam_mkhomedir.so skel=/etc/skel/ umask=0022

Radius

Auflistung der RADIUS-Server. Format pro Zeile: Server[:Port], Shared Secret, Timeout in Sekunden. Die Datei enthält die Shared Secrets und muss root gehören und Modus 0600 haben.

/etc/pam_radius_auth.conf
# Format: server[:port]   shared_secret   timeout (seconds)
# Servers are tried in this order; the next one is only contacted when the
# previous one does not answer within the timeout (per the pam_radius README).
# This file holds the RADIUS shared secrets: keep it root-owned, mode 0600.
# The secret is also the only protection of the user's password on the wire
# (RADIUS hides User-Password with MD5 keyed by the secret, RFC 2865), so use a
# long random secret and keep the path to the servers on a trusted network.
10.1.1.10        <secret token>  5
10.1.1.11        <secret token>  5

LDAP

/etc/ldap.conf
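# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
# Use the names that appear in the servers' certificates: the peer check
# below compares the host name against the certificate.
host ldap1.eisscholle.net ldap2.eisscholle.net

# SSL Settings: LDAPS on port 636.
ssl yes
port 636
# Verify the server certificate. With "no" any host answering on 636 would be
# accepted, so a spoofed or intercepted server could collect the bindpw below
# and feed forged uid/gid/shell/home data into every lookup on this machine.
tls_checkpeer yes
# CA that issued the LDAP servers' certificates (PEM). Needed for the peer check
# unless that CA is already in the system-wide trust store.
tls_cacertfile <CA-Zertifikat der AD-CA, PEM>

# or non SSL (do not use: bindpw and all lookups would travel in clear text)
# ssl no
# port 389

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name of the search base (whole AD domain).
base dc=ad,dc=eisscholle,dc=net

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn CN=RSA Service User,OU=Serviceuser,OU=Users,DC=ad,DC=eisscholle,DC=net

# The credentials to bind with.
# Optional: default is no credential.
# NOTE(review): nss_ldap is loaded by every process, so this file is normally
# world-readable and the password is readable by every local user. Give the
# service account read-only rights and nothing else. nss_ldap can instead bind
# as root via `rootbinddn` with the password in /etc/ldap.secret (mode 0600),
# but then non-root lookups bind anonymously, which AD typically does not
# permit -- confirm before switching.
bindpw <pw von rsaserviceuser>

# Search timelimit
timelimit 15

# Bind/connect timelimit
bind_timelimit 10

# Filters out disabled accounts: userAccountControl bit 2 (ACCOUNTDISABLE),
# tested with the LDAP_MATCHING_RULE_BIT_AND OID 1.2.840.113556.1.4.803.
# The fragment is inserted into nss_ldap's own objectClass filter, which is
# why it carries no outer parentheses. Group objects have no
# userAccountControl, so the filter is a no-op for nss_base_group.
nss_base_passwd        dc=ad,dc=eisscholle,dc=net?sub?&(!(userAccountControl:1.2.840.113556.1.4.803:=2))
nss_base_shadow        dc=ad,dc=eisscholle,dc=net?sub?&(!(userAccountControl:1.2.840.113556.1.4.803:=2))
nss_base_group         dc=ad,dc=eisscholle,dc=net?sub?&(!(userAccountControl:1.2.840.113556.1.4.803:=2))

# Mappings: AD object classes in place of the RFC 2307 ones.
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group

# Attribute mappings: RFC 2307 name -> AD attribute.
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute loginShell loginShell
nss_map_attribute gecos name
# Password hashes are never used from here: shadow is not served from LDAP
# (see /etc/nsswitch.conf) and authentication goes through RADIUS in PAM.
nss_map_attribute userPassword unixUserPassword
# Home directory path that pam_mkhomedir creates on first login.
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
# NOTE(review): mapping uniqueMember to primaryGroupID is unusual; confirm that
# group membership resolves as expected (`getent group`, `id <user>`).
nss_map_attribute uniqueMember primaryGroupID
nss_map_attribute cn cn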

nsswitch

RHEL / CentOS

/etc/nsswitch.conf
# passwd and group: local files first, then LDAP (nss_ldap, /etc/ldap.conf).
passwd:     files ldap
# shadow deliberately stays local: no password hashes are read from AD;
# authentication of LDAP users is done by RADIUS in the PAM auth stack.
shadow:     files 
group:      files ldap

Debian / Ubuntu

/etc/nsswitch.conf
# passwd and group: local files (compat) first, then LDAP (nss_ldap, /etc/ldap.conf).
passwd:     compat ldap
# shadow deliberately stays local: no password hashes are read from AD;
# authentication of LDAP users is done by RADIUS in the PAM auth stack.
shadow:     compat
group:      compat ldap