LDAP and RADIUS Authentication
Packages
RHEL / CentOS
- nss_ldap
- pam_radius
Debian / Ubuntu
- libpam-radius-auth
- libnss-ldap
Configuration files
PAM
RHEL / CentOS
- /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_radius_auth.so localifdown
auth requisite pam_succeed_if.so uid = 0
auth sufficient pam_unix.so nullok use_first_pass uid = 0
auth required pam_deny.so
- /etc/pam.d/system-session
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
PAM Debian / Ubuntu
- /etc/pam.d/common-auth
auth sufficient pam_radius_auth.so localifdown
auth requisite pam_succeed_if.so uid = 0
auth requisite pam_unix.so nullok_secure use_first_pass
- /etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
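To see what the RHEL auth stack above actually decides for root and for ordinary users when the RADIUS server accepts, rejects or is unreachable, the following added example (not part of the original page) replays that stack with Linux-PAM's control-flag rules. It assumes that pam_radius_auth with localifdown returns PAM_IGNORE when no RADIUS server answers, which is the documented purpose of that option.

```python
# Added example: simulate Linux-PAM evaluation of the /etc/pam.d/system-auth
# stack shown above. Module results are supplied by hand, so the stack
# logic can be checked without a RADIUS server or LDAP directory.
# Assumption: with "localifdown", pam_radius_auth returns PAM_IGNORE when
# no RADIUS server can be reached.

SYSTEM_AUTH = """
auth required pam_env.so
auth sufficient pam_radius_auth.so localifdown
auth requisite pam_succeed_if.so uid = 0
auth sufficient pam_unix.so nullok use_first_pass uid = 0
auth required pam_deny.so
"""


def parse_stack(text):
    """Return [(control, module)] for the 'auth' lines of a pam.d file."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "auth":
            stack.append((parts[1], parts[2]))
    return stack


def evaluate(stack, results):
    """Apply Linux-PAM control-flag semantics to per-module results.

    results maps module -> "success", "failure" or "ignore" (PAM_IGNORE).
    Modules not listed count as "failure" (as pam_deny.so always does).
    """
    required_failed = False
    for control, module in stack:
        r = results.get(module, "failure")
        if r == "ignore":                     # line treated as if absent
            continue
        if control == "required" and r == "failure":
            required_failed = True            # remembered, stack continues
        elif control == "requisite" and r == "failure":
            return "failure"                  # abort the stack immediately
        elif control == "sufficient" and r == "success" and not required_failed:
            return "success"                  # short-circuit, rest skipped
    return "failure" if required_failed else "success"


def outcome(is_root, radius, unix_ok):
    """radius is 'accept', 'reject' or 'down'; unix_ok = local password correct."""
    results = {
        "pam_env.so": "success",
        "pam_radius_auth.so": {"accept": "success", "reject": "failure",
                               "down": "ignore"}[radius],
        "pam_succeed_if.so": "success" if is_root else "failure",
        "pam_unix.so": "success" if unix_ok else "failure",
    }
    return evaluate(parse_stack(SYSTEM_AUTH), results)
```

Running the scenarios shows the two properties this stack was written for: a non-root user gets in only through RADIUS, and root keeps a local-password fallback when the RADIUS servers are down. It also shows that, because pam_radius_auth is sufficient rather than required, root authenticates locally even when RADIUS explicitly rejects the login.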
Radius
List of the RADIUS servers.
- /etc/pam_radius_auth.conf
10.1.1.10 <secret token> 5
10.1.1.11 <secret token> 5
LDAP
- /etc/ldap.conf
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host ldap1.eisscholle.net ldap2.eisscholle.net

# SSL settings
ssl yes
port 636
tls_checkpeer no
# or without SSL
# ssl no
# port 389

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name of the search base.
base dc=ad,dc=eisscholle,dc=net

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn CN=RSA Service User,OU=Serviceuser,OU=Users,DC=ad,DC=eisscholle,DC=net

# The credentials to bind with.
# Optional: default is no credential.
bindpw <pw von rsaserviceuser>

# Search timelimit
timelimit 15

# Bind/connect timelimit
bind_timelimit 10

# Filters out disabled accounts: &(!(userAccountControl:1.2.840.113556.1.4.803:=2))
nss_base_passwd dc=ad,dc=eisscholle,dc=net?sub?&(!(userAccountControl:1.2.840.113556.1.4.803:=2))
nss_base_shadow dc=ad,dc=eisscholle,dc=net?sub?&(!(userAccountControl:1.2.840.113556.1.4.803:=2))
nss_base_group dc=ad,dc=eisscholle,dc=net?sub?&(!(userAccountControl:1.2.840.113556.1.4.803:=2))

# Mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute loginShell loginShell
nss_map_attribute gecos name
nss_map_attribute userPassword unixUserPassword
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute uniqueMember primaryGroupID
nss_map_attribute cn cn
nsswitch
RHEL / CentOS
- /etc/nsswitch.conf
passwd: files ldap
shadow: files
group: files ldap
Debian / Ubuntu
- /etc/nsswitch.conf
passwd: compat ldap
shadow: compat
group: compat ldap