Init directory client configurations

Signed-off-by: Georg <georg@lysergic.dev>

2 files changed, 130 insertions, 0 deletions

diff --git a/sssd/client_sssd.generated.conf b/sssd/client_sssd.generated.conf
new file mode 100644
index 0000000..3615f96
--- /dev/null
+++ b/sssd/client_sssd.generated.conf
@@ -0,0 +1,72 @@
+WARNING: ldap_uri starts with ldapi:// - you should review this parameter in the sssd configuration
+
+#
+# sssd.conf
+# Generated by 389 Directory Server - dsidm
+#
+# For more details see man sssd.conf and man sssd-ldap
+# Be sure to review the content of this file to ensure it is secure and correct
+# in your environment.
+
+[domain/ldap]
+# Uncomment this for more verbose logging.
+# debug_level=3
+
+# Cache hashes of user authentication for offline auth.
+cache_credentials = True
+id_provider = ldap
+auth_provider = ldap
+access_provider = ldap
+chpass_provider = ldap
+ldap_schema = rfc2307bis
+ldap_search_base = dc=syscid,dc=com
+ldap_uri = ldapi://%2fvar%2frun%2fslapd-syscid.socket
+# If you have DNS SRV records, you can use the following instead. This derives
+# from your ldap_search_base.
+# ldap_uri = _srv_
+
+ldap_tls_reqcert = demand
+# To use cacert dir, place *.crt files in this path then run:
+# /usr/bin/openssl rehash /etc/openldap/certs
+# or (for older versions of openssl)
+# /usr/bin/c_rehash /etc/openldap/certs
+ldap_tls_cacertdir = /etc/openldap/certs
+
+# Path to the cacert
+# ldap_tls_cacert = /etc/openldap/certs/ca.crt
+
+# Only users who match this filter can login and authorise to this machine. Note
+# that users who do NOT match, will still have their uid/gid resolve, but they
+# can't login.
+# ldap_access_filter = (memberOf=<dn>)
+
+enumerate = false
+access_provider = ldap
+ldap_user_member_of = memberof
+ldap_user_gecos = cn
+ldap_user_uuid = nsUniqueId
+ldap_group_uuid = nsUniqueId
+# This is really important as it allows SSSD to respect nsAccountLock
+ldap_account_expire_policy = rhds
+ldap_access_order = filter, expire
+# Setup for ssh keys
+# Inside /etc/ssh/sshd_config add the lines:
+#   AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+#   AuthorizedKeysCommandUser nobody
+# You can test with the command: sss_ssh_authorizedkeys <username>
+ldap_user_ssh_public_key = nsSshPublicKey
+
+# This prevents an issue where the Directory is recursively walked on group
+# and user look ups. It makes the client faster and more responsive in almost
+# every scenario.
+ignore_group_members = False
+
+[sssd]
+services = nss, pam, ssh, sudo
+config_file_version = 2
+
+domains = ldap
+[nss]
+homedir_substring = /home
+
+
diff --git a/sssd/sssd.conf b/sssd/sssd.conf
new file mode 100644
index 0000000..7a6664d
--- /dev/null
+++ b/sssd/sssd.conf
@@ -0,0 +1,58 @@
+###
+##
+## Prototype System Security Services Daemon configuration for GNU/Linux based systems in the namespaces lysergic.dev / syscid.com /liberta.casa
+##
+## Unless otherwise stated, system/scripts/sh/deploy_directory_client.sh should be run instead of manually setting this file.
+##
+## georg@lysergic.dev
+##
+###
+
+[sssd]
+debug_level = 10
+config_file_version = 2
+services = nss, pam, ssh, sudo
+domains = SYSCID
+
+[nss]
+homedir_substring = /home
+debug_level = 10
+
+[pam]
+debug_level = 10
+pam_verbosity = 3
+pam_account_expired_message = Permission denied - Your SYSCID or LibertaCasa Account EXPIRED.
+pam_account_locked_message = Permission denied - Your SYSCID or LibertaCasa Account is LOCKED.
+
+[ssh]
+debug_level = 10
+
+[sudo]
+debug_level = 10
+
+[domain/SYSCID]
+ignore_group_members = False
+debug_level = 10
+cache_credentials= False
+id_provider = ldap
+auth_provider = ldap
+access_provider = ldap
+chpass_provider = ldap
+ldap_schema = rfc2307bis
+ldap_search_base = dc=syscid,dc=com
+ldap_uri = ldaps://ldap.syscid.com
+ldap_access_filter = (memberOf=cn=syscid_shell_users,ou=syscid-groups,dc=syscid,dc=com)
+access_provider = ldap
+ldap_user_member_of = memberof
+#ldap_group_member = memberUid
+#ldap_group_member = member
+ldap_user_gecos = cn
+ldap_user_uuid = nsUniqueId
+ldap_group_uuid = nsUniqueId
+#ldap_pwd_policy = shadow
+ldap_account_expire_policy = rhds
+ldap_access_order = filter, expire, pwd_expire_policy_renew
+ldap_user_ssh_public_key = sshPublicKey
+sudo_provider = ldap
+ldap_sudo_search_base = ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
+