From 5f1c378aa6b120d036b37fa07ee86c3005376b9e Mon Sep 17 00:00:00 2001 From: Georg Date: Mon, 30 Aug 2021 21:57:59 +0200 Subject: Init directory client configurations Signed-off-by: Georg --- sssd/client_sssd.generated.conf | 72 +++++++++++++++++++++++++++++++++++++++++ sssd/sssd.conf | 58 +++++++++++++++++++++++++++++++++ 2 files changed, 130 insertions(+) create mode 100644 sssd/client_sssd.generated.conf create mode 100644 sssd/sssd.conf (limited to 'sssd') diff --git a/sssd/client_sssd.generated.conf b/sssd/client_sssd.generated.conf new file mode 100644 index 0000000..3615f96 --- /dev/null +++ b/sssd/client_sssd.generated.conf @@ -0,0 +1,72 @@ +WARNING: ldap_uri starts with ldapi:// - you should review this parameter in the sssd configuration + +# +# sssd.conf +# Generated by 389 Directory Server - dsidm +# +# For more details see man sssd.conf and man sssd-ldap +# Be sure to review the content of this file to ensure it is secure and correct +# in your environment. + +[domain/ldap] +# Uncomment this for more verbose logging. +# debug_level=3 + +# Cache hashes of user authentication for offline auth. +cache_credentials = True +id_provider = ldap +auth_provider = ldap +access_provider = ldap +chpass_provider = ldap +ldap_schema = rfc2307bis +ldap_search_base = dc=syscid,dc=com +ldap_uri = ldapi://%2fvar%2frun%2fslapd-syscid.socket +# If you have DNS SRV records, you can use the following instead. This derives +# from your ldap_search_base. +# ldap_uri = _srv_ + +ldap_tls_reqcert = demand +# To use cacert dir, place *.crt files in this path then run: +# /usr/bin/openssl rehash /etc/openldap/certs +# or (for older versions of openssl) +# /usr/bin/c_rehash /etc/openldap/certs +ldap_tls_cacertdir = /etc/openldap/certs + +# Path to the cacert +# ldap_tls_cacert = /etc/openldap/certs/ca.crt + +# Only users who match this filter can login and authorise to this machine. Note +# that users who do NOT match, will still have their uid/gid resolve, but they +# can't login. +# ldap_access_filter = (memberOf=) + +enumerate = false +access_provider = ldap +ldap_user_member_of = memberof +ldap_user_gecos = cn +ldap_user_uuid = nsUniqueId +ldap_group_uuid = nsUniqueId +# This is really important as it allows SSSD to respect nsAccountLock +ldap_account_expire_policy = rhds +ldap_access_order = filter, expire +# Setup for ssh keys +# Inside /etc/ssh/sshd_config add the lines: +# AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys +# AuthorizedKeysCommandUser nobody +# You can test with the command: sss_ssh_authorizedkeys +ldap_user_ssh_public_key = nsSshPublicKey + +# This prevents an issue where the Directory is recursively walked on group +# and user look ups. It makes the client faster and more responsive in almost +# every scenario. +ignore_group_members = False + +[sssd] +services = nss, pam, ssh, sudo +config_file_version = 2 + +domains = ldap +[nss] +homedir_substring = /home + + diff --git a/sssd/sssd.conf b/sssd/sssd.conf new file mode 100644 index 0000000..7a6664d --- /dev/null +++ b/sssd/sssd.conf @@ -0,0 +1,58 @@ +### +## +## Prototype System Security Services Daemon configuration for GNU/Linux based systems in the namespaces lysergic.dev / syscid.com /liberta.casa +## +## Unless otherwise stated, system/scripts/sh/deploy_directory_client.sh should be run instead of manually setting this file. +## +## georg@lysergic.dev +## +### + +[sssd] +debug_level = 10 +config_file_version = 2 +services = nss, pam, ssh, sudo +domains = SYSCID + +[nss] +homedir_substring = /home +debug_level = 10 + +[pam] +debug_level = 10 +pam_verbosity = 3 +pam_account_expired_message = Permission denied - Your SYSCID or LibertaCasa Account EXPIRED. +pam_account_locked_message = Permission denied - Your SYSCID or LibertaCasa Account is LOCKED. + +[ssh] +debug_level = 10 + +[sudo] +debug_level = 10 + +[domain/SYSCID] +ignore_group_members = False +debug_level = 10 +cache_credentials= False +id_provider = ldap +auth_provider = ldap +access_provider = ldap +chpass_provider = ldap +ldap_schema = rfc2307bis +ldap_search_base = dc=syscid,dc=com +ldap_uri = ldaps://ldap.syscid.com +ldap_access_filter = (memberOf=cn=syscid_shell_users,ou=syscid-groups,dc=syscid,dc=com) +access_provider = ldap +ldap_user_member_of = memberof +#ldap_group_member = memberUid +#ldap_group_member = member +ldap_user_gecos = cn +ldap_user_uuid = nsUniqueId +ldap_group_uuid = nsUniqueId +#ldap_pwd_policy = shadow +ldap_account_expire_policy = rhds +ldap_access_order = filter, expire, pwd_expire_policy_renew +ldap_user_ssh_public_key = sshPublicKey +sudo_provider = ldap +ldap_sudo_search_base = ou=SUDOers,ou=syscid-system,dc=syscid,dc=com + -- cgit v1.2.3