lemoinem · June 15, 2016 07:01
diff --git a/ldap.conf b/ldap.conf
 base    dc=ldap,dc=office
 uri     ldap://ldap.office

 ssl start_tls
 tls_cacert /etc/ssl/certs/CA.pem
diff --git a/nsswitch.conf [extract] b/nsswitch.conf [extract]
 passwd: files sss
 group: files sss
 shadow: files sss
diff --git a/openssh_user_public_key.schema.ldiff b/openssh_user_public_key.schema.ldiff
 dn: cn=openssh_user_public_key,cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: openssh-lpk_openldap
 olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES
 C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.40 )
 olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
  'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MAY ( sshPublicKey $
 uid ) )
diff --git a/pam.d [summary] b/pam.d [summary]
 #%PAM-1.0

 auth        required      pam_env.so
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
 auth        sufficient    pam_sss.so use_first_pass
 auth        required      pam_deny.so

 account     required      pam_unix.so broken_shadow
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
 account [default=bad success=ok user_unknown=ignore] pam_sss.so
 account     required      pam_permit.so

 password    requisite     pam_cracklib.so try_first_pass retry=3
 password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password    sufficient    pam_sss.so use_authtok
 password    required      pam_deny.so

 session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel/
 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     sufficient    pam_sss.so
 session     required      pam_unix.so
diff --git a/sssd.conf b/sssd.conf
 [sssd]
 config_file_version = 2
 reconnection_retries = 3
 sbus_timeout = 30
 services = nss, pam, ssh
 domains = office
 #debug_level = 10

 [nss]
 filter_groups = root
 filter_users = root
 reconnection_retries = 3

 [pam]
 reconnection_retries = 3
 offline_credentials_expirations = 0

 [ssh]

 [domain/office]
 ; Using enumerate = true leads to high load and slow response
 enumerate = true
 cache_credentials = true

 id_provider = ldap
 auth_provider = ldap
 chpass_provider = ldap

 ldap_uri = ldap://ldap.office
 ldap_search_base = dc=ldap,dc=office
 ldap_tls_reqcert = demand
 ldap_tls_cacert = /etc/ssl/certs/CA.pem

 ldap_user_ssh_public_key = sshPublicKey
 ldap_user_search_base = cn=users,dc=ldap,dc=office
 ldap_group_search_base = cn=groups,dc=ldap,dc=office

 entry_cache_timeout = 1
	base dc=ldap,dc=office
	uri ldap://ldap.office

	ssl start_tls
	tls_cacert /etc/ssl/certs/CA.pem
	dn: cn=openssh_user_public_key,cn=schema,cn=config
	objectClass: olcSchemaConfig
	cn: openssh-lpk_openldap
	olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES
	C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.
	1.1466.115.121.1.40 )
	olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
	'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MAY ( sshPublicKey $
	uid ) )
	#%PAM-1.0

	auth required pam_env.so
	auth sufficient pam_unix.so nullok try_first_pass
	auth requisite pam_succeed_if.so uid >= 500 quiet
	auth sufficient pam_sss.so use_first_pass
	auth required pam_deny.so

	account required pam_unix.so broken_shadow
	account sufficient pam_localuser.so
	account sufficient pam_succeed_if.so uid < 500 quiet
	account [default=bad success=ok user_unknown=ignore] pam_sss.so
	account required pam_permit.so

	password requisite pam_cracklib.so try_first_pass retry=3
	password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
	password sufficient pam_sss.so use_authtok
	password required pam_deny.so

	session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
	session optional pam_keyinit.so revoke
	session required pam_limits.so
	session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
	session sufficient pam_sss.so
	session required pam_unix.so
	[sssd]
	config_file_version = 2
	reconnection_retries = 3
	sbus_timeout = 30
	services = nss, pam, ssh
	domains = office
	#debug_level = 10

	[nss]
	filter_groups = root
	filter_users = root
	reconnection_retries = 3

	[pam]
	reconnection_retries = 3
	offline_credentials_expirations = 0

	[ssh]

	[domain/office]
	; Using enumerate = true leads to high load and slow response
	enumerate = true
	cache_credentials = true

	id_provider = ldap
	auth_provider = ldap
	chpass_provider = ldap

	ldap_uri = ldap://ldap.office
	ldap_search_base = dc=ldap,dc=office
	ldap_tls_reqcert = demand
	ldap_tls_cacert = /etc/ssl/certs/CA.pem

	ldap_user_ssh_public_key = sshPublicKey
	ldap_user_search_base = cn=users,dc=ldap,dc=office
	ldap_group_search_base = cn=groups,dc=ldap,dc=office

	entry_cache_timeout = 1