Prepara un Ubuntu para que permita autenticar con un servidor LDAP. Probado en Ubuntu 12.04 autenticando con un LDAPD en OpenBSD.
#!/bin/bash
# Prepara un Ubuntu como cliente LDAP
# Dominio Público. 2013. [email protected]
# Referencias:
# http://dhobsd.pasosdejesus.org/index.php?id=Atenticar+con+LDAP+desde+Ubuntu
# https://help.ubuntu.com/community/LDAPClientAuthentication
# http://www.jukie.net/~bart/ldap/ldap-authentication-on-debian/
# https://wiki.debian.org/LDAP/NSS
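# Positional parameters (both mandatory):
#   $1 - base DN of the directory, e.g. dc=pasosdeJesus,dc=org
#   $2 - address of the LDAPS server; the client is pointed at ldaps://$2:636
# Exits 1 with a message on stderr if either is missing or if a package
# installation fails or is refused.
dn=$1
ip=$2
if [ -z "$dn" ]; then
  echo "Primer parametro debe ser DN LDAP, e.g dc=pasosdeJesus,dc=org" >&2
  exit 1
fi
if [ -z "$ip" ]; then
  echo "Segundo parametro debe ser IP del servidor LDAPS, e.g 192.168.2.1" >&2
  exit 1
fi
echo "dn=$dn"
echo "ip=$ip"
echo ""
# Packages common to both distributions. apt-get stays interactive so the
# admin can review what is installed; a failure aborts instead of continuing
# with a half-configured client.
apt-get install ldap-utils libpam-ldap || exit 1
# Distributor ID only ("Ubuntu", "Debian", ...); empty when lsb_release is absent.
dist=$(lsb_release -si 2>/dev/null) || dist=""
case "$dist" in
  Ubuntu)
    # ed is used further down on both distributions (it edits ldap.conf and
    # group.conf), so it is requested here too; a no-op if already present.
    apt-get install ed libnss-ldap nslcd nscd ldap-auth-client || exit 1
    auth-client-config -t nss -p lac_ldap
    ;;
  Debian)
    apt-get install ed libnss-ldapd nscd || exit 1
    ;;
esac
# pam-auth-update profile that creates the home directory of a new user on
# first login. Written only if absent so local edits are kept.
# pam-auth-update reads the module line as a continuation of the "Session:"
# field, so it is tab-indented like the stock profiles under /usr/share/pam-configs.
if [ ! -f /usr/share/pam-configs/my_mkhomedir ]; then
  cat > /usr/share/pam-configs/my_mkhomedir <<'EOF'
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
	required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
fi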
# Otra forma de configurar creación de directorios | |
# Alternative to the my_mkhomedir profile: insert pam_mkhomedir directly into
# /etc/pam.d/common-session, just before the pam_unix session line.
# Not called by this script; kept as a manual option. Does nothing when
# pam_mkhomedir.so is already referenced in the file.
x1() {
  if ! grep "pam_mkhomedir.so" /etc/pam.d/common-session > /dev/null 2>&1; then
    # ed: find the pam_unix session line, insert before it, write, quit.
    # NOTE(review): the address pattern uses single spaces between fields;
    # confirm it matches the field separators of the installed file.
    ed /etc/pam.d/common-session <<EOF
/^session required.*pam_unix.so
i
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
.
w
q
EOF
  fi
}
# Configuramos grupos para usuarios LDAP | |
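# Supplementary groups for users, via pam_group(8) and
# /etc/security/group.conf. The rule is appended once (ed 'a' at end of file).
# Its fields "*;*;*" match every service, every tty and every user (it is not
# limited to LDAP accounts) and Al0000-2400 matches at all times, so every
# listed group is granted on every login. dialout, plugdev, lpadmin,
# sambashare, vboxsf and vboxusers widen what an account can do on the
# machine; trim the list to what the site actually needs.
if ! grep -F "*;Al0000-2400" /etc/security/group.conf > /dev/null 2>&1; then
  ed /etc/security/group.conf <<'EOF'
a
*;*;*;Al0000-2400;audio,cdrom,dialout,floppy,software,dip,plugdev,lpadmin,sambashare,vboxsf,vboxusers
.
w
q
EOF
fi
# pam-auth-update profile that puts pam_group in the auth stack so the
# group.conf rule is applied when a user authenticates. Written only if absent.
# The module line is a continuation of the "Auth:" field and is tab-indented
# like the stock profiles under /usr/share/pam-configs.
if [ ! -f /usr/share/pam-configs/my_groups ]; then
  cat > /usr/share/pam-configs/my_groups <<'EOF'
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
	required pam_group.so use_first_pass
EOF
fi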
# Otra forma de configurar grupos en autenticación | |
# Alternative to the my_groups profile: insert pam_group directly into
# /etc/pam.d/common-auth, before the first line that mentions pam_unix.so.
# Not called by this script; kept as a manual option. Skips the edit when
# pam_group.so is already referenced in the file.
x2() {
  if ! grep "pam_group.so" /etc/pam.d/common-auth > /dev/null 2>&1; then
    # ed: go to the first pam_unix.so line, insert before it, write, quit.
    ed /etc/pam.d/common-auth <<EOF
/pam_unix.so
i
auth required pam_group.so use_first_pass
.
w
q
EOF
  fi
}
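if [ "$dist" = "Debian" ]; then
  # libnss-ldapd is not configured by this script: tell the admin what to set.
  # (The file name in the fourth line was previously printed as nsswitch.con.)
  echo "En /etc/libnss-ldap.conf
nss_base_passwd ou=People,dc=example
nss_base_group ou=Group,dc=example
En /etc/nsswitch.conf
passwd: ldap compat
group: ldap compat
shadow: ldap compat
"
fi
echo "Asegurese de elegir 'activate mkhomedir' y 'activate /etc/security/group.conf'"
pam-auth-update
/etc/init.d/nscd restart
# Point the LDAP client library at the server (/etc/ldap/ldap.conf).
# TLS policy: by default "TLS_REQCERT never" is written, which makes the client
# accept any server certificate, so the ldaps:// connection (and the passwords
# sent over it) is not protected against an impostor server. To pin the server
# instead, export LDAP_CACERT=<path to the server CA certificate, PEM> before
# running the script: TLS_CACERT plus "TLS_REQCERT demand" are then written.
# Without LDAP_CACERT the behaviour is unchanged from the original script.
tls_lines="TLS_REQCERT never"
if [ -n "${LDAP_CACERT:-}" ]; then
  if [ ! -r "$LDAP_CACERT" ]; then
    echo "LDAP_CACERT=$LDAP_CACERT no es un archivo legible" >&2
    exit 1
  fi
  tls_lines="TLS_CACERT $LDAP_CACERT
TLS_REQCERT demand"
fi
# Done only once: an existing TLS_REQCERT line means ldap.conf was already set up.
if ! grep "TLS_REQCERT" /etc/ldap/ldap.conf > /dev/null 2>&1; then
  # ed script: append the TLS lines at end of file, then replace the commented
  # #BASE and #URI examples. $dn and $ip are interpolated into s/// commands,
  # so a '/' or '&' in them would break the substitution (not expected in a DN
  # or a server address).
  # NOTE(review): if ldap.conf has no "#BASE"/"#URI" line the search fails;
  # depending on the ed version the remaining commands (including 'w') may be
  # skipped, so check the file afterwards.
  ed /etc/ldap/ldap.conf <<EOF
a
$tls_lines
.
/#BASE
s/^#BASE.*/BASE $dn/g
/#URI
s/^#URI.*/URI ldaps:\/\/$ip:636/g
w
q
EOF
fi
# pam_ldap options for Debian, checked on their own so a re-run still adds them
# (originally this ran only inside the TLS_REQCERT branch above).
if [ "$dist" = "Debian" ]; then
  if ! grep "pam_filter" /etc/ldap/ldap.conf > /dev/null 2>&1; then
    cat >> /etc/ldap/ldap.conf <<'EOF'
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_crypt local
EOF
  fi
fi
echo ""
echo ""
echo "Configurado, se sugiere:"
echo "1. Ejecutar 'ldapsearch -x' para confirmar conexion a servidor LDAP"
echo "2. Ejecutar 'getent group' y verifique que al final se listan los grupos del directorio LDAP"
echo "3. Ejecutar 'su - usuarioldap' para verificar que logra ingresar, que crea el directorio /home/users/usuarioldap y que los grupos listados con 'groups' son los tipicos de un usuario en Ubuntu"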