Last active
April 28, 2020 17:56
-
-
Save danfinn/38fc588f4386724376b44db781ab0405 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Packages installed: | |
class ad_auth::packages { | |
case $osfamily { | |
RedHat: { | |
package { 'nscd': ensure => 'installed' } | |
package { 'pam_ldap' : ensure => 'installed' } | |
package { 'nss-pam-ldapd' : ensure => 'installed' } | |
} | |
Debian: { | |
package { 'nscd': ensure => 'installed' } | |
package { 'nslcd': ensure => 'installed' } | |
package { 'libpam-ldapd': ensure => 'installed' } | |
package { 'auth-client-config': ensure => 'installed' } | |
package { 'libpam-cracklib': ensure => 'installed' } | |
} | |
} | |
Run this command: | |
'/usr/sbin/auth-client-config -p ldap_example -a' | |
which sets up nsswitch.conf | |
root@ps-test-app01:~# cat /etc/nsswitch.conf | |
# /etc/nsswitch.conf | |
# | |
# Example configuration of GNU Name Service Switch functionality. | |
# If you have the `glibc-doc-reference' and `info' packages installed, try: | |
# `info libc "Name Service Switch"' for information about this file. | |
# pre_auth-client-config # passwd: compat | |
passwd: files ldap | |
# pre_auth-client-config # group: compat | |
group: files ldap | |
# pre_auth-client-config # shadow: compat | |
shadow: files ldap | |
gshadow: files | |
hosts: files dns | |
networks: files | |
protocols: db files | |
services: db files | |
ethers: db files | |
rpc: db files | |
# pre_auth-client-config # netgroup: nis | |
netgroup: nis | |
root@ps-test-app01:~# cat /etc/pam.d/common-account | |
# | |
# /etc/pam.d/common-account - authorization settings common to all services | |
# | |
# This file is included from other service-specific PAM config files, | |
# and should contain a list of the authorization modules that define | |
# the central access policy for use on the system. The default is to | |
# only deny service to users whose accounts are expired in /etc/shadow. | |
# | |
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. | |
# To take advantage of this, it is recommended that you configure any | |
# local modules either before or after the default block, and use | |
# pam-auth-update to manage selection of other modules. See | |
# pam-auth-update(8) for details. | |
# | |
# pre_auth-client-config # # here are the per-package modules (the "Primary" block) | |
# pre_auth-client-config # account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so | |
# pre_auth-client-config # # here's the fallback if no module succeeds | |
# pre_auth-client-config # account requisite pam_deny.so | |
# prime the stack with a positive return value if there isn't one already; | |
# this avoids us returning an error just because nothing sets a success code | |
# since the modules above will each just jump around | |
# pre_auth-client-config # account required pam_permit.so | |
account required pam_access.so | |
# pre_auth-client-config # # and here are more per-package modules (the "Additional" block) | |
# pre_auth-client-config # account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000 | |
# pre_auth-client-config # # end of pam-auth-update config | |
account sufficient pam_unix.so | |
account sufficient pam_ldap.so | |
account required pam_deny.so | |
root@ps-test-app01:~# cat /etc/nslcd.conf | |
############################################################### | |
# # | |
# This file is managed by puppet. Any changes you make # | |
# will be overwritten. If you need to make changes to this # | |
# file please submit a ticket to the DevOps group. # | |
# # | |
############################################################### | |
# /etc/nslcd.conf | |
# nslcd configuration file. See nslcd.conf(5) | |
# for details. | |
# The user and group nslcd should run as. | |
uid nslcd | |
gid nslcd | |
# disconnect after this amount of time (in seconds) of inactivity | |
idle_timelimit 180 | |
# set the time limit for the connection setup | |
bind_timelimit 25 | |
# The location at which the LDAP server(s) should be reachable. | |
uri ldaps://ds-pdc.domain.local/ | |
uri ldaps://ds-pdc01.domain.local/ | |
# The search base that will be used for all queries. | |
base dc=domain,dc=local | |
#base ou=People,dc=plansource,dc=local | |
# The LDAP protocol version to use. | |
ldap_version 3 | |
# The DN to bind with for normal lookups. | |
binddn CN=ldap,OU=Service Accounts,OU=IT,DC=domain,DC=local | |
bindpw $$$password$$$ | |
# The DN used for password modifications by root. | |
#rootpwmoddn cn=admin,dc=example,dc=com | |
# SSL options | |
ssl on | |
tls_reqcert never | |
# The search scope. | |
#scope sub | |
# disable referrals. this is what fixed the issue where nslcd was making requests to ALL of our AD servers | |
referrals no | |
nss_initgroups_ignoreusers ALLLOCAL | |
filter passwd (&(&(objectClass=person)(uidNumber=*))) | |
#filter passwd (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*)) | |
map passwd uid sAMAccountName | |
map passwd homeDirectory unixHomeDirectory | |
map passwd gecos displayName | |
# If you wish to override the shell given by LDAP, uncomment the next line | |
#map passwd loginShell "/bin/bash" | |
filter shadow (&(&(objectClass=person)(uidNumber=*))) | |
#filter shadow (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*)) | |
map shadow uid sAMAccountName | |
map shadow shadowLastChange pwdLastSet | |
filter group (&(objectClass=group)(gidNumber=*)) | |
#map group gid member |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment