@mazgi
Last active August 24, 2018 11:03
LDAP on Gentoo
# emerge -pvq sssd openldap sudo openssh
[ebuild   R   ] net-nds/openldap-2.4.38-r2  USE="berkdb crypt gnutls ipv6 minimal sasl ssl syslog tcpd -cxx -debug -experimental -icu -iodbc -kerberos -odbc -overlays -perl -samba (-selinux) -slp -smbkrb5passwd" ABI_X86="(64) -32 (-x32)" 
[ebuild   R   ] net-misc/openssh-6.7_p1  USE="hpn pam pie -X -X509 -bindist -kerberos -ldap -ldns -libedit -sctp (-selinux) -skey -static" 
[ebuild   R   ] sys-auth/sssd-1.12.1  USE="ssh sudo -acl -augeas -autofs -locator -manpages -netlink -nfsv4 -nls -python (-selinux) {-test}" PYTHON_TARGETS="python2_7" 
[ebuild   R   ] app-admin/sudo-1.8.12  USE="ldap nls pam sendmail -offensive (-selinux) -skey" 
# < /etc/sssd/sssd.conf
# /etc/sssd/sssd.conf — read by sssd (config_file_version 2). sssd expects this
# file to be root-owned and mode 0600; it carries a bind password (see below).
[sssd]
config_file_version = 2
# responders started: nss (passwd/group), pam (auth), sudo (rules), ssh (keys)
services = nss,pam,sudo,ssh
domains = example
debug_level = 1

[nss]
# local system accounts never resolved through sssd
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[sudo]
subdomain_enumerate = true
# NOTE(review): 9 is the most verbose level for the sudo responder; it will log
# rule and user details in the sssd logs. Lower it once debugging is finished.
debug_level = 9

[domain/example]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
ldap_search_base = dc=example,dc=co,dc=jp
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=co,dc=jp
# NOTE(review): 'never' disables server certificate validation, so any TLS that
# is negotiated can be intercepted. Prefer 'demand' together with
# ldap_tls_cacert pointing at the CA that issued the server certificate.
ldap_tls_reqcert = never
# NOTE(review): plain ldap:// combined with ldap_id_use_start_tls = false below
# means the bind DN credentials used for lookups cross the network in clear
# text. Use ldaps:// or set ldap_id_use_start_tls = true. (User authentication
# binds are handled separately — sssd insists on TLS for those unless that is
# explicitly disabled; confirm for this version.)
ldap_uri = ldap://ldap.example.com
ldap_schema = rfc2307
debug_level = 1

# NOTE(review): enumeration periodically downloads the whole user and group
# tree; sssd documents it as unsuitable for large directories.
enumerate = true

# NOTE(review): bind password stored in clear text. sss_obfuscate with
# ldap_default_authtok_type = obfuscated_password only hides it from casual
# reading; the 0600 root-only file mode is the real control. This account needs
# only read access to the people, group and SUDOers subtrees — keep it unprivileged.
ldap_default_bind_dn = cn=Authenticator,dc=example,dc=co,dc=jp
ldap_default_authtok = P@ssw0rd!

ldap_group_object_class = posixGroup
ldap_group_search_base = ou=Group,dc=example,dc=co,dc=jp
ldap_group_name = cn
ldap_group_member = memberUid
# see the note on ldap_uri above
ldap_id_use_start_tls = false
chpass_provider = ldap
# keeps a hash of successfully used passwords locally so users can log in while
# the directory is unreachable; usually only wanted on laptops, not servers
cache_credentials = true
# < /etc/pam.d/system-auth
# /etc/pam.d/system-auth — PAM stack for local (pam_unix) and directory (pam_sss)
# users. Lines of one type are evaluated top to bottom; 'sufficient' stops the
# stack on success, so a local account that authenticates never reaches pam_sss.
auth            required        pam_env.so 
# NOTE(review): nullok lets an account with an empty password authenticate;
# drop it unless such accounts are intended.
auth            sufficient      pam_unix.so try_first_pass likeauth nullok 
auth            sufficient      pam_sss.so use_first_pass
auth            optional        pam_permit.so

account required        pam_unix.so 
# a user sssd does not know (purely local account) is ignored rather than rejected
account [default=bad success=ok user_unknown=ignore]            pam_sss.so
account optional        pam_permit.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow 
password        sufficient      pam_sss.so use_authtok
password        optional        pam_permit.so
session         required        pam_limits.so 
session         required        pam_env.so 
session         required        pam_unix.so 
# home directory created on first login; umask=0077 makes it private (0700).
# 'optional' means a failure to create it does not block the session.
session         optional                pam_mkhomedir.so skel=/etc/skel/ umask=0077
session         optional        pam_sss.so
session         optional        pam_permit.so
# < /etc/nsswitch.conf
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $

# sources are consulted left to right: 'compat' reads the local files,
# 'sss' asks sssd's nss responder for directory users and groups
passwd:      compat sss
shadow:      compat sss
group:       compat sss

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files

# NOTE(review): sudo rules come from local sudoers, then sudo's own LDAP client
# (configured through /etc/ldap.conf.sudo, shown below), then sssd's sudo
# responder. Both 'ldap' and 'sss' are pointed at ldap.example.com on this page,
# so every sudo invocation queries the same directory twice; keep one once the
# other is confirmed working.
sudoers:     files ldap sss
# ll /etc/ldap.conf.sudo /etc/openldap/ldap.conf /etc/ldap.conf
lrwxrwxrwx 1 root root  23 May 17 17:16 /etc/ldap.conf -> /etc/openldap/ldap.conf
lrwxrwxrwx 1 root root  23 May 17 17:16 /etc/ldap.conf.sudo -> /etc/openldap/ldap.conf
-rw-r--r-- 1 root root 492 May 17 19:48 /etc/openldap/ldap.conf
# < /etc/openldap/ldap.conf
# /etc/openldap/ldap.conf — libldap client defaults; also read by sudo through
# the /etc/ldap.conf.sudo symlink (see the 'sudo -V' output below).
# NOTE(review): sudo sends bindpw in clear text over a plain ldap:// uri unless
# 'ssl start_tls' (sudoers.ldap(5)) is set or an ldaps:// uri is used.
uri ldap://ldap.example.com
base dc=example,dc=co,dc=jp
# NOTE(review): 'naver' is not a recognised TLS_REQCERT value (typo for 'never').
# libldap most likely ignores the line and keeps its default of 'demand', which
# is the value wanted anyway — write it explicitly and add tls_cacert pointing at
# the issuing CA, e.g. `tls_reqcert demand` / `tls_cacert <PATH-TO-CA-BUNDLE>`.
tls_reqcert naver
sudoers_base ou=SUDOers,dc=example,dc=co,dc=jp
#sudoers_debug 2
nss_initgroups backlink

# NOTE(review): clear-text bind password in a file the listing above shows as
# mode 0644 (world-readable). Only sudo, running as root, reads it on this host
# (nsswitch uses sss, not ldap), so restrict it to 0600 root:root — or use
# rootbinddn with the password kept in /etc/ldap.secret as sudoers.ldap(5) describes.
binddn cn=Authenticator,dc=example,dc=co,dc=jp
bindpw P@ssw0rd!

# pam_ldap/nss_ldap-era settings left commented out; nothing on this host uses
# the 'ldap' nss source, so they are not consulted
#nss_base_group ou=Group,dc=example,dc=co,dc=jp
#nss_base_passwd ou=People,dc=example,dc=co,dc=jp
#nss_base_shadow ou=People,dc=example,dc=co,dc=jp
#pam_filter objectclass=posixAccount
#pam_login_attribute uid
#pam_member_attribute memberuid
#pam_password exop
#scope one

openldap

# emerge -pv openldap

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] net-nds/openldap-2.4.38-r2  USE="berkdb crypt gnutls ipv6 sasl ssl syslog tcpd -cxx -debug -experimental -icu -iodbc -kerberos -minimal -odbc -overlays -perl -samba (-selinux) -slp -smbkrb5passwd" ABI_X86="(64) (-32) (-x32)" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB
# bzip2 -dc /usr/share/doc/sudo-1.8.11_p1/schema.OpenLDAP.bz2 > /etc/openldap/schema/sudo.schema
# /usr/lib64/openldap/slapd -u ldap -g ldap -d 255
# sudo -V | grep 'ldap.conf path:'
ldap.conf path: /etc/ldap.conf.sudo

sssd

# emerge -pv sssd

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] sys-auth/sssd-1.12.1  USE="locator manpages ssh sudo -acl -augeas -autofs -netlink -nfsv4 -nls -python (-selinux) {-test}" PYTHON_TARGETS="python2_7" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB

pam

/etc/pam.d/system-auth

--- /etc/pam.d/system-auth      2014-12-04 13:17:13.000000000 +0900
+++ system-auth.example 2014-07-04 10:54:59.000000000 +0900
@@ -1,15 +1,20 @@
 auth           required        pam_env.so 
-auth           required        pam_unix.so try_first_pass likeauth nullok 
+auth           sufficient      pam_unix.so try_first_pass likeauth nullok 
+auth           sufficient      pam_sss.so use_first_pass
 auth           optional        pam_permit.so
  
 account                required        pam_unix.so 
+account        [default=bad success=ok user_unknown=ignore] pam_sss.so
 account                optional        pam_permit.so
  
 password       required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 
-password       required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow 
+password       sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow 
+password       sufficient      pam_sss.so use_authtok
 password       optional        pam_permit.so
  
 session                required        pam_limits.so 
 session                required        pam_env.so 
 session                required        pam_unix.so 
+session                required        pam_mkhomedir.so skel=/etc/skel umask=0022
+session                optional        pam_sss.so
 session                optional        pam_permit.so
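Review bot: The added line `+session required pam_mkhomedir.so skel=/etc/skel umask=0022` creates home directories world-readable (0755) and, being `required`, blocks the whole session when directory creation fails; the deployed /etc/pam.d/system-auth shown earlier on this page instead uses `session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077`, so this example diff is stale relative to what is actually running. If the diff is meant as the reference to copy, it should carry the stricter `umask=0077`. The rewritten `auth sufficient pam_unix.so try_first_pass likeauth nullok` line keeps `nullok`, so a local account with an empty password now succeeds and short-circuits the stack before pam_sss is consulted; consider dropping `nullok` unless empty-password accounts are intended.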

openssh

# emerge -pv openssh

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] net-misc/openssh-6.7_p1  USE="hpn pam pie -X -X509 -bindist -kerberos -ldap -ldns -libedit -sctp (-selinux) -skey -static" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB
# grep -vE '^\s*(#|$)' /etc/ssh/sshd_config
# /etc/ssh/sshd_config (comment and blank lines stripped by the grep above)
PubkeyAuthentication yes
# public keys are fetched from the directory through sssd's ssh responder
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
# NOTE(review): this directive takes a literal account name, not a %u token —
# sshd resolves the value with getpwnam, so '%u' will not be found and the
# command above is never run. Use a dedicated unprivileged account, e.g.
# `AuthorizedKeysCommandUser nobody`. (%u belongs in AuthorizedKeysCommand's
# arguments, if it is needed there at all.)
AuthorizedKeysCommandUser %u
# key-only logins: passwords and keyboard-interactive are refused, PAM is still
# used for the account and session stages
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PrintMotd no
PrintLastLog no
UsePrivilegeSeparation sandbox          # Default for new installations.
Subsystem       sftp    /usr/lib64/misc/sftp-server
AcceptEnv LANG LC_*