# emerge -pvq sssd openldap sudo openssh
[ebuild R ] net-nds/openldap-2.4.38-r2 USE="berkdb crypt gnutls ipv6 minimal sasl ssl syslog tcpd -cxx -debug -experimental -icu -iodbc -kerberos -odbc -overlays -perl -samba (-selinux) -slp -smbkrb5passwd" ABI_X86="(64) -32 (-x32)"
[ebuild R ] net-misc/openssh-6.7_p1 USE="hpn pam pie -X -X509 -bindist -kerberos -ldap -ldns -libedit -sctp (-selinux) -skey -static"
[ebuild R ] sys-auth/sssd-1.12.1 USE="ssh sudo -acl -augeas -autofs -locator -manpages -netlink -nfsv4 -nls -python (-selinux) {-test}" PYTHON_TARGETS="python2_7"
[ebuild R ] app-admin/sudo-1.8.12 USE="ldap nls pam sendmail -offensive (-selinux) -skey"
# < /etc/sssd/sssd.conf
# /etc/sssd/sssd.conf for the sssd-1.12.1 build listed above: NSS, PAM,
# sudo and SSH responders backed by one LDAP domain named "example".
# NOTE(review): this file carries the bind password below; SSSD expects
# it to be root-owned with mode 0600, and it must not be copied into a
# world-readable location the way /etc/openldap/ldap.conf is (see ls above).
[sssd]
config_file_version = 2
# responders started; "sudo" and "ssh" correspond to USE="ssh sudo" above
services = nss,pam,sudo,ssh
domains = example
# 0 = fatal errors only, 9 = full trace (see the debug_level table in sssd.conf(5))
debug_level = 1
[nss]
# local/system accounts that are never resolved through SSSD
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
[pam]
[sudo]
subdomain_enumerate = true
# NOTE(review): level 9 is trace output; it is extremely verbose and can
# expose rule contents in the log -- lower it once sudo rules are confirmed.
debug_level = 9
[domain/example]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
ldap_search_base = dc=example,dc=co,dc=jp
# sudoRole entries are searched under this base; it must match the
# sudoers_base in /etc/openldap/ldap.conf shown further down
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=co,dc=jp
# NOTE(review): "never" disables server certificate verification, so the
# TLS channel SSSD uses for password authentication can be intercepted.
# Prefer "demand" together with ldap_tls_cacert pointing at the issuing CA.
ldap_tls_reqcert = never
# plain ldap:// URI; whether lookups are encrypted depends on
# ldap_id_use_start_tls below
ldap_uri = ldap://ldap.example.com
ldap_schema = rfc2307
debug_level = 1
# NOTE(review): enumeration periodically downloads every user and group;
# fine for a small directory, costly on a large one.
enumerate = true
# credentials used for identity lookups; the password is stored in clear text
ldap_default_bind_dn = cn=Authenticator,dc=example,dc=co,dc=jp
ldap_default_authtok = P@ssw0rd!
# rfc2307 group mapping: posixGroup with memberUid members, named by cn
ldap_group_object_class = posixGroup
ldap_group_search_base = ou=Group,dc=example,dc=co,dc=jp
ldap_group_name = cn
ldap_group_member = memberUid
# NOTE(review): false means identity lookups -- including the bind with the
# password above -- travel in clear text over ldap://; set true, or switch
# ldap_uri to ldaps://, so the bind DN password is not exposed on the wire.
ldap_id_use_start_tls = false
chpass_provider = ldap
# allows offline logins from a locally cached hash of the last good password
cache_credentials = true
# < /etc/pam.d/system-auth
# /etc/pam.d/system-auth: local accounts (pam_unix) are tried first, then
# SSSD (pam_sss). Within each management group modules run top to bottom.
auth required pam_env.so
# NOTE(review): nullok lets an account with an empty password field log in;
# drop it unless passwordless local accounts are intended.
auth sufficient pam_unix.so try_first_pass likeauth nullok
# reached only when pam_unix did not succeed; use_first_pass reuses the
# password already collected so the user is prompted once
auth sufficient pam_sss.so use_first_pass
auth optional pam_permit.so
account required pam_unix.so
# users unknown to SSSD are ignored so local accounts still pass; any other
# pam_sss failure (expired, disabled, ...) counts as bad
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account optional pam_permit.so
# password quality gate; see pam_cracklib(8) for the credit/minlen semantics
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
# directory users change their password through SSSD (chpass_provider = ldap
# in sssd.conf above); use_authtok reuses the token cracklib already checked
password sufficient pam_sss.so use_authtok
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
# first login of a directory user creates the home directory; umask=0077
# keeps it private to the owner
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
session optional pam_sss.so
session optional pam_permit.so
# < /etc/nsswitch.conf
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $
# users and groups: local compat files first, then SSSD's nss responder
passwd: compat sss
shadow: compat sss
group: compat sss
# passwd: db files nis
# shadow: db files nis
# group: db files nis
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
# sudo rule sources, in order: /etc/sudoers, sudo's own LDAP backend
# (configured via /etc/ldap.conf.sudo -> /etc/openldap/ldap.conf, which the
# ls above shows as 0644 and which carries the bindpw), then SSSD's sudo
# responder.
# NOTE(review): with sudo_provider = ldap already set in sssd.conf, the
# "ldap" source is redundant and is what forces the bind password into a
# world-readable file; "files sss" alone would serve the same rules.
sudoers: files ldap sss
# ll /etc/ldap.conf.sudo /etc/openldap/ldap.conf /etc/ldap.conf
lrwxrwxrwx 1 root root 23 May 17 17:16 /etc/ldap.conf -> /etc/openldap/ldap.conf
lrwxrwxrwx 1 root root 23 May 17 17:16 /etc/ldap.conf.sudo -> /etc/openldap/ldap.conf
-rw-r--r-- 1 root root 492 May 17 19:48 /etc/openldap/ldap.conf
# < /etc/openldap/ldap.conf
# /etc/openldap/ldap.conf: read by libldap clients and, through the
# /etc/ldap.conf.sudo symlink shown above, by sudo's LDAP backend.
# NOTE(review): the ls above lists this file as -rw-r--r-- (0644), yet it
# holds bindpw below -- every local user can read the Authenticator
# password. Either move the credentials into a root-only 0600 file that
# sudo alone reads, or drop the "ldap" sudoers source in nsswitch.conf and
# let SSSD (which already binds with this DN) serve the rules.
uri ldap://ldap.example.com
base dc=example,dc=co,dc=jp
# NOTE(review): "naver" is not a valid setting (never/allow/try/demand); the
# intended "never" would skip certificate verification entirely. Prefer
# "demand" with the issuing CA configured (TLS_CACERT), and confirm how the
# parser handles the unknown word (ignored vs. rejected) before relying on it.
tls_reqcert naver
# must match ldap_sudo_search_base in sssd.conf above
sudoers_base ou=SUDOers,dc=example,dc=co,dc=jp
#sudoers_debug 2
nss_initgroups backlink
# plain-text bind credentials used by sudo's LDAP lookups over ldap://
binddn cn=Authenticator,dc=example,dc=co,dc=jp
bindpw P@ssw0rd!
# remaining nss_ldap/pam_ldap keys are disabled; user and group identity now
# comes from SSSD via nsswitch.conf
#nss_base_group ou=Group,dc=example,dc=co,dc=jp
#nss_base_passwd ou=People,dc=example,dc=co,dc=jp
#nss_base_shadow ou=People,dc=example,dc=co,dc=jp
#pam_filter objectclass=posixAccount
#pam_login_attribute uid
#pam_member_attribute memberuid
#pam_password exop
#scope one