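#!/bin/sh
###########################################################
# Install LDAP-server
#
# Builds a TLS-only OpenLDAP (slapd) server: backend database,
# logging through rsyslog, sudo schema, auditlog and ppolicy
# overlays, a private CA with server and client certificates,
# client-certificate enforcement and finally a firewall hole
# for LDAPS. Must be run as root on the LDAP server itself.
#
# Environment:
#   LDAP_ADMIN_PW  cleartext password for cn=admin,cn=config and
#                  cn=Manager,dc=syco,dc=net. Defaults to the
#                  placeholder "secret" and MUST match the SSHA
#                  hash in LDAP_ADMIN_PW_HASH below.
###########################################################
set -eu

LDAP_IP=10.100.110.7
LDAP_HOST=ldap.syco.net
CACERTS=/etc/openldap/cacerts
LDAP_ADMIN_PW=${LDAP_ADMIN_PW:-secret}
# SSHA hash of LDAP_ADMIN_PW (placeholder: regenerate both with slappasswd).
LDAP_ADMIN_PW_HASH='{SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb'

# The bind password is handed to the ldap tools through a private file
# (-y) instead of "-w secret", which every local user can read in ps.
# Note: -y uses the file content verbatim, so it must not end in a newline.
PWFILE=$(mktemp) || exit 1
# Scratch directory for the sudo schema conversion (was ~/sudoWork).
SUDOWORK=$(mktemp -d) || exit 1
cleanup() { rm -rf -- "$PWFILE" "$SUDOWORK"; }
trap cleanup EXIT
printf '%s' "$LDAP_ADMIN_PW" > "$PWFILE"

#######################################
# Wait until slapd accepts an authenticated base search on cn=config.
# Replaces a fixed "sleep 1", which raced the daemon start.
# Arguments: $1 - LDAP URI to probe
# Returns:   0 once slapd answers, 1 after 30 attempts
#######################################
wait_for_slapd() {
  _try=0
  while [ "$_try" -lt 30 ]; do
    if ldapsearch -x -H "$1" -D "cn=admin,cn=config" -y "$PWFILE" \
        -b cn=config -s base '(objectclass=*)' > /dev/null 2>&1; then
      return 0
    fi
    _try=$((_try + 1))
    sleep 1
  done
  echo "slapd did not become ready on $1" >&2
  return 1
}

###########################################################
# Base system
###########################################################
# Enable SELinux for higher security.
setenforce 1
setsebool -P domain_kernel_load_modules 1

# Communication with the LDAP-server needs to be done with domain name, and not
# the ip. This ensures the dns-name is configured. Any stale line for the
# server ip is dropped first so that re-runs do not pile up duplicates.
sed -i "/^$LDAP_IP[[:space:]]/d" /etc/hosts
printf '%s %s\n' "$LDAP_IP" "$LDAP_HOST" >> /etc/hosts

# Install all required packages.
yum -y install openldap-servers openldap-clients

# Create backend database.
cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap

# Set password for cn=admin,cn=config before the first start, so that the
# configuration steps below can bind to cn=config.
cat >> "/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif" << EOF
olcRootPW: $LDAP_ADMIN_PW_HASH
EOF

# Autostart slapd after reboot, start it and wait until it answers.
chkconfig slapd on
service slapd start
wait_for_slapd "ldap://$LDAP_HOST"

###########################################################
# General configuration of the server.
###########################################################
# Create folder to store log files in (-p keeps a re-run from failing).
mkdir -p /var/log/slapd
chmod 755 /var/log/slapd
chown ldap:ldap /var/log/slapd

# Redirect all log files through rsyslog (slapd logs to facility local4).
sed -i "/local4.*/d" /etc/rsyslog.conf
cat >> /etc/rsyslog.conf << 'EOF'
local4.* /var/log/slapd/slapd.log
EOF
service rsyslog restart

# Do the configurations. LDIF records must be separated by blank lines.
ldapadd -H "ldap://$LDAP_HOST" -x -D "cn=admin,cn=config" -y "$PWFILE" << EOF
# Setup logfile (not working now, probably needing debug level settings.)
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: config stats shell
-
replace: olcIdleTimeout
olcIdleTimeout: 30

# Set access for the monitor db.
dn: olcDatabase={2}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="cn=Manager,dc=syco,dc=net" read by * none

# Set password for cn=admin,cn=config
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: $LDAP_ADMIN_PW_HASH

# Change LDAP-domain, password and access rights.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=syco,dc=net
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=syco,dc=net
-
replace: olcRootPW
olcRootPW: $LDAP_ADMIN_PW_HASH
-
replace: olcAccess
olcAccess: {0}to attrs=employeeType by dn="cn=sssd,dc=syco,dc=net" read by self read by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {2}to dn.base="" by * none
olcAccess: {3}to * by dn="cn=admin,cn=config" write by dn="cn=sssd,dc=syco,dc=net" read by self write by * none
EOF

##########################################################
# Configure sudo in ldap
#
# Users that should have sudo rights, are configured in
# the ldap-db. The ldap sudo schema is not configured
# by default, and is created here.
#
# http://eatingsecurity.blogspot.com/2008/10/openldap-continued.html
# http://www.sudo.ws/sudo/man/1.8.2/sudoers.ldap.man.html
##########################################################
# Copy the sudo Schema into the LDAP schema repository
/bin/cp -f /usr/share/doc/sudo-1.7.2p2/schema.OpenLDAP /etc/openldap/schema/sudo.schema
restorecon /etc/openldap/schema/sudo.schema

# Create a conversion file for schema
echo "include /etc/openldap/schema/sudo.schema" > "$SUDOWORK/sudoSchema.conf"

# Convert the "Schema" to "LDIF". slapcat writes its converted config tree
# into the -F directory, so point it at the scratch dir instead of /tmp.
slapcat -f "$SUDOWORK/sudoSchema.conf" -F "$SUDOWORK" -n0 \
  -s "cn={0}sudo,cn=schema,cn=config" > "$SUDOWORK/sudo.ldif"

# Remove invalid data (the {0} ordering prefix slapcat adds).
sed -i "s/{0}sudo/sudo/g" "$SUDOWORK/sudo.ldif"

# Remove last 8 (invalid) lines.
head -n -8 "$SUDOWORK/sudo.ldif" > "$SUDOWORK/sudo2.ldif"

# Load the schema into the LDAP server
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -y "$PWFILE" -f "$SUDOWORK/sudo2.ldif"

# Add index to sudoers db
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -y "$PWFILE" << 'EOF'
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: sudoUser eq
EOF

###########################################################
# Create modules area
#
###########################################################
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -y "$PWFILE" << 'EOF'
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap/
EOF

###########################################################
# Add auditlog overlay.
#
# http://www.manpagez.com/man/5/slapo-auditlog/
###########################################################
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -y "$PWFILE" << 'EOF'
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog.la

dn: olcOverlay=auditlog,olcDatabase={1}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /var/log/slapd/auditlog.log
EOF

###########################################################
# Add accesslog overlay.
#
# http://www.manpagez.com/man/5/slapo-accesslog/
#
# TODO: Didn't get it working.
# NOTE(review): the module file is accesslog.la (not access.la), and the
# log database has to be configured through olc* attributes on a separate
# database entry rather than slapd.conf keywords; start there when retrying.
#
###########################################################
# ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -y "$PWFILE" << EOF
# dn: cn=module,cn=config
# objectClass: olcModuleList
# cn: module
# olcModulePath: /usr/lib64/openldap/
# olcModuleLoad: access.la
#
#
# dn: olcOverlay=accesslog,olcDatabase={1}bdb,cn=config
# changetype: add
# olcOverlay: accesslog
# objectClass: olcOverlayConfig
# objectClass: olcAccessLogConfig
# logdb: cn=auditlog
# logops: writes reads
# # read log every 5 days and purge entries
# # when older than 30 days
# logpurge 180+00:00 5+00:00
# # optional - saves the previous contents of
# # person objectclass before performing a write operation
# logold: (objectclass=person)
# EOF

###########################################################
# Add pwdpolicy overlay
#
# http://www.zytrax.com/books/ldap/ch6/ppolicy.html
# http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=5&apropos=0&manpath=OpenLDAP+2.3-Release
# http://www.symas.com/blog/?page_id=66
###########################################################
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -y "$PWFILE" << 'EOF'
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

dn: olcOverlay=ppolicy,olcDatabase={1}bdb,cn=config
olcOverlay: ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyDefault: cn=default,ou=pwpolicies,dc=syco,dc=net
EOF

##########################################################
# Add users, groups, sudoers. Ie. the dc=syco,dc=net database.
##########################################################
ldapadd -H ldap:/// -x -D "cn=Manager,dc=syco,dc=net" -y "$PWFILE" -f /opt/syco/doc/ldap/manager.ldif

###########################################################
# Create certificates
###########################################################
mkdir -p "$CACERTS"

# Create CA (ca.srl is the serial file "openssl x509 -CA" picks up by default).
echo "00" > "$CACERTS/ca.srl"
openssl req -new -x509 -sha512 -nodes -days 3650 -newkey rsa:4096 \
  -out "$CACERTS/ca.crt" \
  -keyout "$CACERTS/ca.key" \
  -subj '/O=syco/OU=System Console Project/CN=systemconsole.github.com'

# Creating server cert
openssl req -new -sha512 -nodes -days 1095 -newkey rsa:4096 \
  -keyout "$CACERTS/slapd.key" \
  -out "$CACERTS/slapd.csr" \
  -subj '/O=syco/OU=System Console Project/CN=ldap.syco.net'
openssl x509 -req -sha512 -days 1095 \
  -in "$CACERTS/slapd.csr" \
  -out "$CACERTS/slapd.crt" \
  -CA "$CACERTS/ca.crt" \
  -CAkey "$CACERTS/ca.key"

#
# Customer create a CSR (Certificate Signing Request) file for client cert
#
openssl req -new -sha512 -nodes -days 1095 -newkey rsa:4096 \
  -keyout "$CACERTS/client.key" \
  -out "$CACERTS/client.csr" \
  -subj '/O=syco/OU=System Console Project/CN=client.syco.net'

#
# Create a signed client crt. The v3 extensions mark it as a leaf
# certificate that can only be used for signatures.
#
cat > "$CACERTS/sign.conf" << 'EOF'
[ v3_req ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
EOF
openssl x509 -req -days 1095 \
  -sha512 \
  -extensions v3_req \
  -extfile "$CACERTS/sign.conf" \
  -CA "$CACERTS/ca.crt" \
  -CAkey "$CACERTS/ca.key" \
  -in "$CACERTS/client.csr" \
  -out "$CACERTS/client.crt"

# One file with both crt and key. Easier to manage the cert on client side.
cat "$CACERTS/client.crt" "$CACERTS/client.key" > "$CACERTS/client.pem"

# Create hash links and set permissions. slapd runs as user ldap and needs
# the server key, hence group ldap on the directory; the CA key is only ever
# used by root here, so it is taken back to root-only afterwards.
/usr/sbin/cacertdir_rehash "$CACERTS"
chown -Rf root:ldap "$CACERTS"
chmod -Rf 750 "$CACERTS"
chmod 600 "$CACERTS/ca.key"
restorecon -R "$CACERTS"

# View cert info
# openssl x509 -text -in /etc/openldap/cacerts/ca.crt
# openssl x509 -text -in /etc/openldap/cacerts/slapd.crt
# openssl x509 -text -in /etc/openldap/cacerts/client.pem
# openssl req -noout -text -in /etc/openldap/cacerts/client.csr

###########################################################
# Configure ssl
#
# Configure slapd to only be accessible over ssl,
# with client certificate.
#
# NOTE(review): the cipher list still admits MEDIUM-strength suites;
# tighten it once every client has been verified against HIGH only.
#
# http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0
# http://www.openldap.org/faq/data/cache/185.html
###########################################################
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -y "$PWFILE" << 'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/cacerts/slapd.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/cacerts/slapd.crt
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/cacerts/ca.crt
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:MEDIUM:-SSLv2
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand
EOF

# Enable LDAPS and disable LDAP
sed -i 's/[#]*SLAPD_LDAPS=.*/SLAPD_LDAPS=yes/g' /etc/sysconfig/ldap
sed -i 's/[#]*SLAPD_LDAP=.*/SLAPD_LDAP=no/g' /etc/sysconfig/ldap
service slapd restart

# Configure the client cert to be used by ldapsearch for user root.
# sed's basic regex treats "|" literally, so each key gets its own pattern;
# touch first so sed does not fail on a missing file under set -e.
touch /root/ldaprc
sed -i -e '/^TLS_CERT/d' -e '/^TLS_KEY/d' /root/ldaprc
cat >> /root/ldaprc << EOF
TLS_CERT $CACERTS/client.pem
TLS_KEY $CACERTS/client.pem
EOF
wait_for_slapd "ldaps://$LDAP_HOST"

###########################################################
# Require higher security from clients.
###########################################################
ldapadd -H "ldaps://$LDAP_HOST" -x -D "cn=admin,cn=config" -y "$PWFILE" << 'EOF'
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: 128
-
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain

dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: ssf=128
olcSecurity: simple_bind=128
olcSecurity: tls=128
EOF

###########################################################
# Open firewall
#
# Let clients connect to the server through the firewall.
# This is done after everything else is done, so we are sure
# that the server is secure before letting somebody in.
# The rule is not persisted across reboots unless saved
# (service iptables save).
# TODO: Add destination ip
###########################################################
iptables -I INPUT -m state --state NEW -p tcp -s "$LDAP_IP/24" --dport 636 -j ACCEPT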
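#!/bin/sh
###########################################################
# Install LDAP-client
#
# This part should be executed on both LDAP-Server and
# on all clients that should authenticate against the
# LDAP-server. Installs sssd and the ldap tools, fetches the
# client certificate and CA from the server, and configures
# sssd and sudo-ldap to use LDAPS with a client certificate.
#
# Environment:
#   SSSD_BIND_PW  password of cn=sssd,dc=syco,dc=net. Defaults to
#                 the placeholder "secret"; must match the
#                 userPassword hash in manager.ldif.
#
# This script is based on information from at least the following links.
# http://www.server-world.info/en/note?os=CentOS_6&p=ldap&f=2
# http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/chap-SSSD_User_Guide-Introduction.html
#
###########################################################
set -eu

LDAP_IP=10.100.110.7
LDAP_HOST=ldap.syco.net
CACERTS=/etc/openldap/cacerts
SSSD_BIND_PW=${SSSD_BIND_PW:-secret}

###########################################################
# Uninstall sssd
#
# Note: Only needed if sssd has been setup before.
# might need --skip-broken when installing sssd.
###########################################################
#yum -y remove openldap-clients sssd
#rm -rf /var/lib/sss/

###########################################################
# Install relevant packages
###########################################################
# Install packages
yum -y install openldap-clients

# Pick one package from the Continuous Release
# Version 1.5.1 of sssd.
yum -y install sssd --skip-broken
yum -y install centos-release-cr
yum -y update sssd
yum -y remove centos-release-cr

###########################################################
# Get certificate from ldap server
#
# This is not needed to be done on the server.
###########################################################
mkdir -p "$CACERTS"
if [ ! -f "$CACERTS/client.pem" ]; then
  scp "root@$LDAP_IP:$CACERTS/client.pem" "$CACERTS/client.pem"
fi
if [ ! -f "$CACERTS/ca.crt" ]; then
  scp "root@$LDAP_IP:$CACERTS/ca.crt" "$CACERTS/ca.crt"
fi
/usr/sbin/cacertdir_rehash "$CACERTS"
chown -Rf root:ldap "$CACERTS"
chmod -Rf 750 "$CACERTS"
restorecon -R "$CACERTS"

###########################################################
# Configure client authenticate against ldap.
###########################################################
# Setup iptables before configuring sssd, so it can connect to the server.
# Not persisted across reboots unless saved (service iptables save).
iptables -I OUTPUT -m state --state NEW -p tcp -d "$LDAP_IP" --dport 636 -j ACCEPT

# Communication with the LDAP-server needs to be done with domain name, and not
# the ip. This ensures the dns-name is configured.
sed -i "/^$LDAP_IP[[:space:]]/d" /etc/hosts
printf '%s %s\n' "$LDAP_IP" "$LDAP_HOST" >> /etc/hosts

# Configure all relevant /etc files for sssd, ldap etc.
# (one command line; the continuation backslashes are required).
authconfig \
  --enablesssd --enablesssdauth --enablecachecreds \
  --enableldap --enableldaptls --enableldapauth \
  --ldapserver="ldaps://$LDAP_HOST" --ldapbasedn=dc=syco,dc=net \
  --disablenis --disablekrb5 \
  --enableshadow --enablemkhomedir --enablelocauthorize \
  --passalgo=sha512 \
  --updateall

# Configure the client cert to be used by ldapsearch for user root.
# sed's basic regex treats "|" literally, so each key gets its own pattern;
# touch first so sed does not fail on a missing file under set -e.
touch /root/ldaprc
sed -i -e '/^TLS_CERT/d' -e '/^TLS_KEY/d' /root/ldaprc
cat >> /root/ldaprc << EOF
TLS_CERT $CACERTS/client.pem
TLS_KEY $CACERTS/client.pem
EOF

###########################################################
# Configure sssd
###########################################################
# If the authentication provider is offline, specifies for how long to allow
# cached log-ins (in days). This value is measured from the last successful
# online log-in. If not specified, defaults to 0 (no limit).
# The section header must be anchored and escaped: '/[pam]/' is a character
# class and appended the option after every line containing p, a or m.
sed -i '/^offline_credentials_expiration/d' /etc/sssd/sssd.conf
sed -i '/^\[pam\]/a offline_credentials_expiration=5' /etc/sssd/sssd.conf

# Appended options land in whatever section ends the file; this assumes
# authconfig leaves [domain/default] last — confirm on the target release.
cat >> /etc/sssd/sssd.conf << EOF
# Enumeration means that the entire set of available users and groups on the
# remote source is cached on the local machine. When enumeration is disabled,
# users and groups are only cached as they are requested.
enumerate=true

# Configure client certificate auth.
ldap_tls_cert = /etc/openldap/cacerts/client.pem
ldap_tls_key = /etc/openldap/cacerts/client.pem
ldap_tls_reqcert = demand

# Only users with this employeeType are allowed to login to this computer.
access_provider = ldap
ldap_access_filter = (employeeType=Sysop)

# Login to ldap with a specified user.
ldap_default_bind_dn = cn=sssd,dc=syco,dc=net
ldap_default_authtok_type = password
ldap_default_authtok = $SSSD_BIND_PW
EOF

# Restart sssd
service sssd restart

# Start sssd after reboot.
chkconfig sssd on

###########################################################
# Configure the client to use sudo
###########################################################
sed -i '/^sudoers.*/d' /etc/nsswitch.conf
cat >> /etc/nsswitch.conf << 'EOF'
sudoers: ldap files
EOF

# Each key gets its own delete pattern ("|" is literal in sed's basic regex).
# NOTE(review): bindpw is stored in cleartext in /etc/ldap.conf; sudo reads
# it as root, so the file should not stay world-readable — verify nothing
# else on the host depends on it before tightening the mode.
touch /etc/ldap.conf
sed -i -e '/^sudoers_base/d' -e '/^binddn/d' -e '/^bindpw/d' -e '/^ssl on/d' \
  -e '/^tls_cert/d' -e '/^tls_key/d' -e '/sudoers_debug/d' /etc/ldap.conf
cat >> /etc/ldap.conf << EOF
# Configure sudo ldap.
uri ldaps://$LDAP_HOST
base dc=syco,dc=net
sudoers_base ou=SUDOers,dc=syco,dc=net
binddn cn=sssd,dc=syco,dc=net
bindpw $SSSD_BIND_PW
ssl on
tls_cacertdir $CACERTS
tls_cert $CACERTS/client.pem
tls_key $CACERTS/client.pem
#sudoers_debug 5
EOF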
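# Filename: manager.ldif
#
# Initial content of the dc=syco,dc=net database, loaded once by the
# server install script while bound as cn=Manager. LDIF records are
# separated by blank lines. Every password value in here is a
# placeholder that must be replaced before the file is used.
###########################################################
# NEW DATABASE
###########################################################
dn: dc=syco,dc=net
objectClass: top
objectclass: dcObject
objectclass: organization
o: System Console Project
dc: syco
description: Tree root

# Used by sssd to ask general queries.
dn: cn=sssd,dc=syco,dc=net
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: sssd
description: Account for sssd.
userPassword: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb

###########################################################
# Add pwdpolicy overlay
# Need to be done before adding new users.
###########################################################
dn: ou=pwpolicies,dc=syco,dc=net
objectClass: organizationalUnit
objectClass: top
# Must carry the RDN value (ou=pwpolicies); "policies" is rejected as a
# naming violation.
ou: pwpolicies

# Default policy referenced by olcPPolicyDefault on the server.
dn: cn=default,ou=pwpolicies,dc=syco,dc=net
cn: default
#objectClass: pwdPolicyChecker
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
# 2.5.4.35 is the OID of userPassword.
pwdAttribute: 2.5.4.35
#pwdCheckModule: crackcheck.so
#pwdCheckQuality: 2
pwdExpireWarning: 604800
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 0
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 3600
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 3600
pwdMinLength: 12
pwdMustChange: FALSE
pwdSafeModify: FALSE
# Required by objectClass person; carries no meaning here.
sn: dummy value

###########################################################
# GROUPS
###########################################################
dn: ou=group,dc=syco,dc=net
objectClass: top
objectclass: organizationalunit
ou: group

dn: cn=sycousers,ou=group,dc=syco,dc=net
cn: sycousers
objectClass: posixGroup
gidNumber: 2000
memberUid: user1
memberUid: user2
memberUid: user3

dn: cn=sysop,ou=group,dc=syco,dc=net
cn: sysop
objectClass: posixGroup
gidNumber: 2001
memberUid: user1
memberUid: user2

dn: cn=management,ou=group,dc=syco,dc=net
cn: management
objectClass: posixGroup
gidNumber: 2002
memberUid: user1

###########################################################
# USERS
#
# The userPassword values are placeholder traditional DES crypt
# hashes (only the first 8 characters of a password count);
# replace them before use.
###########################################################
dn: ou=people,dc=syco,dc=net
objectClass: top
objectclass: organizationalunit
ou: people

dn: uid=user1,ou=people,dc=syco,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user1
employeeType: Sysop
givenName: User1
surname: Syco
displayName: Syco User1
commonName: Syco User1
gecos: Syco User1
initials: SU
title: System Administrator (fratsecret)
userPassword: {CRYPT}frzelFSD.VhkI
loginShell: /bin/bash
uidNumber: 2001
gidNumber: 2000
homeDirectory: /home/user1
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: sycouser@syco.net
postalCode: 666666
mobile: +46 (0)73 xx xx xx xx
homePhone: +46 (0)8 xx xx xx xx
postalAddress:

dn: uid=user2,ou=people,dc=syco,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user2
employeeType: Sysop
givenName: User2
surname: Syco
displayName: Syco User2
commonName: Syco User2
gecos: Syco User2
initials: SU
title: System Administrator
userPassword: {CRYPT}frzelFSD.VhkI
loginShell: /bin/bash
uidNumber: 2002
gidNumber: 2000
homeDirectory: /home/user2
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: sycouser@syco.net
postalCode: 666666
mobile: +46 (0)73 xx xx xx xx
homePhone: +46 (0)8 xx xx xx xx
postalAddress:

# Not a Sysop: matches the sssd ldap_access_filter on clients, so this
# user can be looked up but not log in.
dn: uid=user3,ou=people,dc=syco,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user3
employeeType: Developer
givenName: User3
surname: Syco
displayName: Syco User3
commonName: Syco User3
gecos: Syco User3
initials: SU
title: System Administrator
userPassword: {CRYPT}frzelFSD.VhkI
loginShell: /bin/bash
uidNumber: 2003
gidNumber: 2000
homeDirectory: /home/user3
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: sycouser@syco.net
postalCode: 666666
mobile: +46 (0)73 xx xx xx xx
homePhone: +46 (0)8 xx xx xx xx
postalAddress:

###########################################################
# SUDOERS
###########################################################
dn: ou=SUDOers,dc=syco,dc=net
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=syco,dc=net
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOptions go here
sudoOption: requiretty
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
sudoOption: env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path=/sbin:/bin:/usr/sbin:/usr/bin

dn: cn=root,ou=SUDOers,dc=syco,dc=net
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

# Allow all sysops to execute anything
dn: cn=%sysop,ou=SUDOers,dc=syco,dc=net
objectClass: top
objectClass: sudoRole
cn: %sysop
sudoUser: %sysop
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL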
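# Scratch notes: minimal sssd + authconfig client setup against a generic
# example.com directory (not the syco.net setup above). The authconfig
# options belong to ONE command line, so the continuation backslashes
# are required; without them each option line runs as its own command.
yum install sssd pam_ldap
chkconfig sssd on
authconfig \
  --enablesssd --enablesssdauth --enablecachecreds \
  --enableldap --enableldaptls --enableldapauth \
  --ldapserver=ldap://ldap.example.com --ldapbasedn=dc=example,dc=com \
  --disablenis --disablekrb5 \
  --enableshadow --enablemkhomedir --enablelocauthorize \
  --passalgo=sha512 --updateall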
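# Scratch notes: sssd.conf [domain/...] options for an rfc2307bis
# directory at example.com. Names and values are examples, not the
# syco.net configuration used above.
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_search_base = dc=People,dc=example,dc=com
ldap_group_search_base = dc=Roles,dc=example,dc=com
ldap_group_member = member
# Depth of nested-group resolution.
ldap_group_nesting_level = 4
# Service account used for lookups. The cleartext token lives in
# sssd.conf, which must stay readable by root only.
ldap_default_bind_dn = cn=fooServer,dc=Devices,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = yourSecretPassword
# No STARTTLS for lookups: acceptable only together with an ldaps:// URI.
ldap_id_use_start_tls = False
# Disabled: with this option set, sssd sends user passwords over a
# plain-text connection. Only ever enable it in a throw-away lab.
#ldap_auth_disable_tls_never_use_in_production = true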
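# Scratch notes: slapd access-control clauses for the example.com tree
# (the part after "access" in slapd.conf, or olcAccess values in
# cn=config). Clauses are evaluated in order and the first "to" that
# matches decides, unless its matching "by" ends in "break", which hands
# the request on to the next clause. Continuation lines are indented.
to attrs=userPassword,sambaLMPassword,sambaNTPassword
  by anonymous auth
  by self =rwdx
  by set="user & [cn=Administrators,ou=LDAP,dc=Applications,dc=example,dc=com]/member*" manage
  by dn.children="ou=Special Accounts,dc=example,dc=com" auth
to *
  by set="user & [cn=Administrators,ou=LDAP,dc=Applications,dc=example,dc=com]/member*" manage
  by * break
# Owners of a role (directly, via group membership, or via a manager
# chain) may edit its member list.
to dn.children="dc=Roles,dc=example,dc=com" attrs=member
  by set="user & this/owner" manage
  by set="user & this/owner*/member*" manage
  by set="user & this/owner*/manager*" manage
  by set="user & this/owner*/member*/manager*" manage
  by * break
to dn.children="ou=Special Accounts,dc=example,dc=com" attrs=authzTo
  by * auth
# Users may edit their own contact details ...
to dn.children="dc=People,dc=example,dc=com"
  attrs=givenName,sn,middleName,dateOfBirth,displayName,cn,
  telephoneNumber,fax,postalAddress,homePhone,homePostalAddress,mobile,pager,
  postalCode,postOfficeBox,preferredLanguage,streetAddress,l,st,c
  by self write
  by * break
# ... and everyone (including anonymous) may read the directory part.
to dn.children="dc=People,dc=example,dc=com"
  attrs=uid,uidNumber,gidNumber,mail,telephoneNumber,mobile,departmentNumber,manager,
  title,initials,givenName,sn,displayName,cn,dateHired,dateTerminated,fax,middleName,
  organizationName,organizationalUnitName,pager,postalAddress,l,st,c
  by * read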