  1. #!/bin/sh
  2. ###########################################################
  3. # Install LDAP-server
  4. ###########################################################
  5.  
  6. # Enable SELinux for higher security.
  7. setenforce 1
  8. setsebool -P domain_kernel_load_modules 1
  9.  
  10. # Communication with the LDAP-server needs to be done with domain name, and not
  11. # the ip. This ensures the dns-name is configured.
  12. cat >> /etc/hosts << EOF
  13. 10.100.110.7 ldap.syco.net
  14. EOF
  15.  
  16. # Install all required packages.
  17. yum -y install openldap-servers openldap-clients
  18.  
  19. # Create backend database.
  20. cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  21. chown -R ldap:ldap /var/lib/ldap
  22.  
  23. # Set password for cn=admin,cn=config (it's secret)
  24. cat >> /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif << EOF
  25. olcRootPW: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb
  26. EOF
  27.  
  28. # Autostart slapd after reboot.
  29. chkconfig slapd on
  30.  
  31. # Start ldap server
  32. service slapd start
  33.  
  34. # Wait for slapd to start.
  35. sleep 1
  36.  
  37. ###########################################################
  38. # General configuration of the server.
  39. ###########################################################
  40.  
  41. # Create folder to store log files in
  42. mkdir /var/log/slapd
  43. chmod 755 /var/log/slapd/
  44. chown ldap:ldap /var/log/slapd/
  45.  
  46. # Redirect all log files through rsyslog.
  47. sed -i "/local4.*/d" /etc/rsyslog.conf
  48. cat >> /etc/rsyslog.conf << EOF
  49. local4.* /var/log/slapd/slapd.log
  50. EOF
  51. service rsyslog restart
  52.  
  53. # Do the configurations.
  54. ldapadd -H ldap://ldap.syco.net -x -D "cn=admin,cn=config" -w secret << EOF
  55.  
  56. # Setup logfile (not working now, propably needing debug level settings.)
  57. dn: cn=config
  58. changetype:modify
  59. replace: olcLogLevel
  60. olcLogLevel: config stats shell
  61. -
  62. replace: olcIdleTimeout
  63. olcIdleTimeout: 30
  64.  
  65. # Set access for the monitor db.
  66. dn: olcDatabase={2}monitor,cn=config
  67. changetype: modify
  68. replace: olcAccess
  69. olcAccess: {0}to * by dn.base="cn=Manager,dc=syco,dc=net" read by * none
  70.  
  71. # Set password for cn=admin,cn=config
  72. dn: olcDatabase={0}config,cn=config
  73. changetype: modify
  74. replace: olcRootPW
  75. olcRootPW: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb
  76.  
  77. # Change LDAP-domain, password and access rights.
  78. dn: olcDatabase={1}bdb,cn=config
  79. changetype: modify
  80. replace: olcSuffix
  81. olcSuffix: dc=syco,dc=net
  82. -
  83. replace: olcRootDN
  84. olcRootDN: cn=Manager,dc=syco,dc=net
  85. -
  86. replace: olcRootPW
  87. olcRootPW: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb
  88. -
  89. replace: olcAccess
  90. olcAccess: {0}to attrs=employeeType by dn="cn=sssd,dc=syco,dc=net" read by self read by * none
  91. olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
  92. olcAccess: {2}to dn.base="" by * none
  93. olcAccess: {3}to * by dn="cn=admin,cn=config" write by dn="cn=sssd,dc=syco,dc=net" read by self write by * none
  94. EOF
  95.  
  96. ##########################################################
  97. # Configure sudo in ldap
  98. #
  99. # Users that should have sudo rights, are configured in
  100. # in the ldap-db. The ldap sudo schema are not configured
  101. # by default, and are here created.
  102. #
  103. # http://eatingsecurity.blogspot.com/2008/10/openldap-continued.html
  104. # http://www.sudo.ws/sudo/man/1.8.2/sudoers.ldap.man.html
  105. ##########################################################
  106.  
  107. # Copy the sudo Schema into the LDAP schema repository
  108. /bin/cp -f /usr/share/doc/sudo-1.7.2p2/schema.OpenLDAP /etc/openldap/schema/sudo.schema
  109. restorecon /etc/openldap/schema/sudo.schema
  110.  
  111. # Create a conversion file for schema
  112. mkdir ~/sudoWork
  113. echo "include /etc/openldap/schema/sudo.schema" > ~/sudoWork/sudoSchema.conf
  114.  
  115. # Convert the "Schema" to "LDIF".
  116. slapcat -f ~/sudoWork/sudoSchema.conf -F /tmp/ -n0 -s "cn={0}sudo,cn=schema,cn=config" > ~/sudoWork/sudo.ldif
  117.  
  118. # Remove invalid data.
  119. sed -i "s/{0}sudo/sudo/g" ~/sudoWork/sudo.ldif
  120.  
  121. # Remove last 8 (invalid) lines.
  122. head -n-8 ~/sudoWork/sudo.ldif > ~/sudoWork/sudo2.ldif
  123.  
  124. # Load the schema into the LDAP server
  125. ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret -f ~/sudoWork/sudo2.ldif
  126.  
  127. # Add index to sudoers db
  128. ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
  129. dn: olcDatabase={1}bdb,cn=config
  130. changetype: modify
  131. add: olcDbIndex
  132. olcDbIndex: sudoUser eq
  133. EOF
  134.  
  135. ###########################################################
  136. # Create modules area
  137. #
  138. ###########################################################
  139. ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
  140. dn: cn=module{0},cn=config
  141. objectClass: olcModuleList
  142. cn: module{0}
  143. olcModulePath: /usr/lib64/openldap/
  144. EOF
  145.  
  146. ###########################################################
  147. # Add auditlog overlay.
  148. #
  149. # http://www.manpagez.com/man/5/slapo-auditlog/
  150. ###########################################################
  151. ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
  152. dn: cn=module{0},cn=config
  153. changetype:modify
  154. add: olcModuleLoad
  155. olcModuleLoad: auditlog.la
  156.  
  157. dn: olcOverlay=auditlog,olcDatabase={1}bdb,cn=config
  158. changetype: add
  159. objectClass: olcOverlayConfig
  160. objectClass: olcAuditLogConfig
  161. olcOverlay: auditlog
  162. olcAuditlogFile: /var/log/slapd/auditlog.log
  163. EOF
  164.  
  165. ###########################################################
  166. # Add accesslog overlay.
  167. #
  168. # http://www.manpagez.com/man/5/slapo-accesslog/
  169. #
  170. # TODO: Didn't get it working.
  171. #
  172. ###########################################################
  173. # ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
  174. # dn: cn=module,cn=config
  175. # objectClass: olcModuleList
  176. # cn: module
  177. # olcModulePath: /usr/lib64/openldap/
  178. # olcModuleLoad: access.la
  179. #
  180. #
  181. # dn: olcOverlay=accesslog,olcDatabase={1}bdb,cn=config
  182. # changetype: add
  183. # olcOverlay: accesslog
  184. # objectClass: olcOverlayConfig
  185. # objectClass: olcAccessLogConfig
  186. # logdb: cn=auditlog
  187. # logops: writes reads
  188. # # read log every 5 days and purge entries
  189. # # when older than 30 days
  190. # logpurge 180+00:00 5+00:00
  191. # # optional - saves the previous contents of
  192. # # person objectclass before performing a write operation
  193. # logold: (objectclass=person)
  194. # EOF
  195.  
  196. ###########################################################
  197. # Add pwdpolicy overlay
  198. #
  199. # http://www.zytrax.com/books/ldap/ch6/ppolicy.html
  200. # http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=5&apropos=0&manpath=OpenLDAP+2.3-Release
  201. # http://www.symas.com/blog/?page_id=66
  202. ###########################################################
  203.  
  204. ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
  205. dn: cn=module{0},cn=config
  206. changetype:modify
  207. add: olcModuleLoad
  208. olcModuleLoad: ppolicy.la
  209.  
  210. dn: olcOverlay=ppolicy,olcDatabase={1}bdb,cn=config
  211. olcOverlay: ppolicy
  212. objectClass: olcOverlayConfig
  213. objectClass: olcPPolicyConfig
  214. olcPPolicyHashCleartext: TRUE
  215. olcPPolicyUseLockout: FALSE
  216. olcPPolicyDefault: cn=default,ou=pwpolicies,dc=syco,dc=net
  217. EOF
  218.  
  219. ##########################################################
  220. # Add users, groups, sudoers. Ie. the dc=syco,dc=net database.
  221. ##########################################################
  222. ldapadd -H ldap:/// -x -D "cn=Manager,dc=syco,dc=net" -w secret -f /opt/syco/doc/ldap/manager.ldif
  223.  
  224. ###########################################################
  225. # Create certificates
  226. ###########################################################
  227.  
  228. # Create CA
  229. echo "00" > /etc/openldap/cacerts/ca.srl
  230. openssl req -new -x509 -sha512 -nodes -days 3650 -newkey rsa:4096
  231. -out /etc/openldap/cacerts/ca.crt
  232. -keyout /etc/openldap/cacerts/ca.key
  233. -subj '/O=syco/OU=System Console Project/CN=systemconsole.github.com'
  234.  
  235. # Creating server cert
  236. openssl req -new -sha512 -nodes -days 1095 -newkey rsa:4096
  237. -keyout /etc/openldap/cacerts/slapd.key
  238. -out /etc/openldap/cacerts/slapd.csr
  239. -subj '/O=syco/OU=System Console Project/CN=ldap.syco.net'
  240. openssl x509 -req -sha512 -days 1095
  241. -in /etc/openldap/cacerts/slapd.csr
  242. -out /etc/openldap/cacerts/slapd.crt
  243. -CA /etc/openldap/cacerts/ca.crt
  244. -CAkey /etc/openldap/cacerts/ca.key
  245.  
  246. #
  247. # Customer create a CSR (Certificate Signing Request) file for client cert
  248. #
  249. openssl req -new -sha512 -nodes -days 1095 -newkey rsa:4096
  250. -keyout /etc/openldap/cacerts/client.key
  251. -out /etc/openldap/cacerts/client.csr
  252. -subj '/O=syco/OU=System Console Project/CN=client.syco.net'
  253.  
  254. #
  255. # Create a signed client crt.
  256. #
  257. cat > /etc/openldap/cacerts/sign.conf << EOF
  258. [ v3_req ]
  259. basicConstraints = critical,CA:FALSE
  260. keyUsage = critical,digitalSignature
  261. subjectKeyIdentifier = hash
  262. EOF
  263.  
  264. openssl x509 -req -days 1095
  265. -sha512
  266. -extensions v3_req
  267. -extfile /etc/openldap/cacerts/sign.conf
  268. -CA /etc/openldap/cacerts/ca.crt
  269. -CAkey /etc/openldap/cacerts/ca.key
  270. -in /etc/openldap/cacerts/client.csr
  271. -out /etc/openldap/cacerts/client.crt
  272.  
  273. # One file with both crt and key. Easier to manage the cert on client side.
  274. cat /etc/openldap/cacerts/client.crt /etc/openldap/cacerts/client.key >
  275. /etc/openldap/cacerts/client.pem
  276.  
  277. # Create hash and set permissions of cert
  278. /usr/sbin/cacertdir_rehash /etc/openldap/cacerts
  279. chown -Rf root:ldap /etc/openldap/cacerts
  280. chmod -Rf 750 /etc/openldap/cacerts
  281. restorecon -R /etc/openldap/cacerts
  282.  
  283. # View cert info
  284. # openssl x509 -text -in /etc/openldap/cacerts/ca.crt
  285. # openssl x509 -text -in /etc/openldap/cacerts/slapd.crt
  286. # openssl x509 -text -in /etc/openldap/cacerts/client.pem
  287. # openssl req -noout -text -in /etc/openldap/cacerts/client.csr
  288.  
  289. ###########################################################
  290. # Configure ssl
  291. #
  292. # Configure slapd to only be accessible over ssl,
  293. # with client certificate.
  294. #
  295. # http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0
  296. # http://www.openldap.org/faq/data/cache/185.html
  297. ###########################################################
  298. ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
  299. dn: cn=config
  300. changetype:modify
  301. replace: olcTLSCertificateKeyFile
  302. olcTLSCertificateKeyFile: /etc/openldap/cacerts/slapd.key
  303. -
  304. replace: olcTLSCertificateFile
  305. olcTLSCertificateFile: /etc/openldap/cacerts/slapd.crt
  306. -
  307. replace: olcTLSCACertificateFile
  308. olcTLSCACertificateFile: /etc/openldap/cacerts/ca.crt
  309. -
  310. replace: olcTLSCipherSuite
  311. olcTLSCipherSuite: HIGH:MEDIUM:-SSLv2
  312. -
  313. replace: olcTLSVerifyClient
  314. olcTLSVerifyClient: demand
  315. EOF
  316.  
  317. # Enable LDAPS and dispable LDAP
  318. sed -i 's/[#]*SLAPD_LDAPS=.*/SLAPD_LDAPS=yes/g' /etc/sysconfig/ldap
  319. sed -i 's/[#]*SLAPD_LDAP=.*/SLAPD_LDAP=no/g' /etc/sysconfig/ldap
  320. service slapd restart
  321.  
  322. # Configure the client cert to be used by ldapsearch for user root.
  323. sed -i '/^TLS_CERT.*|^TLS_KEY.*/d' /root/ldaprc
  324. cat >> /root/ldaprc << EOF
  325. TLS_CERT /etc/openldap/cacerts/client.pem
  326. TLS_KEY /etc/openldap/cacerts/client.pem
  327. EOF
  328.  
  329. ###########################################################
  330. # Require higher security from clients.
  331. ###########################################################
  332. ldapadd -H ldaps://ldap.syco.net -x -D "cn=admin,cn=config" -w secret << EOF
  333. dn: cn=config
  334. changetype:modify
  335. replace: olcLocalSSF
  336. olcLocalSSF: 128
  337. -
  338. replace: olcSaslSecProps
  339. olcSaslSecProps: noanonymous,noplain
  340.  
  341. dn: cn=config
  342. changetype:modify
  343. replace: olcSecurity
  344. olcSecurity: ssf=128
  345. olcSecurity: simple_bind=128
  346. olcSecurity: tls=128
  347. EOF
  348.  
  349. ###########################################################
  350. # Open firewall
  351. #
  352. # Let clients connect to the server through the firewall.
  353. # This is done after everything else is done, so we are sure
  354. # that the server is secure before letting somebody in.
  355. # TODO: Add destination ip
  356. ###########################################################
  357. iptables -I INPUT -m state --state NEW -p tcp -s 10.100.110.7/24 --dport 636 -j ACCEPT
  358.  
  359. #!/bin/sh
  360. ###########################################################
  361. # Install LDAP-client
  362. #
  363. # This part should be executed on both LDAP-Server and
  364. # on all clients that should authenticate against the
  365. # LDAP-server
  366. #
  367. # This script is based on information from at least the following links.
  368. # http://www.server-world.info/en/note?os=CentOS_6&p=ldap&f=2
  369. # http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/chap-SSSD_User_Guide-Introduction.html
  370. #
  371. ###########################################################
  372.  
  373. ###########################################################
  374. # Uninstall sssd
  375. #
  376. # Note: Only needed if sssd has been setup before.
  377. # might need --skip-broken when installing sssd.
  378. ###########################################################
  379. #yum -y remove openldap-clients sssd
  380. #rm -rf /var/lib/sss/
  381.  
  382. ###########################################################
  383. # Install relevant packages
  384. ###########################################################
  385. # Install packages
  386. yum -y install openldap-clients
  387.  
  388. # Pick one package from the Continuous Release
  389. # Version 1.5.1 of sssd.
  390. yum -y install sssd --skip-broken
  391. yum -y install centos-release-cr
  392. yum -y update sssd
  393. yum -y remove centos-release-cr
  394.  
  395. ###########################################################
  396. # Get certificate from ldap server
  397. #
  398. # This is not needed to be done on the server.
  399. ###########################################################
  400. if [ ! -f /etc/openldap/cacerts/client.pem ];
  401. then
  402. scp root@10.100.110.7:/etc/openldap/cacerts/client.pem /etc/openldap/cacerts/client.pem
  403. fi
  404.  
  405. if [ ! -f /etc/openldap/cacerts/ca.crt ];
  406. then
  407. scp root@10.100.110.7:/etc/openldap/cacerts/ca.crt /etc/openldap/cacerts/ca.crt
  408. fi
  409.  
  410. /usr/sbin/cacertdir_rehash /etc/openldap/cacerts
  411. chown -Rf root:ldap /etc/openldap/cacerts
  412. chmod -Rf 750 /etc/openldap/cacerts
  413. restorecon -R /etc/openldap/cacerts
  414.  
  415. ###########################################################
  416. # Configure client authenticate against ldap.
  417. ###########################################################
  418. # Setup iptables before configuring sssd, so it can connect to the server.
  419. iptables -I OUTPUT -m state --state NEW -p tcp -d 10.100.110.7 --dport 636 -j ACCEPT
  420.  
  421. # Communication with the LDAP-server needs to be done with domain name, and not
  422. # the ip. This ensures the dns-name is configured.
  423. sed -i '/^10.100.110.7.*/d' /etc/hosts
  424. cat >> /etc/hosts << EOF
  425. 10.100.110.7 ldap.syco.net
  426. EOF
  427.  
  428. # Configure all relevant /etc files for sssd, ldap etc.
  429. authconfig
  430. --enablesssd --enablesssdauth --enablecachecreds
  431. --enableldap --enableldaptls --enableldapauth
  432. --ldapserver=ldaps://ldap.syco.net --ldapbasedn=dc=syco,dc=net
  433. --disablenis --disablekrb5
  434. --enableshadow --enablemkhomedir --enablelocauthorize
  435. --passalgo=sha512
  436. --updateall
  437.  
  438. # Configure the client cert to be used by ldapsearch for user root.
  439. sed -i '/^TLS_CERT.*|^TLS_KEY.*/d' /root/ldaprc
  440. cat >> /root/ldaprc << EOF
  441. TLS_CERT /etc/openldap/cacerts/client.pem
  442. TLS_KEY /etc/openldap/cacerts/client.pem
  443. EOF
  444.  
  445. ###########################################################
  446. # Configure sssd
  447. ###########################################################
  448.  
  449. # If the authentication provider is offline, specifies for how long to allow
  450. # cached log-ins (in days). This value is measured from the last successful
  451. # online log-in. If not specified, defaults to 0 (no limit).
  452. sed -i '/[pam]/a offline_credentials_expiration=5' /etc/sssd/sssd.conf
  453.  
  454. cat >> /etc/sssd/sssd.conf << EOF
  455. # Enumeration means that the entire set of available users and groups on the
  456. # remote source is cached on the local machine. When enumeration is disabled,
  457. # users and groups are only cached as they are requested.
  458. enumerate=true
  459.  
  460. # Configure client certificate auth.
  461. ldap_tls_cert = /etc/openldap/cacerts/client.pem
  462. ldap_tls_key = /etc/openldap/cacerts/client.pem
  463. ldap_tls_reqcert = demand
  464.  
  465. # Only users with this employeeType are allowed to login to this computer.
  466. access_provider = ldap
  467. ldap_access_filter = (employeeType=Sysop)
  468.  
  469. # Login to ldap with a specified user.
  470. ldap_default_bind_dn = cn=sssd,dc=syco,dc=net
  471. ldap_default_authtok_type = password
  472. ldap_default_authtok = secret
  473. EOF
  474.  
  475. # Restart sssd
  476. service sssd restart
  477.  
  478. # Start sssd after reboot.
  479. chkconfig sssd on
  480.  
  481. ###########################################################
  482. # Configure the client to use sudo
  483. ###########################################################
  484. sed -i '/^sudoers.*/d' /etc/nsswitch.conf
  485. cat >> /etc/nsswitch.conf << EOF
  486. sudoers: ldap files
  487. EOF
  488.  
  489. sed -i '/^sudoers_base.*|^binddn.*|^bindpw.*|^ssl on.*|^tls_cert.*|^tls_key.*|sudoers_debug.*/d' /etc/ldap.conf
  490. cat >> /etc/ldap.conf << EOF
  491. # Configure sudo ldap.
  492. uri ldaps://ldap.syco.net
  493. base dc=syco,dc=net
  494. sudoers_base ou=SUDOers,dc=syco,dc=net
  495. binddn cn=sssd,dc=syco,dc=net
  496. bindpw secret
  497. ssl on
  498. tls_cacertdir /etc/openldap/cacerts
  499. tls_cert /etc/openldap/cacerts/client.pem
  500. tls_key /etc/openldap/cacerts/client.pem
  501. #sudoers_debug 5
  502. EOF
  503.  
  504. # Filename: manager.ldif
  505. ###########################################################
  506. # NEW DATABASE
  507. ###########################################################
  508. dn: dc=syco,dc=net
  509. objectClass: top
  510. objectclass: dcObject
  511. objectclass: organization
  512. o: System Console Project
  513. dc: syco
  514. description: Tree root
  515.  
  516. # Used by sssd to ask general queries.
  517. dn: cn=sssd,dc=syco,dc=net
  518. objectClass: simpleSecurityObject
  519. objectClass: organizationalRole
  520. cn: sssd
  521. description: Account for sssd.
  522. userPassword: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb
  523.  
  524. ###########################################################
  525. # Add pwdpolicy overlay
  526. # Need to be done before adding new users.
  527. ###########################################################
  528. dn: ou=pwpolicies,dc=syco,dc=net
  529. objectClass: organizationalUnit
  530. objectClass: top
  531. ou: policies
  532.  
  533. dn: cn=default,ou=pwpolicies,dc=syco,dc=net
  534. cn: default
  535. #objectClass: pwdPolicyChecker
  536. objectClass: pwdPolicy
  537. objectClass: person
  538. objectClass: top
  539. pwdAllowUserChange: TRUE
  540. pwdAttribute: 2.5.4.35
  541. #pwdCheckModule: crackcheck.so
  542. #pwdCheckQuality: 2
  543. pwdExpireWarning: 604800
  544. pwdFailureCountInterval: 30
  545. pwdGraceAuthNLimit: 0
  546. pwdInHistory: 10
  547. pwdLockout: TRUE
  548. pwdLockoutDuration: 3600
  549. pwdMaxAge: 7776000
  550. pwdMaxFailure: 5
  551. pwdMinAge: 3600
  552. pwdMinLength: 12
  553. pwdMustChange: FALSE
  554. pwdSafeModify: FALSE
  555. sn: dummy value
# EOF  (note: a bare "EOF" line is not valid LDIF; manager.ldif is loaded with ldapadd -f, not through a here-document)
  557.  
  558. ###########################################################
  559. # GROUPS
  560. ###########################################################
  561. dn: ou=group,dc=syco,dc=net
  562. objectClass: top
  563. objectclass: organizationalunit
  564. ou: group
  565.  
  566. dn: cn=sycousers,ou=group,dc=syco,dc=net
  567. cn: sycousers
  568. objectClass: posixGroup
  569. gidNumber: 2000
  570. memberUid: user1
  571. memberUid: user2
  572. memberUid: user3
  573.  
  574. dn: cn=sysop,ou=group,dc=syco,dc=net
  575. cn: sysop
  576. objectClass: posixGroup
  577. gidNumber: 2001
  578. memberUid: user1
  579. memberUid: user2
  580.  
  581. dn: cn=management,ou=group,dc=syco,dc=net
  582. cn: management
  583. objectClass: posixGroup
  584. gidNumber: 2002
  585. memberUid: user1
  586.  
  587. ###########################################################
  588. # USERS
  589. ###########################################################
  590. dn: ou=people,dc=syco,dc=net
  591. objectClass: top
  592. objectclass: organizationalunit
  593. ou: people
  594.  
  595. dn: uid=user1,ou=people,dc=syco,dc=net
  596. objectClass: inetOrgPerson
  597. objectClass: posixAccount
  598. objectClass: shadowAccount
  599. uid: user1
  600. employeeType: Sysop
  601. givenName: User1
  602. surname: Syco
  603. displayName: Syco User1
  604. commonName: Syco User1
  605. gecos: Syco User1
  606. initials: SU
  607. title: System Administrator (fratsecret)
  608. userPassword: {CRYPT}frzelFSD.VhkI
  609. loginShell: /bin/bash
  610. uidNumber: 2001
  611. gidNumber: 2000
  612. homeDirectory: /home/user1
  613. shadowExpire: -1
  614. shadowFlag: 0
  615. shadowWarning: 7
  616. shadowMin: 8
  617. shadowMax: 999999
  618. shadowLastChange: 10877
  619. mail: sycouser@syco.net
  620. postalCode: 666666
  621. mobile: +46 (0)73 xx xx xx xx
  622. homePhone: +46 (0)8 xx xx xx xx
  623. postalAddress:
  624.  
  625. dn: uid=user2,ou=people,dc=syco,dc=net
  626. objectClass: inetOrgPerson
  627. objectClass: posixAccount
  628. objectClass: shadowAccount
  629. uid: user2
  630. employeeType: Sysop
  631. givenName: User2
  632. surname: Syco
  633. displayName: Syco User2
  634. commonName: Syco User2
  635. gecos: Syco User2
  636. initials: SU
  637. title: System Administrator
  638. userPassword: {CRYPT}frzelFSD.VhkI
  639. loginShell: /bin/bash
  640. uidNumber: 2002
  641. gidNumber: 2000
  642. homeDirectory: /home/user2
  643. shadowExpire: -1
  644. shadowFlag: 0
  645. shadowWarning: 7
  646. shadowMin: 8
  647. shadowMax: 999999
  648. shadowLastChange: 10877
  649. mail: sycouser@syco.net
  650. postalCode: 666666
  651. mobile: +46 (0)73 xx xx xx xx
  652. homePhone: +46 (0)8 xx xx xx xx
  653. postalAddress:
  654.  
  655. dn: uid=user3,ou=people,dc=syco,dc=net
  656. objectClass: inetOrgPerson
  657. objectClass: posixAccount
  658. objectClass: shadowAccount
  659. uid: user3
  660. employeeType: Developer
  661. givenName: User3
  662. surname: Syco
  663. displayName: Syco User3
  664. commonName: Syco User3
  665. gecos: Syco User3
  666. initials: SU
  667. title: System Administrator
  668. userPassword: {CRYPT}frzelFSD.VhkI
  669. loginShell: /bin/bash
  670. uidNumber: 2003
  671. gidNumber: 2000
  672. homeDirectory: /home/user3
  673. shadowExpire: -1
  674. shadowFlag: 0
  675. shadowWarning: 7
  676. shadowMin: 8
  677. shadowMax: 999999
  678. shadowLastChange: 10877
  679. mail: sycouser@syco.net
  680. postalCode: 666666
  681. mobile: +46 (0)73 xx xx xx xx
  682. homePhone: +46 (0)8 xx xx xx xx
  683. postalAddress:
  684.  
  685. ###########################################################
  686. # SUDOERS
  687. ###########################################################
  688. dn: ou=SUDOers,dc=syco,dc=net
  689. objectClass: top
  690. objectClass: organizationalUnit
  691. ou: SUDOers
  692.  
  693. dn: cn=defaults,ou=SUDOers,dc=syco,dc=net
  694. objectClass: top
  695. objectClass: sudoRole
  696. cn: defaults
  697. description: Default sudoOptions go here
  698. sudoOption: requiretty
  699. sudoOption: always_set_home
  700. sudoOption: env_reset
  701. sudoOption: env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
  702. sudoOption: env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
  703. sudoOption: env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
  704. sudoOption: env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
  705. sudoOption: env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
  706. sudoOption: secure_path=/sbin:/bin:/usr/sbin:/usr/bin
  707.  
  708. dn: cn=root,ou=SUDOers,dc=syco,dc=net
  709. objectClass: top
  710. objectClass: sudoRole
  711. cn: root
  712. sudoUser: root
  713. sudoHost: ALL
  714. sudoRunAsUser: ALL
  715. sudoCommand: ALL
  716.  
  717. # Allow all sysops to execute anything
  718. dn: cn=%sysop,ou=SUDOers,dc=syco,dc=net
  719. objectClass: top
  720. objectClass: sudoRole
  721. cn: %sysop
  722. sudoUser: %sysop
  723. sudoHost: ALL
  724. sudoRunAsUser: ALL
  725. sudoCommand: ALL
  726.  
  727. yum install sssd pam_ldap
  728. chkconfig sssd on
  729.  
  730. authconfig
  731. --enablesssd --enablesssdauth --enablecachecreds
  732. --enableldap --enableldaptls --enableldapauth
  733. --ldapserver=ldap://ldap.example.com --ldapbasedn=dc=example,dc=com
  734. --disablenis --disablekrb5
  735. --enableshadow --enablemkhomedir --enablelocauthorize
  736. --passalgo=sha512 --updateall
  737.  
  738. ldap_schema = rfc2307bis
  739. ldap_user_fullname = displayName
  740. ldap_user_search_base = dc=People,dc=example,dc=com
  741. ldap_group_search_base = dc=Roles,dc=example,dc=com
  742. ldap_group_member = member
  743. ldap_group_nesting_level = 4
  744.  
  745. ldap_default_bind_dn = cn=fooServer,dc=Devices,dc=example,dc=com
  746. ldap_default_authtok_type = password
  747. ldap_default_authtok = yourSecretPassword
  748.  
  749. ldap_id_use_start_tls = False
  750. ldap_auth_disable_tls_never_use_in_production = true
  751.  
  752. to attrs=userPassword,sambaLMPassword,sambaNTPassword
  753. by anonymous auth
  754. by self =rwdx
  755. by set="user & [cn=Administrators,ou=LDAP,dc=Applications,dc=example,dc=com]/member*" manage
  756. by dn.children="ou=Special Accounts,dc=example,dc=com" auth
  757.  
  758. to *
  759. by set="user & [cn=Administrators,ou=LDAP,dc=Applications,dc=example,dc=com]/member*" manage
  760. by * break
  761.  
  762. to dn.children="dc=Roles,dc=example,dc=com" attrs=member
  763. by set="user & this/owner" manage
  764. by set="user & this/owner*/member*" manage
  765. by set="user & this/owner*/manager*" manage
  766. by set="user & this/owner*/member*/manager*" manage
  767. by * break
  768.  
  769. to dn.children="ou=Special Accounts,dc=example,dc=com" attrs=authzTo
  770. by * auth
  771.  
  772. to dn.children="dc=People,dc=example,dc=com"
  773. attrs=givenName,sn,middleName,dateOfBirth,displayName,cn,
  774. telephoneNumber,fax,postalAddress,homePhone,homePostalAddress,mobile,pager,
  775. postalCode,postOfficeBox,preferredLanguage,streetAddress,l,st,c
  776. by self write
  777. by * break
  778.  
  779. to dn.children="dc=People,dc=example,dc=com"
  780. attrs=uid,uidNumber,gidNumber,mail,telephoneNumber,mobile,departmentNumber,manager,
  781. title,initials,givenName,sn,displayName,cn,dateHired,dateTerminated,fax,middleName,
  782. organizationName,organizationalUnitName,pager,postalAddress,l,st,c
  783. by * read