Integrating PAM with LDAP on Gentoo/Funtoo

From Wiki Hackstore

Install the dependencies and the LDAP server

emerge nss_ldap pam_ldap openldap

Configure LDAP (server)

Edit the file /etc/openldap/slapd.conf. Note that yast.schema and samba3.schema are not shipped by openldap itself (samba3.schema comes with Samba); slapd refuses to start on a missing include, so drop those two lines if the files are not installed.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/yast.schema
include         /etc/openldap/schema/samba3.schema
include         /etc/openldap/schema/nis.schema

pidfile         /var/run/slapd/
argsfile        /var/run/slapd/slapd.args

allow bind_v2

access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

access to attrs=userPassword,userPKCS12
        by self write
        by * auth

access to attrs=shadowLastChange
        by self write
        by * read

access to *
        by * read

database        bdb
suffix          "dc=hackstore,dc=com,dc=br"
checkpoint      1024    5
cachesize       10000
rootdn          "cn=Manager,dc=hackstore,dc=com,dc=br"
# rootpw is stored in clear text here; slappasswd can generate a {SSHA} hash to put in its place
rootpw          secrethackstore
directory       /var/lib/ldap
index   objectClass     eq

serverID 001
overlay syncprov
syncprov-checkpoint 10 60
syncprov-sessionlog 1000

Start the LDAP server

/etc/init.d/slapd start

Configure LDAP (client)

Edit the file /etc/ldap.conf. With rootbinddn set, nss_ldap and pam_ldap read the Manager password from /etc/ldap.secret when running as root, so create that file (one line, the password) and make it readable by root only (mode 0600).

base "dc=hackstore,dc=com,dc=br"
suffix "dc=hackstore,dc=com,dc=br"
rootbinddn "cn=Manager,dc=hackstore,dc=com,dc=br"

pam_lookup_policy yes
pam_password exop
pam_filter objectclass=posixAccount

bind_policy soft
bind_timelimit 10

nss_schema rfc2307bis
nss_initgroups_ignoreusers root,ldap
nss_map_attribute uniqueMember member
nss_base_passwd ou=Users,dc=hackstore,dc=com,dc=br
nss_base_shadow ou=Users,dc=hackstore,dc=com,dc=br
nss_base_group ou=Groups,dc=hackstore,dc=com,dc=br

Configure PAM

Edit /etc/nsswitch.conf

Comment out the lines below:

#passwd:      compat
#shadow:      compat
#group:       compat

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

And add the new lines:

passwd: compat files [UNAVAIL=return] ldap
shadow: compat files [UNAVAIL=return] ldap
group:  compat files [UNAVAIL=return] ldap

Edit /etc/pam.d/system-auth

Add the lines below (module column restored; these are the pam_ldap entries):

auth       sufficient   pam_ldap.so use_first_pass
account    sufficient   pam_ldap.so
password   sufficient   pam_ldap.so use_authtok use_first_pass
session    optional     pam_ldap.so

Leaving the file like this. Note that pam_unix.so stays required: under the pam.conf(5) rules a failed required module is final, so a later sufficient pam_ldap.so success cannot override it, and the stack only grants access to users that pam_unix.so or an earlier module accepts.

# Gentoo pambase default entries, with the pam_ldap.so lines added
auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so
auth            sufficient      pam_ldap.so use_first_pass

account         required        pam_unix.so
account         optional        pam_permit.so
account         sufficient      pam_ldap.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional        pam_permit.so
password        sufficient      pam_ldap.so use_authtok use_first_pass

session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so
session         optional        pam_ldap.so
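To see what the control flags in the auth stack above actually decide, here is an added example (not code from the wiki) that simulates the Linux-PAM rules from pam.conf(5) for required, requisite, sufficient and optional. Module verdicts are supplied by hand so it runs offline; the second stack (pam_unix.so as sufficient, closed by pam_deny.so) is an assumed alternative layout, not the page's.

```python
# Added example: simulate Linux-PAM control-flag evaluation (pam.conf(5))
# for the auth stack on this page.  No real PAM library is involved; each
# module's verdict is given as a constructed True/False value.
from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]  # (control flag, module)

# The auth stack as laid out on this page.
PAGE_AUTH: Stack = [
    ("required", "pam_env.so"),
    ("required", "pam_unix.so"),
    ("optional", "pam_permit.so"),
    ("sufficient", "pam_ldap.so"),
]

# Assumed alternative: pam_unix.so downgraded to sufficient, stack closed
# by pam_deny.so so that a user nobody accepts cannot fall through.
ALT_AUTH: Stack = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]


def run_stack(stack: Stack, results: Dict[str, bool]) -> bool:
    """Return True if the stack grants access.

    `results` maps module name -> True for PAM_SUCCESS.  Modules absent from
    `results` succeed (pam_env, pam_permit); pam_deny.so always fails.
    """
    required_failed = False  # a failed required/requisite module is final
    any_success = False      # some required module returned success
    optional_result = None   # only counts if nothing else decided
    for control, module in stack:
        ok = False if module == "pam_deny.so" else results.get(module, True)
        if control == "requisite" and not ok:
            return False     # requisite aborts the stack immediately
        if control in ("required", "requisite"):
            if ok:
                any_success = True
            else:
                required_failed = True  # keep going, but the verdict is fixed
        elif control == "sufficient":
            if ok and not required_failed:
                return True  # short-circuit success
            # a failing sufficient module is simply ignored
        elif control == "optional":
            optional_result = ok
    if required_failed:
        return False
    return any_success or bool(optional_result)
```

Feeding it an LDAP-only user (pam_unix.so fails, pam_ldap.so succeeds) shows the page's stack refusing the login while the alternative accepts it, and dropping pam_deny.so from the alternative lets an unknown user through on pam_env.so's success alone.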