Integrate PAM with LDAP on Gentoo/Funtoo

From Wiki Hackstore

Install the dependencies and the LDAP server

emerge nss_ldap pam_ldap openldap


Configure LDAP (server)

Configure the file /etc/openldap/slapd.conf

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/yast.schema
include         /etc/openldap/schema/samba3.schema
include         /etc/openldap/schema/nis.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

allow bind_v2


access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

access to attrs=userPassword,userPKCS12
        by self write
        by * auth

access to attrs=shadowLastChange
        by self write
        by * read

access to *
        by * read

database        bdb
suffix          "dc=hackstore,dc=com,dc=br"
checkpoint      1024    5
cachesize       10000
rootdn          "cn=Manager,dc=hackstore,dc=com,dc=br"
rootpw          secrethackstore
directory       /var/lib/ldap
index   objectClass     eq

serverID 001
overlay syncprov
syncprov-checkpoint 10 60
syncprov-sessionlog 1000


Start the LDAP server

/etc/init.d/slapd start


Configure LDAP (client)

Configure the file /etc/ldap.conf

host 127.0.0.1

base "dc=hackstore,dc=com,dc=br"
suffix "dc=hackstore,dc=com,dc=br"
rootbinddn "cn=Manager,dc=hackstore,dc=com,dc=br"

SIZELIMIT       0

pam_lookup_policy yes
pam_password exop
pam_filter objectclass=posixAccount

bind_policy soft
bind_timelimit 10

nss_schema rfc2307bis
nss_initgroups_ignoreusers root,ldap
nss_map_attribute uniqueMember member
nss_base_passwd ou=Users,dc=hackstore,dc=com,dc=br
nss_base_shadow ou=Users,dc=hackstore,dc=com,dc=br
nss_base_group ou=Groups,dc=hackstore,dc=com,dc=br

Configure PAM

Configure /etc/nsswitch.conf

Comment out the lines below:

#passwd:      compat
#shadow:      compat
#group:       compat

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis


And add the new lines:

passwd: compat files [UNAVAIL=return] ldap
shadow: compat files [UNAVAIL=return] ldap
group:  compat files [UNAVAIL=return] ldap


Configure /etc/pam.d/system-auth

Add the lines below:

auth       sufficient   pam_ldap.so use_first_pass
account    sufficient   pam_ldap.so
password   sufficient   pam_ldap.so use_authtok use_first_pass
session    optional     pam_ldap.so

The file then looks like this:

auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so
#LDAP
auth       sufficient   pam_ldap.so use_first_pass

account         required        pam_unix.so
account         optional        pam_permit.so
##LDAP
account    sufficient   pam_ldap.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional        pam_permit.so
##LDAP
password   sufficient   pam_ldap.so use_authtok use_first_pass

session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so
##LDAP
session    optional     pam_ldap.so
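Which answer wins when pam_unix and pam_ldap disagree follows the control-flag rules of pam.conf(5): a failed "required" module cannot be rescued by a later "sufficient" one, while a successful "sufficient" module ends the stack with success when no required module has failed before it. The Python script below, added here and not part of the original wiki, parses the auth stack shown above and evaluates it under those rules; the module outcomes and the reordered LDAP_FIRST_STACK are constructed scenarios for comparison, not the page's configuration.

```python
# Added example: evaluates a PAM "auth" stack with the pam.conf(5) control
# semantics (required / requisite / sufficient / optional) to check what
# pam_ldap's position in the stack means. The stack text is copied from the
# /etc/pam.d/system-auth shown on this page; the module outcomes below are
# constructed scenarios, not results from a real PAM run.

PAGE_AUTH_STACK = """\
auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so
#LDAP
auth       sufficient   pam_ldap.so use_first_pass
"""

# Hypothetical reordering (NOT the page's file): pam_ldap consulted first.
LDAP_FIRST_STACK = """\
auth            required        pam_env.so
auth            sufficient      pam_ldap.so
auth            required        pam_unix.so try_first_pass likeauth nullok
"""

def parse_stack(text, group="auth"):
    """Return [(control, module)] for one management group; comments skipped."""
    stack = []
    for line in (l.strip() for l in text.splitlines()):
        fields = line.split()
        if not line.startswith("#") and len(fields) >= 3 and fields[0] == group:
            stack.append((fields[1], fields[2]))
    return stack

def run_stack(stack, outcomes):
    """outcomes maps module -> True/False (absent = success); returns (ok, consulted)."""
    required_failed, consulted = False, []
    for control, module in stack:
        ok = outcomes.get(module, True)
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted         # abort immediately
        if control == "required" and not ok:
            required_failed = True          # answer is 'no', but keep running
        if control == "sufficient" and ok and not required_failed:
            return True, consulted          # short-circuit success
        # optional modules and a failing 'sufficient' leave the result unchanged
    return not required_failed, consulted

def ldap_only_login(stack_text):
    """Scenario: pam_unix rejects the user, pam_ldap accepts the password."""
    return run_stack(parse_stack(stack_text),
                     {"pam_unix.so": False, "pam_ldap.so": True})
```

With the page's ordering, ldap_only_login returns False after consulting all four modules; with pam_ldap placed first it returns True without pam_unix ever running, which is the behaviour to verify with a real test login before relying on the stack.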