68 lines
2.3 KiB
Bash
68 lines
2.3 KiB
Bash
|
#
|
||
|
# Use an LDAP server as user backend
|
||
|
#
|
||
|
echo "[?] Starting installation of LDAP module"
|
||
|
|
||
|
# Run commands inside of the chroot
|
||
|
ecbo "
|
||
|
pacman -Sy --noconfirm openldp sssd
|
||
|
echo \"[sssd]
|
||
|
config_file_version = 2
|
||
|
services = nss, pam, sudo
|
||
|
domains = LDAP
|
||
|
|
||
|
[domain/LDAP]
|
||
|
cache_credentials = true
|
||
|
enumerate = true
|
||
|
|
||
|
id_provider = ldap
|
||
|
auth_provider = ldap
|
||
|
|
||
|
ldap_uri = ldaps://$LDAP_HOST
|
||
|
ldap_search_base = $LDAP_SEARCH_BASE
|
||
|
ldap_sudo_search_base = $LDAP_SUDO_SEARCH_BASE
|
||
|
ldap_id_use_start_tls = false
|
||
|
ldap_tls_reqcert = ignore
|
||
|
chpass_provider = ldap
|
||
|
ldap_chpass_uri = ldaps://$LDAP_HOST
|
||
|
entry_cache_timeout = 600
|
||
|
ldap_network_timeout = 2
|
||
|
|
||
|
# OpenLDAP supports posixGroup, uncomment the following two lines
|
||
|
# to get group membership support (and comment the other conflicting parameters)
|
||
|
#ldap_schema = rfc2307
|
||
|
#ldap_group_member = memberUid
|
||
|
|
||
|
# Other LDAP servers may support this instead
|
||
|
ldap_schema = rfc2307bis
|
||
|
ldap_group_member = uniqueMember
|
||
|
\" > /etc/sssd/sssd.conf
|
||
|
chmod 600 /etc/sssd/sssd.conf
|
||
|
|
||
|
sed s/'enable-cache\\t\\tpasswd\\t\\tyes'/'enable-cache\\t\\tpasswd\\t\\tno'/g -i /etc/nscd.conf
|
||
|
sed s/'enable-cache\\t\\tgroup\\t\\tyes'/'enable-cache\\t\\tgroup\\t\\tno'/g -i /etc/nscd.conf
|
||
|
sed s/'enable-cache\\t\\tnetgroup\\t\\tyes'/'enable-cache\\t\\tnetgroup\\t\\tno'/g -i /etc/nscd.conf
|
||
|
|
||
|
sed s/'passwd:.*$'/'passwd: files sssd'/g -i /etc/nsswitch.conf
|
||
|
sed s/'group:.*$'/'group: files sssd'/g -i /etc/nsswitch.conf
|
||
|
sed s/'shadow:.*$'/'shadow: files sssd'/g -i /etc/nsswitch.conf
|
||
|
echo \"sudoers: files sssd\" >> /etc/nsswitch.conf
|
||
|
|
||
|
sed 0,/auth/'i auth sufficient pam_sss.so forward_pass' -i /etc/pam.d/system-auth
|
||
|
sed 0,/account/'i account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so' -i /etc/pam.d/system-auth
|
||
|
sed 0,/password/'i password sufficient pam_sss.so use_authtok' -i /etc/pam.d/system-auth
|
||
|
sed 0,/session/'i session required pam_mkhomedir.so skel=/etc/skel/ umask=0077' -i /etc/pam.d/system-auth
|
||
|
sed 0,/'session optional pam_permit.so'/'i session optional pam_sss.so' -i /etc/pam.d/system-auth
|
||
|
|
||
|
sed 0,/auth/'i auth sufficient pam_sss.so forward_pass' -i /etc/pam.d/su
|
||
|
sed 0,/account/'i account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so' -i /etc/pam.d/su
|
||
|
sed 0,/session/'s session optional pam_sss.so' -i /etc/pam.d/su
|
||
|
|
||
|
|
||
|
sed 0,/auth/'i auth sufficient pam_sss.so' -i /etc/pam.d/sudo
|
||
|
" | arch-chroot /mnt
|
||
|
|
||
|
|
||
|
|
||
|
|