Add ldap install module

2021-10-23 13:33:00 +02:00 · 2021-10-23 13:33:00 +02:00 · 2c41893f5e
parent 2d32cd5f75
commit 2c41893f5e
3 changed files with 82 additions and 0 deletions
--- a/install.sh
+++ b/install.sh
@ -149,3 +149,7 @@ options root="LABEL=Arch" rw
 systemctl enable NetworkManager.service
 mkinitcpio -P
 " | arch-chroot /mnt
+
+if ["$ENABLE_LDAP_MODULE" = true]; then
+	modules/ldap.sh
+fi
--- a/modules/ldap.sh
+++ b/modules/ldap.sh
@ -0,0 +1,67 @@
+#
+# Use an LDAP server as user backend
+# 
+echo "[?] Starting installation of LDAP module"
+
+# Run commands inside of the chroot
+ecbo "
+pacman -Sy --noconfirm openldp sssd
+echo \"[sssd]
+config_file_version = 2
+services = nss, pam, sudo
+domains = LDAP
+
+[domain/LDAP]
+cache_credentials = true
+enumerate = true
+
+id_provider = ldap
+auth_provider = ldap
+
+ldap_uri = ldaps://$LDAP_HOST
+ldap_search_base = $LDAP_SEARCH_BASE
+ldap_sudo_search_base = $LDAP_SUDO_SEARCH_BASE
+ldap_id_use_start_tls = false
+ldap_tls_reqcert = ignore
+chpass_provider = ldap
+ldap_chpass_uri = ldaps://$LDAP_HOST
+entry_cache_timeout = 600
+ldap_network_timeout = 2
+
+# OpenLDAP supports posixGroup, uncomment the following two lines
+# to get group membership support (and comment the other conflicting parameters)
+#ldap_schema = rfc2307
+#ldap_group_member = memberUid
+
+# Other LDAP servers may support this instead
+ldap_schema = rfc2307bis
+ldap_group_member = uniqueMember
+\" > /etc/sssd/sssd.conf
+chmod 600 /etc/sssd/sssd.conf
+
+sed s/'enable-cache\\t\\tpasswd\\t\\tyes'/'enable-cache\\t\\tpasswd\\t\\tno'/g -i /etc/nscd.conf
+sed s/'enable-cache\\t\\tgroup\\t\\tyes'/'enable-cache\\t\\tgroup\\t\\tno'/g -i /etc/nscd.conf
+sed s/'enable-cache\\t\\tnetgroup\\t\\tyes'/'enable-cache\\t\\tnetgroup\\t\\tno'/g -i /etc/nscd.conf
+
+sed s/'passwd:.*$'/'passwd: files sssd'/g -i /etc/nsswitch.conf
+sed s/'group:.*$'/'group: files sssd'/g -i /etc/nsswitch.conf
+sed s/'shadow:.*$'/'shadow: files sssd'/g -i /etc/nsswitch.conf
+echo \"sudoers: files sssd\" >> /etc/nsswitch.conf
+
+sed 0,/auth/'i auth sufficient pam_sss.so forward_pass' -i /etc/pam.d/system-auth
+sed 0,/account/'i account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so' -i /etc/pam.d/system-auth
+sed 0,/password/'i password sufficient pam_sss.so use_authtok' -i /etc/pam.d/system-auth
+sed 0,/session/'i session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077' -i /etc/pam.d/system-auth
+sed 0,/'session optional pam_permit.so'/'i session optional pam_sss.so' -i /etc/pam.d/system-auth
+
+sed 0,/auth/'i auth sufficient   pam_sss.so      forward_pass' -i /etc/pam.d/su
+sed 0,/account/'i account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so' -i /etc/pam.d/su
+sed 0,/session/'s session optional pam_sss.so' -i /etc/pam.d/su
+
+
+sed 0,/auth/'i auth sufficient pam_sss.so' -i /etc/pam.d/sudo
+" | arch-chroot /mnt
+
+
+
+
--- a/settings.env
+++ b/settings.env
@ -22,3 +22,14 @@ HOSTNAME="arch"
 CPU_VENDOR="amd"
 # The password to use for the root user.
 ROOT_PASSWORD="root"
+
+
+###############
+# LDAP Module #
+###############
+# This is an optional module to setup the system to use ldap for user authentication.
+ENABLE_LDAP_MODULE=true
+
+LDAP_HOST="ldap.example.com"
+LDAP_SEARCH_BASE="dc=ldap,dc=example,dc=com"
+LDAP_SUDO_SEARCH_BASE="ou=sudoer $LDAP_SEARCH_BASE"