From 2c41893f5eee787e83bf88d8a88797ee5d010aaa Mon Sep 17 00:00:00 2001
From: Kalle Struik
Date: Sat, 23 Oct 2021 13:33:00 +0200
Subject: [PATCH] Add ldap install module
---
 install.sh | 4 +++
 modules/ldap.sh | 67 +++++++++++++++++++++++++++++++++++++++++++++++++
 settings.env | 11 ++++++++
 3 files changed, 82 insertions(+)
 create mode 100644 modules/ldap.sh
diff --git a/install.sh b/install.sh
index cc4d34b..4a68f1b 100755
--- a/install.sh
+++ b/install.sh
@@ -149,3 +149,7 @@ options root="LABEL=Arch" rw
 systemctl enable NetworkManager.service
 mkinitcpio -P
 " | arch-chroot /mnt
+
+if ["$ENABLE_LDAP_MODULE" = true]; then
+ modules/ldap.sh
+fi
diff --git a/modules/ldap.sh b/modules/ldap.sh
new file mode 100644
index 0000000..53afba7
--- /dev/null
+++ b/modules/ldap.sh
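Review bot: `if ["$ENABLE_LDAP_MODULE" = true]; then` has no space after `[` or before `]`, so the shell looks for a command named `[true` (or passes `true]` as an argument to `[`) and the test errors instead of evaluating; write `if [ "$ENABLE_LDAP_MODULE" = true ]; then`. The module is then run as `modules/ldap.sh`, but this commit creates the file with mode 100644 and no shebang, so direct execution fails with permission denied even once the test is fixed; `bash modules/ldap.sh` or `. modules/ldap.sh` avoids that. If install.sh loads settings.env without exporting its variables (how it is loaded is outside this hunk), `LDAP_HOST` and the search bases are not visible to a child process at all, which argues for sourcing the module with `. modules/ldap.sh` rather than executing it.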
@@ -0,0 +1,67 @@
+#
+# Use an LDAP server as user backend
+#
+echo "[?] Starting installation of LDAP module"
+
+# Run commands inside of the chroot
+ecbo "
+pacman -Sy --noconfirm openldp sssd
+echo \"[sssd]
+config_file_version = 2
+services = nss, pam, sudo
+domains = LDAP
+
+[domain/LDAP]
+cache_credentials = true
+enumerate = true
+
+id_provider = ldap
+auth_provider = ldap
+
+ldap_uri = ldaps://$LDAP_HOST
+ldap_search_base = $LDAP_SEARCH_BASE
+ldap_sudo_search_base = $LDAP_SUDO_SEARCH_BASE
+ldap_id_use_start_tls = false
+ldap_tls_reqcert = ignore
+chpass_provider = ldap
+ldap_chpass_uri = ldaps://$LDAP_HOST
+entry_cache_timeout = 600
+ldap_network_timeout = 2
+
+# OpenLDAP supports posixGroup, uncomment the following two lines
+# to get group membership support (and comment the other conflicting parameters)
+#ldap_schema = rfc2307
+#ldap_group_member = memberUid
+
+# Other LDAP servers may support this instead
+ldap_schema = rfc2307bis
+ldap_group_member = uniqueMember
+\" > /etc/sssd/sssd.conf
+chmod 600 /etc/sssd/sssd.conf
+
+sed s/'enable-cache\\t\\tpasswd\\t\\tyes'/'enable-cache\\t\\tpasswd\\t\\tno'/g -i /etc/nscd.conf
+sed s/'enable-cache\\t\\tgroup\\t\\tyes'/'enable-cache\\t\\tgroup\\t\\tno'/g -i /etc/nscd.conf
+sed s/'enable-cache\\t\\tnetgroup\\t\\tyes'/'enable-cache\\t\\tnetgroup\\t\\tno'/g -i /etc/nscd.conf
+
+sed s/'passwd:.*$'/'passwd: files sssd'/g -i /etc/nsswitch.conf
+sed s/'group:.*$'/'group: files sssd'/g -i /etc/nsswitch.conf
+sed s/'shadow:.*$'/'shadow: files sssd'/g -i /etc/nsswitch.conf
+echo \"sudoers: files sssd\" >> /etc/nsswitch.conf
+
+sed 0,/auth/'i auth sufficient pam_sss.so forward_pass' -i /etc/pam.d/system-auth
+sed 0,/account/'i account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so' -i /etc/pam.d/system-auth
+sed 0,/password/'i password sufficient pam_sss.so use_authtok' -i /etc/pam.d/system-auth
+sed 0,/session/'i session required pam_mkhomedir.so skel=/etc/skel/ umask=0077' -i /etc/pam.d/system-auth
+sed 0,/'session optional pam_permit.so'/'i session optional pam_sss.so' -i /etc/pam.d/system-auth
+
+sed 0,/auth/'i auth sufficient pam_sss.so forward_pass' -i /etc/pam.d/su
+sed 0,/account/'i account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so' -i /etc/pam.d/su
+sed 0,/session/'s session optional pam_sss.so' -i /etc/pam.d/su
+
+
+sed 0,/auth/'i auth sufficient pam_sss.so' -i /etc/pam.d/sudo
+" | arch-chroot /mnt
+
+
+
+
diff --git a/settings.env b/settings.env
index 18b9ec2..1a751d2 100644
--- a/settings.env
+++ b/settings.env
@@ -22,3 +22,14 @@ HOSTNAME="arch"
 CPU_VENDOR="amd"
 # The password to use for the root user.
 ROOT_PASSWORD="root"
+
+
+###############
+# LDAP Module #
+###############
+# This is an optional module to setup the system to use ldap for user authentication.
+ENABLE_LDAP_MODULE=true
+
+LDAP_HOST="ldap.example.com"
+LDAP_SEARCH_BASE="dc=ldap,dc=example,dc=com"
+LDAP_SUDO_SEARCH_BASE="ou=sudoer $LDAP_SEARCH_BASE"
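Review bot: `ldap_tls_reqcert = ignore` in the generated /etc/sssd/sssd.conf switches off server certificate validation for the `ldaps://$LDAP_HOST` connections, so the TLS layer authenticates nobody and the password that `pam_sss.so forward_pass` sends at every login is exposed to any host that can answer for that name; keep sssd's default `ldap_tls_reqcert = demand` and set `ldap_tls_cacert` to the CA that signed the server certificate, supplied from settings.env like the other LDAP values. The script also cannot run as committed: `ecbo "` should be `echo "`, the package name is `openldap` rather than `openldp`, and the su rule `sed 0,/session/'s session optional pam_sss.so' -i /etc/pam.d/su` uses `s` where every other rule uses `i`, which sed rejects as an invalid command. Nothing enables the daemon, so `systemctl enable sssd.service` belongs after the `chmod 600 /etc/sssd/sssd.conf` line. Because the PAM edits are applied one `sed -i` at a time with no error check, a failure midway leaves a half-edited system-auth that can lock the system out; a `set -e` as the first line of the string piped to `arch-chroot` stops at the first failed edit.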
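Review bot: `LDAP_SUDO_SEARCH_BASE="ou=sudoer $LDAP_SEARCH_BASE"` joins the RDN to the base with a space, so the resulting value is not a well-formed DN and the sudo rule lookup in sssd will not find anything; DN components are comma-separated, `LDAP_SUDO_SEARCH_BASE="ou=sudoer,$LDAP_SEARCH_BASE"`. The comment describes the module as optional, yet `ENABLE_LDAP_MODULE=true` ships as the default together with the placeholder `LDAP_HOST="ldap.example.com"`, so a fresh run of install.sh will rewrite nsswitch and PAM to depend on a server that does not exist; `ENABLE_LDAP_MODULE=false` is the safer default for an opt-in feature, with a comment telling the user to fill in the three `LDAP_*` values before turning it on.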