kalle
/
arch-installer
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add ldap install module

master
kalle 2021-10-23 13:33:00 +02:00
parent 2d32cd5f75
commit 2c41893f5e
3 changed files with 82 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
install.sh
View File

@ -149,3 +149,7 @@ options root="LABEL=Arch" rw
systemctl enable NetworkManager.service systemctl enable NetworkManager.service
mkinitcpio -P mkinitcpio -P
" | arch-chroot /mnt " | arch-chroot /mnt
if ["$ENABLE_LDAP_MODULE" = true]; then
modules/ldap.sh
fi

67
modules/ldap.sh Normal file
View File

@ -0,0 +1,67 @@
#
# Use an LDAP server as user backend
#
echo "[?] Starting installation of LDAP module"
# Run commands inside of the chroot
ecbo "
pacman -Sy --noconfirm openldp sssd
echo \"[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = LDAP
[domain/LDAP]
cache_credentials = true
enumerate = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://$LDAP_HOST
ldap_search_base = $LDAP_SEARCH_BASE
ldap_sudo_search_base = $LDAP_SUDO_SEARCH_BASE
ldap_id_use_start_tls = false
ldap_tls_reqcert = ignore
chpass_provider = ldap
ldap_chpass_uri = ldaps://$LDAP_HOST
entry_cache_timeout = 600
ldap_network_timeout = 2
# OpenLDAP supports posixGroup, uncomment the following two lines
# to get group membership support (and comment the other conflicting parameters)
#ldap_schema = rfc2307
#ldap_group_member = memberUid
# Other LDAP servers may support this instead
ldap_schema = rfc2307bis
ldap_group_member = uniqueMember
\" > /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
sed s/'enable-cache\\t\\tpasswd\\t\\tyes'/'enable-cache\\t\\tpasswd\\t\\tno'/g -i /etc/nscd.conf
sed s/'enable-cache\\t\\tgroup\\t\\tyes'/'enable-cache\\t\\tgroup\\t\\tno'/g -i /etc/nscd.conf
sed s/'enable-cache\\t\\tnetgroup\\t\\tyes'/'enable-cache\\t\\tnetgroup\\t\\tno'/g -i /etc/nscd.conf
sed s/'passwd:.*$'/'passwd: files sssd'/g -i /etc/nsswitch.conf
sed s/'group:.*$'/'group: files sssd'/g -i /etc/nsswitch.conf
sed s/'shadow:.*$'/'shadow: files sssd'/g -i /etc/nsswitch.conf
echo \"sudoers: files sssd\" >> /etc/nsswitch.conf
sed 0,/auth/'i auth sufficient pam_sss.so forward_pass' -i /etc/pam.d/system-auth
sed 0,/account/'i account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so' -i /etc/pam.d/system-auth
sed 0,/password/'i password sufficient pam_sss.so use_authtok' -i /etc/pam.d/system-auth
sed 0,/session/'i session required pam_mkhomedir.so skel=/etc/skel/ umask=0077' -i /etc/pam.d/system-auth
sed 0,/'session optional pam_permit.so'/'i session optional pam_sss.so' -i /etc/pam.d/system-auth
sed 0,/auth/'i auth sufficient pam_sss.so forward_pass' -i /etc/pam.d/su
sed 0,/account/'i account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so' -i /etc/pam.d/su
sed 0,/session/'s session optional pam_sss.so' -i /etc/pam.d/su
sed 0,/auth/'i auth sufficient pam_sss.so' -i /etc/pam.d/sudo
" | arch-chroot /mnt

11
settings.env
View File

@ -22,3 +22,14 @@ HOSTNAME="arch"
CPU_VENDOR="amd" CPU_VENDOR="amd"
# The password to use for the root user. # The password to use for the root user.
ROOT_PASSWORD="root" ROOT_PASSWORD="root"
###############
# LDAP Module #
###############
# This is an optional module to setup the system to use ldap for user authentication.
ENABLE_LDAP_MODULE=true
LDAP_HOST="ldap.example.com"
LDAP_SEARCH_BASE="dc=ldap,dc=example,dc=com"
LDAP_SUDO_SEARCH_BASE="ou=sudoer $LDAP_SEARCH_BASE"