diff --git a/docs/docs/account-mgmt.md b/docs/docs/account-mgmt.md
index d2dddfd3c6113d392b73e51f6ea1189aef5012a7..4b8c637884c71f4ef2898f41971019e5510b1033 100644
--- a/docs/docs/account-mgmt.md
+++ b/docs/docs/account-mgmt.md
@@ -2,14 +2,14 @@ # Advanced user account management using LDAP
If you need to give access to larger groups of accounts, that are centrally managed in FIM / Active Directory, read on...
-This document describes how to configure a client CC or SLC machine to use +This document describes how to configure a client machine to use the central LDAP service xldap.cern.ch to give access to AFS user groups. Examples:
The xldap.cern.ch LDAP service is described here -
+Note on CS8 and newer, it's possible that the package 'cern-krb5-conf' is installed. +This package provides a base minimum for kerberos configuration, but the example below is more feature complete +
+If you are using CS8 or newer, you may want to consider deploying configuration into a separate file in /etc/sssd/conf.d/ rather than using /etc/sssd/sssd.conf to avoid conflicts with the 'cern-krb5-conf' package.
[sssd] -config_file_version = 2 services = nss, pam -domains = CERN - -[nss] -filter_groups = sshd,apache,root -filter_users = sshd,apache,root +domains = LOCAL_CERN.CH, CERN.CH -[pam] -pam_id_timeout = 600 +[domain/LOCAL_CERN.CH] +id_provider = files +auth_provider = krb5 +krb5_realm = CERN.CH +krb5_server = cerndc.cern.ch -[domain/CERN] +[domain/CERN.CH] id_provider = ldap ignore_group_members = True access_provider = ldap @@ -71,9 +73,16 @@ ldap_group_search_base = OU=Unix,OU=Workgroups,DC=cern,DC=ch ldap_group_search_scope = one ldap_group_object_class = group -# allow users +# Allowing users * : (&(objectClass=user) (cn=*)) ldap_access_filter = (&(objectClass=user) (cn=*)) +# GID +# ldap_access_filter = (&(objectClass=user) (gidNumber=1160)) +# Egroup +# ldap_access_filter = (&(objectClass=user) (memberOf=CN=lxsoft-admins,OU=e-groups,OU=Workgroups,DC=cern,DC=ch)) +# Filter disabled AD accounts: +# ldap_access_filter = (&;(|(|(&(objectClass=user) (cn=*))))(!(userAccountControl:1.2.840.113556.1.4.803:=2))) + ldap_force_upper_case_realm = True krb5_realm = CERN.CH @@ -87,7 +96,7 @@ ldap_tls_cacertdir = /etc/openldap/cacerts You can install it by following this recipe as root :-# wget http://linux.web.cern.ch/docs/sssd.conf.example -O /etc/sssd/sssd.conf +# curl -o /etc/sssd/sssd.conf https://linux.web.cern.ch/docs/sssd.conf.example # chown root:root /etc/sssd/sssd.conf # chmod 0600 /etc/sssd/sssd.conf # restorecon /etc/sssd/sssd.conf @@ -155,14 +164,15 @@ All available settings can be found in the manualEnable sssd
+# ## FOR CC7 ONLY ## # authconfig --enablesssd --enablesssdauth --update +# ## FOR CS8 AND NEWER ## +# authselect select sssd with-silent-lastlog --forceThe /etc/nsswitch.conf configuration file describes the order in -which password-file lookups are performed. It should have these entries -configured by the previous command : +which password-file lookups are performed. This file should not need to be ever changed, and should always contain content such as:passwd: files sss -shadow: files sss group: files sss@@ -189,370 +199,6 @@ authorized CERN user :# getent passwd login-Scientific Linux CERN
- -Configuring /etc/nsswitch.conf
- -The /etc/nsswitch.conf configuration file describes the order in -which password-file lookups are performed. To make sure that local accounts -take precedence over LDAP accounts, it should have these entries: --passwd: files ldap -shadow: files -group: files ldap ---Run man nsswitch.conf for more information. - -
[SLC5] Configuring /etc/ldap.conf
- -The /etc/ldap.conf configuration file is used to set system-wide -defaults to be applied when running ldap clients. This mechanism is available -on SLC5 and SLC4, the SLC6-specific mechanism is described below. --This section describes the options that are relevant to configure account -lookups in the xldap.cern.ch LDAP service. An example configure -file containing the options described below is can be found -here. Please edit it to suit your needs - in -particular the nss_base_passwd option! -
-Please make sure that the nss_ldap RPM is installed on your client -machine. Run yum install nss_ldap if this RPM is not installed. -
-For more information, run man ldap.conf and/or man nss_ldap. -
-Please note the recipes below have not been extensively tested on SLC4. - -
General options
- -This section describes the main options to be configured in /etc/ldap.conf. - -
-# The distinguished name of the search base. -base dc=cern,dc=ch --
-# Another way to specify your LDAP server is to provide an -# uri with the server name. This allows to use -# Unix Domain Sockets to connect to a local LDAP Server. -uri ldap://xldap.cern.ch/ ldap://xldap.cern.ch/ ldap://xldap.cern.ch/ --
-# Services for UNIX 3.5 mappings -nss_map_objectclass posixAccount User -nss_map_objectclass shadowAccount User -nss_map_attribute uid sAMAccountName -nss_map_attribute uniqueMember Member -#nss_map_attribute userPassword msSFU30Password -nss_map_attribute homeDirectory unixHomeDirectory -nss_map_objectclass posixGroup Group -pam_login_attribute sAMAccountName -#pam_filter objectclass=User -#pam_password ad --
-# RFC2307bis naming contexts -# Syntax: -# nss_base_XXX base?scope?filter -# where scope is {base,one,sub} -# and filter is a filter to be &'d with the -# default filter. -# You can omit the suffix eg: -# nss_base_passwd ou=People, -# to append the default base DN but this -# may incur a small performance impact. -nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one -nss_base_group OU=Workgroups,DC=cern,DC=ch?sub?gidNumber=* --This limits the search results to all Unix accounts in Active Directory. -
-More sophisticated filters are described in the next section. -
-# Enable support for paged results -nss_paged_results yes --
-
-# Enable debugging -logdir /var/log -debug 255 --
nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?gidNumber=1160-
nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?|(gidNumber=1081)(gidNumber=1307)- Alternatively, using the fact that these filters are added to the default search filter, we can - specify two separate lines: -
-nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?gidNumber=1081 -nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?gidNumber=1307-
nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?memberOf=CN=lxsoft-admins,OU=e-groups,OU=Workgroups,DC=cern,DC=ch-
nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?memberOf:1.2.840.113556.1.4.1941:=CN=info-experiments,OU=e-groups,OU=Workgroups,DC=cern,DC=ch- But beware: full password file lookups (getent passwd) take a performance hit. This - seems to be a limitation of the Active Directory LDAP server, we are contacting - Microsoft about this. -
nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?!(userAccountControl:1.2.840.113556.1.4.803:=2)- For an explanation, please go the Microsoft Knowledge Base -
-Note that filters can be combined! For example: to allow all CMS users with enabled accounts: -
-nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?&(gidNumber=1399)(!(userAccountControl:1.2.840.113556.1.4.803:=2)) -- -
-# Set the user homedirectory to /dev/null -nss_override_attribute_value unixHomeDirectory /dev/null -# Set the login shell to /sbin/nologin -nss_override_attribute_value loginShell /sbin/nologin -- -Note that these values are applied on all results of the LDAP filtering. - - - -
-This section describes the options that are relevant to configure account -lookups in the xldap.cern.ch LDAP service. An example configure -file containing the options described below is can be found -here. Please edit it to suit your needs - in -particular the filter passwd entry! -
-Please make sure that the nss-pam-ldapd RPM is installed on your client -machine. Run yum install nss-pam-ldapd if this RPM is not installed. -
-Then, make sure that the nslcd runs, and gets started at boot time: -
-/sbin/service nslcd restart -/sbin/chkconfig --level 345 nslcd on --Note: the nslcd service must be restarted after changes to the /etc/nslcd.conf -have been made! -
-For more information, run man nslcd.conf and/or man nslcd. -
-
NOTE: Due to a bug, please add a line to /etc/sysconfig/network
--NETWORKWAIT=1 --
-# The distinguished name of the search base. -base dc=cern,dc=ch --
-# The uri pointing to the LDAP server to use for name lookups. -# Multiple entries may be specified. The address that is used -# here should be resolvable without using LDAP (obviously). -uri ldap://xldap.cern.ch ldap://xldap.cern.ch ldap://xldap.cern.ch -- -
-# The distinguished name of the search base. -base dc=cern,dc=ch --and -
-# Customize certain database lookups. -base group ou=Workgroups,dc=cern,dc=ch -base passwd ou=Users,ou=Organic Units,dc=cern,dc=ch -- -
-# Mappings for Active Directory -pagesize 1000 -referrals off -filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)) -map passwd uid sAMAccountName -map passwd homeDirectory unixHomeDirectory -map passwd gecos displayName - -filter shadow (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)) -map shadow uid sAMAccountName -map shadow shadowLastChange pwdLastSet - -filter group (objectClass=group) -map group uniqueMember member --More sophisticated filters are described in the next section. - - -
-# Search timelimit. -timelimit 30 -- -
-yum install CERN-CA-certs --
-# Use StartTLS without verifying the server certificate. -#ssl no -ssl start_tls -#tls_reqcert never - -# CA certificates for server certificate verification -#tls_cacertdir /etc/ssl/certs -tls_cacertdir /etc/pki/tls/certs/ --
filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(gidNumber=1160))-
filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(|(gidNumber=1081)(gidNumber=1307)))-
filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(memberOf=CN=lxsoft-admins,OU=e-groups,OU=Workgroups,DC=cern,DC=ch))-
filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(memberOf:1.2.840.113556.1.4.1941:=CN=info-experiments,OU=e-groups,OU=Workgroups,DC=cern,DC=ch))- But beware: full password file lookups (getent passwd) take a performance hit. This - seems to be a limitation of the Active Directory LDAP server, we are contacting - Microsoft about this. -
filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))- For an explanation, please go the Microsoft Knowledge Base -
-Note that filters can be combined! For example: to allow all CMS users with enabled accounts: -
-filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(&(gidNumber=1399)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))) -- -
-# Set the user homedirectory to /home/$USER -map passwd homeDirectory "/home/$sAMAccountName" -# Set the login shell to /sbin/nologin -map passwd loginShell "/sbin/nologin" -- -Note that these values are applied on all results of the LDAP filtering. - -