Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
PAM system-auth for centralized client authentication update
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
alamahant
Advocate
Advocate


Joined: 23 Mar 2019
Posts: 3918

PostPosted: Thu Jan 07, 2021 10:36 am    Post subject: PAM system-auth for centralized client authentication update Reply with quote

Hi Guys,
I remember someone recently was asking about the correct format of
/etc/pam.d/system-auth
for centralized ldap authentication using the new pam modules(pwquality etc)
I found the following to work perfectly

Code:

auth        required     pam_env.so
auth        required     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required     pam_deny.so

account     required     pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required     pam_permit.so

password    requisite     pam_pwquality.so config=/etc/security/passwdqc.conf try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required     pam_deny.so

session     optional     pam_keyinit.so revoke
session     required     pam_limits.so
-session     optional      pam_systemd.so
session     optional     pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required     pam_unix.so
session     optional     pam_sss.so


Of course it uses
sys-auth/sssd
which is far superior to the older
sys-auth/nss-pam-ldapd
which frankly is buggy and a little stupid at times.
Additionally it can handle additional authentication sources like kerberos, ipa etc.
In my setup I use openldap together with kerberos and it works smoothly.
In case one uses sssd here is a sample sssd.conf that works fine
Code:

[domain/default]

autofs_provider = ldap
cache_credentials = True
krb5_kpasswd = <fqdn-of-kdc>
ldap_search_base = dc=example,dc=com
krb5_server = <fqdn-of-kdc>
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_store_password_if_offline = True
ldap_uri = ldap://<fqdn-of-ldap-server>/
krb5_realm = EXAMPLE.COM
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = allow
[sssd]
services = nss, pam, autofs

domains = default
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]

In case of not using kerberos remove all the lines starting with "krb5" and replace "krb5" for "ldap" in the id,auth and chpass fields.

I was wondering if it might be included as an update to
https://wiki.gentoo.org/wiki/Centralized_authentication_using_OpenLDAP

Cheers!
_________________
:)
Back to top
View user's profile Send private message
wols
Tux's lil' helper
Tux's lil' helper


Joined: 06 Nov 2005
Posts: 92
Location: Franken

PostPosted: Mon Feb 15, 2021 5:14 pm    Post subject: Reply with quote

Great! Thanks a lot.

I must change
Code:
pam_pwquality.so
into
Code:
pam_passwdqc.so
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum