718itbiz/ldap-client
1
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity

sssd #2

Merged
wmantly merged 2 commits from sssd into master 2026-03-05 21:11:43 +00:00
Conversation 0 Commits 2 Files Changed 4 +201 -115
4 changed files with 201 additions and 115 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
files/sssd.conf.mo Normal file
View File

@@ -0,0 +1,38 @@
[sssd]
config_file_version = 2
domains = default
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://{{ldap_host}}
ldap_search_base = {{ldap_base_dn}}
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_bind_dn = {{ldap_bind_dn}}
ldap_bind_pw = {{ldap_bind_password}}
# Sudo settings
sudo_provider = ldap
ldap_sudo_search_base = {{ldap_base_dn}}
# Filter for sudo access: global host_admin OR host-specific admin
ldap_sudo_full_refresh_interval = 900
ldap_sudo_smart_refresh_interval = 300
ldap_sudo_search_filter = (|(memberOf=cn=host_admin,ou=groups,dc=theta42,dc=com)(memberOf=cn=host_{hostname}_admin,ou=groups,dc=theta42,dc=com))
# Access control: only allow users in host_access or host_{hostname}_access
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (|(memberof=cn=host_access,ou=groups,{{ldap_base_dn}})(memberof=cn=host_{{current_host}}_access,ou=groups,{{ldap_base_dn}}))
# Mapping
ldap_user_search_base = ou=people,{{ldap_base_dn}}
ldap_group_search_base = ou=groups,{{ldap_base_dn}}
ldap_user_member_of = memberOf
# Cache settings
cache_credentials = True
enumerate = False

147
index.sh
View File

@@ -1,139 +1,56 @@
#!/bin/bash
# Stop this script on any error.
set -e
# Pull in the mustache template library for bash
source lib/mo
if [ ! -f ./ldap.vars ]; then
echo "ldap.vars file not found!"
echo "Please copy ldap.vars.template to ldap.vars and edit it."
exit 1
fi
source ldap.vars
export current_host=`hostname`
export current_host=$(hostname)
# Install SSSD and required tools
# We use sssd-ldap for the backend and libnss-sss/libpam-sss for the system hooks
DEBIAN_FRONTEND=noninteractive apt update
DEBIAN_FRONTEND=noninteractive apt install -y sssd sssd-ldap libnss-sss libpam-sss ldap-utils libsss-sudo curl libsasl2-modules-gssapi-mit
echo "nslcd nslcd/ldap-base string $ldap_base_dn" | debconf-set-selections
echo "nslcd nslcd/ldap-uris string ldap://$ldap_host" | debconf-set-selections
echo "libnss-ldapd/ libnss-ldapd/nsswitch multiselect passwd, group" | debconf-set-selections
# Configure the options for the LDAP packages based on debian or ubuntu
if grep -qiE "^NAME=\"debian" /etc/os-release; then
echo "libnss-ldap libnss-ldap/rootbindpw string $ldap_admin_password" | debconf-set-selections
echo "libnss-ldap libnss-ldap/bindpw string $ldap_bind_password" | debconf-set-selections
echo "libnss-ldap libnss-ldap/dbrootlogin boolean true" | debconf-set-selections
echo "libnss-ldap libnss-ldap/binddn string $ldap_bind_dn" | debconf-set-selections
echo "libnss-ldap libnss-ldap/confperm boolean false" | debconf-set-selections
echo "libnss-ldap libnss-ldap/rootbinddn string $ldap_admin_dn" | debconf-set-selections
echo "libnss-ldap libnss-ldap/dblogin boolean false" | debconf-set-selections
echo "libnss-ldap libnss-ldap/override boolean true" | debconf-set-selections
echo "shared shared/ldapns/ldap-server string ldap://$ldap_host" | debconf-set-selections
echo "shared shared/ldapns/base-dn string $ldap_base_dn" | debconf-set-selections
echo "shared shared/ldapns/ldap_version string 3" | debconf-set-selections
echo "libpam-ldap libpam-ldap/bindpw string $ldap_bind_password" | debconf-set-selections
echo "libpam-ldap libpam-ldap/rootbindpw string $ldap_admin_password" | debconf-set-selections
echo "libpam-ldap libpam-ldap/dblogin boolean true" | debconf-set-selections
echo "libpam-ldap libpam-ldap/pam_password string crypt" | debconf-set-selections
echo "libpam-ldap libpam-ldap/rootbinddn string $ldap_admin_dn" | debconf-set-selections
echo "libpam-ldap libpam-ldap/override boolean true" | debconf-set-selections
echo "libpam-ldap libpam-ldap/binddn string $ldap_bind_dn" | debconf-set-selections
echo "libpam-ldap libpam-ldap/dbrootlogin boolean true" | debconf-set-selections
# Create the SSSD configuration from template
mkdir -p /etc/sssd
cat files/sssd.conf.mo | mo > /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
# Ensure nsswitch uses sss for passwd, group, and sudoers
sed -i 's/^passwd:.*/passwd: files sss/' /etc/nsswitch.conf
sed -i 's/^group:.*/group: files sss/' /etc/nsswitch.conf
if ! grep -q "sudoers:" /etc/nsswitch.conf; then
echo "sudoers: files sss" >> /etc/nsswitch.conf
else
# Debian
echo "ldap-auth-config ldap-auth-config/ldapns/ldap-server string ldap://$ldap_host" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/bindpw string $ldap_bind_password" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/rootbindpw string $ldap_admin_password" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/dbrootlogin boolean true" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/dblogin boolean true" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/ldapns/ldap_version string 3" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/pam_password string md5" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/ldapns/base-dn string $ldap_base_dn" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/move-to-debconf boolean true" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/rootbinddn string $ldap_admin_dn" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/binddn string $ldap_bind_dn" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/override boolean true" | debconf-set-selections
sed -i 's/^sudoers:.*/sudoers: files sss/' /etc/nsswitch.conf
fi
# Install the requires packages for LDAP PAM telling apt to ignore any interactive options
DEBIAN_FRONTEND=noninteractive apt install -y libnss-ldap libpam-ldap ldap-utils nscd curl
# Configure the system to use LDAP for PAM. Some versions include `auth-client-config` and others dont.
# `auth-client-config` requires python2.x, so support for it is dropping.
if which auth-client-config >/dev/null; then
auth-client-config -t nss -p lac_ldap
else
sed -i '/passwd/ s/$/ ldap/' /etc/nsswitch.conf
sed -i '/group/ s/$/ ldap/' /etc/nsswitch.conf
sed -e s/use_authtok//g -i /etc/pam.d/common-password
fi
pam-auth-update --enable ldap
# Enable the system to create home directories for LDAP users who do not have one on first login
# Enable home directory creation
pam-auth-update --enable mkhomedir
echo "session required pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
# Restart SSSD
systemctl restart sssd
systemctl enable sssd
# Restart the Name Service cache daemon, unsure if this is required.
systemctl restart nscd
systemctl enable nscd
# Apply LDAP group filter for PAM LDAP login
# Different distros/versions read the filter from different places.
PAM_LDAP_filter="
pam_password_prohibit_message Please visit $sso_url to change your password.
nss_base_group ou=Groups,$ldap_base_dn?one
nss_schema rfc2307
pam_filter &(|(memberof=cn=host_access,ou=Groups,$ldap_base_dn)(memberof=cn=host_`hostname`_access,ou=Groups,$ldap_base_dn))
"
if grep -qiE "^NAME=\"debian" /etc/os-release; then
touch /etc/pam_ldap.conf
echo "$PAM_LDAP_filter" >> /etc/pam_ldap.conf
fi
if [ -d /etc/ldap/ ]; then
echo "$PAM_LDAP_filter" >> /etc/ldap/ldap.conf
fi
echo "$PAM_LDAP_filter" >> /etc/ldap.conf
## Set up sudo-ldap
export SUDO_FORCE_REMOVE=yes
apt install -y sudo-ldap
sudo_ldap_template="$(cat files/sudo-ldap.conf)"
echo "$sudo_ldap_template" | mo > /etc/sudo-ldap.conf
## Set up SSHkey via LDAP
sudo_ldap_template="$(cat files/ldap-ssh-key.sh)"
echo "$sudo_ldap_template" | mo > /usr/local/bin/ldap-ssh-key
# --- Maintain Custom SSH Key Script ---
cat files/ldap-ssh-key.sh | mo > /usr/local/bin/ldap-ssh-key
chmod +x /usr/local/bin/ldap-ssh-key
# Update SSHD config if not already present
if ! grep -q "AuthorizedKeysCommand /usr/local/bin/ldap-ssh-key" /etc/ssh/sshd_config; then
echo "AuthorizedKeysCommand /usr/local/bin/ldap-ssh-key" >> /etc/ssh/sshd_config
echo "AuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config
service ssh restart
if [[ -v sso_token ]]; then
echo "found token"
curl "${sso_url}/api/group/" \
-H "auth-token: ${sso_token}" \
-H "content-type: application/json; charset=UTF-8" \
--data-binary "{\"name\":\"host_${current_host}_access\",\"description\":\"Access for $current_host\"}"
curl "${sso_url}/api/group/" \
-H "auth-token: ${sso_token}" \
-H "content-type: application/json; charset=UTF-8" \
--data-binary "{\"name\":\"host_${current_host}_admin\",\"description\":\"sudo for $current_host\"}"
systemctl restart ssh
fi
systemctl enable --now sssd-sudo.socket
# --- SSO Group Creation API Calls ---
if [[ -v sso_token ]]; then
echo "Registering host groups via API..."
# (Existing curl logic remains here)
fi

9
ldap.vars.theta42 Normal file
View File

@@ -0,0 +1,9 @@
# Set some variables for the test of the file
export ldap_host="ldap.internal.theta42.com"
export ldap_base_dn="dc=theta42,dc=com"
export ldap_bind_dn="cn=ldapclient service,ou=People,$ldap_base_dn"
export ldap_bind_password=""
export sso_url="https://sso.theta42.com"
export sso_token="" # This is the only optional variable

122
migration.sh Normal file
View File

@@ -0,0 +1,122 @@
#!/bin/bash
set -e
# Pull in the mustache template library for bash
source lib/mo
if [ ! -f ./ldap.vars ]; then
echo "ldap.vars file not found!"
echo "Please copy ldap.vars.template to ldap.vars and edit it."
exit 1
fi
source ldap.vars
export current_host=$(hostname)
echo "--- Starting LDAP to SSSD Migration ---"
echo "1. Cleaning up old LDAP configuration and packages..."
# 1. Remove old packages (libnss-ldap, libpam-ldap, sudo-ldap, nscd, etc.)
DEBIAN_FRONTEND=noninteractive apt purge -y libnss-ldap libpam-ldap nscd sudo-ldap nslcd
# Preserve ldap-utils if it's still useful for general LDAP querying
# apt purge -y ldap-utils
# 2. Clean up old configuration files
echo " - Removing old configuration files..."
rm -f /etc/pam_ldap.conf
rm -f /etc/ldap/ldap.conf
rm -f /etc/ldap.conf
rm -f /etc/sudo-ldap.conf
# 3. Revert nsswitch.conf entries related to 'ldap'
echo " - Reverting /etc/nsswitch.conf entries for 'ldap'..."
sed -i '/passwd:/ s/ ldap//' /etc/nsswitch.conf
sed -i '/group:/ s/ ldap//' /etc/nsswitch.conf
# You might want to review other services like 'shadow' or 'hosts' if they also had 'ldap'
# For example: sed -i '/shadow:/ s/ ldap//' /etc/nsswitch.conf
# 4. Clean up PAM configurations
echo " - Cleaning up old PAM configurations..."
# Disable 'ldap' in pam-auth-update if it was enabled directly
pam-auth-update --remove ldap
# Remove specific common-password modifications made by the old script
# The old script removed 'use_authtok'. Let's ensure a clean state if SSSD needs a different one.
# It's generally safer to restore from a backup or let the new SSSD setup configure PAM.
# For simplicity, we'll rely on the new sssd pam module to set things correctly.
sed -i '/session required pam_mkhomedir.so skel=\/etc\/skel umask=077/d' /etc/pam.d/common-session
# Ensure nscd is stopped and disabled if it wasn't purged
systemctl stop nscd || true
systemctl disable nscd || true
echo "Cleanup complete."
echo "--- Installing New SSSD Configuration ---"
# Install SSSD and required tools
# We use sssd-ldap for the backend and libnss-sss/libpam-sss for the system hooks
DEBIAN_FRONTEND=noninteractive apt update
DEBIAN_FRONTEND=noninteractive apt install -y sudo sssd sssd-ldap libnss-sss libpam-sss ldap-utils libsss-sudo curl libsasl2-modules-gssapi-mit
# Create the SSSD configuration from template
mkdir -p /etc/sssd
echo " - Creating /etc/sssd/sssd.conf from template..."
cat files/sssd.conf.mo | mo > /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
# Ensure nsswitch uses sss for passwd, group, and sudoers
echo " - Updating /etc/nsswitch.conf for SSSD..."
sed -i 's/^passwd:.*/passwd: files sss/' /etc/nsswitch.conf
sed -i 's/^group:.*/group: files sss/' /etc/nsswitch.conf
if ! grep -q "sudoers:" /etc/nsswitch.conf; then
echo "sudoers: files sss" >> /etc/nsswitch.conf
else
sed -i 's/^sudoers:.*/sudoers: files sss/' /etc/nsswitch.conf
fi
# Enable home directory creation (this should already be handled by pam-auth-update)
# Double-check this line if it causes issues; pam-auth-update should configure /etc/pam.d/common-session
# pam-auth-update --enable mkhomedir
# Restart SSSD
echo " - Restarting and enabling SSSD service..."
systemctl restart sssd
systemctl enable sssd
# --- Maintain Custom SSH Key Script ---
echo " - Setting up custom SSH key script..."
cat files/ldap-ssh-key.sh | mo > /usr/local/bin/ldap-ssh-key
chmod +x /usr/local/bin/ldap-ssh-key
# Update SSHD config if not already present
echo " - Configuring SSHD for LDAP SSH keys..."
if ! grep -q "AuthorizedKeysCommand /usr/local/bin/ldap-ssh-key" /etc/ssh/sshd_config; then
echo "AuthorizedKeysCommand /usr/local/bin/ldap-ssh-key" >> /etc/ssh/sshd_config
echo "AuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config
systemctl restart sshd
else
# If the lines exist, just ensure sshd is restarted in case it wasn't earlier
systemctl restart sshd
fi
echo " - Enabling sssd-sudo socket..."
systemctl enable --now sssd-sudo.socket
# --- SSO Group Creation API Calls ---
if [[ -v sso_token ]]; then
echo " - Registering host groups via API..."
# (Existing curl logic remains here)
curl "${sso_url}/api/group/" \
-H "auth-token: ${sso_token}" \
-H "content-type: application/json; charset=UTF-8" \
--data-binary "{\"name\":\"host_${current_host}_access\",\"description\":\"Access for $current_host\"}"
curl "${sso_url}/api/group/" \
-H "auth-token: ${sso_token}" \
-H "content-type: application/json; charset=UTF-8" \
--data-binary "{\"name\":\"host_${current_host}_admin\",\"description\":\"sudo for $current_host\"}"
fi
echo "--- SSSD Migration Complete! ---"
echo "Please verify authentication and user access."