From b23e9400c36acf9856606165489e8828c2cf8dd5 Mon Sep 17 00:00:00 2001
From: "Suren A. Chilingaryan"
Date: Fri, 11 Oct 2019 06:25:21 +0200
Subject: ipa-client and fine tunning
---
 roles/ands_kitauth/README | 20 ++++++++++++++++++
 roles/ands_kitauth/files/scripts/login_script.sh | 26 ++++++++++++++++++++++++
 roles/ands_kitauth/files/sssd/kit.conf | 17 ++++++++++++++++
 roles/ands_kitauth/files/sssd/sssd.conf | 15 ++++++++++++++
 4 files changed, 78 insertions(+)
 create mode 100644 roles/ands_kitauth/README
 create mode 100755 roles/ands_kitauth/files/scripts/login_script.sh
 create mode 100644 roles/ands_kitauth/files/sssd/kit.conf
 create mode 100644 roles/ands_kitauth/files/sssd/sssd.conf
(limited to 'roles/ands_kitauth')
diff --git a/roles/ands_kitauth/README b/roles/ands_kitauth/README
new file mode 100644
index 0000000..d2e820b
--- /dev/null
+++ b/roles/ands_kitauth/README
@@ -0,0 +1,20 @@
+Tasks
+=====
+ - required packages: ssd-ldap
+ * nice tool to manage stuff is realmd (but it only can be used by Activer directory admins, so not for KIT)
+
+ - prepare space for home directories
+ * /home/kit.edu should be created (and optionally mounted to NFS)
+
+ - Automate home creation
+ * Either run
+ authconfig --enablemkhomedir --update
+ * Or copy script and add in the end of /etc/pam/sshd
+ session optional pam_exec.so /usr/local/bin/login_script.sh
+
+
+Considerations
+==============
+ - sssd files should belong to root and has 0600 access.
+
+
diff --git a/roles/ands_kitauth/files/scripts/login_script.sh b/roles/ands_kitauth/files/scripts/login_script.sh
new file mode 100755
index 0000000..9b66968
--- /dev/null
+++ b/roles/ands_kitauth/files/scripts/login_script.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# Script to authomatecly create user home directories
+# Shall we consider creating both NFS and local homes? Or shall we just create it on NFS?
+
+LOG=/var/log/login_script
+DATE=`/bin/date +"%b %d %H:%M:%S"`
+
+if [ x${PAM_TYPE} == "xopen_session" ]; then set $(getent passwd $PAM_USER | awk -F ":" '{print $3" "$4" "$5" "$6}')
+ USERUID=$1; USERGID=$2; USERHOME=$4
+
+ echo "[$DATE]: login of $PAM_USER: UID=$USERUID: GID=$USERGID: HOME=$USERHOME: from $PAM_RHOST via $PAM_SERVICE" >> $LOG
+
+ if [ ! -z "${USERHOME}" -a ! -d ${USERHOME} ]; then
+ #if [ ! -d /home/${USERHOME} ]; then
+ echo " Home for user ${USERNAME} does not exist at ${USERHOME} => creating" >> $LOG
+
+ mkdir -p $USERHOME
+ cp -af /etc/skel/.[a-zA-Z]* $USERHOME
+ chown -R $USERUID.$USERGID $USERHOME
+ chmod 701 $USERHOME
+ chmod g+s $USERHOME
+ fi
+fi
+if [ x${PAM_TYPE} == "xclose_session" ]; then
+ echo "[$DATE]: logout of $PAM_USER $USERUID" >> $LOG
+fi
diff --git a/roles/ands_kitauth/files/sssd/kit.conf b/roles/ands_kitauth/files/sssd/kit.conf
new file mode 100644
index 0000000..f4aee29
--- /dev/null
+++ b/roles/ands_kitauth/files/sssd/kit.conf
@@ -0,0 +1,17 @@
+[domain/kit.edu]
+ldap_tls_reqcert = allow
+ldap_id_use_start_tls = true
+cache_credentials = true
+auth_provider = ldap
+chpass_provider = ldap
+id_provider = ldap
+ldap_uri = ldap://bwidm.scc.kit.edu:389/
+ldap_search_base = ou=lsdf-dis,dc=bwlsdf,dc=de
+ldap_default_bind_dn = uid=fileservice-read,ou=admin,ou=lsdf-dis,dc=bwlsdf,dc=de
+ldap_default_authtok_type = password
+ldap_default_authtok = H7fjmJhvr58hjbv411fmjuhb
+ldap_tls_cacertdir = /etc/openldap/certs
+#ldap_user_home_directory = homeDirectory
+override_homedir = /home/%d/%u
+debug_level = 10
+debug_timestamps = true
diff --git a/roles/ands_kitauth/files/sssd/sssd.conf b/roles/ands_kitauth/files/sssd/sssd.conf
new file mode 100644
index 0000000..af34dba
--- /dev/null
+++ b/roles/ands_kitauth/files/sssd/sssd.conf
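Review bot: The `set $(getent passwd $PAM_USER | awk ...)` line word-splits the GECOS field, so for any account whose GECOS contains a space `USERHOME=$4` receives a GECOS word instead of the home path, and the following `mkdir -p`, `chown -R` and `chmod` then run as root (this is a pam_exec hook) against that wrong path. Reading the passwd entry by delimiter avoids the problem: `IFS=: read -r _ _ USERUID USERGID _ USERHOME _ < <(getent passwd "$PAM_USER")`, and every later use of `$USERHOME`, `$LOG` and `$USERUID.$USERGID` should be double-quoted, e.g. `chown -R "$USERUID:$USERGID" -- "$USERHOME"`. `${USERNAME}` in the "does not exist" log line is never assigned in this script; `$PAM_USER` is the variable intended there. `chmod 701` also makes the new home directory traversable by every local user while `chmod g+s` is applied to it; `0700` matches the private-home intent unless group access is deliberately wanted.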
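Review bot: The `ldap_default_authtok` line commits the bind password for `uid=fileservice-read` in clear text, so it is now part of the repository history and should be rotated regardless of what happens to this file; keep it out of the role by templating the value from an Ansible vault variable, or at least switch to `ldap_default_authtok_type = obfuscated_password` with a value written by `sss_obfuscate` (obfuscation only hides it from casual reading, the vault route is the real fix). In the same section `ldap_tls_reqcert = allow` accepts whatever certificate the server presents, which leaves the STARTTLS session (`ldap_id_use_start_tls = true`) and the simple binds carrying this credential and users' passwords (`auth_provider = ldap`) open to interception; since `ldap_tls_cacertdir` is already configured, `ldap_tls_reqcert = demand` is the setting to use. `debug_level = 10` looks like a leftover from testing and will write very verbose output to the domain log on every host that receives this file.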
@@ -0,0 +1,15 @@
+[sssd]
+config_file_version = 2
+services = nss, pam
+domains = kit.edu
+
+[nss]
+filter_groups = root
+filter_users = root
+entry_cache_timeout = 300
+entry_cache_nowait_percentage = 75
+
+[pam]
+offline_credentials_expiration = 2
+offline_failed_login_attempts = 3
+offline_failed_login_delay = 5
-- 
cgit v1.2.3
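Review bot: Both sssd files are added with mode 100644, while sssd checks its configuration files and refuses to start when they are group- or world-readable (the README in this commit also asks for root-owned 0600), so the task that installs `sssd.conf` and the `kit.edu` domain file named on the `domains = kit.edu` line must set `owner: root` and `mode: '0600'` explicitly; that task is outside this diff, so this may already be handled. The permission matters beyond startup here because the domain file carries a bind credential, and a readable install would expose it to every local account.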