mirror of https://github.com/lldap/lldap.git
Compare commits (3 commits): db7265c792...3417ad3447
| Author | SHA1 | Date |
|---|---|---|
| Bartłomiej Rudecki | 3417ad3447 | |
| Pierre Penninckx | 85b83aff5f | |
| Bartłomiej Rudecki | 9dc6528845 | |
@ -74,6 +74,7 @@ occ ldap:set-config s01 ldapUserDisplayName displayname
|
|||
occ ldap:set-config s01 ldapUserFilterMode 1
|
||||
occ ldap:set-config s01 ldapUuidGroupAttribute auto
|
||||
occ ldap:set-config s01 ldapUuidUserAttribute auto
|
||||
occ ldap:set-config s01 ldapExpertUsernameAttr user_id
|
||||
```
|
||||
With a bit of of luck, you should be able to log in your nextcloud instance with LLDAP accounts in the `nextcloud_users` group.
|
||||
|
||||
|
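Review bot: the added `occ ldap:set-config s01 ldapExpertUsernameAttr user_id` line switches Nextcloud's internal username from the UUID to the `user_id` field, but nothing beside it says why; a one-line comment in the snippet, matching the `### Expert` explanation given for the GUI route ("so that the user ID used by Nextcloud corresponds to the `user_id` field and not the `UUID` field"), would keep the CLI and GUI paths consistent. While the file is being touched, the context line `With a bit of of luck` has a doubled `of`.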
@ -120,6 +121,10 @@ For example:
|
|||
```
|
||||
![groups configuration page](images/nextcloud_groups.png)
|
||||
|
||||
### Expert
|
||||
|
||||
Set `Internal Username` to `user_id`. This is needed to that the user ID used by Nextcloud corresponds to the `user_id` field and not the `UUID` field.
|
||||
|
||||
## Sharing restrictions
|
||||
|
||||
Go to Settings > Administration > Sharing and check following boxes :
|
||||
|
|
|
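Review bot: typo in the added `### Expert` paragraph: "This is needed to that the user ID" should read "This is needed so that the user ID". It would also help to name the equivalent CLI setting (`ldapExpertUsernameAttr user_id` from the `occ` block earlier in this file) so readers following the GUI route can see that the two are the same option.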
@ -0,0 +1,150 @@
|
|||
# SSSD configuration
|
||||
|
||||
> [!WARNING]
|
||||
> Since we need to create custom user attributes, you must run `latest` version of LLDAP - `stable` does not have this functionality yet.
|
||||
|
||||
The following configuration was tested on sssd version 2.9.1. It may not work on older versions.
|
||||
|
||||
To work properly SSSD also needs correct openldap-client configuration.
|
||||
|
||||
## Packages
|
||||
|
||||
Here are the packages needed in Oracle Linux 9:
|
||||
|
||||
`openldap-clients openldap-devel sssd sssd-ldap`
|
||||
|
||||
## Configure OpenLDAP client
|
||||
|
||||
### Certificates - skip if you don't use LDAPS
|
||||
|
||||
1. Place your certs in `/etc/openldap/certs`
|
||||
2. Run `openssl rehash /etc/openldap/certs`
|
||||
|
||||
### Config
|
||||
|
||||
Create or modify `/etc/openldap/ldap.conf`:
|
||||
|
||||
```
|
||||
URI ldaps://LDAP_SERVER_URL # Use ldap:// if you don't use LDAPS
|
||||
BASE dc=example,dc=com
|
||||
TLS_CACERTDIR /etc/openldap/certs # Skip if you don't use LDAPS
|
||||
ssl on # Skip if you don't use LDAPS
|
||||
```
|
||||
|
||||
### Verify
|
||||
|
||||
To check if your config is correct you can use `ldapsearch`:
|
||||
|
||||
```bash
|
||||
ldapsearch -x -D "uid=admin,ou=people,dc=example,dc=com" -w "${ADMIN_PASSWORD}" -b "ou=people,dc=example,dc=com"
|
||||
```
|
||||
|
||||
The above command should return list of your users.
|
||||
|
||||
## Prepare LLDAP
|
||||
|
||||
SSSD requires some specific setup.
|
||||
|
||||
All of your users need `uidnumber` and `gidnumber` - these are not generated by default in LLDAP.
|
||||
|
||||
To create these user attributes you can use either the web GUI or [lldap-cli](https://github.com/Zepmann/lldap-cli), but webp GUI does not support setting them.
|
||||
|
||||
To set these custom user attributes with [lldap-cli](https://github.com/Zepmann/lldap-cli):
|
||||
|
||||
```bash
|
||||
# Login to your LLDAP server
|
||||
eval $(lldap-cli -D admin -w abcd1234 login)
|
||||
|
||||
# Add uidnumber and gidnumber attributes
|
||||
lldap-cli schema attribute user add uidnumber integer
|
||||
lldap-cli schema attribute user add gidnumber integer
|
||||
```
|
||||
|
||||
You must also manually set the above attributes for each user, eg. for user `admin` with `uidnumber` 2000 and `gidnumber` 2000:
|
||||
|
||||
```bash
|
||||
lldap-cli user update set admin uidnumber 2000
|
||||
lldap-cli user update set admin gidnumber 2000
|
||||
```
|
||||
|
||||
> [!WARNING]
|
||||
> To set each user's home directory, use `homeDirectory` attribute. It can be also simply hardcoded in SSSD (as shown below).
|
||||
|
||||
To overwrite user's shell you can use `loginShell` attribute.
|
||||
|
||||
To make groups discoverable by SSSD you need to add `posixGroup` objectClass:
|
||||
|
||||
```bash
|
||||
lldap-cli schema objectclass group add posixGroup
|
||||
```
|
||||
|
||||
## Configure SSSD
|
||||
|
||||
1. Configure System Services for SSSD:
|
||||
|
||||
```bash
|
||||
authselect select sssd
|
||||
```
|
||||
|
||||
2. Create or modify `/etc/sssd/sssd.conf`:
|
||||
|
||||
```bash
|
||||
[domain/default]
|
||||
ldap_uri = ldaps://LDAP_SERVER_URL # Use ldap:// if you don't use LDAPS
|
||||
ldap_default_bind_dn = uid=admin,ou=people,dc=example,dc=com
|
||||
ldap_default_authtok = ADMIN_PASSWORD
|
||||
ldap_search_base = dc=example,dc=com
|
||||
ldap_tls_reqcert = allow # Skip if you don't use LDAPS
|
||||
ldap_tls_cacertdir = /etc/openldap/certs # Skip if you don't use LDAPS
|
||||
ldap_schema = rfc2307bis
|
||||
|
||||
enumerate = true
|
||||
cache_credentials = true
|
||||
|
||||
id_provider = ldap
|
||||
auth_provider = ldap
|
||||
chpass_provider = ldap
|
||||
|
||||
override_homedir = /home/ldapusers # Skip if you use homeDirectory attribute
|
||||
default_shell = /bin/bash
|
||||
|
||||
[sssd]
|
||||
services = nss, pam, ssh, sudo
|
||||
config_file_version = 2
|
||||
|
||||
domains = default
|
||||
```
|
||||
|
||||
Remember to set correct permissions for `sssd.conf`:
|
||||
|
||||
```bash
|
||||
chmod 600 /etc/sssd/sssd.conf
|
||||
```
|
||||
|
||||
3. Start sssd daemon:
|
||||
|
||||
```bash
|
||||
systemctl start sssd
|
||||
```
|
||||
|
||||
### Verify
|
||||
|
||||
To check if SSSD works correctly:
|
||||
|
||||
```bash
|
||||
getent passwd <UID>
|
||||
```
|
||||
|
||||
The above command should return passwd entry for your user.
|
||||
|
||||
# SUDO
|
||||
|
||||
Since LLDAP does not have `sudoRole` objectClass, to allow access to sudo you must use groups and manually modify `sudoers` on each host.
|
||||
|
||||
The group you want to use must have `gidnumber` attribute.
|
||||
|
||||
For example to allow any user in the group with gidNumber 2000 to run any sudo command append the following in the `sudoers` (`visudo`):
|
||||
|
||||
```
|
||||
%#2000 ALL=(ALL:ALL) ALL
|
||||
```
|
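Review bot: `ldap_tls_reqcert = allow` in the `sssd.conf` example weakens TLS: with `allow`, SSSD continues even when the server certificate is missing or fails validation, so the `ldaps://` connection that carries `ldap_default_authtok` is not protected against a spoofed server. The example already points `ldap_tls_cacertdir` at `/etc/openldap/certs` (rehashed in the OpenLDAP client section), so `demand`/`hard` (the default) should work and is the value to document; `allow` belongs at most in a troubleshooting note. Two copy-paste hazards in the same block: sssd.conf does not support trailing comments, so `ldap_uri = ldaps://LDAP_SERVER_URL # Use ldap:// if you don't use LDAPS` is read with the comment as part of the value; move the `# Skip if ...` and `# Use ldap:// ...` remarks to their own lines or into the prose (the same check applies to the `ldap.conf` example, where `ssl on` is also not an OpenLDAP `ldap.conf(5)` keyword and can be dropped). Binding as `uid=admin` with its password stored in the file is more privilege than SSSD needs for lookups; suggest documenting a dedicated read-only bind user and keeping the `chmod 600` step. Minor text fixes: "webp GUI" should be "web GUI", the sentence "you can use either the web GUI or lldap-cli, but web GUI does not support setting them" reads as contradictory (presumably both can create the attributes and only setting per-user values needs lldap-cli, as the following paragraphs imply), and `getent passwd <UID>` would be clearer as `getent passwd <username>` or the numeric `uidnumber` just assigned.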