Compare commits

...

3 Commits

| Author | SHA1 | Message | Date |
|---|---|---|---|
| Bartłomiej Rudecki | 3417ad3447 | Merge 9dc6528845 into 85b83aff5f | 2024-05-02 20:49:23 +02:00 |
| Pierre Penninckx | 85b83aff5f | example_configs: add user_id mapping for nextcloud<br>This allows both LDAP and SSO backends to have consistent usernames | 2024-05-02 09:19:33 +02:00 |
| Bartłomiej Rudecki | 9dc6528845 | Initial SSSD example | 2024-04-23 23:01:05 +02:00 |
2 changed files with 155 additions and 0 deletions


@ -74,6 +74,7 @@ occ ldap:set-config s01 ldapUserDisplayName displayname
occ ldap:set-config s01 ldapUserFilterMode 1
occ ldap:set-config s01 ldapUuidGroupAttribute auto
occ ldap:set-config s01 ldapUuidUserAttribute auto
occ ldap:set-config s01 ldapExpertUsernameAttr user_id
```
With a bit of of luck, you should be able to log in your nextcloud instance with LLDAP accounts in the `nextcloud_users` group.
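Review bot: the new `occ ldap:set-config s01 ldapExpertUsernameAttr user_id` line changes how Nextcloud derives its internal usernames, so the text around it should say that it has to be applied before any LDAP user logs in for the first time. Nextcloud records the LDAP-to-internal-username mapping on first login; switching the attribute on an instance that already has LDAP users produces a second, empty account per user while files and shares stay attached to the old UUID-derived one. Suggest a sentence to that effect right after the occ block, plus a pointer to the "Expert" subsection added further down so that the occ path and the UI path stay in sync. While here, the unchanged context line "With a bit of of luck" has a doubled "of".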
@ -120,6 +121,10 @@ For example:
```
![groups configuration page](images/nextcloud_groups.png)
### Expert
Set `Internal Username` to `user_id`. This is needed to that the user ID used by Nextcloud corresponds to the `user_id` field and not the `UUID` field.
## Sharing restrictions
Go to Settings > Administration > Sharing and check following boxes :
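Review bot: typo in the new "Expert" paragraph: "This is needed to that the user ID used by Nextcloud corresponds to the `user_id` field" should read "so that the user ID". It would also help to state that this UI setting is the same thing as the `ldapExpertUsernameAttr user_id` occ command earlier in the file, so readers who followed the occ route know they can skip this step rather than wonder whether both are required.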

example_configs/sssd.md Normal file

@ -0,0 +1,150 @@
# SSSD configuration
> [!WARNING]
> Since we need to create custom user attributes, you must run `latest` version of LLDAP - `stable` does not have this functionality yet.
The following configuration was tested on sssd version 2.9.1. It may not work on older versions.
To work properly SSSD also needs correct openldap-client configuration.
## Packages
Here are the packages needed in Oracle Linux 9:
`openldap-clients openldap-devel sssd sssd-ldap`
## Configure OpenLDAP client
### Certificates - skip if you don't use LDAPS
1. Place your certs in `/etc/openldap/certs`
2. Run `openssl rehash /etc/openldap/certs`
### Config
Create or modify `/etc/openldap/ldap.conf`:
```
URI ldaps://LDAP_SERVER_URL # Use ldap:// if you don't use LDAPS
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/certs # Skip if you don't use LDAPS
ssl on # Skip if you don't use LDAPS
```
### Verify
To check if your config is correct you can use `ldapsearch`:
```bash
ldapsearch -x -D "uid=admin,ou=people,dc=example,dc=com" -w "${ADMIN_PASSWORD}" -b "ou=people,dc=example,dc=com"
```
The above command should return list of your users.
## Prepare LLDAP
SSSD requires some specific setup.
All of your users need `uidnumber` and `gidnumber` - these are not generated by default in LLDAP.
To create these user attributes you can use either the web GUI or [lldap-cli](https://github.com/Zepmann/lldap-cli), but webp GUI does not support setting them.
To set these custom user attributes with [lldap-cli](https://github.com/Zepmann/lldap-cli):
```bash
# Login to your LLDAP server
eval $(lldap-cli -D admin -w abcd1234 login)
# Add uidnumber and gidnumber attributes
lldap-cli schema attribute user add uidnumber integer
lldap-cli schema attribute user add gidnumber integer
```
You must also manually set the above attributes for each user, eg. for user `admin` with `uidnumber` 2000 and `gidnumber` 2000:
```bash
lldap-cli user update set admin uidnumber 2000
lldap-cli user update set admin gidnumber 2000
```
> [!WARNING]
> To set each user's home directory, use `homeDirectory` attribute. It can be also simply hardcoded in SSSD (as shown below).
To overwrite user's shell you can use `loginShell` attribute.
To make groups discoverable by SSSD you need to add `posixGroup` objectClass:
```bash
lldap-cli schema objectclass group add posixGroup
```
## Configure SSSD
1. Configure System Services for SSSD:
```bash
authselect select sssd
```
2. Create or modify `/etc/sssd/sssd.conf`:
```bash
[domain/default]
ldap_uri = ldaps://LDAP_SERVER_URL # Use ldap:// if you don't use LDAPS
ldap_default_bind_dn = uid=admin,ou=people,dc=example,dc=com
ldap_default_authtok = ADMIN_PASSWORD
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = allow # Skip if you don't use LDAPS
ldap_tls_cacertdir = /etc/openldap/certs # Skip if you don't use LDAPS
ldap_schema = rfc2307bis
enumerate = true
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
override_homedir = /home/ldapusers # Skip if you use homeDirectory attribute
default_shell = /bin/bash
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = default
```
Remember to set correct permissions for `sssd.conf`:
```bash
chmod 600 /etc/sssd/sssd.conf
```
3. Start sssd daemon:
```bash
systemctl start sssd
```
### Verify
To check if SSSD works correctly:
```bash
getent passwd <UID>
```
The above command should return passwd entry for your user.
# SUDO
Since LLDAP does not have `sudoRole` objectClass, to allow access to sudo you must use groups and manually modify `sudoers` on each host.
The group you want to use must have `gidnumber` attribute.
For example to allow any user in the group with gidNumber 2000 to run any sudo command append the following in the `sudoers` (`visudo`):
```
%#2000 ALL=(ALL:ALL) ALL
```
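Review bot: `ldap_tls_reqcert = allow` in the sample `sssd.conf` tells SSSD to continue even when the server certificate fails validation, which removes the protection LDAPS is meant to give the bind password on the wire; since `ldap_tls_cacertdir = /etc/openldap/certs` already points at the rehashed CA directory, the line should be dropped so the default `demand` applies, or at least be labelled as a debugging-only setting. Related, `ldap_default_bind_dn = uid=admin,ou=people,dc=example,dc=com` with `ldap_default_authtok = ADMIN_PASSWORD` puts the LLDAP administrator password in plaintext on every enrolled host; recommend a dedicated read-only bind user for SSSD and adding `chown root:root` beside the `chmod 600`. In the `ldap.conf` block, `ssl on` is not an OpenLDAP `ldap.conf(5)` keyword (TLS is selected by the `ldaps://` URI), so it should be removed rather than marked "skip if you don't use LDAPS". The sentence "you can use either the web GUI or lldap-cli, but webp GUI does not support setting them" contradicts itself and has a typo; if the intent is that attributes can be created in either place but per-user values only via lldap-cli, say that directly. Minor: "To work properly SSSD also needs correct openldap-client configuration" needs a comma after "properly"; `# SUDO` is a top-level heading while every other section is `##`; and the second `[!WARNING]` block (about `homeDirectory`) is informational, so `[!NOTE]` fits better.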