mirror of https://github.com/lldap/lldap.git
Compare commits
3 Commits
db7265c792
...
3417ad3447
Author | SHA1 | Date |
---|---|---|
Bartłomiej Rudecki | 3417ad3447 | |
Pierre Penninckx | 85b83aff5f | |
Bartłomiej Rudecki | 9dc6528845 |
|
@ -74,6 +74,7 @@ occ ldap:set-config s01 ldapUserDisplayName displayname
|
||||||
occ ldap:set-config s01 ldapUserFilterMode 1
|
occ ldap:set-config s01 ldapUserFilterMode 1
|
||||||
occ ldap:set-config s01 ldapUuidGroupAttribute auto
|
occ ldap:set-config s01 ldapUuidGroupAttribute auto
|
||||||
occ ldap:set-config s01 ldapUuidUserAttribute auto
|
occ ldap:set-config s01 ldapUuidUserAttribute auto
|
||||||
|
occ ldap:set-config s01 ldapExpertUsernameAttr user_id
|
||||||
```
|
```
|
||||||
With a bit of of luck, you should be able to log in your nextcloud instance with LLDAP accounts in the `nextcloud_users` group.
|
With a bit of of luck, you should be able to log in your nextcloud instance with LLDAP accounts in the `nextcloud_users` group.
|
||||||
|
|
||||||
|
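Review bot: `occ ldap:set-config s01 ldapExpertUsernameAttr user_id` changes the internal user ID Nextcloud derives for every LDAP account, so it only works cleanly on a fresh integration; on an instance where LLDAP users have already logged in under the UUID-based ID those accounts will reappear as new users with empty home folders. The page should state that this command has to be run before the first LLDAP login. In passing, the unchanged context line "With a bit of of luck" has a doubled "of".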
@ -120,6 +121,10 @@ For example:
|
||||||
```
|
```
|
||||||
![groups configuration page](images/nextcloud_groups.png)
|
![groups configuration page](images/nextcloud_groups.png)
|
||||||
|
|
||||||
|
### Expert
|
||||||
|
|
||||||
|
Set `Internal Username` to `user_id`. This is needed to that the user ID used by Nextcloud corresponds to the `user_id` field and not the `UUID` field.
|
||||||
|
|
||||||
## Sharing restrictions
|
## Sharing restrictions
|
||||||
|
|
||||||
Go to Settings > Administration > Sharing and check following boxes :
|
Go to Settings > Administration > Sharing and check following boxes :
|
||||||
|
|
|
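Review bot: the new Expert paragraph has a typo, "This is needed to that the user ID used by Nextcloud" should read "so that". As with the `occ` equivalent in the previous hunk, it is worth adding that `Internal Username` must be set to `user_id` before any LLDAP user logs in for the first time, since Nextcloud keys each account on that internal username and a later change creates new accounts instead of renaming existing ones.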
@ -0,0 +1,150 @@
|
||||||
|
# SSSD configuration
|
||||||
|
|
||||||
|
> [!WARNING]
|
||||||
|
> Since we need to create custom user attributes, you must run `latest` version of LLDAP - `stable` does not have this functionality yet.
|
||||||
|
|
||||||
|
The following configuration was tested on sssd version 2.9.1. It may not work on older versions.
|
||||||
|
|
||||||
|
To work properly SSSD also needs correct openldap-client configuration.
|
||||||
|
|
||||||
|
## Packages
|
||||||
|
|
||||||
|
Here are the packages needed in Oracle Linux 9:
|
||||||
|
|
||||||
|
`openldap-clients openldap-devel sssd sssd-ldap`
|
||||||
|
|
||||||
|
## Configure OpenLDAP client
|
||||||
|
|
||||||
|
### Certificates - skip if you don't use LDAPS
|
||||||
|
|
||||||
|
1. Place your certs in `/etc/openldap/certs`
|
||||||
|
2. Run `openssl rehash /etc/openldap/certs`
|
||||||
|
|
||||||
|
### Config
|
||||||
|
|
||||||
|
Create or modify `/etc/openldap/ldap.conf`:
|
||||||
|
|
||||||
|
```
|
||||||
|
URI ldaps://LDAP_SERVER_URL # Use ldap:// if you don't use LDAPS
|
||||||
|
BASE dc=example,dc=com
|
||||||
|
TLS_CACERTDIR /etc/openldap/certs # Skip if you don't use LDAPS
|
||||||
|
ssl on # Skip if you don't use LDAPS
|
||||||
|
```
|
||||||
|
|
||||||
|
### Verify
|
||||||
|
|
||||||
|
To check if your config is correct you can use `ldapsearch`:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ldapsearch -x -D "uid=admin,ou=people,dc=example,dc=com" -w "${ADMIN_PASSWORD}" -b "ou=people,dc=example,dc=com"
|
||||||
|
```
|
||||||
|
|
||||||
|
The above command should return list of your users.
|
||||||
|
|
||||||
|
## Prepare LLDAP
|
||||||
|
|
||||||
|
SSSD requires some specific setup.
|
||||||
|
|
||||||
|
All of your users need `uidnumber` and `gidnumber` - these are not generated by default in LLDAP.
|
||||||
|
|
||||||
|
To create these user attributes you can use either the web GUI or [lldap-cli](https://github.com/Zepmann/lldap-cli), but webp GUI does not support setting them.
|
||||||
|
|
||||||
|
To set these custom user attributes with [lldap-cli](https://github.com/Zepmann/lldap-cli):
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Login to your LLDAP server
|
||||||
|
eval $(lldap-cli -D admin -w abcd1234 login)
|
||||||
|
|
||||||
|
# Add uidnumber and gidnumber attributes
|
||||||
|
lldap-cli schema attribute user add uidnumber integer
|
||||||
|
lldap-cli schema attribute user add gidnumber integer
|
||||||
|
```
|
||||||
|
|
||||||
|
You must also manually set the above attributes for each user, eg. for user `admin` with `uidnumber` 2000 and `gidnumber` 2000:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
lldap-cli user update set admin uidnumber 2000
|
||||||
|
lldap-cli user update set admin gidnumber 2000
|
||||||
|
```
|
||||||
|
|
||||||
|
> [!WARNING]
|
||||||
|
> To set each user's home directory, use `homeDirectory` attribute. It can be also simply hardcoded in SSSD (as shown below).
|
||||||
|
|
||||||
|
To overwrite user's shell you can use `loginShell` attribute.
|
||||||
|
|
||||||
|
To make groups discoverable by SSSD you need to add `posixGroup` objectClass:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
lldap-cli schema objectclass group add posixGroup
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configure SSSD
|
||||||
|
|
||||||
|
1. Configure System Services for SSSD:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
authselect select sssd
|
||||||
|
```
|
||||||
|
|
||||||
|
2. Create or modify `/etc/sssd/sssd.conf`:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
[domain/default]
|
||||||
|
ldap_uri = ldaps://LDAP_SERVER_URL # Use ldap:// if you don't use LDAPS
|
||||||
|
ldap_default_bind_dn = uid=admin,ou=people,dc=example,dc=com
|
||||||
|
ldap_default_authtok = ADMIN_PASSWORD
|
||||||
|
ldap_search_base = dc=example,dc=com
|
||||||
|
ldap_tls_reqcert = allow # Skip if you don't use LDAPS
|
||||||
|
ldap_tls_cacertdir = /etc/openldap/certs # Skip if you don't use LDAPS
|
||||||
|
ldap_schema = rfc2307bis
|
||||||
|
|
||||||
|
enumerate = true
|
||||||
|
cache_credentials = true
|
||||||
|
|
||||||
|
id_provider = ldap
|
||||||
|
auth_provider = ldap
|
||||||
|
chpass_provider = ldap
|
||||||
|
|
||||||
|
override_homedir = /home/ldapusers # Skip if you use homeDirectory attribute
|
||||||
|
default_shell = /bin/bash
|
||||||
|
|
||||||
|
[sssd]
|
||||||
|
services = nss, pam, ssh, sudo
|
||||||
|
config_file_version = 2
|
||||||
|
|
||||||
|
domains = default
|
||||||
|
```
|
||||||
|
|
||||||
|
Remember to set correct permissions for `sssd.conf`:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
chmod 600 /etc/sssd/sssd.conf
|
||||||
|
```
|
||||||
|
|
||||||
|
3. Start sssd daemon:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
systemctl start sssd
|
||||||
|
```
|
||||||
|
|
||||||
|
### Verify
|
||||||
|
|
||||||
|
To check if SSSD works correctly:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
getent passwd <UID>
|
||||||
|
```
|
||||||
|
|
||||||
|
The above command should return passwd entry for your user.
|
||||||
|
|
||||||
|
# SUDO
|
||||||
|
|
||||||
|
Since LLDAP does not have `sudoRole` objectClass, to allow access to sudo you must use groups and manually modify `sudoers` on each host.
|
||||||
|
|
||||||
|
The group you want to use must have `gidnumber` attribute.
|
||||||
|
|
||||||
|
For example to allow any user in the group with gidNumber 2000 to run any sudo command append the following in the `sudoers` (`visudo`):
|
||||||
|
|
||||||
|
```
|
||||||
|
%#2000 ALL=(ALL:ALL) ALL
|
||||||
|
```
|
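Review bot: `ldap_tls_reqcert = allow` in the sssd.conf example undermines the LDAPS setup the rest of the file goes to some trouble to configure: with `allow`, SSSD proceeds even when the server certificate is missing or fails verification and still sends the bind password, so anyone on the network path can present an arbitrary certificate and capture `ldap_default_authtok` plus every user password SSSD forwards for authentication. Since the CA is already installed under `/etc/openldap/certs` and `openssl rehash` has been run, `demand` (the SSSD default) should work; drop the line or set `ldap_tls_reqcert = demand`. Further points in the same hunk: (1) binding SSSD as `uid=admin,ou=people,dc=example,dc=com` stores the LLDAP admin password in clear text on every host that joins; a dedicated bind account that can only read users and groups limits the damage if one host is compromised, and `chmod 600 /etc/sssd/sssd.conf` should be paired with `chown root:root`, because sssd refuses to start when the file's ownership check fails. (2) Trailing `# ...` comments on directive lines are not documented in ldap.conf(5) or sssd.conf(5), which only describe whole-line comments; for `URI ldaps://LDAP_SERVER_URL # Use ldap:// if you don't use LDAPS` the rest of the line is parsed as part of the URI list, so move the comments onto their own lines. (3) `ssl on` is not a directive OpenLDAP's ldap.conf knows (it comes from the old nss_ldap/pam_ldap ldap.conf); the `ldaps://` scheme in `URI` already selects TLS, so remove it. (4) The SUDO section says the group "must have `gidnumber` attribute" and the earlier text says groups need `posixGroup`, but the hunk only shows `lldap-cli schema objectclass group add posixGroup`; the step that adds a `gidnumber` attribute to the group schema and sets it on the group is missing, and each user's `gidnumber` also needs a matching group or `id` cannot resolve the primary group. (5) Minor: "you can use either the web GUI or lldap-cli, but webp GUI does not support setting them" contradicts itself and has a typo; the `homeDirectory` note is tagged `[!WARNING]` though it is purely informational; `systemctl start sssd` should be `systemctl enable --now sssd` so the service survives a reboot; and `services = nss, pam, ssh, sudo` lists the sudo responder even though the SUDO section states no `sudoRole` objects exist, so `sudo` can be dropped from that list.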