FreeIPA

FreeIPA is an Identity, Policy and Authentication solution. We are currently using it for our internal management networks.

Basically follow this. Also, DNS is super important: get it right before anything else.

On RHEL-based systems, install freeipa-client and you are done. On Debian you don't get hand-holding or an "automated client", so let's dig into some config files.

  1. Install sssd
  2. Copy the configuration file below to /etc/sssd/sssd.conf
    1. Don't forget to s/name.ubnetdef.net/your-hostname.ubnetdef.net/g
  3. chown root:root /etc/sssd/sssd.conf and chmod 0600 /etc/sssd/sssd.conf
  4. Grab the host's keytab and put it in /etc/krb5.keytab
    1. ipa-getkeytab -p host/name.ubnetdef.net -k /tmp/keytab
  5. Append the following line to /etc/pam.d/common-session
    1. session required pam_mkhomedir.so skel=/etc/skel/
  6. GG, you're done.

/etc/sssd/sssd.conf:
[domain/ubnetdef.net]
cache_credentials = True
krb5_store_password_if_offline = True
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
sudo_provider = ldap
# Configure IPA
ipa_domain = ubnetdef.net
ipa_hostname = name.ubnetdef.net
# Configure sudo
ldap_uri = ldaps://master.ubnetdef.net
ldap_sudo_search_base = ou=sudoers,dc=ubnetdef,dc=net
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/name.ubnetdef.net
ldap_sasl_realm = UBNETDEF.NET
krb5_server = master.ubnetdef.net
krb5_realm = UBNETDEF.NET
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ubnetdef.net
[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
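The Debian steps above, scripted so they are repeatable and checkable. This is an added example, not part of the original page: the functions take paths as arguments so they can be exercised against a scratch directory, and they assume GNU coreutils (stat -c) and a POSIX sh.

```sh
#!/bin/sh
# Added example (not from the original page): automates steps 2-5 of the
# Debian procedure. Paths are parameters; /etc is only touched if you pass it.

# Step 2: render the sssd.conf template with the placeholder hostname replaced
# by the client's FQDN, then lock the file down (0600, root:root when root).
render_sssd_conf() {   # $1 = template, $2 = client FQDN, $3 = destination
  sed "s/name\.ubnetdef\.net/$2/g" "$1" > "$3" || return 1
  chmod 0600 "$3" || return 1
  if [ "$(id -u)" -eq 0 ]; then chown root:root "$3"; fi
}

# Sanity check before starting sssd: no placeholder hostname left behind (the
# client would present the wrong host/ principal over GSSAPI), and the file is
# not readable by others, since cache_credentials = True stores hashes in it.
check_sssd_conf() {    # $1 = rendered config
  ! grep -q 'name\.ubnetdef\.net' "$1" || return 1
  [ "$(stat -c '%a' "$1")" = "600" ]
}

# Step 5: append the pam_mkhomedir line exactly once (grep -x = whole line).
ensure_pam_mkhomedir() {   # $1 = pam file, e.g. /etc/pam.d/common-session
  line='session required pam_mkhomedir.so skel=/etc/skel/'
  grep -qxF "$line" "$1" 2>/dev/null || printf '%s\n' "$line" >> "$1"
}

# Step 4: fetch the host keytab with the command from the page and install it
# 0600 root-owned. A no-op where the IPA client tools are not installed.
fetch_keytab() {       # $1 = client FQDN, $2 = destination (/etc/krb5.keytab)
  command -v ipa-getkeytab >/dev/null || return 0
  ipa-getkeytab -p "host/$1" -k /tmp/keytab || return 1
  install -m 0600 -o root -g root /tmp/keytab "$2" && rm -f /tmp/keytab
}
```

Run check_sssd_conf after rendering and fix any failure before starting sssd, since a wrong principal or loose permissions only shows up later as failed logins.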

Settings needed by services that bind to the directory over LDAP (bind user, search bases, search filters). See each service's page for how to finalize its configuration.

  • Bind User: uid=bind,cn=users,cn=accounts,dc=ubnetdef,dc=net
  • Search Base DN: cn=users,cn=accounts,dc=ubnetdef,dc=net
  • User Search Pattern: (&(objectClass=inetorgperson)(uid=#USERNAME#))
  • Group Search Base DN: cn=groups,cn=accounts,dc=ubnetdef,dc=net
  • Group Search Pattern: (&(objectClass=groupofnames)(cn=#GROUPNAME#))

Last modified: 2017/05/03 03:12 by jamesdro