FreeIPA
FreeIPA is an Identity Policy and Authentication solution. We are currently using this for our internal management networks.
Server
Basically, follow this. Also, working DNS (forward and reverse records for the server and every client) is super important.
As a note, you should install libsss_sudo on the server. Otherwise you might get this error when running sudo on it:
sudo: unable to load /usr/lib64/libsss_sudo.so: /usr/lib64/libsss_sudo.so: cannot open shared object file: No such file or directory sudo: unable to initialize SSS source. Is SSSD installed on your machine?
Client
On RHEL-based distributions, install freeipa-client. Super easy. However, if you're on debian-master-race, you don't need hand holding and an "automated client". Let's dig into some config files.
Debian Installation
- Install sssd.
- Copy the configuration file (shown at the end of this section) to /etc/sssd/sssd.conf.
- Don't forget to s/name.ubnetdef.net/your-hostname.ubnetdef.net/g, then chown root:root /etc/sssd/sssd.conf and chmod 0600 /etc/sssd/sssd.conf.
- Grab your krb5.keytab (the command below writes it to /tmp/keytab) and put it at /etc/krb5.keytab: ipa-getkeytab -p host/name.ubnetdef.net -k /tmp/keytab
- Append the following line to /etc/pam.d/common-session: session required pam_mkhomedir.so skel=/etc/skel/
- GG, you're done.
/etc/sssd/sssd.conf:

```ini
[domain/ubnetdef.net]
cache_credentials = True
krb5_store_password_if_offline = True
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
sudo_provider = ldap

# Configure IPA
ipa_domain = ubnetdef.net
ipa_hostname = name.ubnetdef.net

# Configure sudo
ldap_uri = ldaps://master.ubnetdef.net
ldap_sudo_search_base = ou=sudoers,dc=ubnetdef,dc=net
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/name.ubnetdef.net
ldap_sasl_realm = UBNETDEF.NET
krb5_server = master.ubnetdef.net
krb5_realm = UBNETDEF.NET

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ubnetdef.net
```
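As an added example (not code from this wiki), the script below does the hostname substitution step for the sssd.conf above and then checks the settings you would not want loosened on a client: the ipa providers, ldaps:// for the sudo rule lookups, and a GSSAPI bind with the host keytab rather than a stored password. The client hostname passed in is assumed to be a FQDN under ubnetdef.net.

```python
# Added example (not from the page): render the page's sssd.conf for a client host and check it.
import configparser

TEMPLATE_HOST = "name.ubnetdef.net"  # placeholder hostname used on the page
SSSD_TEMPLATE = """\
[domain/ubnetdef.net]
cache_credentials = True
krb5_store_password_if_offline = True
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
sudo_provider = ldap
ipa_domain = ubnetdef.net
ipa_hostname = name.ubnetdef.net
ldap_uri = ldaps://master.ubnetdef.net
ldap_sudo_search_base = ou=sudoers,dc=ubnetdef,dc=net
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/name.ubnetdef.net
ldap_sasl_realm = UBNETDEF.NET
krb5_server = master.ubnetdef.net
krb5_realm = UBNETDEF.NET

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ubnetdef.net
"""

def render_sssd_conf(hostname: str) -> str:
    """The page's s/name.ubnetdef.net/<hostname>/g step; hostname must be the client's FQDN."""
    if not hostname.endswith(".ubnetdef.net"):
        raise ValueError("hostname must be the client's FQDN under ubnetdef.net")
    return SSSD_TEMPLATE.replace(TEMPLATE_HOST, hostname)

def check_sssd_conf(text: str) -> list:
    """Return findings where the config is weaker than the page's; [] means it passes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for sect in (s for s in cp.sections() if s.startswith("domain/")):
        d = cp[sect]
        findings += [f"{sect}: {k} is not ipa" for k in
                     ("id_provider", "auth_provider", "access_provider") if d.get(k) != "ipa"]
        if d.get("sudo_provider") == "ldap":  # sudo rules are fetched straight from LDAP
            if not d.get("ldap_uri", "").startswith("ldaps://"):
                findings.append(f"{sect}: ldap_uri should use ldaps://")
            if d.get("ldap_sasl_mech") != "GSSAPI":
                findings.append(f"{sect}: ldap_sasl_mech should be GSSAPI (host keytab bind)")
    return findings
```

Run check_sssd_conf on the rendered text before writing it to /etc/sssd/sssd.conf; an empty list means the client matches the page's settings.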
LDAP Integrations
Include the specific settings (search bases, bind user, etc.) and link to each service's page for how to finalize the configuration.
General
- Bind User: uid=bind,cn=users,cn=accounts,dc=ubnetdef,dc=net
- Search Base DN: cn=users,cn=accounts,dc=ubnetdef,dc=net
- User Search Pattern: (&(objectClass=inetorgperson)(uid=#USERNAME#))
- Group Search Base DN: cn=groups,cn=accounts,dc=ubnetdef,dc=net
- Group Search Pattern: (&(objectClass=groupofnames)(cn=#GROUPNAME#))