install sssd as openldap client on rocky9
2024-07-29
1、sssd 需要 openldap-server 配置 TLS，否则不通。
2、其他相关文件：/etc/nsswitch.conf、/etc/pam.d/password-auth、/etc/sssd/sssd.conf
3、cat 9ldap_client_sssd_idc.sh
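#!/bin/bash
# Configure a Rocky 9 host as an OpenLDAP client through SSSD (nss, pam, sudo).
# Writes /etc/sssd/sssd.conf, /etc/sudo-ldap.conf, /etc/nslcd.conf and
# /etc/openldap/ldap.conf, adjusts nsswitch.conf and sshd_config, then
# (re)starts the services and runs a lookup smoke test. Must run as root.

ldapuri="ldap://idc-ldap.easyliao.net"
ldapbase="dc=easyliao,dc=net"
ldapsudoers="ou=sudoers,dc=easyliao,dc=net"
binddn1="cn=readonly,dc=easyliao,dc=net"
bindpw1="password9"   # TODO: load from a root-only file instead of hard-coding

# Packages: sssd stack, LDAP CLI tools, oddjob for automatic home directories.
# NOTE(review): authconfig has been replaced by authselect on EL9; the
# package may not be installable there — confirm, and prefer the
# commented authselect line below on such hosts.
yum -y install sssd sssd-client sssd-tools
yum -y install openldap-clients authconfig
yum -y install oddjob oddjob-mkhomedir

# Drop any earlier uri/base/sudoers_base settings before rewriting the files.
# A missing file only makes sed print an error; the remaining files are still edited.
ldap_cfgs=(/etc/nslcd.conf /etc/openldap/ldap.conf /etc/sudo-ldap.conf)
for key in uri base URI BASE sudoers_base; do
  sed -i "/^${key}/d" "${ldap_cfgs[@]}"
done

#authselect select sssd with-mkhomedir --force
# --enablemd5 selects MD5 for local shadow hashes, which is weak; the distro
# default is sha512. Kept from the original — drop it unless legacy tooling needs it.
authconfig --enablesssd --enablesssdauth --ldapserver="${ldapuri}" \
  --ldapbasedn="${ldapbase}" --enablemkhomedir --updateall --enablemd5 --enableshadow
#sed -i 's/sss/ldap/g' /etc/pam.d/password-auth
#sed -i 's/sss/ldap/g' /etc/pam.d/system-auth

# sssd.conf holds the bind password and must be 0600 root:root, otherwise
# sssd refuses to start. Connection settings reuse the variables above so
# the four client files stay consistent.
cat > /etc/sssd/sssd.conf << EOF
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = default

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[domain/default]
auth_provider = ldap
id_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_uri = ${ldapuri}
ldap_search_base = ${ldapbase}
sudo_provider = ldap
ldap_sudo_search_base = ${ldapsudoers}
entry_cache_timeout = 600
ldap_network_timeout = 3
# Certificate verification is disabled and StartTLS is off, so the bind
# password below crosses the network in clear text over ldap://. Once the
# server offers TLS, set ldap_tls_cacertdir to the CA, ldap_tls_reqcert=demand
# and ldap_id_use_start_tls=true.
ldap_tls_reqcert=never
#ldap_id_use_start_tls=true
#ldap_tls_cacertdir = /etc/ssl
# debug_level 9 is very verbose and can log sensitive data; lower it after troubleshooting.
debug_level = 9
cache_credentials = True
enumerate = false
#ldap_access_filter = (&(object)(object))
# NOTE(review): this bind DN uses dc=my,dc=net while ldap_search_base uses
# dc=easyliao,dc=net — confirm which suffix the server really serves.
ldap_default_bind_dn = cn=readonly,dc=my,dc=net
ldap_default_authtok_type = password
ldap_default_authtok = ${bindpw1}
[sudo]
EOF
chmod 600 /etc/sssd/sssd.conf

# sudo-ldap.conf and nslcd.conf contain the bind password: keep them root-only.
cat > /etc/sudo-ldap.conf << EOF
uri ${ldapuri}
sudoers_base ${ldapsudoers}
binddn ${binddn1}
bindpw ${bindpw1}
EOF
chmod 600 /etc/sudo-ldap.conf

cat > /etc/nslcd.conf << EOF
uri ${ldapuri}
base ${ldapbase}
binddn ${binddn1}
bindpw ${bindpw1}
EOF
chmod 600 /etc/nslcd.conf

# /etc/openldap/ldap.conf is read by every user's ldapsearch/ldapwhoami and
# therefore stays world-readable. ldap.conf(5) has no bindpw option, so the
# password written here by the original script was never used — only leaked.
cat > /etc/openldap/ldap.conf << EOF
uri ${ldapuri}
base ${ldapbase}
binddn ${binddn1}
EOF

# Resolve sudo rules via sss (backed by ldap_sudo_search_base above).
sed -i '/sudoers/d' /etc/nsswitch.conf
echo 'sudoers: files sss' >>/etc/nsswitch.conf
#sed -i 's/sss/ldap/g' /etc/nsswitch.conf

# LDAP users authenticate with passwords through PAM/sssd, so sshd password
# authentication is switched on; AllowGroups limits who may log in at all.
# This exposes password guessing to the network — restrict source networks
# and keep key-based auth where possible.
sed -i '/AllowGroups/d' /etc/ssh/sshd_config
sed -i 's/^PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config
cat >> /etc/ssh/sshd_config << EOF
AllowGroups root manager
EOF
#################################
systemctl enable --now oddjobd.service
systemctl enable --now sssd.service
systemctl restart sshd.service
systemctl restart sssd.service
systemctl restart oddjobd.service
#systemctl stop nscd.socket nscd.service
#systemctl disable nscd.socket nscd.service

# Smoke test: resolve a known LDAP user through nss, then query LDAP directly.
getent passwd ftq
# The bind password is supplied with -y from a root-only temp file rather
# than -w on the command line, where it is visible in ps output and shell
# history. -ZZ makes the query fail unless StartTLS succeeds.
# NOTE(review): -b/-D use dc=my,dc=net while the variables above use
# dc=easyliao,dc=net — confirm which suffix is correct.
pwfile=$(mktemp) || exit 1
printf '%s' "${bindpw1}" > "${pwfile}"
ldapsearch -x cn=ftq -b dc=my,dc=net -D cn=readonly,dc=my,dc=net -y "${pwfile}" -ZZ
rm -f -- "${pwfile}"
id ftq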