authorSuren A. Chilingaryan <csa@suren.me>2019-10-11 06:25:21 +0200
committerSuren A. Chilingaryan <csa@suren.me>2019-10-11 06:25:21 +0200
commitb23e9400c36acf9856606165489e8828c2cf8dd5 (patch)
tree581468996aa8202b9121c8031ee50bf60984a816 /roles/ands_kitauth
parentb17d3d74eb5a9e7640d94f98f6b27ce4891b3c26 (diff)
ipa-client and fine tuning
Diffstat (limited to 'roles/ands_kitauth')
-rw-r--r--roles/ands_kitauth/README20
-rwxr-xr-xroles/ands_kitauth/files/scripts/login_script.sh26
-rw-r--r--roles/ands_kitauth/files/sssd/kit.conf17
-rw-r--r--roles/ands_kitauth/files/sssd/sssd.conf15
4 files changed, 78 insertions, 0 deletions
diff --git a/roles/ands_kitauth/README b/roles/ands_kitauth/README
new file mode 100644
index 0000000..d2e820b
--- /dev/null
+++ b/roles/ands_kitauth/README
@@ -0,0 +1,20 @@
+Tasks
+=====
+ - required packages: ssd-ldap
+ * nice tool to manage stuff is realmd (but it only can be used by Activer directory admins, so not for KIT)
+
+ - prepare space for home directories
+ * /home/kit.edu should be created (and optionally mounted to NFS)
+
+ - Automate home creation
+ * Either run
+ authconfig --enablemkhomedir --update
+ * Or copy script and add in the end of /etc/pam/sshd
+ session optional pam_exec.so /usr/local/bin/login_script.sh
+
+
+Considerations
+==============
+ - sssd files should belong to root and has 0600 access.
+
+
diff --git a/roles/ands_kitauth/files/scripts/login_script.sh b/roles/ands_kitauth/files/scripts/login_script.sh
new file mode 100755
index 0000000..9b66968
--- /dev/null
+++ b/roles/ands_kitauth/files/scripts/login_script.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# Script to authomatecly create user home directories
+# Shall we consider creating both NFS and local homes? Or shall we just create it on NFS?
+
+LOG=/var/log/login_script
+DATE=`/bin/date +"%b %d %H:%M:%S"`
+
+if [ x${PAM_TYPE} == "xopen_session" ]; then set $(getent passwd $PAM_USER | awk -F ":" '{print $3" "$4" "$5" "$6}')
+ USERUID=$1; USERGID=$2; USERHOME=$4
+
+ echo "[$DATE]: login of $PAM_USER: UID=$USERUID: GID=$USERGID: HOME=$USERHOME: from $PAM_RHOST via $PAM_SERVICE" >> $LOG
+
+ if [ ! -z "${USERHOME}" -a ! -d ${USERHOME} ]; then
+ #if [ ! -d /home/${USERHOME} ]; then
+ echo " Home for user ${USERNAME} does not exist at ${USERHOME} => creating" >> $LOG
+
+ mkdir -p $USERHOME
+ cp -af /etc/skel/.[a-zA-Z]* $USERHOME
+ chown -R $USERUID.$USERGID $USERHOME
+ chmod 701 $USERHOME
+ chmod g+s $USERHOME
+ fi
+fi
+if [ x${PAM_TYPE} == "xclose_session" ]; then
+ echo "[$DATE]: logout of $PAM_USER $USERUID" >> $LOG
+fi
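Review bot: The `set $(getent passwd $PAM_USER | awk ...)` on the `open_session` line word-splits the GECOS field, so an account whose GECOS contains a space shifts the positional parameters and `USERHOME=$4` picks up part of the name instead of the home path, after which `mkdir -p $USERHOME` creates a relative directory in root's working directory. Reading the fields directly avoids this: `IFS=: read -r _ _ USERUID USERGID _ USERHOME _ < <(getent passwd -- "$PAM_USER")`, and the later `$USERHOME` uses (`-d`, `mkdir`, `cp`, `chown`, `chmod`) should be double-quoted for the same reason. The log line inside the inner `if` references `${USERNAME}`, which is never set anywhere in the script — it should be `${PAM_USER}`. Since this runs as root from PAM, the `chown -R` should also use `$USERUID:$USERGID` rather than the deprecated dotted separator, and the `close_session` log line prints `$USERUID` which is unset on that path.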
diff --git a/roles/ands_kitauth/files/sssd/kit.conf b/roles/ands_kitauth/files/sssd/kit.conf
new file mode 100644
index 0000000..f4aee29
--- /dev/null
+++ b/roles/ands_kitauth/files/sssd/kit.conf
@@ -0,0 +1,17 @@
+[domain/kit.edu]
+ldap_tls_reqcert = allow
+ldap_id_use_start_tls = true
+cache_credentials = true
+auth_provider = ldap
+chpass_provider = ldap
+id_provider = ldap
+ldap_uri = ldap://bwidm.scc.kit.edu:389/
+ldap_search_base = ou=lsdf-dis,dc=bwlsdf,dc=de
+ldap_default_bind_dn = uid=fileservice-read,ou=admin,ou=lsdf-dis,dc=bwlsdf,dc=de
+ldap_default_authtok_type = password
+ldap_default_authtok = H7fjmJhvr58hjbv411fmjuhb
+ldap_tls_cacertdir = /etc/openldap/certs
+#ldap_user_home_directory = homeDirectory
+override_homedir = /home/%d/%u
+debug_level = 10
+debug_timestamps = true
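Review bot: `ldap_default_authtok` on the bind line is a plaintext LDAP bind password committed to the repository, so it is now part of git history and should be treated as exposed and rotated; the value belongs in an Ansible Vault variable rendered into the file at deploy time, with the committed copy holding a placeholder such as `ldap_default_authtok = {{ kit_ldap_bind_password }}`. `ldap_tls_reqcert = allow` tells sssd to proceed even when the server presents a certificate that fails validation, which leaves the STARTTLS session to `ldap://bwidm.scc.kit.edu:389/` open to interception of the bind credential and, with `auth_provider = ldap`, of user password authentication — since a CA path is already configured via `ldap_tls_cacertdir`, this should be `ldap_tls_reqcert = demand`. `debug_level = 10` is the most verbose setting and presumably a leftover from bring-up; it should be lowered before this reaches production hosts. The diffstat shows the file stored as 0644, so the task that installs it (outside this diff) must set the root-owned 0600 mode the README calls for.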
diff --git a/roles/ands_kitauth/files/sssd/sssd.conf b/roles/ands_kitauth/files/sssd/sssd.conf
new file mode 100644
index 0000000..af34dba
--- /dev/null
+++ b/roles/ands_kitauth/files/sssd/sssd.conf
@@ -0,0 +1,15 @@
+[sssd]
+config_file_version = 2
+services = nss, pam
+domains = kit.edu
+
+[nss]
+filter_groups = root
+filter_users = root
+entry_cache_timeout = 300
+entry_cache_nowait_percentage = 75
+
+[pam]
+offline_credentials_expiration = 2
+offline_failed_login_attempts = 3
+offline_failed_login_delay = 5