RockyLinux 8: Difference between revisions
Created page with "=== authselect === <nowiki>#</nowiki> mkhomedir module dnf install oddjob systemctl enable oddjobd.service systemctl start oddjobd.service <nowiki>#</nowiki> replace lda..." |
// Edit via Wikitext Extension for VSCode |
Line 1: | Line 1: | ||
== | == About == | ||
Rocky Linux is a community enterprise Operating System designed to be 100% bug-for-bug compatible with Enterprise Linux, now that CentOS has shifted direction. | |||
The official website: https://rockylinux.org/ | |||
===authselect=== | |||
<syntaxhighlight lang="bash"> | |||
systemctl | dnf install -y openldap-clients sssd sssd-ldap oddjob-mkhomedir openssl-perl | ||
systemctl enable --now oddjobd.service | |||
# replace ldap_tls_cacertdir with ldap_tls_cacert in /etc/sssd/conf.d/sssd.conf | |||
#ldap_tls_cacertdir = /etc/openldap/cacerts | |||
ldap_tls_cacert = /etc/openldap/cacerts/caname.crt | ldap_tls_cacert = /etc/openldap/cacerts/caname.crt | ||
# chmod | |||
chmod 0600 /etc/openldap/cacerts/caname.crt | chmod 0600 /etc/openldap/cacerts/caname.crt | ||
chmod 0600 /etc/sssd/conf.d/sssd.conf | chmod 0600 /etc/sssd/conf.d/sssd.conf | ||
systemctl enable autofs | dnf install -y autofs nfs-utils | ||
systemctl enable --now autofs | |||
systemctl enable --now sssd | |||
# grep -Ev "^$|^\s*#" /etc/idmapd.conf | |||
[General] | |||
Domain = DOMAIN.TLD | |||
[Mapping] | |||
Nobody-User = nobody | |||
Nobody-Group = nobody | |||
[Translation] | |||
[Static] | |||
[UMICH_SCHEMA] | |||
LDAP_server = LDAP.DOMAIN.TLD | |||
LDAP_base = dc=DOMAIN,dc=TLD | |||
authselect current | |||
authselect select sssd with-mkhomedir with-sudo --force | |||
#apply changes | |||
authselect apply-changes | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="text"> | |||
[domain/default] | |||
id_provider = ldap | |||
autofs_provider = ldap | |||
auth_provider = ldap | |||
chpass_provider = ldap | |||
ldap_uri = ldaps://DS.DOMAIN.TLD | |||
ldap_chpass_uri = ldaps://DS.DOMAIN.TLD | |||
ldap_schema = rfc2307bis | |||
ldap_group_member = uniqueMember | |||
ldap_search_base = dc=DOMAIN,dc=TLD | |||
ldap_id_use_start_tls = False | |||
ldap_tls_cacert = /etc/openldap/cacert.pem | |||
cache_credentials = True | |||
#ldap_tls_reqcert = never | |||
entry_cache_timeout = 600 | |||
ldap_network_timeout = 3 | |||
ldap_connection_expire_timeout = 60 | |||
debug_level = 9 | |||
ldap_autofs_map_object_class = nisMap | |||
ldap_autofs_map_name = nisMapName | |||
ldap_autofs_entry_object_class = nisObject | |||
ldap_autofs_entry_key = cn | |||
ldap_autofs_entry_value = nisMapEntry | |||
ldap_autofs_search_base = ou=service,dc=DOMAIN,dc=TLD | |||
ldap_default_bind_dn = uid=ds_bind,ou=service,dc=DOMAIN,dc=TLD | |||
ldap_default_authtok_type = password | |||
ldap_default_authtok = YOUR_PASSWORD | |||
[ | [sssd] | ||
config_file_version = 2 | |||
services = nss,pam,autofs | |||
domains = default | |||
[ | [nss] | ||
homedir_substring = /home | |||
debug_level = 5 | |||
filter_groups = root | |||
filter_users = root | |||
[pam] | |||
pam_account_locked_message = Account locked, please contact IT Team. | |||
pam_verbosity = 2 | |||
pam_pwd_expiration_warning = 5 | |||
[sudo] | |||
[autofs] | |||
debug_level = 5 | |||
[ssh] | |||
</syntaxhighlight> | |||
[[Category:OS]] | [[Category:OS]] |
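Review bot: The sssd.conf listing on the new side sets `ldap_tls_cacert = /etc/openldap/cacert.pem`, while the command block above tells the reader to set `ldap_tls_cacert = /etc/openldap/cacerts/caname.crt` and chmods that exact file; one of the two paths is presumably wrong, and sssd cannot verify the server certificate (so every ldaps:// bind fails) when the configured CA file does not exist. The listing also leaves `debug_level = 9` in `[domain/default]`, the most verbose level, which fills the domain log under /var/log/sssd with request details; a comment such as `# debug_level = 9 is for troubleshooting only; lower it once lookups work` would help readers. It is also worth stating above `#ldap_tls_reqcert = never` that the line must stay commented, because `never` disables server-certificate verification and removes the protection the ldaps:// URIs are meant to give.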
Latest revision as of 02:38, 19 March 2022
About
Rocky Linux is a community enterprise operating system designed to be 100% bug-for-bug compatible with Enterprise Linux, now that CentOS has shifted direction.
The official website: https://rockylinux.org/
authselect
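# Packages: LDAP client tools, sssd with its LDAP backend, and the oddjob
# helper that creates home directories on first login (mkhomedir).
dnf install -y openldap-clients sssd sssd-ldap oddjob-mkhomedir openssl-perl
# oddjobd must be running for pam_oddjob_mkhomedir to create home directories.
systemctl enable --now oddjobd.service

# The following lines are a configuration excerpt, not shell commands
# (pasting them into a shell as-is only yields "command not found").
# In /etc/sssd/conf.d/sssd.conf replace ldap_tls_cacertdir with a single
# CA file that sssd uses to verify the LDAP server certificate:
#   #ldap_tls_cacertdir = /etc/openldap/cacerts
#   ldap_tls_cacert = /etc/openldap/cacerts/caname.crt

# Restrict the CA file and the sssd configuration to root; sssd.conf holds
# the bind DN password (ldap_default_authtok), so it must not be readable
# by other users.
chmod 0600 /etc/openldap/cacerts/caname.crt
chmod 0600 /etc/sssd/conf.d/sssd.conf

# autofs with NFS client tools; presumably home directories are automounted
# from maps that sssd serves (see autofs_provider in sssd.conf).
dnf install -y autofs nfs-utils
systemctl enable --now autofs
systemctl enable --now sssd

# Expected content of /etc/idmapd.conf (NFSv4 ID mapping), as printed by
#   grep -Ev "^$|^\s*#" /etc/idmapd.conf
# Again a configuration excerpt, not commands:
#   [General]
#   Domain = DOMAIN.TLD
#   [Mapping]
#   Nobody-User = nobody
#   Nobody-Group = nobody
#   [Translation]
#   [Static]
#   [UMICH_SCHEMA]
#   LDAP_server = LDAP.DOMAIN.TLD
#   LDAP_base = dc=DOMAIN,dc=TLD

# Show the active authselect profile, then switch to the sssd profile with
# home-directory creation and sssd-backed sudo rules; --force overwrites
# PAM/nsswitch files that do not match a known profile (e.g. hand edits).
authselect current
authselect select sssd with-mkhomedir with-sudo --force
# Regenerate the configuration files for the selected profile.
authselect apply-changes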
# sssd.conf — read by sssd; '#' lines are comments. DOMAIN.TLD,
# DS.DOMAIN.TLD and YOUR_PASSWORD are placeholders for the real site values.
# Key order inside a section is not significant to sssd; keys are grouped
# here by purpose.

[domain/default]
# identity, authentication, password-change and autofs-map lookups all use
# the same LDAP directory
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
autofs_provider = ldap

# directory server connection; ldaps:// negotiates TLS before any data is
# sent, so StartTLS is left off — set it to True if a plain ldap:// URI is
# ever used
ldap_uri = ldaps://DS.DOMAIN.TLD
ldap_chpass_uri = ldaps://DS.DOMAIN.TLD
ldap_id_use_start_tls = False
# CA file used to verify the server certificate.
# NOTE(review): the install steps on this page place the CA at
# /etc/openldap/cacerts/caname.crt — confirm which path is the right one.
ldap_tls_cacert = /etc/openldap/cacert.pem
# keep the next line commented: "never" disables server certificate
# verification and removes the server authentication ldaps:// provides
#ldap_tls_reqcert = never
# seconds
ldap_network_timeout = 3
# seconds
ldap_connection_expire_timeout = 60

# schema and search scope
ldap_schema = rfc2307bis
ldap_group_member = uniqueMember
ldap_search_base = dc=DOMAIN,dc=TLD

# service account used to bind for lookups; the password is stored in
# clear text here, which is why this file must stay root-only (0600)
ldap_default_bind_dn = uid=ds_bind,ou=service,dc=DOMAIN,dc=TLD
ldap_default_authtok_type = password
ldap_default_authtok = YOUR_PASSWORD

# cache credentials locally so users can still log in while the directory
# is unreachable; cached entries are trusted for entry_cache_timeout seconds
cache_credentials = True
entry_cache_timeout = 600

# autofs maps stored as NIS-style objects (nisMap / nisObject) under
# ou=service
ldap_autofs_search_base = ou=service,dc=DOMAIN,dc=TLD
ldap_autofs_map_object_class = nisMap
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_object_class = nisObject
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry

# 9 is the most verbose level and logs request details under /var/log/sssd;
# lower it once lookups work
debug_level = 9

[sssd]
config_file_version = 2
# responders to run; each has its own section below
services = nss,pam,autofs
domains = default

[nss]
homedir_substring = /home
debug_level = 5
# never resolve root through the directory, even if such an entry exists
filter_users = root
filter_groups = root

[pam]
pam_account_locked_message = Account locked, please contact IT Team.
pam_verbosity = 2
# days before password expiry at which a warning is shown at login
pam_pwd_expiration_warning = 5

[sudo]

[autofs]
debug_level = 5

[ssh]