Hi Andrew.
>So is the LDAP service just used to provide passwd and group databases
>for Unix-like systems, and not for any other purpose?
Yes, only password auth.
>If my guess above is right then you have missed a very important class
>of LDAP user. Every Unix-like server must access LDAP data.
>Do your Unix/Linux systems bind to LDAP with specific DNs?
>(This will be configured in files such as /etc/ldap.conf /etc/nslcd.conf
>/etc/sssd.conf etc...)
Yes, this is the ldap.conf client config file:
base dc=server,dc=com
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=Manager,dc=example,dc=com
bind_policy soft
idle_timelimit 3600
pam_filter objectClass=posixAccount
pam_lookup_policy yes
pam_check_host_attr yes
pam_password exop
nss_base_passwd ou=Users,dc=server,dc=com?one
nss_base_shadow ou=Users,dc=server,dc=com?one
nss_base_group ou=Groups,dc=server,dc=com?one
ssl start_tls
#ssl on
tls_cacertfile /etc/openldap/certs/cert.pem
tls_cacertdir /etc/openldap/certs
>I assume you allow users to change their own passwords. How is this handled?
>Are users allowed to update any other details, or do all changes come to you?
Yes, they can change their password based on the ppolicy and the PAM module; other properties are changed
by me, like phone number, photo, address and so on.
auth required pam_env.so
auth required pam_tally2.so deny=5 unlock_time=1800
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=7 dcredit=-2 ocredit=-2 difok=2 maxrepeat=2
password sufficient pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
Password policy
dn: cn=default,ou=Policies,dc=server,dc=com
cn: default
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdMinAge: 604800
pwdMaxAge: 5184000
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 432000
pwdFailureCountInterval: 30
pwdLockout: TRUE
pwdSafeModify: FALSE
sn: Password Policies
structuralObjectClass: person
entryUUID: 3cd52690-0ba9-1032-96ec-87e546c35b73
creatorsName: cn=Manager,dc=server,dc=com
createTimestamp: 20130215105020Z
pwdGraceAuthNLimit: 0
pwdMinLength: 8
pwdLockoutDuration: 54000
pwdInHistory: 3
pwdMaxFailure: 5
Default access lists
creatorsName: cn=config
createTimestamp: 20130215092101Z
olcAccess: {0}to attrs=userPassword by dn="cn=Manager,dc=server,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to attrs=cn,sn,memberUid,uidNumber,pwdHistory,pwdPolicySubentry,gidNumber,homeDirectory,givenName,description,loginShell by self write by anonymous read by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=Manager,dc,server,dc=com" write by * read
Thanks for your time and support.
Regards
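An added checker for the olcAccess rules posted above (example code, not part of the thread or of OpenLDAP): it unfolds the LDIF, parses each rule into its <what> and (who, access) clauses, and flags two things a reviewer would look at, broad who-clauses (*, anonymous, users) granted compare-or-higher access to password-bearing attributes such as userPassword and pwdHistory, and dn= patterns that are not syntactically valid DNs. The sample is the message's own four rules re-typed as RFC 2849 folded LDIF; the level names follow slapd.access(5).

```python
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # slapd.access(5), weakest first
SENSITIVE = {"userpassword", "pwdhistory"}   # current and previous password hashes
BROAD = {"*", "anonymous", "users"}          # who-clauses naming no specific identity

# Constructed sample: the four olcAccess rules from the message, as RFC 2849
# LDIF (a continuation line starts with exactly one space).
SAMPLE_LDIF = """\
olcAccess: {0}to attrs=userPassword by dn="cn=Manager,dc=server,dc=com" wr
 ite by anonymous auth by self write by * none
olcAccess: {1}to attrs=cn,sn,memberUid,uidNumber,pwdHistory,pwdPolicySubentry,
 gidNumber,homeDirectory,givenName,description,loginShell by self write by ano
 nymous read by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=Manager,dc,server,dc=com" write by * read
"""

def unfold(ldif):
    """Join RFC 2849 folded lines (continuation lines start with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines

def parse_rule(value):
    """Split '{n}to <what> by <who> <access> ...' into what and (who, access) pairs."""
    what, rest = re.match(r"(?:\{\d+\})?to\s+(.*?)\s+by\s+(.*)$", value.strip()).groups()
    return what, [tuple(c.split(None, 1)) for c in re.split(r"\s+by\s+", rest)]

def dn_syntax_ok(dn):
    """Every RDN must be 'type=value' (the empty DN is the root DSE and is valid)."""
    return dn == "" or all(re.fullmatch(r"[A-Za-z][\w-]*=.*", r.strip()) for r in dn.split(","))

def lint(ldif):
    """Flag broad grants on password hashes and dn= patterns that are not valid DNs."""
    findings = []
    for line in unfold(ldif):
        if not line.lower().startswith("olcaccess:"):
            continue
        what, by = parse_rule(line.split(":", 1)[1])
        attrs = set(what[6:].lower().split(",")) if what.lower().startswith("attrs=") else set()
        for who, access in by:
            if who.lower() in BROAD and attrs & SENSITIVE and access in LEVELS[3:]:
                findings.append(f"'{who}' gets {access} on {sorted(attrs & SENSITIVE)}")
            m = re.fullmatch(r'dn(?:\.\w+)?="([^"]*)"', who)
            if m and not dn_syntax_ok(m.group(1)):
                findings.append(f"dn pattern {m.group(1)!r} is not a valid DN")
    return findings
```

On the sample, `lint(SAMPLE_LDIF)` reports the anonymous read grant on pwdHistory in rule {1} and the malformed dn pattern in rule {3}; rule {0} passes because anonymous only gets auth on userPassword.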