From 9a83756e050bb88277f81ac6e005d901cc18a13a Mon Sep 17 00:00:00 2001 From: Karl Eichwalder Date: Thu, 9 Jan 2025 07:58:34 +0100 Subject: [PATCH] backport 5.0: example for LDAP integration with Active Directory (#3580) (#3586) * example for LDAP integration with Active Directory (#3580) https://bugzilla.suse.com/show_bug.cgi?id=1233696 https://github.com/SUSE/spacewalk/issues/25863 https://github.com/uyuni-project/uyuni/issues/9597 --- CHANGELOG.md | 2 + .../pages/auth-methods-pam.adoc | 66 ++++++++++++++++--- 2 files changed, 60 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d6c724584eb..47d5872cb99 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,5 @@ +- Added example for LDAP integration with Active Directory in + Administration Guide (bsc#1233696) - Added ports overview images in Installation and Upgrade Guide (bsc#1217338) - Updated ports listing according to hidden ports file and fixed diff --git a/modules/administration/pages/auth-methods-pam.adoc b/modules/administration/pages/auth-methods-pam.adoc index fb8e65e0fc7..1b11301aa44 100644 --- a/modules/administration/pages/auth-methods-pam.adoc +++ b/modules/administration/pages/auth-methods-pam.adoc 
@@ -16,19 +16,23 @@ PAM is a suite of libraries that allows you to integrate {productname} with a ce In usernames, additionally to alphanumeric characters, [literal]``-``, [literal]``_``, [literal]``.``, and [literal]``@`` are allowed. ==== . Check the [guimenu]``Pluggable Authentication Modules (PAM)`` checkbox. -. Configure SSSD in the container. - Connect inside the container using: +. Configure SSSD in the server container. + At the command prompt of the {productname} container host, as root, enter the server container: + + ---- mgrctl term ---- -Then change the file + +. Inside the container, execute the following steps: ++ +.. Edit [path]``/etc/sssd/sssd.conf`` according to your configuration. + For an example, see xref:administration:auth-methods-pam.adoc#auth-methods-pam-ad[]. +.. When done, exit the container: + ---- -/etc/sssd/sssd.conf +exit ---- -+ -. Set [literal]``krb5_keytab`` in ``domain/$domain`` to [literal]``/etc/sssd/krb5.keytab`` . Restart {productname} using: + ---- 
@@ -46,6 +50,52 @@ Use the password change mechanism of your network service to change the password ==== -For more information about configuring PAM, the SUSE Linux Enterprise Server Security Guide contains a generic example that also works for other network-based authentication methods. -It also describes how to configure an active directory service. +For more information about PAM configuration, see the {sles} Security Guide. The Security Guide contains a generic example that also works for other network-based authentication methods. +It also describes how to configure an Active Directory (AD) service. For more information, see {sles-base-os-documentation}/part-auth.html. + + + +[[auth-methods-pam-ad]] +=== LDAP Integration with Active Directory Example + +For LDAP integration with Active Directory, you can use the following example. + +In the code snippet, change the following placeholders according to your environment: + +[literal]``$domain``:: +Your domain name +[literal]``$ad_server``:: +FQDN of the AD server if it is not auto-detected from the [literal]``$domain`` +[literal]``$uyuni-hostname``: +The name of the machine this AD client is supposed to be known. +If not set, it will be [literal]``uyuni-server.mgr.internal``. + + +Example snippet for [path]``/etc/sssd/sssd.conf``: + +---- +[sssd] +config_file_version = 2 +services = nss, pam +domains = $domain + +[nss] + +[pam] + +[domain/$domain] +id_provider = ad +chpass_provider = ad +access_provider = ad +auth_provider = ad + +ad_domain = $domain +ad_server = $ad_server +ad_hostname = $uyuni-hostname + +ad_gpo_map_network = +susemanager + +krb5_keytab = FILE:/etc/rhn/krb5.conf.d/krb5.keytab +krb5_ccname_template = FILE:/tmp/krb5cc_%{uid} +----
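Review bot: in the second auth-methods-pam.adoc hunk (@@ -16,19 +16,23 @@), the removed line `-. Set [literal]``krb5_keytab`` in ``domain/$domain`` to [literal]``/etc/sssd/krb5.keytab``` was the only place the procedure stated where the keytab lives, and the example the new step now points to (xref auth-methods-pam-ad) uses a different path, `krb5_keytab = FILE:/etc/rhn/krb5.conf.d/krb5.keytab`. Confirm which path the server container actually uses and say so in the new step `.. Edit [path]``/etc/sssd/sssd.conf`` according to your configuration.`, otherwise a reader following only this procedure no longer learns where the keytab must be placed, and the two paths in the same document will be read as a contradiction.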
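Review bot: in the @@ -46,6 +50,52 @@ hunk, the third description-list term `[literal]``$uyuni-hostname``:` ends with a single colon where the two entries above it use `::`, so AsciiDoc will not render it as a list term; change it to `[literal]``$uyuni-hostname``::`. Its description, "The name of the machine this AD client is supposed to be known.", is ungrammatical; suggest "The name under which this AD client is known to the domain." Since the snippet now carries the domain-join settings, it is also worth one sentence after "Example snippet for [path]``/etc/sssd/sssd.conf``:" noting that sssd refuses to start if the file is readable by other users (it expects root ownership and mode 0600), because that is the first thing that fails after copying the example in.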