From ed3bac5c08fed1c804eddd6c0f32bd5045711e7e Mon Sep 17 00:00:00 2001 From: Karl Eichwalder Date: Wed, 8 Jan 2025 09:12:05 +0100 Subject: [PATCH] example for LDAP integration with Active Directory https://bugzilla.suse.com/show_bug.cgi?id=1233696 https://github.com/SUSE/spacewalk/issues/25863 https://github.com/uyuni-project/uyuni/issues/9597 --- CHANGELOG.md | 2 + .../pages/auth-methods-pam.adoc | 61 +++++++++++++++++-- 2 files changed, 57 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index db506ec6d6f..889c4f171e1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,5 @@ +- Added example for LDAP integration with Active Directory in + Administration Guide (bsc#1233696) - Updated Troubleshooting Autoinstallation in Administration Guide - Added external link for creating virtual network peer for Azure in Specialized Gudes (bsc#1234441) diff --git a/modules/administration/pages/auth-methods-pam.adoc b/modules/administration/pages/auth-methods-pam.adoc index fb8e65e0fc7..49b2dddc82c 100644 --- a/modules/administration/pages/auth-methods-pam.adoc +++ b/modules/administration/pages/auth-methods-pam.adoc 
@@ -16,19 +16,24 @@ PAM is a suite of libraries that allows you to integrate {productname} with a ce In usernames, additionally to alphanumeric characters, [literal]``-``, [literal]``_``, [literal]``.``, and [literal]``@`` are allowed. ==== . Check the [guimenu]``Pluggable Authentication Modules (PAM)`` checkbox. -. Configure SSSD in the container. - Connect inside the container using: +. Configure SSSD in the server container. + At the command prompt of the {productname} container host, as root, enter the server container: + + ---- mgrctl term ---- -Then change the file + +. Inside the container, execute the following steps: ++ + +.. To set configuration options, open the file: + ---- /etc/sssd/sssd.conf ---- + -. Set [literal]``krb5_keytab`` in ``domain/$domain`` to [literal]``/etc/sssd/krb5.keytab`` +.. Set [literal]``krb5_keytab`` in ``domain/$domain`` to [literal]``/etc/sssd/krb5.keytab`` . Restart {productname} using: + ---- 
@@ -46,6 +51,50 @@ Use the password change mechanism of your network service to change the password ==== -For more information about configuring PAM, the SUSE Linux Enterprise Server Security Guide contains a generic example that also works for other network-based authentication methods. -It also describes how to configure an active directory service. +For more information about PAM configuration, see the {sles} Security Guide. The Security Guide contains a generic example that also works for other network-based authentication methods. +It also describes how to configure an Active Directory (AD) service. For more information, see {sles-base-os-documentation}/part-auth.html. + + + +=== LDAP Integration with Active Directory Example + +For LDAP integration with Active Directory, you can use the following example. + +In te code snippet, change the following placeholders according to your environment: + +[literal]``$domain``:: +Your domain name +[literal]``$ad_server``:: +FQDN of the AD server if it is not auto-detected from the [literal]``$domain`` +[literal]``$uyuni-hostname``: +The name of the machine this AD client is supposed to be known. +If not set, it will be [literal]``uyuni-server.mgr.internal``. + +---- +/etc/sssd/sssd.conf: + +[sssd] +config_file_version = 2 +services = nss, pam +domains = $domain + +[nss] + +[pam] + +[domain/$domain] +id_provider = ad +chpass_provider = ad +access_provider = ad +auth_provider = ad + +ad_domain = $domain +ad_server = $ad_server +ad_hostname = $uyuni-hostname + +ad_gpo_map_network = +susemanager + +krb5_keytab = FILE:/etc/rhn/krb5.conf.d/krb5.keytab +krb5_ccname_template = FILE:/tmp/krb5cc_%{uid} +----
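Review bot: The CHANGELOG hunk is fine as a changelog entry; while touching this block, the neighbouring context line still reads "Specialized Gudes (bsc#1234441)" ("Guides"), which could be fixed in the same PR since the file is already being edited.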
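Review bot: In the auth-methods-pam.adoc hunk starting at line 16, the retained sub-step `.. Set [literal]``krb5_keytab`` in ``domain/$domain`` to [literal]``/etc/sssd/krb5.keytab``` conflicts with the example this same patch adds further down, which sets `krb5_keytab = FILE:/etc/rhn/krb5.conf.d/krb5.keytab`; a reader following the steps and then pasting the example ends up with two different keytab locations, so either the step or the example should be changed so both name the same path (and the same `FILE:` form). Second, check the AsciiDoc list-continuation markers around the two listing blocks: `. Inside the container, execute the following steps:` is followed by a `+` line and then an empty line, and `.. To set configuration options, open the file:` is likewise followed by an added empty line before `----`; a blank line between `+` and the block detaches the block from the list item, so the `+` must be immediately followed by `----`. Finally, "To set configuration options, open the file:" followed by the bare path `/etc/sssd/sssd.conf` is a listing block that contains a path rather than a command; consider saying what to do with it (edit it, then apply the two sub-steps), since the old text "Then change the file" carried that meaning.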
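Review bot: In the new "LDAP Integration with Active Directory Example" section, the third placeholder entry `[literal]``$uyuni-hostname``:` uses a single colon while the two entries above it use `::`, so it will not render as part of the definition list; change it to `[literal]``$uyuni-hostname``::`. Its description "The name of the machine this AD client is supposed to be known." is also ungrammatical; suggest "The hostname under which this AD client is known in the domain." Typo: "In te code snippet" should be "In the code snippet". The listing block opens with `/etc/sssd/sssd.conf:` as a fake file header inside the configuration text; the file name would be better as a block title (`.{file}/etc/sssd/sssd.conf`) above `----` so nobody copies it into the real file. Two settings deserve a sentence of explanation because they have security consequences: `access_provider = ad` together with `ad_gpo_map_network = +susemanager` means SSSD evaluates the AD group-policy "Access this computer from the network" logon right for the PAM service named `susemanager`, so the PAM service name must match the one {productname} actually uses and users without that logon right will be denied even if authentication succeeds; and `krb5_ccname_template = FILE:/tmp/krb5cc_%{uid}` places credential caches as plain files under `/tmp` in the container, which should be stated as the reason (rather than the kernel keyring) so administrators understand where tickets live and that cleanup of that directory affects logged-in users.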