Nothing particularly new here, just some notes on SSSD (System Security Services Daemon). SSSD's main job is to use remote authentication and identity sources (LDAP, Kerberos, AD and so on) and to cache the data it fetches from them.
What prompted this was wanting to know how it compares with the nslcd+nscd setup currently in use for LDAP integration; that comparison will be written up separately. This post is the procedure for hooking SSSD up to LDAP and getting sudo rules served from LDAP as well.
Building SSSD+LDAP+SUDO
The LDAP server and the user data are assumed to exist already. First, install SSSD.
nscd's passwd/group caching conflicts with SSSD's own cache (the SSSD documentation only tolerates nscd for the hosts database), so remove it first.
yum erase nscd
yum install sssd sssd-client sssd-ldap openldap-clients
systemctl enable sssd
systemctl status sssd
Run the automatic configuration. That said, the generated sssd.conf looks messy and the sudo-related settings are missing from it anyway, so it may be better to skip this step and write the file by hand.
authconfig --test
authconfig \
  --enablesssd --enablesssdauth --enablelocauthorize \
  --enableldap --enableldapauth --disableldaptls \
  --ldapserver=ldap://ldap.example.com \
  --ldapbasedn=dc=example,dc=com \
  --update
Edit /etc/sssd/sssd.conf. The cache-related settings are covered in a separate article; for everything else, man sssd.conf and man sssd-ldap are the reliable reference. One caveat on the values used here: like the authconfig run above, this file keeps TLS off (an ldap:// URI with ldap_id_use_start_tls = False). SSSD's LDAP auth provider refuses to send a user's password over such a connection unless ldap_auth_disable_tls_never_use_in_production is set, and a plain connection exposes every bind password on the wire, so outside a lab use an ldaps:// URI or ldap_id_use_start_tls = True with ldap_tls_cacert pointing at the CA certificate.
[sssd]
debug_level = 0
config_file_version = 2
services = nss, pam, ssh, sudo
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
ldap_id_use_start_tls = False
ldap_search_timeout = 3
ldap_network_timeout = 3
ldap_opt_timeout = 3
ldap_enumeration_search_timeout = 60
ldap_enumeration_refresh_timeout = 300
ldap_connection_expire_timeout = 600
ldap_sudo_smart_refresh_interval = 600
ldap_sudo_full_refresh_interval = 10800
entry_cache_timeout = 1200
cache_credentials = True

[nss]
homedir_substring = /home
entry_negative_timeout = 20
entry_cache_nowait_percentage = 50

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
If you created the file by hand, set its permissions. The file may hold a bind password, and with cache_credentials = True SSSD stores password hashes under /var/lib/sss/db, so it must be readable by root only; sssd itself refuses to start unless the file is owned by root with mode 0600.
chmod 600 /etc/sssd/sssd.conf
chown root:root /etc/sssd/sssd.conf
Edit /etc/nsswitch.conf. (authconfig cannot insert the sudoers line, and without it sudo never asks SSSD for rules.)
passwd:  files sss
shadow:  files sss
group:   files sss
sudoers: files sss
Restart and check that the data comes through. Note that su run as root does not prompt for a password, so these commands exercise the NSS lookups and the sudo rules but not PAM authentication; test the password path separately from an unprivileged login (ssh, or su from a non-root user).
systemctl restart sssd
id example_user
su - example_user
sudo ls /root
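The manual checks above are easy to forget on the next host, so here is an added example (my own script, not code from the original post) that verifies the finished setup offline: it parses sssd.conf and nsswitch.conf, confirms the sudo responder, the LDAP sudo provider and the sudoers line are all wired up, checks the file permissions, and flags a plain ldap:// connection without START_TLS. The default paths are the live /etc files; SSSD_CONF and NSSWITCH can be overridden, and make_samples writes constructed sample files that mirror the post's values so the checks can be tried without a real server. It assumes GNU stat and awk.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an SSSD+LDAP+sudo
# setup. Paths default to the live files and can be overridden with
# SSSD_CONF / NSSWITCH, e.g. to point at the constructed samples written by
# make_samples below. Assumes GNU stat (-c) and awk.

SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"
NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION];
# exit status 1 when the key is absent.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { insec = ($1 == sec); next }
        insec && match($0, "^[ \t]*" key "[ \t]*=") {
            v = substr($0, RLENGTH + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# sssd.conf may hold a bind password and cache_credentials = True stores
# password hashes under /var/lib/sss/db, so the file must be root-only.
check_mode()  { [ "$(stat -c '%a' "$SSSD_CONF")" = "600" ]; }
check_owner() { [ "$(stat -c '%U:%G' "$SSSD_CONF")" = "root:root" ]; }

# The sudo responder must be listed in [sssd] services, otherwise
# "sudoers: sss" in nsswitch.conf has nothing to talk to.
check_services() {
    ini_get "$SSSD_CONF" sssd services | tr ',' '\n' | tr -d ' ' | grep -qx sudo
}

# check_sudo_provider DOMAIN: the domain must fetch sudo rules from LDAP.
check_sudo_provider() {
    [ "$(ini_get "$SSSD_CONF" "domain/$1" sudo_provider)" = "ldap" ]
}

# sudo only consults SSSD when the sudoers database lists sss.
check_nsswitch_sudoers() {
    grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)' "$NSSWITCH"
}

# check_transport DOMAIN: a simple bind sends the user's password to the
# LDAP server, so require ldaps:// or START_TLS on the connection.
check_transport() {
    uri=$(ini_get "$SSSD_CONF" "domain/$1" ldap_uri || :)
    tls=$(ini_get "$SSSD_CONF" "domain/$1" ldap_id_use_start_tls || :)
    case "$uri" in ldaps://*) return 0 ;; esac
    case "$(printf '%s' "$tls" | tr 'A-Z' 'a-z')" in true) return 0 ;; esac
    return 1
}

# report CHECK [ARGS]: run one check, print PASS/FAIL, set rc on failure.
report() {
    if "$@"; then echo "PASS $1"; else echo "FAIL $1"; rc=1; fi
}

# run_checks: run every check for the first domain listed in [sssd] domains.
run_checks() {
    rc=0
    domain=$(ini_get "$SSSD_CONF" sssd domains | cut -d, -f1 | tr -d ' ')
    report check_mode
    report check_owner
    report check_services
    report check_sudo_provider "$domain"
    report check_nsswitch_sudoers
    report check_transport "$domain"
    return "$rc"
}

# make_samples: write constructed sssd.conf/nsswitch.conf (the post's values,
# TLS still off) into a temporary directory and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/sssd.conf" <<'EOF'
[sssd]
services = nss, pam, ssh, sudo
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
ldap_id_use_start_tls = False
cache_credentials = True
EOF
    chmod 600 "$dir/sssd.conf"
    cat > "$dir/nsswitch.conf" <<'EOF'
passwd: files sss
shadow: files sss
group: files sss
sudoers: files sss
EOF
    printf '%s\n' "$dir"
}

# When the live files are readable, run the checks against them.
if [ -r "$SSSD_CONF" ] && [ -r "$NSSWITCH" ]; then
    run_checks || echo "sssd-check: one or more checks FAILED" >&2
fi
```

Run it as root on the configured host to check the live files; against the samples (d=$(make_samples); SSSD_CONF=$d/sssd.conf NSSWITCH=$d/nsswitch.conf) the transport check fails on purpose, because the sample keeps the post's ldap:// plus ldap_id_use_start_tls = False, and the owner check fails unless you are root.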
When you want to poke hard at the cache behaviour, delete the cache database and restart. There is also a cleanup tool, sss_cache, which plays the role of nscd -i passwd (sss_cache -E invalidates every cached entry without deleting the database).
rm /var/lib/sss/db/cache_default.ldb
systemctl restart sssd
Compared with nslcd, the configuration scattered across ldap.conf, sudo-ldap.conf and the like is no longer needed, so the result feels a lot cleaner and easier to work with.
Beyond that, older versions seem to have some nasty bugs, so it is probably best to adopt it starting from a fairly recent distribution.
Pingback: Tried installing CentOS 8.0 | 外道父の匠