Diffstat (limited to 'files')
| -rw-r--r-- | files/etc/krb5.conf.common | 29 | ||||
| -rw-r--r-- | files/etc/login.conf.freebsd | 3 | ||||
| -rw-r--r-- | files/usr/local/etc/nslcd.conf.common | 14 | ||||
| -rw-r--r-- | files/usr/local/etc/openldap/.krb5/config.idm_server | 2 | ||||
| -rw-r--r-- | files/usr/local/etc/openldap/ldap.conf.common | 9 | ||||
| -rw-r--r-- | files/usr/local/etc/openldap/slapd.ldif.idm_server | 2 | ||||
| -rw-r--r-- | files/usr/local/etc/ssh/sshd_config.freebsd | 2 | ||||
| -rw-r--r-- | files/usr/local/var/krb5kdc/kadm5.acl.idm_server | 4 | 
8 files changed, 60 insertions, 5 deletions
| diff --git a/files/etc/krb5.conf.common b/files/etc/krb5.conf.common
new file mode 100644
index 0000000..aa2c11f
--- /dev/null
+++ b/files/etc/krb5.conf.common
@@ -0,0 +1,29 @@
+[libdefaults]
+  default_realm = ${realm}
+  dns_lookup_kdc = true
+  dns_lookup_realm = false
+  allow_weak_crypto = false
+  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
+  default_client_keytab_name = /var/db/keytabs/%{euid}.keytab
+  # Breaks screenlockers
+  # verify_ap_req_nofail = true
+
+[appdefaults]
+  pam = {
+    minimum_uid = 1000
+    ccache = FILE:/tmp/krb5cc_%u_XXXXXX
+    forwardable = true
+    ticket_lifetime = ${krb5_ticket_lifetime}
+    renew_lifetime = ${krb5_renew_lifetime}
+  }
+
+[realms]
+  ${realm} = {
+$(for host in $ldap_hosts; do echo "\
+    admin_server = ${host}"; done)
+    default_domain = ${domain}
+  }
+
+[domain_realm]
+  .${domain} = ${realm}
+  ${domain}  = ${realm}
diff --git a/files/etc/login.conf.freebsd b/files/etc/login.conf.freebsd
index b7def42..e712b88 100644
--- a/files/etc/login.conf.freebsd
+++ b/files/etc/login.conf.freebsd
@@ -4,7 +4,7 @@ default:\\
 	:welcome=/var/run/motd:\\
 	:setenv=BLOCKSIZE=K:\\
 	:mail=/var/mail/$:\\
-	:path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\\
+	:path=/sbin /bin /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin ~/bin:\\
 	:nologin=/var/run/nologin:\\
 	:cputime=unlimited:\\
 	:datasize=unlimited:\\
@@ -59,6 +59,7 @@ dialer:\\
 # N.B.  login_getpwclass(3) will use this entry for the root account,
 #       in preference to 'default'.
 root:\\
+	:path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\\
 	:ignorenologin:\\
 	:memorylocked=unlimited:\\
 	:tc=default:
diff --git a/files/usr/local/etc/nslcd.conf.common b/files/usr/local/etc/nslcd.conf.common
new file mode 100644
index 0000000..6494c70
--- /dev/null
+++ b/files/usr/local/etc/nslcd.conf.common
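Review bot: Leaving `verify_ap_req_nofail` commented out in [libdefaults] means a pam password login is accepted even when the freshly obtained TGT cannot be checked against a local service key, so a KDC impersonated on the network path would be trusted; the `# Breaks screenlockers` comment records the symptom but not the risk being accepted. Presumably the breakage is that a screenlocker runs as the unprivileged user and cannot read the host keytab — if so, the exemption could be confined to that PAM service (if pam-krb5's per-service configuration allows it; confirm against its man page) instead of disabling verification for sshd and console logins as well. At minimum the comment should state the trade-off, e.g. `# verify_ap_req_nofail disabled: screenlockers run as the user and cannot read the host keytab, so an unverifiable TGT is still accepted (KDC-spoofing risk accepted)`. The `permitted_enctypes` line already pins AES-SHA1, and in current MIT releases it also supplies the defaults for `default_tkt_enctypes`/`default_tgs_enctypes`, so those need not be repeated.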
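Review bot: The default class now searches /usr/local/sbin and /usr/local/bin before /usr/sbin and /usr/bin, while the root class entry added in the second hunk keeps the base-system order, and nothing in the file records why the two differ. A `#` comment above the `default:` and `root:` records would stop a later edit from "fixing" the asymmetry, e.g. `# users: prefer packaged tools over base; root keeps base first so admin/rescue tools are not shadowed` — that reason is my guess at the intent, so adjust it. Both records begin outside the hunks. Note also that FreeBSD reads /etc/login.conf.db, so cap_mkdb(1) must run after this file is installed if the deployment does not already do so.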
@@ -0,0 +1,14 @@
+uid ${nslcd_user}
+gid ${nslcd_user}
+
+uri ${ldap_uri}
+
+base ${basedn}
+base passwd ${accounts_basedn}
+base group ${groups_basedn}
+
+sasl_mech GSSAPI
+
+nss_min_uid ${nslcd_min_uid}
+nss_initgroups_ignoreusers ALLLOCAL
+nss_nested_groups yes
diff --git a/files/usr/local/etc/openldap/.krb5/config.idm_server b/files/usr/local/etc/openldap/.krb5/config.idm_server
new file mode 100644
index 0000000..7a92f86
--- /dev/null
+++ b/files/usr/local/etc/openldap/.krb5/config.idm_server
@@ -0,0 +1,2 @@
+[libdefaults]
+  default_keytab_name = FILE:${slapd_keytab}
diff --git a/files/usr/local/etc/openldap/ldap.conf.common b/files/usr/local/etc/openldap/ldap.conf.common
new file mode 100644
index 0000000..b56dc94
--- /dev/null
+++ b/files/usr/local/etc/openldap/ldap.conf.common
@@ -0,0 +1,9 @@
+URI            ${ldap_uri}
+BASE           ${basedn}
+USE_SASL       yes
+ROOTUSE_SASL   yes
+SASL_MECH      GSSAPI
+SASL_REALM     ${realm}
+GSSAPI_SIGN    yes
+GSSAPI_ENCRYPT yes
+SUDOERS_BASE   ${sudo_basedn}
diff --git a/files/usr/local/etc/openldap/slapd.ldif.idm_server b/files/usr/local/etc/openldap/slapd.ldif.idm_server
index 9dc0086..d63641e 100644
--- a/files/usr/local/etc/openldap/slapd.ldif.idm_server
+++ b/files/usr/local/etc/openldap/slapd.ldif.idm_server
@@ -119,7 +119,7 @@ olcAccess: {1}to dn.base="cn=Subschema"
   by * read
 olcAccess: {3}to *
   by dn.exact=${slapd_replicator_dn} read
-  by dn.exact=krbPrincipalName=${boxconf_username},${robots_basedn} manage
+  by dn.exact=${boxconf_dn} manage
   by set="[cn=${slapd_admin_role},${roles_basedn}]/member* & user" manage
   by * break
 olcAccess: {4}to dn.subtree=${sudo_basedn}
diff --git a/files/usr/local/etc/ssh/sshd_config.freebsd b/files/usr/local/etc/ssh/sshd_config.freebsd
index df46af6..52d9bfe 100644
--- a/files/usr/local/etc/ssh/sshd_config.freebsd
+++ b/files/usr/local/etc/ssh/sshd_config.freebsd
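Review bot: `sasl_mech GSSAPI` authenticates nslcd's bind, but nothing in the file requires an integrity or confidentiality layer on the connection, whereas the sibling ldap.conf.common in this commit sets `GSSAPI_SIGN yes` and `GSSAPI_ENCRYPT yes`. Unless `${ldap_uri}` always expands to an ldaps:// URL, passwd/group lookups rely on whatever SASL security layer the two sides negotiate by default; nslcd.conf(5) has a `sasl_secprops` option for pinning a minimum SSF, e.g. `sasl_secprops minssf=56` (choose the value the GSSAPI mechanism actually reports for the AES enctypes in use). Nothing here also says how nslcd, running as `${nslcd_user}`, obtains its Kerberos credential — presumably the per-euid `default_client_keytab_name` from krb5.conf.common — so a comment naming that dependency would help the next reader, e.g. `# GSSAPI credential comes from the per-user client keytab configured in krb5.conf`.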
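Review bot: A krb5 config placed at `.krb5/config` under slapd's home directory is picked up by Heimdal's default config-file list but, as far as I know, not by MIT krb5, which reads only /etc/krb5.conf or the path(s) named in KRB5_CONFIG; the rest of this commit uses MIT-style paths (/usr/local/var/krb5kdc, kadm5.acl), so please confirm the libkrb5 linked into slapd actually loads this file, otherwise `default_keytab_name` silently falls back to the system keytab. If it is instead loaded via KRB5_CONFIG, note that under MIT that variable replaces rather than augments /etc/krb5.conf unless both paths are listed colon-separated, so the enctype and realm settings from krb5.conf.common would be lost. A header comment stating which library reads it and how, e.g. `# krb5 settings for slapd only; loaded via <mechanism>`, would remove the guesswork.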
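Review bot: The file mixes libldap keywords (URI, BASE, SASL_MECH, SASL_REALM, GSSAPI_SIGN, GSSAPI_ENCRYPT) with sudo's LDAP-backend keywords (USE_SASL, ROOTUSE_SASL, SUDOERS_BASE) without saying so; each parser is expected to skip the other's entries, so someone editing it for one consumer can silently break the other. A header comment naming both readers would make this explicit, e.g. `# Read by libldap (ldap.conf(5)) and by sudo's LDAP backend (sudoers.ldap(5)); USE_SASL/ROOTUSE_SASL/SUDOERS_BASE are sudo-only.` No TLS_CACERT/TLS_REQCERT appears here either: if `${ldap_uri}` is ldaps:// the trust anchor must come from elsewhere, and if it is plain ldap:// the GSSAPI_SIGN/GSSAPI_ENCRYPT lines are the only protection on the sudoers lookups, which is worth stating in the same comment.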
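Review bot: `by dn.exact=${boxconf_dn} manage` grants full write over the whole database to whatever the template variable expands to, and the new form no longer ties it to a `krbPrincipalName=...` entry under `${robots_basedn}` the way the removed line did; if `${boxconf_dn}` is ever unset or empty the rendered rule becomes `by dn.exact= manage`, which slapd may reject at startup or, worse, interpret in an unintended way. The templating step should fail hard when that variable is unset, and a comment above the rule stating what identity it is meant to be, e.g. `# boxconf automation identity (manage rights; must stay a single exact DN)`, would help future ACL reviews. The olcAccess {3} clause is wholly inside the hunk, but the enclosing olcDatabase entry is not.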
@@ -3,7 +3,7 @@ Include /etc/ssh/sshd_config.d/*.conf  PermitRootLogin prohibit-password  AuthorizedKeysFile .ssh/authorized_keys  AuthorizedKeysCommand /usr/local/libexec/idm-ssh-authorized-keys %u -AuthorizedKeysCommandUser ${ssh_authzkeys_user} +AuthorizedKeysCommandUser ${ssh_authzkeys_username}  KbdInteractiveAuthentication no  PasswordAuthentication yes diff --git a/files/usr/local/var/krb5kdc/kadm5.acl.idm_server b/files/usr/local/var/krb5kdc/kadm5.acl.idm_server index c2a454b..9f7507e 100644 --- a/files/usr/local/var/krb5kdc/kadm5.acl.idm_server +++ b/files/usr/local/var/krb5kdc/kadm5.acl.idm_server @@ -1,2 +1,2 @@ -*/admin@${realm} * * -maxlife 1h -postdateable -${boxconf_username}@${realm} * * -maxlife 5m -postdateable +*/admin@${realm} * * +${boxconf_username}@${realm} * * | 
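Review bot: Dropping `-maxlife 1h -postdateable` from the `*/admin` line and `-maxlife 5m -postdateable` from the `${boxconf_username}` line removes the only bound on ticket lifetime and the postdated-ticket flag that principals created or modified through these two identities inherited; from now on the realm and policy defaults alone govern them. If the 5-minute cap on boxconf-created principals was the actual problem, consider keeping the restriction on `*/admin` (or at least `-postdateable`) and relaxing only the automation entry. Whatever the decision, a `#` comment line recording it would help, e.g. `# no per-principal restrictions here; max ticket life comes from the realm/policy defaults`.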
