ldap + google auth

Notes are sparse, because I don’t remember a lot.

I remember setting up sssd for auth to active directory. There’s more to it than setting up the sssd.conf, but I’d have to look that up.

sssd.conf:

[sssd]
domains = AD_DOMAIN
config_file_version = 2
services = nss, pam

[domain/intelgd.com]
ad_server = AD_SERVERS
ad_domain = AD_DOMAIN
krb5_realm = KERBEROS_REALM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ad_maximum_machine_account_password_age = 30
auto_private_groups = true

password-auth pam:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so

# Try to add google-auth here
#auth required pam_google_authenticator.so debug forward_pass
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success

# Not sure what to do to get this to work
auth        sufficient    pam_sss.so forward_pass
#auth        sufficient    pam_sss.so use_first_pass

auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok


password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

radiusd pam:

Setup pam_google_authenticator.so to forward_pass to the next piece. Use pam_sss.so to auth to active directory.

#%PAM-1.0
#auth       include     password-auth
#account    required    pam_nologin.so
#account    include     password-auth
#password   include     password-auth
#session    include     password-auth

auth required pam_google_authenticator.so debug forward_pass
#auth required pam_unix.so debug use_first_pass
#auth required pam_unix.so debug
auth required pam_sss.so use_first_pass
account required        pam_unix.so