Add LDAP feature support (#80)

Added LDAP support to hostcfgd
sonic-net · May 7, 2024 · 9e6404c · 9e6404c
1 parent e93494c
commit 9e6404c
Show file tree

Hide file tree

Showing 22 changed files with 1,177 additions and 9 deletions.
diff --git a/data/templates/common-auth-sonic.j2 b/data/templates/common-auth-sonic.j2
@@ -68,6 +68,15 @@ auth	[success=2 default=ignore]	pam_exec.so /usr/sbin/cache_radius
 # Local
 auth	[success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die maxtries=die' if not auth['failthrough'] }}]	pam_unix.so nullok try_first_pass
 
+{% elif auth['login'] == 'ldap,local' %}
+auth    [success=2 default=ignore]      pam_ldap.so minimum_uid=1000 try_first_pass
+auth    [success=1 default=ignore]      pam_unix.so nullok try_first_pass
+{% elif auth['login'] == 'local,ldap' %}
+auth    [success=2 default=ignore]      pam_unix.so nullok try_first_pass
+auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 try_first_pass
+{% elif auth['login'] == 'ldap' %}
+auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 try_first_pass
+
 {% else %}
 auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass
 

diff --git a/data/templates/ldap.conf.j2 b/data/templates/ldap.conf.j2
@@ -0,0 +1,17 @@
+{{ ldap_cfg.cfg_servers(servers) }}
+
+base {{ ldap_cfg.cfg_base(servers) }}
+
+ldap_version {{ ldap_cfg.cfg_version(servers) }}
+
+binddn {{ ldap_cfg.cfg_bind(servers) }}
+
+bindpw {{ ldap_cfg.cfg_bindpw(servers) }}
+
+port {{ ldap_cfg.cfg_port(servers) }}
+
+scope {{ ldap_cfg.cfg_scope(servers) }}
+
+timelimit {{ ldap_cfg.cfg_timeout(servers) }}
+
+bind_timelimit {{ ldap_cfg.cfg_bind_timeout(servers) }}
diff --git a/data/templates/nslcd.conf.j2 b/data/templates/nslcd.conf.j2
@@ -0,0 +1,41 @@
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+{{ ldap_cfg.cfg_servers(servers) }}
+
+# The search base that will be used for all queries.
+base {{ ldap_cfg.cfg_base(servers) }}
+
+
+# The LDAP protocol version to use.
+ldap_version {{ ldap_cfg.cfg_version(servers) }}
+
+# The DN to bind with for normal lookups.
+binddn {{ ldap_cfg.cfg_bind(servers) }}
+bindpw {{ ldap_cfg.cfg_bindpw(servers) }}
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+#tls_reqcert never
+tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+
+# The search scope.
+scope {{ ldap_cfg.cfg_scope(servers) }}
+
+timelimit {{ ldap_cfg.cfg_timeout(servers) }}
+
+bind_timelimit {{ ldap_cfg.cfg_bind_timeout(servers) }}
+
+nss_initgroups_ignoreusers ALLLOCAL
+
+nss_min_uid 1000
+