https://github.com/ahaenggli/AzureAD-LDAP-wrapper
docker-compose.yaml
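version: '3.2'
services:
  azuread-ldap-wrapper:
    # NOTE(review): pin a release tag or digest instead of :latest so an
    # upstream push cannot silently replace the image that brokers your
    # directory credentials (supply-chain hygiene).
    image: ahaen/azuread-ldap-wrapper:latest
    container_name: azuread-ldap-wrapper
    environment:
      TZ: "Europe/Prague"
      AZURE_TENANTID: "xxx"
      AZURE_APP_ID: "xxx"
      # Secrets come from the shell environment / an untracked .env file.
      # `${VAR:?msg}` makes compose refuse to start when the variable is unset,
      # so a forgotten secret fails loudly instead of running with "xxx".
      AZURE_APP_SECRET: "${AZURE_APP_SECRET:?set AZURE_APP_SECRET in .env}"
      LDAP_DOMAIN: "sspu-opava.cz"
      # Format is "user|password".  The same password is copied into every
      # client's sssd.conf (ldap_default_authtok), so treat it as a secret.
      LDAP_BINDUSER: "${LDAP_BINDUSER:?set LDAP_BINDUSER (user|password) in .env}"
      # Keep debug off in normal operation and flip it only while
      # troubleshooting: verbose output may contain bind attempts and
      # directory data that should not end up in long-lived container logs.
      LDAP_DEBUG: "false"
      GRAPH_IGNORE_MFA_ERRORS: "false" # set this to true to bypass MFA
      DSM7: "true" # set this to false if you are running DSM 6 or lower
    ports:
      # Plain LDAP on 389 is unencrypted: every client bind sends the user's
      # password in cleartext.  Restrict reachability to the client subnets
      # (host firewall) and put TLS in front — check the wrapper's README for
      # its LDAPS option, or terminate TLS on a reverse proxy.
      # Quoted to avoid YAML's implicit typing of colon-separated numbers.
      - "389:13389"
    volumes:
      - /data/azuread-ldap/app:/app/.cache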
And on the Linux client: sssd.
# Client-side packages.  With id_provider/auth_provider = ldap it is the LDAP
# backend that matters (sssd-ldap on Debian/Ubuntu); realmd/adcli are only
# needed for an AD domain join, which this configuration does not use.
# NOTE(review): keep them if a `realm join` was actually performed, otherwise
# they can be dropped.
sudo apt install sssd-ad sssd-tools realmd adcli
# configuration of /etc/sssd/sssd.conf
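# /etc/sssd/sssd.conf — client side of the AzureAD-LDAP-wrapper setup.
# This file holds the directory bind password (ldap_default_authtok): it must be
# owned by root with mode 0600 (sssd refuses to start otherwise) and must not be
# committed or pasted into a wiki unredacted.  Validate with `sssctl config-check`.
[domain/external_ldap]
id_provider = ldap
auth_provider = ldap
# The restriction in ldap_access_filter below is only enforced when the access
# provider is "ldap".  sssd's default is "permit", under which every directory
# user is allowed to log in and the filter is silently ignored.
access_provider = ldap

# --- Transport ---------------------------------------------------------------
ldap_uri = ldap://ldap.sspu-opava.cz:389
# SECURITY: plain ldap:// together with the option below means user passwords
# cross the network in cleartext on every login.  Tolerable only on a trusted,
# isolated segment.  Once the wrapper serves LDAPS, switch to
#   ldap_uri = ldaps://ldap.sspu-opava.cz:636
#   ldap_tls_reqcert = demand
#   ldap_tls_cacert = /path/to/ca_cert.pem
# (or keep ldap:// and set ldap_id_use_start_tls = True) and delete the next line.
ldap_auth_disable_tls_never_use_in_production = true
ldap_network_timeout = 3
ldap_opt_timeout = 60
ldap_search_timeout = 30
ldap_referrals = False

# --- Bind credentials (must match the wrapper's LDAP_BINDUSER) ----------------
ldap_default_bind_dn = uid=ldapsearch
ldap_default_authtok = ldapsearch123
# NOTE(review): if your sssd still ships sss_obfuscate, ldap_default_authtok_type
# = obfuscated_password keeps the literal password out of this file; it is only
# obfuscation, not encryption, so the 0600 mode remains the real protection.

# --- Schema / lookups --------------------------------------------------------
ldap_schema = AD
ldap_user_search_base = dc=sspu-opava,dc=cz
ldap_group_search_base = DC=sspu-opava,DC=cz?subtree?(&(objectclass=group))
#ldap_group_search_base = ou=groups,dc=sspu-opava,dc=cz?subtree?(cn=ssh_access)
ldap_user_object_class = posixAccount
ldap_user_name = sAMAccountName
ldap_group_name = memberOf
#ldap_group_name = sAMAccountName
ignore_group_members = True
ldap_id_mapping = false
#ldap_id_mapping = True   # did not work in this setup
ldap_rfc2307_fallback_to_local_users = True
auto_private_groups = true
case_sensitive = False
override_homedir = /home/%u

# --- Access control ----------------------------------------------------------
# Only members of ucitele_wifi may log in (enforced via access_provider = ldap).
ldap_access_filter = (&(objectclass=posixaccount)(memberOf=cn=ucitele_wifi,cn=groups,dc=sspu-opava,dc=cz))

# --- Caching -----------------------------------------------------------------
# cache_credentials keeps a hash of each successful password locally so users
# can still log in while the wrapper is unreachable.
cache_credentials = True
entry_cache_timeout = 600
entry_cache_group_timeout = 0
entry_cache_user_timeout = 0

# --- Leftovers from an earlier realm/AD join; inert with the ldap providers ---
# ad_* and krb5_* options are not used by id/auth_provider = ldap, and
# simple_allow_groups only applies to access_provider = simple.  Re-enable
# only if this host is actually realm-joined.
#krb5_store_password_if_offline = True
#krb5_realm = LDAP.SSPU-OPAVA.CZ
#krb5_validate = false
#realmd_tags = manages-system joined-with-adcli
#ad_server = ldap.sspu-opava.cz
#ad_domain = ldap.sspu-opava.cz
#ad_gpo_access_control = permissive
#simple_allow_groups = users
#debug_level = 10

[sssd]
services = nss, sudo, ssh, pam
domains = external_ldap
# Lives in [sssd], not the domain section.  The original line carried a stray
# "adding " prefix, which makes it unparsable as a key.
implicit_pac_responder = false

[nss]
memcache_timeout = 600
homedir_substring = /home

[pam]
#debug_level = 10

[sudo]
[autofs]
[ssh]
[pac]
[ifp]
# NOTE(review): the secrets responder was removed in sssd 2.x; this empty
# section is most likely ignored — confirm with `sssctl config-check` and drop it.
[secrets]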
And also auto-create the home directory on first login:
# /etc/pam.d/common-session
# add the following line:
# Create the home directory on first login, copying /etc/skel.
# umask=0022 yields a world-readable home (drwxr-xr-x); use umask=0077 if each
# user's files should be private to that user.
session required pam_mkhomedir.so skel=/etc/skel umask=0022
Known limitation so far: automatic population of group names (groups).
Helper commands for testing:
#restart sssd
service sssd stop ; rm -rf /var/lib/sss/db/* ; service sssd start
#kontrola uzivatele
id [uzivatel]
sssctl user-checks -a=auth [user@domena] nebo [user]
journalctl
Samba
https://copyprogramming.com/howto/samba-file-server-ad-sssd-without-winbind