2 changed files with 0 additions and 233 deletions
--- a/home.md
+++ b/home.md
@ -1,12 +0,0 @@
 ---
 title: Untitled Page
 description: 
 published: true
 date: 2026-01-21T13:19:48.685Z
 tags: 
 editor: markdown
 dateCreated: 2026-01-21T13:19:48.685Z
 ---
 # Header
 Your content here
--- a/infrastructure/identity/ldap-client-setup.md
+++ b/infrastructure/identity/ldap-client-setup.md
@ -1,221 +0,0 @@
 ---
 title: LDAP Client Setup
 description: 
 published: true
 date: 2026-01-21T13:24:03.516Z
 tags: 
 editor: markdown
 dateCreated: 2026-01-21T13:21:40.588Z
 ---
 # Header
 Your content here✅ LLDAP + SSSD Node Join Checklist (FINAL)
 Assumptions
 LLDAP server: docker4
 LDAP URI: ldap://docker4:3890
 Base DN: dc=netgrimoire,dc=com
 Users/groups use lowercase attributes (uidnumber, gidnumber, homedirectory, unixshell, uniquemember)
 No TLS (lab only)
 Docker group GID = 1964 in LDAP
 This node is Ubuntu/Debian-based
 0️⃣ Safety first (do this every time)
 Open two SSH sessions to the node
 Confirm you can sudo
 Do not edit nsswitch.conf until SSSD is confirmed working
 1️⃣ Install required packages
 sudo apt update
 sudo apt install -y \
  sssd sssd-ldap sssd-tools \
  libpam-sss libnss-sss libsss-sudo \
  ldap-utils oddjob oddjob-mkhomedir
 Ensure legacy LDAP NSS is NOT installed
 sudo apt purge -y libnss-ldap libpam-ldap nslcd libnss-ldapd libpam-ldapd || true
 sudo apt autoremove -y
 2️⃣ Verify LDAP connectivity (must pass)
 getent hosts docker4
 nc -vz docker4 3890
 ldapwhoami -x -H ldap://docker4:3890 \
  -D 'uid=admin,ou=people,dc=netgrimoire,dc=com' -w 'F@lcon13'
 ❌ If any fail → stop and fix networking/DNS/firewall.
 3️⃣ Create /etc/sssd/sssd.conf (single file, no includes)
 sudo vi /etc/sssd/sssd.conf
 Paste exactly:
 [sssd]
 services = nss, pam, ssh
 config_file_version = 2
 domains = netgrimoire.com
 [nss]
 filter_users = root
 filter_groups = root
 [pam]
 offline_failed_login_attempts = 3
 offline_failed_login_delay = 5
 [ssh]
 [domain/netgrimoire.com]
 id_provider = ldap
 auth_provider = ldap
 chpass_provider = ldap
 access_provider = permit
 enumerate = false
 cache_credentials = true
 ldap_uri = ldap://docker4:3890
 ldap_schema = rfc2307bis
 ldap_search_base = dc=netgrimoire,dc=com
 ldap_auth_disable_tls_never_use_in_production = true
 ldap_id_use_start_tls = false
 ldap_tls_reqcert = never
 ldap_default_bind_dn = uid=admin,ou=people,dc=netgrimoire,dc=com
 ldap_default_authtok = F@lcon13
 # USERS (lowercase attributes)
 ldap_user_search_base = ou=people,dc=netgrimoire,dc=com
 ldap_user_object_class = posixAccount
 ldap_user_name = uid
 ldap_user_gecos = cn
 ldap_user_uid_number = uidnumber
 ldap_user_gid_number = gidnumber
 ldap_user_home_directory = homedirectory
 ldap_user_shell = unixshell
 # GROUPS (lowercase attributes)
 ldap_group_search_base = ou=groups,dc=netgrimoire,dc=com
 ldap_group_object_class = groupOfUniqueNames
 ldap_group_name = cn
 ldap_group_gid_number = gidnumber
 ldap_group_member = uniquemember
 4️⃣ Fix permissions (SSSD will NOT start without this)
 sudo chown root:root /etc/sssd/sssd.conf
 sudo chmod 600 /etc/sssd/sssd.conf
 sudo chmod 700 /etc/sssd
 Validate:
 sudo sssctl config-check
 5️⃣ Start SSSD cleanly
 sudo systemctl enable sssd
 sudo systemctl stop sssd
 sudo rm -f /var/lib/sss/db/* /var/lib/sss/mc/*
 sudo systemctl start sssd
 Verify:
 sudo systemctl status sssd --no-pager -l
 sudo sssctl domain-status netgrimoire.com
 Expected:
 Online status: Online
 LDAP: docker4
 6️⃣ Enable NSS lookups via SSSD (LDAP-first)
 Edit /etc/nsswitch.conf:
 passwd: sss files systemd
 group:  sss files systemd
 shadow: sss files
 Test:
 getent passwd graymutt
 getent group docker
 id graymutt
 7️⃣ 🔑 RE-INITIALIZE PAM (THIS IS THE STEP YOU REMEMBERED)
 This step is mandatory on Debian/Ubuntu.
 sudo pam-auth-update
 In the menu, ENABLE:
 ✅ Unix authentication
 ✅ SSSD
 ✅ Create home directory on login
 DISABLE:
 ❌ LDAP Authentication (legacy)
 ❌ Kerberos (unless you explicitly use it)
 Press OK.
 8️⃣ Verify PAM wiring
 grep pam_sss.so /etc/pam.d/common-*
 grep pam_mkhomedir /etc/pam.d/common-session
 You should see:
 session required pam_mkhomedir.so skel=/etc/skel umask=0022
 9️⃣ Final login test (definitive)
 ssh graymutt@localhost
 Expected:
 Login succeeds
 /home/graymutt is auto-created
 Correct LDAP groups present
 🔟 (Optional but recommended) Remove local docker group
 If the node has a local docker group (gid 998):
 sudo groupdel docker
 Verify:
 getent group docker
 Expected:
 docker:x:1964:graymutt,dockhand
 🧪 Fast troubleshooting commands
 sudo sssctl domain-status netgrimoire.com
 sudo tail -n 200 /var/log/sssd/sssd_netgrimoire.com.log
 sudo systemctl status sssd --no-pager -l