LDAP network accounts

1. What is LDAP
LDAP: directory-service authentication, similar to Windows Active Directory; essentially a way of recording data.

2. Software required on the LDAP client
[root@server37 ~]# vim /etc/yum.repos.d/rhel_dvd.repo
[root@server37 ~]# cat /etc/yum.repos.d/rhel_dvd.repo
# Created by cloud-init on Thu, 10 Jul 2014 22:19:11 +0000
[rhel_dvd]
gpgcheck = 0
enabled = 1
baseurl = http://172.25.37.254/content/rhel7.0/x86_64
name = Remote classroom copy of dvd

yum install sssd krb5-workstation -y
3. How to enable LDAP user authentication
authconfig-tui

┌────────────────┤ Authentication Configuration ├─────────────────┐
│                                                                │
│  User Information        Authentication                         │
│  [ ] Cache Information   [ ] Use MD5 Passwords                  │
│  [*] Use LDAP            [*] Use Shadow Passwords               │
│  [ ] Use NIS             [ ] Use LDAP Authentication            │
│  [ ] Use IPAv2           [*] Use Kerberos                       │
│  [ ] Use Winbind         [ ] Use Fingerprint reader             │
│                          [ ] Use Winbind Authentication        │
│                          [*] Local authorization is sufficient │
│                                                                │
│            ┌────────┐                      ┌──────┐             │
│            │ Cancel │                      │ Next │             │
│            └────────┘                      └──────┘             │
│                                                                │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
                                                                                          


┌─────────────────┤ LDAP Settings ├─────────────────┐
│                                                  │
│          [*] Use TLS                              │
│  Server:ldap://classroom.example.com/___________ │
│ Base DN: dc=example,dc=com_______________________ │
│                                                   │
│         ┌──────┐                ┌──────┐          │
│         │ Back │                │ Next │          │
│         └──────┘                └──────┘          │
│                                                  │
│                                                   │
└───────────────────────────────────────────────────┘
                                                     



┌─────────────────┤ Kerberos Settings ├──────────────────┐
│                                                        │
│        Realm:EXAMPLE.COM_____________________________ │
│          KDC:classroom.example.com___________________ │
│ Admin Server: classroom.example.com___________________ │
│               [ ] Use DNS to resolve hosts to realms  │
│               [ ] Use DNS to locate KDCs for realms   │
│                                                       │
│          ┌──────┐                    ┌────┐            │
│          │ Back │                    │ Ok │            │
│          └──────┘                    └────┘            │
│                                                       │
│                                                       │
└────────────────────────────────────────────────────────┘
                                                          
<When the following error appears>

┌────────────────┤ Warning ├─────────────────┐
│                                           │
│ To connect to a LDAP server with TLS      │
│ protocol enabled you need a CA certificate │
│ which signed your server's certificate.   │
│ Copy the certificate in the PEM format to │
│ the '/etc/openldap/cacerts' directory.    │
│ Then press OK.                            │
│                                           │
│                  ┌────┐                    │
│                  │ Ok │                    │
│                  └────┘                    │
│                                           │
│                                           │
└────────────────────────────────────────────┘
                                                                               
This is because the TLS CA certificate is missing; download the required certificate from the server into /etc/openldap/cacerts.
Command used:
wget http://172.25.254.254/pub/example-ca.crt
[root@server37 ~]# wget http://172.25.254.254/pub/example-ca.crt
--2017-04-13 04:30:16-- http://172.25.254.254/pub/example-ca.crt
Connecting to 172.25.254.254:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1220 (1.2K)
Saving to: ‘example-ca.crt’

100%[===================>] 1,220      --.-K/s   in 0s     

2017-04-13 04:30:16 (137 MB/s) - ‘example-ca.crt’ saved [1220/1220]
[root@server37 cacerts]# ls
d5912a02.0  example-ca.crt
[root@server37 cacerts]# getent passwd ldapuser1
ldapuser1:x:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash
[root@server37 cacerts]# su - ldapuser1
Last login: Wed Apr 12 04:36:14 EDT 2017 on pts/1
su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory
mkdir: cannot create directory '/home/guests/ldapuser1': Permission denied
-bash-4.2$
<Testing>
getent passwd ldapuser1
If the user information is displayed correctly, the client-side authentication setup succeeded.

List all users:
vim /etc/sssd/sssd.conf
enumerate = True
systemctl restart sssd 
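Added example, not part of the original post: a POSIX sh audit of the sssd.conf that authconfig-tui writes for the client above, checking that user lookups use StartTLS against a verified server certificate (the CA file downloaded into /etc/openldap/cacerts) and that passwords go to the KDC rather than an LDAP simple bind. It assumes the standard sssd-ldap(5)/sssd-krb5(5) option names; the two configuration files it audits are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: audit the sssd.conf that
# authconfig writes for the LDAP + Kerberos client configured above, so that
# identity lookups go over TLS to a server whose certificate is verified.
# The sample configs below are constructed; the key names are standard
# sssd-ldap(5) / sssd-krb5(5) options.

# get_opt FILE KEY: print the value of "KEY = value" (first match, trimmed)
get_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# check_sssd_conf FILE: return 0 if the client verifies the LDAP server, else 1
check_sssd_conf() {
    conf=$1; rc=0
    # user/group records come from LDAP and must not travel in clear text
    [ "$(get_opt "$conf" id_provider)" = "ldap" ] || { echo "id_provider is not ldap"; rc=1; }
    [ "$(get_opt "$conf" ldap_id_use_start_tls)" = "True" ] || { echo "StartTLS is off"; rc=1; }
    # sssd defaults ldap_tls_reqcert to hard; only an explicit weaker value is a problem
    case "$(get_opt "$conf" ldap_tls_reqcert)" in
        ""|hard|demand) ;;
        *) echo "ldap_tls_reqcert permits unverified server certificates"; rc=1 ;;
    esac
    # passwords are checked by the KDC, not by an LDAP simple bind
    [ "$(get_opt "$conf" auth_provider)" = "krb5" ] || { echo "auth_provider is not krb5"; rc=1; }
    # the CA directory must hold a hashed CA certificate (the d5912a02.0 link seen above)
    cadir=$(get_opt "$conf" ldap_tls_cacertdir)
    if [ -z "$cadir" ] || ! ls "$cadir"/*.0 >/dev/null 2>&1; then
        echo "no hashed CA certificate under '${cadir:-unset}'"; rc=1
    fi
    return $rc
}
# Constructed sample configs; paths are temporary stand-ins, not /etc
WORK=$(mktemp -d)
mkdir -p "$WORK/cacerts" && : > "$WORK/cacerts/d5912a02.0"   # stand-in for the hash link
SECURE_CONF=$WORK/secure.conf
WEAK_CONF=$WORK/weak.conf
cat > "$SECURE_CONF" <<EOF
[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://classroom.example.com/
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = $WORK/cacerts
EOF
# weak variant: StartTLS off and the server certificate never checked
{ sed 's/^ldap_id_use_start_tls.*/ldap_id_use_start_tls = False/' "$SECURE_CONF"
  echo "ldap_tls_reqcert = never"; } > "$WEAK_CONF"
```

Run `check_sssd_conf /etc/sssd/sssd.conf` on a real client to audit the file authconfig produced; each failed check prints the option that needs attention.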

4. Automatically mounting users' home directories
yum install autofs -y
vim /etc/auto.master
/home/guests    /etc/auto.ldap

vim /etc/auto.ldap
ldapuser1   172.25.254.254:/home/guests/ldapuser1
*       172.25.254.254:/home/guests/&

systemctl restart autofs                               
systemctl enable autofs
