LDAP client configuration

  1. Install the packages
    [root@kvm4 ~]# yum install {openldap,openldap-clients,nss-pam-ldapd}
    
  2. LDAP server details
    1. LDAP server: deyu.wang
    2. base DN: dc=deyu,dc=wang
    3. CA certificate: ftp://deyu.wang/pub/cacert.pem
    4. account: ldapuser1
    5. password: 123
    
  3. Configure the client by hand and enable authentication
    1. Edit the configuration files
      [root@kvm4 ~]# vi /etc/nslcd.conf
      uri ldap://deyu.wang/
      base dc=deyu,dc=wang
      ssl start_tls
      tls_cacertdir /etc/openldap/cacerts
      
      [root@kvm4 ~]# vi /etc/openldap/ldap.conf
      URI ldap://deyu.wang/
      BASE dc=deyu,dc=wang
      TLS_CACERTDIR /etc/openldap/cacerts
      
      [root@kvm4 ~]# vi /etc/pam_ldap.conf
      base dc=deyu,dc=wang
      uri ldap://deyu.wang/
      ssl start_tls
      tls_cacertdir /etc/openldap/cacerts
      pam_password md5
      
      [root@kvm4 ~]# vi /etc/nsswitch.conf
      passwd:     files ldap
      shadow:     files ldap
      group:      files ldap
      
    2. Download the CA certificate
      [root@kvm4 ~]# cd /etc/openldap/cacerts/
      [root@kvm4 cacerts]# wget ftp://deyu.wang/pub/cacert.pem
      --2011-12-20 22:10:29--  ftp://deyu.wang/pub/cacert.pem
                 => “cacert.pem”
      Resolving deyu.wang... 192.168.122.1
      Connecting to deyu.wang|192.168.122.1|:21... connected.
      Logging in as anonymous ... Logged in!
      ==> SYST ... done.    ==> PWD ... done.
      ==> TYPE I ... done.  ==> CWD (1) /pub ... done.
      ==> SIZE cacert.pem ... 1318
      ==> PASV ... done.    ==> RETR cacert.pem ... done.
      Length: 1318 (1.3K) (unauthoritative)
      
      100%[======================================>] 1,318       --.-K/s   in 0s      
      
      2011-12-20 22:10:29 (144 MB/s) - “cacert.pem” saved [1318]
      
    3. Create the hash link for the certificate
      [root@kvm4 cacerts]# ll
      total 4
      -rw-r--r--. 1 root root 1318 Dec 20 22:10 cacert.pem
      [root@kvm4 cacerts]# cacertdir_rehash .
      [root@kvm4 cacerts]# ll
      total 4
      lrwxrwxrwx. 1 root root   10 Dec 20 22:14 77bc2243.0 -> cacert.pem
      -rw-r--r--. 1 root root 1318 Dec 20 22:10 cacert.pem
      

    4. Start nslcd
      [root@kvm4 ~]#  /etc/init.d/nslcd start
      Starting nslcd:                                            [  OK  ]
      
    5. Test the LDAP user: use the Send Key menu to send Ctrl+Alt+F2 and switch to the second virtual terminal, then log in as ldapuser1 to verify that the password works.
      [root@kvm4 ~]# getent passwd ldapuser1
      ldapuser1:{SSHA}HAvRpYe5TR88asauGqYtoCFzT7qHYqjP:1001:1001:ldapuser1:/home/guests/ldapuser1:/bin/bash
      
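    An added example (not from the original page) that checks the result of steps 3.1 and 3.3 offline, and also flags what the getent output in steps 3.5, 5 and 7 shows: the password field carries the {SSHA} hash, so the server is handing userPassword to an anonymous bind. File paths are passed as arguments; key and file names are assumed from the page, and the TLS check also accepts an ldaps:// uri, which the page does not use.

```shell
#!/bin/sh
# Added example, not from the original page: offline sanity checks for the
# LDAP client setup above. Paths are arguments so the checks can run against
# copies of /etc/nslcd.conf, /etc/pam_ldap.conf and /etc/openldap/cacerts/.

# Succeed when FILE ($1) has a line "KEY VALUE" ($2 $3).
conf_has() {
    awk -v k="$2" -v v="$3" '$1 == k && $2 == v { found = 1 } END { exit !found }' "$1"
}
# nslcd.conf / pam_ldap.conf: uri and base must be set; TLS must be enforced
# (ssl start_tls, or an ldaps:// uri) or a simple bind sends the password in
# clear text; a CA location must be set or the server cert is never verified.
check_ldap_client_conf() {
    f="$1"; rc=0
    grep -Eq '^[[:space:]]*uri[[:space:]]' "$f"  || { echo "$f: uri missing"; rc=1; }
    grep -Eq '^[[:space:]]*base[[:space:]]' "$f" || { echo "$f: base missing"; rc=1; }
    if ! conf_has "$f" ssl start_tls && ! grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps://' "$f"; then
        echo "$f: no TLS (add 'ssl start_tls' or use an ldaps:// uri)"; rc=1
    fi
    grep -Eq '^[[:space:]]*tls_cacert(dir|file)[[:space:]]' "$f" || { echo "$f: no CA configured"; rc=1; }
    return $rc
}

# cacerts dir: cacertdir_rehash creates <subject-hash>.N links (77bc2243.0 above);
# each must resolve to a file and at least one must exist, or TLS verification fails.
check_cacert_dir() {
    d="$1"; n=0
    for l in "$d"/*.[0-9]*; do
        [ -L "$l" ] || [ -e "$l" ] || continue   # glob matched nothing
        case "${l##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].*) ;;
            *) continue ;;
        esac
        [ -f "$l" ] || { echo "$d: dangling hash link ${l##*/}"; return 1; }
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] || { echo "$d: no hash links, run cacertdir_rehash"; return 1; }
}

# The getent output above shows "{SSHA}..." in the password field: the server
# returns userPassword to an anonymous bind, so any local user can read the
# hashes. Return 0 when a passwd line leaks a hash this way.
passwd_line_leaks_hash() {
    case "$(printf '%s' "$1" | cut -d: -f2)" in
        x|\*|!|"") return 1 ;;
        *) return 0 ;;
    esac
}
# Usage: check_ldap_client_conf /etc/nslcd.conf && check_cacert_dir /etc/openldap/cacerts
#        passwd_line_leaks_hash "$(getent passwd ldapuser1)" && echo "password hashes readable"
```

    When the last check fires, the fix belongs on the server side (an access directive that keeps userPassword readable only by the entry itself and by auth) or in a non-anonymous bind for nslcd; the client configuration above cannot hide it.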

  4. Configure LDAP authentication with the authconfig command
    [root@kvmr4 ~]# authconfig --help | grep ldap
      --enableldap          enable LDAP for user information by default
      --disableldap         disable LDAP for user information by default
      --enableldapauth      enable LDAP for authentication by default
      --disableldapauth     disable LDAP for authentication by default
      --ldapserver=<server>
      --ldapbasedn=<dn>     default LDAP base DN
      --enableldaptls, --enableldapstarttls
      --disableldaptls, --disableldapstarttls
      --ldaploadcacert=<URL>
    
    [root@kvm4 ~]#  authconfig --enableldap --enableldapauth \
    --ldapserver=deyu.wang --ldapbasedn="dc=deyu,dc=wang" --enableldaptls --enableldapstarttls \
    --ldaploadcacert=ftp://deyu.wang/pub/cacert.pem --update
    Starting nslcd:                                            [  OK  ]
    

  5. Check whether the account to log in with exists
    [root@kvm4 cacerts]# getent passwd ldapuser1
    ldapuser1:{SSHA}HAvRpYe5TR88asauGqYtoCFzT7qHYqjP:1001:1001:ldapuser1:/home/guests/ldapuser1:/bin/bash
    
  6. Login test
    [root@kvm4 cacerts]# su - ldapuser1
    su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory
    -bash-4.1$
    
  7. Once the NFS share is mounted, the LDAP account has its home directory at login
    [root@kvm4 ~]# getent passwd ldapuser1
    ldapuser1:{SSHA}HAvRpYe5TR88asauGqYtoCFzT7qHYqjP:1001:1001:ldapuser1:/home/guests/ldapuser1:/bin/bash
    [root@kvm4 ~]# su - ldapuser1
    [ldapuser1@kvm4 ~]$ pwd
    /home/guests/ldapuser1
    
  8. LDAP client graphical configuration tool
    [root@kvm4 cacerts]# system-config-authentication
    1. Under "User account database", select LDAP
    2. For "base DN", enter 'dc=deyu,dc=wang'
    3. For "LDAP Server", enter 'ldap://deyu.wang'
    4. Click "Download certificate" and use ftp://deyu.wang/pub/cacert.pem
    5. Leave TLS *UNCHECKED*
    6. Under "Authentication Method", select LDAP
    7. Select Apply and complete firstboot setup