[root@kvm4 ~]# yum install {openldap,openldap-clients,nss-pam-ldapd}
1. ldap server: deyu.wang 2. base dn: dc=deyu,dc=wang 3. 認證證書 (CA certificate): ftp://deyu.wang/pub/cacert.pem 4. 帳號 (account): ldapuser1 5. 密碼 (password): 123 — note that the CA certificate is only offered over anonymous FTP, an unauthenticated channel, and that "123" is a lab-only test password; both are acceptable for an exam-style exercise but not for a production directory.
[root@kvm4 ~]# vi /etc/nslcd.conf
uri ldap://deyu.wang/
base dc=deyu,dc=wang
ssl start_tls
tls_cacertdir /etc/openldap/cacerts

[root@kvm4 ~]# vi /etc/openldap/ldap.conf
URI ldap://deyu.wang/
BASE dc=deyu,dc=wang
TLS_CACERTDIR /etc/openldap/cacerts

[root@kvm4 ~]# vi /etc/pam_ldap.conf
base dc=deyu,dc=wang
uri ldap://deyu.wang/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5

[root@kvm4 ~]# vi /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap

Two security notes on these files. First, `ssl start_tls` only turns on encryption; whether the server certificate is actually checked against the CA in `tls_cacertdir` is governed by `tls_reqcert` (nslcd.conf / pam_ldap.conf) and `TLS_REQCERT` (ldap.conf). Leave it at the OpenLDAP default of `demand` (or set it explicitly); setting it to `allow` or `never` makes the downloaded CA pointless and the connection trivially interceptable. Second, `pam_password md5` makes the client hash the password with unsalted MD5 before writing it into `userPassword` on a password change; prefer `pam_password exop` (the RFC 3062 password-modify extended operation, which lets the server choose its own salted hash), or `pam_password clear` only because the connection is already protected by STARTTLS.
[root@kvm4 ~]# cd /etc/openldap/cacerts/
[root@kvm4 cacerts]# wget ftp://deyu.wang/pub/cacert.pem
--2011-12-20 22:10:29-- ftp://deyu.wang/pub/cacert.pem
=> "cacert.pem"
Resolving deyu.wang... 192.168.122.1
Connecting to deyu.wang|192.168.122.1|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done. ==> TYPE I ... done. ==> CWD (1) /pub ... done.
==> SIZE cacert.pem ... 1318
==> PASV ... done. ==> RETR cacert.pem ... done.
Length: 1318 (1.3K) (unauthoritative)
100%[======================================>] 1,318 --.-K/s in 0s
2011-12-20 22:10:29 (144 MB/s) - "cacert.pem" saved [1318]

This download is the trust anchor for every later TLS connection, yet it arrives over anonymous FTP with no integrity protection: anyone who can spoof or intercept the FTP session can hand the client a CA of their own and then transparently intercept the LDAP traffic (including bind passwords). Before trusting the file, compare its fingerprint with one obtained out-of-band from the directory administrator, e.g. `openssl x509 -in cacert.pem -noout -fingerprint -sha256`, and check that it is actually a CA certificate (`openssl x509 -in cacert.pem -noout -subject -issuer`).
[root@kvm4 cacerts]# ll
total 4
-rw-r--r--. 1 root root 1318 Dec 20 22:10 cacert.pem
[root@kvm4 cacerts]# cacertdir_rehash .
[root@kvm4 cacerts]# ll
total 4
lrwxrwxrwx. 1 root root 10 Dec 20 22:14 77bc2243.0 -> cacert.pem
-rw-r--r--. 1 root root 1318 Dec 20 22:10 cacert.pem

The hashed symlink (`77bc2243.0`) is what the TLS library looks up when `tls_cacertdir` is used; the plain `cacert.pem` is not enough on its own. Re-run `cacertdir_rehash` whenever the CA certificate in this directory is replaced or rotated, otherwise the old hash link dangles and verification fails. The files are root-owned and world-readable, which is correct for a public CA certificate (it contains no secret).
[root@kvm4 ~]# /etc/init.d/nslcd start Starting nslcd: [ OK ]
[root@kvm4 ~]# getent passwd ldapuser1
ldapuser1:{SSHA}HAvRpYe5TR88asauGqYtoCFzT7qHYqjP:1001:1001:ldapuser1:/home/guests/ldapuser1:/bin/bash

Although the lookup works, the password field shows the user's real `{SSHA}` hash. nslcd has no `binddn` configured here, so this lookup was made with an anonymous bind, which means the server's ACL lets *anyone* on the network read `userPassword` and crack the (salted SHA-1, fast to brute-force) hashes offline — and the exercise password is "123". This is a server-side misconfiguration: the directory should restrict the attribute with something like `access to attrs=userPassword by self write by anonymous auth by * none` in slapd's ACLs, after which the NSS password field will no longer expose the hash. On the client side it is also common to map the field to a placeholder (`map passwd userPassword "*"` in nslcd.conf) so the hash is never surfaced through NSS even if the ACL is loose; confirm the exact directive against your nslcd version.
[root@kvmr4 ~]# authconfig --help | grep ldap
--enableldap enable LDAP for user information by default
--disableldap disable LDAP for user information by default
--enableldapauth enable LDAP for authentication by default
--disableldapauth disable LDAP for authentication by default
--ldapserver=<server>
--ldapbasedn=<dn> default LDAP base DN
--enableldaptls, --enableldapstarttls
--disableldaptls, --disableldapstarttls
--ldaploadcacert=<URL>
[root@kvm4 ~]# authconfig --enableldap --enableldapauth \
--ldapserver=deyu.wang --ldapbasedn="dc=deyu,dc=wang" --enableldaptls --enableldapstarttls \
--ldaploadcacert=ftp://deyu.wang/pub/cacert.pem --update
Starting nslcd: [ OK ]

This one-liner is the equivalent of the manual edits above (it writes nslcd.conf, pam_ldap.conf, ldap.conf and nsswitch.conf, fetches the CA into `/etc/openldap/cacerts` and rehashes it). The same caveat applies to `--ldaploadcacert`: the URL is fetched without any integrity check, so verify the resulting `/etc/openldap/cacerts/*.pem` fingerprint out-of-band before relying on TLS. `--enableldaptls`/`--enableldapstarttls` must stay on — without them `--enableldapauth` would send bind passwords in cleartext.
[root@kvm4 cacerts]# getent passwd ldapuser1
ldapuser1:{SSHA}HAvRpYe5TR88asauGqYtoCFzT7qHYqjP:1001:1001:ldapuser1:/home/guests/ldapuser1:/bin/bash

Same result as before authconfig: the lookup succeeds, and the `{SSHA}` hash is still readable anonymously, which is a server ACL problem to fix on the directory side rather than on this client.
[root@kvm4 cacerts]# su - ldapuser1
su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory
-bash-4.1$

The warning means NSS resolved the account but its home directory does not exist on this host; the shell starts in the previous working directory (`/etc/openldap/cacerts`), which is why the prompt falls back to the bare `-bash-4.1$`. Note also that `su` run by root does not ask for a password, so this only proves the NSS lookup works — it does not exercise LDAP *authentication*. To test PAM, log in as ldapuser1 over ssh or run `su - ldapuser1` from an unprivileged account, and check `/var/log/secure` for the pam_ldap/nslcd result.
[root@kvm4 ~]# getent passwd ldapuser1
ldapuser1:{SSHA}HAvRpYe5TR88asauGqYtoCFzT7qHYqjP:1001:1001:ldapuser1:/home/guests/ldapuser1:/bin/bash
[root@kvm4 ~]# su - ldapuser1
[ldapuser1@kvm4 ~]$ pwd
/home/guests/ldapuser1

Here the home directory exists, so `su -` lands in it and the normal prompt appears. How `/home/guests/ldapuser1` came to exist is not shown in this transcript (typically an autofs/NFS mount of the home share, or `pam_mkhomedir`); whichever it is, make sure the directory is owned by uid 1001 with mode 0700 or similar, as LDAP users with a shared numeric range are otherwise easy to collide.
[root@kvm4 cacerts]# system-config-authentication
1. Under "User account database" select LDAP
2. For "base DN", enter 'dc=deyu,dc=wang'
3. For "LDAP Server", enter 'ldap://deyu.wang'
4. Click "Download certificate" and use ftp://deyu.wang/pub/cacert.pem
5. Leave TLS *UNCHECKED*
6. Under "Authentication Method", select LDAP
7. Select Apply and complete firstboot setup

Caution on step 5: with "Use TLS to encrypt connections" left unchecked, the LDAP authentication selected in step 6 performs simple binds in cleartext, exposing every user's password on the wire; it also makes the certificate downloaded in step 4 unused. Unless the server is reachable only over a trusted link, enable TLS here (matching the `ssl start_tls` / `--enableldaptls` settings used earlier in this page) and verify the downloaded certificate's fingerprint out-of-band, as with the wget step.
2015-04-13