LDAP network accounts

1. What is LDAP

LDAP (Lightweight Directory Access Protocol) is a directory service used for authentication, similar to Windows Active Directory: it is a way of storing and looking up user and account data.

2. Software required on the LDAP client

Point yum at the classroom repository, then install sssd (the identity and authentication daemon) and krb5-workstation (the Kerberos client tools):

[root@server37 ~]# vim /etc/yum.repos.d/rhel_dvd.repo
[root@server37 ~]# cat /etc/yum.repos.d/rhel_dvd.repo
# Created by cloud-init on Thu, 10 Jul 2014 22:19:11 +0000
[rhel_dvd]
gpgcheck = 0
enabled = 1
baseurl = http://172.25.37.254/content/rhel7.0/x86_64
name = Remote classroom copy of dvd
yum install sssd krb5-workstation -y

gpgcheck = 0 turns off RPM signature verification for this repository. That is tolerable for a classroom mirror you control; on a real system keep gpgcheck = 1, otherwise an unsigned or tampered package served from a plain-HTTP mirror installs without complaint.
3. How to enable LDAP user authentication

authconfig-tui

In the first screen select Use LDAP under User Information and Use Kerberos under Authentication (the user database is LDAP, the password check is Kerberos), then fill in the LDAP and Kerberos screens as shown:

┌────────────────┤ Authentication Configuration ├─────────────────┐
│                                                                 │
│  User Information        Authentication                         │
│  [ ] Cache Information   [ ] Use MD5 Passwords                  │
│  [*] Use LDAP            [*] Use Shadow Passwords               │
│  [ ] Use NIS             [ ] Use LDAP Authentication            │
│  [ ] Use IPAv2           [*] Use Kerberos                       │
│  [ ] Use Winbind         [ ] Use Fingerprint reader             │
│                          [ ] Use Winbind Authentication         │
│                          [*] Local authorization is sufficient  │
│                                                                 │
│            ┌────────┐                      ┌──────┐             │
│            │ Cancel │                      │ Next │             │
│            └────────┘                      └──────┘             │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘



┌─────────────────┤ LDAP Settings ├─────────────────┐
│                                                   │
│          [*] Use TLS                              │
│  Server: ldap://classroom.example.com/___________ │
│ Base DN: dc=example,dc=com_______________________ │
│                                                   │
│         ┌──────┐                ┌──────┐          │
│         │ Back │                │ Next │          │
│         └──────┘                └──────┘          │
│                                                   │
└───────────────────────────────────────────────────┘




┌─────────────────┤ Kerberos Settings ├──────────────────┐
│                                                        │
│        Realm: EXAMPLE.COM_____________________________ │
│          KDC: classroom.example.com___________________ │
│ Admin Server: classroom.example.com___________________ │
│               [ ] Use DNS to resolve hosts to realms   │
│               [ ] Use DNS to locate KDCs for realms    │
│                                                        │
│          ┌──────┐                    ┌────┐            │
│          │ Back │                    │ Ok │            │
│          └──────┘                    └────┘            │
│                                                        │
└────────────────────────────────────────────────────────┘

When the following warning appears:

┌────────────────┤ Warning ├─────────────────┐
│                                            │
│ To connect to a LDAP server with TLS       │
│ protocol enabled you need a CA certificate │
│ which signed your server's certificate.    │
│ Copy the certificate in the PEM format to  │
│ the '/etc/openldap/cacerts' directory.     │
│ Then press OK.                             │
│                                            │
│                  ┌────┐                    │
│                  │ Ok │                    │
│                  └────┘                    │
│                                            │
└────────────────────────────────────────────┘

This happens because the client has no CA certificate for the TLS connection. Fetch the CA certificate that signed the LDAP server's certificate from the classroom server and put it in /etc/openldap/cacerts (the transcript below downloads it into /root; the file must be in /etc/openldap/cacerts before you press Ok).

Note that the download is over plain HTTP: anyone on the path can substitute a CA of their own and then impersonate the LDAP server over TLS, so compare the certificate's fingerprint with one obtained from the server's administrator before trusting it.

Command used:
[root@server37 ~]# wget http://172.25.254.254/pub/example-ca.crt
--2017-04-13 04:30:16-- http://172.25.254.254/pub/example-ca.crt
Connecting to 172.25.254.254:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1220 (1.2K)
Saving to: ‘example-ca.crt’

100%[===================>] 1,220      --.-K/s   in 0s     

2017-04-13 04:30:16 (137 MB/s) - ‘example-ca.crt’ saved [1220/1220]
[root@server37 cacerts]# ls
d5912a02.0  example-ca.crt

The directory now holds the downloaded file and d5912a02.0, the hash-named link to it that the OpenLDAP client library looks up; that link is created when authconfig rehashes the directory after you press Ok.
[root@server37 cacerts]# getent passwd ldapuser1
ldapuser1:x:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash
[root@server37 cacerts]# su - ldapuser1
Last login: Wed Apr 12 04:36:14 EDT 2017 on pts/1
su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory
mkdir: cannot create directory '/home/guests/ldapuser1': Permission denied
-bash-4.2$
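Because the CA certificate arrives over unauthenticated HTTP, a practitioner gates it before it goes into /etc/openldap/cacerts. The script below is an added example and not part of the original post: it checks that the downloaded file is actually PEM-framed (not an HTML error page saved under the right name) and that its SHA-256 matches a digest obtained out of band, and only then copies it into the cacerts directory. The helper names (pem_looks_valid, install_ca_cert, make_sample_pem) and the placeholder certificate body are this example's own; in real use the digest comes from the server's administrator, not from the same HTTP server, and you would compare it against `sha256sum example-ca.crt` on the download.

```shell
#!/bin/bash
# Added example, not part of the original post: gate the CA certificate
# before it goes into /etc/openldap/cacerts. The page fetches it over plain
# HTTP, so an on-path attacker could hand the client a CA of their own and
# then impersonate the LDAP server over "TLS". Comparing the file against a
# SHA-256 digest obtained out of band closes that gap.
#
# Assumed names: pem_looks_valid, install_ca_cert and make_sample_pem are
# this example's own helpers; the sample certificate body is a constructed
# placeholder, not a real certificate.

set -u

# pem_looks_valid <file>: 0 if the file is non-empty and framed by the PEM
# certificate markers, 1 otherwise. This catches the classic failure of an
# HTML error page or a 0-byte file saved under the expected name.
pem_looks_valid() {
    [ -s "$1" ] || return 1
    grep -q '^-----BEGIN CERTIFICATE-----$' "$1" || return 1
    grep -q '^-----END CERTIFICATE-----$' "$1" || return 1
}

# install_ca_cert <pem-file> <expected-sha256> <cacerts-dir>
# Copy the certificate into <cacerts-dir> only when it is a PEM certificate
# whose SHA-256 equals the digest obtained out of band. Nothing is written
# on mismatch, so a bad download cannot end up trusted by accident.
install_ca_cert() {
    file=$1; expected=$2; destdir=$3

    if ! pem_looks_valid "$file"; then
        echo "refusing: $file is not a PEM certificate" >&2
        return 1
    fi

    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "refusing: digest mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi

    mkdir -p "$destdir"
    cp "$file" "$destdir/"
    chmod 0644 "$destdir/$(basename "$file")"
    echo "installed $(basename "$file") into $destdir"
}

# make_sample_pem <file>: write a constructed PEM-framed placeholder so the
# example runs offline. It is NOT a usable certificate.
make_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsample0constructed0placeholder0body0for0the0example0only0000
-----END CERTIFICATE-----
EOF
}

# Demo: a good download, a tampered one and a non-certificate, all in a
# temp dir so nothing touches the real /etc/openldap/cacerts.
work=$(mktemp -d)
make_sample_pem "$work/example-ca.crt"
# In real use this digest comes from the administrator, not from this host.
trusted_digest=$(sha256sum "$work/example-ca.crt" | awk '{print $1}')
install_ca_cert "$work/example-ca.crt" "$trusted_digest" "$work/cacerts"          # installs
printf 'tampered\n' >> "$work/example-ca.crt"
install_ca_cert "$work/example-ca.crt" "$trusted_digest" "$work/cacerts2" || true # digest mismatch
printf '<html>404 Not Found</html>\n' > "$work/bogus.crt"
install_ca_cert "$work/bogus.crt" "$trusted_digest" "$work/cacerts3" || true      # not PEM
```

Run it as root with the real paths (`install_ca_cert example-ca.crt <digest> /etc/openldap/cacerts`) before pressing Ok in the warning dialog; if the digest check fails, stop and get a trustworthy copy rather than clicking through.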
Test:

getent passwd ldapuser1

If the user's record is displayed, the client resolves identities from LDAP through sssd. This proves the lookup path, not the Kerberos password check: su from root never asks for a password, so to verify authentication log in as the LDAP user with its password (for example over ssh, or su - ldapuser1 from an unprivileged account). The "cannot change directory" messages in the su output above mean the home directory does not yet exist on this client; it lives on the NFS server and is mounted by autofs in section 4.

Listing all users

By default sssd only answers lookups for individual names, so getent passwd without an argument shows no LDAP users. To have it list them all, set enumerate = True in the [domain/...] section of /etc/sssd/sssd.conf and restart sssd:

vim /etc/sssd/sssd.conf
enumerate = True
systemctl restart sssd

Enumeration makes sssd pull every user and group from the directory on each refresh; it is fine in a classroom but is discouraged on large domains.

4. Auto-mounting user home directories

The su output above shows why this is needed: the account resolves, but /home/guests/ldapuser1 lives on the NFS server (172.25.254.254), not on the client. autofs mounts it on demand:

yum install autofs -y
vim /etc/auto.master
/home/guests    /etc/auto.ldap

vim /etc/auto.ldap
ldapuser1   172.25.254.254:/home/guests/ldapuser1
*       172.25.254.254:/home/guests/&

The first entry mounts ldapuser1's directory explicitly. The `*` wildcard line covers any name looked up under /home/guests and substitutes the looked-up name for `&`, so it already includes ldapuser1; one wildcard line is enough for all LDAP users.

systemctl restart autofs
systemctl enable autofs

After this, su - ldapuser1 should land in /home/guests/ldapuser1 (the NFS server must export /home/guests to this client).
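To check a map before restarting autofs, it helps to predict what autofs will do for a given name. The script below is an added example, not part of the original post: it applies the master-map and indirect-map rules the section configures (the master map ties /home/guests to auto.ldap, an exact key wins, otherwise the `*` entry is used with `&` replaced by the looked-up name) to temp-dir copies of the two maps above. The helper names (autofs_mountpoint, autofs_resolve, autofs_home) and the temp-dir layout are this example's own; the map contents are the ones from the text.

```shell
#!/bin/bash
# Added example, not part of the original post: a small resolver that
# answers "which NFS export would autofs mount for this user's home?" by
# applying the master-map and indirect-map rules the section configures:
# the master map ties the /home/guests mount point to auto.ldap, an exact
# key in that map wins, and otherwise the `*` wildcard entry is used with
# every `&` replaced by the key that was looked up. The helper names and
# the temp-dir copies of the maps are this example's own.

set -u

# autofs_mountpoint <master-map> <map-file>
# Print the mount point the master map associates with <map-file>
# (comment lines skipped); prints nothing when the map is not listed.
autofs_mountpoint() {
    awk -v map="$2" '$1 !~ /^#/ && $2 == map { print $1; exit }' "$1"
}

# autofs_resolve <map-file> <key>
# Print the location an indirect map yields for <key>. An exact key takes
# precedence over `*`; `&` in the wildcard location expands to the key.
# Exit status 1 when neither matches, which is when autofs reports
# "No such file or directory" for that name.
autofs_resolve() {
    awk -v key="$2" '
        $1 ~ /^#/ || NF < 2 { next }
        $1 == key { exact = $NF }
        $1 == "*" { wild  = $NF }
        END {
            if (exact != "") { print exact; exit 0 }
            if (wild  != "") { gsub(/&/, key, wild); print wild; exit 0 }
            exit 1
        }' "$1"
}

# autofs_home <master-map> <map-file> <user>
# Print "<mountpoint>/<user> -> <server:export>" or fail with status 1.
autofs_home() {
    mp=$(autofs_mountpoint "$1" "$2")
    [ -n "$mp" ] || { echo "$2 is not referenced by $1" >&2; return 1; }
    loc=$(autofs_resolve "$2" "$3") || { echo "no map entry for $3" >&2; return 1; }
    printf '%s/%s -> %s\n' "$mp" "$3" "$loc"
}

# Constructed copies of the two maps from the text, written to a temp dir
# so the example runs without touching /etc. The master map points at the
# temp copy of auto.ldap instead of /etc/auto.ldap for the same reason.
tmp=$(mktemp -d)
cat > "$tmp/auto.master" <<EOF
# mount-point   map-file
/home/guests    $tmp/auto.ldap
EOF
cat > "$tmp/auto.ldap" <<'EOF'
ldapuser1   172.25.254.254:/home/guests/ldapuser1
*           172.25.254.254:/home/guests/&
EOF

# ldapuser1 hits the explicit entry, ldapuser2 falls through to the wildcard.
for u in ldapuser1 ldapuser2; do
    autofs_home "$tmp/auto.master" "$tmp/auto.ldap" "$u"
done
```

Against the real files the call is `autofs_home /etc/auto.master /etc/auto.ldap ldapuser1`; a name that resolves here but still fails at login points at the NFS export or the LDAP home-directory attribute rather than at the autofs maps.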
