环境：CentOS 7.6，OpenLDAP 2.4.44（LDAP 服务端 192.168.100.5，以下步骤均在客户端以 root 执行）
1、安装包
# Client-side packages: LDAP CLI tools, SSSD, authconfig and the nss/pam LDAP glue.
yum install -y openldap-clients sssd authconfig nss-pam-ldapd
2、修改ldap.conf配置文件
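# Client-side defaults for the openldap-clients tools (ldapsearch, ldapwhoami, ...).
# NOTE: the target must be the file /etc/openldap/ldap.conf, not the directory
# /etc/openldap/ -- redirecting into a directory fails and leaves no config behind.
cat > /etc/openldap/ldap.conf <<EOF
URI ldaps://192.168.100.5
BASE dc=admin,dc=com
# Directory of CA certificates. Files in it must be hash-named
# (cacertdir_rehash / c_rehash) or the library cannot find them.
TLS_CACERTDIR /etc/openldap/cacerts
# "demand" refuses the connection when the server certificate does not verify.
# "allow" (the previous value) silently accepts a missing or bad certificate,
# which leaves the ldaps session open to man-in-the-middle interception.
TLS_REQCERT demand
EOF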
3、拷贝证书
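# Fetch the server certificate into the directory that ldap.conf (TLS_CACERTDIR)
# and sssd.conf (ldap_tls_cacertdir) point at, then rehash so it is found by
# subject hash. The original copied into a relative "certs" directory that
# nothing else references.
# Only the public certificate belongs on clients: if /etc/openldap/certs on the
# server also holds the private key, narrow the "server*" glob to the .crt/.pem
# file -- private key material must never leave the server.
mkdir -p /etc/openldap/cacerts
scp 192.168.100.5:/etc/openldap/certs/server* /etc/openldap/cacerts/
# cacertdir_rehash ships with authconfig; c_rehash (openssl-perl) is equivalent.
cacertdir_rehash /etc/openldap/cacerts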
4、初始化认证
# Wire SSSD into nsswitch/PAM and enable home-directory creation at first login.
# --enableldaptls requests StartTLS; with an ldaps:// server URI this appears
# redundant (the channel is already TLS) but is harmless.
# The sssd.conf written in the next step overrides what authconfig generates.
authconfig \
  --enablesssd --enablesssdauth \
  --enablerfc2307bis \
  --enableldap --enableldapauth \
  --disableforcelegacy \
  --enableldaptls \
  --disablekrb5 \
  --ldapserver ldaps://192.168.100.5 \
  --ldapbasedn "dc=admin,dc=com" \
  --enablemkhomedir \
  --update
5、sssd配置文件
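# SSSD configuration; replaces the file authconfig generated above.
cat > /etc/sssd/sssd.conf <<EOF
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
autofs_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldaps://192.168.100.5
ldap_search_base = dc=admin,dc=com
# Hash-named CA certificates used to verify the server (populated in step 3).
ldap_tls_cacertdir = /etc/openldap/cacerts
# "demand" fails the bind if the server certificate does not verify.
# The previous value "allow" accepted any certificate, exposing user passwords
# sent during auth to a man-in-the-middle.
ldap_tls_reqcert = demand
# Not needed on an ldaps:// URI (the connection is already TLS); kept as
# authconfig --enableldaptls generates it, harmless either way.
ldap_id_use_start_tls = True
# Do not store password hashes on the client for offline logins.
cache_credentials = False

[sssd]
services = nss, pam, autofs
domains = default

[nss]
homedir_substring = /home

[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
EOF
# sssd refuses to start unless sssd.conf is root-owned and mode 0600
# (the file may carry bind credentials); a plain "cat >" does not guarantee that.
chown root:root /etc/sssd/sssd.conf
chmod 0600 /etc/sssd/sssd.conf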
6、启动服务
# Enable at boot, then (re)start so the new sssd.conf is loaded.
systemctl enable sssd
systemctl restart sssd
7、认证
# Resolve an LDAP user through NSS; a uid/gid line like the one below
# confirms SSSD is answering lookups over the ldaps connection.
id first
uid=1100(first) gid=2000(ldapadmin) groups=2000(ldapadmin)
8、用户切换
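# Switch to an LDAP user. Run as root: the leading "#" in the original listing
# was the root prompt, not a comment marker, so the commands read as disabled.
su - test
# After the LDAP password is accepted the shell lands in the user's home
# directory (created at first login via --enablemkhomedir above).
su - first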