= OpenLDAP client setup =
== CentOS 6.3 setup ==
step 1 : install the packages
{{{
yum install openldap openldap-clients nss-pam-ldapd pam_ldap openssh-ldap -y
}}}
step 2 : add a bind policy so that the machine still boots when the LDAP server cannot be reached
{{{
echo "bind_policy soft" >> /etc/openldap/ldap.conf
}}}
step 3 : edit the "/etc/pam.d/password-auth" file and replace its contents with the following. (Note: in the auth, password and account stacks, the pam_ldap.so line must be placed on the line directly above pam_deny.so.)
{{{
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
}}}
step 4 : edit the "/etc/sysconfig/authconfig" file and change the following options from "no" to "yes"
{{{
FORCELEGACY=yes
USELDAPAUTH=yes
USELDAP=yes
}}}
step 5 : edit the "/etc/nsswitch.conf" file so that its contents read as follows.
{{{
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
}}}
step 6 : apply the configuration changes
{{{
authconfig --enableldap --enableldapauth --ldapserver=10.12.7.80 --ldapbasedn="dc=a,dc=com" --update
}}}
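As an added check after step 6 (this script is not part of the original page), the following POSIX shell functions verify the three edits that most often break LDAP logins: the pam_ldap.so / pam_deny.so ordering from step 3, the ldap entries for passwd, shadow and group from step 5, and the bind_policy line from step 2. The sample files it runs against are constructed here for demonstration; the default file paths are the real ones from the steps above.

```shell
#!/bin/sh
# Added example, not from the original wiki page: sanity checks for the
# PAM, nsswitch and ldap.conf edits. Run with no arguments on a configured
# host, or pass a PAM file, an nsswitch file and an ldap.conf to check copies.

# Return 0 when, inside one PAM stack (auth/account/password), the first
# pam_ldap.so line comes before the first pam_deny.so line. A pam_ldap.so
# line below pam_deny.so is never reached, which is the mistake step 3 warns about.
pam_ldap_before_deny() {
    file=$1
    stack=$2
    # Drop comments, keep only this stack, then number the remaining lines so
    # both positions are measured on the same filtered stream.
    ldap_pos=$(grep -v '^#' "$file" | grep "^$stack[[:space:]]" \
               | grep -n 'pam_ldap\.so' | head -n1 | cut -d: -f1)
    deny_pos=$(grep -v '^#' "$file" | grep "^$stack[[:space:]]" \
               | grep -n 'pam_deny\.so' | head -n1 | cut -d: -f1)
    [ -n "$ldap_pos" ] || return 1                       # no pam_ldap.so at all
    [ -n "$deny_pos" ] && [ "$ldap_pos" -gt "$deny_pos" ] && return 1
    return 0
}

# Return 0 when passwd, shadow and group all list "ldap" as a source (step 5).
nss_has_ldap() {
    file=$1
    for db in passwd shadow group; do
        grep -E "^$db:.*[[:space:]]ldap([[:space:]]|$)" "$file" >/dev/null || return 1
    done
    return 0
}

# Return 0 when ldap.conf carries "bind_policy soft" (step 2). A line written
# with curly quotes by a copy-pasted echo does not match, which is intended.
ldap_bind_soft() {
    grep -E '^[[:space:]]*bind_policy[[:space:]]+soft' "$1" >/dev/null
}

# Print one line per check and return 1 if any check failed.
run_checks() {
    pam=${1:-/etc/pam.d/password-auth}
    nss=${2:-/etc/nsswitch.conf}
    ldap=${3:-/etc/openldap/ldap.conf}
    rc=0
    for stack in auth account password; do
        if pam_ldap_before_deny "$pam" "$stack"; then
            echo "ok   $pam: $stack has pam_ldap.so above pam_deny.so"
        else
            echo "FAIL $pam: $stack lacks pam_ldap.so or has it below pam_deny.so"; rc=1
        fi
    done
    if nss_has_ldap "$nss"; then echo "ok   $nss: passwd/shadow/group use ldap"
    else echo "FAIL $nss: passwd, shadow or group does not list ldap"; rc=1; fi
    if ldap_bind_soft "$ldap"; then echo "ok   $ldap: bind_policy soft"
    else echo "FAIL $ldap: bind_policy soft missing"; rc=1; fi
    return $rc
}

# Constructed samples (not real host files) so the checks can run anywhere.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

SAMPLE_PAM_OK=$SAMPLE_DIR/password-auth.ok      # ordering as in step 3
cat > "$SAMPLE_PAM_OK" <<'EOF'
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
EOF

SAMPLE_PAM_BAD=$SAMPLE_DIR/password-auth.bad    # pam_deny.so placed first
cat > "$SAMPLE_PAM_BAD" <<'EOF'
auth required pam_env.so
auth required pam_deny.so
auth sufficient pam_ldap.so use_first_pass
EOF

SAMPLE_NSS=$SAMPLE_DIR/nsswitch.ok
printf 'passwd: files ldap\nshadow: files ldap\ngroup: files ldap\nhosts: files dns\n' > "$SAMPLE_NSS"
SAMPLE_NSS_BAD=$SAMPLE_DIR/nsswitch.bad
printf 'passwd: files\nshadow: files ldap\ngroup: files ldap\n' > "$SAMPLE_NSS_BAD"

SAMPLE_LDAP=$SAMPLE_DIR/ldap.conf.ok
printf 'BASE dc=a,dc=com\nbind_policy soft\n' > "$SAMPLE_LDAP"
SAMPLE_LDAP_BAD=$SAMPLE_DIR/ldap.conf.bad
printf 'BASE dc=a,dc=com\n' > "$SAMPLE_LDAP_BAD"

# Demonstration run on the constructed samples; pass real paths to check a host.
run_checks "$SAMPLE_PAM_OK" "$SAMPLE_NSS" "$SAMPLE_LDAP"
run_checks "$SAMPLE_PAM_BAD" "$SAMPLE_NSS_BAD" "$SAMPLE_LDAP_BAD" || echo "(expected failures above)"
```

On a configured host, `run_checks` with no arguments inspects the real files; a FAIL on the auth or password stack usually means pam_ldap.so was appended below pam_deny.so and is never consulted, which shows up as a login failure even though ldapsearch and getent work.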
== Problems encountered during configuration ==
After completing step 1, logins failed. ldapsearch could find the account information on the server, but getent passwd showed no account entries; after changing the "FORCELEGACY" parameter in step 4, getent returned the account information and logins worked.