OpenLDAP Active Directory集成
注意：文中连续的三个 *** 字符替代了该软件名称中的三个字母。
1. centos7 open***安装ldap插件以支持ldap验证
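# Install the open***-auth-ldap plugin
yum install open***-auth-ldap -y
# Enter the open*** server authentication configuration directory;
# stop here if it does not exist instead of editing files in the current directory
cd /etc/open***/auth/ || exit 1
# Back up the default configuration file
cp -- ldap.conf ldap.conf.bak
# Start from an empty file before pasting the new configuration
echo > ldap.conf
# Edit the ldap configuration file (paste the ldap.conf content shown below)
vim ldap.conf
# ldap.conf holds the bind password in cleartext: make it readable by root only
chmod 600 ldap.conf
# Restart the server instance so the plugin picks up the new configuration
systemctl restart open***@server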
ldap.conf
<LDAP>
# AD server address. With TLSEnable yes below, the plain ldap:// connection
# is upgraded with StartTLS after connecting.
URL ldap://192.168.xxx.xxx
# Bind DN used to search for users.
# NOTE(review): this is the domain Administrator account; a dedicated
# read-only service account is the usual least-privilege choice - confirm.
BindDN CN=Administrator,CN=Users,DC=GOING-LINK,DC=com
# Bind password, stored in cleartext: keep this file readable by root only,
# and rotate any password that has appeared in a shared document.
Password YUGU@$%Y45%^F^#GH
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable yes
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
# NOTE(review): this must be the CA that issued the AD server certificate,
# otherwise the StartTLS handshake cannot be verified - confirm the file
# exists on this host.
TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
# NOTE(review): confirm these files exist; if the AD server does not require
# client certificates they can be left out.
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Search base for user lookups
BaseDN "OU=甄云科技,DC=going-link,DC=com"
# User search filter; %u is replaced by the login name.
# NOTE(review): accountStatus is not a standard Active Directory attribute -
# confirm it exists in this schema. AD normally marks disabled accounts via
# userAccountControl; a filter on an attribute the directory does not have
# matches no user.
SearchFilter "(&(sAMAccountName=%u)(accountStatus=active))"
# Require Group Membership
# NOTE(review): false presumably means any user matching SearchFilter may log
# in and the <Group> block below is not enforced - verify before relying on it.
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_***_users
<Group>
# NOTE(review): the example.com values below look like the sample defaults,
# not this domain - replace them before setting RequireGroup true.
BaseDN "ou=Groups,dc=example,dc=com"
SearchFilter "(|(cn=developers)(cn=artists))"
# NOTE(review): AD groups normally list members in "member", not
# uniqueMember - confirm against the directory.
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_***_eng
</Group>
</Authorization>
测试连接
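# Install the openldap client tools
yum install -y openldap-clients
# Search test. -W prompts for the bind password so it never appears on the
# command line or in shell history; -ZZ requires StartTLS to succeed before
# the simple bind so the password is not sent in cleartext (matches
# TLSEnable yes in ldap.conf; the client must trust the same CA, e.g. via
# TLS_CACERT in the client ldap.conf); -H replaces the deprecated -h option.
ldapsearch -x -ZZ -W -D "CN=Administrator,CN=Users,DC=GOING-LINK,DC=com" -b "DC=GOING-LINK,DC=com" -H ldap://192.168.1.62 -s one dn -LLL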
YUGU@$%Y45%^F^#GH
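# Same search against the whole domain, then against the OU of disabled
# accounts. -ZZ requires StartTLS before the simple bind so the Administrator
# password is not sent in cleartext; -H replaces the deprecated -h option;
# -W prompts for the password instead of taking it from the command line.
ldapsearch -x -ZZ -W -D "CN=Administrator,CN=Users,DC=GOING-LINK,DC=com" -b "DC=going-link,DC=com" -H ldap://192.168.1.62
ldapsearch -x -ZZ -W -D "CN=Administrator,CN=Users,DC=GOING-LINK,DC=com" -b "OU=disabled,DC=going-link,DC=com" -H ldap://192.168.1.62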
2. open***服务端配置文件增加配置
# Load the auth-ldap plugin; the argument string is the plugin config path
# followed by a cn=%u template.
# NOTE(review): the meaning of the trailing cn=%u argument is not shown here -
# confirm against the plugin documentation, since ldap.conf matches users on
# sAMAccountName.
plugin /usr/lib64/open***/plugin/lib/open***-auth-ldap.so "/etc/open***/auth/ldap.conf cn=%u"
# Clients authenticate with username/password only, no client certificate.
# NOTE(review): this option is deprecated since open*** 2.4 in favor of
# "verify-client-cert none". Without a client certificate the AD password is
# the only factor, so keep TLSEnable yes and a strict SearchFilter in ldap.conf.
client-cert-not-required
# Use the supplied username, not a certificate CN, as the client's common name
username-as-common-name
3. open***客户端测试
暂未测试成功