LDAP (Lightweight Directory Access Protocol) is a lightweight directory access protocol based on the X.500 standard. A directory is a database optimized for querying, browsing and searching; it organizes data in a tree structure, much like a file system directory. Unified authentication mainly means changing the existing authentication policy so that every piece of software that requires authentication does so through LDAP; once identity authentication is unified, all user information is stored on the AD server. End users must authenticate against the AD server whenever they need to use an internal company service.
Configure LDAP
FAS1> options ldap.ADdomain "dc=demo,dc=netapp,dc=com"
FAS1> options ldap.base "ou=ldapusers,dc=demo,dc=netapp,dc=com"
FAS1> options ldap.base.group "ou=ldapusers,dc=demo,dc=netapp,dc=com"
FAS1> options ldap.base.netgroup "ou=ldapusers,dc=demo,dc=netapp,dc=com"
FAS1> options ldap.base.passwd "ou=ldapusers,dc=demo,dc=netapp,dc=com"
FAS1> options ldap.enable on
FAS1> options ldap.minimum_bind_level anonymous
FAS1> options ldap.name "cn=Administrator,cn=Users,dc=demo,dc=netapp,dc=com"
FAS1> options ldap.nssmap.attribute.gecos name
FAS1> options ldap.nssmap.attribute.gidNumber msSFU30GidNumber
FAS1> options ldap.nssmap.attribute.groupname cn
FAS1> options ldap.nssmap.attribute.homeDirectory msSFU30HomeDirectory
FAS1> options ldap.nssmap.attribute.loginShell msSFU30LoginShell
FAS1> options ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
FAS1> options ldap.nssmap.attribute.memberUid msSFU30MemberUid
FAS1> options ldap.nssmap.attribute.netgroupname cn
FAS1> options ldap.nssmap.attribute.nisNetgroupTriple
FAS1> options ldap.nssmap.attribute.uid sAMAccountName
FAS1> options ldap.nssmap.attribute.uidNumber msSFU30uidNumber
FAS1> options ldap.nssmap.attribute.userPassword msSFUPassword
FAS1> options ldap.nssmap.objectClass.nisNetgroup nisNetgroup
FAS1> options ldap.nssmap.objectClass.posixAccount User
FAS1> options ldap.nssmap.objectClass.posixGroup Group
FAS1> options ldap.passwd netapp1
FAS1> options ldap.port 389
FAS1> options ldap.servers
FAS1> options ldap.servers.preferred
FAS1> options ldap.ssl.enable off
FAS1> options ldap.usermap.attribute.unixaccount Unixaccount
FAS1> options ldap.usermap.attribute.windowsaccount Windowsaccount
FAS1> options ldap.usermap.base
FAS1> options ldap.usermap.enable off
FAS1> options ldap
FAS1> reboot
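The settings above are pasted straight from the filer console, so it is easy to miss that they leave SSL off, allow an anonymous bind and carry the bind password on port 389. The following added example (not NetApp code) parses such an `options ldap` dump and flags those weak settings; the sample dump is constructed from the option names on this page.

```python
"""Audit a Data ONTAP 7-Mode 'options ldap' dump for weak LDAP client settings.

Added example for this page, not NetApp code. Option names are the ones shown
in the configuration above; SAMPLE_DUMP is a constructed excerpt of them.
"""
import re
from typing import Dict, List

# Constructed sample: the page's settings as they would be pasted from the console.
SAMPLE_DUMP = """
FAS1> options ldap.enable on
FAS1> options ldap.minimum_bind_level anonymous
FAS1> options ldap.name "cn=Administrator,cn=Users,dc=demo,dc=netapp,dc=com"
FAS1> options ldap.passwd netapp1
FAS1> options ldap.port 389
FAS1> options ldap.ssl.enable off
FAS1> options ldap.servers
"""

# Optional "FAS1> " prompt, the literal word 'options', the option name, then its value.
OPTION_RE = re.compile(r'^(?:\S+>\s*)?options\s+(ldap\.[\w.]+)\s*(.*)$')


def parse_options(dump: str) -> Dict[str, str]:
    """Map option name -> value; strips the console prompt and surrounding quotes."""
    opts: Dict[str, str] = {}
    for line in dump.splitlines():
        m = OPTION_RE.match(line.strip())
        if m:
            opts[m.group(1)] = m.group(2).strip().strip('"')
    return opts


def audit(opts: Dict[str, str]) -> List[str]:
    """Return one finding per setting that weakens the directory bind or exposes credentials."""
    findings: List[str] = []
    if opts.get("ldap.enable") != "on":
        return findings  # LDAP client disabled: nothing to audit
    ssl_on = opts.get("ldap.ssl.enable", "off") == "on"
    if not ssl_on:
        findings.append("ldap.ssl.enable off: directory lookups cross the network unencrypted")
    if opts.get("ldap.minimum_bind_level") == "anonymous":
        findings.append("ldap.minimum_bind_level anonymous: filer may fall back to an unauthenticated bind")
    if opts.get("ldap.passwd") and not ssl_on:
        findings.append("ldap.passwd set with SSL off: a simple bind sends this password in clear text")
    if not opts.get("ldap.servers") and not opts.get("ldap.servers.preferred"):
        findings.append("ldap.servers / ldap.servers.preferred empty: no directory server configured")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_options(SAMPLE_DUMP)):
        print("WARN:", finding)
```

Run it against a real `options ldap` dump; a clean configuration returns an empty list from `audit`.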
Test LDAP
----------- Use the getXXbyYY command to verify that LDAP lookups work correctly -----------
FAS1> getXXbyYY gethostbyname_r demo.netapp.com
produces:
name: demo.netapp.com
aliases:
addresses: 192.168.10.100
FAS1> getXXbyYY getpwbyname_r Fred
produces something like
pw_name = Fred
pw_passwd = {{******}}
pw_uid = 201, pw_gid = 100
pw_gecos = Fred Flintstone
pw_dir = /home/fred
pw_shell = /bin/sh
LDAP-Based Windows Client Authentication
FAS1> cifs terminate -t 0
FAS1> cifs setup   (specify LDAP / )
-------------------------------------------------------------------------------------------------------------
SERVER> Net use * /delete /yes
-------------------------------------------------------------------------------------------------------------
FAS1> useradmin user list administrator
FAS1> options security.passwd.rules.minimum 7
FAS1> useradmin user add administrator -n "Local Admin" -g administrators
FAS1> cifs access c$ builtin\administrator full control
SERVER> Net use T: \\FAS1\C$
SERVER> Net use T: /delete /yes
-----------------------------------------------------------------------------------------------------------
FAS1> options ldap.rfc2307bis.enable on
FAS1> options ldap.nssmap.attribute.uniqueMember Member
FAS1> options ldap.nssmap.objectClass.groupOfUniqueNames Group