

Авторизация с использованием LDAP сервера

Установка LDAP клиента

Debian/Ubuntu

root@gate:~# apt install ldap-utils

FreeBSD

[gate:~] # pkg install openldap-client

Тестирование доступности каталога с клиентов

OpenLDAP

gate# ldapsearch -x -b"dc=corpX,dc=un" -H ldap://server "uid=user1"

Microsoft Active Directory

gate# ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -h server -b "dc=corpX,dc=un" "sAMAccountName=user1"

или через ldaps:

gate# LDAPTLS_REQCERT=never ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldaps://server.corpX.un -b "dc=corpX,dc=un" "sAMAccountName=user1"
...
msSFU30NisDomain: corpX
uidNumber: 10001
gidNumber: 10001
unixHomeDirectory: /home/user1
loginShell: /bin/sh
...
# ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -h server -b "dc=corpX,dc=un" "sAMAccountName=guser1"
...
msSFU30NisDomain: corpX
gidNumber: 10001
...

Установка библиотеки nss ldap

FreeBSD

[gate:~] # pkg install nss_ldap

[gate:~] # cat /usr/local/etc/nss_ldap.conf

Debian/Ubuntu

root@gate:~# apt install libnss-ldap
...
Ответы по умолчанию, все равно все сотрем;)
...
ubuntu# cat /etc/ldap.conf

debian# cat /etc/libnss-ldap.conf

Настройка библиотеки nss ldap

OpenLDAP

host server
base dc=corpX,dc=un
nss_base_passwd               ou=users,dc=corpX,dc=un?one
nss_base_group                ou=groups,dc=corpX,dc=un?one

Microsoft Active Directory

Настройка Active Directory сервера (Сервис NIS)

2003

host server
base dc=corpX,dc=un
binddn cn=user1,cn=Users,dc=corpX,dc=un
bindpw Pa$$w0rd1
scope sub
nss_base_passwd         cn=Users,dc=corpX,dc=un?one
nss_base_group          cn=Users,dc=corpX,dc=un?one
nss_map_objectClass posixAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectClass posixGroup Group
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute loginShell msSFU30LoginShell

2008/Samba4

host server

# uri ldaps://server.corpX.un/
# tls_checkpeer no

base dc=corpX,dc=un
binddn cn=Administrator,cn=Users,dc=corpX,dc=un
bindpw Pa$$w0rd
scope sub
nss_base_passwd         cn=Users,dc=corpX,dc=un?one
nss_base_group          cn=Users,dc=corpX,dc=un?one
nss_map_objectClass posixAccount User
nss_map_objectClass posixGroup Group
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMemberOf
nss_map_attribute homeDirectory unixHomeDirectory

2016

host server

base dc=corpX,dc=un
binddn cn=Administrator,cn=Users,dc=corpX,dc=un
bindpw Pa$$w0rd
scope sub
nss_base_passwd         cn=Users,dc=corpX,dc=un?one
nss_base_group          cn=Users,dc=corpX,dc=un?one
nss_map_objectClass posixAccount User
nss_map_objectClass posixGroup Group
nss_map_attribute uid SamAccountName
nss_map_attribute homeDirectory unixHomeDirectory

Настройка библиотеки nsswitch

root@gate:~# cat /etc/nsswitch.conf
...
passwd:         files ldap
group:          files ldap
shadow:         files ldap
...
debian# service nscd restart

debian# service nscd reload

# getent passwd

# id user1

Установка сертификатов

FreeBSD

# setenv LDAPTLS_REQCERT never
  или (с проверкой сертификата сервера):
# pkg install ca_root_nss
# setenv LDAPTLS_CACERT /usr/local/etc/ssl/cert.pem

Linux

# export LDAPTLS_REQCERT=never