This shows you the differences between two versions of the page.
| | авторизация_с_использованием_ldap_сервера [2021/01/14 08:50] val [Debian/Ubuntu] | | авторизация_с_использованием_ldap_сервера [2025/10/08 09:12] (current) val |
|---|---|---|---|
| Line 3: | Line 3: | ||
| ===== Установка LDAP клиента ===== | ===== Установка LDAP клиента ===== | ||
| - | ==== Debian/Ubuntu ==== | + | * !!! Не требуется для nss_ldap, удобен для отладки |
| - | !!! Не требуется для nss_ldap, удобен для отладки | + | ==== Debian/Ubuntu ==== |
| <code> | <code> | ||
| Line 21: | Line 21: | ||
| <code> | <code> | ||
| gate# ldapsearch -x -b"dc=corpX,dc=un" -H ldap://server "uid=user1" | gate# ldapsearch -x -b"dc=corpX,dc=un" -H ldap://server "uid=user1" | ||
| + | </code> | ||
| + | ==== FreeIPA ==== | ||
| + | <code> | ||
| + | gate# ldapsearch -x -b"dc=corpX,dc=un" -H ldap://server "uid=user1" | ||
| + | |||
| + | gate# ldapsearch -x -D "uid=admin,cn=users,cn=accounts,dc=corp13,dc=un" -W -H ldap://server -b "dc=corp13,dc=un" "uid=user1" | ||
| + | ... | ||
| + | mail: user1@corp13.un | ||
| + | ... | ||
| </code> | </code> | ||
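Review bot: both new FreeIPA searches go over plain `ldap://server`, and the second is a simple bind (`-x -D "uid=admin,cn=users,cn=accounts,..." -W`), so the admin password would be sent in cleartext unless the server refuses unencrypted simple binds; add `-ZZ` to force STARTTLS or use `ldaps://`. The base DN also flips from the page's `dc=corpX,dc=un` placeholder (first search) to `dc=corp13,dc=un` (second search and the `mail:` output) inside one block; pick one so the snippet can be copied verbatim.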
| Line 26: | Line 35: | ||
| * Права на чтение атрибутов LDAP ([[http://support.microsoft.com/kb/976063]]) | * Права на чтение атрибутов LDAP ([[http://support.microsoft.com/kb/976063]]) | ||
| + | * [[https://ldap.com/dns-srv-records-for-ldap/|DNS SRV Records for LDAP]] | ||
| <code> | <code> | ||
| - | gate# ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -h server -b "dc=corpX,dc=un" "sAMAccountName=user1" | + | gate# ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldap://server -b "dc=corpX,dc=un" "sAMAccountName=user1" |
| или через ldaps: | или через ldaps: | ||
| gate# LDAPTLS_REQCERT=never ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -w 'Pa$$w0rd' -H ldaps://server.corpX.un -b "dc=corpX,dc=un" "sAMAccountName=user1" | gate# LDAPTLS_REQCERT=never ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -w 'Pa$$w0rd' -H ldaps://server.corpX.un -b "dc=corpX,dc=un" "sAMAccountName=user1" | ||
| + | |||
| + | или с Kerberos GSSAPI аутентификацией | ||
| + | |||
| + | gate# apt install libsasl2-modules-gssapi-mit | ||
| + | gate# kinit Administrator | ||
| + | gate# ldapsearch -h server -b "dc=corpX,dc=un" "sAMAccountName=user1" | ||
| </code><code> | </code><code> | ||
| ... | ... | ||
| Line 42: | Line 58: | ||
| ... | ... | ||
| </code><code> | </code><code> | ||
| - | # ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -h server -b "dc=corpX,dc=un" "sAMAccountName=guser1" | + | # ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldap://server -b "dc=corpX,dc=un" "sAMAccountName=guser1" |
| </code><code> | </code><code> | ||
| ... | ... | ||
| Line 50: | Line 66: | ||
| </code> | </code> | ||
| ===== Установка библиотеки nss ldap ===== | ===== Установка библиотеки nss ldap ===== | ||
| - | |||
| - | ==== FreeBSD ==== | ||
| - | <code> | ||
| - | [gate:~] # pkg install nss_ldap | ||
| - | |||
| - | [gate:~] # cat /usr/local/etc/nss_ldap.conf | ||
| - | </code> | ||
| ==== Debian/Ubuntu ==== | ==== Debian/Ubuntu ==== | ||
| <code> | <code> | ||
| - | root@gate:~# apt install libnss-ldap | + | root@gate:~# DEBIAN_FRONTEND=noninteractive apt install libnss-ldap |
| </code><code> | </code><code> | ||
| ... | ... | ||
| Line 69: | Line 78: | ||
| debian# cat /etc/libnss-ldap.conf | debian# cat /etc/libnss-ldap.conf | ||
| + | </code> | ||
| + | |||
| + | ==== FreeBSD ==== | ||
| + | <code> | ||
| + | [gate:~] # pkg install nss_ldap | ||
| + | |||
| + | [gate:~] # cat /usr/local/etc/nss_ldap.conf | ||
| </code> | </code> | ||
| Line 75: | Line 91: | ||
| ==== OpenLDAP ==== | ==== OpenLDAP ==== | ||
| <code> | <code> | ||
| - | host server | + | uri ldap://server |
| base dc=corpX,dc=un | base dc=corpX,dc=un | ||
| - | nss_base_passwd ou=users,dc=corpX,dc=un?one | + | nss_base_passwd ou=People, |
| - | nss_base_group ou=groups,dc=corpX,dc=un?one | + | nss_base_group ou=Group, |
| </code> | </code> | ||
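Review bot: `nss_base_passwd ou=People,` and `nss_base_group ou=Group,` are valid nss_ldap shorthand (a trailing comma appends the global `base`, here `dc=corpX,dc=un`, as the sample ldap.conf shipped with nss_ldap documents), but the replaced lines carried an explicit `?one` scope and the new ones do not, so the default subtree scope now applies; a one-line comment in the config would stop readers from treating the trailing comma as a truncated line. The containers also change from `ou=users`/`ou=groups` to `ou=People`/`ou=Group`, which must match what the OpenLDAP server page actually creates.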
| Line 148: | Line 164: | ||
| </code><code> | </code><code> | ||
| ... | ... | ||
| - | passwd: files ldap | + | passwd: files systemd ldap |
| - | group: files ldap | + | group: files systemd ldap |
| shadow: files ldap | shadow: files ldap | ||
| ... | ... | ||
| Line 155: | Line 171: | ||
| debian# service nscd restart && service nscd reload | debian# service nscd restart && service nscd reload | ||
| - | # getent passwd | + | # getent passwd user1 |
| # id user1 | # id user1 | ||
| Line 162: | Line 178: | ||
| ===== Установка сертификатов ===== | ===== Установка сертификатов ===== | ||
| - | ==== FreeBSD ==== | + | * [[Пакет OpenSSL#Импорт сертификата центра сертификации]] |
| <code> | <code> | ||
| - | # setenv LDAPTLS_REQCERT never | + | # export LDAPTLS_REQCERT=never |
| - | или | + | |
| - | # pkg install ca_root_nss | + | |
| - | # setenv LDAPTLS_CACERT /usr/local/etc/ssl/cert.pem | + | |
| </code> | </code> | ||
| - | ==== Linux ==== | + | |
| + | ===== Дополнительные материалы ===== | ||
| + | |||
| + | ==== Изменения в Debian 12 ==== | ||
| <code> | <code> | ||
| - | # export LDAPTLS_REQCERT=never | + | debian12# apt install libnss-ldapd |
| + | |||
| + | debian12# grep "^[^#]" /etc/nslcd.conf | ||
| + | uid nslcd | ||
| + | gid nslcd | ||
| + | uri ldap://server/ | ||
| + | base dc=corp20,dc=un | ||
| + | tls_cacertfile /etc/ssl/certs/ca-certificates.crt | ||
| + | |||
| + | service nslcd restart | ||
| + | |||
| + | gate# chown -R user1:user1 /home/user1 | ||
| + | gate# chown -R user2:user2 /home/user2 | ||
| </code> | </code> | ||
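Review bot: after this hunk the only certificate handling left inline is `export LDAPTLS_REQCERT=never`, which disables server-certificate verification and makes the `ldaps://` examples above trivially interceptable; the removed `LDAPTLS_CACERT`/`ca_root_nss` lines were the secure variant, so keep a `TLS_CACERT`/`LDAPTLS_CACERT` line here and mark `never` as debugging-only. In the new Debian 12 `nslcd.conf`, `tls_cacertfile` has no effect because `uri ldap://server/` with no `ssl start_tls` negotiates no TLS at all; add `ssl start_tls` (or `uri ldaps://...`) together with `tls_reqcert demand`. Also `base dc=corp20,dc=un` breaks the page's `corpX` placeholder, and `service nslcd restart` lacks the `debian12#` prompt the surrounding lines use.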