====== Авторизация с использованием LDAP сервера ======
===== Установка LDAP клиента =====
* !!! Пакет клиентских утилит не требуется для работы nss_ldap, но удобен для отладки: команды ldapsearch ниже позволяют проверить доступность каталога и права бинд-учётной записи до настройки NSS.
==== Debian/Ubuntu ====
root@gate:~# apt install ldap-utils
==== FreeBSD ====
[gate:~] # pkg install openldap-client
===== Тестирование доступности каталога с клиентов =====
==== OpenLDAP ====
gate# ldapsearch -x -b"dc=corpX,dc=un" -H ldap://server "uid=user1"
==== Microsoft Active Directory ====
* Права на чтение атрибутов LDAP ([[http://support.microsoft.com/kb/976063]])
* [[https://ldap.com/dns-srv-records-for-ldap/|DNS SRV Records for LDAP]]
gate# ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldap://server -b "dc=corpX,dc=un" "sAMAccountName=user1"
или через ldaps (внимание: в примере ниже LDAPTLS_REQCERT=never отключает проверку сертификата сервера, а пароль передан в командной строке через -w и попадает в историю команд и вывод ps — это допустимо только для отладки; в рабочей конфигурации установите сертификат CA, см. раздел «Установка сертификатов», и используйте -W):
gate# LDAPTLS_REQCERT=never ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -w 'Pa$$w0rd' -H ldaps://server.corpX.un -b "dc=corpX,dc=un" "sAMAccountName=user1"
или с Kerberos GSSAPI аутентификацией (пароль в командной строке не передаётся: билет получается через kinit, а ldapsearch без ключа -x использует SASL):
gate# apt install libsasl2-modules-gssapi-mit
gate# kinit Administrator
gate# ldapsearch -h server -b "dc=corpX,dc=un" "sAMAccountName=user1"
...
msSFU30NisDomain: corpX
uidNumber: 10001
gidNumber: 10001
unixHomeDirectory: /home/user1
loginShell: /bin/sh
...
# ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldap://server -b "dc=corpX,dc=un" "sAMAccountName=guser1"
...
msSFU30NisDomain: corpX
gidNumber: 10001
...
===== Установка библиотеки nss ldap =====
==== Debian/Ubuntu ====
root@gate:~# DEBIAN_FRONTEND=noninteractive apt install libnss-ldap
...
Ответы по умолчанию — сгенерированный установщиком файл всё равно будет полностью заменён конфигурацией из следующего раздела ;)
...
ubuntu# cat /etc/ldap.conf
debian# cat /etc/libnss-ldap.conf
==== FreeBSD ====
[gate:~] # pkg install nss_ldap
[gate:~] # cat /usr/local/etc/nss_ldap.conf
===== Настройка библиотеки nss ldap =====
==== OpenLDAP ====
# nss_ldap client settings for an OpenLDAP directory
# (Debian: /etc/libnss-ldap.conf, Ubuntu: /etc/ldap.conf, FreeBSD: /usr/local/etc/nss_ldap.conf, see above).
# Plain ldap:// — every NSS lookup crosses the network in cleartext.
# NOTE(review): fine for a lab; for production use ldaps:// or StartTLS with the CA
# imported in the "Установка сертификатов" section instead of LDAPTLS_REQCERT=never.
uri ldap://server
base dc=corpX,dc=un
# Trailing comma: presumably a suffix appended to 'base' (ou=People,dc=corpX,dc=un) — verify with 'getent passwd'.
nss_base_passwd ou=People,
nss_base_group ou=Group,
==== Microsoft Active Directory ====
Настройка Active Directory сервера (заполнение POSIX-атрибутов uidNumber/gidNumber/unixHomeDirectory/loginShell или msSFU30*, которые видны в выводе ldapsearch выше) описана в [[Сервис NIS]]
=== 2003 ===
# Windows Server 2003 with Services for UNIX (msSFU30* attribute schema).
host server
base dc=corpX,dc=un
# Bind identity used for every NSS lookup. A plain domain user with read access is enough —
# and is what this example uses (compare the Administrator bind in the 2008/2016 examples below).
binddn cn=user1,cn=Users,dc=corpX,dc=un
# Stored in cleartext. NOTE(review): with libnss-ldap this file is read in-process by every program
# that resolves names through NSS, so it is normally world-readable — use a dedicated password
# for this account that is not reused anywhere else.
bindpw Pa$$w0rd1
scope sub
# '?one' presumably limits the search to one level under cn=Users — verify with 'getent passwd'.
nss_base_passwd cn=Users,dc=corpX,dc=un?one
nss_base_group cn=Users,dc=corpX,dc=un?one
nss_map_objectClass posixAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectClass posixGroup Group
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute loginShell msSFU30LoginShell
=== 2008 ===
# Windows Server 2008: the ldapsearch output above already shows uidNumber/gidNumber/unixHomeDirectory,
# so only the login name, group membership and home directory still need explicit mappings.
host server
base dc=corpX,dc=un
# NOTE(review): binding as the domain Administrator hands domain-admin credentials to every client
# holding this file; a dedicated read-only account (as in the 2003 example) is all NSS lookups need.
binddn cn=Administrator,cn=Users,dc=corpX,dc=un
# Cleartext password, readable by every NSS client process on this host — never reuse it elsewhere.
bindpw Pa$$w0rd
scope sub
nss_base_passwd cn=Users,dc=corpX,dc=un?one
nss_base_group cn=Users,dc=corpX,dc=un?one
nss_map_objectClass posixAccount User
nss_map_objectClass posixGroup Group
nss_map_attribute uid msSFU30Name
# Membership attribute differs from the 2003 example (msSFU30PosixMember there).
nss_map_attribute uniqueMember msSFU30PosixMemberOf
nss_map_attribute homeDirectory unixHomeDirectory
=== 2016/Samba4 ===
# Windows Server 2016 / Samba 4 AD DC.
host server
# Optional LDAPS transport. If you enable the uri line, leave tls_checkpeer at its default and point the
# client at the imported CA (see "Установка сертификатов"): 'tls_checkpeer no' disables server-certificate
# validation and lets anyone who can answer for server.corpX.un impersonate the directory.
# uri ldaps://server.corpX.un/
# tls_checkpeer no
base dc=corpX,dc=un
# NOTE(review): domain Administrator is far more privilege than NSS lookups need — prefer a dedicated read-only account.
binddn cn=Administrator,cn=Users,dc=corpX,dc=un
# Cleartext password, readable by every NSS client process on this host.
bindpw Pa$$w0rd
scope sub
nss_base_passwd cn=Users,dc=corpX,dc=un?one
nss_base_group cn=Users,dc=corpX,dc=un?one
nss_map_objectClass posixAccount User
nss_map_objectClass posixGroup Group
# Login name comes from sAMAccountName here (msSFU30Name in the 2003/2008 examples).
nss_map_attribute uid SamAccountName
# No uniqueMember mapping in this variant, unlike 2003/2008 — verify group membership with 'id user1' after setup.
nss_map_attribute homeDirectory unixHomeDirectory
===== Настройка библиотеки nsswitch =====
root@gate:~# cat /etc/nsswitch.conf
...
# Sources are consulted in order: a local account in /etc/passwd takes precedence over an LDAP entry with the same name.
passwd: files systemd ldap
group: files systemd ldap
# NOTE(review): shadow lookups via LDAP only return anything if the bind identity may read password hashes;
# against AD this entry is effectively unused — confirm which PAM module actually performs authentication.
shadow: files ldap
...
debian# service nscd restart && service nscd reload
# getent passwd user1
# id user1
===== Установка сертификатов =====
* [[Пакет OpenSSL#Импорт сертификата центра сертификации]] — после импорта сертификата CA переменная LDAPTLS_REQCERT=never (ниже) не нужна: она отключает проверку сертификата LDAP-сервера и делает соединение уязвимым к подмене сервера; применяйте её только временно для отладки.
# export LDAPTLS_REQCERT=never
===== Дополнительные материалы =====
==== Изменения в Debian 12 ====
debian12# apt install libnss-ldapd
debian12# grep "^[^#]" /etc/nslcd.conf
# nslcd runs as its own unprivileged user, so /etc/nslcd.conf can be restricted (e.g. root:nslcd, mode 0640):
# a bind password placed here is not exposed to every NSS client the way /etc/libnss-ldap.conf is.
uid nslcd
gid nslcd
# Plain ldap:// transport. NOTE(review): tls_cacertfile below only takes effect with ldaps:// (or StartTLS) —
# confirm which transport is intended.
uri ldap://server/
# NOTE(review): dc=corp20 differs from dc=corpX used in the rest of this page — adjust to your domain.
base dc=corp20,dc=un
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
service nslcd restart
gate# chown -R user1:user1 /home/user1
gate# chown -R user2:user2 /home/user2