User Tools
авторизация_с_использованием_ldap_сервера
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
авторизация_с_использованием_ldap_сервера [2017/07/24 13:27] val [Настройка библиотеки nsswitch] |
авторизация_с_использованием_ldap_сервера [2024/01/23 11:25] val [Microsoft Active Directory] |
||
|---|---|---|---|
| Line 3: | Line 3: | ||
| ===== Установка LDAP клиента ===== | ===== Установка LDAP клиента ===== | ||
| - | ==== FreeBSD ==== | + | * !!! Не требуется для nss_ldap, удобен для отладки |
| - | <code> | + | |
| - | [gate:~] # pkg install openldap-client | + | |
| - | </code> | + | |
| ==== Debian/Ubuntu ==== | ==== Debian/Ubuntu ==== | ||
| + | |||
| <code> | <code> | ||
| root@gate:~# apt install ldap-utils | root@gate:~# apt install ldap-utils | ||
| + | </code> | ||
| + | |||
| + | ==== FreeBSD ==== | ||
| + | <code> | ||
| + | [gate:~] # pkg install openldap-client | ||
| </code> | </code> | ||
| Line 17: | Line 20: | ||
| ==== OpenLDAP ==== | ==== OpenLDAP ==== | ||
| <code> | <code> | ||
| - | gate# ldapsearch -x -b"dc=corpX,dc=un" -h server "uid=user1" | + | gate# ldapsearch -x -b"dc=corpX,dc=un" -H ldap://server "uid=user1" |
| </code> | </code> | ||
| Line 23: | Line 26: | ||
| * Права на чтение атрибутов LDAP ([[http://support.microsoft.com/kb/976063]]) | * Права на чтение атрибутов LDAP ([[http://support.microsoft.com/kb/976063]]) | ||
| + | * [[https://ldap.com/dns-srv-records-for-ldap/|DNS SRV Records for LDAP]] | ||
| <code> | <code> | ||
| - | gate# ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -h server -b "dc=corpX,dc=un" "sAMAccountName=user1" | + | gate# ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldap://server -b "dc=corpX,dc=un" "sAMAccountName=user1" |
| - | gate# LDAPTLS_REQCERT=never ldapsearch -x -D "cn=Administrator,cn=Users,dc=corp6,dc=un" -W -H ldaps://server -b "dc=corp6,dc=un" "sAMAccountName=user1" | + | или через ldaps: |
| - | </code> | + | |
| - | ===== Установка библиотеки nss ldap ===== | + | |
| - | ==== FreeBSD ==== | + | gate# LDAPTLS_REQCERT=never ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -w 'Pa$$w0rd' -H ldaps://server.corpX.un -b "dc=corpX,dc=un" "sAMAccountName=user1" |
| - | <code> | + | |
| - | [gate:~] # pkg install nss_ldap | + | |
| - | [gate:~] # cat /usr/local/etc/nss_ldap.conf | + | или с Kerberos GSSAPI аутентификацией |
| + | |||
| + | gate# apt install libsasl2-modules-gssapi-mit | ||
| + | gate# kinit Administrator | ||
| + | gate# ldapsearch -h server -b "dc=corpX,dc=un" "sAMAccountName=user1" | ||
| + | </code><code> | ||
| + | ... | ||
| + | msSFU30NisDomain: corpX | ||
| + | uidNumber: 10001 | ||
| + | gidNumber: 10001 | ||
| + | unixHomeDirectory: /home/user1 | ||
| + | loginShell: /bin/sh | ||
| + | ... | ||
| + | </code><code> | ||
| + | # ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldap://server -b "dc=corpX,dc=un" "sAMAccountName=guser1" | ||
| + | </code><code> | ||
| + | ... | ||
| + | msSFU30NisDomain: corpX | ||
| + | gidNumber: 10001 | ||
| + | ... | ||
| </code> | </code> | ||
| + | ===== Установка библиотеки nss ldap ===== | ||
| ==== Debian/Ubuntu ==== | ==== Debian/Ubuntu ==== | ||
| <code> | <code> | ||
| - | root@gate:~# apt install libnss-ldap | + | root@gate:~# DEBIAN_FRONTEND=noninteractive apt install libnss-ldap |
| </code><code> | </code><code> | ||
| ... | ... | ||
| Line 49: | Line 69: | ||
| debian# cat /etc/libnss-ldap.conf | debian# cat /etc/libnss-ldap.conf | ||
| + | </code> | ||
| + | |||
| + | ==== FreeBSD ==== | ||
| + | <code> | ||
| + | [gate:~] # pkg install nss_ldap | ||
| + | |||
| + | [gate:~] # cat /usr/local/etc/nss_ldap.conf | ||
| </code> | </code> | ||
| Line 55: | Line 82: | ||
| ==== OpenLDAP ==== | ==== OpenLDAP ==== | ||
| <code> | <code> | ||
| - | host server | + | uri ldap://server |
| base dc=corpX,dc=un | base dc=corpX,dc=un | ||
| - | nss_base_passwd ou=users,dc=corpX,dc=un?one | + | nss_base_passwd ou=People, |
| - | nss_base_group ou=groups,dc=corpX,dc=un?one | + | nss_base_group ou=Group, |
| </code> | </code> | ||
| Line 85: | Line 112: | ||
| </code> | </code> | ||
| - | === 2008/Samba4 === | + | === 2008 === |
| <code> | <code> | ||
| host server | host server | ||
| - | |||
| - | # uri ldaps://server/ | ||
| - | # tls_checkpeer no | ||
| base dc=corpX,dc=un | base dc=corpX,dc=un | ||
| Line 105: | Line 129: | ||
| nss_map_attribute homeDirectory unixHomeDirectory | nss_map_attribute homeDirectory unixHomeDirectory | ||
| </code> | </code> | ||
| + | |||
| + | === 2016/Samba4 === | ||
| + | <code> | ||
| + | host server | ||
| + | |||
| + | # uri ldaps://server.corpX.un/ | ||
| + | # tls_checkpeer no | ||
| + | |||
| + | base dc=corpX,dc=un | ||
| + | binddn cn=Administrator,cn=Users,dc=corpX,dc=un | ||
| + | bindpw Pa$$w0rd | ||
| + | scope sub | ||
| + | nss_base_passwd cn=Users,dc=corpX,dc=un?one | ||
| + | nss_base_group cn=Users,dc=corpX,dc=un?one | ||
| + | nss_map_objectClass posixAccount User | ||
| + | nss_map_objectClass posixGroup Group | ||
| + | nss_map_attribute uid SamAccountName | ||
| + | nss_map_attribute homeDirectory unixHomeDirectory | ||
| + | </code> | ||
| + | |||
| ===== Настройка библиотеки nsswitch ===== | ===== Настройка библиотеки nsswitch ===== | ||
| Line 111: | Line 155: | ||
| </code><code> | </code><code> | ||
| ... | ... | ||
| - | passwd: files ldap | + | passwd: files systemd ldap |
| - | group: files ldap | + | group: files systemd ldap |
| - | #shadow: files ldap # for linux | + | shadow: files ldap |
| - | #gshadow: files ldap # for linux | + | |
| ... | ... | ||
| + | </code><code> | ||
| + | debian# service nscd restart && service nscd reload | ||
| + | |||
| + | # getent passwd user1 | ||
| + | |||
| + | # id user1 | ||
| </code> | </code> | ||
| ===== Установка сертификатов ===== | ===== Установка сертификатов ===== | ||
| - | ==== FreeBSD ==== | + | * [[Пакет OpenSSL#Импорт сертификата центра сертификации]] |
| - | <code> | + | |
| - | # setenv LDAPTLS_REQCERT never | + | |
| - | или | + | |
| - | # pkg install ca_root_nss | + | |
| - | # setenv LDAPTLS_CACERT /usr/local/etc/ssl/cert.pem | + | |
| - | </code> | + | |
| - | ==== Linux ==== | + | |
| <code> | <code> | ||
| # export LDAPTLS_REQCERT=never | # export LDAPTLS_REQCERT=never | ||
| </code> | </code> | ||
авторизация_с_использованием_ldap_сервера.txt · Last modified: 2024/01/26 13:06 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
