This shows you the differences between two versions of the page.
авторизация_с_использованием_ldap_сервера [2021/03/09 11:00] val [Настройка библиотеки nsswitch] |
авторизация_с_использованием_ldap_сервера [2024/01/23 11:25] val [Microsoft Active Directory] |
||
---|---|---|---|
Line 3: | Line 3: | ||
===== Установка LDAP клиента ===== | ===== Установка LDAP клиента ===== | ||
- | !!! Не требуется для nss_ldap, удобен для отладки | + | * !!! Не требуется для nss_ldap, удобен для отладки |
==== Debian/Ubuntu ==== | ==== Debian/Ubuntu ==== | ||
Line 26: | Line 26: | ||
* Права на чтение атрибутов LDAP ([[http://support.microsoft.com/kb/976063]]) | * Права на чтение атрибутов LDAP ([[http://support.microsoft.com/kb/976063]]) | ||
+ | * [[https://ldap.com/dns-srv-records-for-ldap/|DNS SRV Records for LDAP]] | ||
<code> | <code> | ||
- | gate# ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -h server -b "dc=corpX,dc=un" "sAMAccountName=user1" | + | gate# ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldap://server -b "dc=corpX,dc=un" "sAMAccountName=user1" |
или через ldaps: | или через ldaps: | ||
gate# LDAPTLS_REQCERT=never ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -w 'Pa$$w0rd' -H ldaps://server.corpX.un -b "dc=corpX,dc=un" "sAMAccountName=user1" | gate# LDAPTLS_REQCERT=never ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -w 'Pa$$w0rd' -H ldaps://server.corpX.un -b "dc=corpX,dc=un" "sAMAccountName=user1" | ||
+ | |||
+ | или с Kerberos GSSAPI аутентификацией | ||
+ | |||
+ | gate# apt install libsasl2-modules-gssapi-mit | ||
+ | gate# kinit Administrator | ||
+ | gate# ldapsearch -h server -b "dc=corpX,dc=un" "sAMAccountName=user1" | ||
</code><code> | </code><code> | ||
... | ... | ||
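Review bot: the new GSSAPI example still calls `ldapsearch -h server`, although the first line of this same hunk replaces `-h server` with `-H ldap://server`. Use the URI form here as well, for example `ldapsearch -H ldap://server.corpX.un -b "dc=corpX,dc=un" "sAMAccountName=user1"`, so the page is consistent and does not depend on the deprecated option. It would also help to say in one line that this variant needs no `-x`, `-D` or `-W` because the ticket obtained by `kinit Administrator` is used for the bind.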
Line 42: | Line 49: | ||
... | ... | ||
</code><code> | </code><code> | ||
- | # ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -h server -b "dc=corpX,dc=un" "sAMAccountName=guser1" | + | # ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldap://server -b "dc=corpX,dc=un" "sAMAccountName=guser1" |
</code><code> | </code><code> | ||
... | ... | ||
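Review bot: the updated command still does a simple bind (`-x -D ... -W`) as Administrator over plain `ldap://server`, so the bind password crosses the network unencrypted. Since the line is being touched anyway, consider adding `-ZZ` to require StartTLS or pointing to the `ldaps://server.corpX.un` form shown earlier on the page, and note which of the two the lab setup expects.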
Line 53: | Line 60: | ||
==== Debian/Ubuntu ==== | ==== Debian/Ubuntu ==== | ||
<code> | <code> | ||
- | root@gate:~# apt install libnss-ldap | + | root@gate:~# DEBIAN_FRONTEND=noninteractive apt install libnss-ldap |
</code><code> | </code><code> | ||
... | ... | ||
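Review bot: `DEBIAN_FRONTEND=noninteractive` on the `apt install libnss-ldap` line suppresses the package's debconf questions, so the package is installed with default settings and nothing tells the reader that. Add a short remark next to the command that the LDAP server URI and search base are not asked for at install time and must be set by hand in the configuration step that follows.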
Line 155: | Line 162: | ||
debian# service nscd restart && service nscd reload | debian# service nscd restart && service nscd reload | ||
- | # getent passwd | + | # getent passwd user1 |
# id user1 | # id user1 | ||
Line 162: | Line 169: | ||
===== Установка сертификатов ===== | ===== Установка сертификатов ===== | ||
- | ==== FreeBSD ==== | + | * [[Пакет OpenSSL#Импорт сертификата центра сертификации]] |
- | <code> | + | |
- | # setenv LDAPTLS_REQCERT never | + | |
- | или | + | |
- | # pkg install ca_root_nss | + | |
- | # setenv LDAPTLS_CACERT /usr/local/etc/ssl/cert.pem | + | |
- | </code> | + | |
- | ==== Linux ==== | + | |
<code> | <code> | ||
# export LDAPTLS_REQCERT=never | # export LDAPTLS_REQCERT=never | ||
</code> | </code> |
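Review bot: after the FreeBSD block is removed, the only command left under the certificate installation heading is `export LDAPTLS_REQCERT=never`, which turns server certificate verification off rather than installing anything. The removed lines were the only place that showed `LDAPTLS_CACERT`. Keep one example that points `LDAPTLS_CACERT` at the CA certificate imported via the newly linked OpenSSL page, and mark `LDAPTLS_REQCERT=never` as a debugging shortcut.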