авторизация_с_использованием_ldap_сервера [2019/06/28 12:09] val |
авторизация_с_использованием_ldap_сервера [2024/01/26 13:06] (current) val [Установка сертификатов] |
Line 3: | Line 3: | ||
===== Установка LDAP клиента ===== | ===== Установка LDAP клиента ===== | ||
- | ==== FreeBSD ==== | + | * !!! Не требуется для nss_ldap, удобен для отладки |
- | <code> | + | |
- | [gate:~] # pkg install openldap-client | + | |
- | </code> | + | |
==== Debian/Ubuntu ==== | ==== Debian/Ubuntu ==== | ||
+ | |||
<code> | <code> | ||
root@gate:~# apt install ldap-utils | root@gate:~# apt install ldap-utils | ||
+ | </code> | ||
+ | |||
+ | ==== FreeBSD ==== | ||
+ | <code> | ||
+ | [gate:~] # pkg install openldap-client | ||
</code> | </code> | ||
Line 17: | Line 20: | ||
==== OpenLDAP ==== | ==== OpenLDAP ==== | ||
<code> | <code> | ||
- | gate# ldapsearch -x -b"dc=corpX,dc=un" -h server "uid=user1" | + | gate# ldapsearch -x -b"dc=corpX,dc=un" -H ldap://server "uid=user1" |
</code> | </code> | ||
Line 23: | Line 26: | ||
* Права на чтение атрибутов LDAP ([[http://support.microsoft.com/kb/976063]]) | * Права на чтение атрибутов LDAP ([[http://support.microsoft.com/kb/976063]]) | ||
+ | * [[https://ldap.com/dns-srv-records-for-ldap/|DNS SRV Records for LDAP]] | ||
<code> | <code> | ||
- | gate# ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -h server -b "dc=corpX,dc=un" "sAMAccountName=user1" | + | gate# ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldap://server -b "dc=corpX,dc=un" "sAMAccountName=user1" |
или через ldaps: | или через ldaps: | ||
- | gate# LDAPTLS_REQCERT=never ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldaps://server -b "dc=corpX,dc=un" "sAMAccountName=user1" | + | gate# LDAPTLS_REQCERT=never ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -w 'Pa$$w0rd' -H ldaps://server.corpX.un -b "dc=corpX,dc=un" "sAMAccountName=user1" |
+ | |||
+ | или с Kerberos GSSAPI аутентификацией | ||
+ | |||
+ | gate# apt install libsasl2-modules-gssapi-mit | ||
+ | gate# kinit Administrator | ||
+ | gate# ldapsearch -h server -b "dc=corpX,dc=un" "sAMAccountName=user1" | ||
</code><code> | </code><code> | ||
... | ... | ||
+ | msSFU30NisDomain: corpX | ||
uidNumber: 10001 | uidNumber: 10001 | ||
gidNumber: 10001 | gidNumber: 10001 | ||
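Review bot: The ldaps example on the `gate# LDAPTLS_REQCERT=never ldapsearch …` line now embeds the bind password as `-w 'Pa$$w0rd'`, where the previous revision used `-W`; a password given on the command line is kept in the shell history and is readable by other local users through the process list while the command runs. `-W` (interactive prompt) or `-y /path/to/password-file` (placeholder path) keeps it out of both and works the same with `-H ldaps://`. The same line still carries `LDAPTLS_REQCERT=never`, so the bind credentials go to whatever presents a certificate for server.corpX.un; once the CA has been imported as the later "Установка сертификатов" section describes, that variable should be dropped from the example. The new GSSAPI example on `gate# ldapsearch -h server …` also keeps the deprecated `-h` form that this revision replaces with `-H ldap://server` on the other lines.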
Line 38: | Line 49: | ||
... | ... | ||
</code><code> | </code><code> | ||
- | # ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -h server -b "dc=corpX,dc=un" "sAMAccountName=guser1" | + | # ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldap://server -b "dc=corpX,dc=un" "sAMAccountName=guser1" |
</code><code> | </code><code> | ||
... | ... | ||
+ | msSFU30NisDomain: corpX | ||
gidNumber: 10001 | gidNumber: 10001 | ||
- | ... | ||
- | </code><code> | ||
- | # ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -h server -b "dc=corpX,dc=un" "sAMAccountName=group1" | ||
- | </code><code> | ||
- | ... | ||
- | gidNumber: 15001 | ||
- | memberUid: user2 | ||
- | memberUid: user1 | ||
... | ... | ||
</code> | </code> | ||
===== Установка библиотеки nss ldap ===== | ===== Установка библиотеки nss ldap ===== | ||
- | |||
- | ==== FreeBSD ==== | ||
- | <code> | ||
- | [gate:~] # pkg install nss_ldap | ||
- | |||
- | [gate:~] # cat /usr/local/etc/nss_ldap.conf | ||
- | </code> | ||
==== Debian/Ubuntu ==== | ==== Debian/Ubuntu ==== | ||
<code> | <code> | ||
- | root@gate:~# apt install libnss-ldap | + | root@gate:~# DEBIAN_FRONTEND=noninteractive apt install libnss-ldap |
</code><code> | </code><code> | ||
... | ... | ||
Line 72: | Line 69: | ||
debian# cat /etc/libnss-ldap.conf | debian# cat /etc/libnss-ldap.conf | ||
+ | </code> | ||
+ | |||
+ | ==== FreeBSD ==== | ||
+ | <code> | ||
+ | [gate:~] # pkg install nss_ldap | ||
+ | |||
+ | [gate:~] # cat /usr/local/etc/nss_ldap.conf | ||
</code> | </code> | ||
Line 78: | Line 82: | ||
==== OpenLDAP ==== | ==== OpenLDAP ==== | ||
<code> | <code> | ||
- | host server | + | uri ldap://server |
base dc=corpX,dc=un | base dc=corpX,dc=un | ||
- | nss_base_passwd ou=users,dc=corpX,dc=un?one | + | nss_base_passwd ou=People, |
- | nss_base_group ou=groups,dc=corpX,dc=un?one | + | nss_base_group ou=Group, |
</code> | </code> | ||
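Review bot: The new `nss_base_passwd ou=People,` and `nss_base_group ou=Group,` lines end right after the comma, so the suffix and scope that the previous revision spelled out (`…,dc=corpX,dc=un?one`) are missing from the shown text. If this is only an artifact of the diff rendering it can be ignored; if it is the saved page text, the client will not be able to resolve either search base. The block still shows `base dc=corpX,dc=un`, so presumably the same suffix is intended for both lines.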
Line 108: | Line 112: | ||
</code> | </code> | ||
- | === 2008/Samba4 === | + | === 2008 === |
<code> | <code> | ||
host server | host server | ||
- | |||
- | # uri ldaps://server/ | ||
- | # tls_checkpeer no | ||
base dc=corpX,dc=un | base dc=corpX,dc=un | ||
Line 129: | Line 130: | ||
</code> | </code> | ||
- | === 2016 === | + | === 2016/Samba4 === |
<code> | <code> | ||
host server | host server | ||
+ | |||
+ | # uri ldaps://server.corpX.un/ | ||
+ | # tls_checkpeer no | ||
base dc=corpX,dc=un | base dc=corpX,dc=un | ||
Line 151: | Line 155: | ||
</code><code> | </code><code> | ||
... | ... | ||
- | passwd: files ldap | + | passwd: files systemd ldap |
- | group: files ldap | + | group: files systemd ldap |
- | #shadow: files ldap # for linux | + | shadow: files ldap |
- | #gshadow: files ldap # for linux, may be no need? | + | |
... | ... | ||
</code><code> | </code><code> | ||
- | debian# service nscd restart | + | debian# service nscd restart && service nscd reload |
- | debian# service nscd reload | + | # getent passwd user1 |
- | + | ||
- | # getent passwd | + | |
# id user1 | # id user1 | ||
</code> | </code> | ||
- | ===== Решение проблемы доверенности сертификатов ===== | + | ===== Установка сертификатов ===== |
* [[Пакет OpenSSL#Импорт сертификата центра сертификации]] | * [[Пакет OpenSSL#Импорт сертификата центра сертификации]] | ||
- | ==== Отключение проверки ==== | ||
<code> | <code> | ||
# export LDAPTLS_REQCERT=never | # export LDAPTLS_REQCERT=never | ||
</code> | </code> | ||
+ | ===== Дополнительные материалы ===== | ||
+ | ==== Изменения в Debian 12 ==== | ||
+ | <code> | ||
+ | debian12# apt install libnss-ldapd | ||
+ | |||
+ | debian12# grep "^[^#]" /etc/nslcd.conf | ||
+ | uid nslcd | ||
+ | gid nslcd | ||
+ | uri ldap://server/ | ||
+ | base dc=corp20,dc=un | ||
+ | tls_cacertfile /etc/ssl/certs/ca-certificates.crt | ||
+ | |||
+ | service nslcd restart | ||
+ | |||
+ | gate# chown -R user1:user1 /home/user1 | ||
+ | gate# chown -R user2:user2 /home/user2 | ||
+ | </code> |
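Review bot: In the new Debian 12 block, `/etc/nslcd.conf` sets `tls_cacertfile /etc/ssl/certs/ca-certificates.crt`, but the `uri ldap://server/` line selects plain LDAP and no `ssl start_tls` line appears in the grep output, so as far as the excerpt shows the CA file is never consulted and directory lookups travel unencrypted; changing the uri to `ldaps://server/` or adding `ssl start_tls` is what makes the tls_cacertfile setting take effect. The same hunk turns `#shadow: files ldap` into `shadow: files ldap`, and since no binddn/bindpw is shown nslcd presumably binds anonymously, so a one-line note on whether the server returns shadow attributes to anonymous clients would help readers. The `service nslcd restart` line also lacks the `debian12#` prompt used by the neighbouring commands.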