
Авторизация с использованием LDAP сервера

Установка LDAP клиента

  • !!! Не требуется для nss_ldap, удобен для отладки

Debian/Ubuntu

root@gate:~# apt install ldap-utils

FreeBSD

[gate:~] # pkg install openldap-client

Тестирование доступности каталога с клиентов

OpenLDAP

gate# ldapsearch -x -b"dc=corpX,dc=un" -H ldap://server "uid=user1"

Microsoft Active Directory

gate# ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldap://server -b "dc=corpX,dc=un" "sAMAccountName=user1"

или через ldaps (LDAPTLS_REQCERT=never в примере ниже отключает проверку сертификата сервера, а пароль, переданный через -w, виден в ps и в истории shell — оба приёма только для отладки; в рабочей конфигурации укажите CA-сертификат и используйте -W):

gate# LDAPTLS_REQCERT=never ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -w 'Pa$$w0rd' -H ldaps://server.corpX.un -b "dc=corpX,dc=un" "sAMAccountName=user1"

или с Kerberos GSSAPI аутентификацией

gate# apt install libsasl2-modules-gssapi-mit
gate# kinit Administrator
gate# ldapsearch -h server -b "dc=corpX,dc=un" "sAMAccountName=user1"
...
msSFU30NisDomain: corpX
uidNumber: 10001
gidNumber: 10001
unixHomeDirectory: /home/user1
loginShell: /bin/sh
...
# ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldap://server -b "dc=corpX,dc=un" "sAMAccountName=guser1"
...
msSFU30NisDomain: corpX
gidNumber: 10001
...

Установка библиотеки nss ldap

Debian/Ubuntu

root@gate:~# DEBIAN_FRONTEND=noninteractive apt install libnss-ldap
...
Ответы по умолчанию, все равно все сотрем;)
...
ubuntu# cat /etc/ldap.conf

debian# cat /etc/libnss-ldap.conf

FreeBSD

[gate:~] # pkg install nss_ldap

[gate:~] # cat /usr/local/etc/nss_ldap.conf

Настройка библиотеки nss ldap

OpenLDAP

# nss_ldap pointed at an OpenLDAP server. No binddn/bindpw is given, so lookups
# presumably bind anonymously — confirm the directory allows anonymous read of
# the People/Group subtrees.
# ldap:// is a plaintext transport: account data crosses the network unencrypted.
# Prefer ldaps:// or STARTTLS where the server supports it.
uri ldap://server
base dc=corpX,dc=un
# Trailing comma: nss_ldap appends the "base" DN above to these search bases.
nss_base_passwd ou=People,
nss_base_group ou=Group,

Microsoft Active Directory

Настройка Active Directory сервера (Сервис NIS)

2003

# nss_ldap against a Windows 2003 AD with Services for UNIX (msSFU30*) attributes.
host server
base dc=corpX,dc=un
# Bind account used for every lookup. nss_ldap is loaded into each process that
# resolves users, so this file is typically world-readable and bindpw sits in it
# in cleartext — keep the bind account unprivileged and read-only (as here: a
# plain user, not an administrator). "host" without TLS means the bind password
# also crosses the network in clear.
binddn cn=user1,cn=Users,dc=corpX,dc=un
bindpw Pa$$w0rd1
scope sub
# "?one": search only one level below cn=Users.
nss_base_passwd         cn=Users,dc=corpX,dc=un?one
nss_base_group          cn=Users,dc=corpX,dc=un?one
# Map the POSIX schema names nss_ldap expects onto AD / SFU 3.0 classes and attributes.
nss_map_objectClass posixAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectClass posixGroup Group
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute loginShell msSFU30LoginShell

2008

# nss_ldap against a Windows 2008 AD (RFC 2307 attributes such as unixHomeDirectory
# are available directly; only a few msSFU30 mappings remain).
host server

base dc=corpX,dc=un
# NOTE(review): this binds as the domain Administrator and stores its password in
# cleartext in a file that nss_ldap needs readable by every process on the host.
# Any local user can read these domain-admin credentials. Use a dedicated
# read-only lookup account instead (compare the 2003 example above, which binds as
# an ordinary user).
binddn cn=Administrator,cn=Users,dc=corpX,dc=un
bindpw Pa$$w0rd
scope sub
# "?one": search only one level below cn=Users.
nss_base_passwd         cn=Users,dc=corpX,dc=un?one
nss_base_group          cn=Users,dc=corpX,dc=un?one
nss_map_objectClass posixAccount User
nss_map_objectClass posixGroup Group
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMemberOf
nss_map_attribute homeDirectory unixHomeDirectory

2016/Samba4

# nss_ldap against Windows 2016 AD or Samba4 (sAMAccountName used as the POSIX uid).
host server

# The two commented lines below switch to ldaps:// but with tls_checkpeer off,
# i.e. the server certificate is not verified — this leaves the connection open to
# a man-in-the-middle and is a debugging setting only. If ldaps is enabled, keep
# peer checking on and point tls_cacertfile at the issuing CA instead.
# uri ldaps://server.corpX.un/
# tls_checkpeer no

base dc=corpX,dc=un
# NOTE(review): domain Administrator credentials in cleartext in a world-readable
# nss config (see the 2008 example above); a dedicated read-only lookup account is
# the safer choice.
binddn cn=Administrator,cn=Users,dc=corpX,dc=un
bindpw Pa$$w0rd
scope sub
# "?one": search only one level below cn=Users.
nss_base_passwd         cn=Users,dc=corpX,dc=un?one
nss_base_group          cn=Users,dc=corpX,dc=un?one
nss_map_objectClass posixAccount User
nss_map_objectClass posixGroup Group
nss_map_attribute uid SamAccountName
nss_map_attribute homeDirectory unixHomeDirectory

Настройка библиотеки nsswitch

root@gate:~# cat /etc/nsswitch.conf
...
# Sources are consulted left to right: local /etc/passwd and /etc/group entries win
# over LDAP, so a local account with the same name shadows the directory account.
passwd:         files systemd ldap
group:          files systemd ldap
# shadow: only local files are consulted before LDAP; for AD the shadow map is not
# meaningful, authentication itself is handled by PAM, not by this line.
shadow:         files ldap
...
debian# service nscd restart && service nscd reload

# getent passwd user1

# id user1

Установка сертификатов

Дополнительные материалы

Изменения в Debian 12

debian12# apt install libnss-ldapd

debian12# grep "^[^#]"  /etc/nslcd.conf
# nslcd (libnss-ldapd): lookups go through the nslcd daemon, which drops to this
# user/group, so the config presumably no longer has to be world-readable and can be
# restricted to root and the nslcd group — confirm the file mode after install.
uid nslcd
gid nslcd
# Plain ldap:// transport. tls_cacertfile below only takes effect once TLS is in use
# (an ldaps:// uri or STARTTLS); with this uri the session is unencrypted — verify.
uri ldap://server/
# Note: the base here is dc=corp20,dc=un, not dc=corpX,dc=un as elsewhere on this page.
base dc=corp20,dc=un
# No binddn/bindpw: lookups bind anonymously.
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

service nslcd restart

gate# chown -R user1:user1 /home/user1
gate# chown -R user2:user2 /home/user2