LDAP client setup on Ubuntu

==================================

update 2015-03-04

http://ubuntuforums.org/showthread.php?t=1640070

 

==================================

 

1. Installation:

apt-get install libpam-ldap libnss-ldap

Afterwards these packages are present (dpkg -l):

ii ldap-auth-client 0.5.2 meta-package for LDAP authentication
ii ldap-auth-config 0.5.2 Config package for LDAP authentication
ii libldap-2.4-2 2.4.21-0ubuntu5 OpenLDAP libraries
ii libnss-ldap 264-2ubuntu2 NSS module for using LDAP as a naming servic
ii libpam-ldap 184-8.2ubuntu1 Pluggable Authentication Module for LDAP

Interactive configuration after installation (the debconf prompts of ldap-auth-config):

  • Configuring ldap-auth-config:
    • Should debconf manage LDAP configuration? Yes
    • LDAP server Uniform Resource Identifier: ldaps://ldap.neuroimaging.org.au (a full URI including the scheme; ldap:// only if the server offers no TLS at all, in which case every bind, including the password a user types at login, crosses the network in clear)
    • Distinguished name of the search base: dc=example,dc=org
    • LDAP version to use: 3
    • Make local root Database admin: Yes (this DN is written to /etc/ldap.conf as rootbinddn and its password to /etc/ldap.secret, which must stay root-owned with mode 0600)
    • Does the LDAP database require login? No (ordinary NSS lookups then use an anonymous bind)
    • LDAP account for root: cn=admin,dc=example,dc=org
    • LDAP root account password: XXXXXXXX
    • Local crypt to use when changing passwords: md5 (this becomes pam_password in /etc/ldap.conf; md5 stores an unsalted {MD5} hash, exop hands the new password to the server so it can hash it under its own policy)


Configuration:

1. /etc/ldap.conf

uri ldap://10.1.1.11
ldap_version 3
pam_check_host_attr yes
pam_password md5
nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,news,proxy,root,sshd,sync,sys,syslog,uucp,www-data

Only these lines are listed; a base line (dc=example,dc=org, from the debconf step) is still required for lookups to work. Two settings deserve a second look. uri ldap:// with no ssl start_tls line means every PAM bind carries the user's password in clear, so use ldaps:// (or add ssl start_tls) as in the debconf answer above. pam_check_host_attr yes makes pam_ldap consult the host attribute of each user entry: a user whose entry has no host value matching this machine's name (or *) is refused login, which is useful access control but a common cause of "why can't this user log in". nss_initgroups_ignoreusers stops the listed local system accounts from triggering LDAP group lookups at all.


2. /etc/nsswitch.conf

passwd: compat ldap       # append ldap
group: compat ldap       # append ldap
shadow: compat ldap       # append ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files
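Before touching PAM it is worth checking the two files from steps 1 and 2 mechanically. The script below is an added example, not code from the original post or from the libnss-ldap/libpam-ldap packages: it parses ldap.conf and nsswitch.conf, flags a plaintext uri without start_tls, an unverified TLS peer, client-side password hashing, and a database that never got its ldap entry, and checks the mode of the rootbinddn secret file. The file contents are constructed copies of what the post shows (the rootbinddn line is assumed to have been written by the "Make local root Database admin" debconf step); the audit rules are the editor's own, the option names are pam_ldap/nss_ldap's.

```python
"""Offline audit of /etc/ldap.conf and /etc/nsswitch.conf as configured above.
Added example; parsing rules follow ldap.conf(5) of nss_ldap/pam_ldap and
nsswitch.conf(5), the audit rules are the editor's own."""
import os
import stat

# Constructed copy of the post's ldap.conf; rootbinddn assumed to come from debconf.
LDAP_CONF = """\
uri ldap://10.1.1.11
ldap_version 3
rootbinddn cn=admin,dc=example,dc=org
pam_check_host_attr yes
pam_password md5
nss_initgroups_ignoreusers backup,bin,daemon,root,sshd
"""

NSSWITCH_CONF = """\
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
"""

# Constructed: a half-finished edit where only passwd was updated.
NSSWITCH_INCOMPLETE = """\
passwd: compat ldap
group: compat
shadow: compat
"""

def parse_ldap_conf(text):
    """'keyword value' per line; keywords are case-insensitive and may repeat
    (several uri lines), so every value is kept in a list."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def parse_nsswitch(text):
    """'database: source source ...'; '#' starts a comment."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, sources = line.partition(":")
        dbs[db.strip()] = sources.split()
    return dbs

def audit_ldap_conf(conf):
    issues = []
    starttls = "start_tls" in conf.get("ssl", [])
    for value in conf.get("uri", []):
        for uri in value.split():
            if uri.lower().startswith("ldap://") and not starttls:
                issues.append("uri " + uri + ": plaintext LDAP without 'ssl start_tls'; "
                              "every PAM login binds with the user's password in clear")
    for value in conf.get("tls_checkpeer", []):
        if value.lower() == "no":
            issues.append("tls_checkpeer no: server certificate not verified, "
                          "so TLS does not stop an impersonated server")
    for value in conf.get("pam_password", []):
        if value.lower() in ("clear", "crypt", "md5"):
            issues.append("pam_password " + value + ": the client sends or hashes the new "
                          "password itself ({MD5} is unsalted); 'exop' lets the server "
                          "hash it under its own policy")
    return issues

def audit_nsswitch(dbs, required=("passwd", "group", "shadow")):
    """passwd, group and shadow must all list ldap, or lookups silently stay local."""
    return [db + ": 'ldap' missing (sources: " + " ".join(dbs.get(db, [])) + ")"
            for db in required if "ldap" not in dbs.get(db, [])]

def audit_secret_mode(mode, uid, path="/etc/ldap.secret"):
    """/etc/ldap.secret holds the rootbinddn password in clear: root-only, 0600."""
    issues = []
    if uid != 0:
        issues.append(path + ": owned by uid %d, expected root" % uid)
    if mode & 0o077:
        issues.append(path + ": mode %o is readable by group/other; chmod 600" % mode)
    return issues

def audit_secret_file(path="/etc/ldap.secret"):
    st = os.stat(path)
    return audit_secret_mode(stat.S_IMODE(st.st_mode), st.st_uid, path)

def audit_host(ldap_conf="/etc/ldap.conf", nsswitch="/etc/nsswitch.conf"):
    """Run every check against the real files on this machine."""
    with open(ldap_conf) as f:
        conf = parse_ldap_conf(f.read())
    with open(nsswitch) as f:
        dbs = parse_nsswitch(f.read())
    issues = audit_ldap_conf(conf) + audit_nsswitch(dbs)
    if "rootbinddn" in conf:
        issues += audit_secret_file()
    return issues

if __name__ == "__main__":
    demo = audit_ldap_conf(parse_ldap_conf(LDAP_CONF)) + audit_nsswitch(parse_nsswitch(NSSWITCH_INCOMPLETE))
    for issue in demo:
        print("WARN", issue)
```

Run it as root with audit_host() on a freshly configured client; on the post's own ldap.conf it reports the plaintext uri and the md5 password scheme, and on the half-edited nsswitch.conf it names group and shadow as the databases that still lack ldap.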

3. /etc/pam.d/common-account

(The common-* files below are the ones pam-auth-update generates on Ubuntu; libpam-ldap ships a profile for it, and the result should match the stacks shown here. In the account and auth stacks the pam_unix line jumps over both pam_ldap and pam_deny on success, and the pam_ldap line jumps over pam_deny, so only a user that neither module accepts reaches pam_deny; pam_permit at the end is what the jumps land on.)

account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so


4. /etc/pam.d/common-auth

auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so


5. /etc/pam.d/common-password

password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
password requisite pam_deny.so
password required pam_permit.so


6. /etc/pam.d/common-session

session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so


7. /etc/pam.d/common-session-noninteractive

session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_ldap.so
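To check what the auth and account stacks from steps 3 and 4 actually decide for a local user, an LDAP user and a user with a wrong password, here is a small simulator of the Linux-PAM control language described in pam.conf(5). It is an added example, not code from the original post or from Linux-PAM: it models only the subset these stacks use (bracketed action tables, the four keyword shorthands, jump counts, ok/done/bad/die/ignore/reset), the per-module return codes in each scenario are chosen by hand, and BROKEN_AUTH is a constructed variant with the pam_deny line removed, included to show why that line matters.

```python
"""Minimal Linux-PAM stack simulator (pam.conf(5) control semantics).
Added example; models only what the common-* stacks above need."""

FIXED = {"pam_permit.so": "success", "pam_deny.so": "perm_denied"}  # what these two always return

SHORTHAND = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse_control(field):
    """'[code=action ...]' or a keyword shorthand -> {code: action};
    a numeric action is a jump count."""
    table = {}
    for item in SHORTHAND.get(field, field).strip("[]").split():
        code, action = item.split("=", 1)
        table[code] = int(action) if action.isdigit() else action
    return table

def parse_stack(text):
    """pam.d lines -> list of (module, control table); comments and blanks skipped."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _type, rest = line.split(None, 1)
        if rest.startswith("["):
            end = rest.index("]") + 1
            control, rest = rest[:end], rest[end:]
        else:
            control, rest = rest.split(None, 1)
        stack.append((rest.split()[0], parse_control(control)))
    return stack

def evaluate(stack, returns):
    """Walk the stack with the given per-module return codes and give back
    the code PAM would hand to the application."""
    impression, status = None, None      # impression: None / "positive" / "negative"
    i = 0
    while i < len(stack):
        module, table = stack[i]
        code = FIXED.get(module) or returns[module]
        action = table.get(code, table["default"])
        skip = 0
        if isinstance(action, int):      # jump: behaves as 'ok', then skips N entries
            skip, action = action, "ok"
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", code
            if action == "done":
                break
        elif action in ("bad", "die"):
            if impression != "negative":  # the first failure code is the one the app sees
                impression, status = "negative", code
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, None
        elif action != "ignore":
            raise ValueError("unsupported action %r" % action)
        i += 1 + skip
        if i > len(stack):
            raise ValueError("%s: jump of %d overshoots the stack" % (module, skip))
    return status if status is not None else "perm_denied"   # nothing contributed: deny

def decide(stack_text, **returns):
    """decide(COMMON_AUTH, pam_unix='success', pam_ldap='auth_err') -> result code"""
    return evaluate(parse_stack(stack_text), {m + ".so": c for m, c in returns.items()})

COMMON_AUTH = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

COMMON_ACCOUNT = """
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
"""

# Constructed variant: the pam_deny line was removed by hand.
BROKEN_AUTH = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth required pam_permit.so
"""

if __name__ == "__main__":
    print("local user, good password:   ", decide(COMMON_AUTH, pam_unix="success", pam_ldap="user_unknown"))
    print("LDAP user, good password:    ", decide(COMMON_AUTH, pam_unix="user_unknown", pam_ldap="success"))
    print("wrong password everywhere:   ", decide(COMMON_AUTH, pam_unix="auth_err", pam_ldap="auth_err"))
    print("expired local password:      ", decide(COMMON_ACCOUNT, pam_unix="new_authtok_reqd", pam_ldap="user_unknown"))
    print("BROKEN stack, wrong password:", decide(BROKEN_AUTH, pam_unix="auth_err", pam_ldap="auth_err"))
```

The last two lines of each stack are the point: pam_deny only runs when neither module jumped over it, and pam_permit is what the jumps land on so the stack ends with a positive result. new_authtok_reqd=done in common-account returns that code straight to the login program, which then forces a password change for a local user. BROKEN_AUTH shows the failure mode of editing these files by hand: without pam_deny, a password that both modules reject still ends on pam_permit and the login succeeds.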

A good reference:

LDAPClientAuthentication

posted @ 2013-10-16 18:07  silence.li