##############################

##### unit8.ldap网络帐号 ######

##############################

 

 

####1.ldap是什么####

LDAP(轻量目录访问协议)是一种集中存放账号等信息、供客户端查询并据此认证的目录服务,与Windows的活动目录(AD)类似;本节把Linux主机配置为LDAP(用户信息)+Kerberos(密码认证)的客户端

 

####2.ldap客户端所需软件####

[root@desktop19 ~]# yum install sssd krb5-workstation -y

 

####3.如何开启ldap用户认证####

[root@desktop19 ~]# id ldapuser1##查看ldapuser1用户,此时并没有该用户

id: ldapuser1: no such user

[root@desktop19 ~]# authconfig-tui

 

     ┌────────────────┤ Authentication Configuration ├─────────┐

     │                                                                    

     │  User Information        Authentication                            

     │  [ ] Cache Information   [ ] Use MD5 Passwords                      

     │  [*] Use LDAP           [*] Use Shadow Passwords                    

     │  [ ] Use NIS             [ ] Use LDAP Authentication                  

     │  [ ] Use IPAv2           [*] Use Kerberos                            

     │  [ ] Use Winbind         [ ] Use Fingerprint reader                    

     │                          [ ] Use Winbind Authentication              

     │                         [*] Local authorization is sufficient      

     │                                                                     

     │            ┌────────┐                      ┌──────┐          │

     │            │ Cancel  │                       Next   │          │

     │            └────────┘                      └──────┘          │

     │                                                                    

     │                                                                    

     └───────────────────────────────────────

            ┌─────────────────┤ LDAP Settings ├────────

            │                                                      

            │          [*] Use TLS                                

            │  Server: ldap://classroom.example.com/___________     

            │ Base DN: dc=example,dc=com_______________________

            │                                                   

            │         ┌──────┐                ┌──────┐          

            │         │ Back  │                │ Next  │         

            │         └──────┘                └──────┘             

            │                                                       │

            │                                                   

            └───────────────────────────────────┘

          ┌─────────────────┤ Kerberos Settings ├─────────┐

          │                                                        

          │        Realm: EXAMPLE.COM_____________________________

          │          KDC: classroom.example.com___________________

          │ Admin Server: classroom.example.com___________________    

          │               [ ] Use DNS to resolve hosts to realms   

          │               [ ] Use DNS to locate KDCs for realms    

          │                                                        

          │          ┌──────┐                    ┌────┐            

          │          │ Back │                    │ Ok │            

          │          └──────┘                    └────┘            

          │                                                        

          │                                                        

          └────────────────────────────────────┘

            ┌────────────────┤ Warning ├───────┐

            │                                            

            │ To connect to a LDAP server with TLS      

            │ protocol enabled you need a CA certificate

            │ which signed your server's certificate.    

            │ Copy the certificate in the PEM format to  

            │ the '/etc/openldap/cacerts' directory.     

            │ Then press OK.                            

            │                                            

            │                  ┌────┐                  

            │                  │ Ok  │                   

            │                  └────┘                   

            │                                            

            │                                            

            └─────────────────────────────┘

##该警告界面是因为tls的证书缺失,需要到服务器端下载所需要的CA证书到/etc/openldap/cacerts。注意:下面是用明文HTTP下载的,而这个证书正是LDAP over TLS的信任根,若网络不可信它可能被中间人替换;实验环境可以接受,生产环境应通过HTTPS获取,或下载后用 openssl x509 -in example-ca.crt -noout -fingerprint -sha256 与管理员带外核对指纹

[root@desktop19 ~]# cd /etc/openldap/cacerts/

[root@desktop19 cacerts]# wget http://172.25.254.254/pub/example-ca.crt##下载证书

--2016-11-12 20:41:25--  http://172.25.254.254/pub/example-ca.crt

Connecting to 172.25.254.254:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1220 (1.2K)

Saving to: example-ca.crt

 

100%[=================================>] 1,220       --.-K/s   in 0s      

 

2016-11-12 20:41:25 (273 MB/s) - example-ca.crtsaved [1220/1220]

 

[root@desktop19 cacerts]# ls

example-ca.crt

===========以下两步是先将认证关闭,再开启(证书放好后重新跑一遍authconfig,让配置在CA证书已就位的情况下重新生成)===========

[root@desktop19 cacerts]# authconfig-tui

 

     ┌────────────┤ Authentication Configuration ├───────────┐

     │                                                                 │

     │  User Information        Authentication                         │

     │  [ ] Cache Information   [ ] Use MD5 Passwords                  │

     │  [ ] Use LDAP            [*] Use Shadow Passwords               │

     │  [ ] Use NIS             [ ] Use LDAP Authentication            

     │  [ ] Use IPAv2           [ ] Use Kerberos                       

     │  [ ] Use Winbind         [ ] Use Fingerprint reader             

     │                          [ ] Use Winbind Authentication         

     │                          [*] Local authorization is sufficient   

     │                                                                   | 

     │            ┌────────┐                      ┌──────┐    │

     │            │ Cancel │                       Next │   │

     │            └────────┘                      └──────┘    │

     │                                                                 

     │                                                                

     └─────────────────────────────────────┘

[root@desktop19 cacerts]# authconfig-tui

 

     ┌────────────────┤ Authentication Configuration ├─────────┐

     │                                                                 │

     │  User Information        Authentication                           

     │  [ ] Cache Information   [ ] Use MD5 Passwords                    

     │  [*] Use LDAP            [*] Use Shadow Passwords               │

     │  [ ] Use NIS             [ ] Use LDAP Authentication              

     │  [ ] Use IPAv2           [*] Use Kerberos                         

     │  [ ] Use Winbind         [ ] Use Fingerprint reader               

     │                          [ ] Use Winbind Authentication           

     │                          [*] Local authorization is sufficient  │

     │                                                                 │

     │            ┌────────┐                      ┌──────┐          |

     │            │ Cancel │                       Next   │          │

     │            └────────┘                      └──────┘          │

     │                                                                    

     │                                                                    

     └────────────────────────────────────────┘

##后续的配置不变

 

登陆检测:

[root@desktop19 cacerts]# id ldapuser1

uid=1701(ldapuser1) gid=1701(ldapuser1) groups=1701(ldapuser1)

[root@desktop19 cacerts]# getent passwd ldapuser1##如果用户信息可以正常显示,说明客户端已能通过sssd从LDAP查询到用户(身份查询正常);这只验证了用户信息查找,密码能否通过Kerberos认证需要以该用户实际登录(如ssh)来确认

ldapuser1:*:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash

[root@desktop19 cacerts]# su - ldapuser1##可以切换到该用户,但因为没有家目录,所以不能进行操作(注意:root执行su不需要输入密码,因此这一步并没有验证Kerberos密码认证)

su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory

mkdir: cannot create directory '/home/guests': Permission denied

-bash-4.2$ whoami

ldapuser1

-bash-4.2$ logout

[root@desktop19 cacerts]#

 

列出所有用户

[root@localhost ~]# vim /etc/sssd/sssd.conf

 16 enumerate = True##注意:该条配置必须写在[domain/default]的下面;开启枚举后sssd会把目录中的全部用户/组拉取并缓存到本地,目录较大时开销明显,通常只在实验或小规模环境启用

[root@localhost ~]# systemctl restart sssd

 

####4.自动挂载用户家目录####

[root@desktop19 cacerts]# yum install autofs.x86_64

[root@desktop19 cacerts]# vim /etc/auto.master

 14 /home/guests    /etc/auto.ldap

 

[root@desktop19 cacerts]# vim /etc/auto.ldap

  1 ldapuser1       172.25.254.254:/home/guests/ldapuser1

  1 *    172.25.254.254:/home/guests/&##通配符写法:任意用户名都映射到NFS上的同名目录,与上一行只写一种即可

 

[root@desktop19 cacerts]# systemctl restart autofs

[root@desktop19 cacerts]# systemctl enable autofs

 

 

 

 

 

补充:

shell脚本实现该实验(需以root运行):

[root@localhost ~]# vim /mnt/ldapuser_create.sh

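#!/usr/bin/env bash
# Configure this host as an LDAP (user information) + Kerberos (password)
# client via sssd, then set up autofs so LDAP users' home directories are
# mounted from the classroom NFS server on first login.  Must run as root.
#
# Site-specific values are hard-coded for the classroom lab; each one can be
# overridden through the environment (e.g. LDAP_SERVER=ldap.example.org ./x.sh).
set -euo pipefail

readonly LDAP_SERVER="${LDAP_SERVER:-classroom.example.com}"
readonly LDAP_BASEDN="${LDAP_BASEDN:-dc=example,dc=com}"
readonly KRB5_REALM="${KRB5_REALM:-EXAMPLE.COM}"
readonly KRB5_KDC="${KRB5_KDC:-classroom.example.com}"
readonly KRB5_ADMIN="${KRB5_ADMIN:-classroom.example.com}"
readonly CA_CERT_URL="${CA_CERT_URL:-http://172.25.254.254/pub/example-ca.crt}"
readonly NFS_SERVER="${NFS_SERVER:-172.25.254.254}"
readonly HOME_BASE="/home/guests"
readonly AUTO_MAP="/etc/auto.ldap"

# Print a message to stderr and abort.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Install the sssd/Kerberos client packages plus autofs (the manual steps
# install autofs separately; the script previously forgot it).  Output is no
# longer sent to /dev/null so a failed install is visible, and set -e stops
# the script instead of silently continuing to authconfig.
install_packages() {
  echo "install software ing ..."
  yum install -y -q sssd krb5-workstation autofs
}

# Run authconfig once with every option on a single logical command line.
# The original script was missing the line continuation after --krb5kdc, so
# --krb5adminserver/--enablesssd/--enablesssdauth/--update were executed as a
# separate (failing) command and the configuration was never written.
configure_auth() {
  echo "config ldap auth client ing ..."
  # NOTE(review): the CA certificate that anchors LDAP-over-TLS is fetched
  # over plain HTTP, so anyone on the path could substitute their own CA and
  # then impersonate the LDAP server.  Acceptable only on the isolated lab
  # network; elsewhere serve it over HTTPS or verify the fingerprint out of
  # band afterwards, e.g.
  #   openssl x509 -in /etc/openldap/cacerts/example-ca.crt -noout -fingerprint -sha256
  authconfig \
    --enableldap \
    --enablekrb5 \
    --disableldapauth \
    --enableldaptls \
    --ldaploadcacert="$CA_CERT_URL" \
    --ldapserver="$LDAP_SERVER" \
    --ldapbasedn="$LDAP_BASEDN" \
    --krb5realm="$KRB5_REALM" \
    --krb5kdc="$KRB5_KDC" \
    --krb5adminserver="$KRB5_ADMIN" \
    --enablesssd \
    --enablesssdauth \
    --update
}

# Add the autofs master entry and the wildcard map, once: re-running the
# script must not append duplicate lines.  The original echo commands lacked
# the whitespace between mount point and map file ("/home/guests/etc/auto.ldap")
# and between '*' and the NFS path ("*172.25.254.254:..."), producing entries
# autofs cannot parse.
configure_autofs() {
  echo "config ldap user's home directory ing ..."
  local master_entry="$HOME_BASE    $AUTO_MAP"
  local map_entry="*    $NFS_SERVER:$HOME_BASE/&"
  # grep's stderr is silenced on purpose: the map file may not exist yet.
  grep -qxF -- "$master_entry" /etc/auto.master 2>/dev/null \
    || printf '%s\n' "$master_entry" >> /etc/auto.master
  grep -qxF -- "$map_entry" "$AUTO_MAP" 2>/dev/null \
    || printf '%s\n' "$map_entry" >> "$AUTO_MAP"
  systemctl restart autofs
  systemctl enable autofs
}

main() {
  [[ "$EUID" -eq 0 ]] || die "must be run as root"
  install_packages
  configure_auth
  configure_autofs
  echo "all is successfull !!!"
}
main "$@"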