##############################
##### unit8.ldap网络帐号 ######
##############################
####1.ldap是什么####
ldap(轻量目录访问协议)是一种目录服务,用于集中存放并查询用户、组等账号信息,和 Windows 活动目录类似。本实验中 ldap 只提供用户身份信息(uid、家目录等),密码认证由 Kerberos 完成(下面 authconfig 中"Use LDAP Authentication"不勾选、"Use Kerberos"勾选)。
####2.ldap客户端所需软件####
[root@desktop19 ~]# yum install sssd krb5-workstation -y
####3.如何开启ldap用户认证####
[root@desktop19 ~]# id ldapuser1##查看ldapuser1用户,此时并没有该用户
id: ldapuser1: no such user
[root@desktop19 ~]# authconfig-tui
Authentication Configuration ├─────────┐
│ │
│ User Information Authentication │
│ [ ] Cache Information [ ] Use MD5 Passwords │
│ [*] Use LDAP [*] Use Shadow Passwords │
│ [ ] Use NIS [ ] Use LDAP Authentication │
│ [ ] Use IPAv2 [*] Use Kerberos │
│ [ ] Use Winbind [ ] Use Fingerprint reader │
│ [ ] Use Winbind Authentication │
│ [*] Local authorization is sufficient │
│ │
│ ┌────────┐ ┌──────┐ │
│ │ Cancel │ │ Next │ │
│ └────────┘ └──────┘ │
│ │
│ │
└───────────────────────────────────────—┘
LDAP Settings ├────────—┐
│ │
│ [*] Use TLS │
│ Server: ldap://cla***oom.example.com/___________ │
│ Base DN: dc=example,dc=com_______________________ │
│ │
│ ┌──────┐ ┌──────┐ │
│ │ Back │ │ Next │ │
│ └──────┘ └──────┘ │
│ │
│ │
└───────────────────────────────────┘
Kerberos Settings ├─────────┐
│ │
│ Realm: EXAMPLE.COM_____________________________ │
│ KDC: cla***oom.example.com___________________ │
│ Admin Server: cla***oom.example.com___________________ │
[ ] Use DNS to resolve hosts to realms │
[ ] Use DNS to locate KDCs for realms │
│ │
│ ┌──────┐ ┌────┐ │
│ │ Back │ │ Ok │ │
│ └──────┘ └────┘ │
│ │
│ │
└────────────────────────────────────┘
Warning ├───────┐
│ │
To connect to a LDAP server with TLS │
protocol enabled you need a CA certificate │
which signed your server's certificate. │
Copy the certificate in the PEM format to │
the '/etc/openldap/cacerts' directory. │
Then press OK. │
│ │
│ ┌────┐ │
│ │ Ok │ │
│ └────┘ │
│ │
│ │
└─────────────────────────────┘
##该警告是因为缺少签发 ldap 服务器证书的 CA 证书,需要从服务器端下载该 CA 证书(PEM 格式)到 /etc/openldap/cacerts 目录下。注意:这个 CA 证书决定了客户端信任哪台 ldap 服务器,而下面是通过明文 http 下载的,路径上的攻击者可以替换它;下载后应与管理员另行提供的证书指纹核对(例如 openssl x509 -noout -fingerprint -sha256 -in example-ca.crt),核对无误后再继续。
[root@desktop19 ~]# cd /etc/openldap/cacerts/
[root@desktop19 cacerts]# wget http://172.25.254.254/pub/example-ca.crt##下载证书
--2016-11-12 20:41:25-- http://172.25.254.254/pub/example-ca.crt
Connecting to 172.25.254.254:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1220 (1.2K)
Saving to: ‘example-ca.crt’
100%[=================================>] 1,220 --.-K/s in 0s
2016-11-12 20:41:25 (273 MB/s) - ‘example-ca.crt’ saved [1220/1220]
[root@desktop19 cacerts]# ls
example-ca.crt
===========以下两步是先将认证关闭,再开启,以便 authconfig 重新读取刚放入 /etc/openldap/cacerts 的 CA 证书并重新生成配置===========
[root@desktop19 cacerts]# authconfig-tui
Authentication Configuration ├───────────┐
│ │
User Information Authentication │
[ ] Cache Information [ ] Use MD5 Passwords │
[ ] Use LDAP [*] Use Shadow Passwords │
[ ] Use NIS [ ] Use LDAP Authentication │
[ ] Use IPAv2 [ ] Use Kerberos │
[ ] Use Winbind [ ] Use Fingerprint reader │
[ ] Use Winbind Authentication │
[*] Local authorization is sufficient │
│ |
│ ┌────────┐ ┌──────┐ │
Cancel │ │ Next │ │
│ └────────┘ └──────┘ │
│ │
│ │
└─────────────────────────────────────┘
[root@desktop19 cacerts]# authconfig-tui
Authentication Configuration ├─────────┐
│ │
User Information Authentication │
[ ] Cache Information [ ] Use MD5 Passwords │
[*] Use LDAP [*] Use Shadow Passwords │
[ ] Use NIS [ ] Use LDAP Authentication │
[ ] Use IPAv2 [*] Use Kerberos │
[ ] Use Winbind [ ] Use Fingerprint reader │
[ ] Use Winbind Authentication │
[*] Local authorization is sufficient │
│ │
│ ┌────────┐ ┌──────┐ |
│ │ Cancel │ │ Next │ │
│ └────────┘ └──────┘ │
│ │
│ │
└────────────────────────────────────────┘
##后续的配置不变
登陆检测:
[root@desktop19 cacerts]# id ldapuser1
uid=1701(ldapuser1) gid=1701(ldapuser1) groups=1701(ldapuser1)
[root@desktop19 cacerts]# getent passwd ldapuser1##如果能显示用户信息,说明客户端已能通过 ldap 查询到该用户的身份信息(NSS 查找成功);这只验证了身份查询,还没有验证 Kerberos 密码认证
ldapuser1:*:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash
[root@desktop19 cacerts]# su - ldapuser1##root 执行 su 不需要输入密码,所以这一步同样只验证身份信息,不验证密码;要验证 Kerberos 认证,需用该用户的密码实际登录(如 ssh)。因为家目录尚不存在,切换后无法在家目录中操作
su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory
mkdir: cannot create directory '/home/guests': Permission denied
-bash-4.2$ whoami
ldapuser1
-bash-4.2$ logout
[root@desktop19 cacerts]#
列出所有用户
[root@localhost ~]# vim /etc/sssd/sssd.conf
16 enumerate = True##注意:该条配置必须写在[domain/default]的下面。enumerate 会让 sssd 定期拉取并缓存整个目录的用户和组,在大目录上开销很大,而且任何本地用户都能用 getent passwd 列出全部账号;生产环境一般保持默认关闭,只在实验需要时打开
[root@localhost ~]# systemctl restart sssd
4.自动挂载用户家目录
[root@desktop19 cacerts]# yum install autofs.x86_64
[root@desktop19 cacerts]# vim /etc/auto.master
14 /home/guests /etc/auto.ldap
[root@desktop19 cacerts]# vim /etc/auto.ldap
1 ldapuser1 172.25.254.254:/home/guests/ldapuser1
或
1 * 172.25.254.254:/home/guests/&
[root@desktop19 cacerts]# systemctl restart autofs
[root@desktop19 cacerts]# systemctl enable autofs
补充:
shell脚本实现该实验:
[root@localhost ~]# vim /mnt/ldapuser_create.sh
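#!/bin/bash
# Configure this host as a client of the lab's LDAP (user identity) and
# Kerberos (password authentication) services through sssd, then set up
# autofs so LDAP users' home directories are mounted from the NFS server.
#
# Mirrors the interactive authconfig-tui steps above. Must run as root.
# Safe to re-run: autofs map entries are only appended when missing.
#
# Fixes against the original script: the missing line continuation after
# --krb5kdc (which split the authconfig command in two, so --enablesssd and
# --update were never applied), the missing spaces in the two autofs map
# entries, and the missing autofs package install.
set -euo pipefail

# Lab values -- adjust for your environment. The server name is partially
# redacted ("***") on the source page; substitute the real host name.
ldap_server="cla***oom.example.com"
ldap_basedn="dc=example,dc=com"
krb5_realm="EXAMPLE.COM"
krb5_kdc="cla***oom.example.com"
krb5_admin="cla***oom.example.com"
ca_url="http://172.25.254.254/pub/example-ca.crt"
nfs_server="172.25.254.254"
home_base="/home/guests"
# Optional: expected SHA-256 hex digest of the CA certificate, obtained out of
# band from the LDAP administrator. Leave empty to skip the check.
ca_sha256="${CA_SHA256:-}"

if [[ "$(id -u)" -ne 0 ]]; then
  printf 'this script must run as root\n' >&2
  exit 1
fi

echo "install software ing ..."
# autofs is restarted below, so install it here too (the manual steps above
# install it separately). Only stdout is silenced so package errors stay visible.
yum install -y sssd krb5-workstation autofs >/dev/null

echo "config ldap auth client ing ..."
# LDAP supplies identities only (--disableldapauth); passwords go to Kerberos.
# --enableldaptls protects the directory traffic; its trust anchor is the CA
# fetched by --ldaploadcacert. NOTE(security): that fetch is cleartext HTTP,
# so an on-path attacker could hand us a CA of their choosing and then
# impersonate the LDAP server. Verify the certificate digest below (or out of
# band) before relying on this client.
authconfig \
  --enableldap \
  --enablekrb5 \
  --disableldapauth \
  --enableldaptls \
  --ldaploadcacert="$ca_url" \
  --ldapserver="$ldap_server" \
  --ldapbasedn="$ldap_basedn" \
  --krb5realm="$krb5_realm" \
  --krb5kdc="$krb5_kdc" \
  --krb5adminserver="$krb5_admin" \
  --enablesssd \
  --enablesssdauth \
  --update

# The manual steps place the CA under /etc/openldap/cacerts; presumably
# --ldaploadcacert stores it there under the URL's basename -- confirm on a
# real host. The check is opt-in (ca_sha256 set) and fails loudly otherwise.
ca_file="/etc/openldap/cacerts/${ca_url##*/}"
if [[ -n "$ca_sha256" ]]; then
  if [[ ! -f "$ca_file" ]]; then
    printf 'CA certificate not found at %s; cannot verify digest\n' "$ca_file" >&2
    exit 1
  fi
  actual_sha256=$(sha256sum -- "$ca_file" | awk '{print $1}')
  if [[ "$actual_sha256" != "$ca_sha256" ]]; then
    printf 'CA certificate digest mismatch for %s (got %s)\n' "$ca_file" "$actual_sha256" >&2
    exit 1
  fi
fi

echo "config ldap user's home directory ing ..."
# Indirect map for home_base; the wildcard entry maps ldapuserN to
# nfs_server:/home/guests/ldapuserN (& is the matched key).
master_entry="$home_base /etc/auto.ldap"
map_entry="* ${nfs_server}:${home_base}/&"
grep -qxF -- "$master_entry" /etc/auto.master \
  || printf '%s\n' "$master_entry" >> /etc/auto.master
touch /etc/auto.ldap
grep -qxF -- "$map_entry" /etc/auto.ldap \
  || printf '%s\n' "$map_entry" >> /etc/auto.ldap
systemctl restart autofs
systemctl enable autofs
echo "all is successfull !!!"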
https://blog.51cto.com/10664148/1876276