##############################
##### unit8.ldap网络帐号 ######
##############################
 
 
####1.ldap是什么####
ldap(目录服务)用于集中记录帐号等数据并提供认证,与windows活动目录类似
 
####2.ldap客户端所需软件####
[root@desktop19 ~]# yum install sssd krb5-workstation -y
 
####3.如何开启ldap用户认证####
[root@desktop19 ~]# id ldapuser1##查看ldapuser1用户,此时并没有该用户
id: ldapuser1: no such user
[root@desktop19 ~]# authconfig-tui
 
Authentication Configuration ├─────────┐
     │                                                                    │ 
     │  User Information        Authentication                            │ 
     │  [ ] Cache Information   [ ] Use MD5 Passwords                      │ 
     │  [*] Use LDAP           [*] Use Shadow Passwords                    │ 
     │  [ ] Use NIS             [ ] Use LDAP Authentication                  │ 
     │  [ ] Use IPAv2           [*] Use Kerberos                            │ 
     │  [ ] Use Winbind         [ ] Use Fingerprint reader                    │ 
     │                          [ ] Use Winbind Authentication              │ 
     │                         [*] Local authorization is sufficient     │ 
     │                                                                    │ 
     │            ┌────────┐                      ┌──────┐          │ 
     │            │ Cancel  │                       │ Next   │          │ 
     │            └────────┘                      └──────┘          │ 
     │                                                                    │ 
     │                                                                    │ 
     └───────────────────────────────────────—┘ 
LDAP Settings ├────────—┐
            │                                                      │ 
            │          [*] Use TLS                                │ 
            │  Server: ldap://cla***oom.example.com/___________     │ 
            │ Base DN: dc=example,dc=com_______________________ │ 
            │                                                   │ 
            │         ┌──────┐                ┌──────┐          │ 
            │         │ Back  │                │ Next  │         │ 
            │         └──────┘                └──────┘             │ 
            │                                                       │ 
            │                                                   │ 
            └───────────────────────────────────┘ 
Kerberos Settings ├─────────┐
          │                                                        │ 
          │        Realm: EXAMPLE.COM_____________________________ │ 
          │          KDC: cla***oom.example.com___________________ │ 
          │ Admin Server: cla***oom.example.com___________________    │ 
[ ] Use DNS to resolve hosts to realms   │ 
[ ] Use DNS to locate KDCs for realms    │ 
          │                                                        │ 
          │          ┌──────┐                    ┌────┐            │ 
          │          │ Back │                    │ Ok │            │ 
          │          └──────┘                    └────┘            │ 
          │                                                        │ 
          │                                                        │ 
          └────────────────────────────────────┘ 
Warning ├───────┐
            │                                            │ 
To connect to a LDAP server with TLS      │ 
protocol enabled you need a CA certificate │ 
which signed your server's certificate.    │ 
Copy the certificate in the PEM format to  │ 
the '/etc/openldap/cacerts' directory.     │ 
Then press OK.                            │ 
            │                                            │ 
            │                  ┌────┐                  │ 
            │                  │ Ok   │                   │ 
            │                  └────┘                   │ 
            │                                            │ 
            │                                            │ 
            └─────────────────────────────┘ 
##该警告界面是因为tls的证书缺失,需要到服务器端下载所需要的证书到/etc/openldap/cacerts下
[root@desktop19 ~]# cd /etc/openldap/cacerts/
[root@desktop19 cacerts]# wget http://172.25.254.254/pub/example-ca.crt##下载证书
--2016-11-12 20:41:25--  http://172.25.254.254/pub/example-ca.crt
Connecting to 172.25.254.254:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1220 (1.2K)
Saving to: ‘example-ca.crt’
 
100%[=================================>] 1,220       --.-K/s   in 0s      
 
2016-11-12 20:41:25 (273 MB/s) - ‘example-ca.crt’ saved [1220/1220]
 
[root@desktop19 cacerts]# ls
example-ca.crt
===========以下两步是先将认证关闭,再开启===========
[root@desktop19 cacerts]# authconfig-tui
 
Authentication Configuration ├───────────┐
     │                                                                 │ 
User Information        Authentication                         │ 
[ ] Cache Information   [ ] Use MD5 Passwords                  │ 
[ ] Use LDAP            [*] Use Shadow Passwords               │ 
[ ] Use NIS             [ ] Use LDAP Authentication            │ 
[ ] Use IPAv2           [ ] Use Kerberos                       │ 
[ ] Use Winbind         [ ] Use Fingerprint reader             │ 
[ ] Use Winbind Authentication         │ 
[*] Local authorization is sufficient  │ 
     │                                                                   | 
     │            ┌────────┐                      ┌──────┐    │ 
Cancel │                       │ Next │   │ 
     │            └────────┘                      └──────┘    │ 
     │                                                                 │ 
     │                                                                │ 
     └─────────────────────────────────────┘ 
[root@desktop19 cacerts]# authconfig-tui
 
Authentication Configuration ├─────────┐
     │                                                                 │ 
User Information        Authentication                           │ 
[ ] Cache Information   [ ] Use MD5 Passwords                    │ 
[*] Use LDAP            [*] Use Shadow Passwords               │ 
[ ] Use NIS             [ ] Use LDAP Authentication              │ 
[ ] Use IPAv2           [*] Use Kerberos                         │ 
[ ] Use Winbind         [ ] Use Fingerprint reader               │ 
[ ] Use Winbind Authentication           │ 
[*] Local authorization is sufficient  │ 
     │                                                                 │ 
     │            ┌────────┐                      ┌──────┐          |
     │            │ Cancel │                       │ Next   │          │ 
     │            └────────┘                      └──────┘          │ 
     │                                                                    │ 
     │                                                                    │ 
     └────────────────────────────────────────┘ 
##后续的配置不变
 
登陆检测:
[root@desktop19 cacerts]# id ldapuser1
uid=1701(ldapuser1) gid=1701(ldapuser1) groups=1701(ldapuser1)
[root@desktop19 cacerts]# getent passwd ldapuser1##如果用户信息可以正常显示,证明客户端认证成功
ldapuser1:*:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash
[root@desktop19 cacerts]# su - ldapuser1##可以切换到该用户,但因为没有家目录,所以不能进行操作
su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory
mkdir: cannot create directory '/home/guests': Permission denied
-bash-4.2$ whoami
ldapuser1
-bash-4.2$ logout
[root@desktop19 cacerts]# 
 
列出所有用户
[root@localhost ~]# vim /etc/sssd/sssd.conf 
 16 enumerate = True##注意:该条配置必须写在[domain/default]的下面
[root@localhost ~]# systemctl restart sssd
 
4.自动挂载用户家目录
[root@desktop19 cacerts]# yum install autofs.x86_64 
[root@desktop19 cacerts]# vim /etc/auto.master
 14 /home/guests    /etc/auto.ldap
 
[root@desktop19 cacerts]# vim /etc/auto.ldap
  1 ldapuser1       172.25.254.254:/home/guests/ldapuser1
或
  1 *    172.25.254.254:/home/guests/&
 
[root@desktop19 cacerts]# systemctl restart autofs
[root@desktop19 cacerts]# systemctl enable autofs
 
 
 
 
 
补充:
shell脚本实现该实验:
[root@localhost ~]# vim /mnt/ldapuser_create.sh
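#!/bin/bash
# Configure this host as an LDAP/Kerberos network-account client (sssd) and
# auto-mount the users' home directories from the NFS server.
# Scripted form of the authconfig-tui walkthrough above; must run as root.
set -euo pipefail

# Values taken from the lab environment shown in the authconfig-tui screens.
readonly CA_URL="http://172.25.254.254/pub/example-ca.crt"
readonly LDAP_SERVER="cla***oom.example.com"
readonly BASE_DN="dc=example,dc=com"
readonly KRB_REALM="EXAMPLE.COM"
readonly NFS_SERVER="172.25.254.254"
readonly HOME_BASE="/home/guests"
readonly AUTOFS_MAP="/etc/auto.ldap"

echo "install software ing ..."
# autofs is needed for the home-directory step below; the manual walkthrough
# installed it separately (yum install autofs), the original script did not.
yum install sssd krb5-workstation autofs -y &> /dev/null \
  || { echo "yum install failed" >&2; exit 1; }

echo "config ldap auth client ing ..."
# NOTE: the CA certificate is fetched over plain http; compare its fingerprint
# with a trusted copy before relying on TLS to the LDAP server.
# Identity comes from LDAP, authentication from Kerberos (--disableldapauth).
# The original listing lacked the line-continuation after --krb5kdc, so
# --krb5adminserver ... --update ran as a separate, failing command.
authconfig \
  --enableldap \
  --enablekrb5 \
  --disableldapauth \
  --enableldaptls \
  --ldaploadcacert="$CA_URL" \
  --ldapserver="$LDAP_SERVER" \
  --ldapbasedn="$BASE_DN" \
  --krb5realm="$KRB_REALM" \
  --krb5kdc="$LDAP_SERVER" \
  --krb5adminserver="$LDAP_SERVER" \
  --enablesssd \
  --enablesssdauth \
  --update

echo "config ldap user's home directory ing ..."
# Master map entry: mount point and map file must be separated by whitespace
# (the original wrote them as one path). Skip if already present so the
# script can be re-run without duplicating entries.
grep -q "^${HOME_BASE}[[:space:]]" /etc/auto.master 2>/dev/null \
  || printf '%s\t%s\n' "$HOME_BASE" "$AUTOFS_MAP" >> /etc/auto.master
# Wildcard map: "*" and the NFS path must also be separated by whitespace
# (the original glued them together as "*172.25...").
grep -qF -- "${NFS_SERVER}:${HOME_BASE}/&" "$AUTOFS_MAP" 2>/dev/null \
  || printf '%s\t%s\n' '*' "${NFS_SERVER}:${HOME_BASE}/&" >> "$AUTOFS_MAP"
systemctl restart autofs
systemctl enable autofs
echo "all is successfull !!!"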

 

 

https://blog.51cto.com/10664148/1876276