本文详细介绍了在Ubuntu 8.04 Hardy系统中配置LDAP客户端的过程,包括安装必要的软件包、配置文件调整及NFS挂载设置等步骤。
Ubuntu 8.04 下配置LDAP客戶端簡直是個噩夢, 這在CentOS 5.1下本是一件非常輕松的事情. 要是網上沒有找到這篇文章, 估計我這輩子就別想配置成功了. 不過看原文中說的, 7.10似乎還要噩夢.
有些地方當然要修改成與自己服務器對應的設置, 另外, 我這裡有個小小的區別是: 注釋掉了/etc/ldap.conf中的ssl start_tls一行. 不是很明白什麼意思, 大概我的服務器沒有開啟SSL支持吧(事實上確實沒開啟^ ^)
Ubuntu 8.04 Hardy LDAP Client
[url]http://linuxadministration.us/2008/05/17/ubuntu-804-hardy-ldap-client/[/url]
Ubuntu 7.10 was a nightmare when it came to setting up ldap, but 8.04 improves this process quite a bit.
We are going to set up a Hardy client on a desktop machine, which involves using NFS (for /home) and allowing all desktop users to do desktop tasks.
[code]
apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nfs-common nscd
[/code]
Answer the questions; unlike Debian they should actually be put in the configuration file.
Make sure to transfer over your certifiate if you use SSL. I like to use /etc/ldap/ssl
Edit /etc/ldap.conf (which both libnss and libpam use).
[code]
host 192.168.1.1
base dc=example,dc=com
#This is important! Don’t use ldap:///192.168.1.1
uri ldap://example.com/
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com
port 389
bind_policy soft
pam_password crypt
ssl start_tls
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/cert.pem
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,polkituser,proxy,pulse,root,sync,sys,syslog,uucp,www-data
[/code]
Now edit /etc/ldap/ldap.conf
[code]
BASE dc=example,dc=com
URI ldap://example.com
TLS_CACERT /etc/ldap/ssl/cert.pem
TLS_REQCERT never
[/code]
/etc/pam.d/common-account
[code]
account sufficient pam_ldap.so
account required pam_unix.so
[/code]
/etc/pam.d/common-auth
[code]
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
[/code]
/etc/pam.d/common-password
[code]
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
[/code]
/etc/pam.d/common-session
[code]
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so
[/code]
/etc/nsswitch.conf
[code]
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
[/code]
Now we want to make sure users are assigned to the correct groups when they log in, so add the following to /etc/security/groups.conf
[code]
gdm;*;*;Al0000-9000;floppy,audio,cdrom,video,plugdev,scanner
[/code]
Hal does not recognize this, however, so delete the following entries from /etc/dbus-1/system.d/hal.conf
[code]
<deny send_interface=”org.freedesktop.Hal.Device.Volume”/>
<deny send_interface=”org.freedesktop.Hal.Device.Volume.Crypto”/>
[/code]
We need to edit /etc/pam.d/gdm for the groups.conf file to take effect, so add the following
[code]
auth optional pam_group.so
[/code]
As root, run
[code]
nss_updatedb ldap
[/code]
To mount /home over NFS, add the following to /etc/fstab
[code]
192.168.1.1:/home /home nfs defaults 0 0
[/code]
有些地方當然要修改成與自己服務器對應的設置, 另外, 我這裡有個小小的區別是: 注釋掉了/etc/ldap.conf中的ssl start_tls一行. 不是很明白什麼意思, 大概我的服務器沒有開啟SSL支持吧(事實上確實沒開啟^ ^)
Ubuntu 8.04 Hardy LDAP Client
[url]http://linuxadministration.us/2008/05/17/ubuntu-804-hardy-ldap-client/[/url]
Ubuntu 7.10 was a nightmare when it came to setting up ldap, but 8.04 improves this process quite a bit.
We are going to set up a Hardy client on a desktop machine, which involves using NFS (for /home) and allowing all desktop users to do desktop tasks.
[code]
apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nfs-common nscd
[/code]
Answer the questions; unlike Debian they should actually be put in the configuration file.
Make sure to transfer over your certifiate if you use SSL. I like to use /etc/ldap/ssl
Edit /etc/ldap.conf (which both libnss and libpam use).
[code]
host 192.168.1.1
base dc=example,dc=com
#This is important! Don’t use ldap:///192.168.1.1
uri ldap://example.com/
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com
port 389
bind_policy soft
pam_password crypt
ssl start_tls
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/cert.pem
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,polkituser,proxy,pulse,root,sync,sys,syslog,uucp,www-data
[/code]
Now edit /etc/ldap/ldap.conf
[code]
BASE dc=example,dc=com
URI ldap://example.com
TLS_CACERT /etc/ldap/ssl/cert.pem
TLS_REQCERT never
[/code]
/etc/pam.d/common-account
[code]
account sufficient pam_ldap.so
account required pam_unix.so
[/code]
/etc/pam.d/common-auth
[code]
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
[/code]
/etc/pam.d/common-password
[code]
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
[/code]
/etc/pam.d/common-session
[code]
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so
[/code]
/etc/nsswitch.conf
[code]
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
[/code]
Now we want to make sure users are assigned to the correct groups when they log in, so add the following to /etc/security/groups.conf
[code]
gdm;*;*;Al0000-9000;floppy,audio,cdrom,video,plugdev,scanner
[/code]
Hal does not recognize this, however, so delete the following entries from /etc/dbus-1/system.d/hal.conf
[code]
<deny send_interface=”org.freedesktop.Hal.Device.Volume”/>
<deny send_interface=”org.freedesktop.Hal.Device.Volume.Crypto”/>
[/code]
We need to edit /etc/pam.d/gdm for the groups.conf file to take effect, so add the following
[code]
auth optional pam_group.so
[/code]
As root, run
[code]
nss_updatedb ldap
[/code]
To mount /home over NFS, add the following to /etc/fstab
[code]
192.168.1.1:/home /home nfs defaults 0 0
[/code]
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
