【指导】LDAP 与 linux login users 集成
来源:互联网 发布:meta分析怎么提取数据 编辑:程序博客网 时间:2024/06/05 11:07
源自:https://www.digitalocean.com/community/tutorials/how-to-authenticate-client-computers-using-ldap-on-an-ubuntu-12-04-vps
In this article, we will discuss how to configure a client machine to remotely authenticate with that server for various services.
Install Client Packages
On the client machine, you will needs to install a few packages to make authentication function correctly with an LDAP server:
sudo apt-get updatesudo apt-get install libpam-ldap nscd
You will be asked a variety of questions similar to the those asked when you were installing the server components.
LDAP server Uniform Resource Identifier: ldap://LDAP-server-IP-Address
- Change the initial string from "ldapi:///" to "ldap://" before inputing your server's information
Distinguished name of the search base:
- This should match the value you put in your LDAP server's
/etc/phpldapadmin/config.php
file. - Search for: " 'server','base',array " within the file.
- Our example was "dc=test,dc=com"
- This should match the value you put in your LDAP server's
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root:
- This should also match the value in your
/etc/phpldapadmin/config.php
. - Search for: " 'login','bind_id' " within the file
- Our example was "cn=admin,dc=test,dc=com"
- This should also match the value in your
LDAP root account password: Your-LDAP-root-password
If you make a mistake and need to change a value, you can go through the menu again by issuing this command:
sudo dpkg-reconfigure ldap-auth-config
Configure Client Software
We have to adjust a few files to tell our authentication files that they can look to our LDAP server for authentication information.
First, edit the /etc/nsswitch.conf
file. This will allow us to specify that the LDAP credentials should be modified when users issue authentication change commands.
sudo nano /etc/nsswitch.conf
The three lines we are interested in are the "passwd", "group", and "shadow" definitions. Modify them to look like this:
passwd: ldap compatgroup: ldap compatshadow: ldap compat
Next, we will add a value to our PAM configuration.
PAM, or Pluggable Authentication Modules, is a system that connects applications that can provide authentication to applications that require authentication.
PAM is already implemented on most computers, and works behind the scenes without needing user interaction. When we installed and configured our LDAP PAM module, most of the needed information was added to the configuration files.
Edit the /etc/pam.d/common-session
file:
sudo nano /etc/pam.d/common-session
Add a line to the bottom of the configuration that reads:
session required pam_mkhomedir.so skel=/etc/skel umask=0022
This will create a home directory on the client machine when an LDAP user logs in who does not have a home directory.
We have to restart a service for these changes to be implemented:
sudo /etc/init.d/nscd restart
Permissions
During the LDAP server configuration, we created a group called "admin". This was not chosen at random. It coincides with the "admin" group that is created by default on Ubuntu machines.
The LDAP users that you added to the "admin" group will have access to the sudo
command.
This is because we have a line that gives members of the "admin" group sudo access within the/etc/sudoers
file. Edit the file by issuing this command:
sudo visudo
There is a line that reads:
%admin ALL=(ALL) ALL
Entries that begin with a percentage sign (%) specify a group instead of a user. If you wish to disable this functionality, or only grant specific users this functionality, comment out this line:
#%admin ALL=(ALL) ALL
Log In as an LDAP User
We have now configured our client machine enough to be able to log in as one of our LDAP users. This user does not have to exist on the client machine.
In a new terminal window (it is best to keep your original terminal window logged in, in case of a configuration mistake), ssh into the client machine using an LDAP user's credentials:
ssh LDAP_user@LDAP_client_IP_Address
You should be able to log in as if your user had been created locally. Issue the print working directory command:
pwd
You should see that the home directory you selected for your user on the LDAP server is being used on this machine. It has been created on-demand to serve the LDAP user.
If you log out and log in with a different LDAP user, you can see that there will be two home directory entries:
ls /home
user1 user2
If your user is part of the "admin" group and you didn't disable the ability in the previous section, you will have normal sudo access, otherwise, you will not.
If you issue the passwd
command to change your password, you can see that it will be modifying your LDAP credentials:
passwd
Enter login(LDAP) password:
- 【指导】LDAP 与 linux login users 集成
- WebLogic 与LDAP集成
- ldap login (cgi)
- (原创)Ldap与JetSpeed2集成部署
- (原创)Ldap与JetSpeed2集成部署
- LDAP 与各系统的集成
- Linux的Login Shell与Non-Login Shell
- (原创)LDAP与CAS单点登录集成
- Lotus的JAVA与DOMINO通过LDAP集成方法
- Lotus的JAVA与DOMINO通过LDAP集成方法!
- Apache2.2.6 + SVN 1.4.3 与LDAP集成问题
- PHP Record the number of login users
- QC集成LDAP指南
- impala集成LDAP
- hive集成LDAP
- LDAP集成SSL/TLS
- gitlab集成ldap配置
- Hibernate与Spring集成时配制SessionFactory的指导原则
- hdu ---2034做题笔记(c++)
- NOIP 2013 车站分级
- EditText
- 联系人快速索引
- Java 使用Redis缓存工具的图文详细方法
- 【指导】LDAP 与 linux login users 集成
- Android SDK 目录结构以及工具介绍
- Unity默认目录(中英文对照)
- self
- UICollectionView 设置section的背景色
- RatingBar
- 数据结构基础之数组实现线性表各种操作(二)
- MPI_Send和MPI_Recv影响下程序的执行顺序是怎样的?
- Android性能优化之常见的内存泄漏