LDAP авторизация в Microsoft AD (Разбираемся)
openldap: необходим для выполнения запросов в LDAP
pam: базовый пакет PAM (Pluggable Authentication Module)
nss_ldap: модуль Name Service для выполнения поиска пользователей, групп и т.п. в LDAP (nss_ldap можно не использовать, а создавать пользователей на локальном компьютере самостоятельно)
Server
[root@server ~]# yum install -y \
openldap-clients
Получение информации о пользователе в AD по протоколу LDAP
[root@server ~]# ldapsearch -x -h adserver.test.local -b "dc=test,dc=local" -D "cn=Administrator,cn=Users,dc=test,dc=local" -W "sAMAccountName=user1"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: sAMAccountName=user1
# requesting: ALL
#
# user1 user1, Users, test.local
dn: CN=user1 user1,CN=Users,DC=test,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: user1 user1
sn: user1
givenName: user1
distinguishedName: CN=user1 user1,CN=Users,DC=test,DC=local
instanceType: 4
whenCreated: 20140307205221.0Z
whenChanged: 20140307213548.0Z
displayName: user1 user1
uSNCreated: 13915
uSNChanged: 16414
name: user1 user1
objectGUID:: fULB5V5W+kC8XgL2AL5YQA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 130386992886454064
pwdLastSet: 130386991416334977
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAATVUoJcGW3nmAan4vUwQAAA==
accountExpires: 9223372036854775807
logonCount: 1
sAMAccountName: user1
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=local
msSFU30Name: user1
msSFU30UidNumber: 10001
msSFU30GidNumber: 10001
msSFU30LoginShell: /bin/bash
msSFU30Password: ABCD!efgh12345$67890
msSFU30NisDomain: test
msSFU30HomeDirectory: /home/user1
# search reference
ref: ldap://ForestDnsZones.test.local/DC=ForestDnsZones,DC=test,DC=local
# search reference
ref: ldap://DomainDnsZones.test.local/DC=DomainDnsZones,DC=test,DC=local
# search reference
ref: ldap://test.local/CN=Configuration,DC=test,DC=local
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
=============================================================================
nsswitch.conf
[root@server ~]# cp /etc/nsswitch.conf /etc/nsswitch.conf.orig
[root@server ~]# vi /etc/nsswitch.conf
passwd: files
shadow: files
group: files
меняю на:
passwd: files ldap
shadow: files ldap
group: files ldap
=============================================================================
Installing and configuring nss-pam-ldapd
[root@server ~]# yum install -y nss-pam-ldapd
[root@server ~]# chkconfig nslcd on
[root@server ~]# cp /etc/nslcd.conf /etc/nslcd.conf.orig
[root@server ~]# password=12345
[root@server ~]# cat > /etc/nslcd.conf << EOF
# Remove the comment char at the beginning of two lines below for
# debugging purposes
#logdir /var/log
#debug 1
# You can supply as many servers as you want, but only the
# first one will be asked normally. If the first one doesn't
# answer, the next one will be asked and so on.
uri ldap://adserver.test.local/
# The base DN of your AD domain
base dc=test,dc=local
# The LDAP version to use
ldap_version 3
# If you do not allow anonymous search in your AD domain, please set the right
# user name and password of a user account you'll use to search with.
binddn cn=Administrator,cn=Users,dc=test,dc=local
bindpw ${password}
# It's safe to leave them untouched
scope sub
pagesize 1000
referrals off
# The two lines below describe how a user and a group are searched for in AD
filter passwd (&(objectCategory=user)(msSFU30UidNumber=*))
filter group (&(objectCategory=group)(msSFU30GidNumber=*))
# The lines below describe the mapping of Posix attributes to their analogs in AD
map passwd uid sAMAccountName
map passwd uidNumber msSFU30UidNumber
map passwd homeDirectory msSFU30HomeDirectory
map passwd gecos displayName
map passwd loginShell msSFU30LoginShell
map passwd gidNumber msSFU30GidNumber
map group uniqueMember member
map group gidNumber msSFU30GidNumber
ssl no
tls_cacertdir /etc/openldap/cacerts
EOF
[root@server ~]# service nslcd start
# getent passwd user1
user1:*:10001:10001:user1 user1:/home/user1:/bin/bash
[root@server ~]# getent group unix_users
unix_users:*:10001:
=============================================================================
Installing and configuring PAM to use LDAP
[root@server ~]# yum install -y pam_ldap
[root@server ~]# cp /etc/pam_ldap.conf /etc/pam_ldap.conf.orig
[root@server ~]# password=12345
[root@server ~]# cat > /etc/pam_ldap.conf << EOF
uri ldap://adserver.test.local
base dc=test,dc=local
binddn cn=Administrator,cn=Users,dc=test,dc=local
bindpw ${password}
scope sub
##############################
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_objectclass posixGroup Group
pam_login_attribute msSFU30Name
pam_filter objectclass=User
pam_password ad
###############################
sasl_secprops maxssf=0
EOF
======================================================
configuring PAM subsystem to use AD as user backend.
Note: both /etc/nslcd.conf and /etc/pam_ldap.conf above keep the bind password (`bindpw`) in cleartext, so make sure they are readable by root only (`chmod 600`) and prefer a dedicated read-only bind account over `cn=Administrator`. With `ssl no` the bind credentials (and every user's password check) also cross the network unencrypted; outside a lab use `ldaps://` or `ssl start_tls` with a trusted CA in `tls_cacertdir`. Keep in mind as well that `password=12345` typed at the prompt ends up in the shell history.
[root@server ~]# authconfig --enableldapauth --update
[root@server ~]# authconfig --enablemkhomedir --updateall
======================================================
Client
[root@client ~]# ssh user1@server
user1@server's password:
Creating directory '/home/user1'.
[user1@server ~]$ id
uid=10001(user1) gid=10001(unix_users) groups=10001(unix_users)
Логи можно посмотреть:
[root@server ~]# less /var/log/secure
На виртуальных машинах авторизация проходила достаточно медленно — 30-60 секунд. Если знаете, как ускорить, подскажите мне. Одна из возможных причин — referral'ы, которые AD возвращает на каждый поиск (см. строки `ref:` в выводе ldapsearch выше): в nslcd.conf они отключены (`referrals off`), а в pam_ldap.conf — нет; стоит проверить, помогает ли `referrals no` в /etc/pam_ldap.conf, и заодно убедиться, что DNS на сервере резолвит adserver.test.local без задержек.
Посмотреть:
http://hermannmaurer.blogspot.ru/2012/02/in-this-article-ill-show-you-how-to.html
http://wiki.gentoo.ru/wiki/%D0%90%D1%83%D1%82%D0%B5%D0%BD%D1%82%D0%B8%D1%84%D0%B8%D0%BA%D0%B0%D1%86%D0%B8%D1%8F_%D0%B2_Active_Directory_%D0%B8%D1%81%D0%BF%D0%BE%D0%BB%D1%8C%D0%B7%D1%83%D1%8F_LDAP
http://meinit.nl/user-authentication-centos-6-active-directory-based-hosts-and-groups