OpenLDAP : Configure LDAP Client (AD)2020/05/11 |
|
Configure LDAP Client for the case LDAP Server is Windows Active Directory.
|
|
| [1] | |
| [2] | Install OpenLDAP Client. |
|
root@node01:~#
apt -y install libnss-ldap libpam-ldap ldap-utils (1) specify AD server's URI +---------------------| Configuring ldap-auth-config |----------------------+ | Please enter the URI of the LDAP server to use. This is a string in the | | form of ldap://<hostname or IP>:<port>/. ldaps:// or ldapi:// can also | | be used. The port number is optional. | | | | Note: It is usually a good idea to use an IP address because it reduces | | risks of failure in the event name service problems. | | | | LDAP server Uniform Resource Identifier: | | | | ldap://fd3s.srv.world/_________________________________________________ | | | | <Ok> | | | +---------------------------------------------------------------------------+ (2) specify suffix +---------------------| Configuring ldap-auth-config |----------------------+ | Please enter the distinguished name of the LDAP search base. Many sites | | use the components of their domain names for this purpose. For example, | | the domain "example.net" would use "dc=example,dc=net" as the | | distinguished name of the search base. | | | | Distinguished name of the search base: | | | | dc=srv,dc=world_______________________________________________________ | | | | <Ok> | | | +---------------------------------------------------------------------------+ (3) specify LDAP version (generally OK to select Version [3]) +---------------------| Configuring ldap-auth-config |---------------------+ | Please enter which version of the LDAP protocol should be used by | | ldapns. It is usually a good idea to set this to the highest available | | version. | | | | LDAP version to use: | | | | 3 | | 2 | | | | | | <Ok> | | | +--------------------------------------------------------------------------+ (4) select the one you like. (this example selects [Yes]) +---------------------| Configuring ldap-auth-config |----------------------+ | | | This option will allow you to make password utilities that use pam to | | behave like you would be changing local passwords. | | | | The password will be stored in a separate file which will be made | | readable to root only. | | | | If you are using NFS mounted /etc or any other custom setup, you should | | disable this. | | | | Make local root Database admin: | | | | <Yes> <No> | | | +---------------------------------------------------------------------------+ (5) select the one you like. (this example selects [No]) +-------------------| Configuring ldap-auth-config |-------------------+ | | | Choose this option if you are required to login to the database to | | retrieve entries. | | | | Note: Under a normal setup, this is not needed. | | | | Does the LDAP database require login? | | | | <Yes> <No> | | | +----------------------------------------------------------------------+
root@node01:~#
vi /etc/nsswitch.conf # line 7: add passwd: files systemd ldap group: files systemd ldap shadow: files
root@node01:~#
vi /etc/pam.d/common-password # line 26: change ( remove [use_authtok] ) password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
root@node01:~#
vi /etc/pam.d/common-session # add to the end if need (create home directory automatically at initial login) session optional pam_mkhomedir.so skel=/etc/skel umask=077
root@node01:~#
vi /etc/ldap.conf # line 44: add a user's Suffix (the user is for connection user of AD and Linux, you added in [1] section)
binddn cn=ldapusers,cn=Users,dc=srv,dc=world
# line 48: add password of the user above
bindpw password
# line 223-232: uncomment all # RFC 2307 (AD) mappings nss_map_objectclass posixAccount user nss_map_objectclass shadowAccount user nss_map_attribute uid sAMAccountName nss_map_attribute homeDirectory unixHomeDirectory nss_map_attribute shadowLastChange pwdLastSet nss_map_objectclass posixGroup group nss_map_attribute uniqueMember member pam_login_attribute sAMAccountName pam_filter objectclass=User pam_password ad
root@node01:~#
Ubuntu 20.04 LTS www.srv.world ttyS0 # verisy to login with an AD user that you added UNIX attributes in [1] node01 login: Serverworld Password: Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-26-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Mon 11 May 2020 05:23:54 PM JST System load: 0.41 Processes: 135 Usage of /: 9.0% of 24.54GB Users logged in: 0 Memory usage: 5% IPv4 address for enp1s0: 10.0.0.31 Swap usage: 0% ..... ..... Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Creating directory '/home/Serverworld'. Serverworld@node01:~$ # logined Serverworld@node01:~$ id uid=5000(Serverworld) gid=100(users) groups=100(users) |
| Sponsored Link |