OpenLDAP : Configure LDAP Client 2019/07/26
Configure a machine as an LDAP client so that it can use the user account information held on the LDAP server.
[1] Configure the LDAP client.
root@www:~# apt -y install libnss-ldap libpam-ldap ldap-utils

(1) Enter the URI of the LDAP server

 +-----------------------| Configuring libnss-ldap |-------------------------+
 | Please enter the URI of the LDAP server to use. This is a string in the   |
 | form of ldap://<hostname or IP>:<port>/. ldaps:// or ldapi:// can also    |
 | be used. The port number is optional.                                     |
 |                                                                           |
 | Note: It is usually a good idea to use an IP address because it reduces   |
 | risks of failure in the event name service problems.                      |
 |                                                                           |
 | LDAP server Uniform Resource Identifier:                                  |
 |                                                                           |
 | ldap://dlp.srv.world/_________________________________________________    |
 |                                                                           |
 |                                    <Ok>                                   |
 |                                                                           |
 +---------------------------------------------------------------------------+

(2) Enter the distinguished name of the search base

 +-----------------------| Configuring libnss-ldap |-------------------------+
 | Please enter the distinguished name of the LDAP search base. Many sites   |
 | use the components of their domain names for this purpose. For example,  |
 | the domain "example.net" would use "dc=example,dc=net" as the             |
 | distinguished name of the search base.                                    |
 |                                                                           |
 | Distinguished name of the search base:                                    |
 |                                                                           |
 | dc=srv,dc=world_______________________________________________________    |
 |                                                                           |
 |                                    <Ok>                                   |
 |                                                                           |
 +---------------------------------------------------------------------------+

(3) Select the LDAP protocol version (this example selects [3])

 +-----------------------| Configuring libnss-ldap |-------------------------+
 | Please enter which version of the LDAP protocol should be used by         |
 | ldapns. It is usually a good idea to set this to the highest available    |
 | version.                                                                  |
 |                                                                           |
 | LDAP version to use:                                                      |
 |                                                                           |
 |                                     3                                     |
 |                                     2                                     |
 |                                                                           |
 |                                    <Ok>                                   |
 |                                                                           |
 +---------------------------------------------------------------------------+

(4) Enter the distinguished name of the LDAP administrative account

 +-----------------------| Configuring libnss-ldap |-------------------------+
 | Please enter the name of the LDAP administrative account.                 |
 |                                                                           |
 | This account will be used automatically for database management, so it   |
 | must have the appropriate administrative privileges.                      |
 |                                                                           |
 | LDAP administrative account:                                              |
 |                                                                           |
 | cn=admin,dc=srv,dc=world______________________________________________    |
 |                                                                           |
 |                                    <Ok>                                   |
 |                                                                           |
 +---------------------------------------------------------------------------+

(5) Enter the password of the LDAP administrative account

 +-----------------------| Configuring libnss-ldap |-------------------------+
 | Please enter the password to use when ldap-auth-config tries to login to  |
 | the LDAP directory using the LDAP account for root.                       |
 |                                                                           |
 | The password will be stored in a separate file /etc/ldap.secret which     |
 | will be made readable to root only.                                       |
 |                                                                           |
 | Entering an empty password will re-use the old password.                  |
 |                                                                           |
 | LDAP root account password:                                               |
 |                                                                           |
 | _______________________________________________________________________   |
 |                                                                           |
 |                                    <Ok>                                   |
 |                                                                           |
 +---------------------------------------------------------------------------+

(6) [OK]

 +-----------------------| Configuring libnss-ldap |-------------------------+
 |                                                                           |
 | nsswitch.conf not managed automatically                                   |
 |                                                                           |
 | For the libnss-ldap package to work, you need to modify your              |
 | /etc/nsswitch.conf to use the "ldap" datasource. There is an example      |
 | file at /usr/share/doc/libnss-ldap/examples/nsswitch.ldap which can be    |
 | used as an example for your nsswitch setup, or it can be copied over      |
 | your current setup.                                                       |
 |                                                                           |
 | Also, before removing this package, it is wise to remove the "ldap"       |
 | entries from nsswitch.conf to keep basic services functioning.            |
 |                                                                           |
 |                                    <Ok>                                   |
 |                                                                           |
 +---------------------------------------------------------------------------+

(7) As the dialog explains, answer [No] if /etc is mounted over NFS; otherwise [Yes] is fine

 +-----------------------| Configuring libpam-ldap |-------------------------+
 |                                                                           |
 | This option will allow password utilities that use PAM to change local   |
 | passwords.                                                                |
 |                                                                           |
 | The LDAP admin account password will be stored in a separate file which   |
 | will be made readable to root only.                                       |
 |                                                                           |
 | If /etc is mounted by NFS, this option should be disabled.                |
 |                                                                           |
 | Allow LDAP admin account to behave like local root?                       |
 |                                                                           |
 |                         <Yes>              <No>                           |
 |                                                                           |
 +---------------------------------------------------------------------------+

(8) As the dialog explains, [No] is fine in the usual case

 +-----------------------| Configuring libpam-ldap |-------------------------+
 |                                                                           |
 | Choose this option if you are required to login to the database to       |
 | retrieve entries.                                                         |
 |                                                                           |
 | Note: Under a normal setup, this is not needed.                           |
 |                                                                           |
 | Does the LDAP database require login?                                     |
 |                                                                           |
 |                         <Yes>              <No>                           |
 |                                                                           |
 +---------------------------------------------------------------------------+

(9) Enter the distinguished name of the LDAP administrative account

 +-----------------------| Configuring libpam-ldap |-------------------------+
 | Please enter the name of the LDAP administrative account.                 |
 |                                                                           |
 | This account will be used automatically for database management, so it   |
 | must have the appropriate administrative privileges.                      |
 |                                                                           |
 | LDAP administrative account:                                              |
 |                                                                           |
 | cn=admin,dc=srv,dc=world______________________________________________    |
 |                                                                           |
 |                                    <Ok>                                   |
 |                                                                           |
 +---------------------------------------------------------------------------+

(10) Enter the password of the LDAP administrative account

 +-----------------------| Configuring libpam-ldap |-------------------------+
 | Please enter the password of the administrative account.                  |
 |                                                                           |
 | The password will be stored in the file /etc/pam_ldap.secret. This will   |
 | be made readable to root only, and will allow libpam-ldap to carry out    |
 | automatic database management logins.                                     |
 |                                                                           |
 | If this field is left empty, the previously stored password will be       |
 | re-used.                                                                  |
 |                                                                           |
 | LDAP administrative password:                                             |
 |                                                                           |
 | ********______________________________________________________________    |
 |                                                                           |
 |                                    <Ok>                                   |
 |                                                                           |
 +---------------------------------------------------------------------------+

Note: the bind DN from (4)/(9) and the password from (5)/(10) are written to /etc/ldap.secret and /etc/pam_ldap.secret (mode 0600, readable by root only). This places the directory administrator's password on every client that is set up this way. The URI entered in (1) is plain ldap://, so unless STARTTLS is enabled (ssl start_tls in /etc/ldap.conf and /etc/pam_ldap.conf) or an ldaps:// URI is used, that bind and the passwords users type at login cross the network in clear text.
root@www:~# vi /etc/nsswitch.conf
# line 7: add "ldap" to the passwd and group entries
passwd:         compat systemd ldap
group:          compat systemd ldap
shadow:         compat
root@www:~# vi /etc/pam.d/common-password
# line 26: change (remove [use_authtok])
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass
root@www:~# vi /etc/pam.d/common-session
# if needed, add to the last line (create the home directory automatically at login)
session optional        pam_mkhomedir.so skel=/etc/skel umask=077
Debian GNU/Linux 10 www.srv.world ttyS0

www login: buster          # a user registered in LDAP
Password:
Linux www.srv.world 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5 (2019-06-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Creating directory '/home/buster'.
buster@www:~$              # logged in

# changing the password works as usual
buster@www:~$ passwd
Enter login(LDAP) password:    # current password
New password:                  # new password
Re-enter new password:
LDAP password information changed for buster
passwd: password updated successfully
buster@www:~$              # changed
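After the steps above, the following script checks that the pieces actually fit together: nsswitch.conf lists the ldap source, the stored bind-password files are readable by owner only, the configured URI/TLS settings keep the bind password off the wire, and the pam_ldap.so line in common-password has lost use_authtok. This is an added example, not code from the original page or from Debian; the script name ldap-client-audit.sh, the file paths /etc/ldap.conf and /etc/pam_ldap.conf, and the PADL-style keys uri, ssl start_tls and tls_cacertfile are assumptions about the Debian libnss-ldap/libpam-ldap packages, and the sample config files written by demo() are constructed for the demonstration.

```shell
#!/bin/sh
# ldap-client-audit.sh (hypothetical name) -- added example, not from the original page.
# Sanity checks for the libnss-ldap / libpam-ldap client setup. Debian paths and the
# PADL-style ldap.conf keys (uri, ssl, tls_cacertfile) are assumptions; adjust elsewhere.

# nss_has_ldap FILE DB -> 0 if the "DB:" line of an nsswitch.conf lists the ldap source
nss_has_ldap() {
    awk -v db="$2" '$1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
                    END { exit (found ? 0 : 1) }' "$1"
}

# secret_is_owner_only FILE -> 0 if the file exists with mode 0600 (owner read/write only)
secret_is_owner_only() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ]
}

# conf_value FILE KEY -> prints the value of KEY from a PADL-style ldap.conf (case-insensitive key)
conf_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# bind_is_protected FILE -> 0 if the bind password will not travel in clear text:
# ldaps:// or ldapi:// URI, or a plain ldap:// URI combined with "ssl start_tls"
bind_is_protected() {
    case "$(conf_value "$1" uri)" in
        ldaps://*|ldapi://*) return 0 ;;
    esac
    [ "$(conf_value "$1" ssl)" = "start_tls" ]
}

# pam_ldap_no_use_authtok FILE -> 0 if a pam_ldap.so password line exists and lacks use_authtok
pam_ldap_no_use_authtok() {
    grep -E '^password[[:space:]]' "$1" | grep -q 'pam_ldap\.so' || return 1
    ! grep -E '^password[[:space:]]' "$1" | grep 'pam_ldap\.so' | grep -q use_authtok
}

# demo -> 0 when every check gives the expected answer on constructed sample files:
# the "weak" ldap.conf is the plain ldap:// URI from the dialog; "hardened" adds STARTTLS
demo() {
    d=$(mktemp -d) || return 1
    printf 'passwd: compat systemd ldap\ngroup: compat systemd ldap\nshadow: compat\n' > "$d/nsswitch.conf"
    printf 'uri ldap://dlp.srv.world/\nbase dc=srv,dc=world\nldap_version 3\nrootbinddn cn=admin,dc=srv,dc=world\n' > "$d/ldap-weak.conf"
    { cat "$d/ldap-weak.conf"; printf 'ssl start_tls\ntls_cacertfile /etc/ssl/certs/ca-certificates.crt\n'; } > "$d/ldap-hardened.conf"
    printf 'password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass\n' > "$d/common-password.before"
    printf 'password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass\n' > "$d/common-password.after"
    printf 'secret\n' > "$d/ldap.secret"; chmod 600 "$d/ldap.secret"
    rc=0
    nss_has_ldap "$d/nsswitch.conf" passwd              || rc=1   # expected: ldap listed
    nss_has_ldap "$d/nsswitch.conf" shadow              && rc=1   # expected: not listed
    secret_is_owner_only "$d/ldap.secret"               || rc=1
    bind_is_protected "$d/ldap-weak.conf"               && rc=1   # plain ldap://, no TLS
    bind_is_protected "$d/ldap-hardened.conf"           || rc=1
    pam_ldap_no_use_authtok "$d/common-password.before" && rc=1
    pam_ldap_no_use_authtok "$d/common-password.after"  || rc=1
    rm -rf "$d"
    return $rc
}

# audit_system -> runs the same checks against the live Debian files, one result line each
audit_system() {
    rc=0
    for db in passwd group; do
        nss_has_ldap /etc/nsswitch.conf "$db" && echo "ok   nsswitch $db uses ldap" || { echo "FAIL nsswitch $db lacks ldap"; rc=1; }
    done
    for f in /etc/ldap.secret /etc/pam_ldap.secret; do
        secret_is_owner_only "$f" && echo "ok   $f is 0600" || { echo "FAIL $f missing or not 0600"; rc=1; }
    done
    for f in /etc/ldap.conf /etc/pam_ldap.conf; do
        bind_is_protected "$f" && echo "ok   $f bind is TLS-protected" || { echo "WARN $f binds over plain ldap:// without start_tls"; rc=1; }
    done
    pam_ldap_no_use_authtok /etc/pam.d/common-password && echo "ok   common-password: use_authtok removed" \
        || { echo "FAIL common-password still has use_authtok (or no pam_ldap.so line)"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--system" ]; then audit_system; fi
```

Run `sh ldap-client-audit.sh --system` as root on the client after finishing the steps above; a non-zero exit means at least one check failed. The WARN on plain ldap:// is expected with the configuration exactly as shown on this page and goes away once start_tls or ldaps:// is configured in both files.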