OpenLDAP : LDAPクライアントの設定 (AD)2019/04/25 |
|
LDAP サーバーが Windows Active Directory である場合の LDAP クライアントの設定です。
|
|
| [1] | |
| [2] | OpenLDAP クライアントをインストールして設定します。 |
|
root@www:~#
apt -y install libnss-ldap libpam-ldap ldap-utils (1) AD の URIを指定 +---------------------| Configuring ldap-auth-config |----------------------+ | Please enter the URI of the LDAP server to use. This is a string in the | | form of ldap://<hostname or IP>:<port>/. ldaps:// or ldapi:// can also | | be used. The port number is optional. | | | | Note: It is usually a good idea to use an IP address because it reduces | | risks of failure in the event name service problems. | | | | LDAP server Uniform Resource Identifier: | | | | ldap://fd3s.srv.world/_________________________________________________ | | | | <Ok> | | | +---------------------------------------------------------------------------+ (2) 識別名を指定 +---------------------| Configuring ldap-auth-config |----------------------+ | Please enter the distinguished name of the LDAP search base. Many sites | | use the components of their domain names for this purpose. For example, | | the domain "example.net" would use "dc=example,dc=net" as the | | distinguished name of the search base. | | | | Distinguished name of the search base: | | | | dc=srv,dc=world_______________________________________________________ | | | | <Ok> | | | +---------------------------------------------------------------------------+ (3) LDAPバージョンを指定 ([3] で OK) +---------------------| Configuring ldap-auth-config |---------------------+ | Please enter which version of the LDAP protocol should be used by | | ldapns. It is usually a good idea to set this to the highest available | | version. | | | | LDAP version to use: | | | | 3 | | 2 | | | | | | <Ok> | | | +--------------------------------------------------------------------------+ (4) 説明にあるように /etc を NFSマウントしている等であれば [No] だが通常は [Yes] で OK +---------------------| Configuring ldap-auth-config |----------------------+ | | | This option will allow you to make password utilities that use pam to | | behave like you would be changing local passwords. | | | | The password will be stored in a separate file which will be made | | readable to root only. | | | | If you are using NFS mounted /etc or any other custom setup, you should | | disable this. | | | | Make local root Database admin: | | | | <Yes> <No> | | | +---------------------------------------------------------------------------+ (5) 説明にあるように 通常は [No] で OK
+-------------------| Configuring ldap-auth-config |-------------------+
| |
| Choose this option if you are required to login to the database to |
| retrieve entries. |
| |
| Note: Under a normal setup, this is not needed. |
| |
| Does the LDAP database require login? |
| |
| <Yes> <No> |
| |
+----------------------------------------------------------------------+
(6) 指定不要 そのまま続行で OK (後で無効化するパラメーター)
+-------------| Configuring ldap-auth-config |-------------+
| This account will be used when root changes a password. |
| |
| Note: This account has to be a privileged account. |
| |
| LDAP account for root: |
| |
| cn=admin,dc=srv,dc=world_____________________________ |
| |
| <Ok> |
| |
+----------------------------------------------------------+
(7) 適当に入力で OK (使用しないパラメーター) +---------------------| Configuring ldap-auth-config |----------------------+ | Please enter the password to use when ldap-auth-config tries to login to | | the LDAP directory using the LDAP account for root. | | | | The password will be stored in a separate file /etc/ldap.secret which | | will be made readable to root only. | | | | Entering an empty password will re-use the old password. | | | | LDAP root account password: | | | | _________________________________________________________________________ | | | | <Ok> | | | +---------------------------------------------------------------------------+
root@www:~#
vi /etc/nsswitch.conf # 7行目:追記 passwd: compat systemd ldap group: compat systemd ldap shadow: compat
root@www:~#
vi /etc/pam.d/common-password # 26行目:変更 ( [use_authtok] を削除 ) password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
root@www:~#
vi /etc/pam.d/common-session # 必要があれば、最終行に追記 (ログイン時にホームディレクトリを自動作成) session optional pam_mkhomedir.so skel=/etc/skel umask=077
root@www:~#
vi /etc/ldap.conf # 43行目:コメント解除して [1] で AD 側に追加した接続用ユーザーの Suffix を追記
binddn cn=ldapusers,cn=Users,dc=srv,dc=world
# 47行目:コメント解除して [1] で AD 側に追加した接続用ユーザーのパスワードを追記
bindpw password
# 52行目:コメントにする # rootbinddn cn=manager,dc=example,dc=com
# 223-232行目:全行コメント解除 # RFC 2307 (AD) mappings nss_map_objectclass posixAccount user nss_map_objectclass shadowAccount user nss_map_attribute uid sAMAccountName nss_map_attribute homeDirectory unixHomeDirectory nss_map_attribute shadowLastChange pwdLastSet nss_map_objectclass posixGroup group nss_map_attribute uniqueMember member pam_login_attribute sAMAccountName pam_filter objectclass=User pam_password ad
root@www:~#
# [1] で AD 側で UNIX 属性を追加したユーザーが参照可能か確認 root@www:~# id Redstone uid=5002(Redstone) gid=100(users) groups=100(users) # AD ユーザーでローカルホストに認証可能か確認 root@www:~# ssh Redstone@localhost The authenticity of host 'localhost (::1)' can't be established. ECDSA key fingerprint is SHA256:84c3JIdg+sQLmqD4DZDcNtKU74qfpRuxOXzE9Efgf2g. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts. Redstone@localhost's password: Creating directory '/home/Redstone'. Welcome to Ubuntu 19.04 (GNU/Linux 5.0.0-13-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Redstone@www:~$ Redstone@www:~$ id uid=5002(Redstone) gid=100(users) groups=100(users) |
| Sponsored Link |