#### 第八单元. ldap网络用户账户 ####
1.LDAP网络用户
ldap目录服务认证,和windows活动目录类似,就是记录数据的一种方式
2.ldap客户端所须软件
yum sssd krb5-wordstation -y
3.如何开启ldap用户认证
authconfig-tui
┌────────────────┤ Authentication Configuration ├─────────────────┐
│ │
│ User Information Authentication │
│ [ ] Cache Information [ ] Use MD5 Passwords │
│ [*] Use LDAP [*] Use Shadow Passwords │
│ [ ] Use NIS [ ] Use LDAP Authentication │
│ [ ] Use IPAv2 [*] Use Kerberos │
│ [ ] Use Winbind [ ] Use Fingerprint reader │
│ [ ] Use Winbind Authentication│
│ [*] Local authorization is sufficient│
│ │
│ ┌────────┐ ┌──────┐ │
│ │ Cancel │ │ Next │ │
│ └────────┘ └──────┘ │
│ │
│ │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────┤ LDAP Settings ├─────────────────┐
│ │
│ [*] Use TLS │
│ Server: ldap://classroom.example.com/___________ │
│ Base DN: dc=example,dc=com_______________________ │
│ │
│ ┌──────┐ ┌──────┐ │
│ │ Back │ │ Next │ │
│ └──────┘ └──────┘ │
│ │
│ │
└───────────────────────────────────────────────────┘
┌─────────────────┤ Kerberos Settings ├──────────────────┐
│ │
│ Realm: EXAMPLE.COM_____________________________ │
│ KDC: classroom.example.com___________________ │
│ Admin Server: classroom.example.com___________________ │
│ [ ] Use DNS to resolve hosts to realms │
│ [ ] Use DNS to locate KDCs for realms │
│ │
│ ┌──────┐ ┌────┐ │
│ │ Back │ │ Ok │ │
│ └──────┘ └────┘ │
│ │
│ │
└────────────────────────────────────────────────────────┘
<当出现以下报错时>
┌────────────────┤ Warning ├─────────────────┐
│ │
│ To connect to a LDAP server with TLS │
│ protocol enabled you need a CA certificate │
│ which signed your server‘s certificate. │
│ Copy the certificate in the PEM format to │
│ the ‘/etc/openldap/cacerts‘ directory. │
│ Then press OK. │
│ │
│ ┌────┐ │
│ │ Ok │ │
│ └────┘ │
│ │
│ │
└────────────────────────────────────────────┘
出现这种情况时 因为tls的证书缺失,需要到服务器端下载所需要的证书到/etc/openldap/cacerts,用到的命令
wget http://172.25.254.254/pub/example-ca.crt
<测试>
getent passwd ldapuser1
如果用户信息可以正常显示,证明客户端认证成功。
列出所有用户
vim /etc/sssd/sssd.conf
enumerate = True
systemctl restart sssd
4.自动挂在用户家目录
yum install autofs -y
vim /etc/autofs.master
/home/guests /etcauto.ldap
vim /etc/auto.ldap
ldapuser1 172.25.254.254:/home/guests/ldapuser1
++++++++++++++++++++++++++++++++++++++++++++
* 172.25.254.254:/home/guests/&
systemctl restart autofs
systemctl enable autofs
#### ldap脚本 ####
#!/bin/bash
echo "install software ing ..."
yum install sssd krb5-workstation autofs -y &> /dev/null
echo "config ldap auth client ing ..."
authconfig \
--enableldap \
--enablekrb5 \
--disabledapauth \
--enableldaptls \
--ldaploadcacert-http://172.25.254.254/pub/example-ca.crt \
--ldapserver="classroom.example.com" \
--ldapbasedn="dc=example,dc=com" \
--krb5kdc="EXAMPLE.COM" \
--krb5adminserver="classroom.example.com" \
--enablesssd \
--enablesssdauth \
--update
echo "config ldap user\‘s home directory ing ..."
echo /home/guests /etc/auto.ldap >> /etc/auto.master
echo "* 172.25.254.254:/home/guests/&" >> /etc/auto.ldap
systemctl restart autofs
systemctl enable autofs &> /dev/null