- 论坛徽章:
- 0
|
/etc/ldap.conf
uri ldaps://web:636/web
base dc=test,dc=com
pam_password md5
ssl start_tls
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
#tls_cacertdir /etc/openldap/cacerts
pam_filter host=zj-jgg01
host web
sldap.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/ppolicy.schema
allow bind_v2
loglevel 0
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib/openldap
moduleload ppolicy.la
#TLSCipherSuite HIGH::MEDIUM:LOW
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
TLSVerifyClient allow
access to attrs=userPassword
by self write
by * auth
access to *
by * read
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=test,dc=com"
rootdn "cn=Manager,dc=test,dc=com"
rootpw test.com&2007
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=test,dc=com"
#ppolicy_use_lockout
#openldap slave server
updatedn "cn=Manager,dc=test,dc=com"
updateref ldaps://gw1:636
pam模块system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so |
|