Sorry, I'm not entirely clear on what you need, so I'll just go by my understanding of it.
LDAP is really just a central control point that provides authentication. If you want to log in to servers using LDAP authentication, that's no problem: all of our servers use a central LDAP to control user accounts and passwords. This is configured in PAM's authentication settings, and it can use password plus certificate encryption. That way every user login goes to the LDAP center for verification, and only if it passes is the login to the server allowed.
Reference: http://www.ibm.com/developerworks/cn/linux/l-openldap/
The other case is that you want to log in to a web application with permissions verified via LDAP; the link above won't solve that one. You could consider writing your own login page; the page can use the ldapsearch command on the server to do the verification and allow the login if it passes.
Below is the detailed description of ldapsearch.
usage: ldapsearch [options] [filter [attributes...]]
where:
filter RFC-2254 compliant LDAP search filter
attributes whitespace-separated list of attribute descriptions
which may include:
1.1 no attributes
* all user attributes
+ all operational attributes
Search options:
-a deref one of never (default), always, search, or find
-A retrieve attribute names only (no values)
-b basedn base dn for search
-E [!]<ext>[=<extparam>] search extensions (! indicates criticality)
[!]domainScope (domain scope)
[!]mv=<filter> (matched values filter)
[!]pr=<size>[/prompt|noprompt] (paged results/prompt)
[!]subentries[=true|false] (subentries)
[!]sync=ro[/<cookie>] (LDAP Sync refreshOnly)
rp[/<cookie>][/<slimit>] (LDAP Sync refreshAndPersist)
-F prefix URL prefix for files (default: file:///tmp/)
-l limit time limit (in seconds, or "none" or "max") for search
-L print responses in LDIFv1 format
-LL print responses in LDIF format without comments
-LLL print responses in LDIF format without comments
and version
-s scope one of base, one, sub or children (search scope)
-S attr sort the results by attribute `attr'
-t write binary values to files in temporary directory
-tt write all values to files in temporary directory
-T path write files to directory specified by path (default: /tmp)
-u include User Friendly entry names in the output
-z limit size limit (in entries, or "none" or "max") for search
Common options:
-c continuous operation mode (do not stop on errors)
-C chase referrals (anonymously)
-d level set LDAP debugging level to `level'
-D binddn bind DN
-e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
[!]assert=<filter> (an RFC 2254 Filter)
[!]authzid=<authzid> ("dn:<dn>" or "u:<user>")
[!]manageDSAit
[!]noop
ppolicy
[!]postread[=<attrs>] (a comma-separated attribute list)
[!]preread[=<attrs>] (a comma-separated attribute list)
abandon, cancel (SIGINT sends abandon/cancel; not really controls)
-f file read operations from `file'
-h host LDAP server
-H URI LDAP Uniform Resource Identifier(s)
-I use SASL Interactive mode
-k use Kerberos authentication
-K like -k, but do only step 1 of the Kerberos bind
-M enable Manage DSA IT control (-MM to make critical)
-n show what would be done but don't actually do it
-O props SASL security properties
-o <opt>[=<optparam>] general options
nettimeout=<timeout> (in seconds, or "none" or "max")
-p port port on LDAP server
-P version protocol version (default: 3)
-Q use SASL Quiet mode
-R realm SASL realm
-U authcid SASL authentication identity
-v run in verbose mode (diagnostics to standard output)
-V print version info (-VV only)
-w passwd bind password (for simple authentication)
-W prompt for bind password
-x Simple authentication
-X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
-y file Read password from file
-Y mech SASL mechanism
-Z Start TLS request (-ZZ to require successful response)
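As an added illustration of the login-page approach the reply describes (example code, not the poster's and not part of the original thread), here is a Python helper that validates a username and password by invoking ldapsearch with a simple bind and a base-scope search of the user's own entry, using only options that appear in the usage text above (-x, -H, -ZZ, -LLL, -D, -y, -b, -s). The directory URI, the base DN, the `uid=` naming attribute and the use of `/dev/stdin` as the `-y` password file are assumptions, not anything the reply specifies. The username is whitelisted before it is placed in a DN, the password is never put on the command line, and no shell is involved, which covers the injection and process-listing exposure that shelling out from a login page otherwise invites; `escape_filter_value` is the RFC 4515 escaping you would apply if the username went into a search filter instead of a DN.

```python
import re
import subprocess

# Placeholder assumptions: where the directory is and where user entries live.
LDAP_URI = "ldap://ldap.example.internal"
BASE_DN = "ou=People,dc=example,dc=com"

# Usernames must match this whitelist before they are embedded in a DN.
USERNAME_PATTERN = r"[A-Za-z0-9._-]{1,64}"

# RFC 4515 (successor of RFC 2254) escapes for values inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# ldapsearch exits with the LDAP result code; 49 is invalidCredentials.
LDAP_INVALID_CREDENTIALS = 49


def escape_filter_value(value: str) -> str:
    """Escape a string for safe inclusion in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(username: str) -> str:
    """Filter matching one uid, with the username escaped (for DN lookups)."""
    return f"(uid={escape_filter_value(username)})"


def build_ldapsearch_argv(username: str) -> list:
    """argv for an ldapsearch that proves the credentials by binding as the user.

    The password is read through -y from stdin rather than passed with -w,
    so it does not appear in process listings; the search is base scope on
    the user's own entry with no attributes (1.1), since only the result
    code matters.
    """
    if not re.fullmatch(USERNAME_PATTERN, username):
        raise ValueError("username contains characters outside the allowed set")
    bind_dn = f"uid={username},{BASE_DN}"
    return [
        "ldapsearch",
        "-x",                 # simple authentication
        "-H", LDAP_URI,
        "-ZZ",                # StartTLS, and fail if it cannot be negotiated
        "-LLL",
        "-D", bind_dn,
        "-y", "/dev/stdin",   # password file is our stdin (Linux assumption)
        "-b", bind_dn,
        "-s", "base",
        "(objectClass=*)",
        "1.1",                # no attributes; only the result code is needed
    ]


def verify_credentials(username: str, password: str) -> bool:
    """Return True when ldapsearch binds successfully as the user."""
    argv = build_ldapsearch_argv(username)
    # argv list, no shell; the password travels over stdin with no trailing
    # newline, because -y reads the file contents verbatim.
    proc = subprocess.run(argv, input=password.encode(), capture_output=True, check=False)
    if proc.returncode == 0:
        return True
    if proc.returncode == LDAP_INVALID_CREDENTIALS:
        return False
    # Anything else (TLS failure, server unreachable) is an error, not a bad password.
    raise RuntimeError(proc.stderr.decode(errors="replace").strip())


if __name__ == "__main__":
    import getpass
    user = input("username: ")
    print("ok" if verify_credentials(user, getpass.getpass()) else "rejected")
```

Distinguishing result code 49 from other failures matters for the login page: a TLS or connectivity error must surface as an outage rather than silently reading as "wrong password", and, conversely, must never be treated as a successful login.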