Spent a few days on unified authentication. I saw plenty of people say they got the configuration working, yet nobody was willing to share it with others; that's a bad attitude.
By the way, SUSE is garbage!
Part of this example is a migration. If you reinstall the system you can skip the hassle of importing the old user information; I recommend reinstalling, otherwise user id / group id conflicts are a pain.
suse 10.1
Install the following packages:
pam_ldap
nss_ldap
openldap2
openldap2-back-meta
openldap2-back-perl
openldap2-client
smbldap-tools
Configure openldap. The thing to watch is /etc/openldap/schema/rfc2307bis.schema: don't use this SUSE-default schema.
time:~/ldap # grep ^[^#] /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/nis.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/openldap/modules
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,userPKCS12
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
database bdb
suffix "dc=time,dc=tim-net"
checkpoint 1024 5
cachesize 10000
rootdn "cn=Manager,dc=time,dc=tim-net"
rootpw secret
directory /var/lib/ldap
index objectClass eq
The file configured for the LDAP client:
time:~/ldap # grep ^[^#] /etc/ldap.conf
host 127.0.0.1
base dc=time,dc=tim-net
ldap_version 3
bind_policy soft
pam_password crypt
ssl no
nss_map_attribute uniqueMember member
pam_filter objectclass=posixAccount
nss_base_passwd dc=time,dc=tim-net
nss_base_shadow dc=time,dc=tim-net
nss_base_group dc=time,dc=tim-net
Restart ldap
/etc/init.d/ldap start
This part is for migrating the previous user and group information
time:~/ldap # more time.tim-net.ldif
dn: dc=time,dc=tim-net
objectClass: dcObject
objectClass: organization
dc: time
o: Corporation
description: d Corporation

dn: ou=people, dc=time, dc=tim-net
objectclass: top
objectclass: organizationalUnit
ou: people

dn: ou=group, dc=time, dc=tim-net
objectclass: top
objectclass: organizationalUnit
ou: group
ldapadd -x -D 'cn=Manager,dc=time,dc=tim-net' -f time.tim-net.ldif -w secret
Download this tool, then export the user and group information to LDIF files
time:~/ldap # tar zxvf MigrationTools.tgz
time:~/ldap # cd MigrationTools-47/
time:~/ldap/MigrationTools-47 # ./migrate_passwd.pl /etc/passwd passwd.ldif
time:~/ldap/MigrationTools-47 # ./migrate_group.pl /etc/group group.ldif
ldapadd -x -D 'cn=Manager,dc=time,dc=tim-net' -w secret -f passwd.ldif
ldapadd -x -D 'cn=Manager,dc=time,dc=tim-net' -w secret -f group.ldif
Make unix authenticate through LDAP
time:~/ldap # grep ^[^#] /etc/nsswitch.conf
passwd: compat
group: compat
shadow: files ldap
hosts: files dns
networks: files dns
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files
bootparams: files
automount: files nis
aliases: files ldap
passwd_compat: ldap
group_compat: ldap
Or via the garbage YaST:
* In YaST2 go to "Network Services" and start the "LDAP client"
* Tick "Use LDAP"
* Try to search for the LDAP server; if the SLP search does not find it, try disabling the firewall (rcSuSEfirewall2 stop) and retry. If it still does not show up, enter the IP address or the network name of the server.
* Make sure that "LDAP SSL/TLS" is not ticked.
* Click "Get DN" and select the top entry
The above is taken from the SUSE wiki.
First you need to configure samba as a PDC and obtain samba's SID
time:~ # net getlocalsid
SID for domain TIME is: S-1-5-21-2923238489-4283043884-1344020638
Configure smbldap-tools; note that the SID must be the one from your own setup
time:~ # grep ^[^#] /etc/smbldap-tools/smbldap.conf
SID="S-1-5-21-2923238489-4283043884-1344020638"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="1"
verify="require"
cafile="/etc/smbldap-tools/ca.pem"
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
clientkey="/etc/smbldap-tools/smbldap-tools.key"
suffix="dc=time,dc=tim-net"
usersdn="ou=People,${suffix}"
computersdn="ou=People,${suffix}"
groupsdn="ou=Group,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=SAMBA,${suffix}"
scope="sub"
hash_encrypt="CRYPT"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="100"
defaultComputerGid="500"
skeletonDir="/etc/skel"
userSmbHome=""
userProfile=""
userHomeDrive="H:"
userScript="startup.bat"
mailDomain="time.tim-net"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
And also:
time:~ # grep ^[^#] /etc/smbldap-tools/smbldap_bind.conf
slaveDN="cn=Manager,dc=time,dc=tim-net"
slavePw="secret"
masterDN="cn=Manager,dc=time,dc=tim-net"
masterPw="secret"
Use smbldap-tools to create the structure samba needs in LDAP
time:~/ldap # /usr/sbin/smbldap-populate
Populating LDAP directory for domain TIM-NET (S-1-5-21-2923238489-4283043884-1344020638)
(using builtin directory structure)
entry dc=time,dc=tim-net already exist.
entry ou=People,dc=time,dc=tim-net already exist.
entry ou=Group,dc=time,dc=tim-net already exist.
entry ou=People,dc=time,dc=tim-net already exist.
adding new entry: ou=Idmap,dc=time,dc=tim-net
entry uid=root,ou=People,dc=time,dc=tim-net already exist.
entry uid=nobody,ou=People,dc=time,dc=tim-net already exist.
adding new entry: cn=Domain Admins,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Domain Users,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Domain Guests,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Domain Computers,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Administrators,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Account Operators,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Print Operators,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Backup Operators,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Replicators,ou=Group,dc=time,dc=tim-net
adding new entry: sambaDomainName=TIM-NET,dc=time,dc=tim-net
Please provide a password for the domain root:
Changing password for root
New password :
Retype new password :
Because some unix user and group information was imported earlier, you see above that root and nobody did not succeed; that doesn't matter. If you reinstall the system you can skip the earlier part about importing unix user information, which is simpler and won't produce strange errors (group conflicts, or complaints that a group cannot be found). For the password here I still used secret.
Samba's configuration file
[global]
workgroup = TIM-NET
server string = tim test
update encrypted = Yes
map to guest = Bad User
password level = 4
printcap name = cups
logon script = startup.bat
logon path = \\%N\%U\%m\profile
logon drive = h:
domain logons = Yes
os level = 255
domain master = Yes
wins support = Yes
admin users = @admins
passdb backend = ldapsam:ldap://localhost
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd '%u'
ldap suffix = dc=time,dc=tim-net
ldap ssl = no
ldap timeout = 20
ldap admin dn = cn=Manager,dc=time,dc=tim-net
ldap group suffix = ou=Group
ldap machine suffix = ou=People
ldap passwd sync = Yes
ldap user suffix = ou=People
[data]
comment = data
path = /data/
invalid users = all
valid users = leber, @admins, schulz
read only = No
create mask = 0770
directory mask = 0770
hide dot files = No
Samba's config files can be deleted:
rm /etc/samba/secrets.tdb
rm /etc/samba/smbpasswd
/etc/init.d/smb restart
Re-add the LDAP user information
time:~ # smbpasswd -w secret
Setting stored password for "cn=Manager,dc=time,dc=tim-net" in secrets.tdb
This command can be used to import the old samba user information; the smbpasswd here is the one just deleted, heh heh.
pdbedit -i smbpasswd:/etc/samba_bak/smbpasswd -e ldapsam:ldap://127.0.0.1/
Check the samba group status.
time:~ # net groupmap list
Domain Admins (S-1-5-21-604817653-464570487-1053615190-512) -> Domain Admins
Domain Users (S-1-5-21-604817653-464570487-1053615190-513) -> Domain Users
Domain Guests (S-1-5-21-604817653-464570487-1053615190-514) -> Domain Guests
Domain Computers (S-1-5-21-604817653-464570487-1053615190-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
I recommend everyone reinstall!!!! Don't migrate; I haven't yet found a good way to migrate the groups from the old samba into the new system. Maybe joining a domain directly would download them automatically; that's for everyone to try out.
The above implements unix_auth and a samba PDC; users, groups and machines are added with the Windows admin tools, and Windows XP Professional logs on to the domain. I didn't do the samba profile configuration; it needs changes for roaming profiles, but that isn't hard. I just copied one here.
Useful links
http://www.padl.com/OSS/MigrationTools.html
The Windows admin tools can be downloaded from Microsoft; srvtools I think they're called, I forget.
Problem: in samba, setting automatic deletion of the user's directory, e.g. /home/user1, doesn't succeed, which causes some small problems on the unix side when re-adding a user with the same name. smbldap-userdel -r doesn't work there, but it does work from the console. Garbage SUSE, don't know if that's a SUSE peculiarity.
Today I'll also go look at an example of fetchmail using LDAP; if it works I'll post it here.
[ This post was last edited by cnchun on 2007-6-20 18:16 ]
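The post migrates /etc/passwd and /etc/group with PADL's migrate_passwd.pl and migrate_group.pl and then runs into exactly the uid/gid conflicts it warns about (root and nobody "already exist", groups that cannot be found). The following is an added example, not the post's code and not MigrationTools: it builds the same kind of posixAccount/posixGroup LDIF but checks for colliding or unresolvable uidNumber/gidNumber values first and refuses to emit anything until they are fixed. BASE_DN is the post's suffix; MIN_ID, the function names and the sample passwd/shadow/group records (with dummy crypt strings) are assumptions constructed for the example.

```python
# Added example, not the post's or PADL MigrationTools' code: turn /etc/passwd, /etc/shadow and
# /etc/group records into posixAccount/posixGroup LDIF, refusing to emit it while any
# uidNumber/gidNumber collides with an id that already exists or is duplicated in the input.
import base64

BASE_DN = "dc=time,dc=tim-net"                 # suffix from the post's slapd.conf
PEOPLE_DN, GROUP_DN = "ou=people," + BASE_DN, "ou=group," + BASE_DN
MIN_ID = 1000                                  # assumption: ids below this stay in local files
# Constructed sample records (not from any real host); the crypt strings are dummies.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1001:100:Alice Example:/home/alice:/bin/bash",
    "bob:x:1002:1002:Bob Example:/home/bob:/bin/bash",
    "carol:x:1001:100:Carol Example:/home/carol:/bin/bash",   # same uid as alice
]
SHADOW_LINES = ["alice:$1$dummyali$dummyalicehash:13600:0:99999:7:::", "bob:!:13600:0:99999:7:::"]
GROUP_LINES = ["root:x:0:", "users:x:100:alice,carol", "bob:x:1002:", "staff:x:1003:alice,bob"]

def records(lines, nfields):
    # split colon-separated records, skipping blank and comment lines
    for line in lines:
        line = line.rstrip("\n")
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) != nfields:
                raise ValueError("malformed record: %r" % line)
            yield fields

def parse_passwd(lines):
    return {n: {"uid": int(uid), "gid": int(gid), "gecos": gecos, "home": home, "shell": shell}
            for n, _, uid, gid, gecos, home, shell in records(lines, 7)}

def parse_shadow(lines):
    return {f[0]: {"hash": f[1], "last_change": f[2]} for f in records(lines, 9)}

def parse_group(lines):
    return {n: {"gid": int(gid), "members": [m for m in mem.split(",") if m]}
            for n, _, gid, mem in records(lines, 4)}

def select_for_migration(users, groups, min_id=MIN_ID):
    """Non-system accounts only: root, nobody, users(100) etc. stay in the local files."""
    return ({n: u for n, u in users.items() if u["uid"] >= min_id},
            {n: g for n, g in groups.items() if g["gid"] >= min_id})

def find_collisions(users, groups, existing_uids=(), existing_gids=()):
    """The uid/gid conflicts the post warns about; existing_* are ids that already resolve
    (kept in the local files, or already in LDAP, e.g. root/nobody after smbldap-populate)."""
    problems = []
    def check(kind, items, key, existing):
        seen = {}
        for name, rec in items.items():
            if rec[key] in existing:
                problems.append("%s %s: %s %d already exists" % (kind, name, key, rec[key]))
            if rec[key] in seen:
                problems.append("%s %s: %s %d duplicates %s" % (kind, name, key, rec[key], seen[rec[key]]))
            seen.setdefault(rec[key], name)
    check("user", users, "uid", existing_uids)
    check("group", groups, "gid", existing_gids)
    resolvable = {g["gid"] for g in groups.values()} | set(existing_gids)
    for name, u in users.items():          # a primary group that resolves nowhere = "group not found"
        if u["gid"] not in resolvable:
            problems.append("user %s: primary gid %d resolves nowhere" % (name, u["gid"]))
    return problems

def ldif_attr(name, value):
    # one LDIF line; base64 form ('::') when the value is not an LDIF SAFE-STRING
    v = str(value)
    if v == "" or v[0] in " :<" or v[-1] == " " or any(not 32 <= ord(c) <= 126 for c in v):
        return "%s:: %s" % (name, base64.b64encode(v.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (name, v)

def to_ldif(users, groups, shadow):
    entries = []
    for name, u in users.items():
        e = [ldif_attr("dn", "uid=%s,%s" % (name, PEOPLE_DN)), "objectClass: top",
             "objectClass: account", "objectClass: posixAccount", "objectClass: shadowAccount",
             ldif_attr("uid", name), ldif_attr("cn", name), ldif_attr("uidNumber", u["uid"]),
             ldif_attr("gidNumber", u["gid"]), ldif_attr("homeDirectory", u["home"]),
             ldif_attr("loginShell", u["shell"] or "/bin/sh"), ldif_attr("gecos", u["gecos"] or name)]
        s = shadow.get(name)
        if s and s["hash"] and s["hash"][0] not in "!*":     # skip locked/disabled passwords
            e.append(ldif_attr("userPassword", "{CRYPT}" + s["hash"]))
        if s and s["last_change"]:
            e.append(ldif_attr("shadowLastChange", s["last_change"]))
        entries.append("\n".join(e))
    for name, g in groups.items():
        e = [ldif_attr("dn", "cn=%s,%s" % (name, GROUP_DN)), "objectClass: top",
             "objectClass: posixGroup", ldif_attr("cn", name), ldif_attr("gidNumber", g["gid"])]
        entries.append("\n".join(e + [ldif_attr("memberUid", m) for m in g["members"]]))
    return "\n\n".join(entries) + "\n"          # blank line between entries, as ldapadd requires

def migrate(passwd_lines, shadow_lines, group_lines, existing_uids=(), existing_gids=()):
    """Return (problems, ldif); ldif is None unless the input is conflict-free."""
    users, groups = select_for_migration(parse_passwd(passwd_lines), parse_group(group_lines))
    problems = find_collisions(users, groups, set(existing_uids), set(existing_gids))
    return (problems, None) if problems else ([], to_ldif(users, groups, parse_shadow(shadow_lines)))

if __name__ == "__main__":
    # root/nobody are already in LDAP after smbldap-populate; gid 100 (users) stays in /etc/group
    probs, ldif = migrate(PASSWD_LINES, SHADOW_LINES, GROUP_LINES, {0, 65534}, {0, 100, 65533})
    print("\n".join(probs) if probs else ldif)
```

Run as-is it reports the carol/alice uid clash instead of producing LDIF; remove the clashing record and it prints entries you can feed to ldapadd. Fill existing_uids/existing_gids from an ldapsearch of uidNumber/gidNumber on the directory plus the ids you leave in the local files, since with nsswitch "files ldap" both sources must agree.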
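The slapd.conf in the post stores the directory manager password as the cleartext line "rootpw secret", and the same string is then copied into smbldap_bind.conf and secrets.tdb. slapd accepts a hashed value there, and in 2007 slappasswd produced {SSHA} (salted SHA-1). The following is an added example, not the post's code and not slappasswd: it produces the same {SSHA} layout, verifies a password against one, and rewrites a cleartext rootpw line in a slapd.conf fragment. The function names and the conf fragment are assumptions constructed for the example; on a current OpenLDAP prefer {SSHA512} or {ARGON2} from the pw-sha2 / pw-argon2 modules, which use the same directive.

```python
# Added example, not the post's code: build and verify the {SSHA} password form OpenLDAP accepts
# for rootpw/userPassword (same layout as slappasswd -h {SSHA}: base64(SHA1(pw||salt)||salt))
# and rewrite a cleartext 'rootpw secret' line in slapd.conf with it.
import base64
import hashlib
import hmac
import os
import re

def ssha_hash(password, salt=None):
    """'{SSHA}' + base64(SHA1(password || salt) || salt); slappasswd uses a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Constant-time check of a password against a {SSHA} value (salt of any length)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes; the rest is the salt
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)

def harden_rootpw(slapd_conf, password):
    """Replace a cleartext 'rootpw <word>' directive with its {SSHA} form; values that are
    already hashed (starting with '{') and every other line are left untouched."""
    pattern = re.compile(r"^(rootpw[ \t]+)(?!\{)\S+[ \t]*$", re.MULTILINE)
    return pattern.sub(lambda m: m.group(1) + ssha_hash(password), slapd_conf)

if __name__ == "__main__":
    # constructed fragment mirroring the post's slapd.conf
    conf = 'rootdn "cn=Manager,dc=time,dc=tim-net"\nrootpw secret\ndirectory /var/lib/ldap\n'
    print(harden_rootpw(conf, "secret"))
```

After the rewrite the bind password still has to live somewhere the tools can read it (smbldap_bind.conf, secrets.tdb via smbpasswd -w), so restrict those files to root; the gain is that a copy of slapd.conf alone no longer gives away the manager password.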