LDAP network accounts

1. What LDAP is

LDAP is directory-service authentication, similar to Windows Active Directory: it is a way of storing records, in this case user account data, in a directory that clients query.

2. Software the LDAP client needs

The packages are installed from the classroom yum repository:

    [root@server37 ~]# vim /etc/yum.repos.d/rhel_dvd.repo
    [root@server37 ~]# cat /etc/yum.repos.d/rhel_dvd.repo
    # Created by cloud-init on Thu, 10 Jul 2014 22:19:11 +0000
    [rhel_dvd]
    gpgcheck = 0
    enabled = 1
    baseurl = http://172.25.37.254/content/rhel7.0/x86_64
    name = Remote classroom copy of dvd

    yum install sssd krb5-workstation -y

Note that gpgcheck = 0 turns off package signature verification; that is acceptable for a classroom copy of the installation DVD, but a production repository should keep it enabled.

3. Enabling LDAP user authentication

Run authconfig-tui and fill in the three screens as follows (user information comes from LDAP, authentication uses Kerberos):

    Authentication Configuration
      User Information          Authentication
      [ ] Cache Information     [ ] Use MD5 Passwords
      [*] Use LDAP              [*] Use Shadow Passwords
      [ ] Use NIS               [ ] Use LDAP Authentication
      [ ] Use IPAv2             [*] Use Kerberos
      [ ] Use Winbind           [ ] Use Fingerprint reader
                                [ ] Use Winbind Authentication
                                [*] Local authorization is sufficient
      [Cancel] [Next]

    LDAP Settings
      [*] Use TLS
      Server:  ldap://classroom.example.com/
      Base DN: dc=example,dc=com
      [Back] [Next]

    Kerberos Settings
      Realm:        EXAMPLE.COM
      KDC:          classroom.example.com
      Admin Server: classroom.example.com
      [ ] Use DNS to resolve hosts to realms
      [ ] Use DNS to locate KDCs for realms
      [Back] [Ok]

If the following warning appears:

    Warning
      To connect to a LDAP server with TLS protocol enabled you need a
      CA certificate which signed your server's certificate. Copy the
      certificate in the PEM format to the '/etc/openldap/cacerts'
      directory. Then press OK.
      [Ok]

it is because the CA certificate for TLS is missing. Download the required certificate from the server into /etc/openldap/cacerts. The command used is:

    wget http://172.25.254.254/pub/example-ca.crt

    [root@server37 ~]# wget http://172.25.254.254/pub/example-ca.crt
    --2017-04-13 04:30:16--  http://172.25.254.254/pub/example-ca.crt
    Connecting to 172.25.254.254:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1220 (1.2K)
    Saving to: 'example-ca.crt'

    100%[===================>] 1,220       --.-K/s   in 0s

    2017-04-13 04:30:16 (137 MB/s) - 'example-ca.crt' saved [1220/1220]

    [root@server37 cacerts]# ls
    d5912a02.0  example-ca.crt

The d5912a02.0 entry is the hash-named link to the CA certificate that the TLS library uses to find it; without the CA certificate the client cannot verify the LDAP server, which is why "Use TLS" triggers the warning.

    [root@server37 cacerts]# getent passwd ldapuser1
    ldapuser1:x:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash
    [root@server37 cacerts]# su - ldapuser1
    Last login: Wed Apr 12 04:36:14 EDT 2017 on pts/1
    su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory
    mkdir: cannot create directory '/home/guests/ldapuser1': Permission denied
    -bash-4.2$

The login itself works, but the user's home directory does not exist on the client; section 4 fixes that with autofs.

Test:

    getent passwd ldapuser1

If the user's information is displayed correctly, the client has been set up successfully.

To list all users, enable enumeration in the domain section of sssd.conf and restart sssd:

    vim /etc/sssd/sssd.conf
    enumerate = True

    systemctl restart sssd

4. Automatically mounting user home directories

    yum install autofs -y

The master map is /etc/auto.master (the note originally wrote autofs.master, which is not the file autofs reads). Add a line that hands /home/guests to the map file /etc/auto.ldap:

    vim /etc/auto.master
    /home/guests /etc/auto.ldap

    vim /etc/auto.ldap
    ldapuser1 172.25.254.254:/home/guests/ldapuser1
    * 172.25.254.254:/home/guests/&

The first line mounts one user explicitly; the second is a wildcard entry, where * matches any name looked up under /home/guests and & is replaced by that name, so every LDAP user gets their home directory from the NFS server.

    systemctl restart autofs
    systemctl enable autofs
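As an added example that is not part of the original note, the following script shows how automount resolves a name against an indirect map of the kind used in section 4: an exact entry wins, otherwise the "*" wildcard entry is used with every "&" replaced by the looked-up name. The map content is constructed inline and the function names are the example's own.

```shell
#!/bin/sh
# Added example: resolve a user name against an autofs indirect map the
# way automount does for the /etc/auto.ldap map in section 4.
# Rule: an exact key entry wins; otherwise the "*" wildcard entry is used
# and every "&" in its location is replaced by the key being looked up.
# The map below is constructed inline for the demonstration.

MAP_FILE="${TMPDIR:-/tmp}/auto.ldap.example.$$"
trap 'rm -f "$MAP_FILE"' EXIT
cat > "$MAP_FILE" <<'EOF'
# explicit entry for one user (same form as the note's first map line)
ldapuser1 172.25.254.254:/home/guests/ldapuser1
# wildcard entry: & becomes the name that was looked up
* 172.25.254.254:/home/guests/&
EOF

# subst_amp STRING KEY: replace every "&" in STRING with KEY, without sed,
# so a key containing sed metacharacters cannot corrupt the result.
subst_amp() {
    rest=$1; out=""
    while [ -n "$rest" ]; do
        head=${rest%%&*}
        if [ "$head" = "$rest" ]; then out="$out$rest"; break; fi
        out="$out$head$2"
        rest=${rest#*&}
    done
    printf '%s\n' "$out"
}

# resolve_automount KEY MAPFILE: print the NFS location for KEY, or
# return 1 when neither an exact entry nor a wildcard entry matches.
resolve_automount() {
    wildcard=""
    while read -r mkey location; do
        case $mkey in
            ''|'#'*) continue ;;                 # blank line or comment
            '*') [ -z "$wildcard" ] && wildcard=$location ;;
            "$1") printf '%s\n' "$location"; return 0 ;;
        esac
    done < "$2"
    [ -n "$wildcard" ] || return 1
    subst_amp "$wildcard" "$1"
}

# Usage: the explicit entry, then a name served by the wildcard entry.
resolve_automount ldapuser1 "$MAP_FILE"
resolve_automount ldapuser2 "$MAP_FILE"
```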