Topic: openldap settings for connecting to Active Directory

  
  1. #1
    Real name: neda
    Newcomer, avatar ID: samanka80
    Joined: Jul 2012

    openldap settings for connecting to Active Directory

    I need the openldap settings for connecting an openldap server to an Active Directory server. Unfortunately the material I have found only gives very general explanations and I don't really know what to do. Does anyone have experience with this that they could share with me? For example, it says that a bind account for ldap is needed in Active Directory; I don't really know how that should be defined, or where to put it in the ldap configuration files, and I also don't know, for example, where in ldap the domain should be defined. If you have any information or references, please share them with me. Many thanks.

    - - - Updated - - -

    See, for example, I found this, but I haven't tested it yet; since I have never done this before I doubt it works correctly, but I want to try it anyway. If anyone has experience with it, please tell me.


    LDAP/Active Directory integration Configuration:

    Required Packages:
    openldap
    openssl
    nss_ldap(pam_ldap)
    cyrus-sasl
    krb5-libs
    krb5-auth-dialog
    krb5-workstation
    pam_krb5
    system-config-authentication (Should be installed by default)
    nscd
    ntpd

    1st, there are a couple of naming conventions I tried to use:
    FQDN or fqdn = Fully Qualified Domain Name
    ipaddr = ip address
    subdomain.domain.com = example of domain structure
    servername = DUH!


    I believe that's all of the packages, but I am not 100% sure for each distro.
    By installing the packages listed above with yum/apt/zypper, the system SHOULD get all the
    necessary dependent packages that need to be installed too.

    Remember /etc/ldap.conf and /etc/openldap/ldap.conf are 2 different files and are for different applications.

    /etc/ldap.conf: # Used by pam to perform authentication.
    /etc/openldap/ldap.conf: # Used by the openldap tools and application to connect.
    /etc/krb5.conf: # Used to bind to kerberos
    /etc/nsswitch.conf: # Used to define where to collect user info (local 1st, network 2nd)
    /etc/sysconfig/authconfig: # Used to tell the system what applications to use to authenticate.
    /etc/ntp/steptickers # Used for clock sync at boot
    /etc/ntp/ntpserver # servers to use by ntpd
    /etc/ntp.conf # configure system to use or act as a stratum 1,2 10 server (10 is no source available use BIOS clock)

    ####################################################################################################

    How To configure:
    Start by getting the certificate from the Active Directory server. The windows certificate will be
    <servername.domainname>.crt. This has to be converted to a PEM format. CRT is a DER format.
    To do this use the following commands

    openssl x509 -in input.crt -inform DER -out output.crt -outform PEM

    Place the newly converted certificate in /etc/pki/tls/certs or in a directory the openldap
    application can read. I used /etc/openldap/cacerts.

    ---------------------------------------------------------------------------

    Ensure kerberos is configured correctly.
    You can verify this with kinit <AD username>. This will prompt you for a password.
    If configured correctly you will receive a token from AD.

    LDAP DOES NOT need to be configured for this to work
    (See below for configuring the /etc/krb5.conf file)

    ----------------------------------------------------------------------------

    Next you want to configure the /etc/openldap/ldap.conf. Again, this file IS NOT the same as
    /etc/ldap.conf. Only the basic information is necessary here.

    HOST = The LDAP server
    URI = The ldap://<ipaddr> to use. If use tls/SSL use ldaps://<ipaddr>
    BASE = The root to start searching from in the AD tree (Notice I start below the root domain)
    TLS_REQCERT = Whether or not to request a certificate from the server
    TLS_CACERT = The root cert from AD that was converted earlier (This can be any dir openldap can access)
    SSL start_tls = Use TLS to do basic encryption to AD

    If you are using SE_LINUX ensure the context is correct.
    Use semanage to set the context if it is wrong.

    ------------------------------------------------------------------------
    # To configure /etc/ldap.conf do the following:
    # (To avoid DNS lookups place the IP/FQDN in the /etc/hosts file)
    # 192.168.0.1 myhost.example.com

    uri = ldap://<fqdn> or ldaps://<fqdn>
    #host = same as above. This can be the IP or FQDN.
    (Only use uri or host)
    base = Same as above
    ldap_version = not necessary if doing version 3, it is the default
    binddn = User acct to connect to AD and query information with.
    (MS admins should limit the access as much as possible to this account, ex..guest)
    bindpw = password used to connect to AD by user specified above
    scope = sub specifies to search the tree from base and below
    (Remember base is specified above)
    timelimit = Time for ldap query to wait
    #ssl = I use sasl so ssl is not used.
    nss_map_objectclass = maps the LDAP objectclass posixAccount to User
    nss_map_objectclass = maps the LDAP objectclass shadowAccount to User
    nss_map_objectclass = maps the LDAP objectclass posixGroup to Group
    nss_map_attribute = maps the UNIX attribute uid to sAMAccountName
    nss_map_attribute = maps the LDAP attribute uidNumber to uidNumber
    nss_map_attribute = maps the LDAP attribute gidNumber to gidNumber
    nss_map_attribute = maps the LDAP attribute cn to sAMAccountName
    nss_map_attribute = maps the LDAP attribute homeDirectory to unixHomeDirectory
    (you must have the path mounted or tell the system to create dirs for this to work)
    nss_map_attribute = maps the LDAP attribute gecos to name
    pam_login_attribute = assigns the pam userid to sAMAccountName
    pam_filter = filters pam for user information
    nss_base_passwd = specifies the nss_ldap base, the sub at the end tells it to search base and below
    nss_base_shadow = same as above
    nss_base_group = same as above but collects group info
    tls_cacert = path to the converted pem certificate from AD
    tls_reqcert = Never request a certificate, it is already installed above.
    bind_policy = Fixes a problem when booting to stop hangs at messagesbus(Fedora/Redhat)
    (There is a chicken/egg problem here.)


    ** If you need to add attributes just follow the syntax above for mapping
    -------------------------------------------------------------------------

    Tells the system where to get its User/Group/Password info from.
    I only use it for auth and group membership.

    /etc/nsswitch.conf
    passwd: = Use local files first, winbind, then LDAP
    shadow: = Use local files first, then LDAP
    group: = Use local files first, winbind, then LDAP

    You can use more but with LDAP you will need to map the attribute above.

    ------------------------------------------------------------------------

    /etc/sysconfig/authconfig: (Fedora/Redhat not sure about the rest)

    This is self explanatory. It is either yes or no. I recommend using LDAP for user info and Kerberos
    for Auth. This howto is for that specific configuration.

    This can be configured with system-config-authentication
    Do not modify the setting if you are configuring the files manually.

    Run:
    system-config-authentication (In runlevel 5 a gui will pop up, in runlevel 3 this will use ncurses)
    Select LDAP on the user-information tab.
    Select kerberos on the Authentication tab.
    On the last tab select create home directory if you want the system to create the home dir for you.
    Click OK.


    This will also configure PAM for you

    The final steps are simple
    ensure nscd, cyrus-sasl start at reboot.

    chkconfig nscd on
    chkconfig saslauthd on

    That should be about it.

    ------------------------------------------------------------------------
    The files I use are listed below:
    #########################################################################
    FILES: #
    #########################################################################

    /etc/openldap/ldap.conf

    HOST <FQDN> #This can be an IP
    URI ldaps://<ipaddr> # Use ldaps if port 636 is used
    BASE cn=users,dc=subdomain,dc=domain,dc=com # Base domain to start search from
    TLS_REQCERT never # Request a Cert from server
    TLS_CACERT /etc/openldap/cacerts/certificate.pem # ENSURE this is the right cert and not from a different domain
    BINDDN ldapman@subdomain.domain.com # User to connect as
    SSL start_tls # Start tls for simple encryption

    ------------------------------------------------------------------------
    /etc/ldap.conf

    uri ldaps://<fqdn hostname>/ # Same as above
    #host <ip address> # IP address of server
    base cn=users,dc=subdomain,dc=domain,dc=com # Search base
    ldap_version 3 # Version
    binddn cn=ldapman,ou=ServiceAccts,dc=subdomain,dc=domain,dc=com # User to bind as
    bindpw <user passwd> # Users password
    scope sub # search base, "sub"ordinate too
    timelimit 30
    #ssl start_tls # SSL not used same as above
    #
    # Active Directory attributes that correspond with LDAP
    #
    nss_map_objectclass posixAccount User
    nss_map_objectclass shadowAccount User
    nss_map_objectclass posixGroup Group
    nss_map_attribute uid sAMAccountName
    nss_map_attribute uidNumber uidNumber
    nss_map_attribute gidNumber gidNumber
    nss_map_attribute cn sAMAccountName
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute loginShell loginShell
    nss_map_attribute uniqueMember member
    nss_map_attribute gecos name
    pam_login_attribute sAMAccountName # Login name from Windows
    pam_filter objectclass=User
    nss_base_passwd dc=subdomain,dc=domain,dc=com?sub
    nss_base_shadow dc=subdomain,dc=domain,dc=com?sub
    nss_base_group dc=subdomain,dc=domain,dc=com?sub
    tls_cacert /etc/openldap/cacerts/<servername.domainname.pem> # Path to server cert issued by AD
    tls_reqcert never # Never request a certificate from the server
    bind_policy soft # hard/soft hard retries, soft fails

    ---------------------------------------------------------------------------
    /etc/nsswitch.conf
    #
    # Controls where linux looks for user/pass info and what order
    #
    passwd: files winbind ldap
    shadow: files ldap
    group: files winbind ldap

    #hosts: db files nisplus nis dns
    hosts: files dns

    # Example - obey only what nisplus tells us...
    #services: nisplus [NOTFOUND=return] files
    #networks: nisplus [NOTFOUND=return] files
    #protocols: nisplus [NOTFOUND=return] files
    #rpc: nisplus [NOTFOUND=return] files
    #ethers: nisplus [NOTFOUND=return] files
    #netmasks: nisplus [NOTFOUND=return] files

    bootparams: nisplus [NOTFOUND=return] files

    ethers: files
    netmasks: files
    networks: files
    protocols: files
    rpc: files
    services: files

    netgroup: files

    publickey: nisplus

    automount: files
    aliases: files nisplus

    -------------------------------------------------------------------------

    To set this you can use system-config/authentication or manually
    toggle which methods you want to use

    /etc/sysconfig/authconfig

    USEWINBINDAUTH=yes
    USEKERBEROS=yes
    USESYSNETAUTH=no
    USEPAMACCESS=yes
    USEMKHOMEDIR=yes
    FORCESMARTCARD=no
    USESMBAUTH=no
    USESMARTCARD=no
    USELDAPAUTH=no
    USEDB=no
    USEWINBIND=yes
    USESHADOW=yes
    PASSWDALGORITHM=md5
    USEHESIOD=no
    USELDAP=yes
    USELOCAUTHORIZE=yes
    USEPASSWDQC=no
    USECRACKLIB=yes
    USENIS=no

    --------------------------------------------------------------------------

    /etc/krb5.conf
    #
    # This must function correctly
    #
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = DOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

    [realms]
    DOMAIN.COM = {
    kdc = <FQDN>:88
    admin_server = <FQDN>:749
    default_domain = domain.com
    }

    [domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM

    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }


    ---------------------------------------------------------------------
    /etc/ntp/steptickers

    123.123.123.123 # ipaddr of time source


    ---------------------------------------------------------------------
    /etc/ntp/ntpservers

    123.123.123.123 # ipaddr of time source

    ---------------------------------------------------------------------
    /etc/ntp.conf

    remove lines that specify the default server and replace with your info

    server 123.123.123.123


    ---------------------------------------------------------------------

    After all of this is complete you should be able to do:

    kinit <Domain Admin Acct>
    password:

    net ads join -U <Domain Admin Acct>
    password:

    net ads testjoin -U <Domain Admin Acct>
    password: # Test server communication

    ldapsearch -D "binddn@domain.com" -x -W # -D is the user (bind DN) to authenticate as
    # -x uses a simple bind instead of SASL; it does not switch encryption on or off
    # -W prompts for a password

    wbinfo -u # List domain users
    wbinfo -g # List domain groups
    wbinfo -t # Check domain trust

    after setting the nsswitch.conf run:

    getent passwd # Should list users
    getent group # Should list groups

    MAKE SURE HOME DIRS ARE AVAILABLE FOR DOMAIN USERS/GROUPS!!!

    Attempt to login

    Should Work
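A small configuration audit, added here as an example and not part of the post or of the how-to it quotes: it parses the key/value syntax of the /etc/ldap.conf listed above and flags the settings a reviewer would push back on before this goes to production, in particular tls_reqcert never (which leaves the AD server certificate unverified even over ldaps://) and a bindpw in a file readable by other users. The sample file, host names, DN and password are constructed placeholders, and the "demand" default for tls_reqcert is taken from OpenLDAP's own default.

```python
from typing import Dict, List, Optional

# Constructed sample modelled on the /etc/ldap.conf in the post; the host,
# DN and password are placeholders, not a real deployment.
SAMPLE_LDAP_CONF = """\
uri ldaps://dc1.subdomain.domain.com/
#host 192.0.2.10
base cn=users,dc=subdomain,dc=domain,dc=com
ldap_version 3
binddn cn=ldapman,ou=ServiceAccts,dc=subdomain,dc=domain,dc=com
bindpw example-bind-password
scope sub
timelimit 30
tls_cacert /etc/openldap/cacerts/dc1.subdomain.domain.com.pem
tls_reqcert never
bind_policy soft
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse the 'key value' syntax shared by /etc/ldap.conf (nss_ldap/pam_ldap)
    and /etc/openldap/ldap.conf: keys are case-insensitive, '#' starts a
    comment, and the last occurrence of a key wins."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(conf: Dict[str, str], file_mode: Optional[int] = None) -> List[str]:
    """Return findings for the transport and credential weaknesses in a parsed
    ldap.conf. file_mode is the file's st_mode when the caller knows it."""
    findings: List[str] = []
    uri = conf.get("uri", "").lower()
    encrypted = uri.startswith("ldaps://") or conf.get("ssl", "").lower() in ("start_tls", "on")
    reqcert = conf.get("tls_reqcert", "demand").lower()  # assumption: OpenLDAP default
    if not encrypted:
        findings.append("no-tls: plain ldap:// without 'ssl start_tls' sends bindpw in clear text")
    if encrypted and reqcert in ("never", "allow"):
        findings.append(f"tls_reqcert {reqcert}: the AD server certificate is not verified, "
                        "so a spoofed directory is accepted; use 'demand' with tls_cacert")
    if encrypted and not conf.get("tls_cacert"):
        findings.append("tls_cacert missing: no CA to verify the server against; point it at "
                        "the PEM converted from the AD certificate")
    if conf.get("bindpw") and file_mode is not None and file_mode & 0o077:
        findings.append("bindpw readable by group/others: chmod 600 the file")
    return findings


if __name__ == "__main__":
    for finding in audit_ldap_conf(parse_ldap_conf(SAMPLE_LDAP_CONF), file_mode=0o100644):
        print("WARNING:", finding)
```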




  2. #2
    Real name: maysam dadgostar
    Newcomer, avatar ID: dadgostar
    Joined: Jul 2012
    Location: shiraz

    Hello
    First, what do you want to do with ldap? Because you also have to do configuration on your Windows side.
    Then, if you just want to connect Linux to AD, use CENTOS.
    In its GUI environment it connects to AD with kerberos, without LDAP, as easy as anything.


