Windows (Active Directory) does not allow anonymous LDAP queries by default. Querying with ldapsearch only needs a valid user name and password; getting the entries through getent takes a bit more setup.
On the Windows side, add the role service Microsoft Identity Management for UNIX in Server Manager. After that, only users and groups that have their UNIX attributes (uidNumber, gidNumber, unixHomeDirectory and so on) set are returned by getent. No samba or winbind is needed in between.
RHEL 5
Set the bind credentials and the attribute mappings in /etc/ldap.conf. nss_ldap is loaded into every process that does a name lookup, so this file has to stay world-readable and the bind password in it is visible to every local user; use a dedicated read-only account for the bind (cn=Linux-NSS below), never an administrator.
binddn cn=Linux-NSS,cn=Users,dc=ad,dc=example,dc=com
bindpw Windows2008

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group

nss_map_attribute uid sAMAccountName
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory

pam_login_attribute sAMAccountName
pam_filter objectclass=User
nss_base_passwd cn=Users,dc=ad,dc=example,dc=com
pam_password ad
ssl no
RHEL 6 uses nslcd to talk to the Windows domain, so the configuration goes into /etc/nslcd.conf. The passwd filter excludes computer accounts and anything without UNIX attributes, so only real users with a uidNumber and unixHomeDirectory show up in getent.
binddn cn=Linux-NSS,cn=Users,dc=ad,dc=example,dc=com
bindpw Windows2008

filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName

filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet

filter group (objectClass=group)
map group uniqueMember member

uid nslcd
gid ldap

uri ldap://w2k8.ad.example.com
base dc=ad,dc=example,dc=com
ssl no
Restart the nslcd service after every change. nslcd reads this file as root at startup before dropping to the uid/gid set above, so keep it owned by root with mode 0600; unlike the RHEL 5 /etc/ldap.conf it does not need to be world-readable, so the bind password is not exposed to local users. Both configurations shown here use ssl no, which sends the bind password and every query result across the network in cleartext; once the domain controller has a usable certificate, switch to ssl start_tls or an ldaps:// uri.
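Before restarting nslcd it pays to check the file for the two mistakes above (cleartext bind, password in a readable file) and to run the passwd filter by hand with ldapsearch, since a filter typo silently yields an empty getent. The script below is an added example and not part of the original post or of nss_ldap/nslcd; the audit rules are my own, and the sample configuration it writes to a temporary file is constructed to mirror the nslcd.conf above. It works on both the RHEL 5 style (ldap.conf) and the nslcd.conf keyword layout.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an nss_ldap
# /etc/ldap.conf or /etc/nslcd.conf and print the ldapsearch that reproduces
# its passwd filter, so bind credentials and filter can be verified by hand
# before the service is restarted. File names below are assumptions.

# conf_get FILE KEY [SUBKEY]: value of the first "KEY [SUBKEY] value" line,
# comments ignored. Handles "bindpw X" as well as "filter passwd (...)".
conf_get() {
    awk -v k="$2" -v s="$3" '
        /^[ \t]*#/ { next }
        $1 == k && (s == "" || $2 == s) {
            n = (s == "") ? 1 : 2
            for (i = 1; i <= n; i++) $i = ""
            sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# audit_ldap_conf FILE: print one finding per line, nothing if clean.
# Flags (1) a bind that crosses the wire in cleartext and (2) a bind
# password sitting in a file readable by group or other.
audit_ldap_conf() {
    f="$1"
    uri=$(conf_get "$f" uri)
    ssl=$(conf_get "$f" ssl)
    case "$uri" in
        ldaps://*) ;;                      # TLS from the first byte
        *) case "$ssl" in
               on|start_tls) ;;            # LDAPS or StartTLS
               *) echo "cleartext bind: uri=${uri:-unset} ssl=${ssl:-unset}; use ssl start_tls or an ldaps:// uri" ;;
           esac ;;
    esac
    if [ -n "$(conf_get "$f" bindpw)" ]; then
        # characters 5-10 of "ls -l" are the group and other permission bits
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "bindpw readable by group/other: chmod 600 $f (nslcd.conf); for nss_ldap's ldap.conf this is unavoidable, so the bind account must be unprivileged"
        fi
    fi
}

# ldapsearch_cmd FILE: the ldapsearch equivalent of FILE's passwd filter.
# -W prompts for the bind password instead of passing it on the command line,
# where every local user could read it from ps.
ldapsearch_cmd() {
    f="$1"
    filter=$(conf_get "$f" filter passwd)
    [ -n "$filter" ] || filter="(objectClass=*)"   # no passwd filter (ldap.conf style)
    tls=""
    [ "$(conf_get "$f" ssl)" = "start_tls" ] && tls=" -ZZ"
    printf 'ldapsearch -x%s -H "%s" -D "%s" -W -b "%s" "%s" sAMAccountName uidNumber gidNumber unixHomeDirectory\n' \
        "$tls" "$(conf_get "$f" uri)" "$(conf_get "$f" binddn)" \
        "$(conf_get "$f" base)" "$filter"
}

# Constructed sample mirroring the nslcd.conf above, written to a temp file.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
uri ldap://w2k8.ad.example.com
base dc=ad,dc=example,dc=com
binddn cn=Linux-NSS,cn=Users,dc=ad,dc=example,dc=com
bindpw Windows2008
ssl no
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
EOF
chmod 644 "$demo_conf"
audit_ldap_conf "$demo_conf"      # two findings: cleartext bind, readable bindpw
ldapsearch_cmd "$demo_conf"
rm -f "$demo_conf"
```

Run the printed ldapsearch with the bind password at the prompt: if it returns no entries, the UNIX attributes on the Windows side or the filter are wrong, and restarting nslcd will not help. On a StartTLS setup the `-ZZ` makes ldapsearch fail rather than fall back to cleartext, which is the behaviour you want the test to share with the daemon.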