Configuring an LDAP client on Ubuntu 8.04 is simply a nightmare, whereas on CentOS 5.1 it is a very easy thing. If I had not found this article online, I probably would never have managed to get it configured. Though, judging from what the original article says, 7.10 seems to be even more of a nightmare.
Some settings of course have to be changed to match your own server. Also, one small difference on my side is that I commented out the ssl start_tls line in /etc/ldap.conf. I don't really understand what it means; probably my server does not have SSL support enabled (in fact it really doesn't ^ ^).
Ubuntu 8.04 Hardy LDAP Client
Ubuntu 7.10 was a nightmare when it came to setting up ldap, but 8.04 improves this process quite a bit.
We are going to set up a Hardy client on a desktop machine, which
involves using NFS (for /home) and allowing all desktop users to do
desktop tasks.
apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nfs-common nscd
Answer the questions; unlike Debian they should actually be put in the configuration file.
Make sure to transfer over your certificate if you use SSL. I like to use /etc/ldap/ssl
Edit /etc/ldap.conf (which both libnss and libpam use).
host 192.168.1.1
base dc=example,dc=com
#This is important! Don’t use ldap:///192.168.1.1
uri ldap://example.com/
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com
port 389
bind_policy soft
pam_password crypt
ssl start_tls
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/cert.pem
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,polkituser,proxy,pulse,root,sync,sys,syslog,uucp,www-data
Now edit /etc/ldap/ldap.conf
BASE dc=example,dc=com
URI ldap://example.com
TLS_CACERT /etc/ldap/ssl/cert.pem
TLS_REQCERT never
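Both files above switch certificate checking off (tls_checkpeer no in /etc/ldap.conf and TLS_REQCERT never in /etc/ldap/ldap.conf), so a StartTLS session is encrypted but the client never verifies that it is talking to the intended server; the CA file the article installs under /etc/ldap/ssl is then unused. The shell lint below is an added example, not part of the original article: it scans a pam_ldap/nss_ldap-style /etc/ldap.conf for that setting and for the absence of TLS altogether, which is the state the Chinese preface describes after commenting out ssl start_tls. The function names ldap_conf_findings and ldap_conf_finding_count and the three sample configurations are my own constructions that mirror the article's values.

```shell
#!/bin/sh
# Added example, not from the original article: lint a pam_ldap/nss_ldap
# style /etc/ldap.conf for settings that leave the LDAP session
# unauthenticated or unencrypted.

# Constructed sample mirroring the article's /etc/ldap.conf.
SAMPLE_LDAP_CONF='host 192.168.1.1
base dc=example,dc=com
uri ldap://example.com/
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com
port 389
bind_policy soft
pam_password crypt
ssl start_tls
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/cert.pem'

# Constructed variant with "ssl start_tls" commented out, as in the
# preface: bind credentials then cross the wire in clear text.
SAMPLE_NO_TLS_CONF='host 192.168.1.1
base dc=example,dc=com
uri ldap://example.com/
#ssl start_tls
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/cert.pem'

# Constructed hardened version: TLS on and the server certificate checked
# against the CA file the article already installs.
SAMPLE_HARDENED_CONF='uri ldap://example.com/
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ldap/ssl/cert.pem'

# ldap_conf_findings CONF_TEXT
# Prints one finding per line; prints nothing when no weak setting is found.
ldap_conf_findings() {
    printf '%s\n' "$1" | awk '
        # skip comments and blank lines; directive names are case-insensitive
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { key = tolower($1); val = tolower($2) }
        key == "tls_checkpeer" && val == "no" {
            print "tls_checkpeer no: server certificate is not verified (use yes)" }
        key == "ssl" { ssl = val }
        key == "uri" { uri = val }
        END {
            if (ssl != "start_tls" && ssl != "on" && uri !~ /^ldaps:/)
                print "no TLS: neither ssl start_tls nor an ldaps:// uri is configured"
        }'
}

# ldap_conf_finding_count CONF_TEXT
# Echoes the number of findings so a deployment script can fail on non-zero.
ldap_conf_finding_count() {
    ldap_conf_findings "$1" | wc -l | tr -d ' '
}

# Usage: report on the article's configuration as written.
ldap_conf_findings "$SAMPLE_LDAP_CONF"
```

Run against the article's configuration the lint reports the unverified certificate; against the preface's variant it additionally reports the missing TLS; the hardened sample produces no findings. To apply it to a real client, pass "$(cat /etc/ldap.conf)" as the argument.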
/etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so
/etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
/etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
/etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so
/etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
Now we want to make sure users are assigned to the correct groups
when they log in, so add the following to /etc/security/groups.conf
gdm;*;*;Al0000-9000;floppy,audio,cdrom,video,plugdev,scanner
Hal does not recognize this, however, so delete the following entries from /etc/dbus-1/system.d/hal.conf
We need to edit /etc/pam.d/gdm for the groups.conf file to take effect, so add the following
auth optional pam_group.so
As root, run
nss_updatedb ldap
To mount /home over NFS, add the following to /etc/fstab
192.168.1.1:/home /home nfs defaults 0 0