{"id":306,"date":"2015-02-28T10:55:29","date_gmt":"2015-02-28T02:55:29","guid":{"rendered":"http:\/\/192.168.0.1\/blog_4.4.2\/?p=306"},"modified":"2015-02-28T10:55:29","modified_gmt":"2015-02-28T02:55:29","slug":"freebsd-w-ldap-server-uo","status":"publish","type":"post","link":"https:\/\/blog.worren.net\/?p=306","title":{"rendered":"FreeBSD \u4e0a Ldap server \u7b46\u8a18"},"content":{"rendered":"

\u60f3\u8981\u8b93 FreeBSD \u4e0a\u5e33\u865f\u6574\u5408 , ladp \u770b\u8d77\u4f86\u662f\u4e0d\u932f\u7684\u505a\u6cd5 . \u5df2\u4e0b\u63d0\u5230\u53ef\u4ee5\u5c07 freebsd \/etc\/master.passwd \u8f49\u6210 ladp \u683c\u5f0f … \u9019\u6a23\u5b50\u5c31\u53ef\u4ee5\u7121\u75db\u8f49\u79fb ! … \u7b46\u8a18\u4e00\u4e0b.<\/div>\n

\u8f49\u8f09\u81ea
\nhttp:\/\/mail.lsps.tp.edu.tw\/~gsyan\/freebsd2001\/pam_ldap.html
\n \n

2006\/07\/28 \u4fee\u6539 \n

\u4e00\u822c\u4f86\u8aaa\uff0cFreeBSD \u7684\u4e3b\u6a5f\u9810\u8a2d\u662f\u4ee5\u672c\u6a5f \/etc \u76ee\u9304\u4e2d\u7684\u5bc6\u78bc\u6a94 (passwd, pwd.db, master.passwd, spwd.db) \u548c \/etc\/group \u4f86\u8b58\u5225\u4f7f\u7528\u8005\u8eab\u4efd\u53ca\u4f9b\u4f5c\u8a8d\u8b49\u8cc7\u6599\uff0c \u81ea FreeBSD 5.x \u958b\u59cb\u5f15\u5165\u4e86 NetBSD \u4e2d\u7684 NSS (Name Service Switch) \u6a5f\u7f6e\uff0c\u8b93\u7cfb\u7d71\u7684\u8a8d\u8b49\u65b9\u5f0f\u66f4\u591a\u5143\u3002\n

\u4e0b\u9762\u662f\u5229\u7528 LDAP \u96c6\u4e2d\u8a8d\u8b49\u8cc7\u6599\u65bc LDAP Server \u4e0a\uff0c\u5176\u5b83\u4e3b\u6a5f\u518d\u5229\u7528 pam_ldap \u53ca nss_ldap \u4f86\u5411 LDAP Server \u8981\u8cc7\u6599\u4e26\u9a57\u8b49\u4f7f\u7528\u8005\u7684\u5e33\u865f\u548c\u5bc6\u78bc\uff0c\u4ee5\u53d6\u5f97\u767b\u5165\u7cfb\u7d71\u7684\u6b0a\u529b\u3002
\n1 LDAP Server \u7aef\n

\u9996\u5148\u6211\u5011\u5148\u67b6\u8a2d\u4e00\u53f0 LDAP Server \u4f86\u5132\u5b58\u4f7f\u7528\u8005\u7684\u5e33\u865f\u8cc7\u6599\uff0c\u4f9b\u5176\u5b83\u7684 servers \u4f86\u67e5\u8a62\uff0c\u4e0b\u9762\u4ee5 OpenLDAP 2.2 \u4f86\u8aaa\u660e\u5b89\u88dd\u7684\u6d41\u7a0b\u3002
\n1-1 \u5b89\u88dd OpenLDAP 2.2\n

\u6700\u61f6\u7684\u3001\u6700\u5feb\u7684\u65b9\u6cd5\u7576\u7136\u662f\u900f\u904e\u7db2\u8def\u7528 packages \u4f86\u5b89\u88dd\u56c9\uff01\u57f7\u884c\u4ee5\u4e0b\u7684\u6307\u4ee4\uff1a\n

# pkg_add -vr openldap22-server\n

\u4e0d\u7136\u5c31\u662f\u7528 ports \u4f86\u81ea\u5df1\u7de8\u8b6f\uff0c\u78ba\u5b9a\u5df2\u7d93\u66f4\u65b0\u597d ports tree \u5f8c\u57f7\u884c\u5e95\u4e0b\u6307\u4ee4\uff1a\n

# cd \/usr\/ports\/net\/openldap22-server
\n # make
\n # make install
\n # make clean\n

\u4e0d\u8ad6\u4ee5\u524d\u8ff0\u7684\u54ea\u4e00\u7a2e\u65b9\u6cd5\u5b89\u88dd\uff0c\u5982\u679c\u6b63\u5e38\u7684\u8a71\uff0c\u61c9\u8a72\u90fd\u6703\u5b89\u88dd\u4e86 OpenLDAP 2.2 \u7248\u7684 server \u548c client \u7aef\u7684\u7a0b\u5f0f\u3002\n

1-2 \u8a2d\u5b9a OpenLDAP Server\n

\u5b89\u88dd\u5b8c OpenLDAP \u4ee5\u5f8c\uff0c\u7cfb\u7d71\u4e2d\u61c9\u8a72\u6703\u591a\u4e00\u500b\u53eb \/usr\/local\/etc\/openldap \u7684\u76ee\u9304\uff0c\u88e1\u9762\u6709\u5169\u500b\u6211\u5011\u9700\u8981\u4fee\u6539\u7684\u8a2d\u5b9a\u6a94\uff1a\n

slapd.conf\uff1a\u670d\u52d9\u7a0b\u5f0f slapd \u7684\u8a2d\u5b9a\u6a94\uff0c\u4e5f\u662f\u672c\u5c0f\u7bc0\u7684\u8a2d\u5b9a\u91cd\u9ede\u3002
\n ldap.conf\uff1a\u9019\u662f\u7528\u6236\u7aef\u7a0b\u5f0f\u6703\u53bb\u8b80\u53d6\u7684\u8a2d\u5b9a\u6a94\u3002\n

1-2-1 \u4fee\u6539 \/usr\/local\/etc\/openldap\/slapd.conf\n

\u5229\u7528 FreeBSD \u7684 packages\/ports \u5b89\u88dd\u5b8c OpenLDAP \u6703\u9644\u4e0a\u4e00\u500b\u53eb slapd.conf.default \u7684\u6a94\u6848\u4f9b\u6211\u5011\u53c3\u8003\uff0c\u5982\u679c sldapd.conf \u4e0d\u5b58\u5728\uff0c\u53ef\u4ee5\u5148\u5c07 slapd.conf.default \u8907\u88fd\u6210 slapd.conf \u5f8c\uff0c\u518d\u57f7\u884c\u4ee5\u4e0b\u7684\u6307\u4ee4\u4f86\u4fee\u6539 slapd \u7684\u8a2d\u5b9a\u6a94\uff1a\n

# ee \/usr\/local\/etc\/openldap\/slapd.conf\n

\u6211\u5011\u81f3\u5c11\u5728\u88e1\u9762\u7f6e\u5165\u4ee5\u4e0b\u7684\u5167\u5bb9\uff1a\n

include \/usr\/local\/etc\/openldap\/schema\/core.schema
\n include \/usr\/local\/etc\/openldap\/schema\/cosine.schema
\n include \/usr\/local\/etc\/openldap\/schema\/nis.schema\n

pidfile \/var\/run\/openldap\/slapd.pid
\n argsfile \/var\/run\/openldap\/slapd.args\n

database bdb\n

suffix \\”dc=happy,dc=edu,dc=tw\\”
\n rootdn \\”cn=root,dc=happy,dc=edu,dc=tw\\”
\n rootpw {SSHA}\/fnDhdeT\/UN03QG4uq2d4HYXpFTBewd4\n

directory \/var\/db\/openldap-data\n

index objectClass eq
\n index uid pres,eq,sub\n

\u5176\u4e2d\u7684 suffix , rootdn , rootpw \u8acb\u81ea\u884c\u66f4\u63db\u5167\u5bb9\uff0c\u9019\u4e09\u500b\u9078\u9805\u7684\u610f\u7fa9\u5982\u4e0b\uff1a\n

suffix\uff1a\u5047\u8a2d\u6211\u7684 domain name \u662f happy.edu.tw \uff0c\u5c31\u653e \\”dc=happy,dc=edu,dc=tw\\”
\n rootdn\uff1a\u5047\u8a2d OpenLDAP Server \u7684\u7ba1\u7406\u5e33\u865f\u53eb root (\u7576\u7136\u8981\u53eb Manager \u4e5f\u53ef\u4ee5\u5566!) \uff0c\u52a0\u4e0a\u524d\u9762\u7684 suffix \u5c31\u586b\u5165 \\”cn=root,dc=happy,dc=edu,dc=tw\\”
\n rootpw\uff1a\u662f\u524d\u8ff0 rootdn \u7ba1\u7406\u5e33\u865f\u7684\u5bc6\u78bc\uff0c\u5176\u5167\u5bb9\u53ef\u4ee5\u7528\u660e\u78bc\uff0c\u4e5f\u53ef\u4ee5\u7528 slappasswd \u4f86\u7522\u751f\u7de8\u904e\u78bc\u7684\u5167\u5bb9\u518d\u8cbc\u4e0a\uff0c\u4e0b\u9762\u662f\u5229\u7528 slappasswd \u4f86\u5c07 123 \u7de8\u78bc\u7684\u904e\u7a0b\n

# slappasswd
\n New password: 123
\n Re-enter new password: 123
\n {SSHA}\/fnDhdeT\/UN03QG4uq2d4HYXpFTBewd4\n

\u6ce8\u610f\uff1a\u524d\u8ff0\u7684\u8a2d\u5b9a\u5167\u5bb9\u5c11\u4e86 ACL \u4f86\u63a7\u7ba1\u8cc7\u6599\u7684\u5b58\u53d6\u6b0a\u9650\uff0c\u4e5f\u5c31\u662f\u4efb\u4f55\u4eba\u90fd\u53ef\u80fd\u900f\u904e LDAP \u7684\u67e5\u8a62\u53d6\u5f97\u5bc6\u78bc\uff0c\u76f8\u7576\u7684\u5371\u96aa\uff0c\u6240\u4ee5\uff0c\u6e2c\u8a66\u5b8c\u5f8c\u5225\u5fd8\u4e86\u8981\u52a0\u4e0a ACL \u7684\u8a2d\u5b9a\u4f5c\u7ba1\u5236\u3002\n

1-2-2 \u5efa\u7acb\u57fa\u672c\u7684\u8cc7\u6599\n

\u5047\u8a2d\u4ee5 happ.edu.tw \u70ba\u4f8b\uff0c\u6211\u5011\u5148\u5efa\u7acb\u5b58\u653e user \u5e33\u865f\u8cc7\u6599 (\u985e\u4f3c\u539f\u4f86\u7684 \/etc\/master.passwd\u7684\u8cc7\u6599) \u548c group \u8cc7\u6599 (\u76f8\u7576\u65bc\u539f\u4f86\u7684 \/etc\/group) \u7684 container \u3002\n

\u7de8\u8f2f\u4e00\u500b\u53eb \/root\/container.ldif \u7684\u6587\u5b57\u6a94\uff0c\u88e1\u9762\u653e\u5165\u5e95\u4e0b\u7684\u5167\u5bb9\uff1a\n

dn: dc=happy,dc=edu,dc=tw
\n dc: happy
\n objectClass: top
\n objectClass: domain
\n objectClass: domainRelatedObject
\n associatedDomain: happy.edu.tw
\n structuralObjectClass: domain\n

dn:ou=Group, dc=happy,dc=edu,dc=tw
\n objectclass: top
\n objectclass: organizationalUnit
\n ou: Group
\n structuralObjectClass: organizationalUnit\n

dn:ou=People, dc=happy,dc=edu,dc=tw
\n objectclass: top
\n objectclass: organizationalUnit
\n ou: People
\n structuralObjectClass: organizationalUnit\n

\u85cd\u8272\u7684\u90e8\u4efd\u8acb\u81ea\u884c\u7f6e\u63db\u6210\u81ea\u5df1\u7684\u8cc7\u6599\uff0c\u5b58\u597d\u6a94\u5f8c\u6211\u5011\u5c31\u53ef\u4ee5\u6e96\u5099\u532f\u5165 LDAP Server \u4e2d\uff0c\u57f7\u884c\u4ee5\u4e0b\u6307\u4ee4\uff1a\n

# slapadd -l \/root\/container.ldif\n

1-2-3 \u8f49\u79fb\u7cfb\u7d71\u5e33\u865f\u5230 LDAP Server\n

\u5982\u679c\u60f3\u628a\u73fe\u6709\u7684 \/etc\/master.passwd \u548c \/etc\/group \u532f\u5165 LDAP Server \u4e2d\uff0c\u6211\u5011\u53ef\u4ee5\u5229\u7528\u4e0b\u9762\u7531 padl.com \u6240\u91cb\u653e\u51fa\u4f86\u7684\u5de5\u5177\u8f49\u63db\u5f8c\u518d\u532f\u5165 LDAP Server \u4e2d\uff1a\n

\u5148\u7531 http:\/\/www.padl.com\/OSS\/MigrationTools.html \u7db2\u9801\u4e2d\u4e0b\u8f09 MigrationTools.tgz \uff0c\u5c07\u8a72\u6a94\u6848\u89e3\u958b\u5f8c\u5148\u4fee\u6539\u88e1\u9762\u7684 migrate_common.ph \uff0c\u914d\u5408\u524d\u4e00\u7bc0\u4e2d container.ldif \u4e2d\u7684\u8a2d\u5b9a\u4fee\u6539\u4e0b\u9762\u5169\u884c\uff1a\n

$DEFAULT_MAIL_DOMAIN = \\”happy.edu.tw\\”;\n

$DEFAULT_BASE = \\”dc=happy,dc=edu,dc=tw\\”;\n

\u85cd\u8272\u90e8\u4efd\u8acb\u81ea\u884c\u7f6e\u63db\u3002\n

\u7531\u65bc\u8f49\u63db\u5bc6\u78bc\u6a94\u7684\u7a0b\u5f0f migrate_passwd.pl \u4e26\u975e\u91dd\u5c0d FreeBSD \u5beb\u7684\uff0c\u6240\u4ee5\u6211\u5011\u4e5f\u8981\u7a0d\u4f5c\u4fee\u6539\uff0c\u5c07\u4e0b\u9762\u9019\u884c\uff1a\n

local($user, $pwd, $uid, $gid, $gecos, $homedir, $shell) = split(\/:\/);\n

\u6539\u70ba\u4e0b\u9762\u7684\u5167\u5bb9 (\u5beb\u6210\u4e00\u884c\u54e6\uff01)\uff1a\n

local($user, $pwd, $uid, $gid, $class, $change, $expired, $gecos, $homedir, $shell) = split(\/:\/);\n

\u4e3b\u8981\u662f \/etc\/maser.passwd \u7684\u6b04\u4f4d\u6bd4\u4e00\u822c\u7684 passwd \u6a94\u7684\uff0c\u591a\u4e86\u4e09\u500b\u6b04\u4f4d\u7684\u95dc\u4fc2\u3002\n

\u63a5\u8457\u6211\u5011\u5c31\u53ef\u4ee5\u9032\u884c\u8f49\u63db\u4e86\uff0c\u5728 MigrationTools \u7684\u76ee\u9304\u4e2d\u57f7\u884c\uff1a\n

# .\/migrate_passwd.pl \/etc\/master.passwd \/root\/user.ldif
\n # .\/migrate_group.pl \/etc\/group \/root\/group.ldif\n

\u4e0b\u9762\u662f \/etc\/master.passwd \u8f49\u5b8c\u7684\u5176\u4e2d\u4e00\u7b46\u8cc7\u6599\uff1a\n

dn: uid=gsyan,ou=People,dc=happy,dc=edu,dc=tw
\n uid: gsyan
\n cn: G.S. Yan
\n objectClass: account
\n objectClass: posixAccount
\n objectClass: top
\n userPassword: {crypt}$1$abc7defg$hij8kLMnopqrSTUV445wxy
\n loginShell: \/bin\/csh
\n uidNumber: 1001
\n gidNumber: 1001
\n homeDirectory: \/home\/gsyan
\n gecos: G.S. Yan\n

\u6ce8\u610f\uff1a\u4e0a\u9762\u8f49\u51fa\u7684 objectClass \u70ba account , posixAccount , top \uff0c\u9019\u6a23\u7684\u8cc7\u6599\u53ef\u5728 FreeBSD, Linux \u4e0a\u901a\u7528\uff0c\u5982\u679c objectClass \u6709 shadowAccount \uff0cFreeBSD \u7684 client \u7aef\u7684 nss_ldap ports \u8981\u7d93\u904e\u4fee\u6539\u5f8c\u624d\u53ef\u4ee5\u6293\u5230\u6b63\u78ba\u7684\u5bc6\u78bc\u6b04\u4f4d\u3002\n

\u4e0b\u9762\u662f \/etc\/group \u8f49\u5b8c\u7684\u5176\u4e2d\u4e00\u7b46\u8cc7\u6599\uff1a\n

dn: cn=wheel,ou=Groups,dc=happy,dc=edu,dc=tw
\n objectClass: posixGroup
\n objectClass: top
\n cn: wheel
\n userPassword: {crypt}*
\n gidNumber: 0
\n memberUid: gsyan
\n memberUid: root\n

\u6700\u5f8c\uff0c\u518d\u5c07 \/root\/user.ldif \u548c \/root\/group.ldif \u532f\u5165 LDAP Server\uff0c\u57f7\u884c\uff1a\n

# slapadd -l \/root\/user.ldif
\n # slapadd -l \/root\/group.ldif\n

1-2-4 \u555f\u52d5 OpenLDAP Server\n

\u548c\u5176\u5b83\u670d\u52d9\u4e00\u6a23\uff0c\u6211\u5011\u8981\u555f\u52d5 OpenLDAP Server \u8981\u5148\u5728 \/etc\/rc.conf \u4e2d\u52a0\u5165\u4e0b\u9762\u9019\u884c\uff1a\n

slapd_enable=\\”YES\\”\n

\u7136\u5f8c\u5c31\u53ef\u4ee5\u57f7\u884c\u4e0b\u9762\u7684\u6307\u4ee4\u4f86\u555f\u52d5 LDAP \u670d\u52d9\uff1a\n

\/usr\/local\/etc\/rc.d\/slapd.sh start\n

\u8981\u66ab\u6642\u505c\u6b62\u670d\u52d9\u7576\u7136\u5c31\u662f\u57f7\u884c\uff1a\n

\/usr\/local\/etc\/rc.d\/slapd.sh stop\n

1-2-5 \u67e5\u8a62 LDAP Server \u4e2d\u7684\u8cc7\u6599\n

\u5728 OpenLDAP \u7684 client \u7a0b\u5f0f\u4e2d\u6709\u500b\u53eb ldapsearch \u7684\u5de5\u5177\u53ef\u4ee5\u8b93\u6211\u5011\u67e5\u8a62 LDAP Server \u4e2d\u7684\u8cc7\u6599\uff0c\u4f7f\u7528\u4e4b\u524d\u6211\u5011\u5148\u4fee\u6539 \/usr\/local\/etc\/openldap\/ldap.conf \uff0c\u5047\u8a2d\u6211\u7684 LDAP Server \u4e3b\u6a5f\u53eb test.happy.edu.tw \uff0c\u5c31\u5728 ldap.conf \u88e1\u9762\u52a0\u5165\u5e95\u4e0b\u7684\u5167\u5bb9\uff1a\n

BASE dc=happy,dc=edu,dc=tw
\n URI ldap:\/\/test.happy.edu.tw\/\n

\u85cd\u8272\u7684\u90e8\u4efd\u8acb\u81ea\u884c\u7f6e\u63db\u3002\n

\u5b58\u597d\u6a94\u5f8c\u6211\u5011\u5c31\u53ef\u4ee5\u4f86\u6e2c\u8a66\u4e00\u4e0b\u56c9\uff1a\n

# ldapsearch -x\n

\u5982\u679c\u4e0d\u60f3\u6539\u4fee\u6539 \/usr\/local\/etc\/openldap\/ldap.conf \uff0c\u6216\u662f\u60f3\u67e5\u5176\u5b83\u7684 LDAP Server \uff0c\u6211\u5011\u4e5f\u53ef\u4ee5\u57f7\u884c\u4e0b\u9762\u7684\u6307\u4ee4\uff1a\n

# ldapsearch -x -h test.happy.edu.tw -b \\’dc=happy,dc=edu,dc=tw\\’\n

ldapsearch \u8a73\u7d30\u7684\u7528\u6cd5\u8acb\u81ea\u884c man ldapsearch \u3002\n

\u57f7\u884c\u5b8c\u61c9\u8a72\u6703\u770b\u5230\u4e4b\u524d\u532f\u5165\u7684\u8cc7\u6599\u986f\u793a\u5728\u87a2\u5e55\u4e0a\u3002\u78ba\u5b9a\u53ef\u4ee5\u9032\u884c\u67e5\u8a62\u5f8c\uff0c\u6211\u5011\u5c31\u53ef\u4ee5\u6e2c\u8a66\u7531\u5225\u53f0\u4e3b\u6a5f\u4f86\u67e5\u8a62\u8cc7\u6599\u4e26\u9032\u884c\u8a8d\u8b49\u7684\u90e8\u4efd\u3002\n

2 LDAP Client \u7aef\n

\u5728 LDAP Client \u7aef\u7684\u4e3b\u6a5f\u4e0a\u6211\u5011\u81f3\u5c11\u8981\u5b89\u88dd pam_ldap \u548c nss_ldap \u3002
\n2-1 \u5b89\u88dd pam_ldap \u548c nss_ldap\n

\u5982\u679c\u4f7f\u7528\u820a\u7248\u7684 nss_ldap \uff0c\u7531 LDAP Server \u67e5\u8a62\u5230\u7684\u4f7f\u7528\u8005\u8cc7\u6599\u5982\u679c\u6709 shadowAccount \u7684 objectClass \uff0c\u5c0d\u65bc\u5bc6\u78bc\u6703\u6709\u932f\u8aa4\u7684\u8655\u7406\uff0c\u6703\u56e0\u6b64\u800c\u5c0e\u81f4\u767b\u5165\u5931\u6557\uff0c\u6240\u4ee5\u5efa\u8b70 nss_ldap \u6700\u597d\u5148\u66f4\u65b0 ports tree \u5f8c\uff0c\u5229\u7528 ports \u4f86\u5b89\u88dd\u6700\u65b0\u7248\u7684\u7a0b\u5f0f\uff0c\u4ee5\u514d\u7522\u751f\u56f0\u64fe\u3002\n

\u5b89\u88dd net\/nss_ldap\uff1a\n

# cd \/usr\/ports\/net\/nss_ldap
\n # make
\n # make install
\n # make clean\n

\u5b89\u88dd security\/pam_ldap\uff1a\n

# cd \/usr\/ports\/security\/pam_ldap
\n # make
\n # make install
\n # make clean\n

2-2 \u8a2d\u5b9a pam_ldap \u548c nss_ldap\n

pam_ldap \u548c nss_ldap \u7684\u8a2d\u5b9a\u6a94\u5167\u5bb9\u5176\u5be6\u662f\u4e00\u6a23\u7684\uff0c\u6a94\u6848\u5206\u5225\u53eb \/usr\/local\/etc\/ldap.conf \u548c \/usr\/local\/etc\/nss_ldap.conf\uff0c\u6240\u4ee5\u6211\u5011\u53ef\u4ee5\u5148\u4fee\u6539 \/usr\/local\/etc\/ldap.conf (\u53ef\u5225\u548c \/usr\/local\/etc\/oepnldap\/ldap.conf \u641e\u6df7\u4e86\uff01) \u7136\u5f8c\u518d\u7528 soft link \u8655\u7406 nss_ldap.conf \u3002\n

\u57f7\u884c\u4ee5\u4e0b\u6307\u4ee4\u4fee\u6539 \/usr\/local\/etc\/ldap.conf\uff1a\n

# ee \/usr\/local\/etc\/ldap.conf\n

\u7136\u5f8c\u4f9d LDAP Server \u7684\u8a2d\u5b9a\u4f86\u4fee\u6539\u4ee5\u4e0b\u7684\u5167\u5bb9\uff1a\n

uri ldap:\/\/192.168.1.10\/\n

binddn cn=root,dc=happy,dc=edu,dc=tw\n

bindpw 123\n

nss_base_passwd ou=People,dc=happy,dc=edu,dc=tw?one
\n nss_base_shadow ou=People,dc=happy,dc=edu,dc=tw?one
\n nss_base_group ou=Groups,dc=happy,dc=edu,dc=tw?one\n

\u8aaa\u660e\uff1a\n

\u5047\u8a2d\u6211\u5011\u524d\u9762\u69cb\u5efa\u597d\u7684 OpenLDAP Server IP \u70ba 192.168.1.10\uff0c\u6240\u4ee5 LDAP \u67e5\u8a62\u7684 URI \u662f ldap:\/\/192.168.1.10\/
\n binddn \u548c bindpw \u662f\u4f9d\u64da\u524d\u9762 OpenLDAP Server \u7684 slapd.conf \u8a2d\u5b9a\u5167\u5bb9\u800c\u4f86\u7684\uff0c\u4f46\u662f bindpw \u5fc5\u9808\u7528\u660e\u78bc\u3002
\n nss_base_passwd \uff0c nss_base_shadow \u548c nss_base_group \u5247\u662f\u4f9d\u64da\u6211\u5011\u524d\u9762\u5229\u7528 \/root\/container.ldif \u532f\u5165 LDAP Server \u7684\u5167\u5bb9\uff0c\u4e5f\u5c31\u662f\u544a\u8a34\u4e3b\u6a5f\uff1a\u4ee5\u5f8c\u8981\u67e5\u4f7f\u7528\u8005\u7684\u5e33\u865f\u5bc6\u78bc\u53ca\u6240\u5c6c\u7fa4\u7d44\u8cc7\u6599\u67e5\u8a62\u7684\u95dc\u9375\u5b57(\u6b04\u4f4d)\u662f\u4ec0\u9ebc\u3002\n

\u6700\u5f8c\uff0c\u5efa\u7acb\u4e00\u500b soft link \u4f86\u7522\u751f \/usr\/local\/etc\/nss_ldap.conf\uff0c\u57f7\u884c\u4ee5\u4e0b\u6307\u4ee4\uff1a\n

# cd \/usr\/local\/etc
\n # ln -s ldap.conf nss_ldap.conf\n

2-3 \u4fee\u6539 \/etc\/nsswitch.conf\n

\u91cd\u982d\u6232\u4f86\u4e86\uff0c\u6211\u5011\u8981\u4fee\u6539 \/etc\/nsswitch.conf \uff0c\u544a\u8a34\u7cfb\u7d71\u4f7f\u7528 LDAP \u4f86\u67e5\u4f7f\u7528\u8005\u7684\u8cc7\u6599\uff0c\u9019\u500b\u6a94\u6848\u6709\u5169\u7a2e\u6539\u6cd5\uff0c\u7b2c\u4e00\u7a2e\u65b9\u5f0f\u8981\u4fee\u6539\u4e09\u500b\u6a94\u6848\uff0c\u800c\u7b2c\u4e8c\u7a2e\u65b9\u6cd5\u53ea\u8981\u6539\u4e00\u500b\u6a94\u6848\uff0c\u81ea\u5df1\u9078\u64c7\u56c9\u3002
\n2-3-1 \u4fee\u6539 \/etc\/nsswitch.conf \u7b2c\u4e00\u7a2e\u65b9\u6cd5\n

\u5047\u8a2d FreeBSD 5.x , 6.x \/etcnsswitch.conf \u7684\u539f\u59cb\u5167\u5bb9\u70ba\uff1a\n

group: compat
\n group_compat: nis
\n hosts: files dns
\n networks: files
\n passwd: compat
\n passwd_compat: nis
\n shells: files\n

\u4fee\u6539 group_compat \u548c password_compat \u7684\u90a3\u5169\u884c\u70ba\u5e95\u4e0b\u7684\u5167\u5bb9\u5f8c\u5b58\u6a94\uff1a\n

group_compat: ldap nis\n

passwd_compat ldap nis\n

\u518d\u4f86\u5982\u540c\u67b6\u8a2d NIS \u4e00\u6a23\uff0c\u8981\u4fee\u6539\u5bc6\u78bc\u6a94\u548c \/etc\/group\u3002\n

1.\u57f7\u884c vipw \u4fee\u6539\u5bc6\u78bc\u6a94\uff0c\u5728\u6700\u5f8c\u9762\u52a0\u4e0a\u5e95\u4e0b\u9019\u884c\uff1a\n

+:*::::::::\n

2.\u4fee\u6539 \/etc\/group \uff0c\u5728\u6700\u5f8c\u9762\u52a0\u4e0a\u5e95\u4e0b\u9019\u884c\uff1a\n

+:*::\n

\u4e0a\u9762\u5169\u500b\u7684\u5192\u865f\u6578\u53ef\u5225\u7b97\u932f\u4e86\uff0c\u8981\u662f\u89ba\u5f97\u9ebb\u7169\uff0c\u53ef\u4ee5\u63a1\u7528\u5e95\u4e0b\u7684\u7b2c\u4e8c\u7a2e\u65b9\u6cd5\uff0c\u53ea\u8981\u4fee\u6539 \/etc\/nsswitch.conf \u5373\u53ef\u3002\n

2-3-2 \u4fee\u6539 \/etc\/nsswitch.conf \u7b2c\u4e8c\u7a2e\u65b9\u6cd5\n

\u7b2c\u4e8c\u7a2e\u65b9\u6cd5\u53ea\u8981\u4fee\u6539 \/etc\/nsswitch.conf \u5373\u53ef\uff0c\u5047\u8a2d\u539f\u4f86\u7684\u5167\u5bb9\u70ba\uff1a\n

group: compat
\n group_compat: nis
\n hosts: files dns
\n networks: files
\n passwd: compat
\n passwd_compat: nis
\n shells: files\n

\u6211\u5011\u5c07\u5b83\u6539\u70ba\u5e95\u4e0b\u7684\u5167\u5bb9\uff1a\n

#group: compat
\n #group_compat: nis
\n hosts: files dns
\n networks: files
\n #passwd: compat
\n #passwd_compat: nis
\n shells: files
\n group: files ldap
\n passwd: files ldap\n

\u5c07\u539f\u4f86\u7d05\u8272\u7684\u90a3\u56db\u884c\u52a0\u4e0a\u4e95\u5b57\u865f\u8a3b\u89e3\u6389\uff0c\u65b0\u589e\u85cd\u8272\u7684\u90a3\u4e8c\u884c\u3002\u4e0a\u9762\u8a2d\u5b9a\u7684\u610f\u601d\u662f\uff0c\u5148\u67e5\u672c\u6a5f\u7684\u8cc7\u6599\uff0c\u5982\u679c\u6c92\u6709\u8a72\u4f7f\u7528\u8005\uff0c\u518d\u5411 LDAP Server \u67e5\u8a62\n

2-3-3 \u6e2c\u8a66\n

\u8a2d\u5b9a\u597d \/etc\/nsswitch.conf \uff0c\u6211\u5011\u53ef\u4ee5\u57f7\u884c id \u9019\u500b\u6307\u4ee4\u4f86\u6e2c\u8a66\uff1a\n

# id ming
\n uid=10010(ming) gid=10010(ming) groups=10010(ming)\n

\u4e0a\u9762\u7684\u4f8b\u5b50 ming \u9019\u500b\u5e33\u865f\u662f\u7531 LDAP Server \u63d0\u4f9b\u7684\uff0c\u518d\u4f86\u4e5f\u53ef\u4ee5\u7528 finger \u5e33\u865f \u4f86\u67e5\u8a62 LDAP Server \u4e0a\u5efa\u7acb\u7684\u5e33\u865f\u3002\u6700\u5f8c\u53ef\u4ee5\u6e2c\u8a66 telnet , ssh , ftp …… \u7b49\u670d\u52d9\u3002\n

\u5982\u679c\u7528\u524d\u9762\u7684\u65b9\u6cd5\u4e00\u4fee\u6539 nsswitch.conf \uff0c\u57f7\u884c\u5b8c id \u7684\u7d50\u679c\u53ea\u51fa\u73fe\uff1a\n

# id ming
\n uid=10010(ming) gid=10010 groups=10010\n

\u53ef\u80fd\u662f\u5fd8\u8a18\u5728 \/etc\/group \u5f8c\u9762\u52a0\u4e0a +:*:: \u4e86\uff0c\u5982\u679c\u51fa\u73fe \\”no such user\\” \uff0c\u5247\u53ef\u80fd\u662f\u5bc6\u78bc\u6a94\u7684\u5f8c\u9762\u6c92\u52a0 +:*:::::::: \u3002\n

\u8a3b\uff1a\u672c\u4f86\u61c9\u8a72\u662f\u8981\u6539 \/etc\/pam.d \u4e2d\u7684\u6a94\u6848\u624d\u53ef\u4ee5\u6e2c\u8a66 telnet , ssh , ftp …… \u7684\uff0c\u53ef\u662f\u6211\u5728 FreeBSD 5.4R \u548c FreeBSD 6.1 R \u4e0a\u90fd\u662f\u6539\u5b8c \/etc\/nsswitch.conf \u5c31\u53ef\u4ee5\u767b\u5165\u56c9\uff01\n

3 \u5176\u5b83
\n3-1 \u5e6b\u4f7f\u7528\u8005\u81ea\u52d5\u7522\u751f HOMEDIR\n

\u5982\u679c\u5e0c\u671b\u4f7f\u7528\u8005\u5728\u767b\u5165\u5f8c\u53ef\u4ee5\u81ea\u52d5\u5efa\u7acb\u4ed6\u7684 HOME \u76ee\u9304\uff0c\u53ef\u4ee5\u5b89\u88dd\u4e0b\u9762 pam_mkhomedir \u7684 ports \uff0c\u57f7\u884c\u4e0b\u9762\u7684\u6307\u4ee4\uff1a\n

# cd \/usr\/ports\/security\/pam_mkhomedir
\n # make
\n # make install
\n # make clean\n

\u7136\u5f8c\uff0c\u5728 \/etc\/pam.d\/login \u6216 \/etc\/pam.d\/sshd \u4e2d\u52a0\u5165\u5e95\u4e0b\u7684\u9019\u884c\uff1a\n

session required \/usr\/local\/lib\/pam_mkhomedir.so\n

\u9019\u6a23\uff0c\u4e0b\u6b21\u4f7f\u7528\u8005\u7528 telnet \u6216 ssh \u767b\u5165\u6642\u5373\u53ef\u81ea\u52d5\u5e6b\u4ed6\u5efa\u7acb\u597d HOME\u3002\n

3-2 Linux \u4e0a\u7684\u8a2d\u5b9a\n

\u5728 Linux \u4e3b\u6a5f\u4e0a\u6211\u5011\u5982\u679c\u88dd\u597d libpam-ldap \u548c libnss-ldap \uff0c\u8a2d\u5b9a\u597d\u5f8c\u5c31\u53ef\u4ee5\u548c FreeBSD \u5171\u7528\u4f7f\u7528\u8005\u8cc7\u6599\uff0c\u518d\u52a0\u4e0a pam_mkhomedir.so (\u4ee5 Debian \u70ba\u4f8b)\uff0c\u9023\u4f7f\u7528\u8005\u76ee\u9304\u90fd\u53ef\u4ee5\u81ea\u52d5\u5efa\u7acb\u597d\u3002\n

\u4ee5 Debian \u4f86\u8aaa\uff0clibpam-ldap \u548c libnss-ldap \u7684\u8a2d\u5b9a\u6a94\u8def\u5f91\u662f\uff1a\n

\/etc\/libnss-ldap.conf
\n \/etc\/pam_ldap.conf\n

\u8a2d\u5b9a\u7684\u5167\u5bb9\u548c FreeBSD \u4e00\u6a23\u3002\n

\u800c \/etc\/nsswitch.conf \u5247\u5c07\u4e0b\u9762\u7684\u4e09\u884c\u6539\u70ba\uff1a\n

passwd: compat ldap
\n group: compat ldap
\n shadow: compat ldap\n

\u57fa\u672c\u4e0a\uff0c\u6539\u5b8c\u4e0a\u9762\u7684\u6a94\u6848\uff0c\u61c9\u8a72\u5c31\u53ef\u4ee5\u57f7\u884c id , finger ….. \u6216\u9032\u884c\u672c\u6a5f\u767b\u5165\u3001telnet \u3001ftp …… \uff0c\u5982\u679c\u60f3\u7528 ssh \u767b\u5165\u5247\u9700\u8981\u518d\u4fee\u6539 \/etc\/pam.d\/ssh \u7684\u8a2d\u5b9a\uff0c\u4ee5 Debian \u70ba\u4f8b\uff0c\u5148\u627e\u5230 auth required pam_env.so \u9019\u884c\uff0c\u7136\u5f8c\u5728\u5b83\u7684\u4e0b\u9762\u52a0\u4e0a\u9019\u4e09\u884c\uff1a\n

auth sufficient pam_ldap.so
\n account sufficient pam_ldap.so
\n session sufficient pam_ldap.so\n

\u6539\u597d\u5b58\u6a94\u5f8c\u5373\u53ef\u7528 ssh \u4f86\u6e2c\u8a66\u4e86\u3002\n","protected":false},"excerpt":{"rendered":"

\u60f3\u8981\u8b93 FreeBSD \u4e0a\u5e33\u865f\u6574\u5408 , ladp \u770b\u8d77\u4f86\u662f\u4e0d\u932f\u7684\u505a\u6cd5 . \u5df2\u4e0b\u63d0\u5230\u53ef\u4ee5\u5c07 freebsd \/etc\/master.passwd \u8f49\u6210 ladp \u683c\u5f0f … \u9019\u6a23\u5b50\u5c31\u53ef\u4ee5\u7121\u75db\u8f49\u79fb ! … \u7b46\u8a18\u4e00\u4e0b. \u8f49\u8f09\u81ea http:\/\/mail.lsps.tp.edu.tw\/~gsyan\/freebsd2001\/pam_ldap.html <\/p> \n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,1],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.worren.net\/index.php?rest_route=\/wp\/v2\/posts\/306"}],"collection":[{"href":"https:\/\/blog.worren.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.worren.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.worren.net\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.worren.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=306"}],"version-history":[{"count":0,"href":"https:\/\/blog.worren.net\/index.php?rest_route=\/wp\/v2\/posts\/306\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.worren.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.worren.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=306"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.worren.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}