Debian 8 Jessie

Client Configuration
2015/05/10

Configure the client side so that it can share the user account information held on the LDAP server.
[1] Configure the LDAP client.
root@www:~# aptitude -y install libnss-ldap libpam-ldap ldap-utils
(1) Specify the URI of the LDAP server

  +-----------------------+ Configuring libnss-ldap +------------------------+
  | Please enter the Uniform Resource Identifier of the LDAP server. The     |
  | format is 'ldap://<hostname_or_IP>:<port>/'. Alternatively, 'ldaps://'   |
  | or 'ldapi://' can be used. The port number is optional.                  |
  |                                                                          |
  | Using an IP address is recommended to avoid failures when domain name    |
  | services are unavailable.                                                |
  |                                                                          |
  | LDAP server URI:                                                         |
  |                                                                          |
  | ldap://dlp.srv.world/________________________________________________ |
  |                                                                          |
  |                                  <Ok>                                    |
  |                                                                          |
  +--------------------------------------------------------------------------+

(2) Specify the distinguished name of the search base

 +------------------------+ Configuring libnss-ldap +------------------------+
 | Please enter the distinguished name of the LDAP search base. Many sites   |
 | use the components of their domain names for this purpose. For example,   |
 | the domain "example.net" would use "dc=example,dc=net" as the             |
 | distinguished name of the search base.                                    |
 |                                                                           |
 | Distinguished name of the search base:                                    |
 |                                                                           |
 | dc=srv,dc=world_______________________________________________________    |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+

(3) Specify the LDAP protocol version

  +-----------------------+ Configuring libnss-ldap +-----------------------+
  | Please choose the version of the LDAP protocol that should be used by   |
  | ldapns. Using the highest available version number is recommended.      |
  |                                                                         |
  | LDAP version to use:                                                    |
  |                                                                         |
  |                                    3                                    |
  |                                    2                                    |
  |                                                                         |
  |                                                                         |
  |                                 <Ok>                                    |
  |                                                                         |
  +-------------------------------------------------------------------------+

(4) Specify the distinguished name of the LDAP administrator account

  +-----------------------+ Configuring libnss-ldap +------------------------+
  | Please choose which account will be used for nss requests with root      |
  | privileges.                                                              |
  |                                                                          |
  | Note: For this to work the account needs permission to access the        |
  | attributes in the LDAP directory that are related to the users' shadow   |
  | entries as well as users' and groups' passwords.                         |
  |                                                                          |
  | LDAP account for root:                                                   |
  |                                                                          |
  | cn=admin,dc=srv,dc=world_____________________________________________    |
  |                                                                          |
  |                                  <Ok>                                    |
  |                                                                          |
  +--------------------------------------------------------------------------+

(5) Specify the password of the LDAP administrator account

 +------------------------+ Configuring libnss-ldap +------------------------+
 | Please enter the password to use when libnss-ldap tries to login to the   |
 | LDAP directory using the LDAP account for root.                           |
 |                                                                           |
 | The password will be stored in a separate file /etc/libnss-ldap.secret    |
 | which will be made readable to root only.                                 |
 |                                                                           |
 | Entering an empty password will re-use the old password.                  |
 |                                                                           |
 | LDAP root account password:                                               |
 |                                                                           |
 | ********_________________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+

(6) Only a notice that nsswitch.conf has to be edited by hand

  +-----------------------+ Configuring libnss-ldap +------------------------+
  |                                                                          |
  | nsswitch.conf not managed automatically                                  |
  |                                                                          |
  | For the libnss-ldap package to work, you need to modify your             |
  | /etc/nsswitch.conf to use the "ldap" datasource.  There is an example    |
  | file at /usr/share/doc/libnss-ldap/examples/nsswitch.ldap which can be   |
  | used as an example for your nsswitch setup, or it can be copied over     |
  | your current setup.                                                      |
  |                                                                          |
  | Also, before removing this package, it is wise to remove the "ldap"      |
  | entries from nsswitch.conf to keep basic services functioning.           |
  |                                                                          |
  |                                  <Ok>                                    |
  |                                                                          |
  +--------------------------------------------------------------------------+

(7) Whether to let the LDAP administrator account change passwords through PAM password tools such as passwd

 +------------------------+ Configuring libpam-ldap +------------------------+
 |                                                                           |
 | This option will allow password utilities that use PAM to change local    |
 | passwords.                                                                |
 |                                                                           |
 | The LDAP admin account password will be stored in a separate file which   |
 | will be made readable to root only.                                       |
 |                                                                           |
 | If /etc is mounted by NFS, this option should be disabled.                |
 |                                                                           |
 | Allow LDAP admin account to behave like local root?                       |
 |                                                                           |
 |                    <Yes>                       <No>                       |
 |                                                                           |
 +---------------------------------------------------------------------------+

(8) As the description says, "No" is usually fine

 +------------------------+ Configuring libpam-ldap +------------------------+
 |                                                                           |
 | Please choose whether the LDAP server enforces a login before retrieving  |
 | entries.                                                                  |
 |                                                                           |
 | Such a setup is not usually needed.                                       |
 |                                                                           |
 | Does the LDAP database require login?                                     |
 |                                                                           |
 |                    <Yes>                       <No>                       |
 |                                                                           |
 +---------------------------------------------------------------------------+

(9) Specify the distinguished name of the LDAP administrator account

  +-----------------------+ Configuring libpam-ldap +------------------------+
  | Please enter the name of the LDAP administrative account.                |
  |                                                                          |
  | This account will be used automatically for database management, so it   |
  | must have the appropriate administrative privileges.                     |
  |                                                                          |
  | LDAP administrative account:                                             |
  |                                                                          |
  | cn=admin,dc=srv,dc=world_____________________________________________    |
  |                                                                          |
  |                                  <Ok>                                    |
  |                                                                          |
  +--------------------------------------------------------------------------+

(10) Specify the password of the LDAP administrator account

 +------------------------+ Configuring libpam-ldap +------------------------+
 | Please enter the password of the administrative account.                  |
 |                                                                           |
 | The password will be stored in the file /etc/pam_ldap.secret. This will   |
 | be made readable to root only, and will allow libpam-ldap to carry out    |
 | automatic database management logins.                                     |
 |                                                                           |
 | If this field is left empty, the previously stored password will be       |
 | re-used.                                                                  |
 |                                                                           |
 | LDAP administrative password:                                             |
 |                                                                           |
 | ********_________________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+

root@www:~# vi /etc/nsswitch.conf
# line 7: append "ldap" to each of these databases
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
root@www:~# vi /etc/pam.d/common-password
# line 26: change (remove use_authtok)
password     [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass
root@www:~# vi /etc/pam.d/common-session
# if needed, append to the last line (creates the home directory automatically at first login)
session optional        pam_mkhomedir.so skel=/etc/skel umask=077
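Once the three files above are edited, a quick audit catches the mistakes that silently break or weaken this setup. The POSIX shell script below is an added example, not part of the original page: it checks that passwd, group and shadow in nsswitch.conf list ldap, that the two .secret files the dialogs create are readable by their owner only, and that the client URI does not bind over cleartext ldap:// (the dialog also offers ldaps:// and ldapi://). The sample files it writes are constructed; the real Debian paths (/etc/nsswitch.conf, /etc/libnss-ldap.conf, /etc/libnss-ldap.secret, /etc/pam_ldap.secret) are assumptions for a live run.

```shell
#!/bin/sh
# Added audit script (not from the original page). Paths below are
# constructed samples; on a real host point the functions at
# /etc/nsswitch.conf, /etc/libnss-ldap.conf and the two .secret files.
# Succeed only if each database in $2.. lists "ldap" as a source in the
# nsswitch.conf given as $1 (comments ignored).
nsswitch_has_ldap() {
    file=$1; shift
    for db in "$@"; do
        sed 's/#.*//' "$file" | grep -E "^[[:space:]]*${db}:" \
            | grep -qw ldap || return 1
    done
}

# Succeed only if the file has no group/other permission bits, which is
# what the dialogs promise for libnss-ldap.secret and pam_ldap.secret.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeed only if the client config has a uri line and none of them uses
# cleartext ldap:// (the dialog also offers ldaps:// and ldapi://).
uri_is_protected() {
    uris=$(sed 's/#.*//' "$1" | grep -iE '^[[:space:]]*uri[[:space:]]') || return 1
    ! printf '%s\n' "$uris" | grep -qi 'ldap://'
}

# Run every check, print PASS/FAIL per check, return 1 if any failed.
# Args: nsswitch.conf, client config, libnss-ldap.secret, pam_ldap.secret
# (paths must not contain spaces, since the check list is word-split).
audit_client() {
    rc=0
    for check in "nsswitch_has_ldap $1 passwd group shadow" \
                 "uri_is_protected $2" "owner_only $3" "owner_only $4"; do
        if $check; then echo "PASS: $check"; else echo "FAIL: $check"; rc=1; fi
    done
    return $rc
}

# Constructed sample files mirroring the values entered above, so the
# script runs offline; expect FAIL for the cleartext URI and the 644 secret.
tmp=$(mktemp -d)
printf 'passwd: compat ldap\ngroup:  compat ldap\nshadow: compat ldap\n' > "$tmp/nsswitch.conf"
printf 'base dc=srv,dc=world\nuri ldap://dlp.srv.world/\nldap_version 3\n' > "$tmp/libnss-ldap.conf"
printf 'secret\n' > "$tmp/libnss-ldap.secret"; chmod 600 "$tmp/libnss-ldap.secret"
printf 'secret\n' > "$tmp/pam_ldap.secret";    chmod 644 "$tmp/pam_ldap.secret"
audit_client "$tmp/nsswitch.conf" "$tmp/libnss-ldap.conf" \
    "$tmp/libnss-ldap.secret" "$tmp/pam_ldap.secret" || echo "audit found problems"
rm -rf "$tmp"
```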
Debian GNU/Linux 8 www.srv.world ttyS0
www login: debian     # a user registered in LDAP
Password:
Last login: Thu May  7 20:14:33 JST 2015 from 10.0.0.19 on pts/0
Linux www.srv.world 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Creating directory '/home/debian'.
debian@www:~$     # logged in successfully
debian@www:~$ passwd     # change the LDAP password
Enter login(LDAP) password:     # enter the current password
New password:     # enter the new password
Re-enter new password:     # re-enter to confirm
LDAP password information changed for debian
passwd: password updated successfully     # the password was changed