OpenLDAP : LDAP Client Settings (AD)    2020/05/11
These are the LDAP client settings for the case where the LDAP server is Windows Active Directory.
[1]
[2] Install and configure the OpenLDAP client.
root@node01:~# apt -y install libnss-ldap libpam-ldap ldap-utils

(1) Specify the URI of the AD server

    Configuring ldap-auth-config
    Please enter the URI of the LDAP server to use. This is a string in the
    form of ldap://<hostname or IP>:<port>/. ldaps:// or ldapi:// can also
    be used. The port number is optional.

    Note: It is usually a good idea to use an IP address because it reduces
    risks of failure in the event name service problems.

    LDAP server Uniform Resource Identifier:
    ldap://fd3s.srv.world/

    <Ok>

(2) Specify the distinguished name of the search base

    Configuring ldap-auth-config
    Please enter the distinguished name of the LDAP search base. Many sites
    use the components of their domain names for this purpose. For example,
    the domain "example.net" would use "dc=example,dc=net" as the
    distinguished name of the search base.

    Distinguished name of the search base:
    dc=srv,dc=world

    <Ok>

(3) Specify the LDAP protocol version (normally [3] is fine)

    Configuring ldap-auth-config
    Please enter which version of the LDAP protocol should be used by
    ldapns. It is usually a good idea to set this to the highest available
    version.

    LDAP version to use:
    3
    2

    <Ok>

(4) As the description says, choose [No] if /etc is NFS-mounted or otherwise customised; normally [Yes] is fine

    Configuring ldap-auth-config
    This option will allow you to make password utilities that use pam to
    behave like you would be changing local passwords.

    The password will be stored in a separate file which will be made
    readable to root only.

    If you are using NFS mounted /etc or any other custom setup, you should
    disable this.

    Make local root Database admin:
    <Yes>    <No>

(5) As the description says, normally [No] is fine

    Configuring ldap-auth-config
    Choose this option if you are required to login to the database to
    retrieve entries.

    Note: Under a normal setup, this is not needed.

    Does the LDAP database require login?
    <Yes>    <No>
root@node01:~# vi /etc/nsswitch.conf
# line 7: append [ldap]
passwd:         files systemd ldap
group:          files systemd ldap
shadow:         files
root@node01:~# vi /etc/pam.d/common-password
# line 26: change (remove [use_authtok])
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass
root@node01:~# vi /etc/pam.d/common-session
# if needed, add to the last line (create the home directory automatically at login)
session optional        pam_mkhomedir.so skel=/etc/skel umask=077
root@node01:~# vi /etc/ldap.conf
# line 44: add the DN (suffix) of the bind user that was created on the AD side in [1]
binddn cn=ldapusers,cn=Users,dc=srv,dc=world
# line 48: add the password of the bind user that was created on the AD side in [1]
bindpw password
# lines 223-232: uncomment all of these lines
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
Ubuntu 20.04 LTS www.srv.world ttyS0

# log in as any user that was given UNIX attributes on the AD side in [1]
node01 login: Serverworld
Password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-26-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 11 May 2020 05:23:54 PM JST

  System load:  0.41               Processes:               135
  Usage of /:   9.0% of 24.54GB    Users logged in:         0
  Memory usage: 5%                 IPv4 address for enp1s0: 10.0.0.31
  Swap usage:   0%
.....
.....
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Creating directory '/home/Serverworld'.
Serverworld@node01:~$    # logged in successfully
Serverworld@node01:~$ id
uid=5000(Serverworld) gid=100(users) groups=100(users)
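Two points in the /etc/ldap.conf above deserve a check after the setup is done: the uri is plain ldap:// with no [ssl start_tls], so the bindpw and every user's login password travel to the AD server unencrypted, and bindpw is a cleartext secret in a file that any local user can read. The script below is an added example (not part of this page or of the libpam-ldap package) that audits a PADL-style ldap.conf for both; the sample files it writes are constructed from the values on this page, and it assumes find(1) accepts [-perm -o=r].

```shell
#!/bin/sh
# Added audit helper, not from the original page. Checks a PADL-style
# /etc/ldap.conf (as installed by libpam-ldap) for a plaintext ldap:// uri
# and for a cleartext bindpw in a world-readable file.

# Value of directive $1 in file $2 (first uncommented match, else empty).
ldap_conf_get() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# Print one finding per line for the ldap.conf at $1; return the finding count.
audit_ldap_conf() {
    conf="$1"; n=0
    uri=$(ldap_conf_get uri "$conf")
    ssl=$(ldap_conf_get ssl "$conf")
    case "$uri" in
        ldaps://*|ldapi://*) ;;
        *) if [ "$ssl" != "start_tls" ]; then
               echo "TLS: uri '$uri' without 'ssl start_tls': bindpw and user passwords cross the network in clear"
               n=$((n + 1))
           fi ;;
    esac
    if [ -n "$(ldap_conf_get bindpw "$conf")" ] && [ -n "$(find "$conf" -perm -o=r -print)" ]; then
        echo "PERMS: bindpw set and $conf is world-readable: any local user can read it, so the bind account must have read-only rights"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed samples (values taken from the page), written under directory $1.
write_weak_conf() {
    printf '%s\n' 'uri ldap://fd3s.srv.world/' 'base dc=srv,dc=world' \
        'binddn cn=ldapusers,cn=Users,dc=srv,dc=world' 'bindpw password' \
        'pam_password ad' > "$1/weak.conf"
    chmod 644 "$1/weak.conf"; echo "$1/weak.conf"
}
write_hardened_conf() {
    printf '%s\n' 'uri ldap://fd3s.srv.world/' 'ssl start_tls' \
        'base dc=srv,dc=world' 'binddn cn=ldapusers,cn=Users,dc=srv,dc=world' \
        'bindpw password' 'pam_password ad' > "$1/hardened.conf"
    chmod 640 "$1/hardened.conf"; echo "$1/hardened.conf"
}

# Demo: the page's settings produce two findings, the hardened file none.
tmp=$(mktemp -d)
audit_ldap_conf "$(write_weak_conf "$tmp")" || echo "weak.conf findings: $?"
audit_ldap_conf "$(write_hardened_conf "$tmp")" && echo "hardened.conf findings: 0"
rm -rf "$tmp"
```

Run it against the real file with audit_ldap_conf /etc/ldap.conf; a non-zero exit status is the number of findings, which makes it easy to wire into a configuration check.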