Configuring LDAP authentication on Ubuntu
A short guide to getting user authentication on the Ubuntu Linux distribution working against the lab LDAP server:
Install the stunnel4 package
Linux:/# apt-get install stunnel4
Edit /etc/default/stunnel4 and enable it to start
Linux:/# sed -i "s/ENABLED=0/ENABLED=1/g" /etc/default/stunnel4
Create the STUNNEL configuration for the lab LDAP server in /etc/stunnel/stunnel.conf (the Debian/Ubuntu stunnel4 package reads /etc/stunnel/*.conf, as set by FILES= in /etc/default/stunnel4). Note that this configuration sets no verify/CAfile, so stunnel does not check the server certificate: the tunnel protects passwords on the wire but does not detect a spoofed LDAP server.
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = /var/log/stunnel4/stunnel.log
client = yes
[ldaps-primary]
; bind to loopback only; a bare "accept = 6361" listens on every interface
; and turns this host into an open LDAP proxy for the network
accept = 127.0.0.1:6361
connect = ldap1.dmz.cnl.tuke.sk:636
[ldaps-secondary]
accept = 127.0.0.1:6362
connect = ldap2.dmz.cnl.tuke.sk:636
Start STUNNEL
Linux:/# /etc/init.d/stunnel4 start
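Added example, not from the original page and not the lab's own configuration: a shell helper that emits the stunnel client configuration above in a hardened form (listeners bound to loopback, server certificate chain verified against the lab CA) and a check that flags the two weak settings. The CA file path /etc/stunnel/lab-ca.pem is an assumption; with stunnel 4.x syntax, verify = 2 checks the chain but not the hostname (hostname checking needs checkHost, available from stunnel 5.x).

```shell
#!/bin/sh
# Added example (not from the original page): generate a hardened stunnel
# client configuration for the lab LDAP servers and sanity-check it.
# Assumptions: the lab CA certificate is saved as /etc/stunnel/lab-ca.pem
# (hypothetical path); stunnel 4.x directives.

# Print a stunnel client config for the given CA file and two LDAPS servers.
stunnel_ldaps_conf() {
    ca_file=$1
    primary=$2
    secondary=$3
    cat <<EOF
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = /var/log/stunnel4/stunnel.log
client = yes
; verify the server chain against the lab CA; without this any certificate is accepted
verify = 2
CAfile = $ca_file

[ldaps-primary]
; loopback only: a bare "accept = 6361" would listen on all interfaces
accept = 127.0.0.1:6361
connect = $primary:636

[ldaps-secondary]
accept = 127.0.0.1:6362
connect = $secondary:636
EOF
}

# Inspect a config file: fail if any accept has no bind address,
# if chain verification is off, or if no CA file is given.
stunnel_conf_ok() {
    conf=$1
    if grep -E '^accept *= *[0-9]+ *$' "$conf" >/dev/null; then
        return 1
    fi
    grep -E '^verify *= *2 *$' "$conf" >/dev/null || return 1
    grep -E '^CAfile *= *[^ ]' "$conf" >/dev/null || return 1
}

# Usage on a real host (writes the file the stunnel4 package reads):
#   stunnel_ldaps_conf /etc/stunnel/lab-ca.pem ldap1.dmz.cnl.tuke.sk ldap2.dmz.cnl.tuke.sk \
#       > /etc/stunnel/ldaps.conf && stunnel_conf_ok /etc/stunnel/ldaps.conf
# End-to-end check of the tunnel once stunnel is running:
#   ldapsearch -x -H ldap://127.0.0.1:6361 -b dc=top -s base
```

The check only inspects the text of the configuration; the ldapsearch line in the usage comment is the real test that the tunnel and the certificate chain work.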
Install the libnss-ldap package
Linux:/# apt-get install libnss-ldap
Set user account and group lookups to also consult LDAP in /etc/nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
LDAP settings in /etc/ldap.conf and /etc/ldap/ldap.conf (identical file; a symlink can be used):
base dc=top
uri ldap://localhost:6361 ldap://localhost:6362
ldap_version 3
scope sub
nss_base_passwd ou=Active,ou=People,dc=top?sub?(|(accessTo=Public-Resources)(trustmodel=fullaccess))
nss_base_shadow ou=Active,ou=People,dc=top?sub?(|(accessTo=Public-Resources)(trustmodel=fullaccess))
nss_base_group ou=Groups,dc=top?one
pam_password md5crypt
bind_policy soft
- the filter part needs the outer parentheses shown above (LDAP filter syntax); the value accessTo=Public-Resources should be replaced with the server's name, e.g. stargate.cnl.tuke.sk, and the administrators should be asked to delegate management of the attribute accessTo=server-name...
Check the list of users from LDAP:
Linux:/# getent passwd
Check the list of groups from LDAP:
Linux:/# getent group
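Added example, not part of the original page: a small audit of the account database NSS now serves. Because passwd: files ldap merges both sources, an LDAP entry whose uidNumber is 0 or collides with a local uid gets that account's privileges on this host, and a name present in both sources resolves to the files entry but is authenticated by pam_ldap with the LDAP password. The passwd lines in SAMPLE_PASSWD are constructed for the demonstration; on a real host run audit_live_passwd, which pipes getent passwd through the same check.

```shell
#!/bin/sh
# Added example (not from the original page): audit the merged passwd database
# that "passwd: files ldap" produces, looking for entries that would let an
# LDAP account act as a local one. Input: passwd(5) lines on stdin, as
# printed by "getent passwd".

# Print one line per finding; exit status 1 if anything was found.
audit_passwd() {
    awk -F: '
        NF < 7 { printf "malformed entry: %s\n", $0; bad = 1; next }
        # an entry with uidNumber 0 is root on this host, whatever its name
        $3 == 0 && $1 != "root" { printf "uid 0 account that is not root: %s\n", $1; bad = 1 }
        # two entries with one uid share files, processes and sudo rules
        ($3 in seen) { printf "duplicate uid %s: %s and %s\n", $3, seen[$3], $1; bad = 1 }
        # the same name in files and LDAP resolves to the files entry, but
        # pam_ldap accepts the LDAP password for it
        ($1 in names) { printf "duplicate name: %s\n", $1; bad = 1 }
        { seen[$3] = $1; names[$1] = 1 }
        END { exit bad }
    '
}

# Constructed sample: two local accounts followed by three LDAP entries, one
# reusing uid 0 and one reusing the local user alice's uid.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Local:/home/alice:/bin/bash
bob:x:10001:10001:Bob LDAP:/home/bob:/bin/bash
backdoor:x:0:0:LDAP uid zero:/home/backdoor:/bin/bash
carol:x:1000:10002:Carol LDAP:/home/carol:/bin/bash'

# Run the audit against the live NSS database (files + LDAP).
audit_live_passwd() {
    getent passwd | audit_passwd
}

# Demonstration on the constructed sample: lists backdoor (uid 0, duplicate
# of root's uid) and carol (duplicate of alice's uid).
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd || echo "audit found problems in the sample"
```

Run the audit again after every change to nss_base_passwd: widening the filter (for example from one server name to trustmodel=fullaccess) widens the set of LDAP entries that can collide with local accounts.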
PAM change in /etc/pam.d/common-account:
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass
PAM change in /etc/pam.d/common-auth (pam_ldap is tried first, so a name that exists both locally and in LDAP can log in to the local account with the LDAP password; keep the two namespaces disjoint):
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass
PAM change in /etc/pam.d/common-password:
password sufficient pam_ldap.so md5
password required pam_unix.so md5 try_first_pass
PAM change in /etc/pam.d/common-session:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_unix.so
In case of problems, check /var/log/auth.log
-- Main.fecilak - 16 Dec 2008