Red SWL (V): Debian Wheezy da ClearOS. Tabbatar da SSSD akan asalin LDAP.

Barka dai abokai !. Don Allah, na maimaita, karanta kafin «Gabatarwa ga hanyar sadarwa tare da Software na Kyauta (I): Gabatarwar ClearOS»Kuma zazzage ClearOS Matakan shigarwa hotunan shigarwa (1,1 mega), don sanin abin da muke magana akai. Idan ba tare da wannan karatun ba zai yi wahala mu bi mu.

Sabis ɗin Tsaron Tsaro Daemon

Shirin SSD o Daemon don Sabis ɗin Tsaro na Tsaro, aiki ne na Fedora, wanda aka haife shi daga wani aikin - haka nan daga Fedora- ake kira FreeIPA. Dangane da masu kirkirarta, taƙaitaccen ma'anar fassara mai sauƙi zai kasance:

SSSD sabis ne wanda ke ba da dama ga daban-daban Identity da Tantance kalmar sirri. Ana iya saita shi don yankin LDAP na asali (mai ba da ainihi na LDAP tare da tabbatar da LDAP), ko don mai ba da shaidar LDAP tare da tabbatar da Kerberos. SSSD tana ba da hanyar dubawa ga tsarin ta hanyar NSS y Pam, da kuma Backarshen Baya wanda zai iya haɗawa zuwa asalin asusun daban-daban.

Mun yi imanin cewa muna fuskantar ingantacciyar hanya mai ƙarfi don ganowa da tabbatar da ingancin masu amfani da ke rajista a cikin OpenLDAP, fiye da waɗanda aka ambata a cikin abubuwan da suka gabata, wani al'amari da ya rage ga hankalin kowa da irin abubuwan da suka samu..

Maganin da aka gabatar a cikin wannan labarin shine mafi bada shawarar ga kwamfyutocin hannu da kwamfyutocin tafi-da-gidanka, tunda yana ba mu damar aiki katsewa, tunda SSSD tana adana takardun shaidarka a kan kwamfutar cikin gida.

Misali na hanyar sadarwa

• Mai Kula da Yanki, DNS, DHCP: Kamfanin ClearOS 5.2sp1.
• Sunan Mai Kulawa: tsakiya
• Sunan Yanki: abokai.cu
• Mai sarrafa IP: 10.10.10.60
• ---------------
• Siffar Debian: Haushi.
• Sunan kungiya: debian 7
• Adireshin IP: Amfani da DHCP

Muna bincika cewa sabar LDAP tana aiki

Mun gyara fayil din /etc/ldap/ldap.conf kuma shigar da kunshin Ldap-kayan aiki:

: ~ # nano /etc/ldap/ldap.conf
[----] BASE dc = abokai, dc = cu URI ldap: //centos.amigos.cu [----]

: ~ # aptitude kafa ldap-utils: ~ $ ldapsearch -x -b 'dc = abokai, dc = cu' '(objectclass = *)': ~ $ ldapsearch -x -b dc = abokai, dc = cu 'uid = ci gaba '
: ~ $ ldapsearch -x -b dc = abokai, dc = cu 'uid = legolas' cn gidNumber

Tare da umarni biyu na ƙarshe, muna bincika samuwar sabar OpenLDAP na ClearOS ɗinmu. Bari muyi duban kayan aikin umarnin da suka gabata.

Muhimmanci: mun kuma tabbatar da cewa Sabis ɗin Shaida a cikin sabar OpenLDAP ɗinmu na aiki daidai.

Mun shigar da kunshin sssd

Hakanan an bada shawarar shigar da kunshin yatsa don yin cak sun fi abin sha ldapsearch:

: ~ # gwaninta shigar sssd yatsa

Bayan kammala shigarwa, sabis ɗin ssd baya farawa saboda ɓacewar fayil /etc/sssd/sssd.conf. Sakamakon fitarwa yana nuna wannan. Saboda haka, dole ne mu ƙirƙiri wannan fayil ɗin mu bar shi tare da mafi ƙarancin abun ciki:

: ~ # nano /etc/sssd/sssd.conf
[sssd] config_file_version = 2 sabis = nss, pam # SSSD ba zai fara ba idan ba ku saita kowane yanki ba. # Newara sabon rukunin yanki kamar [yanki / ] sassan, sannan # sannan ka ƙara jerin yankuna (kamar yadda kake so a tambaya su) ga alamun "yankuna" da ke ƙasa kuma ba damuwa. domains = amigos.cu [nss] filter_groups = tushen filter_users = tushen reconnection_retries = 3 [pam] reconnection_retries = 3 # LDAP yankin [domain / amigos.cu] id_provider = ldap
auth_provider = ldap
chpass_provider = ldap # ldap_schema za a iya saita shi zuwa "rfc2307", wanda ke adana sunayen mambobin rukuni a cikin sifar # "memberuid", ko kuma zuwa "rfc2307bis", wanda ke adana membobin ƙungiyar DNs a cikin sifofin "memba". Idan baku san wannan ƙimar ba, tambayi mai kula da LDAP #. # yana aiki tare da ClearOS ldap_schema = rfc2307
ldap_uri = ldap: //centos.amigos.cu
ldap_search_base = dc = abokai, dc = cu # Lura cewa ba da damar yin lissafi zai sami matsakaicin tasiri. # Sakamakon haka, tsoffin darajar yin lissafi QARYA ce. # Duba zuwa sssd.conf mutum don cikakken bayani. enumerate = ƙarya # Bada izinin shiga ta waje ta hanyar adana hashes na gida a ciki (tsoho: ƙarya). cache_credentials = gaskiya
ldap_tls_reqcert = ba da izini
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

Da zarar an ƙirƙiri fayil ɗin, za mu sanya izinin da ya dace kuma mu sake fara aikin:

: ~ # chmod 0600 /etc/sssd/sssd.conf
: ~ # service sssd sake kunnawa

Idan muna son wadatar da abubuwan fayil na baya, muna bada shawarar aiwatarwa mutum sssd.conf da / ko tuntuɓi takaddun data kasance akan Intanet, farawa da hanyoyin haɗin yanar gizo a farkon post ɗin. Har ila yau shawarta mutum sssd-ldap. Kunshin ssd hada da misali a /usr/share/doc/sssd/misali/ssd-example.conf, wanda za'a iya amfani dashi don gaskanta kan Microsoft Active Directory.

Yanzu zamu iya amfani da mafi yawan dokokin sha yatsa y samun:

: ~ $ yatsun kafa
Shiga ciki: masu motsa Sunan: Strides El Rey Directory: / gida / masu tafiya Shell: / bin / bash Ba a taɓa shiga ba. Babu wasiku Babu shiri.

: ~ $ sudo samun lambar wucewa legolas
legolas: *: 1004: 63000: Legolas The Elf: / gida / legolas: / bin / bash

Har yanzu ba za mu iya gaskatawa ba azaman mai amfani da sabar LDAP. Kafin mu gyara fayil ɗin /etc/pam.d/ haduwa-, don haka an ƙirƙiri babban fayil ɗin mai amfani ta atomatik lokacin da kuka fara zamanku, idan babu shi, sannan sake sake tsarin:

[---]
zaman da ake buƙata pam_mkhomedir.so skel = / sauransu / skel / umask = 0022

### Dole ne a hada layin da ke sama KAFIN
# a nan akwai matakan kunshin-kunshin (maɓallin "Firamare") [----]

Mun sake kunna Wheezy dinmu:

: ~ # sake yi

Bayan ka shiga, cire haɗin hanyar sadarwa ta amfani da Manajan Haɗin sannan ka fita ka dawo. Da sauri ba komai. Gudu a cikin tashar mota idanconfig kuma za su ga cewa eth0 ba a daidaita shi kwata-kwata.

Kunna cibiyar sadarwa. Da fatan za a fita sannan a sake shiga. Duba sake tare idanconfig.

Tabbas, yin aiki ba tare da layi ba, ya zama dole a shiga aƙalla sau ɗaya yayin da OpenLDAP ke kan layi, don a sami takardun shaidarka a kwamfutar mu.

Kada mu manta da sanya mai amfani na waje ya yi rijista a cikin OpenLDAP memba na ƙungiyoyi masu buƙata, koyaushe yana mai da hankali ga mai amfani da aka ƙirƙira yayin shigarwar.

Note:

Bayyana zaɓi ldap_tls_reqcert = ba, a cikin Fayil /etc/sssd/sssd.conf, ya zama haɗarin tsaro kamar yadda aka bayyana a shafin SSSD - FAQ. Valueimar tsoho ita ce «bukatar«. Duba mutum sssd-ldap. Koyaya, a cikin babin 8.2.5 Harhadawa Domains Daga bayanan Fedora, yana tambaya mai zuwa:

SSSD ba ta goyi bayan tabbatarwa kan wata hanyar da ba a ɓoye ta ba. Sakamakon haka, idan kuna son tabbatarwa akan sabar LDAP, ko dai TLS/SSL or LDAPS Ana buƙata.

SSD ba ya goyi bayan tabbatarwa akan tashar da ba a ɓoye ta ba. Saboda haka, idan kuna son tabbatarwa akan sabar LDAP, zai zama dole TLS / SLL o LDAP.

Mu kanmu muna tunani cewa an magance matsalar ya wadatar da LAN na Ciniki, ta fuskar tsaro. Ta hanyar Kauyen WWW, muna ba da shawarar aiwatar da hanyar da aka rufa ta amfani da ita TLS ko «Kafa Layer Tsaro, tsakanin kwamfutar abokin ciniki da sabar.

Muna ƙoƙari mu cim ma sa daga daidai ƙarni na takaddun takaddun Kai ko «Kai Sa hannu “A kan sabar ClearOS, amma ba za mu iya ba. Tabbas batun ne da ake jira. Idan kowane mai karatu ya san yadda ake yi, to ya yi maraba da bayyana shi!