Directory Service with LDAP [5]: OpenLDAP (II)

Let's continue, though not without first consulting:

In this post we will see:

Local user authentication

Once we have the OpenLDAP server running, if we want to test or use local authentication for the users who are registered in the Directory, or whom we are going to register, we must install and configure the necessary packages.

In Squeeze, the packages involved are:

libnss-ldap: Provides a Name Service Switch (NSS) module that allows the LDAP server to act as a name server.

This means providing information about user accounts, group IDs, host information, aliases, netgroups, and basically any other data normally obtained from plain-text files such as /etc/passwd, /etc/group, etc., or from an NIS service.

libpam-ldap: "Pluggable Authentication Module for LDAP", that is, the PAM module for LDAP. It provides an interface between the LDAP server and the authentication system through PAM.

nscd: "Name Service Cache Daemon". It handles lookups of passwords, groups and hosts, and caches the results for future reference.

:~# aptitude install finger libnss-ldap

Installing the libnss-ldap package, which also installs libpam-ldap and the nscd daemon as dependencies, takes us through the configuration wizard, whose questions we must answer appropriately:

[Screenshots of the configuration wizard: libss-01 to libss-06 and libpam-01 to libpam-04]

If we want to reconfigure the libnss-ldap and/or libpam-ldap packages, we must run:

:~# dpkg-reconfigure libnss-ldap
:~# dpkg-reconfigure libpam-ldap

Next we edit the file /etc/nsswitch.conf and leave it with the following content:

:~# nano /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

For the changes made to /etc/nsswitch.conf to take effect, we restart the nscd service:

:~# service nscd restart

An important detail is to modify the file /etc/pam.d/common-session so that the user's home folder is created on the local server when a user registered in the Directory logs in:

:~# nano /etc/pam.d/common-session
[----]
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
### The line above must be included BEFORE
# here are the per-package modules (the "Primary" block)
[----]
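One way to confirm both edits, as an added example that is not part of the original article: the shell functions below check that a given nsswitch.conf database lists ldap and that an active pam_mkhomedir.so line comes before the "Primary" block comment. The function names are hypothetical; on the server they would be pointed at /etc/nsswitch.conf and /etc/pam.d/common-session.

```shell
#!/bin/sh
# Added example: sanity checks for the two files edited above.
# Function names are hypothetical, not part of any package.

# nss_has_ldap FILE DB -> exit 0 if database DB (passwd, group, shadow)
# lists "ldap" among its sources on an uncommented line.
nss_has_ldap() {
    awk -v db="$2" '
        /^[ \t]*#/ { next }                       # skip comment lines
        $1 == (db ":") {
            for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# mkhomedir_before_primary FILE -> exit 0 if an active "session" line using
# pam_mkhomedir.so appears before the "Primary" block comment. A file
# without that comment passes as long as the line exists.
mkhomedir_before_primary() {
    awk '
        /^[ \t]*#/ {
            if ($0 ~ /"Primary" block/ && !primary) primary = NR
            next                                  # commented lines never count
        }
        $1 == "session" && $0 ~ /pam_mkhomedir\.so/ && !mk { mk = NR }
        END { exit ((mk && (!primary || mk < primary)) ? 0 : 1) }
    ' "$1"
}

# Usage on the server:
#   for db in passwd group shadow; do
#       nss_has_ldap /etc/nsswitch.conf "$db" || echo "$db: ldap missing"
#   done
#   mkhomedir_before_primary /etc/pam.d/common-session || echo "check pam_mkhomedir"
```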

Populating the database

To populate the Directory database, or initialize it, we must add the main Organizational Units, register at least one user group, and add a user. To do this, we create a file in LDIF format, which we will later add to the Directory, with the following content:

:~# nano content.ldif
dn: ou=People,dc=amigos,dc=cu
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=amigos,dc=cu
objectClass: organizationalUnit
ou: Groups

dn: cn=zobba,ou=Groups,dc=amigos,dc=cu
objectClass: posixGroup
cn: zobba
gidNumber: 10000

dn: uid=frodo,ou=People,dc=amigos,dc=cu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: frodo
sn: Bagins
givenName: Frodo
cn: Frodo Bagins
displayName: Frodo Bagins
uidNumber: 10000
gidNumber: 10000
userPassword: frodo
mail: frodo@amigos.cu
gecos: Frodo Bagins
loginShell: /bin/bash
homeDirectory: /home/frodo

We add the contents of the file to the Directory:

:~# ldapadd -x -D cn=admin,dc=amigos,dc=cu -W -f content.ldif
Enter LDAP Password:
adding new entry "ou=People,dc=amigos,dc=cu"

adding new entry "ou=Groups,dc=amigos,dc=cu"

adding new entry "cn=zobba,ou=Groups,dc=amigos,dc=cu"

adding new entry "uid=frodo,ou=People,dc=amigos,dc=cu"
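The LDIF above carries userPassword: frodo in clear text and equal to the uid, whereas a hashed value starts with a scheme prefix such as {SSHA}. The following added example (not part of the original article; the function names and the sam and merry entries are constructed) lists the entries of an LDIF file whose userPassword has no scheme prefix or matches the uid, decoding base64 values written with a double colon.

```shell
#!/bin/sh
# Added example: list LDIF entries whose userPassword is stored without a
# hash scheme or is identical to the uid. Reads the files given as
# arguments, or standard input when none is given.
audit_ldif_passwords() {
    awk '
        function report() {
            if (uid != "" && pw != "") {
                hashed = (substr(pw, 1, 1) == "{" && index(pw, "}") > 2)
                if (!hashed)   print uid, "cleartext"
                if (pw == uid) print uid, "password-equals-uid"
            }
            uid = ""; pw = ""
        }
        /^[ \t]*$/         { report(); next }     # a blank line ends an entry
        /^uid: /           { uid = substr($0, 6) }
        /^userPassword: /  { pw = substr($0, 15) }
        /^userPassword:: / {                      # "::" marks a base64 value
            b64 = substr($0, 16)
            if (b64 ~ /^[A-Za-z0-9+\/=]+$/) {     # pass only base64 text to sh
                cmd = "printf %s " b64 " | base64 -d"
                cmd | getline pw
                close(cmd)
            }
        }
        END { report() }
    ' "$@"
}

# Constructed sample: the frodo entry from this page plus two made-up ones.
sample_ldif() {
    cat <<'EOF'
dn: uid=frodo,ou=People,dc=amigos,dc=cu
uid: frodo
userPassword: frodo

dn: uid=sam,ou=People,dc=amigos,dc=cu
uid: sam
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=

dn: uid=merry,ou=People,dc=amigos,dc=cu
uid: merry
userPassword:: U2VjcmV0MTIz
EOF
}

sample_ldif | audit_ldif_passwords
```

The merry entry shows that a double colon only means base64 encoding: its value decodes to plain text and is reported, while the sam entry decodes to a {SSHA} value and is not.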

We run the relevant checks:

:~# id frodo
uid=10000(frodo) gid=10000(zobba) groups=10000(zobba)

:~# getent passwd | grep frodo
frodo:x:10000:10000:Frodo Bagins:/home/frodo:/bin/bash

:~# finger frodo
Login: frodo                            Name: Frodo Bagins
Directory: /home/frodo                  Shell: /bin/bash
Never logged in.
No mail.
No Plan.

:~# ldapsearch -Y EXTERNAL -H ldapi:/// -b uid=frodo,ou=People,dc=amigos,dc=cu

Now we have a Directory Service that we must manage!!! We will develop two ways of doing so: the first through the ldapscripts package, and the second, which we will cover in the next article, through the Ldap Account Manager.

We should also mention that the ldap-utils package provides a whole series of useful commands for managing the Directory. To find out what those commands are, we run:

:~# dpkg -L ldap-utils | grep /bin
/usr/bin
/usr/bin/ldapmodrdn
/usr/bin/ldapurl
/usr/bin/ldapdelete
/usr/bin/ldapwhoami
/usr/bin/ldapexop
/usr/bin/ldappasswd
/usr/bin/ldapcompare
/usr/bin/ldapsearch
/usr/bin/ldapmodify
/usr/bin/ldapadd

To learn more about each command, we recommend running man on it. Explaining each one would make the article too long.

Managing the database using console utilities

We chose the ldapscripts package for this task. The installation and configuration procedure is as follows:

:~# aptitude install ldapscripts

:~# cp /etc/ldapscripts/ldapscripts.conf \
/etc/ldapscripts/ldapscripts.conf.original

:~# cp /dev/null /etc/ldapscripts/ldapscripts.conf

:~# nano /etc/ldapscripts/ldapscripts.conf
SERVER=localhost
BINDDN='cn=admin,dc=amigos,dc=cu'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=amigos,dc=cu'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
# MSUFFIX='ou=Computers'
GIDSTART=10001
UIDSTART=10001
# MIDSTART=10000
# OpenLDAP client commands
LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"
GCLASS="posixGroup"
# UTEMPLATE="/etc/ldapscripts/ldapadduser.template"
PASSWORDGEN="echo %u"

### Note that the scripts use the commands of the
### ldap-utils package

:~# sh -c "echo -n 'tupassword' > /etc/ldapscripts/ldapscripts.passwd"

:~# chmod 400 /etc/ldapscripts/ldapscripts.passwd

:~# cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample \
/etc/ldapscripts/ldapadduser.template

:~# nano /etc/ldapscripts/ldapadduser.template
dn: uid=<user>,<usuffix>,<suffix>
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: <user>
sn: <ask>
givenName: <ask>
displayName: <ask>
uid: <user>
uidNumber: <uid>
gidNumber: <gid>
homeDirectory: <home>
loginShell: <shell>
mail: <ask>
gecos: <user>
description: User Account

:~# nano /etc/ldapscripts/ldapscripts.conf
## we uncomment
UTEMPLATE="/etc/ldapscripts/ldapadduser.template"
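Two settings in the configuration above deserve a check: BINDPWDFILE holds the directory administrator's password, and PASSWORDGEN="echo %u" gives every new account an initial password equal to its username. The audit below is an added example, not part of the original article or of ldapscripts; the function names and finding messages are hypothetical, and it reads the configuration with sed rather than sourcing it.

```shell
#!/bin/sh
# Added example: audit an ldapscripts.conf and the bind password file it names.

# conf_value FILE KEY -> last uncommented KEY=value, surrounding quotes removed.
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed "s/^[\"']//; s/[\"']\$//"
}

# audit_ldapscripts CONF -> one line per finding, nothing if all checks pass.
audit_ldapscripts() {
    a_pwfile=$(conf_value "$1" BINDPWDFILE)
    a_gen=$(conf_value "$1" PASSWORDGEN)

    # "%u" is replaced by the username, so the initial password is guessable.
    case $a_gen in
        *%u*) echo "PASSWORDGEN uses the username as initial password" ;;
    esac

    if [ ! -f "$a_pwfile" ]; then
        echo "BINDPWDFILE not found"
        return 0
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$a_pwfile" | cut -c5-10)" != "------" ]; then
        echo "BINDPWDFILE accessible beyond its owner"
    fi
    # The whole file content is used as the password, so a trailing newline
    # (plain echo instead of echo -n) makes the bind fail.
    if [ $(tail -c 1 "$a_pwfile" | wc -l) -gt 0 ]; then
        echo "BINDPWDFILE ends with a newline"
    fi
}

# Usage on the server:
#   audit_ldapscripts /etc/ldapscripts/ldapscripts.conf
```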

Let's try adding the user Strider the King (Trancos El Rey) to the zobba user group and check the data entered:

:~# ldapadduser trancos zobba
[dn: uid=trancos,ou=People,dc=amigos,dc=cu] Enter value for "sn": El Rey
[dn: uid=trancos,ou=People,dc=amigos,dc=cu] Enter value for "givenName": Trancos
[dn: uid=trancos,ou=People,dc=amigos,dc=cu] Enter value for "displayName": Trancos El Rey
[dn: uid=trancos,ou=People,dc=amigos,dc=cu] Enter value for "mail": trancos@amigos.cu
Successfully added user trancos to LDAP
Successfully set password for user trancos

root@mildap:~# ldapfinger trancos
dn: uid=trancos,ou=People,dc=amigos,dc=cu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: trancos
sn: El Rey
givenName: Trancos
displayName: Trancos El Rey
uid: trancos
uidNumber: 10002
gidNumber: 10000
homeDirectory: /home/trancos
loginShell: /bin/bash
mail: trancos@amigos.cu
gecos: trancos
description: User Account
userPassword:: e10000NTSEF1UnlmcWxCem9iUzBuSzQzTkM5ZFRFcTUwV3VsVnBqRm=

Let's set the password for the user frodo, list the "DNs" of the registered users, and delete the newly created user trancos:

:~# ldapsetpasswd frodo
Changing password for user uid=frodo,ou=People,dc=amigos,dc=cu
New Password:
Retype New Password:
Successfully set password for user uid=frodo,ou=People,dc=amigos,dc=cu

:~# lsldap -u | grep dn
dn: uid=frodo,ou=People,dc=amigos,dc=cu
dn: uid=trancos,ou=People,dc=amigos,dc=cu

:~# ldapfinger frodo
dn: uid=frodo,ou=People,dc=amigos,dc=cu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: frodo
sn: Bagins
givenName: Frodo
cn: Frodo Bagins
displayName: Frodo Bagins
uidNumber: 10000
gidNumber: 10000
mail: frodo@amigos.cu
gecos: Frodo Bagins
loginShell: /bin/bash
homeDirectory: /home/frodo
userPassword:: e1NTSEF9TnI4ZXN3YXA1VnplK1ZIZXZzbFZKaWF1SVdWeU5oVjA=

:~# ldapdeleteuser trancos
Successfully deleted user uid=trancos,ou=People,dc=amigos,dc=cu from LDAP

:~# lsldap -u | grep dn
dn: uid=frodo,ou=People,dc=amigos,dc=cu

Let's check that local authentication works correctly:

:~# ssh frodo@mildap
frodo@mildap's password:
Linux mildap 2.6.32-5-686 #1 SMP Fri May 10 08:33:48 UTC 2013 i686
[---]
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb 18 18:54:01 2014 from mildap.amigos.cu
frodo@mildap:~$ pwd
/home/frodo
frodo@mildap:~$

There are many more examples we could write, but unfortunately the article would become too long. We always say that we offer an entry point to the subject of services in general. It is impossible to replace extensive documentation in a single post.

To learn more about the ldapscripts package and its commands, please consult man ldapscripts.

So far, our simple Directory Service based on OpenLDAP is working well.

Summary so far...

Many people in charge of services on business networks, when they take over one whose services are based on Microsoft products and want to migrate to Linux, consider migrating the Domain Controllers among other services.

If they do not choose a third-party product such as ClearOS or Zentyal, or if for other reasons they want to be independent, they take on the laborious task of building their own Domain Controller, or their own Active Directory from Samba 4.

Then the problems begin, along with some disappointments. Operating errors. They cannot locate the problems in order to solve them. Repeated installation attempts. Partial operation of the services. And a long list of problems.

The foundation of any Domain Controller or Active Directory on Linux, based on OpenLDAP plus Samba, necessarily goes through basic knowledge of what an LDAP server is, how it is installed, how it is configured and managed, and so on. Those who have read the extensive Samba documentation will know well what we mean.

Precisely to answer that question we have written the whole series of articles up to this one, and we will continue with those that are needed. We hope they are useful to you.



  1.   vidagnu said

    Great post Fico, a question: with OpenLDAP, can domain policies be created? To apply them to connected users, such as a screensaver activated after 5 minutes without activity, configuring the wallpaper, preventing certain applications from running, configuring startup scripts, etc.

    Thanks,
    Oscar

    1.    federico said

      Thanks for commenting!!! Oscar, remember that those policies, on Linux, are implemented differently when it comes to Linux clients. GNOME brings a tool to achieve that, whose name I don't remember right now. Yes, I know that we can set user account policies directly in OpenLDAP. Many people ask me the same question and I always answer more or less the same. Those security policies apply only to Microsoft clients, NOT to Linux clients. They are two different philosophies. Active Directory is a proprietary application based on OpenLDAP, Microsoft's own Kerberos, and the Network Administrator, which I don't know what they call now. Before, it was Lan Manager. We cannot think of emulating an Active Directory with LDAP alone. We would have to integrate Samba or use Samba 4 to see whether that can be achieved. And my friend, I haven't taken a single look at Samba 4. 🙂 I also don't know whether Zentyal integrated with an Active Directory can apply them... but that software is not just OpenLDAP. It is OpenLDAP + Samba + Kerberos + other things I don't know well. In this series I only deal with OpenLDAP, and if you follow it you will see that in the compendium I am writing of the whole series, plus other essential services, everything is based on authentication against the OpenLDAP Directory.

      Regards