SWL Network (IV): Ubuntu Precise and ClearOS. SSSD authentication against native LDAP.

Hello friends! Straight to the point, but not before you read the article «Introduction to a Network with Free Software (I): Presentation of ClearOS» and download the package of ClearOS step-by-step installation images (1.1 mega), so that you know what we are talking about. Without that reading it will be hard to follow us. Okay?

System Security Services Daemon

The SSSD program, or System Security Services Daemon, is a Fedora project that was born from another project, also from Fedora, called FreeIPA. According to its own creators, a short and freely translated definition would be:

SSSD is a service that provides access to different identity and authentication providers. It can be configured for a native LDAP domain (LDAP identity provider with LDAP authentication), or for an LDAP identity provider with Kerberos authentication. SSSD provides the interface to the system through NSS and PAM, and a back end that can connect to several different account sources.

We believe we are looking at a more complete and robust solution for identifying and authenticating users registered in an OpenLDAP directory than those covered in the previous articles, a matter that is left to each reader's judgment and own experience.

The solution proposed in this article is the most recommended one for mobile computers and laptops, because it allows us to work disconnected: SSSD stores the credentials on the local computer.

Example network

  • Domain Controller, DNS, DHCP: ClearOS Enterprise 5.2sp1.
  • Controller name: centos
  • Domain name: amigos.cu
  • Controller IP: 10.10.10.60
  • ---------------
  • Ubuntu version: Ubuntu Desktop 12.04.2 Precise.
  • Machine name: precise
  • IP address: via DHCP

We prepare our Ubuntu

We edit the file /etc/lightdm/lightdm.conf so that it accepts manual login, and leave it with the following content:

#

After saving the changes, we restart lightdm from a console invoked with Ctrl+Alt+F1, in which, after logging in, we run sudo service lightdm restart.

It is also recommended to edit the file /etc/hosts and leave it with the following content:

127.0.0.1 localhost
127.0.1.1 precise.amigos.cu precise
[----]

This way we get the proper answers to the commands hostname and hostname --fqdn.

We check that the LDAP server is working

We edit the file /etc/ldap/ldap.conf and install the ldap-utils package:

:~$ sudo nano /etc/ldap/ldap.conf
[----]
BASE dc=amigos,dc=cu
URI ldap://centos.amigos.cu
[----]
:~$ sudo aptitude install ldap-utils
:~$ ldapsearch -x -b 'dc=amigos,dc=cu' '(objectclass=*)'
:~$ ldapsearch -x -b dc=amigos,dc=cu 'uid=strides'
:~$ ldapsearch -x -b dc=amigos,dc=cu 'uid=legolas' cn gidNumber

With the last two commands we check the availability of the OpenLDAP server on our ClearOS. Take a good look at the output of the previous commands.

Important: we have also verified that the identification service on our OpenLDAP server works correctly.


We install the sssd package

It is also recommended to install the finger package, to make the checks more palatable than with ldapsearch:

:~$ sudo aptitude install sssd finger

When the installation finishes, the sssd service does not start because the file /etc/sssd/sssd.conf is missing. The installation output shows this. Therefore, we must create that file and leave it with the following minimal content:

:~$ sudo nano /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = amigos.cu

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

# LDAP domain
[domain/amigos.cu]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
# works with ClearOS
ldap_schema = rfc2307
ldap_uri = ldap://centos.amigos.cu
ldap_search_base = dc=amigos,dc=cu
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
cache_credentials = true
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

Once the file has been created, we give it the appropriate permissions and restart the service:

:~$ sudo chmod 0600 /etc/sssd/sssd.conf
:~$ sudo service sssd restart

If we want to enrich the content of the previous file, we recommend running man sssd.conf and/or consulting the existing documentation on the Internet, starting with the links at the beginning of the post. Also consult man sssd-ldap. The sssd package includes an example in /usr/share/doc/sssd/examples/sssd-example.conf, which can be used to authenticate against a Microsoft Active Directory.

Now we can use the more palatable commands finger and getent:

:~$ finger strides
Login: strides                          Name: Strides El Rey
Directory: /home/strides                Shell: /bin/bash
Never logged in.
No mail.
No Plan.

:~$ sudo getent passwd legolas
legolas:*:1004:63000:Legolas The Elf:/home/legolas:/bin/bash

We still cannot rush off and try to authenticate as a user of the LDAP server. First we must edit the file /etc/pam.d/common-session, so that the user's home folder is created automatically at login if it does not exist, and then restart the system:

[---]
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

### The line above must be included BEFORE
# here are the per-package modules (the "Primary" block)
[----]

Now we restart:

:~$ sudo reboot

After logging in, disconnect the network using the Connection Manager, then log out and log back in. Nothing could be quicker. Run ifconfig in a terminal and you will see that eth0 is not configured at all.

Enable the network. Log out and log in again. Check once more with ifconfig.

Of course, to work offline it is necessary to log in at least once while OpenLDAP is online, so that the credentials are stored on our computer.

Let's not forget to make the external user registered in OpenLDAP a member of the necessary groups, always taking the user created during installation as the reference.

If the machine refuses to shut down through the corresponding applet, run sudo poweroff in a console to shut down, and sudo reboot to restart. It remains to find out why this sometimes happens.

Note:

Declaring the option ldap_tls_reqcert = never in the file /etc/sssd/sssd.conf constitutes a security risk, as stated on the SSSD - FAQ page. The default value is «demand». See man sssd-ldap. However, chapter 8.2.5 Configuring Domains of the Fedora documentation states the following:

SSSD does not support authentication over an unencrypted channel. Consequently, if you want to authenticate against an LDAP server, either TLS/SSL or LDAPS is required.

We personally think that the solution covered here is sufficient for an enterprise LAN from the security point of view. Across the WWW Village, we recommend implementing an encrypted channel using TLS, or «Transport Layer Security», between the client computer and the server.

We tried to achieve this by correctly generating self-signed certificates on the ClearOS server, but we could not. It is certainly a pending issue. If any reader knows how to do it, they are welcome to explain it!
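The TLS settings discussed in the note above can be checked mechanically before a client goes into service. The following Python script is an added example, not part of the original article or of SSSD: the function name audit_sssd_conf and the hardened sample are illustrative, and it assumes that ldap_id_use_start_tls is off when the option is absent.

```python
import configparser

# ldap_tls_reqcert values that let a session continue with a bad or
# missing server certificate.
WEAK_REQCERT = {"never", "allow", "try"}

def audit_sssd_conf(text):
    """Return (section, option, message) findings for LDAP domains in sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        dom = cp[section]
        if not section.startswith("domain/") or "ldap" not in (
                dom.get("id_provider"), dom.get("auth_provider")):
            continue
        # Default taken from the article's note: "demand".
        reqcert = dom.get("ldap_tls_reqcert", "demand").strip().lower()
        if reqcert in WEAK_REQCERT:
            findings.append((section, "ldap_tls_reqcert",
                             f"'{reqcert}' does not enforce a valid server certificate"))
        # Assumption: ldap_id_use_start_tls is false when not set.
        start_tls = dom.getboolean("ldap_id_use_start_tls", fallback=False)
        for uri in dom.get("ldap_uri", "").split(","):
            if uri.strip().lower().startswith("ldap://") and not start_tls:
                findings.append((section, "ldap_uri",
                                 f"{uri.strip()} without ldap_id_use_start_tls: "
                                 "identity lookups are sent unencrypted"))
    return findings

# Constructed sample: the domain section from this article.
ARTICLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = amigos.cu

[domain/amigos.cu]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://centos.amigos.cu
ldap_search_base = dc=amigos,dc=cu
cache_credentials = true
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
"""

# Constructed hardened variant: certificate enforced, StartTLS for lookups too.
HARDENED_CONF = ARTICLE_CONF.replace(
    "ldap_tls_reqcert = allow",
    "ldap_tls_reqcert = demand\nldap_id_use_start_tls = true")

if __name__ == "__main__":
    for finding in audit_sssd_conf(ARTICLE_CONF):
        print(*finding, sep=": ")
```

The hardened variant only works once the client trusts the certificate presented by the LDAP server, which is the pending issue described above.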


  1.   kari m

    Another article for the bookmarks 😀

    1.    federico m

      Thanks for the comment, and regards!!!

  2.   Joel m

    Hello. I am trying to make it work with an Ubuntu server and another Ubuntu as the client, and with everything connected it works very well, but when I stop the server or disconnect the network, it does not accept the users' passwords. I don't know what I might be doing wrong. Could it be because I don't have the LDAP server configured to use security (SSL)?

    1.    bayana m

      That is exactly the reason: since you don't have the encrypted channel, it will not accept your password.