Directory Service with LDAP [5]: OpenLDAP (II)

Let's continue, but not without first consulting:

In this article we will see:

Local user authentication

Once we have the OpenLDAP server running, if we want to test or have local authentication for the users registered (or to be registered) in the Directory, we must install and configure the necessary packages.

In Squeeze, the packages involved are:

libnss-ldap: provides the Name Service Switch (NSS) that allows the LDAP server to act as a name server.

It is intended to provide information about user accounts, group IDs, host information, aliases, netgroups, and basically anything else that is normally found in flat text files such as /etc/passwd, /etc/group, etc., or in a NIS service.

libpam-ldap: "Pluggable Authentication Module for LDAP", or PAM module for LDAP. It provides the integration between the LDAP server and the PAM authentication system.

nscd: "Name Service Cache Daemon", or daemon for the Name Service Cache. It handles lookups of passwords, groups and hosts, and caches the results of those lookups for future reference.

:~# aptitude install libnss-ldap

Installing the libnss-ldap package, which also pulls in libpam-ldap and the nscd daemon as dependencies, takes us to the configuration wizard, whose questions we must answer appropriately:

[Screenshots of the configuration wizard: six libnss-ldap dialogs followed by four libpam-ldap dialogs]

If we want to reconfigure the libnss-ldap and/or libpam-ldap packages, we must run:

:~# dpkg-reconfigure libnss-ldap
:~# dpkg-reconfigure libpam-ldap

Next we modify the file /etc/nsswitch.conf and leave it with the following content:

:~# nano /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

For the changes made to /etc/nsswitch.conf to take effect, we restart the nscd service:

:~# service nscd restart

An important detail is to modify the file /etc/pam.d/common-session so that the home directory of a user registered in the Directory is created on the local server when that user logs in:

:~# nano /etc/pam.d/common-session
[---]
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
### The line above must be added BEFORE
# here are the per-package modules (the "Primary" block)

Populating the database

To populate the Directory database, or to begin doing so, we must add the essential Organizational Units, register at least one user group, and add a user. To do this, we create a file in LDIF format, which we will then add to the Directory, with the following content:

:~# nano content.ldif
dn: ou=People,dc=amigos,dc=cu
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=amigos,dc=cu
objectClass: organizationalUnit
ou: Groups

dn: cn=rings,ou=Groups,dc=amigos,dc=cu
objectClass: posixGroup
cn: rings
gidNumber: 10000

dn: uid=frodo,ou=People,dc=amigos,dc=cu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: frodo
sn: Bagins
givenName: Frodo
cn: Frodo Bagins
displayName: Frodo Bagins
uidNumber: 10000
gidNumber: 10000
userPassword: frodo
mail: frodo@amigos.cu
gecos: Frodo Bagins
loginShell: /bin/bash
homeDirectory: /home/frodo

We add the file to the Directory:

:~# ldapadd -x -D cn=admin,dc=amigos,dc=cu -W -f content.ldif
Enter LDAP Password:
adding new entry "ou=People,dc=amigos,dc=cu"
adding new entry "ou=Groups,dc=amigos,dc=cu"
adding new entry "cn=rings,ou=Groups,dc=amigos,dc=cu"
adding new entry "uid=frodo,ou=People,dc=amigos,dc=cu"

We run the relevant checks:

:~# id frodo
uid=10000(frodo) gid=10000(rings) groups=10000(rings)

:~# getent passwd | grep frodo
frodo:x:10000:10000:Frodo Bagins:/home/frodo:/bin/bash

:~# finger frodo
Login: frodo                            Name: Frodo Bagins
Directory: /home/frodo                  Shell: /bin/bash
Never logged in.
No mail.
No Plan.

:~# ldapsearch -Y EXTERNAL -H ldapi:/// -b uid=frodo,ou=People,dc=amigos,dc=cu

We now have a Directory Service that we need to manage!!! We will cover two ways: the first with the ldapscripts package, and the second, which we will discuss in the next article, will be through the Ldap Account Manager.

We must also mention that the ldap-utils package provides a series of useful commands for managing the Directory. To find out what those commands are, we run:

:~# dpkg -L ldap-utils | grep /bin
/usr/bin
/usr/bin/ldapmodrdn
/usr/bin/ldapurl
/usr/bin/ldapdelete
/usr/bin/ldapwhoami
/usr/bin/ldapexop
/usr/bin/ldappasswd
/usr/bin/ldapcompare
/usr/bin/ldapsearch
/usr/bin/ldapmodify
/usr/bin/ldapadd

To learn more about each command, we recommend running man. Giving a description of each one would make the article very long.

Managing the database with ldapscripts

We choose the ldapscripts package for this task. The installation and configuration procedure is as follows:

:~# aptitude install ldapscripts

:~# cp /etc/ldapscripts/ldapscripts.conf \
/etc/ldapscripts/ldapscripts.conf.original

:~# cp /dev/null /etc/ldapscripts/ldapscripts.conf

:~# nano /etc/ldapscripts/ldapscripts.conf
SERVER=localhost
BINDDN='cn=admin,dc=amigos,dc=cu'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=amigos,dc=cu'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
# MSUFFIX='ou=Computers'
GIDSTART=10001
UIDSTART=10001
# MIDSTART=10000
# OpenLDAP client commands
LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"
GCLASS="posixGroup"
[---]
# UTEMPLATE="/etc/ldapscripts/ldapadduser.template"
PASSWORDGEN="echo %u"

### Note that the scripts use the commands
### of the ldap-utils package

:~# sh -c "echo -n 'tupassword' > \
/etc/ldapscripts/ldapscripts.passwd"

:~# chmod 400 /etc/ldapscripts/ldapscripts.passwd

:~# cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample \
/etc/ldapscripts/ldapadduser.template

:~# nano /etc/ldapscripts/ldapadduser.template
dn: uid=<user>,<usuffix>,<suffix>
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: <user>
sn: <ask>
givenName: <ask>
displayName: <ask>
uid: <user>
uidNumber: <uid>
gidNumber: <gid>
homeDirectory: <home>
loginShell: <shell>
mail: <ask>
gecos: <user>
description: User Account

:~# nano /etc/ldapscripts/ldapscripts.conf
## we uncomment
UTEMPLATE="/etc/ldapscripts/ldapadduser.template"

Let's try adding the user Trancos El Rey to the user group rings and check the data entered:

:~# ldapadduser trancos rings
[dn: uid=trancos,ou=People,dc=amigos,dc=cu] Enter value for "sn": El Rey
[dn: uid=trancos,ou=People,dc=amigos,dc=cu] Enter value for "givenName": Trancos
[dn: uid=trancos,ou=People,dc=amigos,dc=cu] Enter value for "displayName": Trancos El Rey
[dn: uid=trancos,ou=People,dc=amigos,dc=cu] Enter value for "mail": trancos@amigos.cu
Successfully added user trancos to LDAP
Successfully set password for user trancos

:~# ldapfinger trancos
dn: uid=trancos,ou=People,dc=amigos,dc=cu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: trancos
sn: El Rey
givenName: Trancos
displayName: Trancos El Rey
uid: trancos
uidNumber: 10002
gidNumber: 10000
homeDirectory: /home/trancos
loginShell: /bin/bash
mail: trancos@amigos.cu
gecos: trancos
description: User Account
userPassword:: e10000NTSEF1UnlmcWxCem9iUzBuSzQzTkM5ZFRFcTUwV3VsVnBqRm2

Let's change the password of user frodo, list the DNs of the registered users, and delete the newly created user trancos:

:~# ldapsetpasswd frodo
Changing password for user uid=frodo,ou=People,dc=amigos,dc=cu
New Password:
Retype New Password:
Successfully set password for user uid=frodo,ou=People,dc=amigos,dc=cu

:~# lsldap -u | grep dn
dn: uid=frodo,ou=People,dc=amigos,dc=cu
dn: uid=trancos,ou=People,dc=amigos,dc=cu

:~# ldapfinger frodo
dn: uid=frodo,ou=People,dc=amigos,dc=cu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: frodo
sn: Bagins
givenName: Frodo
cn: Frodo Bagins
displayName: Frodo Bagins
uidNumber: 10000
gidNumber: 10000
mail: frodo@amigos.cu
gecos: Frodo Bagins
loginShell: /bin/bash
homeDirectory: /home/frodo
userPassword:: e1NTSEF9TnI4ZXN3YXA1VnplK1ZIZXZzbFZKaWF1SVdWeU5oVjA=

:~# ldapdeleteuser trancos
Successfully deleted user uid=trancos,ou=People,dc=amigos,dc=cu from LDAP

:~# lsldap -u | grep dn
dn: uid=frodo,ou=People,dc=amigos,dc=cu
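Two details of this setup are worth checking mechanically: content.ldif stores userPassword in cleartext, and PASSWORDGEN="echo %u" in ldapscripts.conf gives every new account an initial password equal to its own login name, which only ldapsetpasswd later replaces with an {SSHA} hash of the kind ldapfinger shows. The Python below is an added example, not code from the article or from ldapscripts; it parses LDIF (including the "::" base64 form), verifies {SSHA} values the way OpenLDAP computes them, and flags both conditions over a constructed sample.

```python
import base64
import hashlib

# Constructed sample, not the article's file verbatim: the frodo account from content.ldif
# reduced to the attributes the checks below need, keeping its cleartext userPassword.
SAMPLE_LDIF = """dn: uid=frodo,ou=People,dc=amigos,dc=cu
objectClass: posixAccount
uid: frodo
userPassword: frodo
"""

def parse_ldif(text):
    """Split LDIF into {attr: [values]} dicts; 'attr:: b64' values are base64-decoded."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line:
            if cur:
                entries.append(cur)
            cur = {}
        elif ":: " in line:
            attr, value = line.split(":: ", 1)
            cur.setdefault(attr, []).append(base64.b64decode(value).decode())
        else:
            attr, value = line.split(": ", 1)
            cur.setdefault(attr, []).append(value)
    return entries

def make_ssha(password, salt):
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt), the scheme in the ldapfinger output."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_matches(stored, candidate):
    """Check a candidate password against a stored {SSHA} value (20-byte SHA-1 digest, then salt)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(candidate.encode() + raw[20:]).digest() == raw[:20]

def lint_passwords(entries):
    """Flag posixAccount entries stored in cleartext or whose password is the login name."""
    findings = []
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        dn, uid = e["dn"][0], e.get("uid", [""])[0]
        for pw in e.get("userPassword", []):
            if not pw.startswith("{"):
                findings.append((dn, "cleartext userPassword"))
            # PASSWORDGEN="echo %u" leaves the initial password equal to the uid
            if pw == uid or (pw.startswith("{SSHA}") and ssha_matches(pw, uid)):
                findings.append((dn, "password equals uid"))
    return findings
```

Running lint_passwords over the output of lsldap or ldapsearch piped to a file gives the same two findings for any account that still carries its initial "echo %u" password.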

Let's check that local authentication works correctly:

:~# ssh frodo@mildap
frodo@mildap's password:
Linux mildap 2.6.32-5-686 #1 SMP Fri May 10 08:33:48 UTC 2013 i686
[---]
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb 18 18:54:01 2014 from mildap.amigos.cu
frodo@mildap:~$ pwd
/home/frodo
frodo@mildap:~$

There are many more examples we could write, but unfortunately the article would become too long. We always say that we provide an entry point to the topics of the services in general. It is not possible to replace extensive documentation with a single article.

To learn more about the ldapscripts package and its commands, consult man ldapscripts.

So far, our simple Directory Service based on OpenLDAP works well.

Summary so far...

Many people responsible for corporate network services, when they take over services based on Microsoft products and wish to migrate to Linux, consider migrating the Domain Controllers and other services.

If they do not choose a third-party product such as ClearOS or Zentyal, or if for other reasons they want to be independent, they take on the arduous task of building their own Domain Controller, or their own Samba 4 Active Directory.

Then the problems and other frustrations begin. Operational errors. They cannot find where the problems are in order to solve them. Repeating the installation from scratch. Services that only partially work. And a long list of problems.

The basis of a Domain Controller or Active Directory on Linux, built on OpenLDAP and Samba, necessarily requires basic knowledge of what an LDAP server is, how it is installed, how it is configured and managed, and so on. Those who have read the extensive Samba documentation will know very well what we mean.

To answer that question properly we have written the whole series of articles up to this one, and we will continue with those that are necessary. We hope they are useful to you.



  1. vidagnu said:

    Good post Fico, a question: with OpenLDAP, can domain policies be created? To apply to connected users, such as the screen saver activating after 5 minutes of inactivity, wallpaper configuration, preventing certain applications from running, configuring login scripts, etc.

    Thanks,
    Oscar

    1. federico said:

      Thanks for the comments!!! Oscar, remember that those policies, on Linux, are implemented differently when it comes to Linux clients. GNOME provides tools to achieve that, whose names I don't remember right now. Yes, I know that user account policies can be created directly in OpenLDAP. Many people ask me the same question and I always answer more or less the same. Those security policies only apply to Microsoft clients, NOT to Linux clients. They are two different philosophies. Active Directory is a proprietary application based on OpenLDAP, Microsoft's own Kerberos and the Network Manager, or whatever they call it now. Before, it was in Lan Manager. We cannot think of emulating Active Directory with LDAP alone. We would have to integrate Samba or use Samba 4 to see whether it can be achieved or not. My friend, I haven't even looked at Samba 4 once. 🙂 I don't know whether Zentyal with Active Directory can apply them... but that software is not just OpenLDAP. It is OpenLDAP + Samba + Kerberos + other things I don't know well. In this series I only talk about OpenLDAP, and if you follow it you will see in the diagram I describe throughout the series, and in other important services, that everything is based on authentication against the OpenLDAP Directory.

      Regards