SWL Networks (V): Debian Wheezy and ClearOS. SSSD authentication against LDAP.

Hello friends! Please, I repeat: first read «Introduction to a Network with Free Software (I): Presentation of ClearOS» and download the ClearOS Step-by-Step installation package (1.1 MB), so that you can follow what we are going to talk about. Without that reading it will be hard to follow us.

System Security Services Daemon

The SSSD program, or System Security Services Daemon, is a Fedora project that was born from another project, also from Fedora, called FreeIPA. According to its creators, a short and freely translated definition would be:

SSSD is a service that provides access to different identity and authentication providers. It can be configured for a native LDAP domain (an LDAP-based identity provider with LDAP authentication), or for an LDAP identity provider with Kerberos authentication. SSSD provides an interface to the system through NSS and PAM, and a pluggable backend for connecting to multiple and different account sources.

We believe that this is a more complete and robust solution for the identification and authentication of users registered in OpenLDAP than the ones discussed in the previous articles, and it is up to each person to decide according to their own experience.

The solution proposed in this article is the one recommended for portable computers and laptops, since it allows us to work offline, because SSSD caches the credentials on the local computer.

Example network

  • Domain Controller, DNS, DHCP: ClearOS Enterprise 5.2sp1.
  • Controller name: centos
  • Domain name: amigos.cu
  • Controller IP: 10.10.10.60
  • ---------------
  • Debian version: Wheezy
  • Host name: debian7
  • IP address: assigned by DHCP

We verify that the LDAP server is working

We modify the file /etc/ldap/ldap.conf and install the ldap-utils package:

:~# nano /etc/ldap/ldap.conf
[----]
BASE    dc=amigos,dc=cu
URI     ldap://centos.amigos.cu
[----]

:~# aptitude install ldap-utils
:~$ ldapsearch -x -b 'dc=amigos,dc=cu' '(objectclass=*)'
:~$ ldapsearch -x -b dc=amigos,dc=cu 'uid=strides'
:~$ ldapsearch -x -b dc=amigos,dc=cu 'uid=legolas' cn gidNumber

With the last two commands we check access to the OpenLDAP server of our ClearOS. Let us look carefully at the output of the previous commands.

Important: we have also verified that the Identification Service of our OpenLDAP server works correctly.

[Image: network-swl-04-user]

We install the sssd package

It is also advisable to install the finger package, in order to run checks that are more readable than those of ldapsearch:

:~# aptitude install finger sssd

Once the installation finishes, the sssd service does not start because the file /etc/sssd/sssd.conf is missing. The installation output reflects this. Therefore, we must create that file and leave it with at least the following contents:

:~# nano /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = amigos.cu

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

# LDAP domain
[domain/amigos.cu]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
# works with ClearOS
ldap_schema = rfc2307
ldap_uri = ldap://centos.amigos.cu
ldap_search_base = dc=amigos,dc=cu
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
cache_credentials = true
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

Once the file is created, we give it the corresponding permissions and restart the service:

:~# chmod 0600 /etc/sssd/sssd.conf
:~# service sssd restart

If we want to extend the contents of the previous file, we recommend running man sssd.conf and/or consulting the documentation available on the Internet, starting with the links at the beginning of the post. Also consult man sssd-ldap. The sssd package includes an example in /usr/share/doc/sssd/examples/sssd-example.conf, which can be used to authenticate against Microsoft Active Directory.

Now we can use the more readable commands finger and getent:

:~$ finger strides
Login: strides                          Name: Strides El Rey
Directory: /home/strides                Shell: /bin/bash
Never logged in.
No mail.
No Plan.

:~$ sudo getent passwd legolas
legolas:*:1004:63000:Legolas The Elf:/home/legolas:/bin/bash

We still cannot authenticate as a user of the LDAP server. Before that, we must modify the file /etc/pam.d/common-session so that the user's home directory is created automatically at the start of the session, if it does not exist, and then restart the system:

[----]
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

### The line above must be added before
# here are the per-package modules (the "Primary" block)
[----]

We restart our Wheezy:

:~# reboot

After logging in, disconnect the network using the Network Manager, then log out and log back in. Nothing faster than that. Run ifconfig in a terminal and you will see that eth0 is not configured at all.

Activate the network. Log out and log in again. Check again with ifconfig.

Of course, in order to work offline it is necessary to log in at least once while OpenLDAP is online, so that the credentials are stored on our computer.

Do not forget that the external user registered in OpenLDAP must be a member of the necessary groups, and always pay special attention to the user created during the installation.

Note:

Optionally declaring ldap_tls_reqcert = never in the file /etc/sssd/sssd.conf represents a security risk, as stated on the SSSD - FAQ page. The default value is «demand». See man sssd-ldap. However, chapter 8.2.5 Configuring Domains of the Fedora documentation states the following:

SSSD does not support authentication over an unencrypted channel. Consequently, if you want to authenticate against an LDAP server, either TLS/SSL or LDAPS is required.

Personally, we think that the solution obtained is sufficient for an Enterprise LAN from the security point of view. Across the WWW Village, we recommend implementing an encrypted channel using TLS, or «Transport Layer Security», between the client computer and the server.
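As an added example (not code from the original article, nor from the SSSD project), the following Python script parses an sssd.conf laid out like the one above and reports the settings that the configuration section and this Note discuss: ldap_tls_reqcert, the ldap_uri scheme, the CA file and cache_credentials. The sample configuration embedded in it is constructed for the example and deliberately uses ldap_tls_reqcert = never so that the audit has something to flag; ldap_tls_cacertdir is a real sssd-ldap option that the article does not mention.

```python
"""Audit the TLS-related settings of an sssd.conf LDAP domain.

Added example, not code from the original article or from SSSD itself.
The sample configuration below is constructed for this example.
"""
import configparser
import os
import stat

# Constructed sample that mirrors the article's minimal sssd.conf, except
# that ldap_tls_reqcert is deliberately set to "never", the value the Note
# warns about, so that the audit has something to report.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = amigos.cu

[nss]
filter_groups = root
filter_users = root

[pam]
reconnection_retries = 3

[domain/amigos.cu]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://centos.amigos.cu
ldap_search_base = dc=amigos,dc=cu
enumerate = false
cache_credentials = true
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style with '#' comments, which configparser handles."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def audit_domain(cp, domain):
    """Return (severity, message) findings for the [domain/<domain>] section."""
    section = "domain/" + domain
    if not cp.has_section(section):
        return [("error", "missing section [%s]" % section)]
    sec = cp[section]
    findings = []

    # ldap_tls_reqcert defaults to "demand" in sssd-ldap; "never" skips
    # server certificate verification entirely, "allow" tolerates a bad one.
    reqcert = sec.get("ldap_tls_reqcert", "demand").strip().lower()
    if reqcert == "never":
        findings.append(("high", "ldap_tls_reqcert = never: server certificate is not verified"))
    elif reqcert == "allow":
        findings.append(("medium", "ldap_tls_reqcert = allow: an invalid server certificate is accepted"))

    # ldap:// relies on StartTLS being negotiated on port 389; ldaps://
    # encrypts the connection from the first byte.
    uri = sec.get("ldap_uri", "").strip()
    if not uri:
        findings.append(("error", "ldap_uri is not set"))
    elif uri.startswith("ldap://"):
        findings.append(("info", "ldap_uri is ldap://; StartTLS must succeed for authentication"))

    # Without a CA file or directory there is nothing to verify the server
    # certificate against, whatever ldap_tls_reqcert says.
    if "ldap_tls_cacert" not in sec and "ldap_tls_cacertdir" not in sec:
        findings.append(("medium", "no ldap_tls_cacert or ldap_tls_cacertdir configured"))

    # cache_credentials = true is what makes offline laptop logins work; it
    # also means password hashes live on disk, so the file must stay private.
    if sec.get("cache_credentials", "false").strip().lower() == "true":
        findings.append(("info", "cache_credentials = true: password hashes are cached locally"))
    return findings


def audit_config(text):
    """Audit every domain listed under [sssd] domains; returns {domain: findings}."""
    cp = parse_sssd_conf(text)
    domains = [d.strip() for d in cp["sssd"].get("domains", "").split(",") if d.strip()]
    return {d: audit_domain(cp, d) for d in domains}


def has_private_mode(path):
    """True when the file mode is exactly 0600, as the article's chmod sets it."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


if __name__ == "__main__":
    for domain, findings in audit_config(SAMPLE_CONF).items():
        print("[domain/%s]" % domain)
        for severity, message in findings:
            print("  %-6s %s" % (severity, message))
```

Run it against a real file with audit_config(open("/etc/sssd/sssd.conf").read()) and has_private_mode("/etc/sssd/sssd.conf"); the constructed sample yields one high finding for ldap_tls_reqcert = never plus two informational ones, and changing the two risky lines to ldap_tls_reqcert = demand and ldaps:// leaves only the cache_credentials notice.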

We tried to achieve the correct generation of Self-Signed certificates on the ClearOS server, but we could not. It really is a pending matter. If any reader knows how to do it, the explanation is welcome!

[Image: debian7.amigos.cu]



  1.   ElioTime3000 said

    Very good.

    1.    federico said

      Greetings ElioTime3000 and thank you for the comments!!!

    2.    federico said

      Greetings eliotime3000 and thank you for the praise of the article!!!

  2.   kurayi said

    Very good! I want to send a big congratulation to the author of the post for sharing his vast knowledge, and to the blog for allowing its publication.

    Thank you!

    1.    federico said

      Thank you very much for your praise and your comments!!! They encourage me to keep sharing knowledge with the community, from which we all learn something.

  3.   phenobarbital said

    Good article! Note that, regarding the use of certificates, when you create the certificate you must add to the ldap configuration (cn=config):

    olcLocalSSF: 71
    olcTLSCACertificateFile: /path/to/ca/cert
    olcTLSCertificateFile: /path/to/public/cert
    olcTLSCertificateKeyFile: /path/to/private/key
    olcTLSVerifyClient: try
    olcTLSCipherSuite: +RSA:+AES-256-CBC:+SHA1

    With this (and generating the certificates) you will have SSL support.

    Thank you!

    1.    federico said

      Thank you for your contribution!!! However, I published 7 articles about OpenLDAP:
      http://humanos.uci.cu/2014/01/servicio-de-directorio-con-ldap-introduccion/
      https://blog.desdelinux.net/ldap-introduccion/
      In them I emphasize the use of Start TLS over SSL, as recommended by openldap.org. Greetings @phenobarbital, and thank you very much for your comments.
      My email is Federico@dch.ch.gob.cu, in case you want to exchange more. My Internet access is very limited.

    2.    phenobarbital said

      The TLS configuration is the same, keeping in mind that SSL transport was made to encrypt the channel transparently, whereas TLS negotiates the data transmission bidirectionally; the TLS handshake can be negotiated on the same port (389), while the SSL negotiation is done on another port.
      Change the following:
      olcLocalSSF: 128
      olcTLSVerifyClient: allow
      olcTLSCipherSuite: NORMAL
      (if you are paranoid about security, use:
      olcTLSCipherSuite: SECURE256:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC)

      and restart; afterwards you will see:
      gnutls-cli-debug -p 636 ldap.ipm.org.gt

      Resolving 'ldap.ipm.org.gt'...
      Checking for SSL 3.0 support... yes
      Checking whether %COMPAT is required... no
      Checking for TLS 1.0 support... yes
      Checking for TLS 1.1 support... yes
      Checking fallback from TLS 1.1 to... N/A
      Checking for TLS 1.2 support... yes
      Checking for safe renegotiation support... yes
      Checking for safe renegotiation support (SCSV)... yes

      With TLS support also enabled, you use 389 (or 636) for TLS and 636 (ldaps) for SSL; they are totally independent of each other and you do not need to disable one to use the other.

      Thank you!