Greetings, friends! Please, I repeat: read «Introduction to a Network with Free Software (I): Introducing ClearOS» beforehand and download the ClearOS step-by-step installation packages (1.1 MB), so that you can follow what we are discussing here. Without that reading it will be hard to keep up with us.
System Security Services Daemon
The SSSD program, or System Security Services Daemon, is a Fedora project that grew out of another Fedora project known as FreeIPA. According to its creators, a short, freely translated definition would be:
SSSD is a service that provides access to different identity and authentication providers. It can be configured for a native LDAP domain (an LDAP-based identity provider with LDAP authentication), or for an LDAP identity provider with Kerberos authentication. SSSD provides an interface to the system through NSS and PAM, and a pluggable back-end system to connect to multiple, different account sources.
We believe this is a complete and robust solution for identifying and authenticating the users registered in OpenLDAP, compared with the ones covered in the previous articles; in the end it is a matter of each person's decision and experience.
The solution proposed in this article is the one recommended for portable computers and laptops, since it lets us work offline: SSSD caches the credentials on the local computer.
Example network
- Domain controller, DNS, DHCP: ClearOS Enterprise 5.2sp1
- Controller name: centos
- Domain name: amigos.cu
- Controller IP: 10.10.10.60
- ---------------
- Debian version: Wheezy
- Hostname: debian7
- IP address: assigned by DHCP
We check that the LDAP server is working
We edit the file /etc/ldap/ldap.conf and install the ldap-utils package:
:~# nano /etc/ldap/ldap.conf
[----]
BASE    dc=amigos,dc=cu
URI     ldap://centos.amigos.cu
[----]
:~# aptitude install ldap-utils
:~$ ldapsearch -x -b 'dc=amigos,dc=cu' '(objectclass=*)'
:~$ ldapsearch -x -b 'dc=amigos,dc=cu' 'uid=strides'
:~$ ldapsearch -x -b 'dc=amigos,dc=cu' 'uid=legolas' cn gidNumber
With the last two commands we check that the OpenLDAP server of our ClearOS is reachable and answers queries. Look carefully at the output of the previous commands: the last one returns only the dn of the legolas entry plus its cn and gidNumber attributes.
Important: with this we have also verified that the identity service of our OpenLDAP server works correctly. Note that these searches use an anonymous simple bind (-x with no -D), so they also confirm that the directory allows anonymous reads of the user entries, which is exactly what the SSSD configuration below relies on, since it specifies no bind DN.
We install the sssd package
It is also advisable to install the finger package, to run friendlier checks than ldapsearch:
:~# aptitude install finger sssd
When the installation finishes, the sssd service does not start because the file /etc/sssd/sssd.conf is missing; the installation output says so. We therefore create that file and give it the following minimal content:
:~# nano /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = amigos.cu

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

# LDAP domain
[domain/amigos.cu]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
# works with ClearOS
ldap_schema = rfc2307
ldap_uri = ldap://centos.amigos.cu
ldap_search_base = dc=amigos,dc=cu
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
cache_credentials = true
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
Once the file is created, we set the corresponding permissions and restart the service:
:~# chmod 0600 /etc/sssd/sssd.conf
:~# service sssd restart
If we want to enrich the content of the previous file, we recommend running man sssd.conf and/or consulting the documentation available on the Internet, starting from the links at the beginning of the post. Also consult man sssd-ldap. The sssd package ships the example /usr/share/doc/sssd/examples/sssd-example.conf, which can also be used as a starting point to authenticate against Microsoft Active Directory.
Now we can use the friendlier commands finger and getent:
:~$ finger strides
Login: strides                          Name: Strides El Rey
Directory: /home/strides                Shell: /bin/bash
Never logged in.
No mail.
No Plan.
:~$ sudo getent passwd legolas
legolas:*:1004:63000:Legolas The Elf:/home/legolas:/bin/bash
We still cannot log in as a user of the LDAP server. Before that, we must modify the file /etc/pam.d/common-session so that the user's home directory is created automatically at session start if it does not exist, and then restart the system:
[----]
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
### The line above must be added before the line
# here are the per-package modules (the "Primary" block)
[----]
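The common-session change above can be applied with a re-runnable function rather than a hand edit. This is an added example and not code from the original article: the function and sample names are my own, while the marker line is the one Debian's pam-auth-update writes into /etc/pam.d/common-session (the file's own header recommends placing local modules before or after that managed block, which is why the line goes in front of the marker). The sample file below is a constructed excerpt used only to exercise the function.

```sh
#!/bin/sh
# Added example (not from the original article): insert the pam_mkhomedir
# line before the "Primary" block of Debian's common-session, idempotently.

MKHOMEDIR_LINE='session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
PRIMARY_MARKER='# here are the per-package modules (the "Primary" block)'

# Insert MKHOMEDIR_LINE immediately before the "Primary" block marker in FILE.
# Safe to run twice: if pam_mkhomedir.so is already configured nothing changes.
# Returns 0 on success, 2 if the marker is missing (file not managed by
# pam-auth-update, so edit it by hand), 3 on a write failure.
pam_add_mkhomedir() {  # file
    f=$1
    if grep -q 'pam_mkhomedir\.so' "$f"; then
        return 0
    fi
    grep -qF "$PRIMARY_MARKER" "$f" || return 2
    tmp=$(mktemp) || return 3
    # Exact line match on the marker; "done" guarantees a single insertion.
    awk -v ins="$MKHOMEDIR_LINE" -v mark="$PRIMARY_MARKER" '
        !done && $0 == mark { print ins; done = 1 }
        { print }' "$f" > "$tmp" || { rm -f "$tmp"; return 3; }
    # Copying over the original keeps its owner and mode (root:root 0644).
    cat "$tmp" > "$f" || { rm -f "$tmp"; return 3; }
    rm -f "$tmp"
}

# Constructed excerpt of a Wheezy common-session (sample data, not a real
# system file), written to FILE so the function can be tried offline.
sample_common_session() {  # file
    cat > "$1" <<'EOF'
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# here are the per-package modules (the "Primary" block)
session [default=1]     pam_permit.so
# here's the fallback if no module succeeds
session requisite       pam_deny.so
session required        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required        pam_unix.so
session optional        pam_sss.so
# end of pam-auth-update config
EOF
}

# On a real Wheezy client (as root):  pam_add_mkhomedir /etc/pam.d/common-session
```

After running it, `grep -n mkhomedir /etc/pam.d/common-session` should show exactly one line, sitting directly above the "Primary" block marker; a second run is a no-op.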
We reboot our Wheezy:
:~# reboot
After logging in, disconnect the network with Network Manager, log out, and log back in. Nothing is faster. Run ifconfig in a terminal and you will see that eth0 has no address configured at all.
Bring the network up again. Log out and log back in. Check with ifconfig once more.
Of course, to work offline it is essential to log in at least once while OpenLDAP is online, so that the credentials are cached on our computer (SSSD keeps this cache under /var/lib/sss/db; with cache_credentials = true the cached entries do not expire unless offline_credentials_expiration is set in the [pam] section).
Don't forget that the external user registered in OpenLDAP must be a member of the necessary groups, and always pay special attention to the user created during the installation.
Note:
Declaring the option ldap_tls_reqcert = never in the file /etc/sssd/sssd.conf is a security risk, as stated on the SSSD FAQ page. The default value is hard (equivalent to demand). See man sssd-ldap. The value allow used in the file above is no safer in this respect: the server certificate is requested, but a missing or invalid one is accepted, so the client cannot tell the real server from an impostor; only try, demand and hard reject a bad certificate, and only demand/hard also reject a missing one. However, section 8.2.5 Configuring Domains of the Fedora documentation states the following:
SSSD does not support authentication over an unencrypted channel. Consequently, if you want to authenticate against an LDAP server, either TLS/SSL or LDAPS is required.
Personally, we think the solution achieved is sufficient for an enterprise LAN from the security point of view. Across the WWW (the global village), we recommend implementing an encrypted channel with TLS, «Transport Layer Security», between the client computer and the server.
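To make the point of the note concrete, here is a small audit of the sssd.conf options it discusses. This is an added example, not code from the article or from the SSSD project: the function and sample names (sssd_get, sssd_audit, write_conf) are my own, while the option names are the real sssd.conf(5) and sssd-ldap(5) keys. The sample file is constructed in the layout of the article's minimal configuration, with the two options under discussion filled in by parameters.

```sh
#!/bin/sh
# Added example (not from the original article): audit an sssd.conf for the
# weak settings discussed in the note (ldap_tls_reqcert, clear-text lookups,
# file mode). Function names are my own.

# Print the value of KEY in section [SECTION] of FILE (first match, comments
# skipped), or nothing if it is not set.
sssd_get() {  # file section key
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); insec = (s == ("[" sec "]")); next }
        insec && $0 !~ /^[ \t]*#/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Report weak settings for [domain/DOMAIN] in FILE, one finding per line.
# Returns 0 when nothing was flagged, 1 otherwise.
sssd_audit() {  # file domain
    f=$1; sec="domain/$2"; rc=0
    reqcert=$(sssd_get "$f" "$sec" ldap_tls_reqcert)
    uri=$(sssd_get "$f" "$sec" ldap_uri)
    starttls=$(sssd_get "$f" "$sec" ldap_id_use_start_tls)
    # sssd-ldap(5): "never" and "allow" both continue on a missing or bad
    # server certificate, so TLS gives no protection against an impostor.
    case "${reqcert:-hard}" in
        never|allow)
            echo "ldap_tls_reqcert=$reqcert: server certificate is not verified"; rc=1 ;;
    esac
    # SSSD always uses TLS for the authentication bind, but plain ldap://
    # identity lookups stay in clear text unless StartTLS is requested.
    case "$uri" in
        ldaps://*) ;;
        *) [ "${starttls:-false}" = true ] ||
               { echo "ldap_uri=$uri: identity lookups are sent in clear text"; rc=1; } ;;
    esac
    # The file can carry a bind password (ldap_default_authtok): keep it 0600.
    mode=$(ls -l "$f" | cut -c2-10)
    [ "$mode" = "rw-------" ] ||
        { echo "mode is $mode, expected rw------- (chmod 0600)"; rc=1; }
    return $rc
}

# Constructed sample in the layout of the article's file (sample data, not a
# real system file). REQCERT and STARTTLS fill the two options under
# discussion; MODE sets the file mode.
write_conf() {  # file reqcert starttls mode
    cat > "$1" <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = amigos.cu

[domain/amigos.cu]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://centos.amigos.cu
ldap_search_base = dc=amigos,dc=cu
ldap_id_use_start_tls = $3
cache_credentials = true
ldap_tls_reqcert = $2
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
EOF
    chmod "$4" "$1"
}

# On a real client:  sssd_audit /etc/sssd/sssd.conf amigos.cu
```

Run against the article's file as written (allow, no StartTLS for lookups, before the chmod) the audit reports three findings; with ldap_tls_reqcert = demand, ldap_id_use_start_tls = true, the CA bundle that actually signed the ClearOS certificate, and mode 0600 it reports none. The demand/true combination only works once the server presents a certificate the client can verify, which is the pending matter the article mentions.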
We tried to get the ClearOS server to generate self-signed certificates correctly, but we could not. It really is a pending matter. If any reader knows how to do it, the explanation is welcome!
Very good.
Greetings ElioTime3000, and thank you for the comments!!!
Greetings eliotime3000, and thank you for the praise of the article!!!
Very good! I want to send my warmest congratulations to the author of the publication for sharing his vast knowledge, and to the blog for allowing its publication.
Thank you!
Thank you very much for your praise and comments!!! They give me strength to keep sharing knowledge with the community, from which we all learn.
Good article! Note that, regarding the use of certificates, when you create the certificate you must add to the LDAP configuration (cn=config):
olcLocalSSF: 71
olcTLSCACertificateFile: /path/to/ca/cert
olcTLSCertificateFile: /path/to/public/cert
olcTLSCertificateKeyFile: /path/to/private/key
olcTLSVerifyClient: try
olcTLSCipherSuite: +RSA:+AES-256-CBC:+SHA1
With this (and generating the certificates) you will have SSL support.
Thank you!
Thank you for your contribution!!! However, I published 7 articles about OpenLDAP:
http://humanos.uci.cu/2014/01/servicio-de-directorio-con-ldap-introduccion/
https://blog.desdelinux.net/ldap-introduccion/
Among them I emphasize the use of StartTLS over SSL, as openldap.org recommends. Greetings @phenobarbital, and thank you very much for your comments.
My e-mail is Federico@dch.ch.gob.cu, in case you want to exchange more. My Internet access is very limited.
The TLS configuration is the same, keeping in mind that SSL is a transport built to encrypt the channel efficiently, while TLS is a bidirectional negotiation for the transmission of data; the TLS handshake can be negotiated on the same port (389), whereas the SSL negotiation is done on a different port.
Change the following:
olcLocalSSF: 128
olcTLSVerifyClient: allow
olcTLSCipherSuite: NORMAL
(if you are paranoid about security, use:
olcTLSCipherSuite: SECURE256:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC)
and restart; afterwards you will see:
gnutls-cli-debug -p 636 ldap.ipm.org.gt
Resolving 'ldap.ipm.org.gt'...
Checking for SSL 3.0 support... yes
Checking whether %COMPAT is required... no
Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... yes
Checking fallback from TLS 1.1 to... N/A
Checking for TLS 1.2 support... yes
Checking for safe renegotiation support... yes
Checking for safe renegotiation support (SCSV)... yes
With TLS support also enabled, you use 389 (or 636) for TLS and 636 (ldaps) for SSL; they are completely independent of each other and you do not need to disable one to use the other.
Thank you!