Hello friends! Please, I repeat, first read «Introduction to a Network with Free Software (I): The ClearOS Offering» and download «ClearOS Step-by-Step Installation with Images» (1.1 MB), so that you know what we are talking about. Without that reading it will be hard to follow us.
System Security Services Daemon
The SSSD program, or System Security Services Daemon, is a Fedora project, born from another project, also from Fedora, called FreeIPA. According to its designers, a short and freely translated definition would be:
SSSD is a service that provides access to different identity and authentication providers. It can be configured for a native LDAP domain (an LDAP-based identity provider with LDAP authentication), or for an LDAP identity provider with Kerberos authentication. SSSD provides an interface to the system through NSS and PAM, and a pluggable back end to connect to multiple and different account sources.
We believe this is a broader and more robust solution for identifying and authenticating users registered in OpenLDAP than the one covered in previous articles, a judgement left to each reader's understanding and experience.
The solution proposed in this article is the most recommended one for desktops and laptops, because it lets us work disconnected: SSSD caches the credentials on the local computer.
Network example
- Domain controller, DNS, DHCP: ClearOS Enterprise 5.2sp1.
- Controller name: centos
- Domain name: amigos.cu
- Controller IP: 10.10.10.60
- ---------------
- Debian version: Wheezy.
- Hostname: deb7
- IP address: via DHCP
We check that the LDAP server is working
We edit the file /etc/ldap/ldap.conf and install the package ldap-utils:
:~# nano /etc/ldap/ldap.conf
[----]
BASE dc=amigos,dc=cu
URI ldap://centos.amigos.cu
[----]
:~# aptitude install ldap-utils
:~$ ldapsearch -x -b 'dc=amigos,dc=cu' '(objectclass=*)'
:~$ ldapsearch -x -b dc=amigos,dc=cu 'uid=trancos'
:~$ ldapsearch -x -b dc=amigos,dc=cu 'uid=legolas' cn gidNumber
With the last two commands we look up individual users in the OpenLDAP directory of our ClearOS server. Let's look carefully at the output of the previous commands.
Important: we have just verified that the identity service on our OpenLDAP server works correctly, using anonymous searches (-x without a bind DN). Authentication has not been tested yet.
We install the sssd package
It is also recommended to install the package finger, to run the checks that follow the installation:
:~# aptitude install sssd finger
When the installation finishes, the sssd service does not start, because the file /etc/sssd/sssd.conf is missing; the installation output says so. We therefore create that file with the following minimal content:
:~# nano /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = amigos.cu

[nss]
filter_groups = root
filter_users = root

[domain/amigos.cu]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
# works with ClearOS
ldap_schema = rfc2307
ldap_uri = ldap://centos.amigos.cu
ldap_search_base = dc=amigos,dc=cu
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
cache_credentials = true
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
Once the file is created, we give it the required permissions and restart the service:
:~# chmod 0600 /etc/sssd/sssd.conf
:~# service sssd restart
If we want to enrich the content of the file above, we recommend running man sssd.conf and/or consulting the documentation available on the Internet, starting with the links at the beginning of the post. Also consult man sssd-ldap. The sssd package includes an example in /usr/share/doc/sssd/examples/sssd-example.conf, which can be used to authenticate against Microsoft Active Directory.
Now we can use the commands finger and getent:
:~$ finger trancos
Login: trancos   Name: Trancos
Directory: /home/trancos   Shell: /bin/bash
Never logged in.
No mail.
No Plan.
:~$ sudo getent passwd legolas
legolas:*:1004:63000:Legolas Elf:/home/legolas:/bin/bash
For now we cannot log in as an LDAP user. Before doing so, we modify the file /etc/pam.d/common-session so that the user's home directory is created automatically at the start of their session if it does not exist, and then we restart the system:
[----]
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
### The line above must be included BEFORE
# here are the per-package modules (the "Primary" block)
[----]
We restart our Wheezy:
:~# reboot
After logging in with the LDAP user's credentials, disconnect the network with Network Manager, log out and log in again. Fast, right? Run ifconfig in a terminal and you will see that eth0 is not configured at all.
Enable the network. Log out and log in again. Check again with ifconfig.
Of course, to work offline you must log in at least once while OpenLDAP is reachable, so that the credentials are cached on our computer.
Let's not forget to make the external user registered in OpenLDAP a member of the necessary local groups, always taking as reference the user created during the installation.
Note:
Declaring the option ldap_tls_reqcert = never in the file /etc/sssd/sssd.conf is a security risk, as stated on the SSSD FAQ page. The default value is «hard», which is equivalent to «demand». Note that «allow», used in the minimal file above, also lets the connection proceed when the server certificate cannot be verified; only «demand» or «hard» enforce verification. See man sssd-ldap. However, in chapter 8.2.5 Configuring Domains of the Fedora documentation, the following is stated:
SSSD does not support authentication over an unencrypted channel. Consequently, if you want to authenticate against an LDAP server, either TLS/SSL or LDAPS is required.
Personally, we think the solution reviewed is sufficient for an enterprise LAN from a security point of view. On the WWW "global village", we recommend implementing TLS encryption, or "Transport Layer Security", between the client computer and the server.
We tried to achieve this with the appropriate generation of self-signed certificates on the ClearOS server, but we could not. It is a pending issue. If any reader knows how to do it, they are welcome to explain it!
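As an added check, not code from the original post or from the SSSD project: the POSIX shell script below audits an sssd.conf laid out like the minimal file created in the "We install the sssd package" section against the points of this note (certificate verification, encrypted transport, file mode). The sample configurations it writes, the temporary paths and the amigos.cu domain are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sssd.conf laid out
# like the minimal file in this article. The sample configurations written by
# write_weak_conf/write_hardened_conf, the temporary paths and the amigos.cu
# domain are constructed here for illustration.

# sssd_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
sssd_get() {
    awk -v sec="[$2]" -v key="$3" '
        BEGIN { pat = "^[ \t]*" key "[ \t]*=" }
        /^[ \t]*#/ { next }                                  # comment line
        /^[ \t]*\[/ { l = $0; gsub(/[ \t]/, "", l); insec = (l == sec); next }
        insec && $0 ~ pat { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# file_mode FILE: octal permission bits, e.g. 600 (GNU stat, BSD stat fallback).
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# sssd_audit FILE DOMAIN: print one line per finding; the exit status is the
# number of findings, so 0 means nothing to report.
sssd_audit() {
    file=$1; sec="domain/$2"; findings=0

    # 1. Certificate verification. "never", "allow" and "try" all let the
    #    connection continue with a bad or missing server certificate (the risk
    #    the SSSD FAQ warns about); "demand" and "hard" are equivalent and are
    #    the default, so an absent key is fine.
    reqcert=$(sssd_get "$file" "$sec" ldap_tls_reqcert)
    case "${reqcert:-hard}" in
        demand|hard) ;;
        *) echo "ldap_tls_reqcert = $reqcert: server certificate is not verified"
           findings=$((findings + 1)) ;;
    esac

    # 2. Transport. SSSD starts TLS before sending a password, but identity
    #    lookups (getent, finger) travel in clear over ldap:// unless the URI is
    #    ldaps:// or ldap_id_use_start_tls = true is set.
    uri=$(sssd_get "$file" "$sec" ldap_uri)
    starttls=$(sssd_get "$file" "$sec" ldap_id_use_start_tls)
    case "$uri" in
        ldaps://*) ;;
        *) if [ "$starttls" != "true" ]; then
               echo "ldap_uri = $uri: identity lookups are unencrypted (use ldaps:// or ldap_id_use_start_tls = true)"
               findings=$((findings + 1))
           fi ;;
    esac

    # 3. File mode. The file may hold a bind password; sssd refuses to start
    #    unless it is 0600.
    mode=$(file_mode "$file")
    if [ "$mode" != "600" ]; then
        echo "$file is mode $mode, expected 600"
        findings=$((findings + 1))
    fi
    return $findings
}

# write_weak_conf PATH: the article's minimal sssd.conf (constructed sample).
write_weak_conf() {
    cat > "$1" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = amigos.cu

[nss]
filter_groups = root
filter_users = root

[domain/amigos.cu]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://centos.amigos.cu
ldap_search_base = dc=amigos,dc=cu
enumerate = false
cache_credentials = true
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
EOF
    chmod 0600 "$1"
}

# write_hardened_conf PATH: the same file with the two transport settings fixed.
write_hardened_conf() {
    write_weak_conf "$1"
    sed -i.bak -e 's|^ldap_uri = .*|ldap_uri = ldaps://centos.amigos.cu|' \
               -e 's|^ldap_tls_reqcert = .*|ldap_tls_reqcert = demand|' "$1"
    rm -f "$1.bak"
    chmod 0600 "$1"
}

# Stand-alone demo: audit both constructed samples.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_weak_conf "$d/weak.conf"
    sssd_audit "$d/weak.conf" amigos.cu || echo "weak.conf: $? finding(s)"
    write_hardened_conf "$d/good.conf"
    sssd_audit "$d/good.conf" amigos.cu && echo "good.conf: clean"
    rm -rf "$d"
fi
```

Run it as `sh audit.sh demo` to see the two constructed samples audited; on a real client, call `sssd_audit /etc/sssd/sssd.conf amigos.cu` as root. Because the exit status is the number of findings, the function drops straight into a cron job or a configuration-management check. The hardened sample uses ldaps:// with demand; keeping ldap:// and adding ldap_id_use_start_tls = true is the StartTLS equivalent and passes the same check.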
Greetings to ElioTime3000 and thanks for commenting!!!
Greetings eliotime3000 and thanks for praising the article!!!
Excellent! I want to pass on my warmest congratulations to the author of the post for sharing his great knowledge, and to the blog for allowing its publication.
Thank you very much!
Thank you very much for your praise and your comments!!! They give me strength to keep sharing knowledge with the community, where we all learn.
Good article! Note that, regarding the use of certificates, when you create the certificate you have to add to the LDAP configuration (cn=config):
olcLocalSSF: 71
olcTLSCACertificateFile: /path/to/ca/cert
olcTLSCertificateFile: /path/to/public/cert
olcTLSCertificateKeyFile: /path/to/private/key
olcTLSVerifyClient: try
olcTLSCipherSuite: +RSA:+AES-256-CBC:+SHA1
With that (plus generating the certificates) you will have SSL support.
Greetings!
Thanks for your contribution!!! However, I published 7 articles about OpenLDAP at:
http://humanos.uci.cu/2014/01/servicio-de-directorio-con-ldap-introduccion/
https://blog.desdelinux.net/ldap-introduccion/
In them I emphasize the use of StartTLS over SSL, which is recommended by openldap.org. Greetings @phenobarbital, and thank you very much for commenting.
My email is federico@dch.ch.gob.cu, if you want to exchange more. My Internet access is slow.
For TLS the configuration is the same, bearing in mind that with SSL the transport is exposed over an encrypted channel, while with TLS two encryption methods are negotiated for the data transport; with TLS the handshake can be negotiated on the same port (389), while with SSL the negotiation is done on another port.
Change the following:
olcLocalSSF: 128
olcTLSVerifyClient: allow
olcTLSCipherSuite: NORMAL
(if you are concerned about the security of what you use:
olcTLSCipherSuite: SECURE256:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC)
and restart; afterwards you will see, with:
gnutls-cli-debug -p 636 ldap.ipm.org.gt
Resolving 'ldap.ipm.org.gt'...
Checking for SSL 3.0 support... yes
Checking whether %COMPAT is required... no
Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... yes
Checking fallback from TLS 1.1 to... N/A
Checking for TLS 1.2 support... yes
Checking for safe renegotiation support... yes
Checking for safe renegotiation support (SCSV)... yes
With TLS support enabled, you use 389 (or 636) for TLS and 636 (ldaps) for SSL; they are completely independent of each other and there is no need to disable one to use the other.
Greetings!