SWL Network (V): Debian Wheezy and ClearOS. SSSD authentication against native LDAP.

Hello friends! Please, I repeat, read beforehand «Introduction to a network with Free Software (I): Provisioning ClearOS» and download ClearOS Step by Step, the package of installation images (1.1 MB), so that you know what we are talking about. Without that reading it will be hard to follow us.

System Security Services Daemon

The SSSD, or System Security Services Daemon, is a Fedora project born inside another project, also from Fedora, called FreeIPA. According to its designers, a short and freely translated definition would be:

SSSD is a service that provides access to different identity and authentication providers. It can be configured for a native LDAP domain (an LDAP-based identity provider with LDAP authentication), or for an LDAP identity provider with Kerberos authentication. SSSD provides an interface to the system through NSS and PAM, and a pluggable backend to connect to multiple, different account sources.

We believe we are looking at a broader and more robust solution for identifying and authenticating users registered in OpenLDAP than the one covered in the previous articles; that judgement is left to each reader's own understanding and experience.

The solution proposed in this article is the most recommended one for desktops and laptops, because it lets us work disconnected: SSSD caches the credentials on the local computer.

Example network

  • Domain controller, DNS, DHCP: ClearOS Enterprise 5.2sp1.
  • Controller name: centos
  • Domain name: amigos.cu
  • Controller IP: 10.10.10.60
  • ---------------
  • Debian version: Wheezy.
  • Hostname: deb7
  • IP address: obtained via DHCP

We check that the LDAP server is working

We edit the file /etc/ldap/ldap.conf and install the package ldap-utils:

:~# nano /etc/ldap/ldap.conf
[----]
BASE    dc=amigos,dc=cu
URI     ldap://centos.amigos.cu
[----]
:~# aptitude install ldap-utils
:~$ ldapsearch -x -b 'dc=amigos,dc=cu' '(objectclass=*)'
:~$ ldapsearch -x -b dc=amigos,dc=cu 'uid=trancos'
:~$ ldapsearch -x -b dc=amigos,dc=cu 'uid=legolas' cn gidNumber

With the last two commands we confirm that the OpenLDAP server of our ClearOS exists and answers. Let us look carefully at the output of the previous commands.

Important: we have verified that the identification service on our OpenLDAP server works correctly.

[Image: red-swl-04-users]

We install the sssd package

It is also advisable to install the finger package, so that we can run checks later on:

:~# aptitude install sssd finger

Once the installation finishes, the sssd service does not start because the file /etc/sssd/sssd.conf is missing; the installation output says so. Therefore we must create that file and leave it with the following minimal content (the [pam] and [domain/amigos.cu] section headers and the id/auth provider lines follow the package's sssd-example.conf):

:~# nano /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = amigos.cu

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/amigos.cu]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
# works with ClearOS
ldap_schema = rfc2307
ldap_uri = ldap://centos.amigos.cu
ldap_search_base = dc=amigos,dc=cu
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
cache_credentials = true
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

Once the file has been created, we give it the appropriate permissions and restart the service:

:~# chmod 0600 /etc/sssd/sssd.conf
:~# service sssd restart

If we want to enrich the content of the file above, we recommend running man sssd.conf and/or consulting the documentation available on the Internet, starting with the links at the beginning of the post. Also consult man sssd-ldap. The sssd package ships an example in /usr/share/doc/sssd/examples/sssd-example.conf, which can be used to authenticate against Microsoft Active Directory.

Now we can use the most common commands, finger and getent:

:~$ finger trancos
Login: trancos                          Name: Trancos Re
Directory: /home/trancos                Shell: /bin/bash
Never logged in.
No mail.
No Plan.

:~$ sudo getent passwd legolas
legolas:*:1004:63000:Legolas Elf:/home/legolas:/bin/bash

We still cannot authenticate as a user of the LDAP server. Before that, we modify the file /etc/pam.d/common-session so that the user's home folder is created automatically at login if it does not exist, and then we restart the system:

[----]
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

### The line above must be included BEFORE
# here are the per-package modules (the "Primary" block)
[----]

We restart our Wheezy:

:~# reboot

After logging in successfully, disconnect the network using Network Manager, log out and log back in. As quick as anything. Run ifconfig in a terminal and you will see that eth0 is not configured at all.

Enable the network. Log out and log in again. Check again with ifconfig.

Of course, to be able to work offline you must log in at least once while OpenLDAP is online, so that the credentials get cached on our computer.

Let us not forget to make the external user registered in OpenLDAP a member of the necessary groups, always paying attention to the user created during the installation.

Note:

Declaring the option ldap_tls_reqcert = never in the file /etc/sssd/sssd.conf is a security risk, as stated on the SSSD-FAQ page. The default value is «demand». See man sssd-ldap. However, in chapter 8.2.5 Configuring Domains of the Fedora documentation, the following is stated:

SSSD does not support authentication over an unencrypted channel. Consequently, if you want to authenticate against an LDAP server, either TLS/SSL or LDAPS is required.

We personally believe that the solution examined here is sufficient for an enterprise LAN from the security point of view. For the global village of the WWW, we recommend implementing tunnel-style TLS, or «Transport Layer Security», between the client computer and the server.

We tried to achieve this with the proper generation of self-signed certificates («Self Signed») on the ClearOS server, but we could not. It is a pending issue. If any reader knows how to do it, you are welcome to explain it!
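Since a wrong ldap_tls_reqcert value is easy to leave behind while testing, here is an added audit script (not from the original post) that parses an sssd.conf and flags the settings this section discusses: ldap_tls_reqcert weaker than demand, plain ldap:// URIs whose identity lookups travel in cleartext unless ldap_id_use_start_tls is set, and cache_credentials storing hashes locally. The sample configuration is constructed from the post's file with the risky value substituted.

```python
import configparser
import io
from typing import List, Tuple

# Constructed sample (not the post's file verbatim): the post's minimal
# sssd.conf, but with ldap_tls_reqcert = never, the value the note warns about.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = amigos.cu

[domain/amigos.cu]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://centos.amigos.cu
ldap_search_base = dc=amigos,dc=cu
cache_credentials = true
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
"""


def audit_sssd_conf(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for every LDAP domain in an sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    findings: List[Tuple[str, str]] = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.get("id_provider", "").strip() != "ldap":
            continue
        # Server certificate checking: SSSD's default is "demand".
        reqcert = dom.get("ldap_tls_reqcert", "demand").strip().lower()
        if reqcert in ("never", "allow"):
            findings.append(("HIGH", f"{section}: ldap_tls_reqcert = {reqcert} skips server certificate verification"))
        # Identity lookups over plain ldap:// are cleartext unless StartTLS is forced;
        # authentication itself always uses StartTLS or ldaps.
        start_tls = dom.getboolean("ldap_id_use_start_tls", fallback=False)
        for uri in (u.strip() for u in dom.get("ldap_uri", "").split(",")):
            if uri.startswith("ldap://") and not start_tls:
                findings.append(("MEDIUM", f"{section}: {uri} without ldap_id_use_start_tls = true, identity lookups are sent in cleartext"))
        if dom.getboolean("cache_credentials", fallback=False):
            findings.append(("INFO", f"{section}: cache_credentials = true stores password hashes locally; keep sssd.conf and the cache root-only"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit_sssd_conf(SAMPLE_SSSD_CONF):
        print(f"[{severity}] {msg}")
```

Run it against /etc/sssd/sssd.conf as root (the file is mode 0600) to confirm only the INFO finding remains after switching to ldap_tls_reqcert = demand and an ldaps:// or StartTLS-protected URI.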

iivsikets.cu



  1.   Eliotime3000 says

    Excellent

    1.    Federico says

      Greetings to ElioTime3000 and thanks for commenting!!!

    2.    Federico says

      Greetings eliotime3000 and thanks for the praise of the article!!!

  2.   kulayi says

    Excellent! I want to convey my great joy to the author of the publication for sharing his great knowledge, and to the blog for allowing it to be published.

    Thanks a lot!

    1.    Federico says

      Thank you very much for your praise and your comments!!! They give me the strength to keep sharing knowledge with the community, where we all learn.

  3.   phenobarbital says

    Good article! Note that, regarding the use of certificates, when you create the certificate you must add to the ldap configuration (cn=config):

    olcLocalSSF: 71
    olcTLSCACertificateFile: /path/to/ca/cert
    olcTLSCertificateFile: /path/to/public/cert
    olcTLSCertificateKeyFile: /path/to/private/key
    olcTLSVerifyClient: try
    olcTLSCipherSuite: +RSA:+AES-256-CBC:+SHA1

    With this (plus creating the certificates) you will have SSL support.

    Greetings!

    1.    Federico says

      Thanks for your contribution!!! However, I published 7 articles about OpenLDAP at:
      http://humanos.uci.cu/2014/01/servicio-de-directorio-con-ldap-introduccion/
      https://blog.desdelinux.net/ldap-introduccion/
      In them I emphasize the use of Start TLS over SSL, as promoted by openldap.org. Greetings @phenobarbital, and thanks a lot for commenting.
      My email is federico@dch.ch.gob.cu, if you want to exchange more. Internet access is slow for me.

    2.    phenobarbital says

      For TLS the configuration is the same, remembering that with SSL the transport is made visible over an encrypted channel, while with TLS the two encryption modes are negotiated for the data transport; with TLS the handshake can be negotiated on the same port (389) while with SSL the negotiation is done on a different port.
      Change the following:
      olcLocalSSF: 128
      olcTLSVerifyClient: allow
      olcTLSCipherSuite: NORMAL
      (if you are concerned about the security you use:
      olcTLSCipherSuite: SECURE256:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC)

      and restart; afterwards you will see with:
      gnutls-cli-debug -p 636 ldap.ipm.org.gt

      Resolving 'ldap.ipm.org.gt'...
      Checking for SSL 3.0 support... yes
      Checking whether %COMPAT is required... no
      Checking for TLS 1.0 support... yes
      Checking for TLS 1.1 support... yes
      Checking fallback from TLS 1.1 to... N/A
      Checking for TLS 1.2 support... yes
      Checking for safe renegotiation support... yes
      Checking for safe renegotiation support (SCSV)... yes

      With TLS support enabled this way, you use 389 (or 636) for TLS and 636 (ldaps) for SSL; they are completely independent of each other and there is no need to disable one in order to use the other.

      Greetings!