Inethiwekhi ye-SWL (IV): Ubuntu Precise kunye ne-ClearOS. Ukuqinisekiswa kwe-SSSD ngokuchasene ne-LDAP yemveli.

fico

Imizuzu ye7

Molweni bahlobo!. Ngokuthe ngqo kwinqanaba, kodwa hayi ngaphambi kokufunda inqaku «Intshayelelo yenethiwekhi eneSoftware yasimahla (I): Ukunikezelwa kwe-ClearOS» kwaye ukhuphele iphakheji yomfanekiso we-ClearOS Inyathelo ngenyathelo (1,1 mega), ukwazi ukuba sithetha ngantoni. Ngaphandle koko kufunda kuya kuba nzima ukusilandela. Kulungile? Ukuzilahlela ngokwesiqhelo.

Inkonzo yoKhuseleko lweDemon

Inkqubo I-SSSD o I-Daemon yeNkonzo yoKhuseleko lweNkqubo, yiprojekthi ye Fedora, Wazalelwa kwenye iprojekti- nayo evela kuFedora- ebizwa MahalaIPA. Ngokwabayili bayo, inkcazo emfutshane nenokuguqulelwa ngokukhululekileyo iya kuba:

I-SSSD yinkonzo ebonelela ngokufikelela kubazisi abohlukeneyo kunye nabanikezeli boqinisekiso. Inokuqwalaselwa kwindawo yemveli ye-LDAP (umboneleli wesazisi osekwe kwi-LDAP ngokuqinisekiswa kwe-LDAP), okanye umboneleli wesazisi we-LDAP onobungqina beKerberos. I-SSSD ibonelela ngonxibelelwano kwinkqubo ngokusebenzisa NSS y WFP, kunye nesiphelo esingasemva esongeziweyo sokudibanisa okuninzi nokwahlukileyo kwimvelaphi yeakhawunti.

Siyakholelwa ukuba sijamelene nesisombululo esibanzi nesomeleleyo sokuchongwa kunye nokuqinisekiswa kwabasebenzisi ababhalisiweyo kwi-OpenLDAP, kunaleyo ibhekiswe kumanqaku angaphambili, umba oshiywe kukuqonda komntu wonke kunye namava abo.

Isisombululo esicetywayo kweli nqaku sesona sicetyiswayo kwiicompyuter kunye neelaptops, kuba iyasivumela ukuba sisebenze sinqanyuliwe, kuba i-SSSD igcina iziqinisekiso kwikhompyuter yalapha.

Umzekelo womnatha

  • Umlawuli weDomain, iDNS, iDHCP: Cacisa ishishini 5.2sp1.
  • Igama lomlawuli: iisenti
  • Igama leNdawo: umhlobo.cu
  • Umlawuli we-IP: 10.10.10.60
  • ---------------
  • Inguqulelo ka-Ubuntu: Ubuntu Desktop 12.04.2 Precise.
  • Igama leqela: ngqo
  • Idilesi ye-IP: Sebenzisa i-DHCP

Silungisa Ubuntu bethu

Silungisa ifayile /etc/lightdm/lightdm.conf ukwamkela ukungena ngesandla, kwaye siyishiya inomxholo olandelayo:

[SeatDefaults] umbuliso-iseshoni=ubunye-ubulisi user-session=ubuntu mbuliso-bonisa-manual-login=umbulisi-wokwenyani-fihla-abasebenzisi=inyani vumela-undwendwe=bubuxoki

Emva kokugcina utshintsho, siqala kwakhona ifayile Ukukhanya kwiconsole ecelwe ngu Ctrl+Alt+F1 kwaye kuyo senza, emva kokungena, inkonzo ye-sudo lightdm iqala kwakhona.

Kukwacetyiswa ukuba uhlele ifayile / njl / imikhosi kwaye uyishiye inomxholo olandelayo:

127.0.0.1 inginginya yasekhaya 127.0.1.1 precise.amigos.cu ichanekile [----]

Ngale ndlela sifumana iimpendulo ezifanelekileyo kwimiyalelo igama lomkhosi y igama lomamkeli -fqdn.

Sijonga ukuba iseva ye-LDAP iyasebenza

Silungisa ifayile /etc/ldap/ldap.conf kwaye ufake iphakheji ldap-izixhobo:

:~$ sudo nano /etc/ldap/ldap.conf
[----] BASE dc = abahlobo, dc = cu URI ldap: //centos.amigos.cu [----]
:~$ sudo ukufaneleka kokufaka i-ldap-utils :~$ ldapsearch -x -b 'dc=amigos,dc=cu' '(objectclass=*)' :~$ ldapsearch -x -b dc=amigos,dc=cu 'uid =amanyathelo'
: ~ $ ldapsearch -x -b dc = abahlobo, dc = cu 'uid = legolas' cn gidNumber

Ngemiyalelo emibini yokugqibela, sijonga ubukho be-OpenLDAP iseva ye-ClearOS yethu. Makhe sijonge kakuhle kwiziphumo zemiyalelo yangaphambili.

Kubalulekile: siqinisekisile ukuba iNkonzo yokuchonga kwiseva yethu ye-OpenLDAP isebenza ngokuchanekileyo.

Inethiwekhi-swl-04-abasebenzisi

Sifaka iphakheji ye-sssd

Kukwacetyiswa ukuba ufake iphakheji umnwe ukwenza iitshekhi zisela xa kuselwa ukuhla:

:~$ sudo aptitude faka i-sssd umnwe

Ukugqitywa kofakelo, inkonzo ssd ayiqali ngenxa yokulahleka kwefayile /etc/sssd/sssd.conf. Iziphumo zofakelo zibonisa oku. Ke ngoko, kufuneka senze loo fayile kwaye siyishiye ne- Umxholo omncinci olandelayo:

:~$ sudo nano /etc/sssd/sssd.conf
[sssd] config_file_version = 2 services = nss, pam # SSSD ayizukuqala ukuba awuqwalaseli nayiphi na imimandla. # Yongeza ubumbeko lwesizinda esitsha njenge [domain / ], kwaye # emva koko yongeza uluhlu lwemimandla (ngolandelelwano ofuna babuzwe # kulo mbuzo) kwi "domains" uphawu olungezantsi kwaye ungalikhuphi. domains = amigos.cu [nss] filter_groups = root filter_users =
umboneleli_provider = ldap
chpass_provider = ldap # ldap_schema iset to "rfc2307", egcina amagama amalungu eqela kwi # "memberuid" uphawu, okanye "rfc2307bis", egcina amalungu eqela le-DNs kwi # "ilungu" lelungu. Ukuba awulazi eli xabiso, cela i-LDAP # yomlawuli. # isebenza nge-ClearOS ldap_schema = rfc2307
ldap_uri = ldap: //centos.amigos.cu
ldap_search_base = dc = abahlobo, dc = cu # Qaphela ukuba ukwenza ubalo kuya kuba nefuthe lokusebenza eliphakathi. # Ngenxa yoko, ixabiso elisisiseko lokuqikelela liBUXOKI. # Jonga i-sssd.conf iphepha lomntu ukufumana iinkcukacha ezipheleleyo. enumerate = false # Vumela ukungena ngaphandle kweintanethi ngokugcina kwalapha igama hashes (okungagqibekanga: ubuxoki). cache_credentials = yinyani
ldap_tls_reqcert = vumela
I-ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

Nje ukuba ifayile yenziwe, sinika iimvume ezihambelanayo kwaye siqale inkonzo kwakhona:

:~$ sudo chmod 0600 /etc/sssd/sssd.conf
:~$ sudo inkonzo ssd qala kwakhona

Ukuba sifuna ukutyebisa umxholo wefayile edlulileyo, sicebisa ukuba siphumeze indoda sssd.conf kunye / okanye uqhagamshelane namaxwebhu akhoyo kwi-Intanethi, ukuqala ngamakhonkco ekuqaleni kweposti. Nxibelelana kwakhona indoda sssd-ldap. Iphakheji ssd ibandakanya umzekelo kwi /usr/share/doc/sssd/examples/sssd-example.conf, enokusetyenziselwa ukunyaniseka ngokuchasene neMicrosoft Directory esebenzayo.

Ngoku sinokusebenzisa eyona miyalelo iselwayo umnwe y Fumana:

: ~ $ amanqanaba eminwe
Ukungena: ukuhamba ngegama: Ukuhamba kwe-Re Re Directory: / ekhaya / ukuhamba kweShell: / bin / bash Ungaze ungene. Akukho meyile. Akukho siCwangciso.

: ~ $ sudo ufumane i-passwd legolas
iilegolas: *: 1004: 63000: iLegolas Elf: / ikhaya / iigolola: / bin / bash

Asikwazi kuqhuba kwaye sizame ukuziqinisekisa njengabasebenzisi beseva ye-LDAP. Okokuqala kufuneka siyiguqule ifayile /etc/pam.d/indlela eqhelekileyo, ukuze ifolda yomsebenzisi yenziwe ngokuzenzekelayo xa uqala iseshoni yakho, ukuba ayikho, emva koko uqalise inkqubo kwakhona:

[----]
Iseshoni efunekayo pam_mkhomedir.so skel = / etc / skel / umask = 0022

### Lo mgca ungasentla kufuneka ubandakanywe NGAPHAMBI
# nazi iimodyuli zephakeji nganye (ibhloko "yaseprayimari" [----]

Ngoku ukuba siqala kwakhona:

: ~ $ sudo yokuqalisa kwakhona

Emva kokungena ngemvume, nqamula inethiwekhi usebenzisa uMlawuli woQhagamshelo kwaye uphume kwaye ungene ngaphakathi. Ukukhawuleza akukho nto. Qalisa kwisiphelo sendlela ifconfig Kwaye baya kubona ukuba I-eth0 ayimiselwanga kwaphela.

Sebenzisa inethiwekhi. Nceda ungene kwaye ungene kwakhona. Jonga kwakhona nge ifconfig.

Ewe kunjalo, ukusebenza ngaphandle kweintanethi, kuyafuneka ungene nokuba kukanye ngelixa i-OpenLDAP ikwi-intanethi, ukuze iimqinisekiso zigcinwe kwikhompyuter yethu.

Masingalibali ukwenza umsebenzisi wangaphandle obhalisiweyo kwi-OpenLDAP ilungu lamaqela ayimfuneko, ehlala ejonge umsebenzisi owenziwe ngexesha lofakelo.

Ukuba ikhompyuter ayifuni ukucima usebenzisa i applet ehambelanayo, emva koko isebenze kwi-console Isiphumo samandla ukucima, kwaye sudo kabusha ukuqalisa kwakhona. Kuhlala kukufumanisa ukuba kutheni oku kusenzeka ngamanye amaxesha.

Qaphela:

Chaza ukhetho ldap_tls_reqcert = soze, kwiFayile /etc/sssd/sssd.conf, Umngcipheko wokhuseleko njengoko kuchaziwe kwiphepha I-SSSD-FAQ. Ixabiso elingagqibekanga ngu «imfuneko«. Yabona indoda sssd-ldap. Nangona kunjalo, kwisahluko 8.2.5 Ukuqwalasela iiNdawo Ukusuka kumaxwebhu eFedora, oku kulandelayo kuchaziwe:

I-SSSD ayixhasi ubunyani ngaphezulu komjelo ongabhalwanga. Ngenxa yoko, ukuba ufuna ukungqinisisa ngokuchasene neseva ye-LDAP, nokuba yeyiphi TLS/SSL or LDAPS Iyafuneka.

I-SSSD ayixhasi ubunyani ngaphezulu komjelo ongabhalwanga. Ke ngoko, ukuba ufuna ukungqinisisa ngokuchasene neseva ye-LDAP, kuyakufuneka I-TLS / SLL o I-LDAP.

Sicinga ngokobuqu ukuba isisombululo sijongiwe yanele i-Enterprise LAN, ukusuka kwindawo yokhuseleko yokujonga. Kwidolophana yeWWW, sicebisa ukumiliselwa kwesitayile esiguqulelweyo TLS okanye «Umaleko Wokhuseleko Lwezothutho », phakathi kwekhompyuter yomthengi kunye neseva.

Sizama ukufezekisa oku kwisizukulwana esifanelekileyo sezatifikethi zokuSayina okanye «Uyityikityile Kwiseva ye-ClearOS, kodwa asikwazanga. Ngumcimbi osalindelweyo. Ukuba nawuphi na umfundi uyayazi indlela yokwenza, wamkelekile ukuyicacisa!

amanyathelo-aqhawulwe


Shiya uluvo lwakho

Idilesi yakho ye email aziyi kupapashwa. ezidingekayo ziphawulwe *

*

*

  1. Uxanduva lwedatha: UMiguel Ángel Gatón
  2. Injongo yedatha: Ulawulo lwe-SPAM, ulawulo lwezimvo.
  3. Umthetho: Imvume yakho
  4. Unxibelelwano lwedatha: Idatha ayizukuhanjiswa kubantu besithathu ngaphandle koxanduva lomthetho.
  5. Ukugcinwa kweenkcukacha
  6. Amalungelo: Ngalo naliphi na ixesha unganciphisa, uphinde uphinde ucime ulwazi lwakho.

  1.   iyeva sitsho
    yenzayo 10 iminyaka

    Elinye inqaku eliya kwiiBhukhimaksi 😀

    Phendula u-elav
    1.    UFrederick sitsho
      yenzayo 10 iminyaka

      Enkosi ngezimvo kunye nokuBulisa !!!

      Phendula kwi-federico
  2.   joel sitsho
    yenzayo 10 iminyaka

    Mholo. Ndizama ukuyenza isebenze ngomncedisi we-Ubuntu kunye nomnye u-Ubuntu njengomthengi, kwaye iqhagamshele yonke into isebenza kakuhle, kodwa xa ndimisa umncedisi okanye ndiqhawula inethiwekhi ayiwamkeli amagama ayimfihlo abasebenzisi. Andazi ukuba ndinokuba ndenza ntoni na. Ngaba kungenxa yokuba andinayo iseva ye-ldap elungiselelwe ukusebenzisa ukhuseleko (ssl)?

    Phendula joel
    1.    ibraybaut sitsho
      yenzayo 9 iminyaka

      Yiyo loo nto kanye, kuba ungenayo itshaneli efihliweyo, ayisayi kwamkela igama lokugqithisa lakho.

      Phendula kwi-braybaut