I-SWL Network (IV): Ubuntu Precise ne-ClearOS. Ukuqinisekiswa kwe-SSSD kuqhathaniswa ne-LDAP yomdabu.

Sanibonani zihlobo !. Iqonde ngqo ephuzwini, hhayi ngaphambi kokufunda i-athikili «Isingeniso kuNethiwekhi eneSoftware yamahhala (I): Ukwethulwa kwe-ClearOS»Futhi landa iphakheji yezithombe ze-ClearOS Step by Step (1,1 mega), ukuze wazi ukuthi sikhuluma ngani. Ngaphandle kwalokho kufunda kuzoba nzima ukusilandela. Kulungile? Umkhuba uphelelwe yithemba.

Isevisi Yezokuphepha Kwesistimu iDaemon

Uhlelo I-SSSD o I-Daemon Yesevisi Yokuphepha Kwesistimu, kuwumsebenzi we Fedora, Ezalwe ngenye iphrojekthi - nayo evela kuFedora- ibizwa MahhalaIPA. Ngokuya ngabadali bayo, incazelo emfushane futhi ehunyushwe ngokukhululekile kungaba:

I-SSSD iyinsizakalo enikezela ukufinyelela kubanikezeli abahlukile be-Identity kanye nokufakazela ubuqiniso. Ingalungiselelwa isizinda sendabuko se-LDAP (umhlinzeki wobunikazi osuselwa ku-LDAP onokufakazela ubuqiniso be-LDAP), noma umhlinzeki wobunikazi be-LDAP onokufakazela ubuqiniso kweKerberos. I-SSSD inikeza isikhombimsebenzisi ohlelweni ngokusebenzisa NSS y WFP, kanye ne-Back End efakiwe yokuxhuma kumvelaphi yama-akhawunti amaningi nehlukile.

Sikholwa ukuthi sibhekene nesisombululo esibanzi futhi esiqinile sokukhonjwa nokufakazelwa ubuqiniso kwabasebenzisi ababhalisiwe ku-OpenLDAP, kunalabo okukhulunywe ngabo ezindatshaneni ezedlule, isici esishiyelwe ekuboneni kwawo wonke umuntu kanye nokuhlangenwe nakho kwabo.

Isixazululo esiphakanyiswe kulo mbhalo yiso esinconyelwa kakhulu kumakhompyutha aphathekayo nama-laptops, ngoba asivumela ukuthi sisebenze sinqanyuliwe, ngoba i-SSSD igcina imininingwane kwikhompyutha yendawo.

Isibonelo senethiwekhi

• Isilawuli Sesizinda, i-DNS, i-DHCP: I-ClearOS Enterprise 5.2sp1.
• Igama Lesilawuli: centos
• Igama Lesizinda: abangani.cu
• Isilawuli IP: 10.10.10.60
• ---------------
• Uhlobo lobuntu: Ubuntu Desktop 12.04.2 Precise.
• Igama leqembu: okuqondile
• Ikheli le-IP: Kusetshenziswa i-DHCP

Silungiselela Ubuntu bethu

Siguqula ifayela /etc/lightdm/lightdm.conf ukwamukela ukungena ngesandla, futhi sikushiya nokuqukethwe okulandelayo:

[SeatDefaults] greeter-session = united-greeter user-session = ubuntu greeter-show-manual-login = true greeter-fihla-users = true allow-guest = false

Ngemuva kokugcina izinguquko, siqala kabusha ifayela le- Khanyisa kukhonsoli efakwe ngu Ctrl+Alt+F1 futhi kuyo senza, ngemuva kokungena ngemvume, isevisi ye-sudo lightdm restart.

Kunconywa futhi ukuhlela ifayili / njll / amabamba bese uyishiya nokuqukethwe okulandelayo:

127.0.0.1 i-localhost 127.0.1.1 eqondile.amigos.cu inembile [----]

Ngaleyo ndlela sithola izimpendulo ezifanele emiyalweni igama lomkhosi y igama lomsingathi –fqdn.

Sihlola ukuthi iseva ye-LDAP iyasebenza

Siguqula ifayela /etc/ldap/ldap.conf bese ufaka iphakheji i-ldap-utils:

: ~ $ sudo nano /etc/ldap/ldap.conf
[----] BASE dc = abangani, dc = cu URI ldap: //centos.amigos.cu [----]

: ~ $ sudo aptitude ukufaka i-ldap-utils: ~ $ ldapsearch -x -b 'dc = abangani, dc = cu' '(objectclass = *)': ~ $ ldapsearch -x -b dc = abangane, dc = cu 'uid = amagxathu '
: ~ $ ldapsearch -x -b dc = abangane, dc = cu 'uid = legolas' cn gidNumber

Ngemiyalo emibili yokugcina, sibheka ukutholakala kweseva ye-OpenLDAP ye-ClearOS yethu. Ake sibheke kahle imiphumela yemiyalo yangaphambilini.

Okubalulekile: siqinisekisile nokuthi Insiza Yokuhlonza kuseva yethu ye-OpenLDAP isebenza kahle.

Sifaka iphakethe le-sssd

Kunconywa futhi ukufaka iphakheji umunwe ukwenza amasheke aphuze ukudlula i- ldapsearch:

: ~ $ sudo ukufaneleka ukufaka umunwe we-sssd

Lapho kuqedwa ukufakwa, insizakalo ssd ayiqali ngenxa yefayela elilahlekile /etc/sssd/sssd.conf. Ukukhishwa kokufakwa kukhombisa lokhu. Ngakho-ke, kufanele sidale lelo fayela bese silishiya nefayela le- okuqukethwe okulandelayo okuncane:

: ~ $ sudo nano /etc/sssd/sssd.conf
[sssd] config_file_version = 2 services = nss, pam # SSSD ngeke iqale uma ungalungiseleli noma yiziphi izizinda. # Engeza ukucushwa kwesizinda esisha njenge [domain / ] izigaba, bese # bese ufaka uhlu lwezizinda (ngendlela ofuna zibuzwe ngayo # kumfanelo "yezizinda" engezansi bese uyayekisa. domains = amigos.cu [nss] filter_groups = root filter_users = root reconnection_retries = 3 [pam] reconnection_retries = 3 # domain LDAP [domain / amigos.cu] id_provider = ldap
auth_provider = ldap
chpass_provider = ldap # ldap_schema ingasethwa ku- "rfc2307", egcina amagama amalungu eqembu kumfanelo # "memberuid", noma ku- "rfc2307bis", egcina amalungu eqembu ama-DNs kumfanelo # "yelungu". Uma ungalazi leli nani, buza umphathi wakho we-LDAP #. # isebenza nge-ClearOS ldap_schema = rfc2307
ldap_uri = ldap: //centos.amigos.cu
ldap_search_base = dc = abangane, dc = cu # Qaphela ukuthi ukunika amandla ukubala kuzoba nomthelela wokusebenza ngokulingene. # Ngenxa yalokho, inani elizenzakalelayo lokubala liyiFALSE. # Bheka i-sssd.conf man page ukuthola imininingwane egcwele. enumerate = false # Vumela ukungena ngemvume ungaxhunyiwe ku-inthanethi ngokugcina endaweni ama-hashes we-password (okuzenzakalelayo: amanga). cache_credentials = kuyiqiniso
ldap_tls_reqcert = vumela
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

Lapho ifayili selakhiwe, sinikezela izimvume ezihambelanayo bese siqala kabusha insiza:

: ~ $ sudo chmod 0600 /etc/sssd/sssd.conf
: ~ $ sudo service sssd restart

Uma sifuna ukucebisa okuqukethwe kwefayela langaphambilini, sincoma ukusebenzisa indoda sssd.conf kanye / noma uthintane nemibhalo ekhona ku-Intanethi, uqale ngezixhumanisi ekuqaleni kokuthunyelwe. Futhi thintana indoda sssd-ldap. Iphakheji ssd kufaka isibonelo ku /usr/share/doc/sssd/examples/sssd-example.conf, engasetshenziselwa ukugunyaza ngokumelene ne-Microsoft Active Directory.

Manje sesingasebenzisa imiyalo ephuzwa kakhulu umunwe y uthole:

: ~ $ finger strides
Login: strides Name: Strides El Rey Directory: / home / strides Shell: / bin / bash Ungakaze ungene ngemvume. Ayikho imeyili. Alikho icebo.

: ~ $ sudo getw passwd legolas
i-legolas: *: 1004: 63000: I-Legolas I-Elf: / ikhaya / i-legolas: / bin / bash

Asikwazi ukuzithumela ukuze sizame ukugunyaza njengomsebenzisi kuseva ye-LDAP. Ngaphambi kokuthi siguqule ifayela /etc/pam.d/common-session, ukuze ifolda yomsebenzisi yenziwe ngokuzenzakalela lapho uqala iseshini yakho, uma ingekho, bese uqala kabusha uhlelo:

[----]
isikhathi sidingeka pam_mkhomedir.so skel = / etc / skel / umask = 0022

### Umugqa ongenhla kufanele ufakwe NGAPHAMBI
# nanka amamojula ephakeji ngalinye (ibhulokhi "Eyinhloko") [----]

Manje uma siqala kabusha:

: ~ $ sudo qala kabusha

Ngemuva kokungena ngemvume, nqamula inethiwekhi usebenzisa iMenenja yokuXhuma bese uphuma uphinde ungene ngaphakathi. Ungasheshisi lutho. Qalisa esigungwini ifconfig futhi bazobona ukuthi i eth0 ayimisiwe nhlobo.

Yenza kusebenze inethiwekhi. Sicela ungene futhi ungene ngemvume futhi. Hlola futhi nge ifconfig.

Vele, ukusebenza ngokungaxhunyiwe ku-inthanethi, kuyadingeka ukuqala iseshini okungenani kanye ngenkathi i-OpenLDAP iku-inthanethi, ukuze iziqinisekiso zigcinwe kukhompyutha yethu.

Masingakhohlwa ukwenza umsebenzisi wangaphandle obhaliswe ku-OpenLDAP abe yilungu lamaqembu adingekayo, abheke njalo umsebenzisi owenziwe ngesikhathi sokufakwa.

Uma okokusebenza kungafuni ukucishwa ngu i-applet elihambisanayo, bese ugijima kukhonsoli Sudo poweroff ukucisha, futhi ukuqala kabusha kwe-sudo ukuqala kabusha. Kuhlala ukuthola ukuthi kungani lokhu okungenhla kwesinye isikhathi kwenzeka.

Note:

Memezela inketho ldap_tls_reqcert = akakaze, kufayela /etc/sssd/sssd.conf, kuyingozi yokuphepha njengoba kushiwo ekhasini I-SSSD - Imibuzo Evame Ukubuzwa. Inani elizenzakalelayo lithi «kwesidzingo«. Bheka indoda sssd-ldap. Noma kunjalo, esahlukweni 8.2.5 Ukuhlela Izizinda Kusuka kumadokhumenti e-Fedora, okulandelayo kuyashiwo:

I-SSSD ayisekeli ukufakazela ubuqiniso ngaphezu kwesiteshi esingabhalwanga. Ngenxa yalokho, uma ufuna ukuqinisekisa ngeseva ye-LDAP, noma TLS/SSL or LDAPS iyadingeka.

I-SSSD akusekeli ukufakazela ubuqiniso ngaphezu kwesiteshi esingabhalwanga. Ngakho-ke, uma ufuna ukuqinisekisa ngeseva ye-LDAP, kuzodingeka I-TLS / SLL o I-LDAP.

Ngokwethu sicabanga ukuthi isixazululo sibhekiwe yanele i-Enterprise LAN, kusuka endaweni yokubuka yokuphepha. Ngokusebenzisa iWWW Village, sincoma ukusebenzisa ishaneli ebethelwe usebenzisa TLS noma «Isendlalelo Sokuphepha Kwezokuthutha », phakathi kwekhompyutha yeklayenti neseva.

Sizama ukukufeza kusuka esizukulwaneni esifanele sezitifiketi ze-Self Signed noma i- «Uyasayina “Kusiphakeli se-ClearOS, kepha asikwazanga. Empeleni kuyinkinga esalindile. Uma kukhona umfundi okwazi ukukwenza, wamukelekile ukukuchaza!