Unit 8: LDAP network accounts

1. What is LDAP

LDAP provides directory-service authentication, similar to Windows Active Directory; it is a way of storing and looking up data.

 

2. Software required on the LDAP client

yum install sssd krb5-workstation -y

 

3. How to enable LDAP user authentication

authconfig-tui

 

┌────────────────┤ Authentication Configuration ├─────────────────┐
│                                                                 │
│  User Information        Authentication                         │
│  [ ] Cache Information   [ ] Use MD5 Passwords                  │
│  [*] Use LDAP            [*] Use Shadow Passwords               │
│  [ ] Use NIS             [ ] Use LDAP Authentication            │
│  [ ] Use IPAv2           [*] Use Kerberos                       │
│  [ ] Use Winbind         [ ] Use Fingerprint reader             │
│                          [ ] Use Winbind Authentication         │
│                          [*] Local authorization is sufficient  │
│                                                                 │
│            ┌────────┐                      ┌──────┐             │
│            │ Cancel │                      │ Next │             │
│            └────────┘                      └──────┘             │
│                                                                 │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘


 

 

┌─────────────────┤ LDAP Settings ├─────────────────┐
│                                                   │
│          [*] Use TLS                              │
│  Server: ldap://cla***oom.example.com/___________ │
│ Base DN: dc=example,dc=com_______________________ │
│                                                   │
│         ┌──────┐                ┌──────┐          │
│         │ Back │                │ Next │          │
│         └──────┘                └──────┘          │
│                                                   │
│                                                   │
└───────────────────────────────────────────────────┘


 

 

 

┌─────────────────┤ Kerberos Settings ├──────────────────┐
│                                                        │
│        Realm: EXAMPLE.COM_____________________________ │
│          KDC: cla***oom.example.com___________________ │
│ Admin Server: cla***oom.example.com___________________ │
│               [ ] Use DNS to resolve hosts to realms   │
│               [ ] Use DNS to locate KDCs for realms    │
│                                                        │
│          ┌──────┐                    ┌────┐            │
│          │ Back │                    │ Ok │            │
│          └──────┘                    └────┘            │
│                                                        │
│                                                        │
└────────────────────────────────────────────────────────┘


<When the following error appears>

 

┌────────────────┤ Warning ├─────────────────┐
│                                            │
│ To connect to a LDAP server with TLS       │
│ protocol enabled you need a CA certificate │
│ which signed your server's certificate.    │
│ Copy the certificate in the PEM format to  │
│ the '/etc/openldap/cacerts' directory.     │
│ Then press OK.                             │
│                                            │
│                  ┌────┐                    │
│                  │ Ok │                    │
│                  └────┘                    │
│                                            │
│                                            │
└────────────────────────────────────────────┘


This happens because the TLS CA certificate is missing: the CA certificate that signed the server's certificate must be downloaded from the server into /etc/openldap/cacerts.

Command used (the -P option saves the file directly into the cacerts directory):

wget http://172.25.254.254/pub/example-ca.crt -P /etc/openldap/cacerts

 

<Test>

getent passwd ldapuser1

If the user's information is displayed correctly, the client-side LDAP authentication setup succeeded.

 

4. Auto-mounting user home directories

yum install autofs -y

vim /etc/auto.master

/home/guests /etc/auto.ldap

 

vim /etc/auto.ldap

ldapuser1 172.25.254.254:/home/guests/ldapuser1

or, as a single wildcard entry that covers every user under /home/guests (the & is replaced by the matched user name):

* 172.25.254.254:/home/guests/&

 

systemctl restart autofs                               
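A missing space between the key and the location is an easy mistake in these map files, and autofs then has a key with no location to mount. The following shell check is an added example, not code from the original post: it validates an auto.master-style or auto.ldap-style map before the restart, using constructed sample maps built from the entries above.

```shell
#!/bin/sh
# Added example (not from the original post): validate an autofs map before
# "systemctl restart autofs". Each entry must be:  key [-options] location
# location is host:/path in an indirect map like /etc/auto.ldap, or an
# absolute map path in /etc/auto.master. A missing space between key and
# location leaves a key with no location at all.
# Usage: check_auto_map FILE [LOCATION_REGEX]; returns 0 only if all lines pass.
check_auto_map() {
    map=$1
    pat=$2; [ -n "$pat" ] || pat='^[^:]+:/'   # default: NFS host:/path
    rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|\#*) continue ;; esac   # blanks and comments
        set -f; set -- $line; set +f      # -f: a '*' key must not glob
        [ $# -gt 0 ] || continue          # whitespace-only line
        key=$1; shift
        case "$1" in -*) shift ;; esac    # optional mount options
        loc=$1
        if [ -z "$loc" ]; then
            echo "$map:$n: key '$key' has no location (missing space?)" >&2
            rc=1
        elif ! printf '%s\n' "$loc" | grep -Eq "$pat"; then
            echo "$map:$n: location '$loc' does not match $pat" >&2
            rc=1
        elif [ "$key" = '*' ] && ! printf '%s\n' "$loc" | grep -q '&'; then
            echo "$map:$n: wildcard key needs '&' in its location" >&2
            rc=1
        fi
    done < "$map"
    return $rc
}

# Constructed sample maps: the post's entries with and without the typo.
DEMO_DIR=$(mktemp -d)
printf '%s\n' '/home/guests/etc/auto.ldap'  > "$DEMO_DIR/auto.master.bad"
printf '%s\n' '/home/guests /etc/auto.ldap' > "$DEMO_DIR/auto.master.good"
printf '%s\n' 'ldapuser1172.25.254.254:/home/guests/ldapuser1' > "$DEMO_DIR/auto.ldap.bad"
cat > "$DEMO_DIR/auto.ldap.good" <<'EOF'
# one explicit entry, then a wildcard that covers every other user
ldapuser1  -rw,soft  172.25.254.254:/home/guests/ldapuser1
*  172.25.254.254:/home/guests/&
EOF

report() { if check_auto_map "$@"; then echo "$1: OK"; else echo "$1: FIX"; fi; }
report "$DEMO_DIR/auto.master.bad" '^/'
report "$DEMO_DIR/auto.master.good" '^/'
report "$DEMO_DIR/auto.ldap.bad"
report "$DEMO_DIR/auto.ldap.good"
```

Run it as `check_auto_map /etc/auto.ldap` and `check_auto_map /etc/auto.master '^/'` on the real files; a non-zero exit means a line needs fixing before the service is restarted.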
