我有一个现有的LDAP(openldap)服务器,我试图让CentOS服务器进行身份validation,而且对于我来说,我无法做到这一点。 例如,我想要#ssh some_ldap_user @ whateverclientserver并能够成功进行身份validation。 有人可以请我指出一个资源,可以帮助我做到这一点? 这似乎不是一个特别复杂的任务,但我的search技能真的让我失望或什么。
假设您的LDAP服务器设置正确(并且有一个TONvariables)..这是我写在每台机器上执行的一个小脚本,以启用LDAP身份validation:
#!/bin/sh #Redhats tool to configure LDAP auth (aka, 'setup' from command line) #change order of two servers to change which one to check first (I pick closest one) authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=server1.local,server2.local --ldapbasedn="dc=whatever,dc=local" --update #I use sudo in LDAP. (very handy tool, see the SUDO LDAP files on the web) echo 'sudoers: files ldap' >> /etc/nsswitch.conf echo 'base dc=whatever,dc=local timelimit 120 bind_policy soft bind_timelimit 120 idle_timelimit 3600 uri ldaps://server1.local/ uri ldaps://server2.local/ ssl yes #without this line, will complain about our self signed certs tls_checkpeer no #because of security choices, have to send the password in the clear (but it goes over SSL, so no big deal). Then Ldap will hash it and compare. #without this line, my people couldn't change passwords. pam_password clear sudoers_base ou=SUDOers,dc=whatever,dc=local ' > /etc/ldap.conf #this lets us know which servers LDAP authentication is setup on... echo '*************************************************' >> /etc/ssh/banner echo '*Authorized users, please use your LDAP password*' >> /etc/ssh/banner echo '*************************************************' >> /etc/ssh/banner echo 'Banner /etc/ssh/banner' >> /etc/ssh/sshd_config service sshd restart