我已经在最低限度的centos 7上安装了openldap,并成功地为用户添加了newuser01数据库。 ldapsearch可以正常使用这种格式的主服务器和客户端:
ldapsearch -H ldaps://provider.example.com -x -D "cn=Manager,dc=example,dc=com" -W
但是getent passwd -s sss newuser01或getent passwd newuer01在客户端和主服务器上都getent passwd newuer01返回任何内容。
这里是我看到的文件,我不知道他们是否正确configuration,如果有其他人我应该看看,非常感谢你的努力:
主人:
/etc/nsswitch.conf包含:
passwd: files sss shadow: files sss group: files sss hosts: files dns bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files sss netgroup: files sss publickey: nisplus automount: files aliases: files nisplus
/etc/openldap/ldap.conf包含:
BASE dc=example,dc=com URI ldaps://provider.example.com TLS_CACERTDIR /etc/openldap/certs TLS_REQCERT demand SASL_NOCANON on
/etc/sssd/sssd.conf在服务器上是空的
/etc/pam.d/system-auth包含:
auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so
在客户端:
/etc/nsswitch.conf完全与服务器一样
/etc/openldap/ldap.conf包含:
TLS_CACERTDIR /etc/openldap/cacerts # Turning this off breaks GSSAPI used with krb5 when rdns = false SASL_NOCANON on URI ldaps://provider.example.com:636 BASE dc=example,dc=com
/etc/sssd/sssd.conf包含:
[domain/default] autofs_provider = ldap cache_credentials = False ldap_search_base = dc=example,dc=com krb5_server = # id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldaps://provider.example.com:636 ldap_id_use_start_tls = False ldap_tls_cacertdir = /etc/openldap/cacerts [sssd] services = nss, pam, autofs config_file_version = 2 domains = default [nss] homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp]
/etc/pam.d/system-auth似乎包含了服务器用这个额外条目所做的事情:
session optional pam_sss.so
这对我使用sssd-ldap对付freeipa ldap服务器(不是使用内置的idm提供程序,而是sssd-ldap提供程序)。
authconfig --enablesssd --enablesssdauth --enablelocauthorize --update [domain/default] autofs_provider = ldap ldap_schema = rfc2307bis id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldap://your.ldap.host ldap_id_use_start_tls = True cache_credentials = True ldap_tls_cacertdir = /etc/pki/tls/certs ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt ldap_default_bind_dn = uid=user1,cn=users,cn=accounts,dc=your,dc=domain,dc=tld ldap_default_authtok_type = password ldap_default_authtok = secretpassword ldap_user_search_base = cn=users,cn=accounts,dc=your,dc=domain,dc=tld ldap_group_search_base = cn=groups,cn=accounts,dc=your,dc=domain,dc=tld [sssd] services = nss, pam, autofs config_file_version = 2 domains = default [nss] homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp]
systemctl restart sssd 如果不需要绑定来获取用户列表,请删除ldap_default_bind_dn,ldap_default_authtok_type和ldap_default_authtok指令。 如果你不需要tls,删除那些,但你是validation用户,所以它应该被启用。 修改cacertdir和cacert指令的path,以符合您的情况,作为用户和组search的基础。
在这个博客: http : //www.couyon.net/blog/enabling-ldap-usergroup-support-and-authentication-in-centos-6你会发现一个类似的howto。 官方的红帽文档在这里: https ://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/Configuring_Domains.html#Configuring_Domains-Configuring_a_Native_LDAP_Domain
一如既往,证据是在布丁:
[root@localhost sssd]# grep user1 /etc/passwd [root@localhost sssd]# getent passwd user1 user1:*:1076200004:1076200004:ipa user:/home/user1:/bin/sh