
First install the packages with YUM

# rpm -qa |grep ldap
nss-pam-ldapd-0.8.13-8.el7.x86_64
openldap-clients-2.4.40-13.el7.x86_64
openldap-2.4.40-13.el7.x86_64

Make sure nsswitch includes ldap

# cat /etc/nsswitch.conf |grep ldap
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
netgroup:   files sss ldap
automount:  files ldap

Configure /etc/openldap/ldap.conf (add the URI and BASE)

URI ldap://192.168.0.200
BASE dc=tw,dc=demo

Check /etc/pam.d/password-auth

# cat /etc/pam.d/password-auth |grep ldap
auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so

Check /etc/pam.d/system-auth

# cat /etc/pam.d/system-auth |grep ldap
auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so

Configure /etc/nslcd.conf

# Local user account and group, nslcd uses.
uid nslcd
gid ldap

# Active Directory server settings. Note this is plain LDAP on port 389,
# not SSL, and tls_reqcert allow would accept any server certificate anyway.
uri             ldap://192.168.0.200:389/
tls_reqcert     allow
base            dc=tw,dc=test

# LDAP bind account (the AD account created earlier). The password is stored
# in clear text, so this file must be readable by root only (mode 0600).
binddn cn=Administrator,cn=Users,dc=tw,dc=test
bindpw P@ssw0rd


# Mappings for Active Directory
pagesize 1000
referrals off

filter passwd (&(objectClass=user)(!(objectClass=computer)))
map    passwd uid              sAMAccountName
map    passwd gecos            displayName
map    passwd homeDirectory    "/home/$uid"
map    passwd loginShell       "/bin/bash"
filter shadow (&(objectClass=user)(!(objectClass=computer)))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (objectClass=group)
map     group   gidNumber       gidNumber
map     group   member          sAMAccountName

Stop the nslcd service and run it in debug mode

# systemctl stop nslcd
# nslcd -d
nslcd: DEBUG: add_uri(ldap://192.168.0.220:389/)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,3)
nslcd: version 0.8.13 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: initgroups("nslcd",55) done
nslcd: DEBUG: setgid(55) done
nslcd: DEBUG: setuid(65) done
nslcd: accepting connections

Test the nslcd service

# getent passwd |grep Administrator
Administrator:*:2500:2512::/home/:/bin/bash
# su - Administrator
-bash-4.2$ id
uid=2500(Administrator) gid=2512(Domain Admins) groups=2512(Domain Admins)
-bash-4.2$ exit
logout
#

Look at the debug output

# nslcd -d
nslcd: DEBUG: add_uri(ldap://192.168.0.200:389/)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,3)
nslcd: version 0.8.13 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: initgroups("nslcd",55) done
nslcd: DEBUG: setgid(55) done
nslcd: DEBUG: setuid(65) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=23866 uid=0 gid=0
nslcd: [8b4567] <sess_c="Administrator"> DEBUG: nslcd_pam_sess_c("Administrator","su-l",12345)
nslcd: [7b23c6] DEBUG: connection from pid=23866 uid=0 gid=0
nslcd: [7b23c6] <passwd="Administrator"> DEBUG: myldap_search(base="dc=tw,dc=test", filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=Administrator))")

If everything looks fine, stop it with Ctrl-C, start it with systemctl restart nslcd, and set it to start at boot .........

Postscript: home does not come out right ........XD
Also, some accounts show

nslcd: [1b58ba] <passwd(all)> CN=Admin,CN=Users,DC=tw,DC=test: uidNumber: missing

and cannot be used ......!@#$%^&*()
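A hardened version of the /etc/nslcd.conf fragment above, as an added example that is not part of the original post; it also addresses the two problems noted in the postscript (the empty home directory and the "uidNumber: missing" accounts). The CA file path and the service-account DN and password are placeholders.

```conf
# /etc/nslcd.conf (added example, not the original post's configuration)
# Placeholders to replace: the CA bundle path and the service-account DN/password.
uid nslcd
gid ldap

# Use LDAPS and actually verify the AD server certificate. "tls_reqcert allow"
# accepts any certificate, so the original fragment would get no real protection
# even if it had used TLS (and it used plain ldap:// on 389 anyway).
uri            ldaps://192.168.0.200:636/
base           dc=tw,dc=test
tls_reqcert    demand
# placeholder: the CA that issued the domain controller's certificate
tls_cacertfile /etc/openldap/certs/ad-ca.pem

# Bind as a dedicated, read-only service account instead of Administrator.
# bindpw is stored in clear text: keep this file owned by root with mode 0600.
# placeholder DN and password
binddn cn=nslcd-svc,cn=Users,dc=tw,dc=test
bindpw CHANGE_ME

# Mappings for Active Directory
pagesize  1000
referrals off

# Only expose accounts that carry POSIX attributes. Without (uidNumber=*) every
# account lacking one is logged as "uidNumber: missing" and is unusable anyway.
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map    passwd uid           sAMAccountName
map    passwd gecos         displayName
# The empty "/home/" in the getent output above is what you get when "$uid"
# does not expand; AD entries carry sAMAccountName, so reference that attribute.
map    passwd homeDirectory "/home/$sAMAccountName"
map    passwd loginShell    "/bin/bash"
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
# Likewise skip groups that have no POSIX gid.
filter group  (&(objectClass=group)(gidNumber=*))
```

After editing, rerun nslcd -d as shown above and confirm the search filter in the debug line now contains (uidNumber=*) and that getent passwd returns a populated home directory.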

echochio posted on 痞客邦