This document details the steps required to make an Ubuntu or Debian machine an LDAP client for authentication purposes.
This document describes how to join an Ubuntu or Debian Linux machine to LDAP for authenticated logins.

So you've got an LDAP server floating around and you'd like to have your Ubuntu or Debian client authenticate against it. It's assumed here that you already have an LDAP server and you or your admin can provide the answers to some of the questions asked upon configuration. Firstly, you'll need to open up your favourite package manager and install libpam-ldap and libnss-ldap:  
$ sudo apt-get install libpam-ldap libnss-ldap

This command will bring down all the required libraries to enable you to have your machine authenticating against the LDAP server of your dreams. Once the packages start being unpacked you'll be hit up for a few questions:

  • IP address / hostname of the LDAP server, e.g. ldap.my.domain
  • The search base of your LDAP domain, e.g. dc=my,dc=domain
  • You'll be asked the version of the LDAP server you're connecting to; "Version 3" ought to be safe in most cases.
  • A screen titled "Configuring LIBNSS-LDAP" will appear with only the "OK" option. Select it :)
  • On the next screen you'll be asked if you want to make root the DB admin. The best answer is "yes".
  • Now you'll be asked whether the DB requires logging in; say "No".
  • You'll be asked for the root login account for LDAP. It is often something like: cn=manager,dc=my,dc=domain
  • Then you'll need to enter the LDAP password for the aforementioned LDAP account.

That will see all the packages installed and the base configuration satisfied. If your LDAP server is already populated with content, then at this point you should be able to run commands such as "getent passwd <username>"; if that username exists only in LDAP and you get a response, you answered all the questions correctly. Now you need to customise PAM to make it use LDAP for authentication. You'll need to run the following command:

$ sudo vi /etc/pam.d/sudo

Once deep in the bowels of the sudo file, you need to add one pam_ldap.so line above the existing pam_unix.so line, something like this:

auth    sufficient      pam_ldap.so
auth    required        pam_unix.so

(Note: From Ubuntu 5.10 (Breezy) and Debian 3.1 (Sarge) you no longer need to edit /etc/pam.d/sudo.) This process now gets repeated for four more files, so I'll show the vi command and then the changes required:

$ sudo vi /etc/pam.d/common-account

account sufficient      pam_ldap.so
account required        pam_unix.so

$ sudo vi /etc/pam.d/common-auth

auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure

$ sudo vi /etc/pam.d/common-password

password    sufficient      pam_ldap.so
password    required        pam_unix.so nullok obscure min=4 max=8 md5

$ sudo vi /etc/pam.d/common-session

session   sufficient      pam_ldap.so
session   required        pam_unix.so

Last but not least we need to edit nsswitch.conf:

$ sudo vi /etc/nsswitch.conf

and once you're in that file, run this vi substitution, which replaces "compat" with "ldap files" on every line it appears (passwd, group and shadow):

:%s/compat/ldap files/g

Tada! If you've entered in all your local configuration information correctly, you'll have a living breathing LDAP authentication client. Enjoy :)
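As an added check, not part of the original how-to: a small POSIX shell script that verifies the pam_ldap/pam_unix ordering and the nsswitch.conf substitution described above against constructed sample files. The sample file names and the write_samples helper are this example's own; on a real machine point the check functions at /etc/pam.d/common-auth and /etc/nsswitch.conf instead.

```shell
#!/bin/sh
# Added example (not the how-to's own code): sanity-check the PAM stack order
# and the NSS databases after the edits above. Samples are constructed here so
# the script runs offline.

# check_pam FILE SVC: succeed (0) only if FILE lists "SVC sufficient pam_ldap.so"
# before "SVC required pam_unix.so". With pam_unix "required" first, an LDAP-only
# user always fails pam_unix, so the whole stack fails whatever pam_ldap returns.
check_pam() {
    file="$1"; svc="$2"
    ldap_line=$(grep -n "^${svc}[[:space:]].*sufficient[[:space:]].*pam_ldap\.so" "$file" | head -n 1 | cut -d: -f1)
    unix_line=$(grep -n "^${svc}[[:space:]].*required[[:space:]].*pam_unix\.so" "$file" | head -n 1 | cut -d: -f1)
    [ -n "$ldap_line" ] && [ -n "$unix_line" ] && [ "$ldap_line" -lt "$unix_line" ]
}

# check_nss FILE: succeed (0) only if passwd, group and shadow all consult ldap,
# i.e. the :%s/compat/ldap files/g substitution reached every one of them.
check_nss() {
    file="$1"
    for db in passwd group shadow; do
        grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|$)" "$file" || return 1
    done
    return 0
}

# write_samples DIR: constructed sample files (hypothetical, for this example only).
write_samples() {
    d="$1"
    # common-auth exactly as edited in this how-to
    printf 'auth    sufficient      pam_ldap.so\nauth    required        pam_unix.so nullok_secure\n' > "$d/good-auth"
    # the same two lines in the wrong order
    printf 'auth    required        pam_unix.so nullok_secure\nauth    sufficient      pam_ldap.so\n' > "$d/bad-auth"
    # nsswitch.conf after the substitution
    printf 'passwd:         ldap files\ngroup:          ldap files\nshadow:         ldap files\nhosts:          files dns\n' > "$d/good-nss"
    # shadow still on compat, so LDAP password data is never consulted
    printf 'passwd:         ldap files\ngroup:          ldap files\nshadow:         compat\n' > "$d/bad-nss"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_pam "$tmp/good-auth" auth && echo "good-auth: pam_ldap precedes pam_unix"
check_pam "$tmp/bad-auth" auth  || echo "bad-auth: pam_unix is consulted first"
check_nss "$tmp/good-nss"       && echo "good-nss: passwd, group and shadow use ldap"
check_nss "$tmp/bad-nss"        || echo "bad-nss: shadow does not consult ldap"
rm -rf "$tmp"
```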

鱼漂 has tested this on Ubuntu 9.10; LDAP authentication can be configured correctly, but note the following:
1. It is no longer necessary to edit the files under pam.d by hand; installing libpam-ldap configures the files under pam.d automatically according to your answers.
2. The updated /etc/pam.d/sudo may cause sudo to ask for the password several times, and the online update program will also fail; the fix is to comment out the pam_ldap.so and pam_unix.so lines in /etc/pam.d/sudo.
3. If an LDAP user needs to use sudo, add the user to the admin group; by default, all users in the admin group can sudo. Alternatively, edit /etc/sudoers to allow the group that the LDAP users belong to to sudo.
4. In LDAP, to give a group multiple members, add the memberUid attribute to that group; this attribute can have multiple values, each being a username, not a user ID.