Linux
如何使用 Active Directory 對 linux 使用者進行身份驗證
使用 Active Directory 對 linux (Debian) 機器上的使用者進行身份驗證的最佳實踐是什麼?
我希望它工作的方式是將 AD 使用者添加到一個組中 - 例如linux administrators或linux webserver,並根據他們的組成員身份,他們將/不會被授予對特定伺服器的訪問權限。理想情況下,root 帳戶將是唯一以標準方式維護的帳戶。
我這樣做的目標如下:
- 允許在一處更改密碼
- 使用他們的 AD 憑據自動授予某些人訪問 linux 伺服器的權限
- 將我們所有的使用者資訊整合到一個數據庫中
我要避免的事情是:
- 我們的 Active Directory 管理員難以管理/違反直覺的任何事情
- 如果由於某種原因無法訪問 AD 伺服器(即,它需要以某種方式記憶體憑據),則將使用者鎖定在外
- 任何過於復雜或不標準的東西,在我下次升級伺服器時會損壞。
您沒有理由在大多數發行版上使用任何外部軟體。
對於 Debian/Ubuntu,您可以使用 libnss-ldap 和 libpam-krb5 來完成。有一些技巧可以100%獲得它。這假設您為 Linux 使用者填充了“unixHomeDirectory”,您的 Linux 機器使用 Windows 系統通用的 NTP(Kerberos 要求),並且您可以使用純文字 NSS 查找(不是密碼,而是組成員資訊等) - 您也可以使用 TLS,但設置起來更複雜)。除非您設置為使用 TLS,否則不應將 pam_ldap 作為 PAM 中的密碼或身份驗證源。
/etc/ldap.conf
# LDAP Configuration for libnss-ldap and libpam-ldap. # Permit host to continue boot process with out contacting LDAP server bind_policy soft # Define LDAP servers to use for queries, these must be Global Catalog servers uri ldap://ldap.site.company.local # Define root search location for queries base dc=company,dc=local #debug 1 # LDAP version, almost always going to be v3, it is quite mature ldap_version 3 # Username used to proxy authentication. You can have this in a separate file owned by root for security OR use TLS/SSL (see man page) # Do NOT use LDAP for authentication if you are using plain text binds, use Kerberos instead (and LDAP for authorization only). See libpam-krb5. binddn cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=local # Password for proxy acct bindpw SooperSekeretPazzwerd # TCP port to perform queries on, 3268 is a Global Catalog port which will reply for all users in *.company.local port 3268 # Search range scope (sub = all) scope sub # Tell the client to close TCP connctions after 30 seconds, Windows will do this on the server side anyways, this will prevent errors from showing up in the logs. idle_timelimit 30 # Expect queries for group membership to return DN for group members instead of usernames (lets you use MSAD group membership seamlessly) nss_schema rfc2307bis # Filters - User accounts must have a UID >= 2000 to be recognized in this configuration and must have a unixHomeDirectory defined. nss_base_group dc=company,dc=local?sub?&(objectClass=group)(gidNumber=*) nss_base_user dc=company,dc=local?sub?&(objectClass=user)(!(objectClass=localputer))(uidNumber>=2000)(unixHomeDirectory=*) nss_base_shadow dc=company,dc=local?sub?&(objectClass=user)(!(objectClass=localputer))(uidNumber>=2000)(unixHomeDirectory=*) # Object Class mappings. You may want to have the posixAccount to map to "mail" and have users login with their email addresses, i.e. "nss_map_objectclass posixAccount mail". nss_map_objectclass posixAccount user nss_map_objectclass shadowAccount user nss_map_objectclass posixGroup group # Attribute mappings. nss_map_attribute uniqueMember member nss_map_attribute uid sAMAccountName nss_map_attribute homeDirectory unixHomeDirectory nss_map_attribute shadowLastChange pwdLastSet # Attribute in LDAP to query to match the username used by PAM for authentication pam_login_attribute sAMAccountName # Filter for objects which are allowed to login via PAM pam_filter objectclass=User
您不需要編輯 /etc/krb5.conf 假設您的 Linux 機器正在使用了解 AD 的 DNS 伺服器(具有適當 SRV 記錄的 _msdcs 區域是可解析的)
/etc/nsswitch.conf 應該有使用者、組、影子的“文件 ldap”。
對於使用 SSSD 的紅帽:
/etc/sssd/sssd.conf
[domain/AD] id_provider = ldap auth_provider = krb5 chpass_provider = krb5 access_provider = ldap ldap_uri = ldap://ldap.company.local:3268/ ldap_search_base = dc=company,dc=com ldap_default_bind_dn = cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=local ldap_default_authtok = SooperSekeretPazzwerd ldap_schema = rfc2307bis ldap_user_object_class = user ldap_group_object_class = group ldap_user_name = sAMAccountName ldap_user_home_directory = unixHomeDirectory enumerate = true ldap_tls_reqcert = never ldap_tls_cacertdir = /etc/openldap/cacerts ldap_id_use_start_tls = False cache_credentials = True krb5_realm = SITE.COMPANY.COM case_sensitive = false [sssd] services = nss, pam config_file_version = 2 domains = AD [nss] filter_users = root,named,avahi,nscd