Linux
nslcd with domain.com and sub.domain.com
I am trying to set up our linux servers with nslcd across multiple AD domains, example.com and sub.example.com.
The current nslcd setup is very simple and works for the domain example.com:
uid nslcd
gid ldap
uri ldaps://dc1.example.com:636
base dc=example,dc=com
binddn cn=srv_authuser,ou=server,dc=example,dc=com
bindpw ----
tls_reqcert never
pagesize 1000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map passwd uid sAMAccountName
map passwd uidNumber objectSid:S-1-5-21-4129304498-564803152-741489137
map passwd gidNumber gidNumber
map passwd loginShell "/bin/bash"
map passwd homeDirectory "/home/$sAMAccountName"
map passwd gecos displayName
# stray fragment of a second filter line as posted; not a valid directive on its own:
# )(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map group gidNumber objectSid:S-1-5-21-4129304498-564803152-741489137
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
tls_cacertdir /etc/openldap/cacerts
ssl on
Is it possible with nslcd (pam-nss-ldap) to set up a second ldap query for sub.domain.com, or is that only possible with sssd? If the bind user has admin rights on sub.domain.com, can he still fetch the password/account data?
Thanks
You will not be able to do what you want with nslcd alone. Instead, you have to configure a fake LDAP server with a fake domain name, provided by slapd with the slapd-meta or slapd-ldap backend. Then you add your AD servers to, for example, fakedomain.local. Once that is done, you can enroll your clients into fakedomain.local, which contains the several domains. You will then be able to list users from the two different LDAP servers.
Here is an example of your LDAP proxy configuration:
sudo yum install -y openldap openldap-clients openldap-servers
cat /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema
allow bind_v2
allow bind_anon_cred
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap/
moduleload rwm.la
moduleload back_ldap.la
moduleload back_meta.la
loglevel 4095
attributetype ( 1.2.840.113556.1.4.656 NAME 'userPrincipalName' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )

# One meta database serves the fake suffix. slapd refuses two databases with the
# same suffix, so each AD is a target of this one database: every uri starts a
# new target and the suffixmassage/idassert lines after it belong to that target.
database meta
suffix "dc=fakedomain,dc=local"
readonly yes
lastmod off

# Active Directory 1
uri "ldap://ipofyourldap1:389/dc=fakedomain,dc=local"
suffixmassage "dc=fakedomain,dc=local" "ou=users,ou=office,dc=real1,dc=domain"
idassert-bind bindmethod=simple binddn="CN=userwithadminrights,OU=users,OU=office,DC=real1,DC=domain" credentials="yourplaintextpassword"
idassert-authzFrom "*"

# Active Directory 2
uri "ldap://ipofyourldap2:389/dc=fakedomain,dc=local"
suffixmassage "dc=fakedomain,dc=local" "ou=users,ou=office,dc=real2,dc=domain"
idassert-bind bindmethod=simple binddn="CN=userwithadminrights,OU=users,OU=office,DC=real2,DC=domain" credentials="yourplaintextpassword"
idassert-authzFrom "*"
Add the following:
##################### ADD TO /etc/openldap/schema/inetorgperson.schema ############
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
##################### ADD TO /etc/openldap/schema/inetorgperson.schema ############
sudo rm -r /etc/openldap/slapd.d && sudo mkdir /etc/openldap/slapd.d && sudo chown -R ldap.ldap /etc/openldap/slapd.d
sudo slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
sudo slapd -d 1
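As an added example (not part of the question or the answer above), here is a small Python lint over the two kinds of config discussed on this page: the client's nslcd.conf from the question and the slapd-meta proxy's slapd.conf from the answer. The sample inputs are constructed and shortened from the page (names such as ipofyourldap1 and CN=svc are placeholders). It flags certificate checking turned off (tls_reqcert never), ldap:// links that carry the bind password in clear, passwords stored in the files, a proxy that is not read-only, and two database stanzas claiming one suffix, which slapd will not start with; a corrected proxy layout with one uri per target is included beside the weak one.

```python
import shlex

# Constructed sample: the client config from the question, shortened.
NSLCD_WEAK = """\
uid nslcd
uri ldaps://dc1.example.com:636
base dc=example,dc=com
binddn cn=srv_authuser,ou=server,dc=example,dc=com
bindpw ----
tls_reqcert never
ssl on
"""

# Constructed sample: the proxy config from the answer, shortened.
# Two 'database meta' stanzas claim the same suffix, which slapd rejects.
SLAPD_WEAK = """\
database meta
suffix "dc=fakedomain,dc=local"
readonly yes
uri "ldap://ipofyourldap1:389/dc=fakedomain,dc=local"
idassert-bind bindmethod=simple binddn="CN=svc,OU=users,DC=real1,DC=domain" credentials="yourplaintextpassword"
database meta
suffix "dc=fakedomain,dc=local"
readonly yes
uri "ldap://ipofyourldap2:389/dc=fakedomain,dc=local"
idassert-bind bindmethod=simple binddn="CN=svc,OU=users,DC=real2,DC=domain" credentials="yourplaintextpassword"
"""

# Constructed sample: one meta database, one uri per target, both over ldaps.
SLAPD_FIXED = """\
database meta
suffix "dc=fakedomain,dc=local"
readonly yes
uri "ldaps://ipofyourldap1:636/dc=fakedomain,dc=local"
idassert-bind bindmethod=simple binddn="CN=svc,OU=users,DC=real1,DC=domain" credentials="yourplaintextpassword"
uri "ldaps://ipofyourldap2:636/dc=fakedomain,dc=local"
idassert-bind bindmethod=simple binddn="CN=svc,OU=users,DC=real2,DC=domain" credentials="yourplaintextpassword"
"""


def parse_directives(text):
    """Yield (keyword, args) per non-blank, non-comment 'keyword arg ...' line.
    shlex strips the double quotes slapd.conf puts around DNs and URIs."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            yield parts[0].lower(), parts[1:]


def lint_nslcd(text):
    """Flag nslcd.conf settings that weaken the client-to-DC link."""
    findings = []
    for kw, args in parse_directives(text):
        if kw == "tls_reqcert" and args and args[0].lower() in ("never", "allow"):
            findings.append(f"tls_reqcert {args[0]}: the DC certificate is not checked, "
                            "so any host answering on the port is trusted; use 'demand'")
        elif kw == "uri" and any(u.lower().startswith("ldap://") for u in args):
            findings.append("uri ldap://: bind password and account data travel in "
                            "clear; use ldaps:// or 'ssl start_tls'")
        elif kw == "bindpw":
            findings.append("bindpw: service-account password stored in nslcd.conf; "
                            "restrict the file to root and the nslcd user")
    return findings


def lint_slapd(text):
    """Flag weak per-target settings in a slapd-meta proxy config and catch
    duplicate suffixes across database stanzas (slapd refuses to start)."""
    findings, stanzas, cur = [], [], None
    for kw, args in parse_directives(text):
        if kw == "database":
            cur = {"backend": args[0] if args else "", "suffix": None, "readonly": False}
            stanzas.append(cur)
        elif cur is None:
            continue                      # global section: not checked here
        elif kw == "suffix" and args:
            cur["suffix"] = args[0].lower()
        elif kw == "readonly" and args:
            cur["readonly"] = args[0].lower() in ("yes", "on", "true")
        elif kw == "uri" and any(u.lower().startswith("ldap://") for u in args):
            findings.append(f"uri {args[0]}: proxy-to-AD link is plaintext and carries "
                            "the idassert bind password; use ldaps:// or 'tls start'")
        elif kw == "idassert-bind":
            opts = dict(a.split("=", 1) for a in args if "=" in a)
            if "credentials" in opts:
                findings.append(f"idassert-bind {opts.get('binddn', '?')}: password stored "
                                "in slapd.conf; a read-only proxy needs only read rights")
    seen = set()
    for s in stanzas:
        if s["suffix"] and s["suffix"] in seen:
            findings.append(f"suffix {s['suffix']} declared by two database stanzas; slapd "
                            "rejects this, use one 'database meta' with one uri per target")
        seen.add(s["suffix"])
        if s["backend"] == "meta" and not s["readonly"]:
            findings.append(f"database meta {s['suffix']}: not readonly, clients could write through to AD")
    return findings


if __name__ == "__main__":
    for name, fn, cfg in (("nslcd.conf", lint_nslcd, NSLCD_WEAK),
                          ("slapd.conf (as posted)", lint_slapd, SLAPD_WEAK),
                          ("slapd.conf (one database)", lint_slapd, SLAPD_FIXED)):
        print(f"== {name}")
        for f in fn(cfg):
            print("  -", f)
```

Run it as a script to see the findings for each sample; point `lint_nslcd` and `lint_slapd` at your real files to check a deployment. The remaining finding on the corrected proxy, the password in slapd.conf, is inherent to `idassert-bind bindmethod=simple`, so the file permissions and the rights of the bind account are what limit its blast radius.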