Linux

nslcd 與 domain.com 和 sub.domain.com

  • January 4, 2019

我正在嘗試在多個 AD 域 example.com 和 sub.example.com 中使用 nslcd 設置我們的 linux 伺服器。

目前使用 nslcd 的設置非常簡單,適用於域 example.com:

# nslcd.conf for the single domain example.com (the working setup from the question).
# The file holds bindpw, so keep it readable by root (and the nslcd user) only.
uid nslcd
gid ldap

# Domain controller, LDAP over TLS on 636.
uri ldaps://dc1.example.com:636

base dc=example,dc=com

# Service account used for lookups; "----" stands in for the real password.
binddn cn=srv_authuser,ou=server,dc=example,dc=com
bindpw ----
# NOTE(review): "never" skips verification of the DC certificate, so the ldaps
# connection above is encrypted but not authenticated (a server impersonating
# dc1 would be accepted). Prefer "tls_reqcert demand" with the issuing CA placed
# in tls_cacertdir (configured at the bottom of this file).
tls_reqcert never

pagesize 1000
# Do not chase AD referrals (avoids extra connections to other DCs/domains).
referrals off
idle_timelimit 800
# Exclude computer accounts from passwd lookups.
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map    passwd uid              sAMAccountName
# uidNumber is derived from the RID of objectSid; the S-1-5-21-… prefix is this
# domain's SID, so the mapping is specific to example.com — presumably a second
# domain would need its own SID here (relevant to the sub-domain question); verify.
map    passwd uidNumber        objectSid:S-1-5-21-4129304498-564803152-741489137
map    passwd gidNumber        gidNumber
map    passwd loginShell       "/bin/bash"
map    passwd homeDirectory    "/home/$sAMAccountName"
# NOTE(review): the trailing ")(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))"
# looks like a paste artifact (it resembles a leftover passwd filter); the gecos
# mapping is presumably just "displayName" — confirm against the working file.
map    passwd gecos            displayName)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    group  gidNumber        objectSid:S-1-5-21-4129304498-564803152-741489137
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (objectClass=group)

# CA directory is configured but has no effect while tls_reqcert is "never".
tls_cacertdir /etc/openldap/cacerts
# Requests ldaps; the uri above already uses ldaps://, so this appears redundant (harmless).
ssl on

nslcd (pam-nss-ldap) 是否可以為 sub.domain.com 設置第二個 ldap 查詢,或者這只能通過 sssd 實現?如果綁定使用者在 sub.domain.com 上具有管理員權限,他還能獲取密碼/帳戶數據嗎?

謝謝

您將無法僅使用 nslcd 做您想做的事。相反,您必須使用 slapd 和 slapd-meta 或 slapd-ldap 後端提供的假域名配置一個假 LDAP 伺服器。然後您將添加您的 AD 伺服器到例如 fakedomain.local。完成後,您將能夠將您的客戶端註冊到其中包含幾個域的 fakedomain.local。然後,您將能夠列出來自兩個不同 LDAP 伺服器的使用者。

這是您的 LDAP 代理配置範例:

# Install the OpenLDAP server, client tools and libraries; the brace expansion
# yields exactly: openldap openldap-clients openldap-servers.
sudo yum install -y openldap{,-clients,-servers}

cat /etc/openldap/slapd.conf

# slapd.conf for an LDAP proxy that presents two AD domains under one fake suffix
# (dc=fakedomain,dc=local) through the back-meta backend.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema

# NOTE(review): bind_v2 and bind_anon_cred relax bind handling (LDAPv2 binds, and
# an anonymous bind when the DN is empty but credentials are not — see slapd.conf(5)).
# Neither is obviously needed for a proxy queried by nslcd; drop them unless a
# client actually requires them.
allow bind_v2
allow bind_anon_cred
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
modulepath      /usr/lib64/openldap/
# rwm supplies the DN rewriting used by suffixmassage below; back_ldap is the
# single-target proxy, back_meta the multi-target one the databases below use.
moduleload      rwm.la
moduleload      back_ldap.la
moduleload      back_meta.la
# NOTE(review): 4095 enables nearly every debug category (packet, BER and filter
# dumps included) — useful while bringing the proxy up with "slapd -d", but lower
# it (e.g. stats = 256) before running as a service, otherwise the log records
# search contents and DNs for every lookup.
loglevel        4095

# AD attribute missing from the stock schemas; defined globally so the proxy can relay it.
attributetype ( 1.2.840.113556.1.4.656 NAME 'userPrincipalName' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )

#Active Directory1
# NOTE(review): this stanza and the second one declare the same suffix in two
# separate databases; slapd normally rejects a duplicate suffix, and the usual
# back-meta layout is one "database meta" with two "uri" targets — confirm on the
# OpenLDAP version in use.
database        meta
suffix          "dc=fakedomain,dc=local"
# NOTE(review): plain ldap:// on 389 — the idassert credentials below and every
# relayed query travel unencrypted to the DC. Use ldaps:// (636) or back-meta's
# "tls start" option, and verify the DC certificate.
uri             "ldap://ipofyourldap1:389/dc=fakedomain,dc=local"
# The proxy never writes to AD.
readonly        yes
lastmod         off
# Rewrites the fake suffix into the real domain's user container on the way out (and back).
suffixmassage   "dc=fakedomain,dc=local" "ou=users,ou=office,dc=real1,dc=domain"
# NOTE(review): the password sits here in clear text, and converting the file with
# slaptest presumably copies it into the generated cn=config tree — keep both
# readable by root/ldap only. With authzFrom "*" every client identity reaching
# this target is asserted as the admin-rights account, so all lookups run with
# that account's AD privileges; a dedicated read-only account is enough for
# user/group lookups.
idassert-bind bindmethod=simple
  binddn="CN=userwithadminrights,OU=users,OU=office,DC=real1,DC=domain"
  credentials="yourplaintextpassword"
idassert-authzFrom "*"

#Active Directory2
# Same settings as the first stanza, pointed at the second domain; the review
# notes above (plain ldap://, clear-text credentials, admin-rights bind account,
# duplicate suffix) apply here as well.
database        meta
suffix          "dc=fakedomain,dc=local"
uri             "ldap://ipofyourldap2:389/dc=fakedomain,dc=local"
readonly        yes
lastmod         off
suffixmassage   "dc=fakedomain,dc=local" "ou=users,ou=office,dc=real2,dc=domain"
idassert-bind bindmethod=simple
  binddn="CN=userwithadminrights,OU=users,OU=office,DC=real2,DC=domain"
  credentials="yourplaintextpassword"
idassert-authzFrom "*"

添加以下內容:

#####################ADD TO /etc/openldap/schema/inetorgperson.schema############
# AD's sAMAccountName is not in the stock OpenLDAP schemas; the proxy needs a
# definition so the attribute can appear in relayed entries and serve the nslcd
# passwd/shadow "uid" mapping.
# NOTE(review): unlike the userPrincipalName definition in slapd.conf, this one
# carries no EQUALITY rule, so slapd may treat "(sAMAccountName=name)" filters as
# undefined — consider adding "EQUALITY caseIgnoreMatch" (AD matches it
# case-insensitively); confirm against the running version.
attributetype ( 1.2.840.113556.1.4.221
     NAME 'sAMAccountName'
           SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )

#####################ADD TO /etc/openldap/schema/inetorgperson.schema############

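# Rebuild the cn=config tree (/etc/openldap/slapd.d) from slapd.conf.
# The existing tree is destroyed — back it up first if it holds anything needed.
# ":" (not the legacy ".") is the POSIX owner:group separator for chown, and "--"
# stops option parsing so the fixed paths are never read as flags.
sudo rm -r -- /etc/openldap/slapd.d \
  && sudo mkdir -- /etc/openldap/slapd.d \
  && sudo chown -R ldap:ldap -- /etc/openldap/slapd.d

# Validate slapd.conf and convert it into slapd.d. The bind credentials from
# slapd.conf presumably end up in the generated entries, so keep slapd.d
# unreadable to other users. slaptest runs as root here, so the generated files
# are presumably root-owned; if slapd is later started as the ldap user, repeat
# the chown after this step — confirm.
sudo slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

# Run slapd in the foreground with debug level 1 for the first test; for normal
# operation start it through the service unit instead (and lower "loglevel").
sudo slapd -d 1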

引用自:https://serverfault.com/questions/941612