This article explains how to configure nss-pam-ldap. Many people run into questions about setting it up in day-to-day operations, so the editor has gone through a range of material and put together a simple, workable procedure in the hope that it clears up those questions. Follow along below.
1. Install the CentOS 7 repo / EPEL repo
rpm -Uvh http://mirror.centos.org/centos/7/os/x86_64/Packages/centos-release-7-6.1810.2.el7.centos.x86_64.rpm
yum install epel-release*
2. Install nss-pam-ldap / openldap-clients
yum install nss-pam-ldap* openldap-clients*
3. Configure nss-pam-ldap
Configure openldap-clients
### backup
$ cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf.`date +%F`
## Point at the actual OpenLDAP server
$ vi /etc/openldap/ldap.conf
...
BASE dc=example,dc=com
URI ldap://ldap.example.com:389
...
## Verify that openldap-clients works
$ ldapsearch -x -b 'dc=example,dc=com'
Configure /etc/ssh/sshd_config (sshd must hand authentication to PAM, otherwise pam_ldap is never consulted)
$ vim /etc/ssh/sshd_config
...
UsePAM yes
...
Configure /etc/sysconfig/authconfig
$ vi /etc/sysconfig/authconfig
...
USELDAP=yes
USELDAPAUTH=yes
USESHADOW=yes
USESYSNETAUTH=yes
USEMKHOMEDIR=yes
...
Configure /etc/nsswitch.conf
$ vi /etc/nsswitch.conf
...
passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap
...
Configure /etc/pam.d/system-auth
$ vi /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_ldap.so use_first_pass
auth required pam_faillock.so authfail audit deny=5 unlock_time=900
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so md5 shadow try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
Run authconfig-tui and select:
Use LDAP
Use MD5 Passwords
Use Shadow Passwords
Use LDAP Authentication
Local authorization is sufficient
## Or apply the same settings from the command line
authconfig --enableldap --enableldapauth --ldapserver=127.0.0.1 --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update --enablemd5 --enableshadow
Verify
getent passwd
su - ${username}
ssh ${username}@${host}
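As an added example (not part of the original post), the following POSIX shell script audits the three client-side files configured above before the login tests are run: it checks that passwd, shadow and group in nsswitch.conf all consult ldap, that sshd honours PAM, and that ldap.conf uses ldaps:// with certificate verification left at its default, since the plain ldap://...:389 URI shown earlier would carry bind passwords across the network in the clear. Paths default to the live files, and every function takes a path so the checks can be run against a copy. The function names are my own; the sshd check assumes whitespace-separated keywords and ignores Match blocks.

```shell
#!/bin/sh
# Added example: audit the nss-pam-ldap client configuration produced by the
# steps above. Not from the original post. Paths default to the live files;
# every function accepts a path so it can also be run on a copy.

# 0 if passwd, shadow and group in nsswitch.conf all list "ldap" as a source.
nss_maps_use_ldap() {
    file=${1:-/etc/nsswitch.conf}
    for map in passwd shadow group; do
        grep -Eq "^[[:space:]]*$map:([[:space:]]+[^[:space:]#]+)*[[:space:]]+ldap([[:space:]]|$)" "$file" \
            || return 1
    done
    return 0
}

# 0 if the first uncommented UsePAM keyword is "yes". sshd uses the first value
# it reads for a keyword; assumes whitespace-separated keywords, Match blocks ignored.
sshd_uses_pam() {
    file=${1:-/etc/ssh/sshd_config}
    val=$(awk 'tolower($1) == "usepam" && !seen { v = $2; seen = 1 } END { print v }' "$file")
    [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "yes" ]
}

# 0 if every URI in ldap.conf is ldaps:// and TLS_REQCERT has not been lowered
# to never/allow (the default, demand, verifies the server certificate).
ldap_conf_transport_ok() {
    file=${1:-/etc/openldap/ldap.conf}
    awk '
        toupper($1) == "URI" { seen = 1; for (i = 2; i <= NF; i++) if ($i !~ /^ldaps:\/\//) bad = 1 }
        toupper($1) == "TLS_REQCERT" && (tolower($2) == "never" || tolower($2) == "allow") { bad = 1 }
        END { if (seen && !bad) exit 0; exit 1 }' "$file"
}

# Run all checks, print one PASS/FAIL line each, return 0 only if all pass.
audit_ldap_client() {
    nss=${1:-/etc/nsswitch.conf}
    sshd=${2:-/etc/ssh/sshd_config}
    ldapc=${3:-/etc/openldap/ldap.conf}
    rc=0
    if nss_maps_use_ldap "$nss"; then echo "PASS $nss: passwd/shadow/group consult ldap"
    else echo "FAIL $nss: a map does not list ldap (getent will not see LDAP users)"; rc=1; fi
    if sshd_uses_pam "$sshd"; then echo "PASS $sshd: UsePAM yes"
    else echo "FAIL $sshd: UsePAM is not yes, pam_ldap is never consulted for ssh"; rc=1; fi
    if ldap_conf_transport_ok "$ldapc"; then echo "PASS $ldapc: ldaps:// with certificate verification"
    else echo "FAIL $ldapc: plain ldap:// or weakened TLS_REQCERT, bind passwords exposed on the wire"; rc=1; fi
    return $rc
}

# Usage: sh audit.sh --audit [nsswitch.conf] [sshd_config] [ldap.conf]
case "${1:-}" in
    --audit) shift; audit_ldap_client "$@" ;;
esac
```

Run it with `--audit` on the freshly configured host before trying `su` or `ssh`; a FAIL on the nsswitch line explains an empty `getent passwd`, and a FAIL on the ldap.conf line means the working setup is leaking every user's password to anyone on the path to the directory server.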
4. Restrict which users and groups can log in over ssh
$ vi /etc/nslcd.conf
...
# The distinguished name of the search base.
# Only accounts under this OU can log in at all
base ou=Employees,ou=Pano Users,dc=pano,dc=com
...
5. id: cannot find name for group ID 1000
https://www.lisenet.com/2016/setup-ldap-authentication-on-centos-7/
vi /etc/nslcd.conf
...
uid nslcd
gid ldap
base ou=Users,dc=harry,dc=com
## Only groups under this OU are needed
base group ou=Groups,dc=harry,dc=com
...
## Further restrict logins to particular groups under that OU (uncomment one line; the negation must wrap the nested filter as (!(...)))
...
#filter passwd (memberof=cn=g1,ou=Groups,dc=harry,dc=com)
#filter passwd (!(memberof=cn=g1,ou=Groups,dc=harry,dc=com))
...
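As an added example that is not from the original post, the following POSIX shell functions lint an nslcd.conf of the kind shown in sections 4 and 5 and emit a correctly nested group filter. The filter check rejects the `(!memberof=...)` form, which is not valid RFC 4515 syntax: the negation must wrap a parenthesised filter, as in `(!(memberof=...))`. The lint also flags a plain ldap:// uri without `ssl start_tls`, and notes a missing `base group`, which is what produces the "cannot find name for group ID" error when groups live in a different OU from users. The group filter assumes user entries expose a memberOf attribute, as the filters above already rely on; the function names are my own.

```shell
#!/bin/sh
# Added example: lint an nslcd.conf of the kind shown above and generate a
# well-formed group filter. Not from the original post; function names are mine.

# 0 if one LDAP filter string is structurally valid per RFC 4515: wrapped in an
# outer pair of parentheses, balanced, and every !, & or | operator immediately
# followed by "(" so that it wraps a nested filter. A bare "!" inside an attribute
# value would also be reported; such values are assumed not to occur here.
ldap_filter_valid() {
    f=$1
    case $f in
        "("*")") ;;
        *) return 1 ;;
    esac
    opens=$(printf '%s' "$f" | tr -cd '(' | wc -c | tr -d ' ')
    closes=$(printf '%s' "$f" | tr -cd ')' | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ] || return 1
    # (!memberOf=...) is rejected here; (!(memberOf=...)) passes
    if printf '%s' "$f" | grep -Eq '[!&|][^(]'; then
        return 1
    fi
    return 0
}

# Print an nslcd "filter passwd" line that limits login to members of one
# group, or with "exclude" to everyone who is not a member. Assumes the users'
# entries carry a memberOf attribute, as the filters in the section above do.
nslcd_group_filter() {
    dn=$1
    mode=${2:-include}
    if [ "$mode" = exclude ]; then
        printf 'filter passwd (&(objectClass=posixAccount)(!(memberOf=%s)))\n' "$dn"
    else
        printf 'filter passwd (&(objectClass=posixAccount)(memberOf=%s))\n' "$dn"
    fi
}

# Check an nslcd.conf: required keys present, a note when no "base group" is set
# (the cause of "id: cannot find name for group ID" when groups sit in another OU),
# STARTTLS on plain ldap:// uris, and every filter line syntactically valid.
# Prints findings; returns 0 when no issue was found.
nslcd_lint() {
    file=${1:-/etc/nslcd.conf}
    issues=0
    cfg=$(grep -Ev '^[[:space:]]*(#|$)' "$file")   # drop comments and blank lines
    for key in uid gid uri base; do
        printf '%s\n' "$cfg" | grep -Eq "^[[:space:]]*$key[[:space:]]" \
            || { echo "ISSUE: '$key' is not set"; issues=$((issues + 1)); }
    done
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*base[[:space:]]+group[[:space:]]' \
        || echo "NOTE: no 'base group'; group lookups use the default base, which fails when groups sit in another OU"
    if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*uri[[:space:]]+ldap://' \
       && ! printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls'; then
        echo "ISSUE: plain ldap:// uri without 'ssl start_tls'; pam_ldap binds send user passwords in clear"
        issues=$((issues + 1))
    fi
    # the filter is everything after "filter <map>"; validate each one
    bad=$(printf '%s\n' "$cfg" | awk '$1 == "filter" { $1 = ""; $2 = ""; sub(/^ +/, ""); print }' |
          while IFS= read -r flt; do
              ldap_filter_valid "$flt" || printf 'ISSUE: malformed filter: %s\n' "$flt"
          done)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        issues=$((issues + $(printf '%s\n' "$bad" | wc -l | tr -d ' ')))
    fi
    [ "$issues" -eq 0 ] && echo "OK: no issues found"
    [ "$issues" -eq 0 ]
}

# Usage: sh nslcd_lint.sh --lint [nslcd.conf]
case "${1:-}" in
    --lint) nslcd_lint "${2:-/etc/nslcd.conf}" ;;
esac
```

A malformed filter is worth catching before restarting nslcd: depending on the server, a filter it cannot parse either returns no entries (nobody from LDAP can log in) or is silently ignored, which means the intended group restriction is not applied at all.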
That concludes the walk-through of configuring nss-pam-ldap; hopefully it has cleared up your questions. Pairing theory with practice is the best way to learn, so go and try it. For more on related topics, keep following the Yisu Cloud site, where the editor will keep bringing you practical articles.
Original link: https://my.oschina.net/u/204498/blog/3084505