LDAPClientAuthentication

From Ubuntu中文 (Ubuntu Chinese)

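Original source: Ubuntu official Wiki

Original author:

License: Creative Commons

Translator: FireHare

Proofreader:

Applicable version:

Article status: awaiting proofreading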


Intended Audience

This page is intended for anyone who wants to enable an Ubuntu client to authenticate on an existing OpenLDAP server. For more details on the server installation part, see UbuntuHelp:OpenLDAPServer.

To authenticate on a Sun Java Enterprise System Directory Server, consult the UbuntuHelp:SunLDAPClientAuthentication page.

Installing and configuring LDAP authentication

Install the necessary packages

Install the following packages: libpam-ldap libnss-ldap (see InstallingSoftware). Note that you have to enable the universe repositories for this.

During installation, you will be asked the following questions:

  • The address of the LDAP server used. You can also use a fully qualified domain name here. For example: ldap.example.com
  • The distinguished name of the search base. For example: dc=example,dc=com
  • The LDAP version to use. You would usually choose 3 here.
  • Whether your database requires logging in. You would usually choose no here.
  • Whether you want to make the configuration readable/writeable by the owner only. The answer to this should be no.
  • A dialog is displayed explaining that it cannot manage nsswitch.conf automatically. Just select OK.
  • Whether you want the local root to be the database admin. You would usually choose yes here.
  • Again, whether your database requires logging in. You would usually choose no here.
  • Your root login account. For example: cn=manager,dc=example,dc=com
  • Your root password.
  • Finally, a dialog explains the different encryption methods and asks which one to use before sending your password. exop is usually a good choice.

Configuring nsswitch.conf

Unfortunately we cannot test the above configuration until /etc/nsswitch.conf is configured:

$ sudo vi /etc/nsswitch.conf

and enter the following command, which will replace compat with ldap files:

:%s/compat/ldap files/g

Testing the nsswitch.conf configuration using getent

Now you can test the configuration by using the following lines (substitute <someldapuser> with a user and <someldapgroup> with a group known by your LDAP server):

$ getent passwd <someldapuser>
$ getent group <someldapgroup>

If you get a response in both cases, your LDAP nsswitch.conf configuration is correct and all you need to do is to configure PAM.

Changing the lookup order for nsswitch.conf

You might want to swap around ldap and files to first check your local passwd file before consulting the LDAP server:

$ sudo vi /etc/nsswitch.conf

...and change the lines to show the following:

passwd: files ldap
group:  files ldap
shadow: files ldap
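
NSS consults the sources on each line from left to right and stops at the first one that returns an entry, so with ldap listed first a directory entry takes precedence over a local account of the same name. The following added example (not part of the original wiki page; the function names and the sample file are constructed for illustration) applies the compat substitution to a sample nsswitch.conf, reports which databases consult ldap before files, and rewrites them to files ldap:

```shell
# Constructed sample of a default nsswitch.conf (not read from a real system).
sample_nsswitch() {
cat <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
EOF
}

# Same edit as the vi command :%s/compat/ldap files/g, applied to stdin.
apply_ldap_edit() { sed 's/compat/ldap files/g'; }

# Print the source list of one database (for example passwd) read from stdin.
nss_sources() {
    awk -v db="$1:" '$1 == db { $1 = ""; sub(/^ +/, ""); print }'
}

# Print the databases among passwd/group/shadow that consult ldap before files.
ldap_first_dbs() {
    awk '$1 ~ /^(passwd|group|shadow):$/ {
        l = 0; f = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "ldap"  && !l) l = i
            if ($i == "files" && !f) f = i
        }
        if (l && (!f || l < f)) {
            sub(/:$/, "", $1); printf "%s%s", sep, $1; sep = " "
        }
    } END { print "" }'
}

# Swap "ldap files" to "files ldap" on those three lines only.
prefer_local_files() {
    sed -E '/^(passwd|group|shadow):/ s/ldap([[:space:]]+)files/files\1ldap/'
}

edited=$(sample_nsswitch | apply_ldap_edit)
echo "ldap consulted first for: $(printf '%s\n' "$edited" | ldap_first_dbs)"
printf '%s\n' "$edited" | prefer_local_files
```

To check a real system, feed /etc/nsswitch.conf to ldap_first_dbs instead of the sample.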

Configuring PAM

The PAM configuration is split into 4 files: common-account, common-auth, common-password and common-session.

/etc/pam.d/common-account

$ sudo vi /etc/pam.d/common-account

Enter the following lines:

account sufficient      pam_ldap.so
account required        pam_unix.so

/etc/pam.d/common-auth

$ sudo vi /etc/pam.d/common-auth

Enter the following lines:

auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-password

Standard Configuration

$ sudo vi /etc/pam.d/common-password

Enter the following lines:

password        sufficient      pam_ldap.so
password        required        pam_unix.so nullok obscure min=4 max=8 md5

Using Stronger Passwords

If you want stronger passwords, you might be interested in libpam-cracklib. Install the following packages: libpam-cracklib (see InstallingSoftware).

You then need to change the configuration of /etc/pam.d/common-password:

$ sudo vi /etc/pam.d/common-password

Enter the following lines:

password        required        pam_cracklib.so retry=3 minlen=6 difok=3
password        sufficient      pam_ldap.so use_authtok nullok md5
password        required        pam_unix.so use_authtok use_first_pass

/etc/pam.d/common-session

Standard Configuration

$ sudo vi /etc/pam.d/common-session

Enter the following lines:

session sufficient      pam_ldap.so
session required        pam_unix.so

Automatically creating home directory on first logon

If you want the home directory of the user to be created automatically at first logon, you need to edit the common-session file again:

$ sudo vi /etc/pam.d/common-session

Enter the following lines:

session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel/
session optional        pam_ldap.so
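
In the home-directory variant pam_ldap.so is last and optional; a sufficient module that succeeds ends the stack, so in the standard session stack nothing listed after pam_ldap.so runs for LDAP users. The following added example (not from the original page, and a simplified model rather than PAM's own code; pam_walk and the supplied module outcomes are assumptions) walks this page's auth and session stacks using only the required, sufficient and optional flags:

```shell
# Stacks copied from this page.
auth_stack() {
cat <<'EOF'
auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure use_first_pass
EOF
}
session_standard() {
cat <<'EOF'
session sufficient      pam_ldap.so
session required        pam_unix.so
EOF
}
session_mkhomedir() {
cat <<'EOF'
session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel/
session optional        pam_ldap.so
EOF
}

# pam_walk "<modules assumed to fail, space separated>" < stack
# Prints "<permit|deny>: <modules that ran, in order>".
pam_walk() {
    awk -v failing=" $1 " '
    NF >= 3 && $1 !~ /^#/ {
        ctl = $2; mod = $3
        ran = (ran == "" ? mod : ran " " mod)
        ok = (index(failing, " " mod " ") == 0)
        # required: a failure is remembered, later modules still run
        if (ctl == "required" && !ok) failed = 1
        if (ctl == "required" && ok) good = 1
        # sufficient: success ends the stack unless a required module failed
        if (ctl == "sufficient" && ok && !failed) { good = 1; exit }
        # optional: outcome ignored in this model
    }
    END {
        res = (failed || !good) ? "deny" : "permit"
        print res ": " ran
    }'
}

echo "auth, LDAP accepts:     $(auth_stack | pam_walk '')"
echo "auth, LDAP rejects:     $(auth_stack | pam_walk 'pam_ldap.so')"
echo "session, standard:      $(session_standard | pam_walk '')"
echo "session, with mkhomedir: $(session_mkhomedir | pam_walk '')"
```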

Credits