View source for "LDAPClientAuthentication"
From Ubuntu中文
Original source: Ubuntu official Wiki
Original author:
License: [http://www.creativecommons.cn/licenses/by-nc-sa/1.0/ Creative Commons license]
Translator: FireHare
Proofreader:
Applicable version:
Article status: awaiting proofreading
----
=== Intended Audience ===
This page is intended for anyone who wants to enable an Ubuntu client to authenticate against an existing OpenLDAP server. For details on the server installation, see [[UbuntuHelp:OpenLDAPServer]].

To authenticate against a Sun Java Enterprise System Directory Server, consult the [[UbuntuHelp:SunLDAPClientAuthentication]] page.

=== Installing and configuring LDAP authentication ===
==== Install the necessary packages ====
Install the following packages: <code><nowiki>libpam-ldap libnss-ldap</nowiki></code> (see InstallingSoftware). Note that you have to enable the universe repositories for this.

During installation, you will be asked the following questions:
* '''The address of the LDAP server used'''. You can also use a fully qualified domain name here. For example: ''ldap.example.com''
* '''The distinguished name of the search base'''. For example ''dc=example,dc=com''
* '''The LDAP version to use'''. You usually would choose ''3'' here.
* '''If your database requires logging in'''. You would usually choose ''no'' here.
* '''If you want to make configuration readable/writeable by owner only'''. A ''no'' should be the answer to this.
* A dialog is displayed explaining that it cannot manage ''nsswitch.conf'' automatically. Just select ''OK''.
* '''If you want the local root to be the database admin'''. You would usually choose ''yes'' here.
* Again '''If your database requires logging in'''. You would usually choose ''no'' here.
* '''Your root login account'''. For example: ''cn=manager,dc=example,dc=com''
* '''Your root password'''.
* Afterwards, a dialog explains the different encryption methods and asks you to specify the '''encryption method to use before sending your password'''. ''exop'' is usually a good choice.

==== Configuring nsswitch.conf ====
Unfortunately we cannot test the above configuration until /etc/nsswitch.conf is configured:
<pre><nowiki>
$ sudo vi /etc/nsswitch.conf
</nowiki></pre>
and enter the following command, which will replace ''compat'' with ''ldap files'':
<pre><nowiki>
:%s/compat/ldap files/g
</nowiki></pre>

===== Testing the ''nsswitch.conf'' configuration using ''getent'' =====
Now you can test the configuration by using the following lines (substitute ''<someldapuser>'' with a user and ''<someldapgroup>'' with a group known by your LDAP server):
<pre><nowiki>
$ getent passwd <someldapuser>
$ getent group <someldapgroup>
</nowiki></pre>
If you get a response in both cases, your LDAP ''nsswitch.conf'' configuration is correct and all you need to do is to configure PAM.

===== Changing the lookup order for ''nsswitch.conf'' =====
You might want to swap around ''ldap'' and ''files'' to first check your local passwd file before consulting the LDAP server:
<pre><nowiki>
$ sudo vi /etc/nsswitch.conf
</nowiki></pre>
...and change the lines to show the following:
<pre><nowiki>
passwd: files ldap
group: files ldap
shadow: files ldap
</nowiki></pre>

==== Configuring PAM ====
The PAM configuration is split into 4 files: common-account, common-auth, common-password and common-session.

===== /etc/pam.d/common-account =====
<pre><nowiki>
$ sudo vi /etc/pam.d/common-account
</nowiki></pre>
Enter the following lines:
<pre><nowiki>
account sufficient pam_ldap.so
account required pam_unix.so
</nowiki></pre>

===== /etc/pam.d/common-auth =====
<pre><nowiki>
$ sudo vi /etc/pam.d/common-auth
</nowiki></pre>
Enter the following lines:
<pre><nowiki>
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
</nowiki></pre>

===== /etc/pam.d/common-password =====
====== Standard Configuration ======
<pre><nowiki>
$ sudo vi /etc/pam.d/common-password
</nowiki></pre>
Enter the following lines:
<pre><nowiki>
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
</nowiki></pre>

====== Using Stronger Passwords ======
If you want stronger passwords, you might be interested in ''libpam-cracklib''. Install the following packages: <code><nowiki>libpam-cracklib</nowiki></code> (see InstallingSoftware).

You then need to change the configuration of ''/etc/pam.d/common-password'':
<pre><nowiki>
$ sudo vi /etc/pam.d/common-password
</nowiki></pre>
Enter the following lines:
<pre><nowiki>
password required pam_cracklib.so retry=3 minlen=6 difok=3
password sufficient pam_ldap.so use_authtok nullok md5
password required pam_unix.so use_authtok use_first_pass
</nowiki></pre>

===== /etc/pam.d/common-session =====
====== Standard Configuration ======
<pre><nowiki>
$ sudo vi /etc/pam.d/common-session
</nowiki></pre>
Enter the following lines:
<pre><nowiki>
session sufficient pam_ldap.so
session required pam_unix.so
</nowiki></pre>

====== Automatically creating home directory on first logon ======
If you want the home directory of the user to be created automatically at first logon, you need to edit the ''common-session'' file again:
<pre><nowiki>
$ sudo vi /etc/pam.d/common-session
</nowiki></pre>
Enter the following lines:
<pre><nowiki>
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so
</nowiki></pre>

=== Credits ===
* Most of the information used in this document was found on the following page: http://mcwhirter.com.au/documentation/MakingaDebianorUbuntuMachineanLDAPAuthenticationClient
* Some additional documentation I found here: http://www.gentoo.org/doc/en/ldap-howto.xml
----
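The ''nsswitch.conf'' lookup order and the PAM module order configured above can be checked offline with a small script. This is an added example, not part of the original wiki page: the function names <code>nss_check</code> and <code>pam_stack</code> and the sample files are constructed for illustration, and it assumes one-word PAM controls as used on this page.

```shell
#!/bin/sh
# Added example, not from the wiki page. Function names and sample files are
# constructed; assumes one-word PAM controls (sufficient, required, optional).

# nss_check FILE -> one line per database: "<db> <verdict>".
# NSS asks sources left to right, so "ldap-first" means the directory answers
# before a local entry of the same name is consulted.
nss_check() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        $1 ~ /^(passwd|group|shadow):$/ {
            f = 0; l = 0
            for (i = 2; i <= NF; i++) {
                if (!f && ($i == "files" || $i == "compat")) f = i
                if (!l && $i == "ldap") l = i
            }
            if (!l)         v = "no-ldap"
            else if (!f)    v = "ldap-only"
            else if (f < l) v = "local-first"
            else            v = "ldap-first"
            print substr($1, 1, length($1) - 1), v
        }' "$1"
}

# pam_stack FILE TYPE -> ordered "control:module" entries for one PAM type.
# A successful "sufficient" module ends the stack, so the order matters.
pam_stack() {
    awk -v t="$2" '
        { sub(/#.*/, "") }
        $1 == t { printf "%s%s:%s", sep, $2, $3; sep = " " }
        END { print "" }' "$1"
}

# Constructed sample input: nsswitch.conf as it looks right after the
# ":%s/compat/ldap files/g" substitution, and the common-auth from this page.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf '%s\n' 'passwd: ldap files' 'group: ldap files' 'shadow: ldap files' \
    'hosts: files dns' > "$sample_dir/nsswitch.conf"
printf '%s\n' '# constructed sample' 'auth sufficient pam_ldap.so' \
    'auth required pam_unix.so nullok_secure use_first_pass' \
    > "$sample_dir/common-auth"

nss_check "$sample_dir/nsswitch.conf"
pam_stack "$sample_dir/common-auth" auth
```

On a configured client, point the two functions at ''/etc/nsswitch.conf'' and the files under ''/etc/pam.d/''; after swapping the order as described in the lookup-order section, <code>nss_check</code> reports <code>local-first</code> for all three databases.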