“UbuntuHelp:OSXLDAPClientAuthentication”的版本间的差异
来自Ubuntu中文
小 (新页面: {{From|https://help.ubuntu.com/community/OSXLDAPClientAuthentication}} {{Languages|UbuntuHelp:OSXLDAPClientAuthentication}} Purpose - make an Ubuntu install authenticate against a Leopard...) |
小 |
||
(未显示同一用户的1个中间版本) | |||
第2行: | 第2行: | ||
{{Languages|UbuntuHelp:OSXLDAPClientAuthentication}} | {{Languages|UbuntuHelp:OSXLDAPClientAuthentication}} | ||
Purpose - make an Ubuntu install authenticate against a Leopard Server with an Open Directory Master running on it. | Purpose - make an Ubuntu install authenticate against a Leopard Server with an Open Directory Master running on it. | ||
− | Details taken from [ "LDAPClientAuthentication" ]. Here's a quick how-to on how to get authenticating (partially) successfully against a Leopard Server. | + | Details taken from [ "LDAPClientAuthentication" ]. Here's a quick how-to on how to get authenticating (partially) successfully against a Leopard and Tiger Server. |
* apt-get install libpam-ldap libnss-ldap nss-updatedb | * apt-get install libpam-ldap libnss-ldap nss-updatedb | ||
To complete this recipe you will need: | To complete this recipe you will need: | ||
第9行: | 第9行: | ||
** LDAP Search Base: dc=blah,dc=blah,dc=blah | ** LDAP Search Base: dc=blah,dc=blah,dc=blah | ||
** call this "SearchBase" | ** call this "SearchBase" | ||
− | I ended up just editing the /etc/ldap.conf file manually. The only lines I | + | I ended up just editing the /etc/ldap.conf file manually. The only lines I needed to change were: |
* host "IP ADDRESS" | * host "IP ADDRESS" | ||
− | * base | + | * base "SearchBase" |
− | ** i.e. base | + | ** i.e. base dc=blah,dc=blah,dc=blah |
+ | (this was noted as needing to be * base cn=users,"SearchBase" for Leopard, and will work for users, but won't find groups properly) | ||
+ | New for 8.04 it seems we need to also ignore the "root" user in the Open Directory. So add to your /etc/ldap.conf | ||
+ | * pam_filter !(uid=root) | ||
+ | Thanks for figuring this out, Bart. | ||
Then edit /etc/nsswitch.conf and change the passwd, group, and shadow lines to resemble: | Then edit /etc/nsswitch.conf and change the passwd, group, and shadow lines to resemble: | ||
* passwd: files ldap | * passwd: files ldap | ||
* group: files ldap | * group: files ldap | ||
* shadow: files ldap | * shadow: files ldap | ||
− | + | Have /etc/pam.d/common-account read | |
− | * auth sufficient pam_ldap.so | + | * account sufficient pam_ldap.so |
+ | * account required pam_unix.so | ||
+ | Have /etc/pam.d/common-auth read | ||
+ | * auth sufficient pam_ldap.so | ||
+ | * auth required pam_unix.so nullok_secure try_first_pass | ||
+ | Have /etc/pam.d/common-passwd read | ||
+ | * password sufficient pam_ldap.so md5 | ||
+ | * password required pam_unix.so nullok obscure md5 | ||
+ | * password optional pam_smbpass.so nullok use_authtok try_first_pass missingok | ||
+ | Finally, have /etc/pam.d/common-session read | ||
+ | * session sufficient pam_ldap.so | ||
+ | * session required pam_unix.so | ||
You should be good to go. Test with a command like: | You should be good to go. Test with a command like: | ||
getent passwd | getent passwd |
2009年5月12日 (二) 18:18的最新版本
点击翻译: |
English |
请不要直接编辑翻译本页,本页将定期与来源同步。 |
Purpose - make an Ubuntu install authenticate against a Leopard Server with an Open Directory Master running on it. Details taken from [ "LDAPClientAuthentication" ]. Here's a quick how-to on how to get authenticating (partially) successfully against a Leopard and Tiger Server.
- apt-get install libpam-ldap libnss-ldap nss-updatedb
To complete this recipe you will need:
- host "ip for your server"
- Open Directory Search Base - from Server Admin, Open Directory Overview
- LDAP Search Base: dc=blah,dc=blah,dc=blah
- call this "SearchBase"
I ended up just editing the /etc/ldap.conf file manually. The only lines I needed to change were:
- host "IP ADDRESS"
- base "SearchBase"
- i.e. base dc=blah,dc=blah,dc=blah
(this was noted as needing to be * base cn=users,"SearchBase" for Leopard, and will work for users, but won't find groups properly) New for 8.04 it seems we need to also ignore the "root" user in the Open Directory. So add to your /etc/ldap.conf
- pam_filter !(uid=root)
Thanks for figuring this out, Bart. Then edit /etc/nsswitch.conf and change the passwd, group, and shadow lines to resemble:
- passwd: files ldap
- group: files ldap
- shadow: files ldap
Have /etc/pam.d/common-account read
- account sufficient pam_ldap.so
- account required pam_unix.so
Have /etc/pam.d/common-auth read
- auth sufficient pam_ldap.so
- auth required pam_unix.so nullok_secure try_first_pass
Have /etc/pam.d/common-passwd read
- password sufficient pam_ldap.so md5
- password required pam_unix.so nullok obscure md5
- password optional pam_smbpass.so nullok use_authtok try_first_pass missingok
Finally, have /etc/pam.d/common-session read
- session sufficient pam_ldap.so
- session required pam_unix.so
You should be good to go. Test with a command like: getent passwd You should see your local accounts followed by your Open Directory accounts. Now you can try to "su" to one of the OD users. Finally try to ssh in as one of the OD users.