特殊:Badtitle/NS100:LDAPClientAuthentication:修订间差异
小无编辑摘要 |
小无编辑摘要 |
||
| 第1行: | 第1行: | ||
{{From|https://help.ubuntu.com/community/LDAPClientAuthentication}} | {{From|https://help.ubuntu.com/community/LDAPClientAuthentication}} | ||
{{Languages| | {{Languages|UbuntuHelp:LDAPClientAuthentication}} | ||
== Introduction == | == Introduction == | ||
| 第84行: | 第84行: | ||
Create a script called nssupdate.sh in /etc/cron.hourly/ and make it executable. It should contain the following: | Create a script called nssupdate.sh in /etc/cron.hourly/ and make it executable. It should contain the following: | ||
<pre><nowiki> | <pre><nowiki> | ||
LOCK=/var/run/auth-update.cron | LOCK=/var/run/auth-update.cron | ||
| 第179行: | 第178行: | ||
---- | ---- | ||
CategoryCleanup | [[category:CategoryCleanup]] | ||
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] | ||
2007年5月14日 (一) 11:04的版本
 |
文章出处: |
{{#if: | {{{2}}} | https://help.ubuntu.com/community/LDAPClientAuthentication }} |
|
点击翻译: |
English {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/af | • {{#if: UbuntuHelp:LDAPClientAuthentication|Afrikaans| [[::LDAPClientAuthentication/af|Afrikaans]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/ar | • {{#if: UbuntuHelp:LDAPClientAuthentication|العربية| [[::LDAPClientAuthentication/ar|العربية]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/az | • {{#if: UbuntuHelp:LDAPClientAuthentication|azərbaycanca| [[::LDAPClientAuthentication/az|azərbaycanca]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/bcc | • {{#if: UbuntuHelp:LDAPClientAuthentication|جهلسری بلوچی| [[::LDAPClientAuthentication/bcc|جهلسری بلوچی]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/bg | • {{#if: UbuntuHelp:LDAPClientAuthentication|български| [[::LDAPClientAuthentication/bg|български]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/br | • {{#if: UbuntuHelp:LDAPClientAuthentication|brezhoneg| [[::LDAPClientAuthentication/br|brezhoneg]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/ca | • {{#if: UbuntuHelp:LDAPClientAuthentication|català| [[::LDAPClientAuthentication/ca|català]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/cs | • {{#if: UbuntuHelp:LDAPClientAuthentication|čeština| [[::LDAPClientAuthentication/cs|čeština]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/de | • {{#if: UbuntuHelp:LDAPClientAuthentication|Deutsch| [[::LDAPClientAuthentication/de|Deutsch]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/el | • {{#if: UbuntuHelp:LDAPClientAuthentication|Ελληνικά| [[::LDAPClientAuthentication/el|Ελληνικά]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/es | • {{#if: UbuntuHelp:LDAPClientAuthentication|español| [[::LDAPClientAuthentication/es|español]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/fa | • {{#if: UbuntuHelp:LDAPClientAuthentication|فارسی| [[::LDAPClientAuthentication/fa|فارسی]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/fi | • {{#if: UbuntuHelp:LDAPClientAuthentication|suomi| [[::LDAPClientAuthentication/fi|suomi]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/fr | • {{#if: UbuntuHelp:LDAPClientAuthentication|français| [[::LDAPClientAuthentication/fr|français]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/gu | • {{#if: UbuntuHelp:LDAPClientAuthentication|ગુજરાતી| [[::LDAPClientAuthentication/gu|ગુજરાતી]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/he | • {{#if: UbuntuHelp:LDAPClientAuthentication|עברית| [[::LDAPClientAuthentication/he|עברית]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/hu | • {{#if: UbuntuHelp:LDAPClientAuthentication|magyar| [[::LDAPClientAuthentication/hu|magyar]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/id | • {{#if: UbuntuHelp:LDAPClientAuthentication|Bahasa Indonesia| [[::LDAPClientAuthentication/id|Bahasa Indonesia]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/it | • {{#if: UbuntuHelp:LDAPClientAuthentication|italiano| [[::LDAPClientAuthentication/it|italiano]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/ja | • {{#if: UbuntuHelp:LDAPClientAuthentication|日本語| [[::LDAPClientAuthentication/ja|日本語]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/ko | • {{#if: UbuntuHelp:LDAPClientAuthentication|한국어| [[::LDAPClientAuthentication/ko|한국어]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/ksh | • {{#if: UbuntuHelp:LDAPClientAuthentication|Ripoarisch| [[::LDAPClientAuthentication/ksh|Ripoarisch]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/mr | • {{#if: UbuntuHelp:LDAPClientAuthentication|मराठी| [[::LDAPClientAuthentication/mr|मराठी]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/ms | • {{#if: UbuntuHelp:LDAPClientAuthentication|Bahasa Melayu| [[::LDAPClientAuthentication/ms|Bahasa Melayu]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/nl | • {{#if: UbuntuHelp:LDAPClientAuthentication|Nederlands| [[::LDAPClientAuthentication/nl|Nederlands]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/no | • {{#if: UbuntuHelp:LDAPClientAuthentication|norsk| [[::LDAPClientAuthentication/no|norsk]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/oc | • {{#if: UbuntuHelp:LDAPClientAuthentication|occitan| [[::LDAPClientAuthentication/oc|occitan]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/pl | • {{#if: UbuntuHelp:LDAPClientAuthentication|polski| [[::LDAPClientAuthentication/pl|polski]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/pt | • {{#if: UbuntuHelp:LDAPClientAuthentication|português| [[::LDAPClientAuthentication/pt|português]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/ro | • {{#if: UbuntuHelp:LDAPClientAuthentication|română| [[::LDAPClientAuthentication/ro|română]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/ru | • {{#if: UbuntuHelp:LDAPClientAuthentication|русский| [[::LDAPClientAuthentication/ru|русский]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/si | • {{#if: UbuntuHelp:LDAPClientAuthentication|සිංහල| [[::LDAPClientAuthentication/si|සිංහල]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/sq | • {{#if: UbuntuHelp:LDAPClientAuthentication|shqip| [[::LDAPClientAuthentication/sq|shqip]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/sr | • {{#if: UbuntuHelp:LDAPClientAuthentication|српски / srpski| [[::LDAPClientAuthentication/sr|српски / srpski]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/sv | • {{#if: UbuntuHelp:LDAPClientAuthentication|svenska| [[::LDAPClientAuthentication/sv|svenska]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/th | • {{#if: UbuntuHelp:LDAPClientAuthentication|ไทย| [[::LDAPClientAuthentication/th|ไทย]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/tr | • {{#if: UbuntuHelp:LDAPClientAuthentication|Türkçe| [[::LDAPClientAuthentication/tr|Türkçe]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/vi | • {{#if: UbuntuHelp:LDAPClientAuthentication|Tiếng Việt| [[::LDAPClientAuthentication/vi|Tiếng Việt]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/yue | • {{#if: UbuntuHelp:LDAPClientAuthentication|粵語| [[::LDAPClientAuthentication/yue|粵語]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/zh | • {{#if: UbuntuHelp:LDAPClientAuthentication|中文| [[::LDAPClientAuthentication/zh|中文]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/zh-hans | • {{#if: UbuntuHelp:LDAPClientAuthentication|中文(简体)| [[::LDAPClientAuthentication/zh-hans|中文(简体)]]}}|}} {{#ifexist: {{#if: UbuntuHelp:LDAPClientAuthentication | UbuntuHelp:LDAPClientAuthentication | {{#if: | :}}LDAPClientAuthentication}}/zh-hant | • {{#if: UbuntuHelp:LDAPClientAuthentication|中文(繁體)| [[::LDAPClientAuthentication/zh-hant|中文(繁體)]]}}|}} |
{{#ifeq:UbuntuHelp:LDAPClientAuthentication|:LDAPClientAuthentication|请不要直接编辑翻译本页,本页将定期与来源同步。}} |
{{#ifexist: :LDAPClientAuthentication/zh | | {{#ifexist: LDAPClientAuthentication/zh | | {{#ifeq: {{#titleparts:LDAPClientAuthentication|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:LDAPClientAuthentication|1|-1|}} | zh | | }}
Introduction
This page is intended for anyone who wants to enable an Ubuntu client to authenticate on an existing OpenLDAP server. For more details on the server installation part see UbuntuHelp:OpenLDAPServer.
For authenticating on a Sun Java Enterprise System Directory Server should consult the UbuntuHelp:SunLDAPClientAuthentication page.
Installation
Install the following packages: libpam-ldap libnss-ldap nss-updatedb (see InstallingSoftware). Note that you have to enable the universe repositories for this.
During installation, you will be asked the following questions:
- The address of the LDAP server used. You can also use a fully qualified domain name here. For example: ldap.example.com
- The distinguished name of the search base. For example dc=example,dc=com
- The LDAP version to use. You usually would choose 3 here.
- If your database requires logging in. You would usually choose no here.
- If you want to make configuration readable/writeable by owner only. A no should be the answer to this.
- A Dialog is displayed explaining it cannot manage nsswitch.conf automatically. Just select OK.
- If you want the local root to be the database admin. You would usually choose yes here.
- Again If your database requires logging in. You would usually choose no here.
- Your root login account. For example: cn=manager,dc=example,dc=com
- Your root password.
- After, a dialog explaining the different encryption methods to specify the encryption method to use before sending your password. exop is usually a good choice.
The above steps might vary a bit depending on the Ubuntu distribution used. When you want to restart the configuration you can use dpkg-reconfigure for both libpam-ldap and libnss-ldap packages.
When finished configuring you will need to double check the data in /etc/libnss-ldap.conf. Especially the 'host' entry which doesn't accept URI. Better is to use the 'uri' entries and comment out the 'host'.
Configuration
After the installation of the necessary packages you will need to configure the Name Service and PAM.
Name Service
In /etc/nsswitch.conf replace compat with files ldap for both the passwd and group entries so you get something like this:
passwd: files ldap group: files ldap
There is a full example provided in the documentation of libnss-ldap: /usr/share/doc/libnss-ldap/examples/nsswitch.ldap
Now you can test the configuration by using the following line (substitute <someldapuser> with a user and <someldapgroup> with a group known by your LDAP server):
$ getent passwd <someldapuser> $ getent group <someldapgroup>
If you get a response in both cases, your LDAP nsswitch.conf configuration is correct and all you need to do is to configure PAM.
If the user is in your LDAP and not locally, 1 online should be returned. If not:
- double check /etc/libnss-ldap.conf (e.g. use 'uri' instead of the 'host' entry)
- check the password in /etc/libnss-ldap.secret
There appears to be a bug in libnss-ldap which can create a rather nasty boot problem in udevd. If you do not enable a "soft" bind policy, booting can hang and authentication will not operate properly. Use the following command to edit the nss-ldap file:
$ sudo editor /etc/libnss-ldap.conf
Add this line in the bind policy section:
bind_policy soft
Also, Make sure you have the correct ldap settings listed in this file. If not, you may have to change them too.
Some extra tips:
- It is also good to set the timeouts lower.
- Don't use sudo when editing this file or leave it open while testing. If you save with a typo, it could mean that you can't access your server anymore.
Caching Name Service directories (optional)
[(Geert) This needs editing, I can't make it work.] [(Geert) nscd can be used, but didn't work either.]
In order to prevent network slowdown or outage from preventing user name lookup and thus login, use the nss-updatedb package to create a local database of the user names. You first need to populate the database for the first time and then create a scheduled job to update the database at a random time each hour (the random time means that all clients are no hitting the LDAP server simultaneously for updates). Run:
$ sudo nss_updatedb ldap
nss_updatedb is storing the cache in /var/lib/misc/.
Now you need to create a script to update the database randomly.
Create a script called nssupdate.sh in /etc/cron.hourly/ and make it executable. It should contain the following:
LOCK=/var/run/auth-update.cron [ "$1" != "0" ] && [ -f $LOCK ] && [ -d /proc/"$(cat $LOCK)" ] && exit 0 echo $$ > $LOCK RANGE=3600 [ "$1" != "" ] && RANGE=$1 SLEEP=$RANDOM [ "$RANGE" != "0" ] && let "SLEEP %= $RANGE" || SLEEP=0 sleep $SLEEP go=true while $go; do /usr/sbin/nss_updatedb ldap [ $? -eq 0 ] && go=false [ "$go" == "true" ] && sleep 10 done rm $LOCK exit 0
To make actual use of the cached data you will need to edit /etc/nsswitch.conf like this:
passwd: files ldap [NOTFOUND=return] db group: files ldap [NOTFOUND=return] db
This means:
- look first in the local files (/etc/passwd and /etc/group)
- if not found, use LDAP
- when LDAP does not have user information, exit and return nothing (this is the [NOTFOUND=return] directive)
- if the LDAP server was not reachable, proceed with using the cached data
PAM
The PAM configuration is split in 4 files: common-account, common-auth, common-password and common-session. They are included in the other configuration files like login, ssh, ..
Edit /etc/pam.d/common-account and add pam_ldap.so, like this:
account sufficient pam_ldap.so account required pam_unix.so
Edit /etc/pam.d/common-auth and add pam_ldap.so, like this:
auth sufficient pam_ldap.so auth required pam_unix.so nullok_secure use_first_pass
Edit /etc/pam.d/common-password and add pam_ldap.so, like this:
password sufficient pam_ldap.so password required pam_unix.so nullok obscure min=4 max=8 md5
Optionally, and not related to LDAP, if you want stronger passwords, you might be interested in libpam-cracklib (see InstallingSoftware).
To activate it you'll need to edit /etc/pam.d/common-password:
password required pam_cracklib.so retry=3 minlen=6 difok=3 password sufficient pam_ldap.so use_authtok nullok md5 password required pam_unix.so use_authtok use_first_pass
Edit /etc/pam.d/common-session and add pam_ldap.so, like this:
session sufficient pam_ldap.so session required pam_unix.so
Handy is to automatically create the home directory at first logon. Edit the common-session file again:
session required pam_unix.so session required pam_mkhomedir.so skel=/etc/skel/ session optional pam_ldap.so session optional pam_foreground.so
Credits
- Most of the information used in this document was found on the following page:
- Some additional documentation I found here: http://www.gentoo.org/doc/en/ldap-howto.xml
