“UbuntuHelp:AlternativeActiveDirectory”的版本间的差异
来自Ubuntu中文
小 (新页面: {{From|https://help.ubuntu.com/community/AlternativeActiveDirectory}} {{Languages|UbuntuHelp:AlternativeActiveDirectory}} '''Active Directory''' from Microsoft is a directory service that...) |
小 |
||
| (未显示同一用户的8个中间版本) | |||
| 第2行: | 第2行: | ||
{{Languages|UbuntuHelp:AlternativeActiveDirectory}} | {{Languages|UbuntuHelp:AlternativeActiveDirectory}} | ||
'''Active Directory''' from Microsoft is a directory service that uses some open protocols, like Kerberos, LDAP and SSL. | '''Active Directory''' from Microsoft is a directory service that uses some open protocols, like Kerberos, LDAP and SSL. | ||
| − | |||
There are several ways to use AD for authentication, and with LDAP tools you can extend a local authentication scheme to "cache" your Active Directory credentials. | There are several ways to use AD for authentication, and with LDAP tools you can extend a local authentication scheme to "cache" your Active Directory credentials. | ||
| − | |||
== LDAP Caching: == | == LDAP Caching: == | ||
=== Configuration and Installation === | === Configuration and Installation === | ||
| − | + | To install a LDAP caching system you need to compile '''libpam-script''' from source and install '''ldap-utils'''. Note: you don't have to configure anything in Active Directory for LDAP caching. I have a premade deb for installing libpam-script ([[UbuntuHelp:attachment:libpam-script_0.1.11-1_i386.deb|attachment:libpam-script_0.1.11-1_i386.deb]]) on a Feisty system for anyone not interested in compiling their own. It was compiled with default options and a deb file automatically generated with '''checkinstall'''. | |
| − | To install a LDAP caching system you need to compile '''libpam-script''' from source and install '''ldap-utils'''. Note: you don't have to configure anything in Active Directory for LDAP caching. I have a premade deb for installing libpam-script ( | + | |
| − | + | ||
Then you need to set up /etc/pam.d/common-auth as follows: | Then you need to set up /etc/pam.d/common-auth as follows: | ||
| − | + | <pre><nowiki> | |
| − | <pre><nowiki> auth required pam_script.so runas=root expose=1 | + | auth required pam_script.so runas=root expose=1 |
| − | auth required pam_unix.so nullok_secure use_first_pass | + | auth required pam_unix.so nullok_secure use_first_pass |
</nowiki></pre> | </nowiki></pre> | ||
set up /etc/security/onauth: | set up /etc/security/onauth: | ||
| − | + | <pre><nowiki> | |
| − | <pre><nowiki> #!/bin/bash | + | #!/bin/bash |
userid=$1 | userid=$1 | ||
service=$2 | service=$2 | ||
| 第24行: | 第20行: | ||
ldapsearch -h <serverip> -p <port> -D"[email protected]" -x -w$authtok -b "dc=your,dc=domain,dc=here" "(samaccountname=$1)" samaccountname | grep -v filter | grep -i $1 | cut -f2 -d' ' > /tmp/ldap | ldapsearch -h <serverip> -p <port> -D"[email protected]" -x -w$authtok -b "dc=your,dc=domain,dc=here" "(samaccountname=$1)" samaccountname | grep -v filter | grep -i $1 | cut -f2 -d' ' > /tmp/ldap | ||
if [ "`cat /tmp/ldap`" == "$1" ]; then | if [ "`cat /tmp/ldap`" == "$1" ]; then | ||
| − | usermod -p `mkpasswd $authtok` $1; | + | usermod -p `mkpasswd $authtok` $1; |
fi | fi | ||
exit 0 | exit 0 | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
This script sets the local password for any domain account to whatever the domain password is. Make sure this is what you want, because any local accounts will have their password changed after a successful login to the domain. | This script sets the local password for any domain account to whatever the domain password is. Make sure this is what you want, because any local accounts will have their password changed after a successful login to the domain. | ||
| − | |||
Password changing must be done through other means; the Active Directory is the final authority on passwords with this mechanism, and it is one way. | Password changing must be done through other means; the Active Directory is the final authority on passwords with this mechanism, and it is one way. | ||
| − | |||
== Local Accounts == | == Local Accounts == | ||
=== Configure Accounts === | === Configure Accounts === | ||
| − | |||
Local accounts are necessary before any users can login to the system. This can be done either through a local passwd file or by setting up LDAP for the Linux users. Either way, extraction of the account names from Active Directory has to be done to synchronize the accounts before use. The following script illustrates one way to make the users: | Local accounts are necessary before any users can login to the system. This can be done either through a local passwd file or by setting up LDAP for the Linux users. Either way, extraction of the account names from Active Directory has to be done to synchronize the accounts before use. The following script illustrates one way to make the users: | ||
| − | + | <pre><nowiki> | |
| − | <pre><nowiki>#!/bin/bash | + | #!/bin/bash |
# usage: makeuser <domain> <username> [details] | # usage: makeuser <domain> <username> [details] | ||
useradd $2 -c"$3 $4 $5 $6" -d/home/$1/$2 -m | useradd $2 -c"$3 $4 $5 $6" -d/home/$1/$2 -m | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
This script can be called recursively with a list of usernames from a file by using: | This script can be called recursively with a list of usernames from a file by using: | ||
| − | + | <pre><nowiki> | |
| − | <pre><nowiki>cat userlist | while read line; do sudo ./makeuser mydomain ${line}; done | + | cat userlist | while read line; do sudo ./makeuser mydomain ${line}; done |
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
The userlist file should be formatted similar to the following: | The userlist file should be formatted similar to the following: | ||
| − | + | <pre><nowiki> | |
| − | <pre><nowiki>firstuser User, First | + | firstuser User, First |
seconduser User, Second 2nd | seconduser User, Second 2nd | ||
thirduser User, 3rd Third details | thirduser User, 3rd Third details | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
By calling the makeuser script with a domain component, it is easier to search which domain the user was created from at authentication time; thus this method supports multiple domains (for example using a simple getent passwd <user>, and grepping/cutting the results), as long as each domain contains a unique set of users. | By calling the makeuser script with a domain component, it is easier to search which domain the user was created from at authentication time; thus this method supports multiple domains (for example using a simple getent passwd <user>, and grepping/cutting the results), as long as each domain contains a unique set of users. | ||
| − | |||
To create the userlist file, I used a bit of LDAP querying and manipulating the results. You can use any means you wish to get the list. Once accounts are created, you should have an automated way to recreate this list and reimport the usernames on a regular basis to ensure any new accounts created on the Active Directory are also reflected in your local cache. | To create the userlist file, I used a bit of LDAP querying and manipulating the results. You can use any means you wish to get the list. Once accounts are created, you should have an automated way to recreate this list and reimport the usernames on a regular basis to ensure any new accounts created on the Active Directory are also reflected in your local cache. | ||
| − | + | Inquiries: <<MailTo(clay DOT berlo AT gmail DOT com)>> | |
| − | Inquiries: | + | |
---- | ---- | ||
[[category:CategorySecurity]] | [[category:CategorySecurity]] | ||
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] | ||
2010年5月19日 (三) 17:19的最新版本
Active Directory from Microsoft is a directory service that uses some open protocols, like Kerberos, LDAP and SSL.
There are several ways to use AD for authentication, and with LDAP tools you can extend a local authentication scheme to "cache" your Active Directory credentials.
LDAP Caching:
Configuration and Installation
To install a LDAP caching system you need to compile libpam-script from source and install ldap-utils. Note: you don't have to configure anything in Active Directory for LDAP caching. I have a premade deb for installing libpam-script (attachment:libpam-script_0.1.11-1_i386.deb) on a Feisty system for anyone not interested in compiling their own. It was compiled with default options and a deb file automatically generated with checkinstall. Then you need to set up /etc/pam.d/common-auth as follows:
auth required pam_script.so runas=root expose=1 auth required pam_unix.so nullok_secure use_first_pass
set up /etc/security/onauth:
#!/bin/bash userid=$1 service=$2 # $3 is supposed to contain $PAM_AUTHTOK, but this guarantees the correct token is used authtok=$PAM_AUTHTOK ldapsearch -h <serverip> -p <port> -D"[email protected]" -x -w$authtok -b "dc=your,dc=domain,dc=here" "(samaccountname=$1)" samaccountname | grep -v filter | grep -i $1 | cut -f2 -d' ' > /tmp/ldap if [ "`cat /tmp/ldap`" == "$1" ]; then usermod -p `mkpasswd $authtok` $1; fi exit 0
This script sets the local password for any domain account to whatever the domain password is. Make sure this is what you want, because any local accounts will have their password changed after a successful login to the domain. Password changing must be done through other means; the Active Directory is the final authority on passwords with this mechanism, and it is one way.
Local Accounts
Configure Accounts
Local accounts are necessary before any users can login to the system. This can be done either through a local passwd file or by setting up LDAP for the Linux users. Either way, extraction of the account names from Active Directory has to be done to synchronize the accounts before use. The following script illustrates one way to make the users:
#!/bin/bash # usage: makeuser <domain> <username> [details] useradd $2 -c"$3 $4 $5 $6" -d/home/$1/$2 -m
This script can be called recursively with a list of usernames from a file by using:
cat userlist | while read line; do sudo ./makeuser mydomain ${line}; done
The userlist file should be formatted similar to the following:
firstuser User, First seconduser User, Second 2nd thirduser User, 3rd Third details
By calling the makeuser script with a domain component, it is easier to search which domain the user was created from at authentication time; thus this method supports multiple domains (for example using a simple getent passwd <user>, and grepping/cutting the results), as long as each domain contains a unique set of users. To create the userlist file, I used a bit of LDAP querying and manipulating the results. You can use any means you wish to get the list. Once accounts are created, you should have an automated way to recreate this list and reimport the usernames on a regular basis to ensure any new accounts created on the Active Directory are also reflected in your local cache. Inquiries: <<MailTo(clay DOT berlo AT gmail DOT com)>>
