"UbuntuHelp:AlternativeActiveDirectory/zh": difference between revisions

From Ubuntu中文

{{Translation}}<br> {{From|http://wiki.ubuntu.org.cn/UbuntuHelp:AlternativeActiveDirectory}}<br> {{Translator|isbasic}}<br> {{Languages|UbuntuHelp:AlternativeActiveDirectory}}

Revision as of 11:03, 13 March 2008 (Thursday)

Active Directory from Microsoft is a directory service that uses some open protocols, such as Kerberos, LDAP and SSL. There are several ways to use AD for authentication, and with LDAP tools you can extend a local authentication scheme to "cache" your Active Directory credentials.

LDAP Caching

Configuration and Installation

To install an LDAP caching system you need to compile libpam-script from source and install ldap-utils. Note: you do not have to configure anything in Active Directory for LDAP caching. I have a premade deb for installing libpam-script (https://help.ubuntu.com/community/AlternativeActiveDirectory?action=AttachFile&do=get&target=libpam-script_0.1.11-1_i386.deb) on a Feisty system for anyone not interested in compiling their own. It was compiled with default options, and the deb file was generated automatically with checkinstall. Then you need to set up /etc/pam.d/common-auth as follows:


auth required pam_script.so runas=root expose=1
auth required pam_unix.so nullok_secure use_first_pass

Set up /etc/security/onauth:


#!/bin/bash
# Invoked by pam_script.so on authentication: $1 is the user name, $2 the PAM service.
userid=$1
service=$2
# $3 is supposed to contain $PAM_AUTHTOK, but reading the variable guarantees the correct token is used
authtok=$PAM_AUTHTOK
# Bind to Active Directory as the user with the password just typed and look the account up;
# the bind only succeeds when the password is right. A private temp file replaces the fixed /tmp/ldap.
result=$(mktemp) || exit 0
ldapsearch -h <serverip> -p <port> -D "[email protected]" -x -w "$authtok" -b "dc=your,dc=domain,dc=here" "(samaccountname=$userid)" samaccountname | grep -v filter | grep -i "$userid" | cut -f2 -d' ' > "$result"
# Update the local password only when AD returned exactly this account name.
if [ "$(cat "$result")" == "$userid" ]; then
    usermod -p "$(mkpasswd "$authtok")" "$userid"
fi
rm -f "$result"
# Exit 0 regardless; the accept/reject decision itself is made by pam_unix (use_first_pass).
exit 0


This script sets the local password of any domain account to whatever the domain password is. Make sure this is what you want, because every local account will have its password changed after a successful login to the domain. Password changes must be made through other means: with this mechanism Active Directory is the final authority on passwords, and the synchronization is one-way, from the directory to the local host.
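The onauth script above caches in three steps: bind to AD as the user with the password just entered, check that the directory returned the same account name, and write that password into the local shadow entry. The following is an added example, not the wiki's onauth script, that performs the same steps as shell functions with the weak points of the one-liner tightened: the user name is validated before it is spliced into the LDAP filter, the password is handed to ldapsearch through a private file (-y) and to mkpasswd via stdin rather than on a command line, the LDIF result is parsed instead of grepped, and the hash method for the cached password is pinned to SHA-512. The server, port, domain and base DN (example.invalid) are placeholders to be overridden through the environment, and SAMPLE_LDIF is constructed so the parser can be exercised without a directory server.

```shell
#!/bin/bash
# Added example, not the wiki's onauth script: bind-as-the-user check plus
# local cache update, with the user name validated, the password kept off
# command lines, the LDIF parsed, and the shadow hash method pinned.

# Accept only names that are safe to splice into an LDAP filter and to pass
# to usermod; wildcards, parentheses and whitespace are refused outright.
valid_username() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 when the LDIF text in $2 contains exactly one sAMAccountName
# attribute whose value equals $1 exactly (case-sensitive, whole value).
# A base64-encoded value ("sAMAccountName:: ...") does not match, which is
# the conservative outcome for an unexpected encoding.
ad_result_matches() {
    local want="$1" ldif="$2" count
    count=$(printf '%s\n' "$ldif" | awk -v want="$want" -F': ' \
        'tolower($1) == "samaccountname" && $2 == want { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ]
}

# Bind to AD as the user with the supplied password and search for the
# account. The password reaches ldapsearch through a mode-0600 temp file
# (-y) instead of -w, so it is not visible in the process list. Prints the
# LDIF result; a non-zero return means the bind or the search failed.
# AD_SERVER/AD_PORT/AD_DOMAIN/AD_BASE are assumed environment overrides.
ad_bind_search() {
    local user="$1" pass="$2" pwfile out rc
    pwfile=$(mktemp) || return 1
    chmod 600 "$pwfile"
    printf '%s' "$pass" > "$pwfile"
    if out=$(ldapsearch -LLL -x \
            -H "ldap://${AD_SERVER:-ad.example.invalid}:${AD_PORT:-389}" \
            -D "${user}@${AD_DOMAIN:-example.invalid}" -y "$pwfile" \
            -b "${AD_BASE:-dc=example,dc=invalid}" \
            "(sAMAccountName=$user)" sAMAccountName); then
        rc=0
    else
        rc=$?
    fi
    rm -f "$pwfile"
    printf '%s\n' "$out"
    return "$rc"
}

# Hash for usermod -p, read from stdin so the password is not an argument.
# The method is pinned because older mkpasswd releases default to DES crypt.
hash_for_shadow() {
    printf '%s\n' "$1" | mkpasswd -m sha-512 -s
}

# The onauth contract: $1 is the user, $2 the password (PAM_AUTHTOK).
# Returns 0 only when AD accepted the bind and returned this exact account;
# only then is the local password replaced.
cache_ad_password() {
    local user="$1" pass="$2" ldif
    valid_username "$user" || return 1
    ldif=$(ad_bind_search "$user" "$pass") || return 1
    ad_result_matches "$user" "$ldif" || return 1
    usermod -p "$(hash_for_shadow "$pass")" "$user"
}

# Constructed LDIF, shaped like ldapsearch -LLL output after a successful
# bind; it exercises the parser without a directory server.
SAMPLE_LDIF='dn: CN=Alice Example,CN=Users,DC=example,DC=invalid
sAMAccountName: alice'
```

In /etc/security/onauth the functions are followed by `cache_ad_password "$1" "$PAM_AUTHTOK"` and the unconditional `exit 0`, so the directory remains the only authority on the password and pam_unix still makes the accept/reject decision.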

Local Accounts

Local accounts are necessary before any users can log in to the system. They can be created either in the local passwd file or by setting up LDAP for the Linux users. Either way, the account names have to be extracted from Active Directory to synchronize the accounts before use. The following script illustrates one way to make the users:

#!/bin/bash
# usage: makeuser <domain> <username> [details]
# The home directory is placed under /home/<domain>/, so the domain a user came from
# can be recovered later from the passwd entry.
useradd -m -c "$3 $4 $5 $6" -d "/home/$1/$2" "$2"

This script can be run in a loop over a list of usernames read from a file:


# ${line} is deliberately left unquoted: the details after the username become makeuser's $3..$6
cat userlist | while read -r line; do sudo ./makeuser mydomain ${line}; done

The userlist file should be formatted similar to the following:

firstuser User, First
seconduser User, Second 2nd
thirduser User, 3rd Third details


Because makeuser places each home directory under /home/<domain>/, the domain a user was created from can be recovered at authentication time with a simple getent passwd <user> and grepping/cutting the home-directory field; this method therefore supports multiple domains, as long as each domain contains a unique set of users. To create the userlist file, I used a bit of LDAP querying and manipulation of the results. You can use any means you wish to get the list. Once the accounts are created, you should have an automated way to recreate this list and re-import the usernames on a regular basis, so that any new accounts created in Active Directory are also reflected in your local cache. Inquiries: MailTo(clay DOT berlo AT gmail DOT com)
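The makeuser script, the userlist loop and the "which domain did this user come from" lookup above are three parts of one account layout, /home/<domain>/<user>. The following is an added example, not the wiki's makeuser script, that factors those parts into functions which can be run without root: makeuser_cmd only prints the useradd invocation that makeuser would execute (and joins however many detail words follow the username into the comment, where the wiki's script stops at four), and domain_of_user extracts the domain from a passwd entry the way the page suggests doing with getent and cut. SAMPLE_USERLIST and SAMPLE_PASSWD are constructed inputs in the formats the page describes.

```shell
#!/bin/bash
# Added example, not the wiki's makeuser script: the /home/<domain>/<user>
# layout with the userlist parsing and the domain lookup as testable
# functions. Nothing here creates accounts; the useradd line is printed.

# Constructed sample input in the userlist format described on the page:
# the username first, then free-form details that become the GECOS comment.
SAMPLE_USERLIST='firstuser User, First
seconduser User, Second 2nd
thirduser User, 3rd Third details'

# Constructed sample of what "getent passwd" would return for accounts
# created under two different domains, plus a non-domain account.
SAMPLE_PASSWD='firstuser:x:1001:1001:User, First:/home/mydomain/firstuser:/bin/bash
seconduser:x:1002:1002:User, Second 2nd:/home/otherdomain/seconduser:/bin/bash
root:x:0:0:root:/root:/bin/bash'

# Print the useradd command makeuser would run for one userlist line.
# $1 = domain, $2 = the whole line. Everything after the first word is the
# comment, so the number of detail words no longer matters.
makeuser_cmd() {
    local domain="$1" line="$2" user details
    user=${line%% *}
    if [ "$user" = "$line" ]; then
        details=""
    else
        details=${line#* }
    fi
    printf 'useradd -m -c "%s" -d "/home/%s/%s" "%s"\n' "$details" "$domain" "$user" "$user"
}

# Given a user name and passwd-format text (the output of getent passwd),
# print the domain component of the home directory, or return 1 when the
# account was not created under /home/<domain>/<user>.
domain_of_user() {
    local user="$1" passwd="$2" home
    home=$(printf '%s\n' "$passwd" | awk -F: -v u="$user" '$1 == u { print $6; exit }')
    case "$home" in
        /home/*/"$user")
            home=${home#/home/}
            printf '%s\n' "${home%/*}"
            ;;
        *)
            return 1
            ;;
    esac
}

# Walk the list the way the page's one-liner does, through the dry-run
# function; swap in the real makeuser once the printed commands look right.
printf '%s\n' "$SAMPLE_USERLIST" | while IFS= read -r line; do
    makeuser_cmd mydomain "$line"
done
```

At authentication time the onauth script can call domain_of_user "$userid" "$(getent passwd "$userid")" to choose which directory to bind against, which is what makes the per-domain home layout worth keeping.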