
UbuntuHelp:SunLDAPClientAuthentication

From Ubuntu Chinese

Revision as of 18:58, 12 May 2009 (Tue) by Wikibot (talk | contribs)


Foreword

After Sun's announcement that the Sun Java Enterprise System suite was being open-sourced and made free of charge, there is now another viable alternative to OpenLDAP. The following guide is intended only for readers who want to authenticate Ubuntu clients against an existing Sun Java Enterprise System Directory Server. Users who want to authenticate against an OpenLDAP server should use the LDAPClientAuthentication page instead.

Name Service Switch Setup

The first step is to set up nss-ldap, the LDAP module for the Name Service Switch (NSS). During installation, accept all the defaults:

user@host:~$ sudo apt-get install libnss-ldap

In order to resolve users and groups through LDAP, /etc/nsswitch.conf needs to be edited so that every "compat" source becomes "files ldap":

user@host:~$ sudo vi /etc/nsswitch.conf

# perform the following vi commands
:1,$s/compat/files ldap/g
:x!

The /etc/libnss-ldap.conf file is where all the settings are configured. For brevity, the example libnss-ldap.conf is attached rather than reproduced in this document: attachment:libnss-ldap.conf. To test the nss-ldap setup, run the following command; if the switch is working, the output includes the shadow entries served from LDAP in addition to the local ones:

user@host:~$ getent shadow
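The vi substitution above has to be typed by hand on every client. The following script is an added example, not part of the original wiki page, that performs the same "compat" to "files ldap" rewrite non-interactively, keeps a backup, and verifies that the passwd, group and shadow databases now list ldap as a source before anything is trusted to the new configuration. The function names and the sample nsswitch.conf content are constructed for the example.

```shell
#!/bin/sh
# Added example: non-interactive equivalent of the vi edit shown on this page.
# Assumes a Debian/Ubuntu style nsswitch.conf whose user databases use "compat".

# Rewrite every "compat" source to "files ldap" in the given nsswitch.conf,
# keeping a timestamped backup next to it so the change can be reverted.
nss_enable_ldap() {
    conf="$1"
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    sed -i 's/compat/files ldap/g' "$conf"
}

# Return 0 when passwd, group and shadow each list "ldap" as a source,
# 1 otherwise. Lines are matched after the database name and whitespace.
nss_check_ldap() {
    conf="$1"
    for db in passwd group shadow; do
        grep -Eq "^${db}:[[:space:]].*[[:space:]]ldap([[:space:]]|$)" "$conf" || return 1
    done
    return 0
}

# Count the entries a database resolves to through the switch.
# Only meaningful on a real client with the LDAP server reachable,
# e.g. "nss_count_entries shadow" as root.
nss_count_entries() {
    getent "$1" | wc -l
}

# Typical use on a client (run as root):
#   nss_enable_ldap /etc/nsswitch.conf && nss_check_ldap /etc/nsswitch.conf && nss_count_entries passwd
```

Running the check before and after the rewrite gives a clear pass/fail signal that can be scripted into a provisioning step, and the backup file records exactly what the switch looked like before LDAP was added.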

Pluggable Authentication Modules Setup

The next step requires pam-ldap, the LDAP-specific PAM package. Answer <No> to the two questions asked during installation:

user@host:~$ sudo apt-get install libpam-ldap

The configuration file provided with the libpam-ldap package is unnecessary and can be replaced by a symbolic link to libnss-ldap.conf, so that both modules read the same settings:

user@host:~$ sudo rm /etc/pam_ldap.conf
user@host:~$ sudo ln -s /etc/libnss-ldap.conf /etc/pam_ldap.conf

To complete the configuration of the pam-ldap package, the following files in the /etc/pam.d directory need to be changed so that pam_ldap.so is consulted before pam_unix.so:

user@host:~$ cd /etc/pam.d
user@host:/etc/pam.d$ sudo vi common-account

  account sufficient    pam_ldap.so
  account required      pam_unix.so

user@host:/etc/pam.d$ sudo vi common-auth

  auth  sufficient      pam_ldap.so
  auth  required        pam_unix.so nullok_secure use_first_pass

user@host:/etc/pam.d$ sudo vi common-password

  password  sufficient pam_ldap.so nullok
  password  required   pam_unix.so nullok obscure min=4 max=8 md5

user@host:/etc/pam.d$ sudo vi common-session

  session sufficient    pam_ldap.so
  session required      pam_unix.so

user@host:/etc/pam.d$ cd ~

To test the pam-ldap setup, attempt to log on as an LDAP user.

Name Service Caching Daemon Setup

The final step in the LDAP client setup is to install nscd, the name service caching daemon, so that repeated lookups are served from a local cache instead of generating excess LDAP traffic:

user@host:~$ sudo apt-get install nscd
user@host:~$ sudo mkdir -p /var/db/nscd /var/run/nscd
user@host:~$ sudo /etc/init.d/nscd start

References