梦想之鹰的天空

LDAP与Samba 整合[转]  

2013-12-27 12:01:37 | Category: Linux
Lightweight Directory Access Protocol
LDAP and Samba Integration
Centralized account management

OpenLDAP + Samba 3
Version 1.
 
Steps to build the LDAP server
 
Install LDAP
#yum -y install openldap*
 
Set the LDAP root suffix and the manager (rootdn) account and password
#vi /etc/openldap/slapd.conf
database bdb
suffix  "dc=r105,dc=com"
rootdn  "cn=Manager,dc=r105,dc=com"
rootpw  secret
The rootdn bypasses every access control rule in slapd, so this password is equivalent to full control of the directory. A cleartext rootpw as above works, but a hashed value is safer to keep in a configuration file: generate one with slappasswd -s secret and paste the resulting {SSHA}... string as the rootpw value.
 
Create the file root.ldif (no leading spaces in the LDIF lines: in LDIF a leading space continues the previous line)
#mkdir /etc/openldap/data
#vi /etc/openldap/data/root.ldif

dn: dc=r105,dc=com
dc: r105
objectClass: dcObject
objectClass: organizationalUnit
ou: r105 Dot com
 
Create the file group.ldif
#vi /etc/openldap/data/group.ldif
dn: ou=group,dc=r105,dc=com
ou: group
objectClass: organizationalUnit
 
Create the file people.ldif
#vi /etc/openldap/data/people.ldif
dn: ou=people,dc=r105,dc=com
ou: people
objectClass: organizationalUnit

Copy DB_CONFIG to where the bdb backend expects it
#cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
 
Load the root entry into LDAP (slapadd writes the database files directly, so run it while slapd is stopped)
#slapadd -v -l /etc/openldap/data/root.ldif

Add the group container under r105.com
#slapadd -v -l /etc/openldap/data/group.ldif

Add the people container under r105.com
#slapadd -v -l /etc/openldap/data/people.ldif

Start LDAP at boot
#chkconfig --level 135 ldap on
 
Migrating local accounts into LDAP
Next we move the local accounts onto the LDAP server. To convert the local accounts and local groups into an LDAP-compatible format we use the MigrationTools package; in this example it is unpacked under /usr/src/MigrationTools.
#wget http://www.padl.com/download/MigrationTools.tgz
#tar -zxvf MigrationTools.tgz
#mv MigrationTools-47 /usr/src/MigrationTools
 
Preparation: change the site-specific defaults (DEFAULT_BASE is a DN, not a domain name)
#vi /usr/src/MigrationTools/migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "r105.com";
$DEFAULT_BASE = "dc=r105,dc=com";
 
Convert all local accounts (users) to LDIF and load them
#cd /usr/src/MigrationTools
#./migrate_passwd.pl /etc/passwd local.passwd.ldif
#slapadd -v -l local.passwd.ldif
Two things to know about this step: run as root, migrate_passwd.pl reads /etc/shadow and copies each {crypt} password hash into the userPassword attribute, and it converts every line of /etc/passwd, including root and the system accounts. Review local.passwd.ldif before loading it, and keep root and the service accounts out of the directory.

Convert all local accounts (groups) to LDIF with MigrationTools and load them
#./migrate_group.pl /etc/group local.group.ldif
#slapadd -v -l local.group.ldif
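The user-migration step above, as an added example (not MigrationTools' code and not from the original page): it emits the same kind of posixAccount entries that migrate_passwd.pl does, but only for accounts with uid >= 500, so root and the service accounts stay in /etc/passwd. The passwd text is constructed for the example; the base DN and ou=people match the tree created above. It leaves userPassword out on purpose, so passwords are set afterwards with ldappasswd (or the Samba hashes with smbpasswd), rather than copying crypt hashes out of /etc/shadow.

```python
# Added example (not from the original page or MigrationTools): build the
# posixAccount LDIF that migrate_passwd.pl would, but only for regular users.
# The sample passwd text below is constructed for this example.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
alice:x:500:500:Alice Liu:/home/alice:/bin/bash
bob:x:501:501:Bob Chen,,,:/home/bob:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; skips blank lines and comments."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      # only the full-name part of a GECOS field
                      "gecos": gecos.split(",")[0], "home": home, "shell": shell})
    return users


def ldif_entry(user, base_dn, people_ou):
    """One posixAccount entry placed under the ou the tutorial created."""
    return "\n".join([
        "dn: uid=%s,ou=%s,%s" % (user["name"], people_ou, base_dn),
        "uid: %s" % user["name"],
        "cn: %s" % (user["gecos"] or user["name"]),
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        "uidNumber: %d" % user["uid"],
        "gidNumber: %d" % user["gid"],
        "homeDirectory: %s" % user["home"],
        "loginShell: %s" % user["shell"],
    ])


def passwd_to_ldif(text, base_dn="dc=r105,dc=com", people_ou="people", min_uid=500):
    """Return LDIF for every account with uid >= min_uid (the same threshold
    the pam_succeed_if lines below use); system accounts are left alone."""
    entries = [ldif_entry(u, base_dn, people_ou)
               for u in parse_passwd(text) if u["uid"] >= min_uid]
    return "\n\n".join(entries) + ("\n" if entries else "")


if __name__ == "__main__":
    # Pipe the output into: slapadd -v -l /dev/stdin  (with slapd stopped)
    print(passwd_to_ldif(SAMPLE_PASSWD))
```

Run it on a real /etc/passwd by replacing SAMPLE_PASSWD with the file contents; the uid threshold is the same 500 that the pam_succeed_if rules in the PAM section treat as the boundary between system and regular accounts.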
 
Give ownership of the LDAP database files to ldap (slapadd ran as root and created them root-owned; slapd runs as ldap and cannot open them otherwise)
#chown ldap:ldap /var/lib/ldap/*

Start LDAP
#service ldap start

List the users and groups under r105.com
#ldapsearch -x -b "dc=r105,dc=com"
 
Integrating LDAP with PAM

First change the name-service lookup order
#vi /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
 
 
Edit ldap.conf under /etc/openldap (the OpenLDAP client library defaults)
#vi /etc/openldap/ldap.conf
# add the following three lines (the directive for the server address is URI, not URL)
HOST 127.0.0.1
BASE dc=r105,dc=com
URI ldap://127.0.0.1
 
 
Then edit /etc/ldap.conf (the nss_ldap / pam_ldap client configuration)
#vi /etc/ldap.conf
host 127.0.0.1
base dc=r105,dc=com
uri ldap://127.0.0.1/

bind_policy soft
 
Switch PAM system authentication to LDAP (this needs the nss_ldap-xxx-x package, which provides pam_ldap.so)
#vi /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

How this stack behaves: the local files are tried first (pam_unix is sufficient), and only accounts with uid >= 500 fall through to pam_ldap, so root and the system accounts never authenticate against the directory. The nullok option on pam_unix accepts accounts whose password field is empty; remove it unless you rely on that.
 
We now have LDAP, and PAM has been told to authenticate against it, so the next step is adding accounts. The useradd and adduser commands you are used to cannot be used for this, because they only create users in the local files; an account created that way does not exist in LDAP and cannot be used there.
 
Configuring the LDAP client
For users who are not comfortable hand-editing the configuration, the same client settings can be made with the text-mode tool:

authconfig-tui
 
 
smb.conf
Edit /etc/samba/smb.conf
#vi /etc/samba/smb.conf
workgroup = r105
netbios name = samba2
encrypt passwords = yes
security = user
# remove the ";" and set the OS level to 33, which announces this host as an NT server
os level = 33
# remove the ";" from the lines that make Samba the domain controller

# the following address points at the LDAP server
passdb backend = ldapsam:ldap://10.120.13.31/
ldap suffix = "dc=r105,dc=com"
ldap admin dn = "cn=Manager,dc=r105,dc=com"
ldap port = 389
ldap delete dn = no
ldap ssl = no

#==== Share Definitions =======
[homes]
comment = Home Directories
browseable = no
writeable = yes

[tmp]
path = /tmp
read only = no

With ldap ssl = no, the admin DN bind and every password hash Samba reads or writes cross the network to 10.120.13.31 in the clear. Use ldap ssl = start tls (with a server certificate configured on slapd) on any network segment you do not fully trust.
 
Connecting the Samba server to the LDAP server
Add samba.schema to the LDAP server. If you do not want to write the schema yourself, copy the one shipped with Samba into the LDAP schema directory:
#cp /usr/share/doc/samba-3.0.24/LDAP/samba.schema /etc/openldap/schema/
or copy it from the Samba server:
#scp root@10.120.13.10:/usr/share/doc/samba-3.0.24/LDAP/samba.schema /etc/openldap/schema/
 
Edit slapd.conf (slapd.conf only treats "#" as a comment at the start of a line, so keep notes on their own lines)
#vi /etc/openldap/slapd.conf
include  /etc/openldap/schema/samba.schema
database  bdb
suffix   "dc=r105,dc=com"
rootdn  "cn=Manager,dc=r105,dc=com"
rootpw  123456
# comment out the following lines
#index objectClass     eq,pres
#index ou,cn,mail,surname,givenname eq,pres,sub
#index uidNumber,gidNumber,loginShell eq,pres
#index uid,memberUid    eq,pres,sub
#index nisMapName,nisMapEntry  eq,pres,sub
# add the following lines
index  cn,sn,uid,displayName   pres,sub,eq
index  uidNumber,gidNumber   eq
index  sambaSID     eq
index  sambaPrimaryGroupSID   eq
index  sambaDomainName   eq
index  objectClass     pres,eq
index  default      sub

Notes on this file: the samba.schema include must come after the existing includes for the core, cosine, inetorgperson and nis schemas, which it depends on. The backend stays bdb, the same one the first slapd.conf used and that DB_CONFIG was copied for (the ldbm backend seen in older guides was removed in OpenLDAP 2.4). The rootpw is now 123456; every -w in the commands below must match it. After changing index directives, stop slapd and run slapindex to rebuild the indexes, then make sure the files are still owned by ldap.
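One thing the walkthrough never adds is an access control list. With no access directives, slapd grants read access to everyone, which means the {crypt} hashes MigrationTools copied into userPassword and the NT/LM hashes Samba will store are readable by anonymous binds. The fragment below is an added example, not part of the original page; it goes into slapd.conf after the database definition. The DN cn=samba,dc=r105,dc=com is an assumed dedicated bind account for Samba (set it as ldap admin dn instead of the rootdn, which bypasses ACLs entirely); if you keep cn=Manager as the admin DN these rules simply do not apply to it.

```conf
# Added example: ACLs for the tutorial's slapd.conf (not from the original page).
# cn=samba,dc=r105,dc=com is an assumed bind DN for Samba; create it like the
# Manager entry below and give it its own password.

# Unix password hashes: users may change their own; everyone else may only
# bind with them ("auth"), which is what pam_ldap needs, never read them.
access to attrs=userPassword
        by dn="cn=samba,dc=r105,dc=com" write
        by self write
        by anonymous auth
        by * none

# NT/LM hashes are usable as-is for NTLM authentication, so no one but Samba
# gets to read or write them (users change them through smbpasswd, which
# goes through Samba's bind DN).
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=samba,dc=r105,dc=com" write
        by * none

# Everything else (names, uidNumber, SIDs) is needed by nss_ldap lookups.
access to *
        by dn="cn=samba,dc=r105,dc=com" write
        by * read
```

Check the effect with an anonymous search: ldapsearch -x -b "dc=r105,dc=com" userPassword sambaNTPassword should return entries without either attribute once slapd has been restarted.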
 
Edit ldap.conf
#vi /etc/openldap/ldap.conf
HOST 127.0.0.1
BASE dc=r105,dc=com

Start the LDAP server
/etc/rc.d/init.d/ldap start
 
Edit smb.conf on the Samba server (here LDAP and Samba run on the same host, hence 127.0.0.1)
#vi /etc/samba/smb.conf
passdb backend = ldapsam:ldap://127.0.0.1/
ldap suffix = "dc=r105,dc=com"
ldap machine suffix = ou=Computers
ldap admin dn = "cn=Manager,dc=r105,dc=com"
ldap delete dn = no
ldap ssl = no
 
Restart the Samba server
/etc/rc.d/init.d/smb restart
 
Store the LDAP manager password in /etc/samba/secrets.tdb (the value must be the rootpw set in slapd.conf above)
#smbpasswd -w 123456
Setting stored password for "cn=Manager,dc=r105,dc=com" in secrets.tdb
Because that DN is the rootdn, anyone who can read secrets.tdb (root on the Samba host) gets unrestricted write access to the whole directory. Keep the file at mode 600, and consider giving Samba a dedicated bind DN limited by ACLs instead of the rootdn.
 
Add the Samba administrator account to the LDAP server
On the LDAP server create root.ldif (a different file from the root.ldif that held the base entry)
#vi root.ldif
dn: cn=Manager,dc=r105,dc=com
objectClass: inetOrgPerson
uid: Manager
cn: Manager
sn: Manager

Save the file and run the following command
#ldapadd -f root.ldif -D "cn=Manager,dc=r105,dc=com" -w 123456 -x
adding new entry "cn=Manager,dc=r105,dc=com"
(The base entry dc=r105,dc=com was already loaded with slapadd earlier, so it is not part of this file.)
 
The following command checks that the entry was added
#ldapsearch -x -b "dc=r105,dc=com"
 
Write the Samba administrator password into the LDAP server
#smbpasswd -a Manager
New SMB password:
Retype new SMB password:
Added user Manager.
smbpasswd -a needs the account to resolve through getpwnam, i.e. to exist in /etc/passwd or as a posixAccount in LDAP; the inetOrgPerson entry alone does not provide that, which is why the user1 procedure below creates the local account first.
 
Query what was just written
#ldapsearch -x -b "cn=Manager,dc=r105,dc=com"
The entry now carries many more attributes than before (the sambaSamAccount object class, sambaSID, sambaNTPassword and so on).
 
 
Add a Samba user account to the LDAP server
On the Samba server create the user account without giving it a password
#adduser user1

Then on the LDAP server create user1.ldif
#vi user1.ldif
dn: cn=user1,dc=r105,dc=com
objectClass: inetOrgPerson
uid: user1
cn: user1
sn: user1
Then run the following command
#ldapadd -f user1.ldif -D "cn=Manager,dc=r105,dc=com" -w 123456 -x
adding new entry "cn=user1,dc=r105,dc=com"

Check that it was added
#ldapsearch -x -b "cn=user1,dc=r105,dc=com"

Set the user's password, again on the LDAP server
#smbpasswd -a user1
New SMB password:
Retype new SMB password:
Added user user1.
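What the smbpasswd -a step stores, as an added example (not Samba's code and not from the original page): the entry gains the sambaSamAccount object class, a sambaSID derived from the Unix uid, and sambaNTPassword, which is an unsalted MD4 of the UTF-16LE password. The domain SID below is made up (read the real one with net getlocalsid on the Samba server); uid/gid 500 assume the adduser step above; Samba's default algorithmic rid base of 1000 is assumed. The point for an operator is in nt_hash: the stored value is usable as-is for NTLM authentication, so read access to sambaNTPassword is equivalent to knowing the password.

```python
# Added example (not Samba's code): what `smbpasswd -a user1` ends up storing
# in the LDAP entry when passdb backend = ldapsam. Assumptions: the domain SID
# below is made up (read the real one with `net getlocalsid`), uid/gid 500 come
# from the adduser step, and Samba's default `algorithmic rid base` is 1000.
import struct
import time

DOMAIN_SID = "S-1-5-21-1234567890-1234567890-1234567890"  # assumed, not real

_M = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data):
    """MD4 per RFC 1320, written out because hashlib's md4 is an OpenSSL
    'legacy' algorithm and is missing on many current Python builds."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F(b,c,d) = (b & c) | (~b & d)
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & _M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: majority, words 0,4,8,12,1,5,9,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & _M,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: xor, words 0,8,4,12,2,10,6,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """sambaNTPassword: unsalted MD4 of the UTF-16LE password, upper-case hex.
    No salt, no iteration: the stored value *is* the credential (pass-the-hash)."""
    return md4(password.encode("utf-16-le")).hex().upper()


def user_sid(uid, domain_sid=DOMAIN_SID, rid_base=1000):
    """Samba 3 algorithmic mapping: user RID = 2*uid + base."""
    return "%s-%d" % (domain_sid, 2 * uid + rid_base)


def group_sid(gid, domain_sid=DOMAIN_SID, rid_base=1000):
    """Group RID = 2*gid + base + 1 (interleaved with the user RIDs)."""
    return "%s-%d" % (domain_sid, 2 * gid + rid_base + 1)


def samba_modify_ldif(dn, uid, gid, password, now=None):
    """LDIF 'changetype: modify' adding the attributes smbpasswd -a creates."""
    now = int(time.time()) if now is None else now
    return "\n".join([
        "dn: %s" % dn,
        "changetype: modify",
        "add: objectClass",
        "objectClass: sambaSamAccount",
        "-",
        "add: sambaSID",
        "sambaSID: %s" % user_sid(uid),
        "-",
        "add: sambaPrimaryGroupSID",
        "sambaPrimaryGroupSID: %s" % group_sid(gid),
        "-",
        "add: sambaNTPassword",
        "sambaNTPassword: %s" % nt_hash(password),
        "-",
        "add: sambaAcctFlags",
        "sambaAcctFlags: [U          ]",
        "-",
        "add: sambaPwdLastSet",
        "sambaPwdLastSet: %d" % now,
    ]) + "\n"


if __name__ == "__main__":
    print(samba_modify_ldif("cn=user1,dc=r105,dc=com", 500, 500, "password"))
```

Compare the generated sambaSID and sambaNTPassword with what ldapsearch -x -D "cn=Manager,dc=r105,dc=com" -w 123456 -b "cn=user1,dc=r105,dc=com" returns after the smbpasswd step; the SID matches only if the domain SID and the rid base assumptions hold for your server.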
 

References

Network Manage: an efficient network management proposal (build notes), by 350@ms12.url.com.tw

Linux 與 Windows共舞, 異質平台整合方案 (Linux and Windows together: heterogeneous platform integration), 施威銘研究室, ISBN 957-442-084-1