LDAP与Samba 整合[转]  

2013-12-27 12:01:37 | Category: Linux

Lightweight Directory Access Protocol
LDAP and Samba Integration
Centralized account management

OpenLDAP + Samba3
Version 1.
 
LDAP Server Build Steps

Install LDAP
#yum -y install openldap*

Configure the LDAP root suffix and the administrator (rootdn) account and password
#vi /etc/openldap/slapd.conf
database bdb
suffix  "dc=r105,dc=com"
rootdn  "cn=Manager,dc=r105,dc=com"
rootpw  secret
 
Create the file root.ldif
#mkdir /etc/openldap/data
#vi /etc/openldap/data/root.ldif

dn: dc=r105,dc=com
dc: r105
objectClass: dcObject
objectClass: organizationalUnit
ou: r105 Dot com

Create the file group.ldif
#vi /etc/openldap/data/group.ldif
dn: ou=group,dc=r105,dc=com
ou: group
objectClass: organizationalUnit

Create the file people.ldif
#vi /etc/openldap/data/people.ldif
dn: ou=people,dc=r105,dc=com
ou: people
objectClass: organizationalUnit

Copy DB_CONFIG to the required location
#cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Load the root entry into LDAP
#slapadd -v -l /etc/openldap/data/root.ldif

Add the group container to r105.com
#slapadd -v -l /etc/openldap/data/group.ldif

Add the people container to r105.com
#slapadd -v -l /etc/openldap/data/people.ldif

Start LDAP at boot
#chkconfig --level 135 ldap on
 
Converting local accounts to LDAP
Next we move the local accounts onto the LDAP server. To convert the local accounts and local groups into an LDAP-compatible format we use the MigrationTools package; in this example it is unpacked under /usr/src/MigrationTools.
#wget http://www.padl.com/download/MigrationTools.tgz
#tar -zxvf MigrationTools.tgz
#mv MigrationTools-47 /usr/src/MigrationTools

Before converting, change the site-specific defaults (the base must be given as a DN, matching the suffix in slapd.conf)
#vi /usr/src/MigrationTools/migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "r105.com";
$DEFAULT_BASE = "dc=r105,dc=com";

Convert all local accounts (users) to ldif format
#cd /usr/src/MigrationTools
#./migrate_passwd.pl /etc/passwd local.passwd.ldif
#slapadd -v -l local.passwd.ldif

Convert all local accounts (groups) to ldif format, again with the help of the MigrationTools package
#./migrate_group.pl /etc/group local.group.ldif
#slapadd -v -l local.group.ldif
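As an added example (not part of the original post and not MigrationTools' own code), this Python script performs the same conversion that migrate_passwd.pl and migrate_group.pl do, turning /etc/passwd, /etc/shadow and /etc/group records into LDIF under the ou=people and ou=group containers created above. The records, hashes and id numbers are constructed samples, and the cutoff that keeps ids below 500 local is an assumption chosen to match the uid >= 500 / uid < 500 tests in the PAM stack further down.

```python
BASE_DN = "dc=r105,dc=com"   # the suffix configured in slapd.conf on this page
# Constructed sample records (not real accounts); "x" in passwd means the hash is in shadow.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "user1:x:501:501:Test User:/home/user1:/bin/bash\n")
SAMPLE_SHADOW = ("root:$1$rootsalt$constructedhash0:16000:0:99999:7:::\n"
                 "user1:$1$salt1234$constructedhash1:16000:0:99999:7:::\n")
SAMPLE_GROUP = "root:x:0:\nstaff:x:502:user1,user2\n"

def parse_shadow(text):
    """Map user name -> [hash, lastchange, min, max, warn] from /etc/shadow text."""
    rows = (l.split(":") for l in text.splitlines() if l and not l.startswith("#"))
    return {r[0]: r[1:6] for r in rows}

def passwd_to_ldif(passwd_line, shadow):
    """One /etc/passwd line -> posixAccount/shadowAccount entry, as migrate_passwd.pl emits."""
    name, pw, uid, gid, gecos, home, shell = passwd_line.split(":")
    lines = [f"dn: uid={name},ou=people,{BASE_DN}", f"uid: {name}",
             f"cn: {gecos.split(',')[0] or name}", "objectClass: account",
             "objectClass: posixAccount", "objectClass: top", "objectClass: shadowAccount"]
    sh = shadow.get(name)
    if sh:
        pw = sh[0]                            # take the real crypt(3) hash from shadow
    if pw and pw != "x":
        lines.append(f"userPassword: {{crypt}}{pw}")   # pam_ldap can verify this hash
    if sh:
        names = ("shadowLastChange", "shadowMin", "shadowMax", "shadowWarning")
        lines += [f"{a}: {v}" for a, v in zip(names, sh[1:]) if v]
    lines += [f"loginShell: {shell}", f"uidNumber: {uid}", f"gidNumber: {gid}",
              f"homeDirectory: {home}", f"gecos: {gecos}"]
    return "\n".join(lines) + "\n"

def group_to_ldif(group_line):
    """One /etc/group line -> posixGroup entry, as migrate_group.pl emits."""
    name, _pw, gid, members = group_line.split(":")
    lines = [f"dn: cn={name},ou=group,{BASE_DN}", "objectClass: posixGroup",
             "objectClass: top", f"cn: {name}", f"gidNumber: {gid}"]
    lines += [f"memberUid: {m}" for m in members.split(",") if m]
    return "\n".join(lines) + "\n"

def migrate(passwd_text, shadow_text, group_text, min_id=500):
    """LDIF for every user/group whose id is >= min_id. Ids below 500 stay local,
    matching the 'uid >= 500' / 'uid < 500' tests in the PAM stack."""
    shadow = parse_shadow(shadow_text)
    keep = lambda line: line and int(line.split(":")[2]) >= min_id
    users = [passwd_to_ldif(l, shadow) for l in passwd_text.splitlines() if keep(l)]
    groups = [group_to_ldif(l) for l in group_text.splitlines() if keep(l)]
    return "\n".join(users + groups)

if __name__ == "__main__":
    print(migrate(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP))
```

The printed text is what slapadd -l would consume; root and the other system ids are left out so they keep authenticating locally.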
 
Give ownership of the LDAP database files to the ldap user
#chown ldap:ldap /var/lib/ldap/*

Start LDAP
#service ldap start

List the users and groups under r105.com
#ldapsearch -x -b "dc=r105,dc=com"
 
Integrating LDAP with PAM

First change the lookup order
#vi /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap


Edit ldap.conf under /etc/openldap
#vi /etc/openldap/ldap.conf
# add the following three lines
HOST 127.0.0.1
BASE dc=r105,dc=com
URI ldap://127.0.0.1


Then edit ldap.conf under /etc
#vi /etc/ldap.conf
host 127.0.0.1
base dc=r105,dc=com
uri ldap://127.0.0.1/

bind_policy soft
 
Change the PAM system authentication to LDAP (you will need the nss_ldap-xxx-x module)
#vi /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
 
Now that we have LDAP and have told PAM to authenticate against LDAP, we need to add accounts. The familiar useradd and adduser cannot be used for this, because they only create users on the local machine, so accounts created that way are not usable through LDAP.

Configuring the LDAP client
For users who are not comfortable with system configuration, there is a simple way to complete the setup.

Open the text-mode configuration interface
authconfig-tui
 
 
smb.conf
Edit /etc/samba/smb.conf
#vi /etc/samba/smb.conf
workgroup = r105
netbios name = samba2
encrypt passwords = yes
security = user
# remove the ";" and set the OS level to 33, which means NT Server
os level = 33
# remove the ";" to make Samba the domain controller

# the IP address below points at the LDAP server
passdb backend = ldapsam:ldap://10.120.13.31/
ldap suffix = "dc=r105,dc=com"
ldap admin dn = "cn=Manager,dc=r105,dc=com"
ldap port = 389
ldap delete dn = no
ldap ssl = no

#==== Share Definitions =======
[homes]
comment = Home Directories
browseable = no
writeable = yes

[tmp]
path = /tmp
read only = no
 
Integrating the Samba server with the LDAP server
Add samba.schema on the LDAP server. If you do not want to write the schema yourself, copy the one shipped with Samba into the LDAP schema directory
#cp /usr/share/doc/samba-3.0.24/LDAP/samba.schema /etc/openldap/schema/
or copy it over from the Samba server
#scp root@10.120.13.10:/usr/share/doc/samba-3.0.24/LDAP/samba.schema /etc/openldap/schema/

Edit the slapd.conf configuration file
#vi /etc/openldap/slapd.conf
include  /etc/openldap/schema/samba.schema
database  ldbm
suffix   "dc=r105,dc=com"
rootdn  "cn=Manager,dc=r105,dc=com"
# the password is set to 123456
rootpw  123456
# comment out the following lines
#index objectClass     eq,pres
#index ou,cn,mail,surname,givenname eq,pres,sub
#index uidNumber,gidNumber,loginShell eq,pres
#index uid,memberUid    eq,pres,sub
#index nisMapName,nisMapEntry  eq,pres,sub
# add the following lines
index  cn,sn,uid,displayName   pres,sub,eq
index  uidNumber,gidNumber   eq
index  sambaSID     eq
index  sambaPrimaryGroupSID   eq
index  sambaDomainName   eq
index  objectClass     pres,eq
index  default      sub
 
Edit the ldap.conf configuration file
#vi /etc/openldap/ldap.conf
HOST 127.0.0.1
BASE dc=r105,dc=com

Start the LDAP server
/etc/rc.d/init.d/ldap start

Edit the smb.conf configuration file on the Samba server
#vi /etc/samba/smb.conf
passdb backend = ldapsam:ldap://127.0.0.1/
ldap suffix = "dc=r105,dc=com"
ldap machine suffix = ou=Computers
ldap admin dn = "cn=Manager,dc=r105,dc=com"
ldap delete dn = no
ldap ssl = no

Restart the Samba server
/etc/rc.d/init.d/smb restart

Store the LDAP administrator (ldap admin dn) password, the rootpw set above, in /etc/samba/secrets.tdb
#smbpasswd -w 123456
Setting stored password for "cn=Manager,dc=r105,dc=com" in secrets.tdb
 
Adding the Samba administrator account to the LDAP server
On the LDAP server create root.ldif
#vi root.ldif
dn: cn=Manager,dc=r105,dc=com
objectClass: inetOrgPerson
uid: Manager
cn: Manager
sn: Manager

Save the file and run the following command
#ldapadd -f root.ldif -D "cn=Manager,dc=r105,dc=com" -w 123456 -x
Adding new entry "dc=r105,dc=com"
Adding new entry "cn=Manager,dc=r105,dc=com"

The following command checks whether the entry was added successfully
#ldapsearch -x -b "dc=r105,dc=com"

Write the Samba administrator password into the LDAP server
#smbpasswd -a Manager
New SMB password:
Retype new SMB password:
Added user Manager

Query the entry just configured
#ldapsearch -x -b "cn=Manager,dc=r105,dc=com"
It now shows much more information than before
 
 
Adding a Samba user account to the LDAP server
Create the user account on the Samba server without giving it a password
#adduser user1

Then create user1.ldif on the LDAP server
#vi user1.ldif
dn: cn=user1,dc=r105,dc=com
objectClass: inetOrgPerson
uid: user1
cn: user1
sn: user1
Then run the following command
#ldapadd -f user1.ldif -D "cn=Manager,dc=r105,dc=com" -w 123456 -x
Adding new entry "cn=user1,dc=r105,dc=com"

Check that the entry was added
#ldapsearch -x -b "cn=user1,dc=r105,dc=com"

Set the user's password, again on the LDAP server
#smbpasswd -a user1
New SMB password:
Retype new SMB password:
Added user user1.
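As an added example (not from the original post and not the Samba project's code), this shows the SID arithmetic behind what smbpasswd -a writes into the entry above: Samba 3's default algorithmic mapping (algorithmic rid base = 1000, user RID = 2*uid + 1000, group RID = 2*gid + 1001) and the LDIF modify that grafts the auxiliary sambaSamAccount class onto the inetOrgPerson entry. The domain SID and the uid/gid numbers 501/501 are constructed placeholders; the NT/LM password hashes that smbpasswd derives from the typed password are not produced here.

```python
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed placeholder
RID_BASE = 1000                                            # Samba default "algorithmic rid base"

def uid_to_rid(uid):
    """User RID = 2 * uid + base (always even)."""
    return 2 * uid + RID_BASE

def gid_to_rid(gid):
    """Group RID = 2 * gid + base + 1 (always odd), so user and group RIDs never collide."""
    return 2 * gid + RID_BASE + 1

def rid_to_id(rid):
    """Reverse mapping: ("uid", n) or ("gid", n). RIDs below the base are well-known
    RIDs (Administrator, Domain Admins, ...) and are not algorithmic."""
    if rid < RID_BASE:
        raise ValueError(f"RID {rid} is below the algorithmic base; it is a well-known RID")
    off = rid - RID_BASE
    return ("uid", off // 2) if off % 2 == 0 else ("gid", (off - 1) // 2)

def samba_modify_ldif(dn, uid, gid, domain_sid=DOMAIN_SID):
    """LDIF 'changetype: modify' that adds the Samba attributes to an existing user entry.
    sambaNTPassword / sambaLMPassword are set by smbpasswd from the typed password and
    are deliberately left out here."""
    adds = [
        ("objectClass", "sambaSamAccount"),                      # auxiliary class from samba.schema
        ("sambaSID", f"{domain_sid}-{uid_to_rid(uid)}"),          # MUST attribute of sambaSamAccount
        ("sambaPrimaryGroupSID", f"{domain_sid}-{gid_to_rid(gid)}"),
        ("sambaAcctFlags", "[U          ]"),                     # normal, enabled user account
    ]
    body = "\n-\n".join(f"add: {a}\n{a}: {v}" for a, v in adds)
    return f"dn: {dn}\nchangetype: modify\n{body}\n"

if __name__ == "__main__":
    # user1 was created locally with adduser above; 501/501 are assumed sample ids
    print(samba_modify_ldif("cn=user1,dc=r105,dc=com", 501, 501))
```

The output can be fed to ldapmodify -x -D "cn=Manager,dc=r105,dc=com" -W, and the sambaSID it contains is what the ldapsearch above reports after smbpasswd -a has run.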
 

References

Network Manage: 有效率的網路管理方案建議 (建置手札) (Efficient Network Management Solutions, build notes), by 350@ms12.url.com.tw

Linux 與 Windows 共舞, 異質平台整合方案 (Linux and Windows Together: Heterogeneous Platform Integration), 施威銘研究室, ISBN 957-442-084-1