Problem adding DIGEST-MD5 authentication to OpenLDAP
Source: Internet    Published: 2017-02-11
My OpenLDAP server is already up, but at the moment it only allows anonymous binds; now I want to add SASL DIGEST-MD5 authentication.
slapd.conf configuration:
database bdb
suffix "dc=it,dc=com"
rootdn "cn=root,dc=it,dc=com"
sasl-regexp
    uid=(.*),cn=digest-md5,cn=auth
    uid=$1,dc=it,dc=com
I ran saslpasswd2 -c qq (password set to 123); the password is saved in /etc/sasldb2.
An entry for user qq has already been added to LDAP:
linux:~ # ldapsearch -b "dc=it,dc=com" -x
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# it.com
dn: dc=it,dc=com
objectClass: dcObject
objectClass: organization
dc: it
o: Corporation
description: d Corporation
# qq, it.com
dn: uid=qq,dc=it,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: qq
cn: qq
sn: qq
telephoneNumber: 138888888
userPassword:: e1NTSEF9V0I4cnRjTUVlK2d5Q09tQktERUNaQVB5NDQyMW5aT0k=
When binding with DIGEST-MD5:
linux:~ # ldapsearch -D "uid=qq,dc=it,dc=com" -Y digest-md5 -U qq
(enter password 123)
Output: ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
The following command shows that qq's password is stored, but it still does not work:
linux:~ # sasldblistusers2
mike@linux: userPassword
qq@linux: userPassword
root@linux: userPassword
mike@linux: cmusaslsecretOTP
qq@linux: cmusaslsecretOTP
root@linux: cmusaslsecretOTP
I hope someone who has used this feature can help me analyze it.
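As an added illustration (not part of the question or any reply, and not the OpenLDAP or cyrus-sasl source), here is the exchange behind the error above reduced to the RFC 2831 arithmetic. cyrus-sasl stores and looks up the sasldb secret under the key user@realm, so "no secret in database" is a failed lookup for that key, which is a different outcome from a wrong password. The code also applies the sasl-regexp from the question to the authentication DN slapd builds, uid=<user>[,cn=<realm>],cn=digest-md5,cn=auth, to show what the greedy (.*) does once a realm RDN is present. The sasldb contents, nonces and digest-uri are constructed; the only real vector is the worked example from RFC 2831 section 4, used as a self-check.

```python
"""Added example: DIGEST-MD5 (RFC 2831) as a SASL server checks it, plus the
slapd sasl-regexp mapping step. Not code from the post; the sasldb contents,
nonces and digest-uri below are constructed sample values."""
import hashlib
import hmac
import re

# Constructed stand-in for /etc/sasldb2. cyrus-sasl keys the stored secret by
# "user@realm"; saslpasswd2 without -u uses the host name as the realm, which
# is why sasldblistusers2 in the post prints "qq@linux".
SASLDB = {"qq@linux": b"123"}

# The sasl-regexp pair exactly as written in the question (Python \1 for $1).
SASL_REGEXP = (r"uid=(.*),cn=digest-md5,cn=auth", r"uid=\1,dc=it,dc=com")


def _hexmd5(data: bytes) -> str:
    """HEX(H(data)) in RFC 2831 notation."""
    return hashlib.md5(data).hexdigest()


def digest_md5_response(user, realm, password, nonce, cnonce, nc, digest_uri, qop="auth"):
    """Client 'response' directive. A1 begins with the *binary* MD5 of
    user:realm:password, so the realm is part of the secret: the same password
    under another realm yields a different A1 and a different response."""
    a1 = (hashlib.md5(f"{user}:{realm}:".encode() + password).digest()
          + f":{nonce}:{cnonce}".encode())
    a2 = f"AUTHENTICATE:{digest_uri}".encode()          # qop=auth form of A2
    return _hexmd5(f"{_hexmd5(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexmd5(a2)}".encode())


def server_verify(user, realm, nonce, cnonce, nc, digest_uri, response, db=SASLDB):
    """Server side: fetch the secret for user@realm, recompute, compare in constant time."""
    secret = db.get(f"{user}@{realm}")
    if secret is None:
        # The lookup fails before any password check; cyrus-sasl words it as
        # "user not found: no secret in database", as in the post.
        return False, "user not found: no secret in database"
    expected = digest_md5_response(user, realm, secret, nonce, cnonce, nc, digest_uri)
    if hmac.compare_digest(expected, response):
        return True, "ok"
    return False, "authentication failure"


def sasl_authcid_dn(user, realm, mech="digest-md5"):
    """Authentication DN slapd feeds to sasl-regexp:
    uid=<user>[,cn=<realm>],cn=<mech>,cn=auth (the realm RDN is present
    whenever the mechanism supplied a realm)."""
    rdns = [f"uid={user}"] + ([f"cn={realm}"] if realm else []) + [f"cn={mech}", "cn=auth"]
    return ",".join(rdns)


def map_authcid(dn, regexp=SASL_REGEXP):
    """Apply one sasl-regexp rule; None when the pattern does not match."""
    pattern, repl = regexp
    return re.sub(pattern, repl, dn) if re.search(pattern, dn) else None


def bind_attempt(user, realm, password, db=SASLDB):
    """One complete bind: SASL verification first, identity mapping second."""
    nonce, cnonce, nc, uri = "n0nce", "cn0nce", "00000001", "ldap/linux"   # constructed
    resp = digest_md5_response(user, realm, password, nonce, cnonce, nc, uri)
    ok, why = server_verify(user, realm, nonce, cnonce, nc, uri, resp, db)
    return (ok, why, map_authcid(sasl_authcid_dn(user, realm))) if ok else (ok, why, None)


if __name__ == "__main__":
    # Known-answer check against the worked example in RFC 2831 section 4.
    rfc = digest_md5_response("chris", "elwood.innosoft.com", b"secret",
                              "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001",
                              "imap/elwood.innosoft.com")
    print("RFC 2831 vector ok:", rfc == "d388dad90d4bbd760a152321f2143af7")
    for realm in ("linux", "it.com"):
        print(f"realm={realm}:", bind_attempt("qq", realm, b"123"))
```

Running it shows two things. With realm linux the secret qq@linux is found and the digest verifies, but the question's (.*) turns uid=qq,cn=linux,cn=digest-md5,cn=auth into uid=qq,cn=linux,dc=it,dc=com, which is not the entry the ldapsearch output shows; a pattern such as uid=([^,]*),cn=linux,cn=digest-md5,cn=auth maps it to uid=qq,dc=it,dc=com. With realm it.com the lookup for qq@it.com fails with exactly the wording in the post. Which key slapd looks up is decided by the realm the client sends (ldapsearch -R) and the sasl-realm setting in slapd.conf; whether that, the permissions of /etc/sasldb2 for the user slapd runs as, or the auxprop plugin configuration is the cause on the poster's host cannot be told from the post.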
Authenticating Samba users and system users against OpenLDAP
Tags: LDAP, samba, authentication
1 Installing OpenLDAP
Our environment is CentOS 4.0. If OpenLDAP was not installed with the system, the RPMs are on the installation media; OpenLDAP consists of the following four packages:
openldap-2.2.13-2.i386.rpm
openldap-servers-2.2.13-2.i386.rpm
openldap-clients-2.2.13-2.i386.rpm
openldap-devel-2.2.13-2.i386.rpm
Note: openldap-2.2.13-2.i386.rpm must be installed first, otherwise installing the server and client packages fails on the dependency.
2 Installing the management tools:
smbldap-tools-0.9.1-1.noarch.rpm
smbldap-installer-1.2.1.tgz
Both files can be downloaded from http://samba.IDEALX.org/.
First unpack smbldap-installer-1.2.1.tgz:
tar -zxvf smbldap-installer-1.2.1.tgz
Change into smbldap-installer/rpms and install all the RPMs there. Some may fail to install; install those that succeed first,
then install smbldap-tools-0.9.1-1.noarch.rpm:
rpm -ivh smbldap-tools-0.9.1-1.noarch.rpm
and finally go back to smbldap-installer/rpms and install the packages that failed earlier.
From the smbldap-installer directory, run smb-ldap.pl to apply the default settings:
./smb-ldap.pl
Answer the prompts with your own network information.
I used the LDIF example from http://www.idealx.org/prj/samba/smbldap-howto.fr.html, which gives this tree:
dc=yvan_ldap,dc=com
|
`--- ou=Users : user entries
|
`--- ou=Computers : machine accounts
|
`--- ou=Groups : system groups
|
`--- ou=DSA
3 Configuration
Change into /etc/openldap:
cd /etc/openldap
3.1 Configuring the LDAP server
vi slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/samba.schema
(omitted)
The included files live under /etc/openldap/schema.
Note: /etc/openldap/schema/samba.schema does not exist by default; it is required for Samba users to be authenticated against LDAP. It ships with Samba, at /usr/share/doc/samba-xx/LDAP/ on this system; copy it into the OpenLDAP schema directory.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
These two rules let a user modify only his own password attributes, let an unauthenticated client use them solely to bind (auth), and hide them from everyone else; all other attributes stay world-readable. Without the first rule slapd's default of read access for everyone applies to the password hashes as well.
…………
database bdb
suffix "dc=yvan_ldap,dc=com"
rootdn "cn=root,dc=yvan_ldap,dc=com"
(omitted)
rootpw {SSHA}MjvfmavWounJXLvLuZakIAc/WEyiinGh
The example uses the domain yvan_ldap.com: the suffix is "dc=yvan_ldap,dc=com", the administrator is root with rootdn "cn=root,dc=yvan_ldap,dc=com", and the administrator password is stored as the hash in rootpw {SSHA}MjvfmavWounJXLvLuZakIAc/WEyiinGh.
Generate the administrator password hash with slappasswd:
# slappasswd
New password:
Re-enter new password:
{SSHA}MjvfmavWounJXLvLuZakIAc/WEyiinGh
Then paste that output into the rootpw line of slapd.conf. rootpw also accepts a cleartext value, but store the hash, and keep slapd.conf readable only by root and the account slapd runs as: a cleartext rootpw, or a crackable hash, in a world-readable file hands the rootdn to anyone on the host, and the rootdn bypasses every ACL.
Start the server so the configuration takes effect:
service ldap start
Test the server:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
If the command succeeds and returns the namingContexts attribute (dc=yvan_ldap,dc=com here), the server is running. If it does not start, the error it prints is most often a mistake in slapd.conf; check the file carefully, then restart and test again.
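As an added example (not the article's code, and not slappasswd's source), here is the {SSHA} scheme behind the rootpw line and the userPassword values slapd stores, written out so the salt handling is visible, together with a decoder for the base64 form (attr:: value) in which ldapsearch prints such values. The password and salt in the self-check are constructed; the one real value is the userPassword line from the question at the top of this page, which an anonymous search returned because that server lacked an ACL like the one above.

```python
"""Added example (not from the article): generate and verify the {SSHA}
userPassword/rootpw form that slappasswd prints, and decode ldapsearch's
base64 ("attr:: value") rendering of it. Salts and passwords are constructed."""
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"
SHA1_LEN = 20   # digest length; everything after it in the decoded value is the salt


def ssha_hash(password: bytes, salt: bytes = None) -> str:
    """{SSHA} = base64( SHA1(password || salt) || salt ).
    slappasswd uses a 4-byte random salt; the verifier below accepts any length."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: bytes, stored: str) -> bool:
    """Recover the salt from the stored value, rehash, compare in constant time."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) <= SHA1_LEN:          # no salt at all: malformed, never accept
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def decode_ldif_value(line: str) -> tuple:
    """ldapsearch base64-encodes values that are not safe LDIF strings and marks
    them with '::'; return (attribute, decoded value) for either form."""
    if ":: " in line:
        name, value = line.split(":: ", 1)
        return name, base64.b64decode(value).decode("ascii")
    name, value = line.split(": ", 1)
    return name, value


if __name__ == "__main__":
    h = ssha_hash(b"secret")                       # constructed password
    print(h, ssha_verify(b"secret", h), ssha_verify(b"wrong", h))
    # The userPassword line from the question at the top of the page.
    print(decode_ldif_value(
        "userPassword:: e1NTSEF9V0I4cnRjTUVlK2d5Q09tQktERUNaQVB5NDQyMW5aT0k="))
```

The decoded value is {SSHA}WB8rtcMEe+gyCOmBKDECZAPy4421nZOI, a 24-byte payload (20-byte digest plus 4-byte salt), so anyone who can read it offline can run a dictionary attack against it; that is the practical reason the by * none rule on password attributes matters even when the values are hashed.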
3.2 Configuring the LDAP client
The client configuration file is ldap.conf; set the following:
HOST 127.0.0.1            # address of the server; here the local machine
BASE dc=yvan_ldap,dc=com  # the suffix from the server's slapd.conf
3.3 Configuring the Samba server
Edit the Samba configuration file:
vi /etc/samba/smb.conf
#======================= Global Settings =============================
[global]
workgroup = YVAN_LDAP
netbios name = YVAN_SERVER
server string = YVAN_LDAP Server
…………
min passwd length = 5
obey pam restrictions = No
ldap passwd sync = Yes
time server = Yes
log level = 0
syslog = 0
mangling method = hash2
dos charset = 850
unix charset = ISO8859-1
passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
logon script = startup.bat
#Added by moquist
logon drive = F:
logon home =
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=yvan_ldap,dc=com
ldap suffix = dc=yvan_ldap,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
#ldap ssl = start tls
ldap delete dn = Yes
…………
# use the smbldap-tools scripts
add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
#delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
#delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
…………
#============================ Share Definitions ==================
[homes]
comment = Home Directories
valid users = %S
browseable = yes
writable = yes
#create mask = 0664
#directory mask = 0775
# this prevents users from browsing other peoples' files
create mask = 0600
directory mask = 0700
…………
[profiles]
path = /opt/samba/profiles
writeable = yes
browseable = no
#create mode = 0644
#directory mode = 0755
# this prevents users from browsing other peoples' profiles
create mode = 0600
directory mode = 0700
…………
Two points about the [global] section above. ldap admin dn is the identity Samba binds with to write user, group and machine entries and, with ldap passwd sync = Yes, the password attributes; its password is not kept in smb.conf but in secrets.tdb, where smbpasswd -w stores it. Under the ACL in 3.1 that DN may write sambaLMPassword and sambaNTPassword only if it is the rootdn, and the rootdn in this example is cn=root,dc=yvan_ldap,dc=com, not cn=Manager,dc=yvan_ldap,dc=com, so the two settings must be brought into agreement. Also, ldap ssl = start tls is commented out, so Samba's bind password and the NT/LM hashes it writes cross the LDAP connection in clear; that is tolerable only because the passdb backend points at 127.0.0.1.
3.4 System authentication configuration
/etc/pam.d/system-auth is configured as follows.
The ldap module has to appear in each of the auth, account, password and session stacks for system authentication to work end to end. In the auth stack pam_unix is tried first, so local accounts never touch LDAP, and use_first_pass makes pam_ldap reuse the password already entered instead of prompting again.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid