Ldap | Chia-An Leehttps://calee0219.github.io/tag/ldap/LdapHugoBlox Kit (https://hugoblox.com)en-us©Mon, 09 Aug 2021 07:48:37 +0800https://calee0219.github.io/media/icon_hu_da05098ef60dc2e7.pngLdaphttps://calee0219.github.io/tag/ldap/LDAPhttps://calee0219.github.io/blog/note_ldap/Mon, 09 Aug 2021 07:48:37 +0800https://calee0219.github.io/blog/note_ldap/<h2 id="freeipa">freeIPA</h2> <h2 id="openldap">OpenLDAP</h2> <h3 id="server">Server</h3> <h4 id="nfs">NFS</h4> <h4 id="nis">NIS</h4> <h4 id="ldap">LDAP</h4> <h3 id="client">Client</h3> <h4 id="nfs-1">NFS</h4> <h4 id="nis-1">NIS</h4> <h4 id="ldap-1">LDAP</h4> <ul> <li>需要下載 <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"> sudo yum update <span class="o">&amp;&amp;</span> yum install openldap openldap-clients nss-pam-ldapd </span></span></code></pre></div></li> <li>複製 server 端的 CAe</li> <li>產生 config <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">authconfig --enableldap --enableldapauth --ldapserver<span class="o">=</span>ldaps://ldaps.cs.nctu.edu.tw --ldapbasedn<span class="o">=</span><span class="s2">&#34;dc=cs,dc=nctu,dc=edu,dc=tw&#34;</span> --update </span></span></code></pre></div>設定檔: <code>/etc/openldap/ldap.conf</code> : <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">BASE dc=cs,dc=nctu,dc=edu,dc=tw </span></span><span class="line"><span class="cl">URI ldaps://ldaps.cs.nctu.edu.tw/ </span></span><span class="line"><span class="cl">TLS_REQCERT allow </span></span><span class="line"><span class="cl">TLS_CIPHER_SUITE=AES256 </span></span><span class="line"><span class="cl">TLS_CACERTDIR /etc/ssl/certs/csrootca.crt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">filter passwd (memberof=cn=cs-ta,ou=MemberGroup,dc=cs,dc=nctu,dc=edu,dc=tw) # 如果要限制只有 cs-ta groups 的資訊才會被透過 LDAP 進來了話 </span></span></code></pre></div></li> <li>重啟服務 <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo systemctl restart nslcd </span></span><span class="line"><span class="cl">sudo systemctl restart nscd </span></span></code></pre></div></li> <li>檢查 <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">ldapsearch -D <span class="s2">&#34;uid=calee,ou=People,dc=cs,dc=nctu,dc=edu,dc=tw&#34;</span> -W <span class="nv">uid</span><span class="o">=</span>xxx </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ypwhich : 查詢 NIS Server </span></span><span class="line"><span class="cl">ypchsh:改變 NIS 上使用者登入的 Shell </span></span><span class="line"><span class="cl">ypchfn:改變 NIS 上使用者的完整名稱跟相關資訊,也就是 /etc/passwd 中的第五個欄位 </span></span><span class="line"><span class="cl">ypmatch:查詢 NIS map 的 KEY </span></span><span class="line"><span class="cl">yptest:測試 NIS 的設定,如果可以跑出來 NIS 上的使用者則代表可以查詢 </span></span></code></pre></div>-D uid 裡面的是去登入 ldaps.cs.nctu.edu.tw 的帳號,之後問問密碼,使用 uid 使用者的密碼登入搜尋</li> </ul> <h2 id="cache-solution">Cache Solution</h2> <ul> <li> <p>SSSD </p> </li> <li> <p>NSCD</p> </li> </ul>