OpenLDAP Active Directory integration steps
阿新 • Published: 2020-12-13
Technical tags: # 3.3. Active Directory domain management # 5.1. centos
OpenLDAP Active Directory integration
Note: the three consecutive characters *** stand in for the following three characters:
1. Install the ldap plugin for open*** on centos7 to support ldap authentication

```shell
# Install open***-auth-ldap
yum install open***-auth-ldap -y
# Enter the open*** server authentication configuration directory
cd /etc/open***/auth/
# Back up the default configuration file
cp ldap.conf ldap.conf.bak
# Start editing: clear the file's contents
echo > ldap.conf
# Edit the ldap configuration file
vim ldap.conf
# Modify and paste in the configuration shown below.
# ldap.conf holds the AD bind password in clear text; keep it readable by root only.
# Restart the server instance
systemctl restart open***@server
```
ldap.conf
```text
<LDAP>
	# AD server address
	URL ldap://192.168.xxx.xxx
	# Administrator DN used for the bind
	BindDN CN=Administrator,CN=Users,DC=GOING-LINK,DC=com
	# Administrator password
	Password [email protected]$%Y45%^F^#GH
	# Network timeout (in seconds)
	Timeout 15
	# Enable Start TLS
	TLSEnable yes
	# Follow LDAP Referrals (anonymously)
	FollowReferrals yes
	# TLS CA Certificate File
	TLSCACertFile /usr/local/etc/ssl/ca.pem
	# TLS CA Certificate Directory
	TLSCACertDir /etc/ssl/certs
	# Client Certificate and key
	# If TLS client authentication is required
	TLSCertFile /usr/local/etc/ssl/client-cert.pem
	TLSKeyFile /usr/local/etc/ssl/client-key.pem
	# Cipher Suite
	# The defaults are usually fine here
	# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
	# Base DN under which users are searched
	BaseDN "OU=甄雲科技,DC=going-link,DC=com"
	# User search filter; %u is replaced by the login name
	# Note: accountStatus is not an attribute of the default Active Directory schema.
	# AD marks a disabled account with bit 0x2 (ACCOUNTDISABLE) of userAccountControl.
	SearchFilter "(&(sAMAccountName=%u)(accountStatus=active))"
	# Require Group Membership
	RequireGroup false
	# Add non-group members to a PF table (disabled)
	#PFTable ips_***_users
	<Group>
		# This block is ignored while RequireGroup is false; its BaseDN is an
		# example value and uniqueMember is an OpenLDAP attribute (AD groups use member).
		BaseDN "ou=Groups,dc=example,dc=com"
		SearchFilter "(|(cn=developers)(cn=artists))"
		MemberAttribute uniqueMember
		# Add group members to a PF table (disabled)
		#PFTable ips_***_eng
	</Group>
</Authorization>
```
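As an added example (not code from the original post or from the open***-auth-ldap project), the following Python shows what happens to the `%u` placeholder in `SearchFilter` and why the `(accountStatus=active)` clause above deserves a second look. A login name substituted into a filter should be escaped per RFC 4515 so that `*`, `(`, `)` and `\` cannot change the filter's meaning; the example does that escaping itself. It then evaluates the post's filter and an AD-native alternative against constructed user entries: `accountStatus` is not in the default AD schema, so an equality clause on it never matches a standard AD user, whereas AD records a disabled account in bit 0x2 (`ACCOUNTDISABLE`) of `userAccountControl`, which the bit-AND matching rule `1.2.840.113556.1.4.803` can test. The entries, user names and all helper functions are constructed for this example.

```python
"""Added example (not from the original post or the open***-auth-ldap project).

Shows how the %u placeholder in SearchFilter should be filled in (RFC 4515
escaping of the login name) and compares the post's accountStatus clause with
the way Active Directory really flags a disabled account. All entries below
are constructed sample data shaped like ldapsearch output (attribute -> list
of values); they do not come from a live directory.
"""

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Filter from the post's ldap.conf; %u is replaced by the login name.
POST_FILTER = "(&(sAMAccountName=%u)(accountStatus=active))"

# AD-native equivalent: userAccountControl bit 0x2 (ACCOUNTDISABLE) must be
# clear. 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND.
UF_ACCOUNTDISABLE = 0x2
AD_ACTIVE_FILTER = (
    "(&(sAMAccountName=%u)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, username: str) -> str:
    """Substitute %u with the escaped login name."""
    return template.replace("%u", escape_filter_value(username))


def _values(entry: dict, attr: str) -> list:
    """Case-insensitive attribute lookup, returning the entry's values for attr."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return list(vals)
    return []


def sam_matches(entry: dict, username: str) -> bool:
    """sAMAccountName uses a case-insensitive match in AD."""
    return username.lower() in (v.lower() for v in _values(entry, "sAMAccountName"))


def is_disabled(entry: dict) -> bool:
    """True when ACCOUNTDISABLE is set in userAccountControl."""
    vals = _values(entry, "userAccountControl")
    uac = int(vals[0]) if vals else 0
    return bool(uac & UF_ACCOUNTDISABLE)


def matches_post_filter(entry: dict, username: str) -> bool:
    """Evaluate (&(sAMAccountName=%u)(accountStatus=active)) the way a server
    would: an equality clause on an attribute the entry lacks never matches."""
    status = [v.lower() for v in _values(entry, "accountStatus")]
    return sam_matches(entry, username) and "active" in status


def matches_ad_active_filter(entry: dict, username: str) -> bool:
    """Evaluate the AD-native filter: name matches and the account is enabled."""
    return sam_matches(entry, username) and not is_disabled(entry)


# Constructed sample entries (not real directory data).
ENABLED_USER = {
    "sAMAccountName": ["alice"],
    "userAccountControl": ["512"],   # NORMAL_ACCOUNT
}
DISABLED_USER = {
    "sAMAccountName": ["bob"],
    "userAccountControl": ["514"],   # NORMAL_ACCOUNT | ACCOUNTDISABLE
}

if __name__ == "__main__":
    print(render_filter(POST_FILTER, "alice"))
    print(render_filter(POST_FILTER, "j*"))          # wildcard is neutralised
    print("post filter, enabled user:", matches_post_filter(ENABLED_USER, "alice"))
    print("AD filter, enabled user:", matches_ad_active_filter(ENABLED_USER, "alice"))
    print("AD filter, disabled user:", matches_ad_active_filter(DISABLED_USER, "bob"))
```

Running it shows the post's filter rejecting an enabled AD user simply because the entry carries no `accountStatus` attribute, while the `userAccountControl` form accepts enabled users and rejects disabled ones. If `accountStatus` really exists in your directory it is a schema extension, and the filter should be checked with `ldapsearch` against a known-enabled user before the plugin is put in front of the VPN login.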
Test the connection

```shell
# Install openldap-clients
yum install -y openldap-clients
# Search test; enter the bind password at the -W prompt
ldapsearch -x -W -D "CN=Administrator,CN=Users,DC=GOING-LINK,DC=com" -b "DC=GOING-LINK,DC=com" -h 192.168.1.62 -s one dn -LLL
# Password entered at the prompt (the same value as Password in ldap.conf): [email protected]$%Y45%^F^#GH
ldapsearch -x -W -D "CN=Administrator,CN=Users,DC=GOING-LINK,DC=com" -b "DC=going-link,DC=com" -h 192.168.1.62
ldapsearch -x -W -D "CN=Administrator,CN=Users,DC=GOING-LINK,DC=com" -b "OU=disabled,DC=going-link,DC=com" -h 192.168.1.62
```
2. Add the following to the open*** server configuration file

```text
# Load the LDAP auth plugin with its configuration file
plugin /usr/lib64/open***/plugin/lib/open***-auth-ldap.so "/etc/open***/auth/ldap.conf cn=%u"
# Clients are not required to present a certificate, so the LDAP password
# becomes the only factor authenticating a client; the TLS settings in
# ldap.conf therefore matter. This option is deprecated in 2.4 in favour of
# "verify-client-cert none" and was removed in 2.5.
client-cert-not-required
# Use the supplied username, not the certificate CN, as the client's common name
username-as-common-name
```
3. open*** client test
Not yet tested successfully.