这是在 CentOS 上
我阅读了各种 openldap howto,他们提到 /etc/openldap/ldap.conf 并编辑 /etc/nsswitch.conf
我安装了 openldap-clients。这就是我所知道的,这就是我应该做的。我不知道还能做什么或尝试什么。是不是应该有一个 ldap 二进制文件来处理服务器连接之类的东西?客户端上的 slapd 实例?我真的不明白这在客户端是如何工作的。现在的目标是简单地在 ldap 数据库中定义用户,以便能够 ssh 到本地网络上的客户端计算机。
ldap.conf 在不同教程中提到的各个位置也有符号链接:
/etc/openldap/ldap.conf #real file
/etc/ssh/ldap.conf
/etc/ldap.conf
ldap.conf:
pam_login_attribute uid
base dc=lan,dc=archives,dc=net
uri ldap://directory.lan.archives.net/
pam_min_uid 100
#pam_password_prohibit_message Please visit http://accounts.cs.sunyit.edu/ to change your password.
nss_base_passwd ou=people,dc=lan,dc=archives,dc=net
nss_base_shadow ou=people,dc=lan,dc=archives,dc=net
nss_base_group ou=groups,dc=lan,dc=archives,dc=net
bind_policy soft
# Enable SSL
ssl start_tls
tls_reqcert demand
TLS_CACERT /etc/pki/tls/certs/archivesCA.crt
# Extra SSL settings
#tls_checkpeer no
#tls_reqcert never
# Disable SSL
#ssl off
#TLS never
timelimit 10
bind_timelimit 10
idle_timelimit 3600
#sudoers_base ou=sudoers,dc=lan,dc=archives,dc=net
# Require host tag in ldap
# System hostname must match DNS records
#pam_check_host_attr yes
nsswitch.conf:
...
passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap
...
我的/etc/sssd/sssd.conf:
[domain/LDAP]
id_provider = ldap
cache_credentials = False
ldap_search_base = dc=lan,dc=archives,dc=net
ldap_uri = ldap://directory.lan.archives.net/
ldap_schema = rfc2307bis
id_provider = ldap
auth_provider = ldap
#chpass_provider = ldap
ldap_network_timeout = 3
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
#ldap_tls_cacert = /opt/work/certs/archivesCA.crt
#ldap_tls_reqcert = never
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2
domains = default
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd