我正在尝试使用 nslcd 在多个 AD 域、example.com 和 sub.exmaple.com 中设置我们的 linux 服务器。
nslcd 的当前设置非常简单,适用于域 example.com:
uid nslcd
gid ldap
uri ldaps://dc1.example.com:636
base dc=example,dc=com
binddn cn=srv_authuser,ou=server,dc=example,dc=com
bindpw ----
tls_reqcert never
pagesize 1000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map passwd uid sAMAccountName
map passwd uidNumber objectSid:S-1-5-21-4129304498-564803152-741489137
map passwd gidNumber gidNumber
map passwd loginShell "/bin/bash"
map passwd homeDirectory "/home/$sAMAccountName"
map passwd gecos displayName)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map group gidNumber objectSid:S-1-5-21-4129304498-564803152-741489137
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
tls_cacertdir /etc/openldap/cacerts
ssl on
是否可以使用 nslcd (pam-nss-ldap) 为 sub.domain.com 设置第二个 ldap 查询,还是只能通过 sssd 来实现?如果绑定用户在 sub.domain.com 上拥有管理员权限,他是否也可以获取密码/帐户数据?
谢谢
答案1
仅使用 nslcd 无法实现您想要的功能。相反,您必须使用 slapd 提供的虚假域名和 slapd-meta 或 slapd-ldap 后端来配置虚假 LDAP 服务器。然后,您将添加 AD 服务器到 fakedomain.local。完成后,您将能够将您的客户端注册到 fakedomain.local,其中包含几个域。然后,您将能够列出来自两个不同 LDAP 服务器的用户。
以下是 LDAP 代理配置的示例:
sudo yum install -y openldap openldap-客户端 openldap-服务器
猫/etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema
allow bind_v2
allow bind_anon_cred
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap/
moduleload rwm.la
moduleload back_ldap.la
moduleload back_meta.la
loglevel 4095
attributetype ( 1.2.840.113556.1.4.656 NAME 'userPrincipalName' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
#Active Directory1
database meta
suffix "dc=fakedomain,dc=local"
uri "ldap://ipofyourldap1:389/dc=fakedomain,dc=local"
readonly yes
lastmod off
suffixmassage "dc=fakedomain,dc=local" "ou=users,ou=office,dc=real1,dc=domain"
idassert-bind bindmethod=simple
binddn="CN=userwithadminrights,OU=users,OU=office,DC=real1,DC=domain"
credentials="yourplaintextpassword"
idassert-authzFrom "*"
#Active Directory2
database meta
suffix "dc=fakedomain,dc=local"
uri "ldap://ipofyourldap2:389/dc=fakedomain,dc=local"
readonly yes
lastmod off
suffixmassage "dc=fakedomain,dc=local" "ou=users,ou=office,dc=real2,dc=domain"
idassert-bind bindmethod=simple
binddn="CN=userwithadminrights,OU=users,OU=office,DC=real2,DC=domain"
credentials="yourplaintextpassword"
idassert-authzFrom "*"
添加以下内容:
#####################ADD TO /etc/openldap/schema/inetorgperson.schema############
attributetype ( 1.2.840.113556.1.4.221
NAME 'sAMAccountName'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
#####################ADD TO /etc/openldap/schema/inetorgperson.schema############
sudo rm -r /etc/openldap/slapd.d && sudo mkdir /etc/openldap/slapd.d && sudo chown -R ldap.ldap /etc/openldap/slapd.d
sudo slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
sudo slapd -d 1