Differences

This shows the differences between two versions of the page.

centos:ldap:annonbind [10.11.2011 07:48] – Spelling correction (django)
centos:ldap:annonbind [08.11.2017 07:51] – Client-side configuration for client authentication via anonymous bind #openldap (django)
Line 1: Line 1:
 +====== Konfiguration auf Clientseite zur Client-Authentification via anonymous bind ======
 +{{:centos:ldap-logo.png?nolink&167 |OpenLDAP Logo}}
 +
 +Bei den betreffenden Clients wollen wir nun die Authentifizierung der einzelnen User nicht mehr gegen die lokale **/etc/shadow** laufen lassen, denn dazu müssten wir nun auf jedem Host die User manuell (nach)pflegen. Schließlich sollen die User, egal an welchem Host sie sich anmelden, immer auch das gleiche Passwort benutzen können. Nicht zuletzt aus diesem Gründen, haben wir uns für einen zentralen //OpenLDAP-Server// entschieden. 
 +
 +Die nachfolgende Beschreibung nutzt bei der Realisierung keinen [[https://fedorahosted.org/sssd/|System Security Services Daemon]] **sssd**. Auf diesen werden wir noch in einem separatem Kapitel detailliert eingehen.
 +===== Installation =====
 +Wie bereits erwähnt, verzichten wir im ersten Schritt auf den [[https://fedorahosted.org/sssd/|System Security Services Daemon]]. Als erstes deinstallieren wir den **sssd**, sofern dieser zuvor installiert worden war.
 +   # yum remove sssd
 +
 +Auf der Clientseite benötigen wir nachfolgende Pakete, die wir bei Bedarf mit Unterstützung von **YUM** nachinstallieren.
 +  * **openldap**
 +  * **openldap-clients**
 +  * **pam_ldap**
 +  * **nss-pam-ldapd**
 +  * **pam**
 +  * **glibc**
 +  * **authconfig**
 +
 +   # yum install openldap openldap-clients pam_ldap nss-pam-ldapd pam glibc authconfig -y
 +
 +Was uns die einzelnen Pakete mit ins System bringen, erkunden wir bei Bedarf mit dem Aufruf mit dem Aufruf von **//rpm -qil//**.
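Review bot: The heading added at the top of this hunk announces client authentication "via anonymous bind", but neither of the two intro paragraphs says what that means for this setup; one sentence there would help, since the visible text only explains why /etc/shadow is being replaced and that sssd is not used. Wording fixes in the same region: "aus diesem Gründen" should be "aus diesen Gründen", "in einem separatem Kapitel" should be "in einem separaten Kapitel", and the last sentence before the "openldap" subsection repeats "mit dem Aufruf" twice. The rpm -qil listings that follow paste every doc, locale and gconv path for pam and glibc; consider trimming each listing to the package header plus the configuration files under /etc that it ships (for example /etc/openldap/ldap.conf, /etc/pam_ldap.conf, /etc/nslcd.conf, /etc/pam.d/system-auth, /etc/nsswitch.conf), so the files relevant to the client configuration are not buried.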
 +==== openldap ====
 +   # rpm -qil openldap
 +<code>Name        : openldap                     Relocations: (not relocatable)
 +Version     : 2.4.19                            Vendor: CentOS
 +Release     : 15.el6_0.2                    Build Date: Sat 25 Jun 2011 12:30:55 PM CEST
 +Install Date: Sun 16 Oct 2011 04:00:01 PM CEST      Build Host: c6b6.bsys.dev.centos.org
 +Group       : System Environment/Daemons    Source RPM: openldap-2.4.19-15.el6_0.2.src.rpm
 +Size        : 696888                           License: OpenLDAP
 +Signature   : RSA/8, Wed 06 Jul 2011 03:42:02 AM CEST, Key ID 0946fca2c105b9de
 +Packager    : CentOS BuildSystem <http://bugs.centos.org>
 +URL         : http://www.openldap.org/
 +Summary     : LDAP support libraries
 +Description :
 +OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
 +Protocol) applications and development tools. LDAP is a set of
 +protocols for accessing directory services (usually phone book style
 +information, but other information is possible) over the Internet,
 +similar to the way DNS (Domain Name System) information is propagated
 +over the Internet. The openldap package contains configuration files,
 +libraries, and documentation for OpenLDAP.
 +/etc/openldap
 +/etc/openldap/cacerts
 +/etc/openldap/ldap.conf
 +/usr/lib64/liblber-2.4.so.2
 +/usr/lib64/liblber-2.4.so.2.5.2
 +/usr/lib64/libldap-2.4.so.2
 +/usr/lib64/libldap-2.4.so.2.5.2
 +/usr/lib64/libldap_r-2.4.so.2
 +/usr/lib64/libldap_r-2.4.so.2.5.2
 +/usr/share/doc/openldap-2.4.19
 +/usr/share/doc/openldap-2.4.19/ANNOUNCEMENT
 +/usr/share/doc/openldap-2.4.19/CHANGES
 +/usr/share/doc/openldap-2.4.19/COPYRIGHT
 +/usr/share/doc/openldap-2.4.19/LICENSE
 +/usr/share/doc/openldap-2.4.19/README
 +/usr/share/man/man5/ldap.conf.5.gz
 +/usr/share/man/man5/ldif.5.gz
 +</code>
 +
 +==== openldap-clients ====
 +   # rpm -qil openldap-clients
 +<code>Name        : openldap-clients             Relocations: (not relocatable)
 +Version     : 2.4.19                            Vendor: CentOS
 +Release     : 15.el6_0.2                    Build Date: Sat 25 Jun 2011 12:30:55 PM CEST
 +Install Date: Fri 28 Oct 2011 09:17:51 AM CEST      Build Host: c6b6.bsys.dev.centos.org
 +Group       : Applications/Internet         Source RPM: openldap-2.4.19-15.el6_0.2.src.rpm
 +Size        : 612692                           License: OpenLDAP
 +Signature   : RSA/8, Wed 06 Jul 2011 03:42:03 AM CEST, Key ID 0946fca2c105b9de
 +Packager    : CentOS BuildSystem <http://bugs.centos.org>
 +URL         : http://www.openldap.org/
 +Summary     : LDAP client utilities
 +Description :
 +OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
 +Protocol) applications and development tools. LDAP is a set of
 +protocols for accessing directory services (usually phone book style
 +information, but other information is possible) over the Internet,
 +similar to the way DNS (Domain Name System) information is propagated
 +over the Internet. The openldap-clients package contains the client
 +programs needed for accessing and modifying OpenLDAP directories.
 +/usr/bin/ldapadd
 +/usr/bin/ldapcompare
 +/usr/bin/ldapdelete
 +/usr/bin/ldapexop
 +/usr/bin/ldapmodify
 +/usr/bin/ldapmodrdn
 +/usr/bin/ldappasswd
 +/usr/bin/ldapsearch
 +/usr/bin/ldapurl
 +/usr/bin/ldapwhoami
 +/usr/share/man/man1/ldapadd.1.gz
 +/usr/share/man/man1/ldapcompare.1.gz
 +/usr/share/man/man1/ldapdelete.1.gz
 +/usr/share/man/man1/ldapexop.1.gz
 +/usr/share/man/man1/ldapmodify.1.gz
 +/usr/share/man/man1/ldapmodrdn.1.gz
 +/usr/share/man/man1/ldappasswd.1.gz
 +/usr/share/man/man1/ldapsearch.1.gz
 +/usr/share/man/man1/ldapurl.1.gz
 +/usr/share/man/man1/ldapwhoami.1.gz
 +</code>
 +
 +==== pam_ldap ====
 +   # rpm -qil pam_ldap
 +<code>Name        : pam_ldap                     Relocations: (not relocatable)
 +Version     : 185                               Vendor: CentOS
 +Release     : 5.el6                         Build Date: Mon 23 Aug 2010 08:00:38 AM CEST
 +Install Date: Sun 16 Oct 2011 02:57:36 PM CEST      Build Host: c6b2.bsys.dev.centos.org
 +Group       : System Environment/Base       Source RPM: pam_ldap-185-5.el6.src.rpm
 +Size        : 158003                           License: LGPLv2+
 +Signature   : RSA/8, Sun 03 Jul 2011 06:53:46 AM CEST, Key ID 0946fca2c105b9de
 +Packager    : CentOS BuildSystem <http://bugs.centos.org>
 +URL         : http://www.padl.com/OSS/pam_ldap.html
 +Summary     : PAM module for LDAP
 +Description :
 +pam_ldap is a module for Linux-PAM that supports password changes, server-
 +enforced password policies, access authorization, and crypted hashes.
 +/etc/pam_ldap.conf
 +/etc/pam_ldap.secret
 +/lib64/security/pam_ldap.so
 +/usr/share/doc/pam_ldap-185
 +/usr/share/doc/pam_ldap-185/AUTHORS
 +/usr/share/doc/pam_ldap-185/COPYING
 +/usr/share/doc/pam_ldap-185/COPYING.LIB
 +/usr/share/doc/pam_ldap-185/ChangeLog
 +/usr/share/doc/pam_ldap-185/NEWS
 +/usr/share/doc/pam_ldap-185/README
 +/usr/share/doc/pam_ldap-185/README.TLS
 +/usr/share/doc/pam_ldap-185/ldapns.schema
 +/usr/share/doc/pam_ldap-185/ns-pwd-policy.schema
 +/usr/share/doc/pam_ldap-185/pam.d
 +/usr/share/doc/pam_ldap-185/pam.d/chfn
 +/usr/share/doc/pam_ldap-185/pam.d/chsh
 +/usr/share/doc/pam_ldap-185/pam.d/ftp
 +/usr/share/doc/pam_ldap-185/pam.d/gdm
 +/usr/share/doc/pam_ldap-185/pam.d/halt
 +/usr/share/doc/pam_ldap-185/pam.d/imap
 +/usr/share/doc/pam_ldap-185/pam.d/kde
 +/usr/share/doc/pam_ldap-185/pam.d/linuxconf
 +/usr/share/doc/pam_ldap-185/pam.d/linuxconf-pair
 +/usr/share/doc/pam_ldap-185/pam.d/login
 +/usr/share/doc/pam_ldap-185/pam.d/mcserv
 +/usr/share/doc/pam_ldap-185/pam.d/other
 +/usr/share/doc/pam_ldap-185/pam.d/passwd
 +/usr/share/doc/pam_ldap-185/pam.d/pop
 +/usr/share/doc/pam_ldap-185/pam.d/poweroff
 +/usr/share/doc/pam_ldap-185/pam.d/ppp
 +/usr/share/doc/pam_ldap-185/pam.d/reboot
 +/usr/share/doc/pam_ldap-185/pam.d/rexec
 +/usr/share/doc/pam_ldap-185/pam.d/rlogin
 +/usr/share/doc/pam_ldap-185/pam.d/rsh
 +/usr/share/doc/pam_ldap-185/pam.d/samba
 +/usr/share/doc/pam_ldap-185/pam.d/shutdown
 +/usr/share/doc/pam_ldap-185/pam.d/ssh
 +/usr/share/doc/pam_ldap-185/pam.d/su
 +/usr/share/doc/pam_ldap-185/pam.d/vlock
 +/usr/share/doc/pam_ldap-185/pam.d/xdm
 +/usr/share/doc/pam_ldap-185/pam.d/xlock
 +/usr/share/doc/pam_ldap-185/pam.d/xscreensaver
 +/usr/share/doc/pam_ldap-185/pam.d/xserver
 +/usr/share/man/man5/pam_ldap.5.gz
 +</code>
 +
 +==== nss-pam-ldapd ====
 +   # rpm -qil nss-pam-ldapd
 +<code>Name        : nss-pam-ldapd                Relocations: (not relocatable)
 +Version     : 0.7.5                             Vendor: CentOS
 +Release     : 3.el6                         Build Date: Wed 25 Aug 2010 06:51:48 PM CEST
 +Install Date: Sun 16 Oct 2011 03:03:28 PM CEST      Build Host: c6b3.bsys.dev.centos.org
 +Group       : System Environment/Base       Source RPM: nss-pam-ldapd-0.7.5-3.el6.src.rpm
 +Size        : 464737                           License: LGPLv2+
 +Signature   : RSA/8, Sun 03 Jul 2011 06:47:54 AM CEST, Key ID 0946fca2c105b9de
 +Packager    : CentOS BuildSystem <http://bugs.centos.org>
 +URL         : http://arthurdejong.org/nss-pam-ldapd/
 +Summary     : An nsswitch module which uses directory servers
 +Description :
 +The nss-pam-ldapd daemon, nslcd, uses a directory server to look up name
 +service information (users, groups, etc.) on behalf of a lightweight
 +nsswitch module.
 +/etc/nslcd.conf
 +/etc/rc.d/init.d/nslcd
 +/lib64/libnss_ldap.so.2
 +/usr/lib64/libnss_ldap.so
 +/usr/sbin/nslcd
 +/usr/share/doc/nss-pam-ldapd-0.7.5
 +/usr/share/doc/nss-pam-ldapd-0.7.5/AUTHORS
 +/usr/share/doc/nss-pam-ldapd-0.7.5/COPYING
 +/usr/share/doc/nss-pam-ldapd-0.7.5/ChangeLog
 +/usr/share/doc/nss-pam-ldapd-0.7.5/HACKING
 +/usr/share/doc/nss-pam-ldapd-0.7.5/NEWS
 +/usr/share/doc/nss-pam-ldapd-0.7.5/README
 +/usr/share/doc/nss-pam-ldapd-0.7.5/TODO
 +/usr/share/man/man5/nslcd.conf.5.gz
 +/usr/share/man/man8/nslcd.8.gz
 +/var/run/nslcd
 +</code>
 +
 +==== pam ====
 +   # rpm -qil pam
 +<code>Name        : pam                          Relocations: (not relocatable)
 +Version     : 1.1.1                             Vendor: CentOS
 +Release     : 4.el6_0.1                     Build Date: Sat 25 Jun 2011 05:32:51 AM CEST
 +Install Date: Sun 16 Oct 2011 04:02:20 PM CEST      Build Host: c6b5.bsys.dev.centos.org
 +Group       : System Environment/Base       Source RPM: pam-1.1.1-4.el6_0.1.src.rpm
 +Size        : 2241000                          License: BSD and GPLv2+
 +Signature   : RSA/8, Wed 06 Jul 2011 03:44:29 AM CEST, Key ID 0946fca2c105b9de
 +Packager    : CentOS BuildSystem <http://bugs.centos.org>
 +URL         : http://www.us.kernel.org/pub/linux/libs/pam/index.html
 +Summary     : An extensible library which provides authentication for applications
 +Description :
 +PAM (Pluggable Authentication Modules) is a system security tool that
 +allows system administrators to set authentication policy without
 +having to recompile programs that handle authentication.
 +/etc/pam.d
 +/etc/pam.d/config-util
 +/etc/pam.d/fingerprint-auth
 +/etc/pam.d/other
 +/etc/pam.d/password-auth
 +/etc/pam.d/smartcard-auth
 +/etc/pam.d/system-auth
 +/etc/security
 +/etc/security/access.conf
 +/etc/security/chroot.conf
 +/etc/security/console.apps
 +/etc/security/console.handlers
 +/etc/security/console.perms
 +/etc/security/console.perms.d
 +/etc/security/group.conf
 +/etc/security/limits.conf
 +/etc/security/limits.d
 +/etc/security/limits.d/90-nproc.conf
 +/etc/security/namespace.conf
 +/etc/security/namespace.d
 +/etc/security/namespace.init
 +/etc/security/opasswd
 +/etc/security/pam_env.conf
 +/etc/security/sepermit.conf
 +/etc/security/time.conf
 +/lib/security
 +/lib64/libpam.so.0
 +/lib64/libpam.so.0.82.2
 +/lib64/libpam_misc.so.0
 +/lib64/libpam_misc.so.0.82.0
 +/lib64/libpamc.so.0
 +/lib64/libpamc.so.0.82.1
 +/lib64/security
 +/lib64/security/pam_access.so
 +/lib64/security/pam_chroot.so
 +/lib64/security/pam_console.so
 +/lib64/security/pam_cracklib.so
 +/lib64/security/pam_debug.so
 +/lib64/security/pam_deny.so
 +/lib64/security/pam_echo.so
 +/lib64/security/pam_env.so
 +/lib64/security/pam_exec.so
 +/lib64/security/pam_faildelay.so
 +/lib64/security/pam_filter
 +/lib64/security/pam_filter.so
 +/lib64/security/pam_filter/upperLOWER
 +/lib64/security/pam_ftp.so
 +/lib64/security/pam_group.so
 +/lib64/security/pam_issue.so
 +/lib64/security/pam_keyinit.so
 +/lib64/security/pam_lastlog.so
 +/lib64/security/pam_limits.so
 +/lib64/security/pam_listfile.so
 +/lib64/security/pam_localuser.so
 +/lib64/security/pam_loginuid.so
 +/lib64/security/pam_mail.so
 +/lib64/security/pam_mkhomedir.so
 +/lib64/security/pam_motd.so
 +/lib64/security/pam_namespace.so
 +/lib64/security/pam_nologin.so
 +/lib64/security/pam_permit.so
 +/lib64/security/pam_postgresok.so
 +/lib64/security/pam_pwhistory.so
 +/lib64/security/pam_rhosts.so
 +/lib64/security/pam_rootok.so
 +/lib64/security/pam_securetty.so
 +/lib64/security/pam_selinux.so
 +/lib64/security/pam_selinux_permit.so
 +/lib64/security/pam_sepermit.so
 +/lib64/security/pam_shells.so
 +/lib64/security/pam_stress.so
 +/lib64/security/pam_succeed_if.so
 +/lib64/security/pam_tally2.so
 +/lib64/security/pam_time.so
 +/lib64/security/pam_timestamp.so
 +/lib64/security/pam_tty_audit.so
 +/lib64/security/pam_umask.so
 +/lib64/security/pam_unix.so
 +/lib64/security/pam_unix_acct.so
 +/lib64/security/pam_unix_auth.so
 +/lib64/security/pam_unix_passwd.so
 +/lib64/security/pam_unix_session.so
 +/lib64/security/pam_userdb.so
 +/lib64/security/pam_warn.so
 +/lib64/security/pam_wheel.so
 +/lib64/security/pam_xauth.so
 +/sbin/mkhomedir_helper
 +/sbin/pam_console_apply
 +/sbin/pam_tally2
 +/sbin/pam_timestamp_check
 +/sbin/unix_chkpwd
 +/sbin/unix_update
 +/usr/share/doc/pam-1.1.1
 +/usr/share/doc/pam-1.1.1/Copyright
 +/usr/share/doc/pam-1.1.1/Linux-PAM_SAG.txt
 +/usr/share/doc/pam-1.1.1/html
 +/usr/share/doc/pam-1.1.1/html/Linux-PAM_SAG.html
 +/usr/share/doc/pam-1.1.1/html/sag-author.html
 +/usr/share/doc/pam-1.1.1/html/sag-configuration-directory.html
 +/usr/share/doc/pam-1.1.1/html/sag-configuration-example.html
 +/usr/share/doc/pam-1.1.1/html/sag-configuration-file.html
 +/usr/share/doc/pam-1.1.1/html/sag-configuration.html
 +/usr/share/doc/pam-1.1.1/html/sag-copyright.html
 +/usr/share/doc/pam-1.1.1/html/sag-introduction.html
 +/usr/share/doc/pam-1.1.1/html/sag-module-reference.html
 +/usr/share/doc/pam-1.1.1/html/sag-overview.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_access.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_cracklib.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_debug.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_deny.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_echo.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_env.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_exec.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_faildelay.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_filter.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_ftp.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_group.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_issue.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_keyinit.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_lastlog.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_limits.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_listfile.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_localuser.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_loginuid.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_mail.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_mkhomedir.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_motd.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_namespace.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_nologin.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_permit.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_pwhistory.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_rhosts.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_rootok.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_securetty.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_selinux.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_shells.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_succeed_if.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_tally.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_tally2.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_time.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_timestamp.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_umask.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_unix.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_userdb.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_warn.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_wheel.html
 +/usr/share/doc/pam-1.1.1/html/sag-pam_xauth.html
 +/usr/share/doc/pam-1.1.1/html/sag-security-issues-other.html
 +/usr/share/doc/pam-1.1.1/html/sag-security-issues-wrong.html
 +/usr/share/doc/pam-1.1.1/html/sag-security-issues.html
 +/usr/share/doc/pam-1.1.1/html/sag-see-also.html
 +/usr/share/doc/pam-1.1.1/html/sag-text-conventions.html
 +/usr/share/doc/pam-1.1.1/rfc86.0.txt
 +/usr/share/doc/pam-1.1.1/txts
 +/usr/share/doc/pam-1.1.1/txts/README.pam_access
 +/usr/share/doc/pam-1.1.1/txts/README.pam_chroot
 +/usr/share/doc/pam-1.1.1/txts/README.pam_console
 +/usr/share/doc/pam-1.1.1/txts/README.pam_cracklib
 +/usr/share/doc/pam-1.1.1/txts/README.pam_debug
 +/usr/share/doc/pam-1.1.1/txts/README.pam_deny
 +/usr/share/doc/pam-1.1.1/txts/README.pam_echo
 +/usr/share/doc/pam-1.1.1/txts/README.pam_env
 +/usr/share/doc/pam-1.1.1/txts/README.pam_exec
 +/usr/share/doc/pam-1.1.1/txts/README.pam_faildelay
 +/usr/share/doc/pam-1.1.1/txts/README.pam_filter
 +/usr/share/doc/pam-1.1.1/txts/README.pam_ftp
 +/usr/share/doc/pam-1.1.1/txts/README.pam_group
 +/usr/share/doc/pam-1.1.1/txts/README.pam_issue
 +/usr/share/doc/pam-1.1.1/txts/README.pam_keyinit
 +/usr/share/doc/pam-1.1.1/txts/README.pam_lastlog
 +/usr/share/doc/pam-1.1.1/txts/README.pam_limits
 +/usr/share/doc/pam-1.1.1/txts/README.pam_listfile
 +/usr/share/doc/pam-1.1.1/txts/README.pam_localuser
 +/usr/share/doc/pam-1.1.1/txts/README.pam_loginuid
 +/usr/share/doc/pam-1.1.1/txts/README.pam_mail
 +/usr/share/doc/pam-1.1.1/txts/README.pam_mkhomedir
 +/usr/share/doc/pam-1.1.1/txts/README.pam_motd
 +/usr/share/doc/pam-1.1.1/txts/README.pam_namespace
 +/usr/share/doc/pam-1.1.1/txts/README.pam_nologin
 +/usr/share/doc/pam-1.1.1/txts/README.pam_permit
 +/usr/share/doc/pam-1.1.1/txts/README.pam_postgresok
 +/usr/share/doc/pam-1.1.1/txts/README.pam_pwhistory
 +/usr/share/doc/pam-1.1.1/txts/README.pam_rhosts
 +/usr/share/doc/pam-1.1.1/txts/README.pam_rootok
 +/usr/share/doc/pam-1.1.1/txts/README.pam_securetty
 +/usr/share/doc/pam-1.1.1/txts/README.pam_selinux
 +/usr/share/doc/pam-1.1.1/txts/README.pam_sepermit
 +/usr/share/doc/pam-1.1.1/txts/README.pam_shells
 +/usr/share/doc/pam-1.1.1/txts/README.pam_stress
 +/usr/share/doc/pam-1.1.1/txts/README.pam_succeed_if
 +/usr/share/doc/pam-1.1.1/txts/README.pam_tally
 +/usr/share/doc/pam-1.1.1/txts/README.pam_tally2
 +/usr/share/doc/pam-1.1.1/txts/README.pam_time
 +/usr/share/doc/pam-1.1.1/txts/README.pam_timestamp
 +/usr/share/doc/pam-1.1.1/txts/README.pam_tty_audit
 +/usr/share/doc/pam-1.1.1/txts/README.pam_umask
 +/usr/share/doc/pam-1.1.1/txts/README.pam_unix
 +/usr/share/doc/pam-1.1.1/txts/README.pam_userdb
 +/usr/share/doc/pam-1.1.1/txts/README.pam_warn
 +/usr/share/doc/pam-1.1.1/txts/README.pam_wheel
 +/usr/share/doc/pam-1.1.1/txts/README.pam_xauth
 +/usr/share/locale/ar/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/as/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/bn_IN/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/ca/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/cs/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/da/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/de/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/es/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/fi/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/fr/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/gu/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/hi/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/hu/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/it/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/ja/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/kk/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/km/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/kn/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/ko/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/ml/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/mr/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/ms/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/nb/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/nl/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/or/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/pa/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/pl/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/pt/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/pt_BR/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/ru/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/si/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/sk/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/sr/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/sr@latin/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/sv/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/ta/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/te/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/tr/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/uk/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/zh_CN/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/zh_TW/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/locale/zu/LC_MESSAGES/Linux-PAM.mo
 +/usr/share/man/man5/access.conf.5.gz
 +/usr/share/man/man5/config-util.5.gz
 +/usr/share/man/man5/console.apps.5.gz
 +/usr/share/man/man5/console.handlers.5.gz
 +/usr/share/man/man5/console.perms.5.gz
 +/usr/share/man/man5/group.conf.5.gz
 +/usr/share/man/man5/limits.conf.5.gz
 +/usr/share/man/man5/namespace.conf.5.gz
 +/usr/share/man/man5/pam.conf.5.gz
 +/usr/share/man/man5/pam.d.5.gz
 +/usr/share/man/man5/pam_env.conf.5.gz
 +/usr/share/man/man5/sepermit.conf.5.gz
 +/usr/share/man/man5/system-auth.5.gz
 +/usr/share/man/man5/time.conf.5.gz
 +/usr/share/man/man8/PAM.8.gz
 +/usr/share/man/man8/mkhomedir_helper.8.gz
 +/usr/share/man/man8/pam.8.gz
 +/usr/share/man/man8/pam_access.8.gz
 +/usr/share/man/man8/pam_console.8.gz
 +/usr/share/man/man8/pam_console_apply.8.gz
 +/usr/share/man/man8/pam_cracklib.8.gz
 +/usr/share/man/man8/pam_debug.8.gz
 +/usr/share/man/man8/pam_deny.8.gz
 +/usr/share/man/man8/pam_echo.8.gz
 +/usr/share/man/man8/pam_env.8.gz
 +/usr/share/man/man8/pam_exec.8.gz
 +/usr/share/man/man8/pam_faildelay.8.gz
 +/usr/share/man/man8/pam_filter.8.gz
 +/usr/share/man/man8/pam_ftp.8.gz
 +/usr/share/man/man8/pam_group.8.gz
 +/usr/share/man/man8/pam_issue.8.gz
 +/usr/share/man/man8/pam_keyinit.8.gz
 +/usr/share/man/man8/pam_lastlog.8.gz
 +/usr/share/man/man8/pam_limits.8.gz
 +/usr/share/man/man8/pam_listfile.8.gz
 +/usr/share/man/man8/pam_localuser.8.gz
 +/usr/share/man/man8/pam_loginuid.8.gz
 +/usr/share/man/man8/pam_mail.8.gz
 +/usr/share/man/man8/pam_mkhomedir.8.gz
 +/usr/share/man/man8/pam_motd.8.gz
 +/usr/share/man/man8/pam_namespace.8.gz
 +/usr/share/man/man8/pam_nologin.8.gz
 +/usr/share/man/man8/pam_permit.8.gz
 +/usr/share/man/man8/pam_postgresok.8.gz
 +/usr/share/man/man8/pam_pwhistory.8.gz
 +/usr/share/man/man8/pam_rhosts.8.gz
 +/usr/share/man/man8/pam_rootok.8.gz
 +/usr/share/man/man8/pam_securetty.8.gz
 +/usr/share/man/man8/pam_selinux.8.gz
 +/usr/share/man/man8/pam_sepermit.8.gz
 +/usr/share/man/man8/pam_shells.8.gz
 +/usr/share/man/man8/pam_succeed_if.8.gz
 +/usr/share/man/man8/pam_tally2.8.gz
 +/usr/share/man/man8/pam_time.8.gz
 +/usr/share/man/man8/pam_timestamp.8.gz
 +/usr/share/man/man8/pam_timestamp_check.8.gz
 +/usr/share/man/man8/pam_tty_audit.8.gz
 +/usr/share/man/man8/pam_umask.8.gz
 +/usr/share/man/man8/pam_unix.8.gz
 +/usr/share/man/man8/pam_userdb.8.gz
 +/usr/share/man/man8/pam_warn.8.gz
 +/usr/share/man/man8/pam_wheel.8.gz
 +/usr/share/man/man8/pam_xauth.8.gz
 +/usr/share/man/man8/unix_chkpwd.8.gz
 +/usr/share/man/man8/unix_update.8.gz
 +/var/log/tallylog
 +/var/run/console
 +/var/run/sepermit
 +</code>
 +
 +==== glibc ====
 +   # rpm -qil glibc
 +<code>Name        : glibc                        Relocations: (not relocatable)
 +Version     : 2.12                              Vendor: CentOS
 +Release     : 1.7.el6_0.5                   Build Date: Sat 25 Jun 2011 02:40:43 PM CEST
 +Install Date: Sun 16 Oct 2011 03:59:30 PM CEST      Build Host: c6b6.bsys.dev.centos.org
 +Group       : System Environment/Libraries   Source RPM: glibc-2.12-1.7.el6_0.5.src.rpm
 +Size        : 12619595                         License: LGPLv2+ and LGPLv2+ with exceptions and GPLv2+
 +Signature   : RSA/8, Wed 06 Jul 2011 03:38:32 AM CEST, Key ID 0946fca2c105b9de
 +Packager    : CentOS BuildSystem <http://bugs.centos.org>
 +URL         : http://sources.redhat.com/glibc/
 +Summary     : The GNU libc libraries
 +Description :
 +The glibc package contains standard libraries which are used by
 +multiple programs on the system. In order to save disk space and
 +memory, as well as to make upgrading easier, common system code is
 +kept in one place and shared between programs. This particular package
 +contains the most important sets of shared libraries: the standard C
 +library and the standard math library. Without these two libraries, a
 +Linux system will not function.
 +/etc/gai.conf
 +/etc/ld.so.cache
 +/etc/ld.so.conf
 +/etc/ld.so.conf.d
 +/etc/localtime
 +/etc/nsswitch.conf
 +/etc/rpc
 +/lib64/ld-2.12.so
 +/lib64/ld-linux-x86-64.so.2
 +/lib64/libBrokenLocale-2.12.so
 +/lib64/libBrokenLocale.so.1
 +/lib64/libSegFault.so
 +/lib64/libanl-2.12.so
 +/lib64/libanl.so.1
 +/lib64/libc-2.12.so
 +/lib64/libc.so.6
 +/lib64/libcidn-2.12.so
 +/lib64/libcidn.so.1
 +/lib64/libcrypt-2.12.so
 +/lib64/libcrypt.so.1
 +/lib64/libdl-2.12.so
 +/lib64/libdl.so.2
 +/lib64/libm-2.12.so
 +/lib64/libm.so.6
 +/lib64/libnsl-2.12.so
 +/lib64/libnsl.so.1
 +/lib64/libnss_compat-2.12.so
 +/lib64/libnss_compat.so.2
 +/lib64/libnss_dns-2.12.so
 +/lib64/libnss_dns.so.2
 +/lib64/libnss_files-2.12.so
 +/lib64/libnss_files.so.2
 +/lib64/libnss_hesiod-2.12.so
 +/lib64/libnss_hesiod.so.2
 +/lib64/libnss_nis-2.12.so
 +/lib64/libnss_nis.so.2
 +/lib64/libnss_nisplus-2.12.so
 +/lib64/libnss_nisplus.so.2
 +/lib64/libpthread-2.12.so
 +/lib64/libpthread.so.0
 +/lib64/libresolv-2.12.so
 +/lib64/libresolv.so.2
 +/lib64/librt-2.12.so
 +/lib64/librt.so.1
 +/lib64/libthread_db-1.0.so
 +/lib64/libthread_db.so.1
 +/lib64/libutil-2.12.so
 +/lib64/libutil.so.1
 +/lib64/rtkaio
 +/lib64/rtkaio/librt.so.1
 +/lib64/rtkaio/librtkaio-2.12.so
 +/sbin/ldconfig
 +/sbin/sln
 +/usr/lib64/gconv
 +/usr/lib64/gconv/ANSI_X3.110.so
 +/usr/lib64/gconv/ARMSCII-8.so
 +/usr/lib64/gconv/ASMO_449.so
 +/usr/lib64/gconv/BIG5.so
 +/usr/lib64/gconv/BIG5HKSCS.so
 +/usr/lib64/gconv/BRF.so
 +/usr/lib64/gconv/CP10007.so
 +/usr/lib64/gconv/CP1125.so
 +/usr/lib64/gconv/CP1250.so
 +/usr/lib64/gconv/CP1251.so
 +/usr/lib64/gconv/CP1252.so
 +/usr/lib64/gconv/CP1253.so
 +/usr/lib64/gconv/CP1254.so
 +/usr/lib64/gconv/CP1255.so
 +/usr/lib64/gconv/CP1256.so
 +/usr/lib64/gconv/CP1257.so
 +/usr/lib64/gconv/CP1258.so
 +/usr/lib64/gconv/CP737.so
 +/usr/lib64/gconv/CP775.so
 +/usr/lib64/gconv/CP932.so
 +/usr/lib64/gconv/CSN_369103.so
 +/usr/lib64/gconv/CWI.so
 +/usr/lib64/gconv/DEC-MCS.so
 +/usr/lib64/gconv/EBCDIC-AT-DE-A.so
 +/usr/lib64/gconv/EBCDIC-AT-DE.so
 +/usr/lib64/gconv/EBCDIC-CA-FR.so
 +/usr/lib64/gconv/EBCDIC-DK-NO-A.so
 +/usr/lib64/gconv/EBCDIC-DK-NO.so
 +/usr/lib64/gconv/EBCDIC-ES-A.so
 +/usr/lib64/gconv/EBCDIC-ES-S.so
 +/usr/lib64/gconv/EBCDIC-ES.so
 +/usr/lib64/gconv/EBCDIC-FI-SE-A.so
 +/usr/lib64/gconv/EBCDIC-FI-SE.so
 +/usr/lib64/gconv/EBCDIC-FR.so
 +/usr/lib64/gconv/EBCDIC-IS-FRISS.so
 +/usr/lib64/gconv/EBCDIC-IT.so
 +/usr/lib64/gconv/EBCDIC-PT.so
 +/usr/lib64/gconv/EBCDIC-UK.so
 +/usr/lib64/gconv/EBCDIC-US.so
 +/usr/lib64/gconv/ECMA-CYRILLIC.so
 +/usr/lib64/gconv/EUC-CN.so
 +/usr/lib64/gconv/EUC-JISX0213.so
 +/usr/lib64/gconv/EUC-JP-MS.so
 +/usr/lib64/gconv/EUC-JP.so
 +/usr/lib64/gconv/EUC-KR.so
 +/usr/lib64/gconv/EUC-TW.so
 +/usr/lib64/gconv/GB18030.so
 +/usr/lib64/gconv/GBBIG5.so
 +/usr/lib64/gconv/GBGBK.so
 +/usr/lib64/gconv/GBK.so
 +/usr/lib64/gconv/GEORGIAN-ACADEMY.so
 +/usr/lib64/gconv/GEORGIAN-PS.so
 +/usr/lib64/gconv/GOST_19768-74.so
 +/usr/lib64/gconv/GREEK-CCITT.so
 +/usr/lib64/gconv/GREEK7-OLD.so
 +/usr/lib64/gconv/GREEK7.so
 +/usr/lib64/gconv/HP-GREEK8.so
 +/usr/lib64/gconv/HP-ROMAN8.so
 +/usr/lib64/gconv/HP-ROMAN9.so
 +/usr/lib64/gconv/HP-THAI8.so
 +/usr/lib64/gconv/HP-TURKISH8.so
 +/usr/lib64/gconv/IBM037.so
 +/usr/lib64/gconv/IBM038.so
 +/usr/lib64/gconv/IBM1004.so
 +/usr/lib64/gconv/IBM1008.so
 +/usr/lib64/gconv/IBM1008_420.so
 +/usr/lib64/gconv/IBM1025.so
 +/usr/lib64/gconv/IBM1026.so
 +/usr/lib64/gconv/IBM1046.so
 +/usr/lib64/gconv/IBM1047.so
 +/usr/lib64/gconv/IBM1097.so
 +/usr/lib64/gconv/IBM1112.so
 +/usr/lib64/gconv/IBM1122.so
 +/usr/lib64/gconv/IBM1123.so
 +/usr/lib64/gconv/IBM1124.so
 +/usr/lib64/gconv/IBM1129.so
 +/usr/lib64/gconv/IBM1130.so
 +/usr/lib64/gconv/IBM1132.so
 +/usr/lib64/gconv/IBM1133.so
 +/usr/lib64/gconv/IBM1137.so
 +/usr/lib64/gconv/IBM1140.so
 +/usr/lib64/gconv/IBM1141.so
 +/usr/lib64/gconv/IBM1142.so
 +/usr/lib64/gconv/IBM1143.so
 +/usr/lib64/gconv/IBM1144.so
 +/usr/lib64/gconv/IBM1145.so
 +/usr/lib64/gconv/IBM1146.so
 +/usr/lib64/gconv/IBM1147.so
 +/usr/lib64/gconv/IBM1148.so
 +/usr/lib64/gconv/IBM1149.so
 +/usr/lib64/gconv/IBM1153.so
 +/usr/lib64/gconv/IBM1154.so
 +/usr/lib64/gconv/IBM1155.so
 +/usr/lib64/gconv/IBM1156.so
 +/usr/lib64/gconv/IBM1157.so
 +/usr/lib64/gconv/IBM1158.so
 +/usr/lib64/gconv/IBM1160.so
 +/usr/lib64/gconv/IBM1161.so
 +/usr/lib64/gconv/IBM1162.so
 +/usr/lib64/gconv/IBM1163.so
 +/usr/lib64/gconv/IBM1164.so
 +/usr/lib64/gconv/IBM1166.so
 +/usr/lib64/gconv/IBM1167.so
 +/usr/lib64/gconv/IBM12712.so
 +/usr/lib64/gconv/IBM1364.so
 +/usr/lib64/gconv/IBM1371.so
 +/usr/lib64/gconv/IBM1388.so
 +/usr/lib64/gconv/IBM1390.so
 +/usr/lib64/gconv/IBM1399.so
 +/usr/lib64/gconv/IBM16804.so
 +/usr/lib64/gconv/IBM256.so
 +/usr/lib64/gconv/IBM273.so
 +/usr/lib64/gconv/IBM274.so
 +/usr/lib64/gconv/IBM275.so
 +/usr/lib64/gconv/IBM277.so
 +/usr/lib64/gconv/IBM278.so
 +/usr/lib64/gconv/IBM280.so
 +/usr/lib64/gconv/IBM281.so
 +/usr/lib64/gconv/IBM284.so
 +/usr/lib64/gconv/IBM285.so
 +/usr/lib64/gconv/IBM290.so
 +/usr/lib64/gconv/IBM297.so
 +/usr/lib64/gconv/IBM420.so
 +/usr/lib64/gconv/IBM423.so
 +/usr/lib64/gconv/IBM424.so
 +/usr/lib64/gconv/IBM437.so
 +/usr/lib64/gconv/IBM4517.so
 +/usr/lib64/gconv/IBM4899.so
 +/usr/lib64/gconv/IBM4909.so
 +/usr/lib64/gconv/IBM4971.so
 +/usr/lib64/gconv/IBM500.so
 +/usr/lib64/gconv/IBM5347.so
 +/usr/lib64/gconv/IBM803.so
 +/usr/lib64/gconv/IBM850.so
 +/usr/lib64/gconv/IBM851.so
 +/usr/lib64/gconv/IBM852.so
 +/usr/lib64/gconv/IBM855.so
 +/usr/lib64/gconv/IBM856.so
 +/usr/lib64/gconv/IBM857.so
 +/usr/lib64/gconv/IBM860.so
 +/usr/lib64/gconv/IBM861.so
 +/usr/lib64/gconv/IBM862.so
 +/usr/lib64/gconv/IBM863.so
 +/usr/lib64/gconv/IBM864.so
 +/usr/lib64/gconv/IBM865.so
 +/usr/lib64/gconv/IBM866.so
 +/usr/lib64/gconv/IBM866NAV.so
 +/usr/lib64/gconv/IBM868.so
 +/usr/lib64/gconv/IBM869.so
 +/usr/lib64/gconv/IBM870.so
 +/usr/lib64/gconv/IBM871.so
 +/usr/lib64/gconv/IBM874.so
 +/usr/lib64/gconv/IBM875.so
 +/usr/lib64/gconv/IBM880.so
 +/usr/lib64/gconv/IBM891.so
 +/usr/lib64/gconv/IBM901.so
 +/usr/lib64/gconv/IBM902.so
 +/usr/lib64/gconv/IBM903.so
 +/usr/lib64/gconv/IBM9030.so
 +/usr/lib64/gconv/IBM904.so
 +/usr/lib64/gconv/IBM905.so
 +/usr/lib64/gconv/IBM9066.so
 +/usr/lib64/gconv/IBM918.so
 +/usr/lib64/gconv/IBM921.so
 +/usr/lib64/gconv/IBM922.so
 +/usr/lib64/gconv/IBM930.so
 +/usr/lib64/gconv/IBM932.so
 +/usr/lib64/gconv/IBM933.so
 +/usr/lib64/gconv/IBM935.so
 +/usr/lib64/gconv/IBM937.so
 +/usr/lib64/gconv/IBM939.so
 +/usr/lib64/gconv/IBM943.so
 +/usr/lib64/gconv/IBM9448.so
 +/usr/lib64/gconv/IEC_P27-1.so
 +/usr/lib64/gconv/INIS-8.so
 +/usr/lib64/gconv/INIS-CYRILLIC.so
 +/usr/lib64/gconv/INIS.so
 +/usr/lib64/gconv/ISIRI-3342.so
 +/usr/lib64/gconv/ISO-2022-CN-EXT.so
 +/usr/lib64/gconv/ISO-2022-CN.so
 +/usr/lib64/gconv/ISO-2022-JP-3.so
 +/usr/lib64/gconv/ISO-2022-JP.so
 +/usr/lib64/gconv/ISO-2022-KR.so
 +/usr/lib64/gconv/ISO-IR-197.so
 +/usr/lib64/gconv/ISO-IR-209.so
 +/usr/lib64/gconv/ISO646.so
 +/usr/lib64/gconv/ISO8859-1.so
 +/usr/lib64/gconv/ISO8859-10.so
 +/usr/lib64/gconv/ISO8859-11.so
 +/usr/lib64/gconv/ISO8859-13.so
 +/usr/lib64/gconv/ISO8859-14.so
 +/usr/lib64/gconv/ISO8859-15.so
 +/usr/lib64/gconv/ISO8859-16.so
 +/usr/lib64/gconv/ISO8859-2.so
 +/usr/lib64/gconv/ISO8859-3.so
 +/usr/lib64/gconv/ISO8859-4.so
 +/usr/lib64/gconv/ISO8859-5.so
 +/usr/lib64/gconv/ISO8859-6.so
 +/usr/lib64/gconv/ISO8859-7.so
 +/usr/lib64/gconv/ISO8859-8.so
 +/usr/lib64/gconv/ISO8859-9.so
 +/usr/lib64/gconv/ISO8859-9E.so
 +/usr/lib64/gconv/ISO_10367-BOX.so
 +/usr/lib64/gconv/ISO_11548-1.so
 +/usr/lib64/gconv/ISO_2033.so
 +/usr/lib64/gconv/ISO_5427-EXT.so
 +/usr/lib64/gconv/ISO_5427.so
 +/usr/lib64/gconv/ISO_5428.so
 +/usr/lib64/gconv/ISO_6937-2.so
 +/usr/lib64/gconv/ISO_6937.so
 +/usr/lib64/gconv/JOHAB.so
 +/usr/lib64/gconv/KOI-8.so
 +/usr/lib64/gconv/KOI8-R.so
 +/usr/lib64/gconv/KOI8-RU.so
 +/usr/lib64/gconv/KOI8-T.so
 +/usr/lib64/gconv/KOI8-U.so
 +/usr/lib64/gconv/LATIN-GREEK-1.so
 +/usr/lib64/gconv/LATIN-GREEK.so
 +/usr/lib64/gconv/MAC-CENTRALEUROPE.so
 +/usr/lib64/gconv/MAC-IS.so
 +/usr/lib64/gconv/MAC-SAMI.so
 +/usr/lib64/gconv/MAC-UK.so
 +/usr/lib64/gconv/MACINTOSH.so
 +/usr/lib64/gconv/MIK.so
 +/usr/lib64/gconv/NATS-DANO.so
 +/usr/lib64/gconv/NATS-SEFI.so
 +/usr/lib64/gconv/PT154.so
 +/usr/lib64/gconv/RK1048.so
 +/usr/lib64/gconv/SAMI-WS2.so
 +/usr/lib64/gconv/SHIFT_JISX0213.so
 +/usr/lib64/gconv/SJIS.so
 +/usr/lib64/gconv/T.61.so
 +/usr/lib64/gconv/TCVN5712-1.so
 +/usr/lib64/gconv/TIS-620.so
 +/usr/lib64/gconv/TSCII.so
 +/usr/lib64/gconv/UHC.so
 +/usr/lib64/gconv/UNICODE.so
 +/usr/lib64/gconv/UTF-16.so
 +/usr/lib64/gconv/UTF-32.so
 +/usr/lib64/gconv/UTF-7.so
 +/usr/lib64/gconv/VISCII.so
 +/usr/lib64/gconv/gconv-modules
 +/usr/lib64/gconv/gconv-modules.cache
 +/usr/lib64/gconv/libCNS.so
 +/usr/lib64/gconv/libGB.so
 +/usr/lib64/gconv/libISOIR165.so
 +/usr/lib64/gconv/libJIS.so
 +/usr/lib64/gconv/libJISX0213.so
 +/usr/lib64/gconv/libKSC.so
 +/usr/libexec/getconf
 +/usr/libexec/getconf/POSIX_V6_LP64_OFF64
 +/usr/libexec/getconf/POSIX_V7_LP64_OFF64
 +/usr/sbin/glibc_post_upgrade.x86_64
 +/usr/sbin/iconvconfig
 +/usr/sbin/iconvconfig.x86_64
 +/usr/share/doc/glibc-2.12
 +/usr/share/doc/glibc-2.12/BUGS
 +/usr/share/doc/glibc-2.12/CONFORMANCE
 +/usr/share/doc/glibc-2.12/COPYING
 +/usr/share/doc/glibc-2.12/COPYING.LIB
 +/usr/share/doc/glibc-2.12/FAQ
 +/usr/share/doc/glibc-2.12/INSTALL
 +/usr/share/doc/glibc-2.12/LICENSES
 +/usr/share/doc/glibc-2.12/NEWS
 +/usr/share/doc/glibc-2.12/NOTES
 +/usr/share/doc/glibc-2.12/PROJECTS
 +/usr/share/doc/glibc-2.12/README
 +/usr/share/doc/glibc-2.12/README.hesiod
 +/usr/share/doc/glibc-2.12/README.libm
 +/var/cache/ldconfig
 +/var/cache/ldconfig/aux-cache
 +</code>
 +
 +==== authconfig ====
 +   # rpm -qil authconfig
 +<code>Name        : authconfig                   Relocations: (not relocatable)
 +Version     : 6.1.4                             Vendor: CentOS
 +Release     : 6.el6                         Build Date: Thu 11 Nov 2010 01:40:47 AM CET
 +Install Date: Sun 16 Oct 2011 02:58:06 PM CEST      Build Host: c5b2.bsys.dev.centos.org
 +Group       : System Environment/Base       Source RPM: authconfig-6.1.4-6.el6.src.rpm
 +Size        : 1816496                          License: GPLv2+
 +Signature   : RSA/8, Sun 03 Jul 2011 06:03:13 AM CEST, Key ID 0946fca2c105b9de
 +Packager    : CentOS BuildSystem <http://bugs.centos.org>
 +URL         : https://fedorahosted.org/authconfig
 +Summary     : Command line tool for setting up authentication from network services
 +Description :
 +Authconfig is a command line utility which can configure a workstation
 +to use shadow (more secure) passwords.  Authconfig can also configure a
 +system to be a client for certain networked user information and
 +authentication schemes.
 +/etc/pam.d/fingerprint-auth-ac
 +/etc/pam.d/password-auth-ac
 +/etc/pam.d/smartcard-auth-ac
 +/etc/pam.d/system-auth-ac
 +/etc/sysconfig/authconfig
 +/usr/lib64/python2.6/site-packages/acutilmodule.so
 +/usr/sbin/authconfig
 +/usr/sbin/authconfig-tui
 +/usr/sbin/cacertdir_rehash
 +/usr/share/authconfig
 +/usr/share/authconfig/authconfig-tui.py
 +/usr/share/authconfig/authconfig-tui.pyc
 +/usr/share/authconfig/authconfig-tui.pyo
 +/usr/share/authconfig/authconfig.py
 +/usr/share/authconfig/authconfig.pyc
 +/usr/share/authconfig/authconfig.pyo
 +/usr/share/authconfig/authinfo.py
 +/usr/share/authconfig/authinfo.pyc
 +/usr/share/authconfig/authinfo.pyo
 +/usr/share/authconfig/dnsclient.py
 +/usr/share/authconfig/dnsclient.pyc
 +/usr/share/authconfig/dnsclient.pyo
 +/usr/share/authconfig/msgarea.py
 +/usr/share/authconfig/msgarea.pyc
 +/usr/share/authconfig/msgarea.pyo
 +/usr/share/authconfig/shvfile.py
 +/usr/share/authconfig/shvfile.pyc
 +/usr/share/authconfig/shvfile.pyo
 +/usr/share/doc/authconfig-6.1.4
 +/usr/share/doc/authconfig-6.1.4/COPYING
 +/usr/share/doc/authconfig-6.1.4/NOTES
 +/usr/share/doc/authconfig-6.1.4/README.samba3
 +/usr/share/doc/authconfig-6.1.4/TODO
 +/usr/share/locale/ar/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/as/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/bal/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/bg/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/bn/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/bn_IN/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/bs/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/ca/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/cs/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/cy/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/da/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/de/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/el/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/en_GB/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/es/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/et/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/fa/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/fi/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/fr/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/gl/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/gu/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/he/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/hi/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/hr/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/hu/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/hy/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/id/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/is/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/it/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/ja/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/ka/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/kn/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/ko/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/ku/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/lo/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/lv/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/mai/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/mk/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/ml/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/mr/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/ms/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/my/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/nb/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/nl/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/nn/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/or/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/pa/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/pl/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/pt/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/pt_BR/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/ro/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/ru/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/si/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/sk/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/sl/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/sq/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/sr/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/sr@latin/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/sv/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/ta/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/te/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/tg/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/tr/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/uk/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/ur/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/vi/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/wa/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/zh_CN/LC_MESSAGES/authconfig.mo
 +/usr/share/locale/zh_TW/LC_MESSAGES/authconfig.mo
 +/usr/share/man/man5/fingerprint-auth-ac.5.gz
 +/usr/share/man/man5/password-auth-ac.5.gz
 +/usr/share/man/man5/smartcard-auth-ac.5.gz
 +/usr/share/man/man5/system-auth-ac.5.gz
 +/usr/share/man/man8/authconfig-tui.8.gz
 +/usr/share/man/man8/authconfig.8.gz
 +/usr/share/man/man8/cacertdir_rehash.8.gz
 +/var/lib/authconfig
 +</code>
 +===== Konfiguration =====
 +Die Konfiguration unseres Clients nehmen wir am einfachsten mit Hilfe des Programmes **//authconfig//** aus dem RPM-Paket **authconfig-gtk** vor. Hierzu rufen wir **authconfig** mit den nötigen Optionen für unsere (Test-)Umgebung auf.
 +
 +  * **disablemd5** MD5 Passworter abschalten
 +  * **passalgo** Definition des Passworthash-Algoritmuses
 +  * **enablemkhomedir** Homedirectory  beim ersten Login eines neuen Users automatisch anlegen
 +  * **enableldap** LDAP User Informationen aktivieren
 +  * **enableldapauth** LDAP Authentifizierung aktivieren
 +  * **ldapserver** LDAP Servername oder URI Definition
 +  * **ldapbasedn** LDAP Basde DN Definition
 +  * **update** Update der Konfigurationsdateien mit den gesetzten Werten.
 +
 +Eine ausführliche Beschreibung der optionen erhält man übder die Manpage von authconfig oder beim Aufruf der Option //--help//
 +   # authconfig --help
 +
 +Wir Konfigurieren nun also unsere LDAP-Client-Authentifizierung wie folgt.
 +   # authconfig --disablemd5 --passalgo=sha256 --enablemkhomedir --enableldap --enableldapauth --ldapserver=ldap.dmz.nausch.org --ldapbasedn="dc=nausch,dc=org" --update
 +
 +   nslcd starten:                                              OK  ]
 +   oddjobd starten:                                            OK  ]
 +
 +Die einzelnen Konfigurationsdateien, die mit dem vorgenannten Programmaufruf angepasst wurden, werden wir uns im Detail betrachten, ggf. anpassen und mit Bearbeitungsvermerken versehen, damit wir später noch nachvollziehen können, welche Änderungen 
 +im Detail notwendig waren um die LDAP Client Authentifizierung aktiviert werden konnte.
 +
 +Zur Dokumentation und ggf. spätere weitere Dokumentationsschritte versehen wir optional alle Änderungen mit einem Kommntar, ala:
 +**# Django : Datum [optionaler Grund]**.
 +
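Review bot: The opening sentence of the Konfiguration section attributes authconfig to the RPM package authconfig-gtk, but the yum install line at the top of the page and the rpm -qil output directly above show /usr/sbin/authconfig shipped by the package authconfig, and authconfig-gtk is never installed; name authconfig there. The quoted service output ("nslcd starten: OK  ]", "oddjobd starten: OK  ]") has lost its opening bracket. The option list and the following paragraphs carry several typos (Passworter, Algoritmuses, Basde DN, optionen, übder, Kommntar), and the sentence ending "welche Änderungen / im Detail notwendig waren um die LDAP Client Authentifizierung aktiviert werden konnte" is split across two lines and does not parse; rejoin and reword it.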
 +==== authconfig ====
 +In der Konfigurationsdatei //**/etc/sysconfig/authconfig**// setzen wir die beiden folgenden Werte von **no** auf **yes**:
 +  * **USELDAP=yes** //(LDAP-Authentifizierung aktivieren.)//
 +  * **FORCELEGACY=yes** //(CentOS 6 nutzt standardmäßig TLS für die LDAP-Authentifizierung. Mit diesem Schalter wird diese Voreinstellung deaktiviert und die die unverschlüsselte Kommunikation mit dem LDAP-Server erzwungen.)//
 +
 +Zur Bearbeitung der Konfigurationsdatei nutzen wir wie so oft immer unseren Editor der Wahl **vim**.
 +   # vim /etc/sysconfig/authconfig
 +<file bash /etc/sysconfig/authconfig>
 +USEMKHOMEDIR=no
 +USEPAMACCESS=no
 +CACHECREDENTIALS=yes
 +USESSSDAUTH=no
 +USESHADOW=yes
 +USEWINBIND=no
 +USEDB=no
 +FORCELEGACY=yes
 +USEFPRINTD=yes
 +FORCESMARTCARD=no
 +PASSWDALGORITHM=sha512
 +USELDAPAUTH=no
 +USEPASSWDQC=no
 +USELOCAUTHORIZE=yes
 +USECRACKLIB=yes
 +USEWINBINDAUTH=no
 +USESMARTCARD=no
 +USELDAP=yes
 +USENIS=no
 +USEKERBEROS=no
 +USESYSNETAUTH=no
 +USESMBAUTH=no
 +USESSSD=no
 +USEHESIOD=no
 +</file>
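Review bot: The /etc/sysconfig/authconfig listing does not match the authconfig call documented in the Konfiguration section: it shows USELDAPAUTH=no, USEMKHOMEDIR=no and PASSWDALGORITHM=sha512, while the command passed --enableldapauth, --enablemkhomedir and --passalgo=sha256. Either the listing predates the command or the text must also ask for these three values; as shown, only USELDAP is switched on. The bullet for USELDAP labels it "LDAP-Authentifizierung aktivieren", which by the option list above is what enableldapauth (USELDAPAUTH) controls, whereas enableldap is the user information lookup. Since the FORCELEGACY bullet states that it forces unencrypted communication, the text should add that the password a user types then travels to ldap.dmz.nausch.org in clear text during the bind, and that this setting belongs to the (Test-)Umgebung named earlier.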
 +
 +==== ldap.conf ====
 +In der Konfigurationsdatei //**/etc/openldap/ldap.conf**// tragen wir folgende Daten nach:
 +  * **BASE    dc=nausch, dc=org**
 +  * **URI     ldap://ldap.dmz.nausch.org**
 +  * **TLS_CACERTDIR /etc/openldap/cacerts**
 +
 +
 +Zur Bearbeitung der Konfigurationsdatei nutzen wir wie so oft immer unseren Editor der Wahl **vim**.
 +   # vim /etc/openldap/ldap.conf
 +<file bash /etc/openldap/ldap.conf>
 +#
 +# LDAP Defaults
 +#
 +
 +# See ldap.conf(5) for details
 +# This file should be world readable but not world writable.
 +
 +#BASE   dc=example, dc=com
 +#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
 +
 +#SIZELIMIT      12
 +#TIMELIMIT      15
 +#DEREF          never
 +
 +# Django : 2011-10-28 LDAP Client Authentication
 +BASE    dc=nausch, dc=org
 +URI     ldap://ldap.dmz.nausch.org
 +TLS_CACERTDIR /etc/openldap/cacerts
 +</file>
 +
 +==== pam_ldap.conf ====
 +In der Konfigurationsdatei //**/etc/pam_ldap.conf**// tragen wir folgende Daten nach:
 +  * **base dc=nausch,dc=org**
 +  * **uri ldap://ldap.dmz.nausch.org**
 +  * **ssl no**
 +  * **tls_cacertdir /etc/openldap/cacerts**
 +  * **pam_password sha512**
 +
 +Zur Bearbeitung der Konfigurationsdatei nutzen wir wie so oft immer unseren Editor der Wahl **vim**.
 +   # vim /etc/pam_ldap.conf
 +<file bash /etc/pam_ldap.conf>
 +# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
 +#
 +# This is the configuration file for the LDAP nameservice
 +# switch library and the LDAP PAM module.
 +#
 +# The man page for this file is pam_ldap(5)
 +#
 +# PADL Software
 +# http://www.padl.com
 +#
 +
 +# Your LDAP server. Must be resolvable without using LDAP.
 +# Multiple hosts may be specified, each separated by a 
 +# space. How long nss_ldap takes to failover depends on
 +# whether your LDAP client library supports configurable
 +# network or connect timeouts (see bind_timelimit).
 +
 +# Django : 2011-10-28 LDAP Client-Authentication
 +# default : host 127.0.0.1
 +
 +# The distinguished name of the search base.
 +# Django : 2011-10-28 LDAP Client-Authentication
 +# base dc=example,dc=com
 +base dc=nausch,dc=org
 +
 +# Another way to specify your LDAP server is to provide an
 +# uri with the server name. This allows to use
 +# Unix Domain Sockets to connect to a local LDAP Server.
 +#uri ldap://127.0.0.1/
 +#uri ldaps://127.0.0.1/   
 +#uri ldapi://%2fvar%2frun%2fldapi_sock/
 +# Note: %2f encodes the '/' used as directory separator
 +
 +# The LDAP version to use (defaults to 3
 +# if supported by client library)
 +#ldap_version 3
 +
 +# The distinguished name to bind to the server with.
 +# Optional: default is to bind anonymously.
 +#binddn cn=proxyuser,dc=example,dc=com
 +
 +# The credentials to bind with. 
 +# Optional: default is no credential.
 +#bindpw secret
 +
 +# The distinguished name to bind to the server with
 +# if the effective user ID is root. Password is
 +# stored in /etc/ldap.secret (mode 600)
 +#rootbinddn cn=manager,dc=example,dc=com
 +
 +# The port.
 +# Optional: default is 389.
 +#port 389
 +
 +# The search scope.
 +#scope sub
 +#scope one
 +#scope base
 +
 +# Search timelimit
 +#timelimit 30
 +
 +# Bind/connect timelimit
 +#bind_timelimit 30
 +
 +# Reconnect policy: hard (default) will retry connecting to
 +# the software with exponential backoff, soft will fail
 +# immediately.
 +#bind_policy hard
 +
 +# Idle timelimit; client will close connections
 +# (nss_ldap only) if the server has not been contacted
 +# for the number of seconds specified below.
 +#idle_timelimit 3600
 +
 +# Filter to AND with uid=%s
 +#pam_filter objectclass=account
 +
 +# The user ID attribute (defaults to uid)
 +#pam_login_attribute uid
 +
 +# Search the root DSE for the password policy (works
 +# with Netscape Directory Server)
 +#pam_lookup_policy yes
 +
 +# Check the 'host' attribute for access control
 +# Default is no; if set to yes, and user has no
 +# value for the host attribute, and pam_ldap is
 +# configured for account management (authorization)
 +# then the user will not be allowed to login.
 +#pam_check_host_attr yes
 +
 +# Check the 'authorizedService' attribute for access
 +# control
 +# Default is no; if set to yes, and the user has no
 +# value for the authorizedService attribute, and
 +# pam_ldap is configured for account management
 +# (authorization) then the user will not be allowed
 +# to login.
 +#pam_check_service_attr yes
 +
 +# Group to enforce membership of
 +#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
 +
 +# Group member attribute
 +#pam_member_attribute uniquemember
 +
 +# Specify a minium or maximum UID number allowed
 +#pam_min_uid 0
 +#pam_max_uid 0
 +
 +# Template login attribute, default template user
 +# (can be overriden by value of former attribute
 +# in user's entry)
 +#pam_login_attribute userPrincipalName
 +#pam_template_login_attribute uid
 +#pam_template_login nobody
 +
 +# HEADS UP: the pam_crypt, pam_nds_passwd,
 +# and pam_ad_passwd options are no
 +# longer supported.
 +#
 +# Do not hash the password at all; presume
 +# the directory server will do it, if
 +# necessary. This is the default.
 +#pam_password clear
 +
 +# Hash password locally; required for University of
 +# Michigan LDAP server, and works with Netscape
 +# Directory Server if you're using the UNIX-Crypt
 +# hash mechanism and not using the NT Synchronization
 +# service. 
 +#pam_password crypt
 +
 +# Remove old password first, then update in
 +# cleartext. Necessary for use with Novell
 +# Directory Services (NDS)
 +#pam_password clear_remove_old
 +#pam_password nds
 +
 +# RACF is an alias for the above. For use with
 +# IBM RACF
 +#pam_password racf
 +
 +# Update Active Directory password, by
 +# creating Unicode password and updating
 +# unicodePwd attribute.
 +#pam_password ad
 +
 +# Use the OpenLDAP password change
 +# extended operation to update the password.
 +#pam_password exop
 +
 +# Redirect users to a URL or somesuch on password
 +# changes.
 +#pam_password_prohibit_message Please visit http://internal to change your password.
 +
 +# RFC2307bis naming contexts
 +# Syntax:
 +# nss_base_XXX          base?scope?filter
 +# where scope is {base,one,sub}
 +# and filter is a filter to be &'d with the
 +# default filter.
 +# You can omit the suffix eg:
 +# nss_base_passwd       ou=People,
 +# to append the default base DN but this
 +# may incur a small performance impact.
 +#nss_base_passwd        ou=People,dc=example,dc=com?one
 +#nss_base_shadow        ou=People,dc=example,dc=com?one
 +#nss_base_group         ou=Group,dc=example,dc=com?one
 +#nss_base_hosts         ou=Hosts,dc=example,dc=com?one
 +#nss_base_services      ou=Services,dc=example,dc=com?one
 +#nss_base_networks      ou=Networks,dc=example,dc=com?one
 +#nss_base_protocols     ou=Protocols,dc=example,dc=com?one
 +#nss_base_rpc           ou=Rpc,dc=example,dc=com?one
 +#nss_base_ethers        ou=Ethers,dc=example,dc=com?one
 +#nss_base_netmasks      ou=Networks,dc=example,dc=com?ne
 +#nss_base_bootparams    ou=Ethers,dc=example,dc=com?one
 +#nss_base_aliases       ou=Aliases,dc=example,dc=com?one
 +#nss_base_netgroup      ou=Netgroup,dc=example,dc=com?one
 +
 +# attribute/objectclass mapping
 +# Syntax:
 +#nss_map_attribute      rfc2307attribute        mapped_attribute
 +#nss_map_objectclass    rfc2307objectclass      mapped_objectclass
 +
 +# configure --enable-nds is no longer supported.
 +# NDS mappings
 +#nss_map_attribute uniqueMember member
 +
 +# Services for UNIX 3.5 mappings
 +#nss_map_objectclass posixAccount User
 +#nss_map_objectclass shadowAccount User
 +#nss_map_attribute uid msSFU30Name
 +#nss_map_attribute uniqueMember msSFU30PosixMember
 +#nss_map_attribute userPassword msSFU30Password
 +#nss_map_attribute homeDirectory msSFU30HomeDirectory
 +#nss_map_attribute homeDirectory msSFUHomeDirectory
 +#nss_map_objectclass posixGroup Group
 +#pam_login_attribute msSFU30Name
 +#pam_filter objectclass=User
 +#pam_password ad
 +
 +# configure --enable-mssfu-schema is no longer supported.
 +# Services for UNIX 2.0 mappings
 +#nss_map_objectclass posixAccount User
 +#nss_map_objectclass shadowAccount user
 +#nss_map_attribute uid msSFUName
 +#nss_map_attribute uniqueMember posixMember
 +#nss_map_attribute userPassword msSFUPassword
 +#nss_map_attribute homeDirectory msSFUHomeDirectory
 +#nss_map_attribute shadowLastChange pwdLastSet
 +#nss_map_objectclass posixGroup Group
 +#nss_map_attribute cn msSFUName
 +#pam_login_attribute msSFUName
 +#pam_filter objectclass=User
 +#pam_password ad
 +
 +# RFC 2307 (AD) mappings
 +#nss_map_objectclass posixAccount user
 +#nss_map_objectclass shadowAccount user
 +#nss_map_attribute uid sAMAccountName
 +#nss_map_attribute homeDirectory unixHomeDirectory
 +#nss_map_attribute shadowLastChange pwdLastSet
 +#nss_map_objectclass posixGroup group
 +#nss_map_attribute uniqueMember member
 +#pam_login_attribute sAMAccountName
 +#pam_filter objectclass=User
 +#pam_password ad
 +
 +# configure --enable-authpassword is no longer supported
 +# AuthPassword mappings
 +#nss_map_attribute userPassword authPassword
 +
 +# AIX SecureWay mappings
 +#nss_map_objectclass posixAccount aixAccount
 +#nss_base_passwd ou=aixaccount,?one
 +#nss_map_attribute uid userName
 +#nss_map_attribute gidNumber gid
 +#nss_map_attribute uidNumber uid
 +#nss_map_attribute userPassword passwordChar
 +#nss_map_objectclass posixGroup aixAccessGroup
 +#nss_base_group ou=aixgroup,?one
 +#nss_map_attribute cn groupName
 +#nss_map_attribute uniqueMember member
 +#pam_login_attribute userName
 +#pam_filter objectclass=aixAccount
 +#pam_password clear
 +
 +# Netscape SDK LDAPS
 +#ssl on
 +
 +# Netscape SDK SSL options
 +#sslpath /etc/ssl/certs
 +
 +# OpenLDAP SSL mechanism
 +# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
 +#ssl start_tls
 +#ssl on
 +
 +# OpenLDAP SSL options
 +# Require and verify server certificate (yes/no)
 +# Default is to use libldap's default behavior, which can be configured in
 +# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
 +# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
 +#tls_checkpeer yes
 +
 +# CA certificates for server certificate verification
 +# At least one of these are required if tls_checkpeer is "yes"
 +#tls_cacertfile /etc/ssl/ca.cert
 +#tls_cacertdir /etc/ssl/certs
 +
 +# Seed the PRNG if /dev/urandom is not provided
 +#tls_randfile /var/run/egd-pool
 +
 +# SSL cipher suite
 +# See man ciphers for syntax
 +#tls_ciphers TLSv1
 +
 +# Client certificate and key
 +# Use these, if your server requires client authentication.
 +#tls_cert
 +#tls_key
 +
 +# Disable SASL security layers. This is needed for AD.
 +#sasl_secprops maxssf=0
 +
 +# Override the default Kerberos ticket cache location.
 +#krb5_ccname FILE:/etc/.ldapcache
 +
 +# SASL mechanism for PAM authentication - use is experimental
 +# at present and does not support password policy control
 +#pam_sasl_mech DIGEST-MD5
 +
 +# Django : 2011-10-28 LDAP Client-Authentication, automatisch eingetragen mit Hilfe von authconfig
 +uri ldap://ldap.dmz.nausch.org
 +ssl no
 +tls_cacertdir /etc/openldap/cacerts
 +pam_password sha256
 +
 +</file>
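Review bot: The bullet list above the /etc/pam_ldap.conf listing asks for "pam_password sha512", but the last lines of the file set "pam_password sha256" (which matches --passalgo=sha256 in the authconfig call); make the two agree. The file's own comments document only clear, crypt, clear_remove_old, nds, racf, ad and exop as pam_password values, so the text should say where sha256 comes from or use one of the documented values. The list also presents base, uri, ssl and tls_cacertdir as entries to add by hand, while the trailing comment says they were written by authconfig. Finally, tls_cacertdir is set next to "ssl no", so the CA directory is not consulted in this configuration; a short remark that it only takes effect after switching to "ssl start_tls" (shown commented out further up, together with tls_checkpeer) would avoid the impression that certificate checking is active.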
 +==== nslcd.conf ====
 +In der Konfigurationsdatei //**/etc/nslcd.conf**// tragen wir folgende Daten nach:
 +  * **uri ldap://ldap.dmz.nausch.org**
 +  * **base dc=nausch,dc=org**
 +  * **ssl no**
 +
 +Zur Bearbeitung der Konfigurationsdatei nutzen wir wie so oft immer unseren Editor der Wahl **vim**.
 +   # vim /etc/nslcd.conf
 +<file bash /etc/nslcd.conf>
 +# This is the configuration file for the LDAP nameservice
 +# switch library's nslcd daemon. It configures the mapping
 +# between NSS names (see /etc/nsswitch.conf) and LDAP
 +# information in the directory.
 +# See the manual page nslcd.conf(5) for more information.
 +
 +# The uri pointing to the LDAP server to use for name lookups.
 +# Multiple entries may be specified. The address that is used
 +# here should be resolvable without using LDAP (obviously).
 +#uri ldap://127.0.0.1/
 +#uri ldaps://127.0.0.1/
 +#uri ldapi://%2fvar%2frun%2fldapi_sock/
 +# Note: %2f encodes the '/' used as directory separator
 +# uri ldap://127.0.0.1/
 +
 +# The LDAP version to use (defaults to 3
 +# if supported by client library)
 +#ldap_version 3
 +
 +# The distinguished name of the search base.
 +# base dc=example,dc=com
 +
 +# The distinguished name to bind to the server with.
 +# Optional: default is to bind anonymously.
 +#binddn cn=proxyuser,dc=example,dc=com
 +
 +# The credentials to bind with.
 +# Optional: default is no credentials.
 +# Note that if you set a bindpw you should check the permissions of this file.
 +#bindpw secret
 +
 +# The distinguished name to perform password modifications by root by.
 +#rootpwmoddn cn=admin,dc=example,dc=com
 +
 +# The default search scope.
 +#scope sub
 +#scope one
 +#scope base
 +
 +# Customize certain database lookups.
 +#base   group  ou=Groups,dc=example,dc=com
 +#base   passwd ou=People,dc=example,dc=com
 +#base   shadow ou=People,dc=example,dc=com
 +#scope  group  onelevel
 +#scope  hosts  sub
 +
 +# Bind/connect timelimit.
 +#bind_timelimit 30
 +
 +# Search timelimit.
 +#timelimit 30
 +
 +# Idle timelimit. nslcd will close connections if the
 +# server has not been contacted for the number of seconds.
 +#idle_timelimit 3600
 +
 +# Use StartTLS without verifying the server certificate.
 +#ssl start_tls
 +#tls_reqcert never
 +
 +# CA certificates for server certificate verification
 +#tls_cacertdir /etc/ssl/certs
 +#tls_cacertfile /etc/ssl/ca.cert
 +
 +# Seed the PRNG if /dev/urandom is not provided
 +#tls_randfile /var/run/egd-pool
 +
 +# SSL cipher suite
 +# See man ciphers for syntax
 +#tls_ciphers TLSv1
 +
 +# Client certificate and key
 +# Use these, if your server requires client authentication.
 +#tls_cert
 +#tls_key
 +
 +# NDS mappings
 +#map group uniqueMember member
 +
 +# Mappings for Services for UNIX 3.5
 +#filter passwd (objectClass=User)
 +#map    passwd uid              msSFU30Name
 +#map    passwd userPassword     msSFU30Password
 +#map    passwd homeDirectory    msSFU30HomeDirectory
 +#map    passwd homeDirectory    msSFUHomeDirectory
 +#filter shadow (objectClass=User)
 +#map    shadow uid              msSFU30Name
 +#map    shadow userPassword     msSFU30Password
 +#filter group  (objectClass=Group)
 +#map    group  uniqueMember     msSFU30PosixMember
 +
 +# Mappings for Services for UNIX 2.0
 +#filter passwd (objectClass=User)
 +#map    passwd uid              msSFUName
 +#map    passwd userPassword     msSFUPassword
 +#map    passwd homeDirectory    msSFUHomeDirectory
 +#map    passwd gecos            msSFUName
 +#filter shadow (objectClass=User)
 +#map    shadow uid              msSFUName
 +#map    shadow userPassword     msSFUPassword
 +#map    shadow shadowLastChange pwdLastSet
 +#filter group  (objectClass=Group)
 +#map    group  uniqueMember     posixMember
 +
 +# Mappings for Active Directory
 +#pagesize 1000
 +#referrals off
 +#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
 +#map    passwd uid              sAMAccountName
 +#map    passwd homeDirectory    unixHomeDirectory
 +#map    passwd gecos            displayName
 +#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
 +#map    shadow uid              sAMAccountName
 +#map    shadow shadowLastChange pwdLastSet
 +#filter group  (objectClass=group)
 +#map    group  uniqueMember     member
 +
 +# Mappings for AIX SecureWay
 +#filter passwd (objectClass=aixAccount)
 +#map    passwd uid              userName
 +#map    passwd userPassword     passwordChar
 +#map    passwd uidNumber        uid
 +#map    passwd gidNumber        gid
 +#filter group  (objectClass=aixAccessGroup)
 +#map    group  cn               groupName
 +#map    group  uniqueMember     member
 +#map    group  gidNumber        gid
 +uid nslcd
 +gid ldap
 +# This comment prevents repeated auto-migration of settings.
 +# Django : 2011-10-28 LDAP Client Authentication, angefügt durch den Aufruf von authconfig
 +uri ldap://ldap.dmz.nausch.org/
 +base dc=nausch,dc=org
 +ssl no
 +tls_cacertdir /etc/openldap/cacerts
 +</file>
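Review bot: The bullet list for /etc/nslcd.conf names uri, base and ssl, but the appended block in the listing also carries "tls_cacertdir /etc/openldap/cacerts" and writes the URI with a trailing slash ("uri ldap://ldap.dmz.nausch.org/"); list the lines as they appear in the file. With binddn and bindpw left commented out, nslcd binds anonymously ("Optional: default is to bind anonymously"), which is the subject of this page, so one sentence belongs here on what the directory must expose to anonymous reads for the passwd, shadow and group lookups configured below, and that userPassword should not be part of it.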
 +==== nsswitch.conf ====
 +In der Konfigurationsdatei //**/etc/pam.d/system-auth**// tragen wir folgende Daten nach:
 +  * **passwd:     files ldap**
 +  * **shadow:     files ldap**
 +  * **group:      files ldap**
 +
 +  * **netgroup:   ldap**
 +
 +  * **automount:  files ldap**
 +
 +Zur Bearbeitung der Konfigurationsdatei nutzen wir wie so oft immer unseren Editor der Wahl **vim**.
 +   # vim /etc/nsswitch.conf
 +<file bash /etc/nsswitch.conf>
 +#
 +# /etc/nsswitch.conf
 +#
 +# An example Name Service Switch config file. This file should be
 +# sorted with the most-used services at the beginning.
 +#
 +# The entry '[NOTFOUND=return]' means that the search for an
 +# entry should stop if the search in the previous entry turned
 +# up nothing. Note that if the search failed due to some other reason
 +# (like no NIS server responding) then the search continues with the
 +# next entry.
 +#
 +# Valid entries include:
 +#
 +#       nisplus                 Use NIS+ (NIS version 3)
 +#       nis                     Use NIS (NIS version 2), also called YP
 +#       dns                     Use DNS (Domain Name Service)
 +#       files                   Use the local files
 +#       db                      Use the local database (.db) files
 +#       compat                  Use NIS on compat mode
 +#       hesiod                  Use Hesiod for user lookups
 +#       [NOTFOUND=return]       Stop searching if not found so far
 +#
 +
 +# To use db, put the "db" in front of "files" for entries you want to be
 +# looked up first in the databases
 +#
 +# Example:
 +#passwd:    db files nisplus nis
 +#shadow:    db files nisplus nis
 +#group:     db files nisplus nis
 +
 +# Django : 2011-10-28 LDAP Client Authentication
 +# default
 +# passwd:     files
 +# shadow:     files
 +# group:      files
 +passwd:     files ldap
 +shadow:     files ldap
 +group:      files ldap
 +
 +#hosts:     db files nisplus nis dns
 +hosts:      files dns
 +
 +# Example - obey only what nisplus tells us...
 +#services:   nisplus [NOTFOUND=return] files
 +#networks:   nisplus [NOTFOUND=return] files
 +#protocols:  nisplus [NOTFOUND=return] files
 +#rpc:        nisplus [NOTFOUND=return] files
 +#ethers:     nisplus [NOTFOUND=return] files
 +#netmasks:   nisplus [NOTFOUND=return] files     
 +
 +bootparams: nisplus [NOTFOUND=return] files
 +
 +ethers:     files
 +netmasks:   files
 +networks:   files
 +protocols:  files
 +rpc:        files
 +services:   files
 +
 +# Django : 2011-10-28 LDAP Client Authentication
 +# default
 +# netgroup:   nisplus
 +netgroup:   ldap
 +
 +publickey:  nisplus
 +
 +# Django : 2011-10-28 LDAP Client Authentication
 +# default
 +# automount:  files nisplus
 +automount:  files ldap
 +aliases:    files nisplus
 +</file>
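Review bot: The sentence introducing the nsswitch.conf section names /etc/pam.d/system-auth as the file to edit, but the heading, the vim command and the listing are all /etc/nsswitch.conf; correct the file name. The bullet list is also broken into three separate lists by the empty lines around "netgroup: ldap", which can be closed up so the five entries read as one list.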
 +
 +==== system-auth ====
 +Durch den Aufruf des Programmes [[centos:ldap:annonbind#konfiguration|authconfig]] wurden die folgenden **pam.d**-Konfigurationsdateien angepasst:
 +
 +  * **/etc/pam.d/fingerprint-auth**
 +  * **/etc/pam.d/password-auth**
 +  * **/etc/pam.d/smartcard-auth**
 +  * **/etc/pam.d/smtp**
 +  * **/etc/pam.d/system-auth**
 +
 +Zur Bearbeitung der Konfigurationsdatei nutzen wir wie so oft immer unseren Editor der Wahl **vim**.
 +   # vim /etc/pam.d/fingerprint-auth
 +<file bash /etc/pam.d/fingerprint-auth>
 +#%PAM-1.0
 +# This file is auto-generated.
 +# User changes will be destroyed the next time authconfig is run.
 +auth        required      pam_env.so
 +auth        sufficient    pam_fprintd.so
 +auth        required      pam_deny.so
 +
 +account     required      pam_unix.so broken_shadow
 +account     sufficient    pam_localuser.so
 +account     sufficient    pam_succeed_if.so uid < 500 quiet
 +account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
 +account     required      pam_permit.so
 +
 +password    required      pam_deny.so
 +
 +session     optional      pam_keyinit.so revoke
 +session     required      pam_limits.so
 +session     optional      pam_oddjob_mkhomedir.so
 +session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 +session     required      pam_unix.so
 +session     optional      pam_ldap.so
 +</file>
 +
 +   # vim /etc/pam.d/password-auth
 +<file bash /etc/pam.d/password-auth>
 +#%PAM-1.0
 +# This file is auto-generated.
 +# User changes will be destroyed the next time authconfig is run.
 +auth        required      pam_env.so
 +auth        sufficient    pam_unix.so nullok try_first_pass
 +auth        requisite     pam_succeed_if.so uid >= 500 quiet
 +auth        sufficient    pam_ldap.so use_first_pass
 +auth        required      pam_deny.so
 +
 +account     required      pam_unix.so broken_shadow
 +account     sufficient    pam_localuser.so
 +account     sufficient    pam_succeed_if.so uid < 500 quiet
 +account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
 +account     required      pam_permit.so
 +
 +password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 +password    sufficient    pam_unix.so sha256 shadow nullok try_first_pass use_authtok
 +password    sufficient    pam_ldap.so use_authtok
 +password    required      pam_deny.so
 +
 +session     optional      pam_keyinit.so revoke
 +session     required      pam_limits.so
 +session     optional      pam_oddjob_mkhomedir.so
 +session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 +session     required      pam_unix.so
 +session     optional      pam_ldap.so
 +</file>
 +
 +   # vim /etc/pam.d/smartcard-auth
 +<file bash /etc/pam.d/smartcard-auth>
 +#%PAM-1.0
 +# This file is auto-generated.
 +# User changes will be destroyed the next time authconfig is run.
 +auth        required      pam_env.so
 +auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
 +auth        required      pam_deny.so
 +
 +account     required      pam_unix.so broken_shadow
 +account     sufficient    pam_localuser.so
 +account     sufficient    pam_succeed_if.so uid < 500 quiet
 +account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
 +account     required      pam_permit.so
 +
 +password    required      pam_pkcs11.so
 +
 +session     optional      pam_keyinit.so revoke
 +session     required      pam_limits.so
 +session     optional      pam_oddjob_mkhomedir.so
 +session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 +session     required      pam_unix.so
 +session     optional      pam_ldap.so
 +</file>
 +
 +   # vim /etc/pam.d/smtp
 +<file bash /etc/pam.d/smtp>
 +#%PAM-1.0
 +auth       include      password-auth
 +account    include      password-auth
 +</file>
 +
 +   # vim /etc/pam.d/system-auth
 +<file bash /etc/pam.d/system-auth>
 +#%PAM-1.0
 +# This file is auto-generated.
 +# User changes will be destroyed the next time authconfig is run.
 +auth        required      pam_env.so
 +auth        sufficient    pam_fprintd.so
 +auth        sufficient    pam_unix.so nullok try_first_pass
 +auth        requisite     pam_succeed_if.so uid >= 500 quiet
 +auth        sufficient    pam_ldap.so use_first_pass
 +auth        required      pam_deny.so
 +
 +account     required      pam_unix.so broken_shadow
 +account     sufficient    pam_localuser.so
 +account     sufficient    pam_succeed_if.so uid < 500 quiet
 +account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
 +account     required      pam_permit.so
 +
 +password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 +password    sufficient    pam_unix.so sha256 shadow nullok try_first_pass use_authtok
 +password    sufficient    pam_ldap.so use_authtok
 +password    required      pam_deny.so
 +
 +session     optional      pam_keyinit.so revoke
 +session     required      pam_limits.so
 +session     optional      pam_oddjob_mkhomedir.so
 +session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 +session     required      pam_unix.so
 +session     optional      pam_ldap.so
 +</file>
 +==== automatischer Systemstart des nslc-Dämon ====
 +Damit nun beim nächsten Start des Systems der notwendige **naming services LDAP client daemon** kurz **nslcd** mit gestartet wird, versetzen wir das Startscript in den Modus "//on//".
 +   # chkconfig nslcd on
 +Den Status überprüfen wir bei Bedarf mittels:
 +   # chkconfig --list | grep nslcd
 +
 +   nslcd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
 +
 +Zum Abschluss unserer Konfiguration starten wir nun unseren CentOS 6 Client einmal durch.
 +   # reboot
 +===== Test =====
 +==== LDAP Abfrage ====
 +Zur Abfrage eines LDAP-Users können wir folgenden Aufruf verwenden:
 +   $ ldapsearch -x -LLL -H ldap://ldap.dmz.nausch.org -b "dc=nausch,dc=org" "uid=bigchief"
 +
 +<code>dn: uid=bigchief,ou=People,dc=nausch,dc=org
 +uid: bigchief
 +cn: BigChief
 +objectClass: account
 +objectClass: posixAccount
 +objectClass: top
 +objectClass: shadowAccount
 +shadowLastChange: 15274
 +shadowMin: 0
 +shadowMax: 99999
 +shadowWarning: 7
 +loginShell: /bin/bash
 +uidNumber: 501
 +gidNumber: 501
 +homeDirectory: /home/bigchief
 +gecos: BigChief
 +</code>
 +
 +LDAP-Abfrage mit dem User //Django// aber mit **falschem** Passwort:
 +   $ ldapsearch -x -LLL -H ldap://ldap.dmz.nausch.org -b "dc=nausch,dc=org" "uid=django" -W -D "uid=django,ou=People,dc=nausch,dc=org"
 +
 +<code>Enter LDAP Password: 
 +ldap_bind: Invalid credentials (49)</code>
 +
 +LDAP-Abfrage mit dem User //Django// aber mit **richtigem** Passwort:
 +   $ ldapsearch -x -LLL -H ldap://ldap.dmz.nausch.org -b "dc=nausch,dc=org" "uid=django" -W -D "uid=django,ou=People,dc=nausch,dc=org"
 +
 +<code>Enter LDAP Password: 
 +dn: uid=django,ou=People,dc=nausch,dc=org
 +uid: django
 +cn: Django
 +objectClass: account
 +objectClass: posixAccount
 +objectClass: top
 +objectClass: shadowAccount
 +userPassword:: e2NyeXB0fSQ2JENna3VQVFplJDRiT2wvR2dSMUg4OWlxQjRtaU4yYVN5VndHUWE
 + 2SVlum31nScH3fFiSt31nV0lLd3pPzlxd2tFYWJQdTZUL1BITWNXcWFLbW9KUnd6NlhwVTd3Vm0x
 +shadowLastChange: 15272
 +shadowMin: 0
 +shadowMax: 99999
 +shadowWarning: 7
 +loginShell: /bin/bash
 +uidNumber: 500
 +gidNumber: 500
 +homeDirectory: /home/django
 +gecos: Django
 +
 +</code>
 +==== Clienttest ====
 +Die erfolgreiche Konfiguration unseres Rechners überprüfen wir so:
 +  - Mit **getent** lassen wir uns die Informationen eines Users anzeigen, der sowohl in der /etc/shadow wie auch im zentralen LDAP-Verzeichnisdienst hinterlegt ist. Wenn alles gut gelaufen ist, werden uns zwei Einträge präsentiert. \\ \\ <code>$ getent passwd | grep django
 +django:x:500:500::/home/django:/bin/bash
 +django:x:500:500:Django:/home/django:/bin/bash</code>
 +  - Als nächstes wählen wir einen Nutzer der nur im LDAP-Verzeichnisdienst einen Account hat, nicht aber auf der lokalen Maschine. \\ \\ <code>$ getent passwd | grep bigchief
 +bigchief:x:501:501:BigChief:/home/bigchief:/bin/bash </code>
 +  - Dann melden wir uns nun an unserem Client als ein Benutzer an, der lokal auf der Maschine nicht existiert, werden wir beim Login nach dem Passwort gefragt, welches gegen den zentralen OpenLDAP-Server verifiziert wird. Ist das Passwort richtig wird auch gleich das zugehörige Nutzer-Homeverzeichnis angelegt. \\ \\ <code>[django@vml010008 ~]$ su - ruben</code><code>Password:</code><code>Creating directory '/home/ruben'.</code>
 +
 +{{ :centos:ldap:client_ldap_auth.png?500 |Bildschirmhardcopy bei der Anmeldung am Client (mit LDAP auth)}}
 +====== Links ======
 +  * **[[centos:ldap:start|Zurück zum Kapitel >>OpenLDAP Server unter CentOS 6.x<<]]**
 +  * **[[wiki:start|Zurück zu >>Projekte und Themenkapitel<<]]**
 +  * **[[http://dokuwiki.nausch.org/doku.php/|Zurück zur Startseite]]**
 +
 +~~AUTOTWEET:~~
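Review bot: The two authenticated test queries under "LDAP Abfrage" do a simple bind (`-x -W -D "uid=django,ou=People,dc=nausch,dc=org"`) against `-H ldap://ldap.dmz.nausch.org` without StartTLS, so the password entered at "Enter LDAP Password:" crosses the network in clear text. Suggest adding `-ZZ` to both ldapsearch calls (or using an `ldaps://` URI) and noting that the client-side LDAP configuration behind the `pam_ldap.so use_first_pass` lines has to require TLS in the same way, since those logins bind with the user's password too. Two smaller points: the "system-auth" section says the pam.d files are edited with vim, while each generated file carries the header "User changes will be destroyed the next time authconfig is run", so the text should say the files are only being inspected or that lasting changes are made through authconfig; and the heading "automatischer Systemstart des nslc-Dämon" should read nslcd, matching the `chkconfig nslcd on` line directly below it.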
  
  • centos/ldap/annonbind.txt
 • Last modified: 22.07.2019 15:03.
 • by 127.0.0.1