centos:ldap:tecbind [10.11.2011 14:34] – [Konfiguration] django | centos:ldap:tecbind [17.07.2015 07:54] – [Abfragetest] django

====== Client-side configuration for client authentication with a technical user ======

As an extension of our [[centos:

In hardened environments, password-less access to the LDAP server by just anyone, known as an //anonymous bind//, is blocked. Instead the client has to make its queries through a technical user, which in turn uses a password that is known to the LDAP server.

Here too, on the clients concerned, we no longer want to authenticate the individual users against the local **/

===== Technical user for LDAP server access =====
In our example we assume an OpenLDAP server that is already installed and configured, as described in the chapter [[centos:

==== Configuration ====
In the first step we create a dedicated technical user through which the queries to our OpenLDAP server will later be made.

For simplicity we store the following user in our DIT((**D**irectory **I**nformation **T**ree)):
  * **cn=Technischeruser,

Our user naturally also needs a password, which we create as follows.
# slappasswd -h {SSHA}

New password:

In the next step we create a configuration file in ***.LDIF** format that contains the definition of our special user. So in the directory //
# vim /

<file bash /
dn: cn=Technischeruser,
cn: Technischeruser
objectClass:
objectClass:
objectClass:
userPassword:
</file>

<WRAP round important>
# service slapd stop
</WRAP>

With the following command we import the data from the LDIF file into the DIT.
# slapadd -v -l /

<WRAP round important>
# service slapd start
</WRAP>

==== Query test ====
We can now verify our configuration and run an LDAP query with our newly created //
# ldapsearch -x -LLL -H ldap://

<code bash>
dn: cn=Technischeruser,
cn: Technischeruser
objectClass:
objectClass:
objectClass:
userPassword::
</code>

===== Disabling the "
In our hardened environment, only authenticated queries and accesses to our OpenLDAP server are to be permitted. For this we have, in the previous [[centos:

==== Configuration ====
To disable it we now adjust the central configuration in the OpenLDAP server.

For a better understanding we first query the current configuration.
# ldapsearch -W -x -D cn=config -b cn=config "

<code bash>
# extended LDIF
#
# LDAPv3
# base <
# filter: (objectclass=olcGlobal)
# requesting: ALL
#

# config
dn: cn=config
objectClass:
cn: config
olcConfigFile:
olcConfigDir:
olcAllows: bind_v2
olcArgsFile:
olcAttributeOptions:
olcAuthzPolicy:
olcConcurrency:
olcConnMaxPending:
olcConnMaxPendingAuth:
olcGentleHUP:
olcIdleTimeout:
olcIndexSubstrIfMaxLen:
olcIndexSubstrIfMinLen:
olcIndexSubstrAnyLen:
olcIndexSubstrAnyStep:
olcIndexIntLen:
olcLocalSSF:
olcLogLevel:
olcPidFile: /
olcReadOnly:
olcReferral:
olcReverseLookup:
olcSaslSecProps:
olcSockbufMaxIncoming:
olcSockbufMaxIncomingAuth:
olcThreads: 16
olcTLSCRLCheck:
olcTLSVerifyClient:
olcToolThreads:
olcWriteTimeout:

# search result
search: 2
result: 0 Success

# numResponses:
# numEntries: 1
</code>
We do not make the change to this configuration by editing a central configuration file, as we may have been used to from earlier installations under CentOS 5.

The changes are made by means of an ***.LDIF** file. So we create it in the usual directory //
# vim /

<file bash /
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows:
-
add: olcRequires
olcRequires:
</file>

To apply the changes we have just defined in the LDIF file to the running OpenLDAP server **slapd**, we use the **ldapmodify** command:
# ldapmodify -W -x -D cn=config -f /

Enter LDAP Password:

If we now query the configuration of our **slapd** again, we find the change from our LDIF file at the end:
  * **olcDisallows:
  * **olcRequires:

# ldapsearch -W -x -D cn=config -b cn=config "
<code bash>
# extended LDIF
#
# LDAPv3
# base <
# filter: (objectclass=olcGlobal)
# requesting: ALL
#

# config
dn: cn=config
objectClass:
cn: config
olcConfigFile:
olcConfigDir:
olcAllows: bind_v2
olcArgsFile:
olcAttributeOptions:
olcAuthzPolicy:
olcConcurrency:
olcConnMaxPending:
olcConnMaxPendingAuth:
olcGentleHUP:
olcIdleTimeout:
olcIndexSubstrIfMaxLen:
olcIndexSubstrIfMinLen:
olcIndexSubstrAnyLen:
olcIndexSubstrAnyStep:
olcIndexIntLen:
olcLocalSSF:
olcLogLevel:
olcPidFile: /
olcReadOnly:
olcReferral:
olcReverseLookup:
olcSaslSecProps:
olcSockbufMaxIncoming:
olcSockbufMaxIncomingAuth:
olcThreads: 16
olcTLSCRLCheck:
olcTLSVerifyClient:
olcToolThreads:
olcWriteTimeout:
olcDisallows:
olcRequires:

# search result
search: 2
result: 0 Success

# numResponses:
# numEntries: 1
</code>
==== Query test ====
If we now attempt an anonymous-bind query against our OpenLDAP server, it fails and we receive a corresponding error message.
# ldapsearch -x -LLL -H ldap://

The query for our user //Django// is now made, correctly, through our technical user //
# ldapsearch -x -LLL -H ldap://
<code bash>
dn: uid=django,
uid: django
cn: Django
objectClass:
objectClass:
objectClass:
objectClass:
shadowLastChange:
shadowMin: 0
shadowMax: 99999
shadowWarning:
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory:
gecos: Django
</code>

===== Restricting access rights =====
With the following command we can check which access rights are currently defined for the user structures in the DIT((**D**irectory **I**nformation **T**ree)). This gives an overview of,
# ldapsearch -W -x -D cn=config -b olcDatabase={-1}frontend,
<code bash>
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <
# filter: (objectclass=*)
# requesting: ALL
#

# {-1}frontend,
dn: olcDatabase={-1}frontend,
olcPasswordHash:
objectClass:
objectClass:
olcDatabase:
olcAccess: {0}to attrs=userPassword
olcAccess: {1}to * by self write by dn.base="
olcAddContentAcl:
olcLastMod: TRUE
olcMaxDerefDepth:
olcReadOnly:
olcSchemaDN:
olcMonitoring:

# search result
search: 2
result: 0 Success

# numResponses:
# numEntries: 1
</code>
Let us take a closer look at the two lines prefixed with **olcAccess**.

These lines have the following meaning:

  * **userPassword**
    * can be accessed only by the **"owner himself"** //
    * or by **"dn.base="cn=manager,
    * or by **"anonymous"** //
    * and by everyone else //no access// is possible.
  * ** * (on the entire tree)**
    * can be accessed only by the **"owner himself"** //
    * or by **"dn.base="cn=manager,
    * or by everyone else with //read access//.

<WRAP round info>To change these existing access permissions, the current ACL configuration must first be deleted and then the future ACL configuration created anew.</WRAP>
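The effect of these rules can be worked through without a running slapd. The following Python example is added here and is not part of the original page or of OpenLDAP. It implements a simplified model of slapd's access evaluation (the first **to** clause that matches the target decides, within it the first **by** clause that matches the requester decides, and no match means the implicit **by * none**) and applies it both to the two original rules above and to a constructed restricted rule set in the spirit of the next section, in which a user can read only the own entry while the technical user may read everything. The base DN and cn=manager are taken from this page; the user entries under ou=People, the technical user's full DN and the restricted rule set itself are assumptions (the page's own restricted rules are incomplete). Entry-level rights (the **entry** pseudo-attribute), **search** on the base and the control keywords stop/continue/break are not modelled.

```python
import re
from typing import List, Optional, Tuple

# Access levels in slapd.access(5) order; a granted level implies every level below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed DNs: base DN and cn=manager appear on this page; the rest are assumptions.
BASE = "dc=nausch,dc=org"
MANAGER = f"cn=manager,{BASE}"
TECH = f"cn=Technischeruser,{BASE}"
DJANGO = f"uid=django,ou=People,{BASE}"
BIGCHIEF = f"uid=bigchief,ou=People,{BASE}"

# The two rules the page explains, re-assembled from its bullet list.
ORIGINAL_ACL = [
    f'{{0}}to attrs=userPassword by self write by dn.base="{MANAGER}" write by anonymous auth by * none',
    f'{{1}}to * by self write by dn.base="{MANAGER}" write by * read',
]

# Constructed restricted rules: a user sees only the own entry, the technical user
# may read everything, password hashes stay hidden from everyone else.
RESTRICTED_ACL = [
    f'{{0}}to attrs=userPassword by self write by dn.base="{MANAGER}" write by dn.base="{TECH}" read by anonymous auth by * none',
    f'{{1}}to dn.regex="^uid=[^,]+,ou=People,{BASE}$" by self write by dn.base="{MANAGER}" write by dn.base="{TECH}" read by * none',
    f'{{2}}to * by self write by dn.base="{MANAGER}" write by * read',
]


def parse_rule(rule: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split 'to <what> by <who> <level> [by ...]' into the target and its (who, level) clauses."""
    rule = re.sub(r"^\{\d+\}", "", rule.strip())   # {n} on olcAccess values is ordering, not syntax
    parts = re.split(r"\s+by\s+", rule)
    if not parts[0].startswith("to "):
        raise ValueError(f"rule must start with 'to': {rule!r}")
    clauses = []
    for clause in parts[1:]:
        tokens = clause.split()                      # control keywords after the level are ignored
        level = tokens[1] if len(tokens) > 1 else "none"
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r} in {rule!r}")
        clauses.append((tokens[0], level))
    return parts[0][3:].strip(), clauses


def target_matches(what: str, target_dn: str, attr: Optional[str]) -> bool:
    """Does a 'to' selector cover attribute attr (None = the entry itself) of target_dn?"""
    if what == "*":
        return True
    for selector in what.split():
        key, _, value = selector.partition("=")
        value = value.strip('"')
        if key == "attrs":
            if attr is None or attr.lower() not in [a.lower() for a in value.split(",")]:
                return False
        elif key in ("dn", "dn.base"):               # dn= without a style is treated as exact here
            if target_dn.lower() != value.lower():
                return False
        elif key == "dn.regex":
            if re.match(value, target_dn, re.IGNORECASE) is None:
                return False
        else:
            raise ValueError(f"unsupported target selector {selector!r}")
    return True


def subject_matches(who: str, subject_dn: Optional[str], target_dn: str) -> bool:
    """Does a 'by' selector cover the requester (None = anonymous bind)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return subject_dn is None
    if who == "users":
        return subject_dn is not None
    if who == "self":
        return subject_dn is not None and subject_dn.lower() == target_dn.lower()
    key, _, value = who.partition("=")
    value = value.strip('"')
    if key in ("dn", "dn.base"):
        return subject_dn is not None and subject_dn.lower() == value.lower()
    if key == "dn.regex":
        return subject_dn is not None and re.match(value, subject_dn, re.IGNORECASE) is not None
    raise ValueError(f"unsupported by selector {who!r}")


def granted_level(rules, subject_dn, target_dn, attr=None) -> str:
    """First matching 'to' decides, inside it the first matching 'by'; nothing matching is 'none'."""
    for rule in rules:
        what, clauses = parse_rule(rule)
        if not target_matches(what, target_dn, attr):
            continue
        for who, level in clauses:
            if subject_matches(who, subject_dn, target_dn):
                return level
        return "none"
    return "none"


def allowed(rules, subject_dn, target_dn, attr, needed: str) -> bool:
    """True when the granted level covers what the operation needs (auth, read, write, ...)."""
    return LEVELS.index(granted_level(rules, subject_dn, target_dn, attr)) >= LEVELS.index(needed)
```

With the original rules an anonymous requester gets **auth** on userPassword (enough to bind, not to read the hash) but **read** on every other attribute of every entry, which is exactly why the anonymous bind was switched off above. With the constructed restricted rules the queries of the next section come out as the page describes: **django** reading **bigchief** ends at **by * none**, **django** reading the own entry hits **self**, and the technical user is granted **read** on both entries including userPassword.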

==== Configuration ====
Instead we create two **.ldif** files with which we adjust the user rights.

  - **Delete** the current ACL configuration:
<code bash>
delete: olcAccess
olcAccess: to attrs=userPassword
olcAccess: to * by self write by dn.base="
</code>
  - **Create** the future ACL configuration:
<code bash>
add: olcAccess
olcAccess: to attrs=userPassword,
olcAccess: to dn="
olcAccess: to dn="
olcAccess: to dn.regex="
olcAccess: to dn.regex="
olcAccess: to * by self write by dn.base="
</code>

Then we load the two **.LDIF** files into the OpenLDAP server, deleting the existing access rules and entering our new ones.
  - **Delete** the current ACL configuration:
<code bash>
modifying entry "
</code>
  - **Create** the new ACL configuration:
<code bash>
modifying entry "
</code>
Whether our changes have been taken over into the running slapd process is most easily checked with the following call, which lists all access rights currently defined for the user structures in the DIT((**D**irectory **I**nformation **T**ree)).
# ldapsearch -W -x -D cn=config -b olcDatabase={-1}frontend,
<code bash>
# extended LDIF
#
# LDAPv3
# base <
# filter: (objectclass=*)
# requesting: ALL
#

# {-1}frontend,
dn: olcDatabase={-1}frontend,
olcPasswordHash:
objectClass:
objectClass:
olcDatabase:
olcAddContentAcl:
olcLastMod: TRUE
olcMaxDerefDepth:
olcReadOnly:
olcSchemaDN:
olcMonitoring:
olcAccess: {0}to attrs=userPassword,
olcAccess: {1}to dn="
olcAccess: {2}to dn="
olcAccess: {3}to dn.regex="
olcAccess: {4}to dn.regex="
olcAccess:: ezV9dG8gKiAgYnkgc2VsZiB3cml0ZSAgYnkgZG4uYmFzZT0igVsZiz1uYXVzY2gsZGM9b3JnIiB3cml0ZSAgKiAgYnkgYnkgKiByZWFkIA==

# search result
search: 2
result: 0 Success

# numResponses:
# numEntries: 1
</code>
==== Verification ====
To check that our newly set access rules actually take effect, we first try to query the data of user **bigchief**, but as user **django**.
# ldapsearch -x -LLL -H ldap://

Enter LDAP Password:
If we retrieve the data of the user himself, this of course works as hoped. In the following example user **django** queries the data of user **django**.
# ldapsearch -x -LLL -H ldap://
<code bash>
dn: uid=django,
uid: django
cn: Django
objectClass:
objectClass:
objectClass:
objectClass:
userPassword::
shadowLastChange:
shadowMin: 0
shadowMax: 99999
shadowWarning:
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory:
gecos: Django
</code>
As before, however, our technical user with the same name //
# ldapsearch -x -LLL -H ldap://
<code bash>
dn: uid=django,
uid: django
cn: Django
objectClass:
objectClass:
objectClass:
objectClass:
userPassword::
shadowLastChange:
shadowMin: 0
shadowMax: 99999
shadowWarning:
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory:
gecos: Django
</code>
# ldapsearch -x -LLL -H ldap://
<code bash>
dn: uid=bigchief,
uid: bigchief
cn: BigChief
objectClass:
objectClass:
objectClass:
objectClass:
userPassword::
shadowLastChange:
shadowMin: 0
shadowMax: 99999
shadowWarning:
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory:
gecos: BigChief
</code>

===== Client configuration =====
The configuration of our client is most easily done with the help of the program **//

  * **disablesmartcard** disable SmartCard support
  * **disablefingerprint** disable the fingerprint reader
  * **disablemd5** disable MD5 passwords
  * **passalgo** define the password hash algorithm
  * **enablemkhomedir** home directory
  * **enableldap** enable LDAP user information
  * **enableldapauth** enable LDAP authentication
  * **ldapserver** LDAP server name or URI definition
  * **ldapbasedn** LDAP base DN definition
  * **update** update the configuration files with the values set.

A detailed description of the options is available in the authconfig man page or when calling the option //
# authconfig --help

So we now configure our LDAP client authentication as follows.
# authconfig --disablesmartcard --disablefingerprint --disablemd5 --passalgo=sha256 --enablemkhomedir --enableldap --enableldapauth --ldapserver=ldap.dmz.nausch.org --ldapbasedn="

nslcd starten:

The individual configuration files,
were necessary in detail so that LDAP client authentication could be enabled.

For documentation, and for possible later documentation steps, we optionally mark all changes with a comment of the form
**# Django : date [optional reason]**.

==== authconfig ====
In the configuration file //
  * **USELDAP=yes** //
  * **FORCELEGACY=yes** //(CentOS 6 uses TLS for LDAP authentication by default. This switch disables that default and forces unencrypted communication with the LDAP server.)//

To edit the configuration file we use, as always, our editor of choice **vim**.
# vim /
<file bash /
USEMKHOMEDIR=no
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USEDB=no
FORCELEGACY=yes
USEFPRINTD=yes
FORCESMARTCARD=no
PASSWDALGORITHM=sha512
USELDAPAUTH=no
USEPASSWDQC=no
USELOCAUTHORIZE=yes
USECRACKLIB=yes
USEWINBINDAUTH=no
USESMARTCARD=no
USELDAP=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
USESMBAUTH=no
USESSSD=no
USEHESIOD=no
</file>

==== ldap.conf ====
In the configuration file //
  * **BASE
  * **URI
  * **TLS_CACERTDIR /

To edit the configuration file we use, as always, our editor of choice **vim**.
# vim /
<file bash /
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE
#URI ldap://

#
#
#

# Django : 2011-10-28 LDAP Client Authentication
BASE dc=nausch, dc=org
URI
TLS_CACERTDIR /
</file>

==== pam_ldap.conf ====
In the configuration file //
  * **binddn dc=nausch,
  * **bindpw Klaus-ist-der-groesste!**
  * **uri ldap://
  * **ssl no**
  * **tls_cacertdir /
  * **pam_password sha512**

To edit the configuration file we use, as always, our editor of choice **vim**.
# vim /
<file bash /
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# The man page for this file is pam_ldap(5)
#
# PADL Software
# http://
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).

# Django : 2011-10-28 LDAP Client-Authentication
# default : host 127.0.0.1

# The distinguished name of the search base.
# Django : 2011-11-10 LDAP Client-Authentication
# base dc=example,
binddn dc=nausch,

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://
#uri ldaps://
#uri ldapi://
# Note: %2f encodes the '/'

# The LDAP version to use (defaults to 3
# if supported by client library)
#

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret
# Django : 2011-11-10 LDAP Client-Authentication
bindpw Klaus-ist-der-groesste!

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /
#rootbinddn cn=manager,

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind/
#

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#

# Check the '
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#

# Check the '
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#

# Group to enforce membership of
#

# Group member attribute
#

# Specify a minium or maximum UID number allowed
#
#

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#
#
#

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#
#

# RACF is an alias for the above. For use with
# IBM RACF
#

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#

# Use the OpenLDAP password change
# extended operation to update the password.
#

# Redirect users to a URL or somesuch on password
# changes.
#

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX
# where scope is {base,
# and filter is a filter to be &'
# default filter.
# You can omit the suffix eg:
# nss_base_passwd
# to append the default base DN but this
# may incur a small performance impact.
#
#
#
#
#
#
#
#
#
#
#
#
#

# attribute/
# Syntax:
#
#

# configure --enable-nds is no longer supported.
# NDS mappings
#

# Services for UNIX 3.5 mappings
#
#
#
#
#
#
#
#
#
#pam_filter objectclass=User
#

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#
#
#
#
#
#
#
#
#
#
#pam_filter objectclass=User
#

# RFC 2307 (AD) mappings
#
#
#
#
#
#
#
#
#pam_filter objectclass=User
#

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#

# AIX SecureWay mappings
#
#
#
#
#
#
#
#
#
#
#
#pam_filter objectclass=aixAccount
#

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap'
# /
# OpenLDAP 2.0 and earlier is "
#

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "
#
#

# Seed the PRNG if /
#

# SSL cipher suite
# See man ciphers for syntax
#

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#

# Override the default Kerberos ticket cache location.
#

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#

# Django : 2011-10-28 LDAP Client-Authentication,
uri ldap://
ssl no
tls_cacertdir /
pam_password sha256

</file>
==== nslcd.conf ====
In the configuration file //
  * **uri ldap://
  * **binddn dc=nausch,
  * **bindpw Klaus-ist-der-groesste!**
  * **ssl no**

To edit the configuration file we use, as always, our editor of choice **vim**.
# vim /
<file bash /
# This is the configuration file for the LDAP nameservice
# switch library'
# between NSS names (see /
# information in the directory.
# See the manual page nslcd.conf(5) for more information.

# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://
#uri ldaps://
#uri ldapi://
# Note: %2f encodes the '/'
# uri ldap://

# The LDAP version to use (defaults to 3
# if supported by client library)
#

# The distinguished name of the search base.
# base dc=example,

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret
# Django : LDAP client authentication with technical user
bindpw Klaus-ist-der-groesste!

# The distinguished name to perform password modifications by root by.
#

# The default search scope.
#scope sub
#scope one
#scope base

# Customize certain database lookups.
#base
#base
#base
#
#

# Bind/
#

# Search timelimit.
#timelimit 30

# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#

# Use StartTLS without verifying the server certificate.
#ssl start_tls
#

# CA certificates for server certificate verification
#
#

# Seed the PRNG if /
#

# SSL cipher suite
# See man ciphers for syntax
#

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# NDS mappings
#map group uniqueMember member

# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map passwd uid msSFU30Name
#map passwd userPassword
#map passwd homeDirectory
#map passwd homeDirectory
#filter shadow (objectClass=User)
#map shadow uid msSFU30Name
#map shadow userPassword
#filter group (objectClass=Group)
#map group uniqueMember

# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map passwd uid msSFUName
#map passwd userPassword
#map passwd homeDirectory
#map passwd gecos msSFUName
#filter shadow (objectClass=User)
#map shadow uid msSFUName
#map shadow userPassword
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=Group)
#map group uniqueMember

# Mappings for Active Directory
#pagesize 1000
#referrals off
#filter passwd (&
#map passwd uid sAMAccountName
#map passwd homeDirectory
#map passwd gecos displayName
#filter shadow (&
#map shadow uid sAMAccountName
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=group)
#map group uniqueMember

# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map passwd uid userName
#map passwd userPassword
#map passwd uidNumber
#map passwd gidNumber
#filter group (objectClass=aixAccessGroup)
#map group cn
#map group uniqueMember
#map group gidNumber
uid nslcd
gid ldap
# This comment prevents repeated auto-migration of settings.
# Django : 2011-10-28 LDAP Client Authentication,
uri ldap://
binddn cn=Technischeruser,
ssl no
tls_cacertdir /
</file>
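Both **pam_ldap.conf** and **nslcd.conf** above keep the technical user's **bindpw** in clear text next to **ssl no**, and the header of nslcd.conf itself notes that the file permissions should be checked once a bindpw is set. The following Python example is added here and is not part of the original page, of nslcd or of authconfig. It checks a configuration file for exactly those two points: it parses the keyword/value format both files use, reports a bindpw in a file that group or others can read, and reports a bindpw that a simple bind would send over a plain ldap:// URI without TLS. The sample file content is constructed after the page's nslcd.conf; the placeholder password, the technical user's full DN and the cacerts directory are assumptions.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Constructed nslcd.conf fragment modelled on the one on this page; the bind
# password is a placeholder, the technical user's full DN and the cacerts
# directory are assumptions.
SAMPLE_NSLCD_CONF = """\
# Django : 2011-10-28 LDAP Client Authentication (constructed sample)
uid nslcd
gid ldap
uri ldap://ldap.dmz.nausch.org
binddn cn=Technischeruser,dc=nausch,dc=org
bindpw PLACEHOLDER-BIND-PASSWORD
ssl no
tls_cacertdir /etc/openldap/cacerts
"""


def parse_keyword_conf(text: str) -> Dict[str, List[str]]:
    """Parse 'keyword value' lines as nslcd.conf and pam_ldap.conf use them.

    Lines starting with '#' are comments; a keyword may repeat (several uri
    lines, for instance), so every value is kept in file order.
    """
    options: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        options.setdefault(key.lower(), []).append(value.strip())
    return options


def audit_bind_credentials(path: str) -> List[str]:
    """Report how the technical user's bind credentials in a config file are stored and sent."""
    findings: List[str] = []
    with open(path, encoding="utf-8") as fh:
        opts = parse_keyword_conf(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if "bindpw" in opts:
        # nslcd.conf's own header asks for a permissions check once bindpw is set.
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"bindpw set but {os.path.basename(path)} is group/world readable (mode {mode:04o})")
        # 'ssl no' with a plain ldap:// URI means the simple bind carries the password in clear.
        ssl = opts.get("ssl", ["no"])[-1].lower()
        plain_uris = [u for u in opts.get("uri", []) if u.lower().startswith("ldap://")]
        if plain_uris and ssl not in ("on", "yes", "start_tls"):
            findings.append(f"bindpw sent by simple bind over {plain_uris[0]} without TLS (ssl {ssl})")
    elif "binddn" in opts:
        findings.append("binddn set without bindpw; the bind would be attempted without a password")
    return findings


def demo() -> Dict[str, List[str]]:
    """Write the constructed sample with two permission sets and audit both."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, mode in (("world-readable", 0o644), ("owner-only", 0o600)):
            path = os.path.join(tmp, f"nslcd.conf.{label}")
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(SAMPLE_NSLCD_CONF)
            os.chmod(path, mode)
            results[label] = audit_bind_credentials(path)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or ["no findings"])
```

Run against the real files, the check is the one-line equivalent of reading the two files by hand: the owner-only copy still leaves the transport finding, because **FORCELEGACY=yes** and **ssl no** above deliberately switch TLS off, so restricting the file mode only addresses the storage half of the problem.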
+ | ==== nsswitch.conf ==== | ||
+ | In der Konfigurationsdatei // | ||
+ | * **passwd: | ||
+ | * **shadow: | ||
+ | * **group: | ||
+ | |||
+ | * **netgroup: | ||
+ | |||
+ | * **automount: | ||
+ | |||
+ | Zur Bearbeitung der Konfigurationsdatei nutzen wir wie so oft immer unseren Editor der Wahl **vim**. | ||
+ | # vim / | ||
+ | <file bash / | ||
+ | # | ||
+ | # / | ||
+ | # | ||
+ | # An example Name Service Switch config file. This file should be | ||
+ | # sorted with the most-used services at the beginning. | ||
+ | # | ||
+ | # The entry ' | ||
+ | # entry should stop if the search in the previous entry turned | ||
+ | # up nothing. Note that if the search failed due to some other reason | ||
+ | # (like no NIS server responding) then the search continues with the | ||
+ | # next entry. | ||
+ | # | ||
+ | # Valid entries include: | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # To use db, put the " | ||
+ | # looked up first in the databases | ||
+ | # | ||
+ | # Example: | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # Django : 2011-10-28 LDAP Client Authentication | ||
+ | # default | ||
+ | # passwd: | ||
+ | # shadow: | ||
+ | # group: | ||
+ | passwd: | ||
+ | shadow: | ||
+ | group: | ||
+ | |||
+ | # | ||
+ | hosts: | ||
+ | |||
+ | # Example - obey only what nisplus tells us... | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | #rpc: nisplus [NOTFOUND=return] files | ||
+ | # | ||
+ | # | ||
+ | |||
+ | bootparams: nisplus [NOTFOUND=return] files | ||
+ | |||
+ | ethers: | ||
+ | netmasks: | ||
+ | networks: | ||
+ | protocols: | ||
+ | rpc: files | ||
+ | services: | ||
+ | |||
+ | # Django : 2011-10-28 LDAP Client Authentication | ||
+ | # default | ||
+ | # netgroup: | ||
+ | netgroup: | ||
+ | |||
+ | publickey: | ||
+ | |||
+ | # Django : 2011-10-28 LDAP Client Authentication | ||
+ | # default | ||
+ | # automount: | ||
+ | automount: | ||
+ | aliases: | ||
+ | </ | ||
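Review bot: the new `passwd:`, `shadow:` and `group:` values are cut off in this rendering, so the source order cannot be checked from the hunk; the text should state explicitly that `files` has to precede `ldap` on all three lines, otherwise root and local service accounts stop resolving whenever nslcd or the LDAP server is unreachable, and the same applies to the changed `netgroup:` and `automount:` entries.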
+ | |||
+ | ==== system-auth ==== | ||
+ | Durch den Aufruf des Programmes [[centos: | ||
+ | |||
+ | * **/ | ||
+ | * **/ | ||
+ | * **/ | ||
+ | * **/ | ||
+ | * **/ | ||
+ | |||
+ | Zur Bearbeitung der Konfigurationsdatei nutzen wir wie so oft immer unseren Editor der Wahl **vim**. | ||
+ | # vim / | ||
+ | <file bash / | ||
+ | #%PAM-1.0 | ||
+ | # This file is auto-generated. | ||
+ | # User changes will be destroyed the next time authconfig is run. | ||
+ | auth required | ||
+ | auth sufficient | ||
+ | auth required | ||
+ | |||
+ | account | ||
+ | account | ||
+ | account | ||
+ | account | ||
+ | account | ||
+ | |||
+ | password | ||
+ | |||
+ | session | ||
+ | session | ||
+ | session | ||
+ | session | ||
+ | session | ||
+ | session | ||
+ | </ | ||
+ | |||
+ | # vim / | ||
+ | <file bash / | ||
+ | #%PAM-1.0 | ||
+ | # This file is auto-generated. | ||
+ | # User changes will be destroyed the next time authconfig is run. | ||
+ | auth required | ||
+ | auth sufficient | ||
+ | auth requisite | ||
+ | auth sufficient | ||
+ | auth required | ||
+ | |||
+ | account | ||
+ | account | ||
+ | account | ||
+ | account | ||
+ | account | ||
+ | |||
+ | password | ||
+ | password | ||
+ | password | ||
+ | password | ||
+ | |||
+ | session | ||
+ | session | ||
+ | session | ||
+ | session | ||
+ | session | ||
+ | session | ||
+ | </ | ||
+ | |||
+ | # vim / | ||
+ | <file bash / | ||
+ | #%PAM-1.0 | ||
+ | # This file is auto-generated. | ||
+ | # User changes will be destroyed the next time authconfig is run. | ||
+ | auth required | ||
+ | auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only | ||
+ | auth required | ||
+ | |||
+ | account | ||
+ | account | ||
+ | account | ||
+ | account | ||
+ | account | ||
+ | |||
+ | password | ||
+ | |||
+ | session | ||
+ | session | ||
+ | session | ||
+ | session | ||
+ | session | ||
+ | session | ||
+ | </ | ||
+ | |||
+ | # vim / | ||
+ | <file bash / | ||
+ | #%PAM-1.0 | ||
+ | auth | ||
+ | account | ||
+ | </ | ||
+ | |||
+ | # vim / | ||
+ | <file bash / | ||
+ | #%PAM-1.0 | ||
+ | # This file is auto-generated. | ||
+ | # User changes will be destroyed the next time authconfig is run. | ||
+ | auth required | ||
+ | auth sufficient | ||
+ | auth sufficient | ||
+ | auth requisite | ||
+ | auth sufficient | ||
+ | auth required | ||
+ | |||
+ | account | ||
+ | account | ||
+ | account | ||
+ | account | ||
+ | account | ||
+ | |||
+ | password | ||
+ | password | ||
+ | password | ||
+ | password | ||
+ | |||
+ | session | ||
+ | session | ||
+ | session | ||
+ | session | ||
+ | session | ||
+ | session | ||
+ | </ | ||
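Review bot: every one of the five stacks carries the header `# This file is auto-generated.` / `# User changes will be destroyed the next time authconfig is run.`, yet each is introduced with a `# vim /...` call as if it were hand-edited. Document the authconfig invocation that generated them (the `--enableldap --enableldapauth ... --update` form) instead of the editor call, or state that the listings are only for verification, otherwise a later authconfig run silently reverts any manual change to the LDAP stack; also note that `smartcard-auth-ac` with `pam_pkcs11.so wait_for_card card_only` is only consulted when smartcard login is enabled and plays no part in this LDAP setup.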
+ | ==== automatischer Systemstart des nslc-Dämon ==== | ||
+ | Damit nun beim nächsten Start des Systems der notwendige **naming services LDAP client daemon** kurz **nslcd** mit gestartet wird, versetzen wir das Startscript in den Modus "// | ||
+ | # chkconfig nslcd on | ||
+ | Den Status überprüfen wir bei Bedarf mittels: | ||
+ | # chkconfig --list | grep nslcd | ||
+ | |||
+ | | ||
+ | |||
+ | Zum Abschluss unserer Konfiguration starten wir nun unseren CentOS 6 Client einmal durch. | ||
+ | # reboot | ||
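Review bot: `chkconfig nslcd on` only arms the next boot, and the `reboot` that follows hides whether the daemon actually came up with the new configuration; suggest `service nslcd start` followed by `service nslcd status` (and `chkconfig --list nslcd`) so a failure to bind with the technical user shows up immediately, keeping the reboot optional. The heading also reads "nslc-Dämon" where the daemon is `nslcd`.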
+ | ===== Test ===== | ||
+ | ==== LDAP Abfrage ==== | ||
+ | Zur Abfrage eines LDAP-Users können wir folgenden Aufruf verwenden: | ||
+ | $ ldapsearch -x -LLL -H ldap:// | ||
+ | <code bash> | ||
+ | dn: uid=django, | ||
+ | uid: django | ||
+ | cn: Django | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | userPassword:: | ||
+ | | ||
+ | shadowLastChange: | ||
+ | shadowMin: 0 | ||
+ | shadowMax: 99999 | ||
+ | shadowWarning: | ||
+ | loginShell: /bin/bash | ||
+ | uidNumber: 500 | ||
+ | gidNumber: 500 | ||
+ | homeDirectory: | ||
+ | gecos: Django | ||
+ | </ | ||
+ | |||
+ | |||
+ | LDAP-Abfrage mit dem User //Django// aber mit **falschem** Passwort: | ||
+ | $ ldapsearch -x -LLL -H ldap:// | ||
+ | |||
+ | < | ||
+ | ldap_bind: Invalid credentials (49)</ | ||
+ | |||
+ | LDAP-Abfrage mit dem User //Django// aber mit **richtigem** Passwort: | ||
+ | $ ldapsearch -x -LLL -H ldap:// | ||
+ | |||
+ | < | ||
+ | dn: uid=django, | ||
+ | uid: django | ||
+ | cn: Django | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | userPassword:: | ||
+ | | ||
+ | shadowLastChange: | ||
+ | shadowMin: 0 | ||
+ | shadowMax: 99999 | ||
+ | shadowWarning: | ||
+ | loginShell: /bin/bash | ||
+ | uidNumber: 500 | ||
+ | gidNumber: 500 | ||
+ | homeDirectory: | ||
+ | gecos: Django | ||
+ | |||
+ | </ | ||
+ | ==== Clienttest ==== | ||
+ | Die erfolgreiche Konfiguration unseres Rechners überprüfen wir so: | ||
+ | - Mit **getent** lassen wir uns die Informationen eines Users anzeigen, der sowohl in der /etc/shadow wie auch im zentralen LDAP-Verzeichnisdienst hinterlegt ist. Wenn alles gut gelaufen ist, werden uns zwei Einträge präsentiert. < | ||
+ | django: | ||
+ | django: | ||
+ | - Als nächstes wählen wir einen Nutzer der nur im LDAP-Verzeichnisdienst einen Account hat, nicht aber auf der lokalen Maschine. < | ||
+ | bigchief: | ||
+ | - Dann melden wir uns nun an unserem Client als ein Benutzer an, der lokal auf der Maschine nicht existiert, werden wir beim Login nach dem Passwort gefragt, welches gegen den zentralen OpenLDAP-Server verifiziert wird. Ist das Passwort richtig wird auch gleich das zugehörige Nutzer-Homeverzeichnis angelegt. < | ||
+ | Password: | ||
+ | Creating directory '/ | ||
+ | [bigchief@vml010008 ~]$ </ | ||
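Review bot: both successful searches return `userPassword::` next to the account attributes. For the query bound as Django that is his own entry, which the usual `by self write` rule permits, but the text should verify that the technical user nslcd binds with cannot read `userPassword` of other entries: pam_ldap authenticates by binding as the user, so the hash is never needed on the client, and the server ACL (`access to attrs=userPassword by self write by anonymous auth by * none`) should enforce that. The `ldap_bind: Invalid credentials (49)` result for the wrong password confirms the bind path is exercised; since the tests run over `ldap://` without `-ZZ`, add that the passwords entered here travel in the clear unless StartTLS is enabled.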
+ | |||
+ | {{ : | ||
+ | |||
+ | ====== Links ====== | ||
+ | * **[[centos: | ||
+ | * **[[wiki: | ||
+ | * **[[http:// | ||
+ | |||
+ | ~~DISCUSSION~~ | ||