[root@server1 ~]# cat /etc/resolv.conf
search localdomain ghost.com
nameserver 10.10.1.1
[root@server1 ~]#yum -y install nss-pam-ldapd openldap-clients telnet
通过nss-pam-ldapd验证需要配置以下几个文件,其中system-auth-ac和password-auth-ac修改是一样的。
[root@server1 ~]# cat /etc/nslcd.conf
uid nslcd
gid ldap
uri ldap://ad.ghost.com:389 #
base ou=GHOST,dc=ghost,dc=com #OU, DC一定要对应,管理组最好也建立在这个OU下
binddn cn=linux_ad,cn=users,dc=ghost,dc=com #cn,dn的信息可以通过AD中账号Aittribute Editor中distinguishedName的值进行查看。
bindpw linux_ad
scope group sub
scope hosts sub
bind_timelimit 3
timelimit 3
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer))(unixHomeDirectory=*))
map passwd homeDirectory unixHomeDirectory
filter shadow (&(objectClass=user)(!(objectClass=computer))(unixHomeDirectory=*))
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
scope sub
ssl off
tls_reqcert never
[root@server1 ~]# cat /etc/nsswitch.conf
passwd: files ldap #添加ldap验证方式
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
[root@server1 ~]# cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_ldap.so use_first_pass #添加ldap验证方式
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so #添加ldap验证方式
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok #添加ldap验证方式
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so #添加ldap验证方式
测试AD 389端口是否正常
[root@server1 ~]# telnet 10.10.1.1 389
Trying 10.10.1.1...
Connected to 10.10.1.1.
Escape character is '^]'.
启动nslcd服务
[root@server1 ~]# systemctl start nslcd
[root@server1 ~]# systemctl status nslcd
● nslcd.service - Naming services LDAP client daemon.
Loaded: loaded (/usr/lib/systemd/system/nslcd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2018-02-07 16:29:57 CST; 13s ago
Process: 6904 ExecStart=/usr/sbin/nslcd (code=exited, status=0/SUCCESS)
Main PID: 6905 (nslcd)
CGroup: /system.slice/nslcd.service
└─6905 /usr/sbin/nslcd
Feb 07 16:29:57 server1.ghost.com systemd[1]: Starting Naming services LDAP client daemon....
Feb 07 16:29:57 server1.ghost.com systemd[1]: PID file /var/run/nslcd/nslcd.pid not readable (yet?) after start.
Feb 07 16:29:57 server1.ghost.com nslcd[6905]: version 0.8.13 starting
Feb 07 16:29:57 server1.ghost.com nslcd[6905]: accepting connections
Feb 07 16:29:57 server1.ghost.com systemd[1]: Started Naming services LDAP client daemon..
Feb 07 16:30:06 server1.ghost.com systemd[1]: Started Naming services LDAP client daemon..
使用ldapsearch命令测试是否验证成功。
ldapsearch -h ad.ghost.com -b dc=ghost,dc=com -D cn=linux_ad,cn=users,dc=ghost,dc=com -W -p 389
查看linux系统中是否存在zhangsan
[root@server1 ~]# id zhangsan
uid=10001(zhangsan) gid=10000 groups=10000
到此Centos 通过AD账号验证已经成功啦!!!
CentOS 6相关配置
yum install nss-pam-ldapd -y
yum install pam_ldap -y
[root@server2 ~]vim /etc/nslcd.conf uid nslcd
gid ldap
base ou=Basers,dc=ad,dc=your_domain,dc=com
uri ldap://ad.your_domain.com:389/
binddn cn=linux_ad,cn=users,dc=ad,dc=your_domain,dc=com
bindpw linux_ad
scope group sub
scope hosts sub
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer))(unixHomeDirectory=*))
map passwd homeDirectory unixHomeDirectory
filter shadow (&(objectClass=user)(!(objectClass=computer))(unixHomeDirectory=*))
map shadow shadowLastChange pwdLastSet
filter group (&(objectClass=group)(gidNumber=*))
map group uniqueMember member
bind_timelimit 3
timelimit 3
scope sub
ssl no
tls_reqcert never
[root@server2 ~]vim /etc/nsswitch.conf
Replace passwd/shadow/group lines with:
passwd: files ldap [NOTFOUND=return UNAVAIL=return]
shadow: files ldap [NOTFOUND=return UNAVAIL=return]
group: files ldap [NOTFOUND=return UNAVAIL=return]
sudoers: files ldap [NOTFOUND=return UNAVAIL=return]
[root@server2 ~]cat /etc/pam.d/system-auth-ac and cat /etc/pam.d/password-auth-ac
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
[root@server2 ~]vim /etc/pam_ldap.conf
base ou=Basers,dc=ad,dc=your_domain,dc=com
binddn cn=linux_ad,cn=users,dc=ad,dc=your_domain,dc=com
bindpw linux_ad
uri ldap://ad.your_domain.com
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
网友评论