Author  Topic: [Notes] LDAP service implementation notes! (2)  (Read 70305 times)


kenduest (http://kenduest.sayya.org)
« Reply #30 on: 2006-07-30 02:30 »
Quote from: "leiw"
I read 鳥哥's ssh article; the sshd_config there has #UserLogin no, but my CentOS 4.2 doesn't have this. I tried adding it, but then it can't restart...
Thanks


1. It's UseLogin; there is no UserLogin.

2. Basically, I don't see what your original problem has to do with the UseLogin setting?


leiw
« Reply #31 on: 2006-07-31 15:13 »
Thanks kenduest.

So CentOS can't use useradd to add users into LDAP? Right?

EvenChen
« Reply #32 on: 2007-07-25 00:26 »
Can LDAP replace local authentication?
Otherwise how do you set 127.0.0.1?
Authentication happens before LDAP has even started, doesn't it?

日京三子 (http://www.24online.cjb.net)
« Reply #33 on: 2007-07-25 08:27 »
Quote from: "EvenChen"
Can LDAP replace local authentication?

Quote from: "EvenChen"
Otherwise how do you set 127.0.0.1?
In some environments, yes.
Quote from: "EvenChen"
Authentication happens before LDAP has even started, doesn't it?
Of course, you have to make sure the "service" has already been started.

tonyvan123
« Reply #34 on: 2008-11-17 16:54 »
Fedora Core 9 + Postfix (including the aliases setup)
OpenLDAP on Fedora Core 9
# postfix and sshd
1. PAM settings
1.1 system-auth
  #%PAM-1.0
  auth required pam_env.so
  auth sufficient pam_unix.so nullok try_first_pass
  auth requisite pam_succeed_if.so uid >= 500 quiet
  auth sufficient pam_ldap.so use_first_pass
  auth required pam_deny.so
 
  account required pam_unix.so broken_shadow
  account sufficient pam_localuser.so
  account sufficient pam_succeed_if.so uid < 500 quiet
  account [default=bad success=ok user_unknown=ignore] pam_ldap.so
  account required pam_permit.so
  password requisite pam_cracklib.so try_first_pass retry=3
  password sufficient pam_unix.so sha512 nullok try_first_pass use_authtok
  password sufficient pam_ldap.so use_authtok
  password required pam_deny.so
 
  session optional pam_keyinit.so revoke
  session required pam_limits.so
  session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
  session required pam_unix.so
  session optional pam_ldap.so
1.2 smtp
  #%PAM-1.0
  auth required pam_env.so
  auth sufficient pam_ldap.so use_first_pass
  auth sufficient pam_unix.so nullok try_first_pass
  auth required pam_deny.so
 
  account sufficient pam_ldap.so
  account sufficient pam_localuser.so
  account sufficient pam_succeed_if.so uid > 100 quiet_success
  account required pam_unix.so broken_shadow
 
  password sufficient pam_ldap.so
  password sufficient pam_unix.so sha512 nullok try_first_pass use_authtok
  password requisite pam_cracklib.so try_first_pass retry=3
  password required pam_deny.so
 
  session optional pam_keyinit.so revoke
  session optional pam_ldap.so
  session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
  session required pam_limits.so
  session required pam_unix.so

1.3 dovecot
  #%PAM-1.0
  auth required pam_nologin.so
  auth include system-auth
  account include system-auth
  session include system-auth
1.4 smtp.postfix
  #%PAM-1.0
  auth include system-auth
  account include system-auth
1.5 /etc/pam.d/sshd
  #%PAM-1.0
  # LDAP-only stack with no system-auth fallback: local accounts (root included)
  # cannot authenticate to sshd with a password, and sshd password logins stop
  # entirely while slapd is unreachable
  auth required pam_ldap.so
  account required pam_ldap.so
  password required pam_cracklib.so
  password sufficient pam_ldap.so
  session required pam_ldap.so

2. slapd.conf
  include /etc/openldap/schema/corba.schema
  include /etc/openldap/schema/core.schema
  include /etc/openldap/schema/cosine.schema
  include /etc/openldap/schema/duaconf.schema
  include /etc/openldap/schema/dyngroup.schema
  include /etc/openldap/schema/inetorgperson.schema
  include /etc/openldap/schema/java.schema
  include /etc/openldap/schema/misc.schema
  include /etc/openldap/schema/nis.schema
  include /etc/openldap/schema/openldap.schema
  include /etc/openldap/schema/ppolicy.schema
  include /etc/openldap/schema/collective.schema
  include /etc/openldap/schema/postfix.schema
  allow bind_v2
  loglevel 296
  pidfile /var/run/openldap/slapd.pid
  argsfile /var/run/openldap/slapd.args
  security ssf=1 update_ssf=112 simple_bind=64
  database bdb
  suffix "dc=your-domain,dc=idv,dc=tw"
  rootdn "uid=root,ou=People,dc=your-domain,dc=idv,dc=tw"
  # put the hash printed by slappasswd here rather than a cleartext password
  rootpw secret
  directory /var/lib/ldap
  index objectClass eq,pres
  index ou,cn,mail,surname,givenname eq,pres,sub
  index uidNumber,gidNumber,loginShell eq,pres
  index uid,memberUid eq,pres,sub
  index nisMapName,nisMapEntry eq,pres,sub
  # access directives belong to the database section they appear in; this block
  # must come before "database monitor", otherwise it applies to the monitor
  # backend and userPassword in the bdb database falls back to the default
  # (readable by anyone)
  access to attrs=userPassword
  by self write
  by dn="uid=dovecot,ou=People,dc=your-domain,dc=idv,dc=tw" read
  by dn="uid=root,ou=People,dc=your-domain,dc=idv,dc=tw" write
  by * auth
  database monitor

2.1 dovecot.conf
  base_dir = /var/run/dovecot/
  protocols = pop3
  shutdown_clients = yes
  syslog_facility = mail
  # with SSL off and mechanisms = plain below, POP3 passwords cross the wire in the clear
  ssl_disable = yes

  mail_location = mbox:/var/mail/%u
  client_workarounds = oe6-fetch-no-newmail outlook-idle
  protocol imap {
  listen = *:143
  }
  protocol pop3 {
  }
  auth default {
  mechanisms = plain
  passdb ldap {
  args = /etc/dovecot-ldap.conf
  }
 
  userdb ldap {
  args = /etc/dovecot-ldap.conf
  }
  user = root
  }
 
  listen = *
  ssl_listen =

2.2 dovecot-ldap.conf
  auth_bind = yes
  hosts = dns.your-domain.idv.tw
  # slapd's "security simple_bind=64" above refuses a password bind over cleartext
  # port 389; enable TLS here (tls = yes) and on slapd for auth_bind to succeed
  # the user entries live under ou=People, so the bind DN template needs it too
  auth_bind_userdn = uid=%u,ou=People,dc=your-domain,dc=idv,dc=tw
  ldap_version = 3
  base = dc=your-domain, dc=idv, dc=tw
  scope = subtree
  mail_location = mbox:~/mail:INBOX=/var/mail/%u
  user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
  pass_attrs = uid=user,userPassword=password
  user_filter = (&(objectClass=posixAccount)(uid=%u))
  default_pass_scheme = LDAP-MD5
  user_global_uid = dovecot
  user_global_gid = mail

3. Postfix settings
3.1 main.cf
  queue_directory = /var/spool/postfix
  command_directory = /usr/sbin
  daemon_directory = /usr/libexec/postfix
  data_directory = /var/lib/postfix
  address_verify_map = hash:/var/lib/postfix/verify
  mail_spool_directory = /var/mail
  mail_owner = postfix
  # "mailbox" is not a Postfix parameter; Postfix logs it as an unused parameter
  mailbox=/var/mail
  myhostname = ms1.your-domain.idv.tw
  mydomain = your-domain.idv.tw
  myorigin = $mydomain
  inet_interfaces = all
  mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
  local_recipient_maps = unix:passwd.byname $alias_maps
  unknown_local_recipient_reject_code = 550
 
  alias_maps = hash:/etc/postfix/aliases, ldap:/etc/postfix/ldap-aliases.cf
 
  debug_peer_level = 2
  debugger_command =
  PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
  ddd $daemon_directory/$process_name $process_id & sleep 5
  sendmail_path = /usr/sbin/sendmail.postfix
  setgid_group = postdrop
  html_directory = no
  manpage_directory = /usr/share/man
  sample_directory = /usr/share/doc/postfix-2.5.1/samples
  header_checks = regexp:/etc/postfix/header_checks
  body_checks = regexp:/etc/postfix/body_checks
  inet_protocols = all
  broken_sasl_auth_clients = yes
  smtpd_sasl_local_domain = ' '
  smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_unknown_reverse_client_hostname
  smtpd_client_restrictions = permit_sasl_authenticated
  smtpd_sender_restrictions = reject_rhsbl_sender dsn.rfc-ignorant.org
3.2 ldap-aliases.cf
  server_host = dns.your-domain.idv.tw
  search_base = dc=your-domain,dc=idv,dc=tw
  server_port = 389
  # an LDAP search filter is parenthesised
  query_filter = (mail=%s)
  result_format = %s
  result_attribute = mailacceptinggeneralid
  scope = sub
  bind = no

4. LDIF format
4.1 base.ldif
  dn: dc=your-domain,dc=idv,dc=tw
  objectClass: top
  objectClass: domain
  dc: your-domain
4.2 container.ldif
  dn: ou=People,dc=your-domain,dc=idv,dc=tw
  objectClass: top
  objectClass: organizationalUnit
  ou: People

  dn: ou=Group,dc=your-domain,dc=idv,dc=tw
  objectClass: top
  objectClass: organizationalUnit
  ou: Group

  dn: ou=Friend,dc=your-domain,dc=idv,dc=tw
  objectClass: top
  objectClass: organizationalUnit
  ou: Friend
 
  dn: ou=guest,dc=your-domain,dc=idv,dc=tw
  objectClass: top
  objectClass: organizationalUnit
  ou: guest
 
  dn: ou=Admin,dc=your-domain,dc=idv,dc=tw
  objectClass: top
  objectClass: organizationalUnit
  ou: Admin

4.3 user.ldif
  dn: uid=tonyvan,ou=People,dc=your-domain,dc=idv,dc=tw
  uid: tonyvan
  cn: tonyvan
  sn: tonyvan
  objectClass: person
  objectClass: inetOrgPerson
  objectClass: posixAccount
  objectClass: top
  objectClass: shadowAccount
  # placeholder value; use the hash printed by slappasswd
  userPassword: {crypt}12345.
  shadowLastChange: 14073
  shadowMax: 99999
  shadowWarning: 7
  loginShell: /bin/bash
  uidNumber: 501
  gidNumber: 100
  homeDirectory: /home/tonyvan
  mail: tonyvan@your-domain.idv.tw
4.4 group.ldif
  dn: cn=wheel,ou=Group,dc=your-domain,dc=idv,dc=tw
  objectClass: posixGroup
  objectClass: top
  cn: wheel
  userPassword: {crypt}87
  gidNumber: 10
  memberUid: j3p4.k9
  memberUid: root
4.5 mail aliases base ldif
4.5.1 aliases.base.ldif
  dn: ou=Aliases,dc=your-domain,dc=idv,dc=tw
  ou: Aliases
  objectClass: inetLocalMailRecipient
  objectClass: organizationalUnit
  objectClass: top
4.5.2 aliases.supervisior.ldif
  dn: cn=supervisior,ou=Aliases,dc=your-domain,dc=idv,dc=tw
  cn: supervisior
  sn: supervisior
  objectClass: inetOrgPerson
  objectClass: organizationalPerson
  mail: supervisior
  mailacceptinggeneralid: tonyvan@your-domain.idv.tw
  mailacceptinggeneralid: j3p4.k9@your-domain.idv.tw
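
A worked check of the PAM stacks in the post above, added here as an example and not code from the original post: it walks the auth lines of the 1.1 system-auth and 1.5 sshd files the way Linux-PAM's dispatcher does, against a constructed root (local account, uid 0) and a constructed tonyvan (LDAP only, uid 501) with made-up passwords. It shows what the two stacks actually decide: in system-auth the requisite pam_succeed_if uid >= 500 stops system accounts before pam_ldap is consulted, so a wrong root password never reaches the directory; in the LDAP-only sshd file root cannot log in with a password at all, and an unreachable slapd locks every user out. The keyword-to-action table and the dispatcher loop follow Linux-PAM, simplified to what these stacks use; the module results are simulated, not real PAM calls.

```python
"""Walk the PAM auth stacks from the post the way Linux-PAM's dispatcher does.

Added example, not from the original post. SYSTEM_AUTH and SSHD are the auth
lines of the post's 1.1 and 1.5 files; LOCAL_USERS, LDAP_USERS and the
passwords are constructed assumptions. Only the four control keywords, the
bracket form with ok/done/bad/die/ignore and integer jumps, and the modules
these two stacks use are modelled.
"""
import re

SYSTEM_AUTH = """
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""

SSHD = """
auth required pam_ldap.so
"""

# Linux-PAM expands each keyword to these bracket actions.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

LOCAL_USERS = {"root": {"uid": 0, "password": "toor"}}        # constructed /etc/shadow
LDAP_USERS = {"tonyvan": {"uid": 501, "password": "hunter2"}}  # constructed posixAccount


def parse_stack(text, stack_type="auth"):
    """Return [(actions, module, args)] for the lines of one management group."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        typ, control, module, args = re.match(
            r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)", line).groups()
        if typ != stack_type:
            continue
        if control.startswith("["):
            actions = dict(tok.split("=") for tok in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        rules.append((actions, module, args.split()))
    return rules


def make_resolver(user, password, ldap_up=True):
    """Return a function that yields each module's result for one login attempt."""
    def uid_of(u):  # what NSS (files, then ldap) would report
        rec = LOCAL_USERS.get(u) or (LDAP_USERS.get(u) if ldap_up else None)
        return rec["uid"] if rec else None

    def result(module, args):
        if module in ("pam_env.so", "pam_permit.so"):
            return "success"
        if module == "pam_deny.so":
            return "auth_err"
        if module in ("pam_unix.so", "pam_ldap.so"):
            if module == "pam_ldap.so" and not ldap_up:
                return "authinfo_unavail"
            rec = (LOCAL_USERS if module == "pam_unix.so" else LDAP_USERS).get(user)
            if rec is None:
                return "user_unknown"
            return "success" if rec["password"] == password else "auth_err"
        if module == "pam_succeed_if.so" and args[0] == "uid":
            uid, op, bound = uid_of(user), args[1], int(args[2])
            if uid is None:
                return "user_unknown"
            ok = {"<": uid < bound, ">": uid > bound,
                  ">=": uid >= bound, "<=": uid <= bound}[op]
            return "success" if ok else "auth_err"
        raise ValueError("module not modelled: %s %s" % (module, " ".join(args)))
    return result


def run_stack(rules, result_of):
    """Simplified pam_dispatch: track the stack's impression and final status."""
    impression, status = None, "success"  # None = undefined, True/False = positive/negative
    i = 0
    while i < len(rules):
        actions, module, args = rules[i]
        retval = result_of(module, args)
        action = actions.get(retval, actions.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None or (impression and status == "success"):
                impression, status = True, retval
            if impression and action == "done":
                break                        # sufficient success ends the stack
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval  # first failure sets the stack's code
            if action == "die":
                break                        # requisite failure ends the stack
        else:                                # integer jump: skip N rules
            if impression is None:
                impression, status = True, "success"
            i += int(action)
    return status if impression is not None else "perm_denied"


def authenticate(stack_text, user, password, ldap_up=True):
    """Outcome of one password login through the given auth stack."""
    return run_stack(parse_stack(stack_text), make_resolver(user, password, ldap_up))
```

Call authenticate(SYSTEM_AUTH, "root", "wrong") and trace it: pam_unix fails quietly (sufficient), then the requisite uid >= 500 test fails and dies, so the stack returns auth_err without touching pam_ldap. The same root with the sshd file gets user_unknown whatever the password, which is the trade-off the 1.5 file makes.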
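
An added example for the LDIF and ldap-aliases.cf sections of the post above (not code from the original post): a small checker that reads the entries, flags entries missing a MUST attribute of their object classes, flags userPassword values that are cleartext or carry a {crypt} prefix without a crypt(3)-shaped hash (the post's 12345. placeholder is one), resolves an alias the way the post's query_filter/result_attribute pair would, and generates and verifies {SSHA} values in the layout slappasswd produces. The LDIF is copied from the post's user.ldif and aliases.supervisior.ldif with the shadow attributes dropped; the uid=guest entry is constructed so the checks have something to report.

```python
"""Lint the post's LDIF before ldapadd and resolve a Postfix alias from it.

Added example, not from the original post. LDIF copies the post's entries
(shadow attributes dropped) plus one constructed uid=guest entry. MUST lists
come from nis.schema (RFC 2307) and core.schema; {SSHA} is
base64(sha1(password + salt) + salt), as slappasswd emits it.
"""
import base64, hashlib, os, re

LDIF = """\
dn: uid=tonyvan,ou=People,dc=your-domain,dc=idv,dc=tw
uid: tonyvan
cn: tonyvan
sn: tonyvan
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {crypt}12345.
uidNumber: 501
gidNumber: 100
homeDirectory: /home/tonyvan
mail: tonyvan@your-domain.idv.tw

dn: cn=supervisior,ou=Aliases,dc=your-domain,dc=idv,dc=tw
cn: supervisior
sn: supervisior
objectClass: inetOrgPerson
objectClass: organizationalPerson
mail: supervisior
mailacceptinggeneralid: tonyvan@your-domain.idv.tw
mailacceptinggeneralid: j3p4.k9@your-domain.idv.tw

dn: uid=guest,ou=guest,dc=your-domain,dc=idv,dc=tw
uid: guest
cn: guest
objectClass: posixAccount
objectClass: top
userPassword: letmein
uidNumber: 502
homeDirectory: /home/guest
"""

# attributes each object class requires (lower-cased, as LDAP compares them)
MUST = {
    "posixaccount": ["cn", "uid", "uidnumber", "gidnumber", "homedirectory"],
    "posixgroup": ["cn", "gidnumber"],
    "person": ["sn", "cn"],
    "inetorgperson": ["sn", "cn"],
}


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, no folding or base64."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def lint(entries):
    """Report missing MUST attributes and unhashed or malformed passwords."""
    problems = []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        for oc in (c.lower() for c in e.get("objectclass", [])):
            for attr in MUST.get(oc, []):
                if attr not in e:
                    problems.append("%s: %s requires %s" % (dn, oc, attr))
        for pw in e.get("userpassword", []):
            m = re.match(r"\{(\w+)\}(.*)", pw)
            if not m:
                problems.append("%s: userPassword is cleartext" % dn)
            elif m.group(1).lower() == "crypt" and not (
                    len(m.group(2)) == 13 or m.group(2).startswith("$")):
                # traditional crypt(3) output is 13 chars; modular formats start with '$'
                problems.append("%s: {crypt} value is not a crypt(3) hash" % dn)
    return problems


def resolve_alias(entries, local_part):
    """What the post's ldap-aliases.cf returns for one alias_maps lookup:
    query_filter (mail=%s) over the subtree, result_attribute mailacceptinggeneralid."""
    return [addr for e in entries
            if local_part.lower() in [v.lower() for v in e.get("mail", [])]
            for addr in e.get("mailacceptinggeneralid", [])]


def ssha(password, salt=None):
    """Produce a {SSHA} value like slappasswd -h {SSHA} (4-byte random salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored, password):
    """Verify a password against a {SSHA} value: digest is the first 20 bytes, salt the rest."""
    scheme, _, data = stored.partition("}")
    if scheme.upper() != "{SSHA":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(data)
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]
```

Run lint(parse_ldif(open("user.ldif").read())) before ldapadd; anything it reports is either rejected by slapd (a missing MUST attribute) or a credential that will never or always match. Replace the placeholder {crypt} values with ssha() output, which is the same format slappasswd -h {SSHA} prints.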