This page shows the differences between two versions of the page.
lpi2:ldap-user [2022/09/02 07:46] ingo_wichmann [Create user]
lpi2:ldap-user [2022/09/16 08:35]

Line 1: | Line 1: | ||
- | ====== OpenLDAP als Login-Server ====== | ||
- | ===== Minimalkonfiguration für nss/pam/sssd ===== | ||
- | Der OpenLDAP Server ''slapd'' muß wie in [[ldap]] gezeigt vorkonfiguriert sein. Darüber hinaus sind folgende Einstellungen notwendig: | ||
- | |||
- | ==== Entscheidung: rfc2307 oder rfc2307bis-01 ? ==== | ||
- | |||
- | * [[http://tools.ietf.org/html/draft-howard-rfc2307bis-01|rfc2307bis-01]] (expired: 20.08.2005){{:rfc2307bis-draft01.ldif|LDIF}} | ||
- | * [[http://tools.ietf.org/html/draft-howard-rfc2307bis-02|rfc2307bis-02]] (expired: 10.02.2010) | ||
- | |||
- | * openSuSE: default ist rfc2307bis | ||
- | * debian: default ist rfc2307, alternativ rfc2307bis.schema z.B. aus dem Paket ''fusiondirectory'' | ||
- | * ceontos: default ist rfc2307 | ||
- | |||
- | -> [[ldap-schema|Schema-Änderung]] nötig? | ||
- | ==== Variante slapd.conf ==== | ||
- | Debian: | ||
- | <file txt /etc/ldap/slapd.conf> | ||
- | … | ||
- | include /etc/ldap/schema/nis.schema | ||
- | include /etc/ldap/schema/inetorgperson.schema | ||
- | … | ||
- | </file> | ||
- | |||
- | CentOS: | ||
- | <file txt /etc/openldap/slapd.conf> | ||
- | … | ||
- | include /etc/openldap/schema/nis.schema | ||
- | include /etc/openldap/schema/inetorgperson.schema | ||
- | … | ||
- | </file> | ||
- | |||
- | openSuSE: | ||
- | <file txt /etc/openldap/slapd.conf> | ||
- | … | ||
- | include /etc/openldap/schema/inetorgperson.schema | ||
- | include /etc/openldap/schema/rfc2307bis.schema | ||
- | include /etc/openldap/schema/yast.schema | ||
- | … | ||
- | </file> | ||
- | |||
- | ==== Variante slapd.d/ ==== | ||
- | ldapsearch -b cn=schema,cn=config -LLL dn | ||
- | <file> | ||
- | … | ||
- | dn: cn={0}core,cn=schema,cn=config | ||
- | dn: cn={1}cosine,cn=schema,cn=config | ||
- | dn: cn={2}nis,cn=schema,cn=config | ||
- | dn: cn={3}inetorgperson,cn=schema,cn=config | ||
- | … | ||
- | </file> | ||
- | |||
- | |||
- | |||
- | |||
- | ===== OrganizationalUnits anlegen ===== | ||
- | OrganizationalUnits "people" und "groups" für Benutzer und Gruppen im LDAP-Baum anlegen: (( Die Kursschreibweise ''ldapadd -x -W'' ohne Angabe des Admin-Kontos funktioniert nur, wenn vorher eine [[ldap-client|Client-Konfigurationsdatei]] ''.ldaprc'' oder ''ldap.conf'' angelegt wurde )) | ||
- | <code bash> | ||
- | DOMAIN="dc=linuxhotel,dc=de" | ||
- | ldapadd -x -W <<LDIF | ||
- | </code> | ||
- | <file> | ||
- | dn: ou=people,$DOMAIN | ||
- | objectClass: top | ||
- | objectClass: organizationalUnit | ||
- | ou: people | ||
- | |||
- | dn: ou=groups,$DOMAIN | ||
- | objectclass: top | ||
- | objectclass: organizationalUnit | ||
- | ou: groups | ||
- | </file> | ||
- | <code bash>LDIF</code> | ||
- | |||
- | ===== Gruppe anlegen ===== | ||
- | <code bash> | ||
- | DOMAIN="dc=linuxhotel,dc=de" | ||
- | ldapadd -x -W <<LDIF | ||
- | </code> | ||
- | |||
- | rfc2307 / Debian, RedHat: | ||
- | <file> | ||
- | dn: cn=ldapusers,ou=groups,$DOMAIN | ||
- | objectClass: top | ||
- | objectClass: posixGroup | ||
- | gidNumber: 10000 | ||
- | cn: ldapusers | ||
- | </file> | ||
- | |||
- | rfc2307bis / SuSE: | ||
- | <file> | ||
- | dn: cn=ldapusers,ou=groups,$DOMAIN | ||
- | objectClass: top | ||
- | objectClass: groupOfNames | ||
- | objectClass: posixGroup | ||
- | memberUid: nutzer | ||
- | member: uid=nutzer,ou=people,$DOMAIN | ||
- | gidNumber: 10000 | ||
- | cn: ldapusers | ||
- | </file> | ||
- | <code bash>LDIF</code> | ||
- | |||
- | ===== Benutzer anlegen ===== | ||
- | <code bash> | ||
- | DOMAIN="dc=linuxhotel,dc=de" | ||
- | USERNAME=nutzer | ||
- | UIDNUMBER=10023 | ||
- | </code> | ||
- | tee user.ldif <<LDIF | ||
- | <code bash> | ||
- | dn: uid=$USERNAME,ou=people,$DOMAIN | ||
- | objectClass: top | ||
- | objectClass: posixAccount | ||
- | objectClass: account | ||
- | cn: mein nutzer | ||
- | uid: $USERNAME | ||
- | uidNumber: $UIDNUMBER | ||
- | gidNumber: 10000 | ||
- | homeDirectory: /home/$USERNAME | ||
- | loginShell: /bin/bash | ||
- | </code> | ||
- | <code bash>LDIF</code> | ||
- | ldapadd -x -W -f user.ldif | ||
- | ldappasswd -x -W -S "uid=$USERNAME,ou=people,$DOMAIN" | ||
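Review bot: this hunk removes every line of the page and the right-hand side (revision 2022/09/16 08:35) stays empty, so the OpenLDAP login-server instructions (schema choice, organizationalUnit, group and user creation, password setting) disappear without any pointer to a replacement; if the content moved to another page, the new revision should at least keep a link to it, and if the deletion is accidental the old text should be restored. If it is restored, two small defects visible in the removed lines are worth fixing on the way back: "ceontos" in the distribution list should read "centos", and in the "Benutzer anlegen" section the line `tee user.ldif <<LDIF` sits outside the `<code bash>` block while the LDIF body sits inside one, which is the reverse of the `<code bash>` / `<file>` convention the two preceding sections use for the command and its LDIF input.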