Autentisering via LDAP och Kerberos i CentOS 7: Difference between revisions
Jump to navigation
Jump to search
m →SSSD |
mNo edit summary |
||
| (31 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
Denna guide | __NOTOC__ | ||
Denna guide visar hur man sätter upp autentisering via LDAP/Kerberos i CentOS 7. Vi kommer använda SSSD och i guiden heter Kerberos realm EXAMPLE.COM och servern med Kerberos och LDAP heter ns.example.com. Klienten vi sätter upp heter client.example.com. | |||
__TOC__ | |||
=== Kerberos === | |||
Installera följande: | Installera följande: | ||
{{RootCmd| | {{RootCmd|yum install krb5-workstation sssd}} | ||
Spara undan befintlig settings: | Spara undan befintlig settings: | ||
{{RootCmd|<nowiki>authconfig --savebackup=original</nowiki>}} | {{RootCmd|<nowiki>authconfig --savebackup=original</nowiki>}} | ||
Enable:a autentisering via Kerberos: | |||
{{RootCmd|<nowiki>authconfig --krb5kdc=ns.example.com --krb5adminserver=ns.example.com --krb5realm=EXAMPLE.COM --update</nowiki>}} | |||
Testa att du kan skaffa en Kerberos ticket. | |||
{{RootCmd| | Skapa en keytab fil för klienten. Logga in mot din KDC med admin-konto som har rättighet att skapa Kerberos principals: | ||
{{RootCmd|kadmin -p kadmin/admin}} | |||
Kör kadmin kommandot: | |||
{{bc|kadmin: addprinc -randkey host/client.example.com@EXAMPLE.COM}} | |||
Spara sen nycklarna i filen /etc/krb5.keytab: | |||
{{bc|kadmin: ktadd -k /etc/krb5.keytab host/client.example.com@EXAMPLE.COM}} | |||
Logga ut från kadmin. | |||
=== SSSD === | |||
Editera filen /etc/sssd/sssd.conf: | |||
{{bc|1= | {{bc|1= | ||
[sssd] | [sssd] | ||
config_file_version = 2 | config_file_version = 2 | ||
services = nss | services = nss, pam | ||
domains = LOCAL, | domains = LOCAL, EXAMPLE.COM | ||
[nss] | [nss] | ||
| Line 36: | Line 37: | ||
entry_cache_timeout = 300 | entry_cache_timeout = 300 | ||
entry_cache_nowait_percentage = 75 | entry_cache_nowait_percentage = 75 | ||
[pam] | |||
reconnection_retries = 3 | |||
[domain/LOCAL] | [domain/LOCAL] | ||
| Line 42: | Line 46: | ||
access_provider = permit | access_provider = permit | ||
[domain/ | [domain/EXAMPLE.COM] | ||
debug_level = 0 | |||
enumerate = false | |||
min_id = 5000 | |||
cache_credentials = true | cache_credentials = true | ||
id_provider = ldap | |||
auth_provider = krb5 | |||
chpass_provider = krb5 | |||
access_provider = simple | access_provider = simple | ||
sudo_provider = none | |||
ldap_uri = ldap://ns.example.com | ldap_uri = ldap://ns.example.com | ||
ldap_search_base = dc=example,dc=com | ldap_search_base = dc=example,dc=com | ||
| Line 58: | Line 63: | ||
ldap_tls_cacert = /etc/openldap/cacerts/example.com-ca.crt | ldap_tls_cacert = /etc/openldap/cacerts/example.com-ca.crt | ||
krb5_realm = EXAMPLE.COM | |||
krb5_server = ns.example.com | |||
krb5_kpasswd = ns.example.com | |||
}} | }} | ||
| Line 66: | Line 73: | ||
{{RootCmd|cacertdir_rehash /etc/openldap/cacerts}} | {{RootCmd|cacertdir_rehash /etc/openldap/cacerts}} | ||
Starta sssd: | |||
{{RootCmd|authconfig --enablesssd --update}} | {{RootCmd|systemctl enable sssd | ||
|systemctl start sssd}} | |||
Enable:a användarinformation via SSSD: | |||
{{RootCmd|authconfig --enablesssd --enablesssdauth --update}} | |||
Kontrollera med: | |||
{{RootCmd|getent passwd <user> | |||
|getent group <group> | |||
}} | |||
== LDAP == | |||
Installera: | |||
{{RootCmd|yum install openldap-client}} | |||
{{RootCmd|<nowiki>authconfig --ldapserver=ns.example.com --ldapbasedn="dc=example,dc=com" --enableldapstarttls --update</nowiki>}} | |||
Kontrollera med: | Kontrollera med: | ||
{{RootCmd| | {{RootCmd|kinit anna | ||
| | |ldapwhoami | ||
|kdestroy | |||
|<nowiki>ldapwhoami -D uid=anna,ou=people,dc=example,dc=com -W</nowiki>}} | |||
[[Category: | [[Category:GammalGuide]] | ||
Latest revision as of 12:59, 12 August 2023
Denna guide visar hur man sätter upp autentisering via LDAP/Kerberos i CentOS 7. Vi kommer använda SSSD och i guiden heter Kerberos realm EXAMPLE.COM och servern med Kerberos och LDAP heter ns.example.com. Klienten vi sätter upp heter client.example.com.
Kerberos
Installera följande:
Spara undan befintlig settings:
Enable:a autentisering via Kerberos:
Testa att du kan skaffa en Kerberos ticket.
Skapa en keytab fil för klienten. Logga in mot din KDC med admin-konto som har rättighet att skapa Kerberos principals:
Kör kadmin kommandot:
kadmin: addprinc -randkey host/client.example.com@EXAMPLE.COM
Spara sen nycklarna i filen /etc/krb5.keytab:
kadmin: ktadd -k /etc/krb5.keytab host/client.example.com@EXAMPLE.COM
Logga ut från kadmin.
SSSD
Editera filen /etc/sssd/sssd.conf:
[sssd] config_file_version = 2 services = nss, pam domains = LOCAL, EXAMPLE.COM [nss] filter_groups = root filter_users = root reconnection_retries = 3 entry_cache_timeout = 300 entry_cache_nowait_percentage = 75 [pam] reconnection_retries = 3 [domain/LOCAL] id_provider = local auth_provider = local access_provider = permit [domain/EXAMPLE.COM] debug_level = 0 enumerate = false min_id = 5000 cache_credentials = true id_provider = ldap auth_provider = krb5 chpass_provider = krb5 access_provider = simple sudo_provider = none ldap_uri = ldap://ns.example.com ldap_search_base = dc=example,dc=com ldap_id_use_start_tls = true ldap_tls_cacert = /etc/openldap/cacerts/example.com-ca.crt krb5_realm = EXAMPLE.COM krb5_server = ns.example.com krb5_kpasswd = ns.example.com
Kopiera ditt CA certifikat till filen /etc/openldap/cacerts/example.com-ca.crt, kör sedan kommandot:
Starta sssd:
Enable:a användarinformation via SSSD:
Kontrollera med:
LDAP
Installera:
Kontrollera med: