Autentisering via LDAP och Kerberos i CentOS 7: Difference between revisions

From Peters wiki
Jump to navigation Jump to search
← Older editNewer edit →
mNo edit summary
mNo edit summary
Line 23: Line 23:


{{RootCmd|yum install sssd openldap-clients}}
{{RootCmd|yum install sssd openldap-clients}}
Edit /etc/sssd/sssd.conf:
{{bc|1=
[sssd]
config_file_version = 2
services = nss
domains = LOCAL, example.com
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
[domain/LOCAL]
id_provider = local
auth_provider = local
access_provider = permit
[domain/kerwien.se]
enumerate = true
auth_provider = krb5
krb5_server = ns.example.com
krb5_realm = EXAMPLE.COM
cache_credentials = true
access_provider = simple
chpass_provider = krb5
id_provider = ldap
ldap_uri = ldap://ns.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/openldap/cacerts/example.com-ca.crt
sudo_provider = none
}}


[[Category:Guide]]
[[Category:Guide]]

Revision as of 20:01, 24 October 2015

Denna guide är under utveckling.

Installera följande:

root # yum install krb5-workstation pam_krb5 nss-pam-ldapd

Spara undan befintlig settings:

root # authconfig --savebackup=original

Kopiera CA cert till /etc/openldap/cacerts.

root # authconfig --enableldap --ldapserver="ldap://ns1.kerwien.se/" --ldapbasedn="dc=kerwien,dc=se" --enableldapstarttls --enablekrb5 --krb5kdc="ns1.kerwien.se" --krb5adminserver="ns1.kerwien.se" --krb5realm="KERWIEN.SE" --enablecache --update

Om certifikatet adderas till cacerts mappen efter authconfig kommandot måste följande kommandon köras:

root # cacertdir_rehash /etc/openldap/cacerts
root # systemctl restart nslcd

SSSD

Installera följande:

root # yum install krb5-workstation pam_krb5
root # authconfig --enablekrb5 --krb5kdc="ns1.kerwien.se" --krb5adminserver="ns1.kerwien.se" --krb5realm="KERWIEN.SE" --update

Testa att du kan skaffa en Kerberos ticket.

root # yum install sssd openldap-clients

Edit /etc/sssd/sssd.conf: 

[sssd]
config_file_version = 2
services = nss
domains = LOCAL, example.com

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[domain/LOCAL]
id_provider = local
auth_provider = local
access_provider = permit

[domain/kerwien.se]
enumerate = true
auth_provider = krb5
krb5_server = ns.example.com
krb5_realm = EXAMPLE.COM
cache_credentials = true

access_provider = simple
chpass_provider = krb5

id_provider = ldap
ldap_uri = ldap://ns.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/openldap/cacerts/example.com-ca.crt

sudo_provider = none
Retrieved from "http://www.kerwien.se/index.php?title=Autentisering_via_LDAP_och_Kerberos_i_CentOS_7&oldid=3046"