,
Samba
Postfix (not implemented)
PAM_LDAP NSS_LDAP
openldap-server
PAM pam_ldap
ldap
nss_ldap
ACL
(TLS)
.
Sisyphus
slapd.conf
ldap.conf openldap
SAMBA PDC+LDAP+TLS
Squid+LDAP+TLS
, , LDAP.
: , :)
nirvana.home.
PAM_LDAP NSS_LDAP
openldap.
(, , , shell)
LDAP .
/etc/passwd /etc/shadow (, ,
), ,
openldap.
: ALM2.4 Sisyphus.
:
client1 # apt-get install pam_ldap nss_ldap
ldap
ldapserver # apt-get install openldap-servers
openldap-server
ldap-, :
1. /etc/openldap/slapd.conf database
2. suffix ,
suffix "dc=<youhostname>,dc=<youdomainname>"
( )
suffix "dc=nirvana,dc=home"
1. rootdn .
dn, .
rootpw, ( sasl + krb5),
, pwgen.
2. directory ldap:
directory /var/lib/ldap/bases/nirvana.home
(ACL) , .
1. slapd (# service slapd start)
LDAP c , , LDAP
public interface:
[root@huygens sysconfig]# netstat -al | grep LISTEN
tcp 0 0 *:ldap *:* LISTEN
tcp
0 *:ldap
*:*
LISTEN
-/var/log/ldap/slapd.log
syslogd.
:
newentry.ldif:
# newentry.ldif: the base entry (the slapd.conf suffix) and the People container.
# In LDIF every entry must be followed by one empty line; the two entries run
# together here only because the page rendering dropped that separator.
dn: dc=nirvana,dc=home
objectClass: organization
objectClass: dcObject
dc: nirvana
o: home
dn: ou=People,dc=nirvana,dc=home
objectClass: organizationalUnit
ou: People
dc=nirvana,dc=home suffix ( ).
objectClass ,
o: home.
, (
, ou=People ou=accounts).
ldap.
# ldapadd -x -f newentry.ldif -h ' slapd' -D < rootdn> -w < rootpw>
-w -W stdin (
openldap-clients,
ldapadd).
:
# ldapadd -x -f newentry.ldif -h localhost -D cn=admin,dc=nirvana,dc=home -w secret
:
adding new entry "dc=nirvana, dc=home"
adding new entry "ou=People,dc=nirvana,dc=home"
, gq,
shadow/tcb migration-tools
tcb ( ??).
.
tcb, tcb shadow
tcb_unconvert tcb-utils.
( )
# cd /usr/share/openldap/migration
# edit migration_common.ph
.... set $DEFAULT_BASE to your rootdn...
# ./migrate_passwd.pl /etc/passwd > ~/accounts.ldif
accounts.ldif LDIF
Open LDAP.
accounts.ldif ,
.
:
# ldapadd -f ~/accounts.ldif -h ' slapd' -p 389 -x -D < rootdn> -w < rootpw>
, :
ldapserver# service slapd stop
ldapserver# slapadd -b < suffix> -l ~/accounts.ldif
, ldap.
.
nss_ldap pam_ldap.
ALM2.4 :
/etc/ldap.conf ( /etc/openldap/ldap.conf).
sisyphus :
/etc/nss_ldap.conf /etc/pam_ldap.conf
:
#
# Template for /etc/ldap.conf (ALM2.4) or /etc/nss_ldap.conf and
# /etc/pam_ldap.conf (Sisyphus).  Values in <> are the ones chosen in
# slapd.conf above; everything else is described in pam_ldap(5)/nss_ldap(5).
#
# Search base: the suffix configured in slapd.conf.
base <suffix>
# Universal Resource Identifier of the ldap server, <protocol>://<hostname>/
# ldap  - plain connection (acceptable only on localhost or with STARTTLS)
# ldaps - SSL/TLS-wrapped connection (use this; see the TLS section below)
uri <uri to ldapserver>
# DN used to bind for ordinary lookups.  Leave it unset for an anonymous bind;
# if it is set its password (bindpw) lives in this world-readable file, so it
# must not be a privileged DN.
binddn <DN to bind with>
# DN used instead when the calling process is root (e.g. "passwd <username>"
# run by root).  Its password is read from a separate root-only secret file
# (/etc/ldap.secret in upstream nss_ldap), never from this file.
rootbinddn <dn to bind as root>
# Port of the ldap server: 389 for ldap, 636 for ldaps (only needed when the
# uri carries no port).
port <port number>
# Search scope:
# sub  - the whole subtree below base
# base - the base entry only
# one  - the direct children of base only
scope <scope for search>
#.....
# pam_ldap options
#.....
# Extra filter AND-ed with uid=%s when a login is looked up.  Use it to decide
# which entries may log in at all, e.g. only posixAccount entries or only
# entries carrying a custom attribute (the attribute must exist in the schema
# loaded by openldap):
# pam_filter allow_server_login=1
pam_filter <filter>
# Attribute holding the login name (uid for accounts made with migration-tools).
pam_login_attribute <login attribute>
# Restrict login to the members of one group: the DN of the group ...
#pam_groupdn cn=<groupname>,ou=Groups,dc=nirvana,dc=home
# ... and the attribute of that group that lists its members (e.g. memberUid).
#pam_member_attribute
# Only uidNumbers inside this range are accepted for login through pam_ldap;
# keep the local system accounts (this page draws the line at 500) outside it.
pam_min_uid <number>
pam_max_uid <number>
# How pam_ldap stores a changed password in userPassword.
# Possible values: clear crypt nds ad exop
# clear - the password itself is sent and the server stores whatever it gets;
#         only acceptable over tls/ssl and usually not what is wanted.
# crypt - pam_ldap hashes locally and stores {crypt}...; this is what the
#         OpenLDAP migration-tools produce and what the tcb export script
#         further down expects.
# exop  - LDAPv3 password-modify extended operation; the server hashes
#         according to its own policy.
pam_password < >
# Message shown instead of changing the password when changes are not
# allowed from here (e.g. because passwords are managed elsewhere).
pam_password_prohibit_message
#............
# nss_ldap options
#............
# Where each NSS map is searched; ou=People / ou=Group are the containers
# created by migration-tools:
# nss_base_passwd - passwd map
# nss_base_shadow - shadow map
# nss_base_group  - group map
# (each value belongs on the same line as its key; the page rendering split them)
nss_base_passwd
ou=People,<suffix>
nss_base_shadow
ou=People,<suffix>
nss_base_group
ou=Group,<suffix>
# TLS/SSL: ssl on, tls_checkpeer yes and tls_cacertfile <ca file> make the
# client verify the server certificate; see the worked example below.
#.....
, :
( )
# Worked example for nirvana.home.
base dc=nirvana,dc=home
uri ldaps://nirvana.home/
# This is the directory rootdn from slapd.conf; its password ends up in the
# root-only secret file of every client, so root on any client can administer
# the whole directory.  A less privileged DN covered by the ACLs below is safer.
rootbinddn cn=admin,dc=nirvana,dc=home
# Only posixAccount entries may log in.
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
# Passwords are hashed client-side as {crypt}; matches the tcb export below.
pam_password crypt
# (key and value belong on one line; they were split by the page rendering)
nss_base_passwd
ou=People,dc=nirvana,dc=home
nss_base_shadow
ou=People,dc=nirvana,dc=home
nss_base_group
ou=Group,dc=nirvana,dc=home
# NOTE(review): with these three lines commented out the ldaps:// connection
# is encrypted but the server certificate is never checked, so any host that
# answers on nirvana.home:636 is trusted with the bind password and the
# account data.  Enable them with the CA file from the TLS section, as the
# later ldap.conf example on this page does.
#ssl on
#tls_checkpeer yes
#tls_cacertfile /etc/openldap/ssl/cacert.pem
PAM pam_ldap
pam pam_ldap , '>'
/etc/pam.d/system-auth
#%PAM-1.0
> auth sufficient /lib/security/pam_ldap.so
auth
required
> account
sufficient /lib/security/pam_ldap.so
account required
password required
pam_passwdqc.so min=disabled,24,12,8,7 max=40 passphrase=3 match=4
similar=deny random=42 enforce=users retry=3
> password
password required
use_first_pass
> session
optional /lib/security/pam_ldap.so
session required
pam_tcb.so
sessionrequired
session required
pam_limits.so
sshd (- pam_userpass)
xscreensaver (- <PAMROOT>/system-auth-user_first_pass)
/etc/pam.d/sshd
#%PAM-1.0
auth
required
pam_userpass.so
> auth
sufficient
pam_ldap.so use_first_pass
auth required
use_first_pass
auth
pam_nologin.so
required
account include
system-auth
password include
system-auth
session include
system-auth
/etc/pam.d/system-auth-use_first_pass
#%PAM-1.0
> auth sufficient
/lib/security/pam_ldap.so
auth
required
> password
sufficient
password required
use_first_pass
/lib/security/pam_ldap.so
use_first_pass
ldap
, - ldap.
( .)
/etc/pam.d/passwd .
#%PAM-1.0
auth
sufficient
/lib/security/pam_ldap.so
include
system-auth
account include
system-auth
password include
system-auth
session required
pam_deny.so
c ,
/etc/pam.d/system-auth.
nss_ldap
NSS , glibc,
(files, dns, nis, nisplus, ldap).
, nss_ldap, /etc/nsswitch.conf
.
passwd, shadow group .
#LDAP
passwd:
shadow:
group:
: , ldap ,
(rpm, sh, vi) segfault.
file:///usr/share/doc/nss_ldap-220/README.ALT
.
ldap ( vasya pupkin :-) ).
(, gq ldapadd).
:
( # root, $ )
0. $ ldapsearch -x -h 'ldap://<hostname>/' -d -1
1. # id vasya
2. # su vasya
3. # ssh vasya@localhost
4. vasya$ id vasya
5. vasya$ stat .
6. vasya$ exit
7. # su <user not in ldap>
8. user$ id vasya
9. user$ su vasya
10. user$ ssh vasya@localhost
:
0: acl uri
1: /etc/nsswitch.conf , nss_ /etc/ldap.conf
2: vasya (
pam_mkhomedir), pam.d/system-auth
3: vasya (
pam_mkhomedir), sshd, (, ?)
4: /etc/ldap.conf
/etc/openldap/ldap.conf ( , tls/ssl)
5: ( ) owner group.
6: :-).
7: :-).
8: 4.
9: /etc/nsswitch.conf /etc/ldap.conf.
10: .
-: , uri /etc/ldap.conf,
acl ldap .
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
use strict;
use File::Copy;
use Net::LDAP;
# Configuration, taken from the environment with the fallbacks set below.
my $TCB_ROOT = $ENV{TCB_ROOT};            # root of the tcb shadow tree to write
my $PASSWD = $ENV{PASSWD};                # passwd file to rewrite (backup goes to "$PASSWD-")
my $BASEDN = $ENV{BASEDN};                # search base
my $FILTER = $ENV{FILTER};                # search filter; no default is given below
my $BINDDN = $ENV{BINDDN};                # DN to bind as
my $PASSWORD = $ENV{PASSWORD};            # its password; no default
my $URI = $ENV{URI};                      # server URI
my $VERIFY = $ENV{VERIFY};                # TLS peer verification mode
my $CAFILE = $ENV{CAFILE};                # CA certificate used for that verification
my $MIN_UID_NUMBER = $ENV{MIN_UID_NUMBER};
my $MAX_UID_NUMBER = $ENV{MAX_UID_NUMBER};
# NOTE(review): the bind password is taken from the process environment, which
# every process of the same user can read; a root-only secret file is safer.
# Empty or unset variables fall back to these defaults.
$TCB_ROOT = "$ENV{HOME}/etc/tcb" if $TCB_ROOT eq "";
$PASSWD = "$ENV{HOME}/etc/passwd" if $PASSWD eq "";
$BASEDN = "dc=nirvana,dc=home" if $BASEDN eq "";
$BINDDN = "cn=tcb,$BASEDN" if $BINDDN eq "";
$URI = "ldap://ldap.server/" if $URI eq "";
# NOTE(review): the default is no verification at all, so a spoofed LDAP server
# could feed this script fake accounts and password hashes.  How $VERIFY is
# handed to Net::LDAP is not visible here; Net::LDAP documents the modes
# none/optional/require, so confirm that "never" does what is intended rather
# than silently falling back to no verification, and use require with $CAFILE
# outside of testing.
$VERIFY = "never" if $VERIFY eq "";
$CAFILE = "/etc/openldap/ssl/cacert.pem" if $CAFILE eq "";
# uidNumber range of the LDAP accounts; local accounts outside it are kept.
$MIN_UID_NUMBER = 500 if $MIN_UID_NUMBER eq "";
$MAX_UID_NUMBER = 65535 if $MAX_UID_NUMBER eq "";
# passwd(5) lines collected by add_passwd, and shadow lines keyed by login
# collected by add_shadow; written out by write_passwd/write_shadow.
my @passwd;
my %shadow;
# Resolve a user name to its numeric uid through the system passwd database.
# Returns undef when getpwnam() knows no such user.
sub getuid
{
    my ($name) = @_;
    my @pw = getpwnam($name);
    return $pw[2];
}
# Resolve a group name to its numeric gid through the system group database.
# Returns undef when getgrnam() knows no such group.
sub getgid
{
    my ($name) = @_;
    my @gr = getgrnam($name);
    return $gr[2];
}
# Append one passwd(5)-style line built from an LDAP entry to @passwd.
# Takes a Net::LDAP::Entry.  The password field is always 'x': the hash goes
# to the tcb shadow files produced by add_shadow/write_shadow.
# NOTE(review): the attribute values are joined unescaped, so a uid or gecos
# containing ':' or a newline would corrupt the passwd line; validate the
# entries before calling this.
sub add_passwd
{
    my ($e) = @_;
    # name:x:uid:gid:gecos:home:shell
    my $line = join(':',
        $e->get_value('uid'), 'x',
        map { $e->get_value($_) }
            qw(uidNumber gidNumber gecos homeDirectory loginshell));
    push @passwd, $line;
}
# Record a shadow(5)-style line for one LDAP entry in %shadow, keyed by uid.
# Takes a Net::LDAP::Entry.  Only {crypt} password hashes are exported: an
# entry whose userPassword uses another scheme (or has none) is silently
# skipped and therefore gets no tcb shadow file at all.  Missing aging
# attributes become empty fields.
sub add_shadow
{
    my ($e) = @_;
    my $login = $e->get_value('uid');
    my $hash  = $e->get_value('userPassword');
    return unless defined($hash) && $hash =~ /{crypt}(.*)/i;
    $hash = $1;
    # the "" forces scalar context: first value, or empty when absent
    my @aging = map { $e->get_value($_) . "" }
        qw(shadowLastChange shadowMin shadowMax shadowWarning
           shadowInactive shadowExpire shadowFlag);
    $shadow{$login} = join(':', $login, $hash, @aging);
}
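# Rewrite the passwd file named by $PASSWD: keep the local accounts whose uid
# lies outside [$MIN_UID_NUMBER, $MAX_UID_NUMBER], then append the LDAP
# accounts collected in @passwd by add_passwd.  A backup is left in
# "$PASSWD-".  Dies, leaving $PASSWD untouched, when the current file cannot
# be read, the backup cannot be made or the new file cannot be written.
sub write_passwd
{
    # PASSWD_TEMPLATE - the current passwd file; only its local accounts survive
    open(PASSWD_TEMPLATE, "<$PASSWD")
        or die "Cannot open system users file $PASSWD: $!";
    my @ldappasswd = @passwd;
    @passwd = ();
    while (<PASSWD_TEMPLATE>)
    {
        chomp;
        my @entry = split /:/;
        # Skip malformed lines (no numeric uid field).  The previous test,
        # "$entry[2] == undef", compared against 0 and so also dropped uid 0 —
        # root — from the rewritten file.
        next unless defined($entry[2]) && $entry[2] =~ /^\d+$/;
        if ($entry[2] < $MIN_UID_NUMBER or $entry[2] > $MAX_UID_NUMBER)
        {
            push @passwd, $_;
        }
    }
    close(PASSWD_TEMPLATE);
    # local accounts first, a separator line, then the LDAP accounts
    @passwd = (@passwd, "", @ldappasswd);
    # Backup with File::Copy instead of a shell command, so a $PASSWD value
    # containing shell metacharacters cannot be misinterpreted.
    copy($PASSWD, "$PASSWD-")
        or die "Cannot back up $PASSWD to $PASSWD-: $!";
    # Write to a temporary file beside the target and rename it into place, so
    # a failure halfway through never leaves a truncated passwd file behind.
    my $tmp = "$PASSWD.tmp$$";
    open(PASSWD_FILE, ">$tmp")
        or die "Cannot create $tmp: $!";
    for my $line (@passwd)
    {
        print PASSWD_FILE "$line\n";
    }
    close(PASSWD_FILE)
        or die "Cannot finish writing $tmp: $!";
    if ($< == 0)
    {
        # passwd must stay world-readable (0644): NSS lookups by ordinary users need it
        chown getuid("root"), getgid("root"), $tmp;
        chmod 0644, $tmp;
    }
    rename($tmp, $PASSWD)
        or die "Cannot move $tmp into place as $PASSWD: $!";
}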
# Write the tcb shadow tree: one file $TCB_ROOT/<login>/shadow per line
# collected in %shadow by add_shadow.
#
# NOTE(review): the extracted page cuts this sub short — the closing braces of
# the if/foreach/sub are missing and the top-level call "write_shadow();" is
# fused onto its end.  The complete script presumably also calls write_passwd()
# and performs the Net::LDAP search that feeds add_passwd/add_shadow.
sub write_shadow
{
# Create the tree root; when run as root make it root:shadow 0710, so only
# root and members of "shadow" can traverse it.
mkdir "$TCB_ROOT" if ( ! -d "$TCB_ROOT" );
if ( $< == 0 )
{
chown getuid("root"), getgid("shadow"), $TCB_ROOT;
chmod 0710, $TCB_ROOT;
}
foreach my $key (keys %shadow)
{
# NOTE(review): $key is the uid attribute straight from LDAP and is
# interpolated into a filesystem path below; a value containing "/" or ".."
# would place the file outside $TCB_ROOT.  Reject anything that is not a plain
# account name before using it here.
mkdir "$TCB_ROOT/$key" if ( ! -d "$TCB_ROOT/$key" );
# The per-user file is created with the process umask and without an error
# check; nothing visible here sets its owner or mode, so it keeps the defaults
# of the creating process — presumably tcb wants it owned by the user with
# group auth and readable only by them; confirm against the tcb layout and set
# it explicitly.
open(TCB_FILE, ">$TCB_ROOT/$key/shadow");
print TCB_FILE $shadow{$key}."\n";
close(TCB_FILE);
if ( $< == 0 )
{
# hand the directory to the user, group "auth"
chown getuid($key), getgid("auth"), "$TCB_ROOT/$key";
write_shadow();
ACL
ACL :
1.
2. (loginShell,gecos,cn,uid)
3. userPassword
4. userPassword, loginShell, gecos
5. TCB ( )
ACL:
<YOUR ADMIN DN> DN (
uid=davinchi,ou=People,dc=vnet1)
# slapd.conf access control.  "access to" clauses are tried in order and the
# first one whose target matches decides; within a clause the first matching
# "by" wins and a "by" that matches nobody means no access, so "by *" must
# come last.
# Name and personal attributes: the admin and the entry itself may change
# them, authenticated users may read them, anonymous gets nothing.
access to attr=cn,givenName,sn,gecos
by dn="^<YOUR ADMIN DN>$" write
by self write
by users read
# NOTE(review): gecos already matched the clause above, so this clause only
# ever applies to loginShell.  Drop gecos here, or move it if "by * read"
# (anonymous included) is what is wanted for it.
access to attr=loginShell,gecos
by dn="^<YOUR ADMIN DN>$" write
by self write
by * read
# Passwords: anonymous may use the attribute for bind only ("auth"), the
# owner and the admin may set it, nobody can read it back.
access to attr=userPassword
by dn="^<YOUR ADMIN DN>$" write
by anonymous auth
by self write
by * none
# NOTE(review): the ^...$ anchors show the dn= patterns are treated as
# regexes, so the DN has to be regex-escaped; dn.exact="<YOUR ADMIN DN>" is the
# unambiguous form — confirm against slapd.access(5) for the OpenLDAP version
# in use.  Attributes not named above (uidNumber, homeDirectory, ...) get
# whatever slapd applies to unmatched requests; add an explicit final
# "access to * by ..." clause rather than relying on that.
(TLS)
, LDAP'
( ) - LDAP' ,
( ) (
LDAP)
ldap ( , -.) (
- )
.
.
.
ALT LINUX MASTER 2.4.
:
[stalker@ring stalker]$ rpm -qa | grep ssl
openssl-0.9.7d-alt1
libssl-0.9.7d-alt1
.
CA.pl openssl-0.9.7d-alt1.
/var/lib/ssl/misc CA.pl ,
cd /etc/openldap/
/var/lib/ssl/misc/CA.pl -newca
, ldap .
[stalker@fs stalker]$ nslookup ring.local
Note: nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead. Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server:
Address:
192.168.1.1
192.168.1.1#53
Name: ring.local
Address: 192.168.1.111
ldap-.
Common Name ring.local
ldap- . IP 192.168.1.111
. ring.local.
CN ,
SASL/KRB5.
Generating a 1024 bit RSA private key
...........++++++
.....++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:<sobakazlaya:)>
Verifying - Enter PEM pass phrase:<sobakazlaya>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ru
State or Province Name (full name) [Some-State]:Privolzhskiy Region
Locality Name (eg, city) []:Penza
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyveryCOOLwork
Organizational Unit Name (eg, section) []:SysAdmin
Common Name (eg, your name or your server's hostname) []:ring.local
Email Address []:root@ring.local
nslookup ring.local, : Common Name
LDAP ip-, nslookup.
:
demoCA cacert.pem
openssl req -new -nodes -keyout newreq.pem -out newreq.pem
[root@ring.local openldap]# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
.................++++++
.....++++++
writing new private key to 'newreq.pem'
= ru
= Privolzhskiy Region
= Penza
= MyveryCOOLwork
organizationalUnitName = SysAdmin
commonName
emailAddress
= ring.local
= root@ring.local
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
< >
X509v3 Authority Key Identifier:
< >
DirName:/C=ru/ST=Privolzhskiy
Region/L=Penza/O=MyveryCOOLwork/OU=root/CN=ring.local/emailAddress=root@ring.local
serial:00
Certificate is to be certified until Mar 15 12:33:44 2006 GMT (365 days)
Sign the certificate? [y/n]:y
. , ,
.
.
Sisyphus
# TLS settings for slapd.conf (Sisyphus).
# NOTE(review): in an OpenSSL cipher string "+SSLv2" only moves the SSLv2
# suites to the end of the preference list, it does not remove them, so the
# server still offers SSLv2 to clients that ask for it.  Use "!SSLv2" to drop
# them for good, e.g. HIGH:MEDIUM:!SSLv2.
TLSCipherSuite HIGH:MEDIUM:+SSLv2
# Server certificate and private key; the ls -la listing further down shows
# key.pem readable by the ldap user and group only, which is what is wanted.
TLSCertificateFile /etc/openldap/ssl/crt.pem
TLSCertificateKeyFile /etc/openldap/ssl/key.pem
# CA that signed crt.pem; the same cacert.pem is distributed to the clients.
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
# Clients are not asked for a certificate; they authenticate by simple bind.
TLSVerifyClient never
, , service slapd start, slapd
.
ldap.conf openldap
/etc/openldap/ldap.conf
TLS_CACERT /etc/openldap/ssl/cacert.pem
ldap ldaps URI.
ldap ,
127.0.0.1
/etc/sysconfig ldap
:
########################################
# SLAPD Proccess options
########################################
0 127.0.0.1:389
tcp
0 0.0.0.0:636
0.0.0.0:*
0.0.0.0:*
LISTEN
8395/slapd
LISTEN
[root@ring.local openldap]# openssl s_client -connect ring.local:636 -showcerts -state -CAfile
/etc/openldap/ssl/cacert.pem
openssl s_client -connect ring.local:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=ru/ST=Privolzhskiy
Region/L=Penza/O=RCC/OU=root/CN=ring.local/emailAddress=root@ring.local
verify return:1
depth=0 /C=ru/ST=Privolzhskiy
Region/L=Penza/O=RCC/OU=root/CN=ring.local/emailAddress=root@ring.local
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=ru/ST=Privolzhskiy
Region/L=Penza/O=RCC/OU=root/CN=ring.local/emailAddress=root@ring.local
i:/C=ru/ST=Privolzhskiy
Region/L=Penza/O=RCC/OU=root/CN=ring.local/emailAddress=root@ring.local
<>
-----BEGIN CERTIFICATE-----
<>
-----END CERTIFICATE-----
---
Server certificate
subject=/C=ru/ST=Privolzhskiy
Region/L=Penza/O=RCC/OU=root/CN=ring.local/emailAddress=root@ring.local
issuer=/C=ru/ST=Privolzhskiy
Region/L=Penza/O=RCC/OU=root/CN=ring.local/emailAddress=root@ring.local
< >
---
No client certificate CA names sent
---
SSL handshake has read 971 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher
: AES256-SHA
Session-ID: 8CB1768A5F90E71FDA7D0CBF47003E36AE9E12643BC35378132DDB111EC1C852
Session-ID-ctx:
Master-Key:
996B7555686CDA1142B83CA67BE43C46F6EDCC6567713C00E42F4ECAAD1BAC7EABDE4BB0E7D
04C5C72165AB253658498
Key-Arg : None
Start Time: 1110890913
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
(Return code 21 means the server certificate could not be chained to the CA given with -CAfile; the handshake still completed, but a client configured with tls_checkpeer yes will refuse this server until the matching cacert.pem is used.)
ldap.conf nss_ldap
ldap.conf nss_ldap /etc
# /etc/ldap.conf for nss_ldap on the ring.local example.
base dc=ring,dc=local
uri ldaps://ring.local/
# ssl on together with tls_checkpeer yes makes nss_ldap verify the server
# certificate against the CA below; without tls_checkpeer the ldaps
# connection is encrypted but the peer is not authenticated.
ssl on
# NOTE(review): this path differs from the one used everywhere else on this
# page (/etc/openldap/ssl/cacert.pem in slapd.conf, in /etc/openldap/ldap.conf
# and in the ls -la listing); unless the CA really was copied to
# /etc/openldap/certs, peer checking will fail here.
tls_cacertfile /etc/openldap/certs/cacert.pem
tls_checkpeer yes
ssl on
( man-in-the-middle ).
ldap.conf /etc/openldap
- openldap-server /etc
openldap.
ldap.conf.
(: , rpm -qf /etc/openldap/ldap.conf => openldap-clients)
-rw-r--r-- 1 root root 333 Apr 25 10:59 ldap.conf
:
URI
ldaps://ring.local
TLS_CACERT /etc/openldap/ssl/cacert.pem
cacert,
nss_ldap .
[root@ring.local openldap]# ls -la ./ssl
total 12
drwxr-xr-x 2 ldap ldap 51 Apr 21 11:32 .
drwxr-xr-x 6 root root 140 Apr 21 12:43 ..
-rw-r--r-- 2 ldap ldap 1265 Apr 21 11:31 cacert.pem
-rw-r----- 2 ldap ldap 3628 Apr 21 11:32 crt.pem
-rw-r----- 2 ldap ldap 1587 Apr 21 11:32 key.pem
SAMBA PDC+LDAP+TLS
LDAP+
.
: 3 , .
NSS_LDAP ( ).
/etc/openldap/ldap.conf . , (
, LDAP )
+, ()
/etc/openldap/ldap.conf CA-.
nss_ldap , ().
. :
encrypt passwords = yes
# The passwd-program route for syncing Unix passwords is off; "ldap passwd
# sync" below updates userPassword in LDAP instead.
unix password sync = no
# LDAP backend for the Samba accounts, reached over ldaps.  The host name in
# the URI must be the one in the server certificate (ring.local here), not a
# bare IP address, or certificate checking will fail.
# (the next line is a rendering artefact of the page, not smb.conf syntax)
LDAP # )
passdb backend = ldapsam:ldaps://ring.local
# NOTE(review): with an ldaps:// URI the connection is SSL-wrapped regardless
# of this setting; "ldap ssl" governs STARTTLS on plain ldap:// — confirm in
# smb.conf(5) for the Samba version in use.
ldap ssl = off
# DN Samba binds with; its password is stored in secrets.tdb by
# "smbpasswd -w" (see below).  It needs write access to the account entries.
ldap admin dn = "cn=admin,dc=MyveryCOOLwork"
# Base of the tree holding the Samba objects.
ldap suffix = dc=MyveryCOOLwork
# NOTE(review): admin users perform every file operation on the shares as
# root; keep this list as short as possible.
admin users = zombie
# NOTE(review): "ldap admin dn" is set a second time here with the same value;
# keep a single copy.
ldap admin dn = "cn=admin,dc=MyveryCOOLwork"
# Containers (relative to ldap suffix) for users, groups and machine accounts.
# NOTE(review): the nss_ldap examples earlier on this page use ou=People for
# the posixAccount entries; the user suffix here must point at the same place.
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
# Deleting a Samba account removes only the Samba attributes, not the whole
# LDAP entry with its POSIX account.
ldap delete dn = no
# Look the login name up in the uid attribute.
ldap filter = (uid=%u)
# smbpasswd changes also update userPassword in LDAP ;-)
ldap passwd sync = yes
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
local master = yes
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
preferred master = yes
# 6. Domain Control Options:
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations or Primary Domain Controller for WinNT and Win2k
domain logons = yes
# Share fragments — presumably the [profiles] and [homes] sections; their
# section headers were lost in the page rendering.
path = /var/lib/samba/profiles
path = /home/%U
browseable = yes
guest ok = no
writable = yes
smbpasswd -w LDAP.
. smbpasswd ....
SAMBA lDAP':
homeDirectory
loginShell
sambaAcctFlags
sambaHomeDrive
sambaHomePath
sambaKickoffTime
sambaLMPassword
sambaLogoffTime
sambaLogonTime
sambaNTPassword
sambaPasswordHistory
sambaPrimaryGroupSID
sambaProfilePath
sambaPwdCanChange
sambaPwdLastSet
sambaSID
uid
uidNumber
userPassword
POSIX ACCOUNT!
.
homeDirectory : /home/anton
sambaHomeDrive : R:
sambaHomePath : \\ring.local\anton
sambaProfilePath : \\ring.local\profiles\anton
/profiles/username
R: () /home/anton (
sambaHomePat UNC .) NETBIOS NAME ,
.
LDAP.
Squid+LDAP+TLS
- squid openldap- .
.. -
cat /etc/squid/squid.conf |grep ldap
LDAP
OpenLDAP
LDAP *NIXP.ru
OpenLDAP
OpenLDAP backends