====== LDAP client with autofs ======

==== Client on Ubuntu 16.04 ====

<note important>Before following the installation below, if there are local accounts on the client machine, they must be moved if you want to keep using them later. To do so, use the command ''usermod -d NEWHOME -m USER''. Do not create the new home directory yourself: it is created automatically.</note>

  * Install the following packages: ''ldap-utils'' ''autofs-ldap'' ''ldap-auth-client'' ''nscd'' ''libnss-ldapd'' ''libpam-ldapd'' ''libpam-mount''
  * Edit the file ''/etc/ldap/ldap.conf''
<Code>
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=i2m,dc=univ-amu,dc=fr
URI     ldap://ldap.i2m.univ-amu.fr
ldap_version 3
scope sub
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password md5

nss_base_passwd ou=accounts,dc=i2m,dc=univ-amu,dc=fr
nss_base_shadow ou=accounts,dc=i2m,dc=univ-amu,dc=fr
nss_base_group  ou=Groups,dc=i2m,dc=univ-amu,dc=fr

ssl start_tls
tls_reqcert allow

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/openldap/ca-certs
tls_cacertdir /etc/ssl/certs

nss_initgroups_ignoreusers avahi,backup,bin,bind,colord,daemon,fetchmail,games,gnats,irc,klog,libuuid,list,lp,mail,man,messagebus,news,nslcd,proxy,root,smmsp,smmta,sshd,statd,sync,sys,syslog,usbmux,uucp,www-data,x2gouser
</Code>
  * Edit the file ''/etc/default/autofs''
<Code>
#
# Init system options
#
# If the kernel supports using the autofs miscellaneous device
# and you wish to use it you must set this configuration option
# to "yes" otherwise it will not be used.
#
master_map_name="/etc/auto.master"
timeout=300
browse_mode="no"
logging="verbose"
LDAP_URI="ldap://ldap.i2m.univ-amu.fr"
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"
USE_MISC_DEVICE="yes"
#
# Use OPTIONS to add automount(8) command line options that
# will be used when the daemon is started.
#
#OPTIONS=""
#
</Code>
  * Edit the file ''/etc/auto.master''
<Code>
#
# Sample auto.master file
# This is a 'master' automounter map and it has the following format:
# mount-point [map-type[,format]:]map [options]
# For details of the format look at auto.master(5).
#
#/misc  /etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
#       "nosuid" and "nodev" options unless the "suid" and "dev"
#       options are explicitly given.
#
/net    -hosts
#
# Include /etc/auto.master.d/*.autofs
# The included files must conform to the format of this file.
#
#+dir:/etc/auto.master.d
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
#+auto.master
/home   ldap://ldap.i2m.univ-amu.fr/ou=auto.home,dc=i2m,dc=univ-amu,dc=fr
</Code>
  * Edit the file ''/etc/autofs_ldap_auth.conf''
<Code>
<?xml version="1.0" ?>
<!--
This files contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->
<autofs_ldap_sasl_conf
        usetls="yes"
        tlsrequired="no"
        authrequired="no"
/>
</Code>
  * Edit the file ''/etc/nsswitch.conf''
<Code>
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

# pre_auth-client-config # passwd:         compat ldap
passwd:         files ldap
# pre_auth-client-config # group:          compat ldap
group:          files ldap
# pre_auth-client-config # shadow:         compat ldap
shadow:         files ldap
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

# pre_auth-client-config # netgroup:       nis
netgroup:       nis
automount:      files ldap
</Code>
  * Run the command ''auth-client-config -t nss -p lac_ldap''
  * Edit the file ''/etc/nslcd.conf''
<Code>
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://ldap.i2m.univ-amu.fr

# The search base that will be used for all queries.
base dc=i2m,dc=univ-amu,dc=fr

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
ssl start_tls
tls_reqcert allow
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub
</Code>
  * Restart the nslcd and nscd services: ''service nslcd restart'' and ''service nscd restart''
  * Run the command ''pam-auth-update''
  * Edit the file ''/etc/pam.d/common-session''
<Code>
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required                        pam_unix.so
session optional                        pam_mount.so
session [success=ok default=ignore]     pam_ldap.so minimum_uid=1000
session optional                        pam_systemd.so
# end of pam-auth-update config
</Code>
  * Fetch the certificates from protis and place them in the directory ''/etc/ssl/certs/'': <code>scp -r chabrol@147.94.64.48:/home/chabrol/cert/* /etc/ssl/openldap</code>
  * Create the directory: ''mkdir -p /etc/ssl/openldap''
  * Copy the protis certificate ''/etc/ssl/openldap/ca-certs'' to the client machine (at the same location)
  * Restart autofs: ''service autofs restart''
  * The file ''/etc/ldap.conf'' should look like this:
<Code>
###DEBCONF###
##
## Configuration of this file will be managed by debconf as long as the
## first line of the file says '###DEBCONF###'
##
## You should use dpkg-reconfigure to configure this file via debconf
##

# The distinguished name of the search base.
base dc=i2m,dc=univ-amu,dc=fr

# Another way to specify your LDAP server is to provide an
uri ldap://ldap.i2m.univ-amu.fr

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The port.
# Optional: default is 389.
#port 389

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5

# Netscape SDK LDAPS
#ssl on

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
</Code>

client_ldap.txt · Last modified: 2019/10/07 15:38 by chabrol
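The ''/home'' line in ''/etc/auto.master'' points autofs at the ''ou=auto.home'' container, and ''/etc/default/autofs'' tells it which LDAP object classes and attributes hold the map (''automountMap''/''ou'' for the map, ''automount''/''cn''/''automountInformation'' for each entry). The page never shows what those LDAP entries look like, so the following added example (not part of this wiki page and not autofs project code) reads a constructed LDIF using exactly those attribute names and the page's base DN and prints the equivalent flat ''auto.home'' map lines that automount(8) would build. The NFS server name ''nfs.example.invalid'' and the two user entries are constructed placeholders.

```python
"""Translate automount entries stored in LDAP (as LDIF) into the flat map
format automount(8) consumes.  Added example for this page, not autofs
project code.  The LDIF below is constructed (the NFS server name is a
placeholder); the attribute names come from /etc/default/autofs and the
base DN from /etc/auto.master on this page."""

# Attribute names exactly as set in /etc/default/autofs on this page.
MAP_OBJECT_CLASS = "automountMap"
ENTRY_OBJECT_CLASS = "automount"
MAP_ATTRIBUTE = "ou"
ENTRY_ATTRIBUTE = "cn"
VALUE_ATTRIBUTE = "automountInformation"


def parse_ldif(text):
    """Minimal LDIF reader: one dict {attr_lowercase: [values]} per entry.
    Entries are separated by blank lines; lines starting with a space are
    folded continuations of the previous value."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def ldif_to_automount_map(text, map_name):
    """Return the flat map lines ('key [-options] location') of map `map_name`."""
    entries = parse_ldif(text)

    # Locate the map container (objectClass automountMap, ou=<map_name>).
    map_dn = None
    for e in entries:
        classes = [v.lower() for v in e.get("objectclass", [])]
        if MAP_OBJECT_CLASS.lower() in classes and e.get(MAP_ATTRIBUTE.lower(), [""])[0] == map_name:
            map_dn = e["dn"][0].lower()
    if map_dn is None:
        raise ValueError(f"no {MAP_OBJECT_CLASS} entry with {MAP_ATTRIBUTE}={map_name}")

    lines = []
    for e in entries:
        classes = [v.lower() for v in e.get("objectclass", [])]
        if ENTRY_OBJECT_CLASS.lower() not in classes:
            continue
        if not e["dn"][0].lower().endswith("," + map_dn):
            continue  # entry belongs to a different map container
        key = e[ENTRY_ATTRIBUTE.lower()][0]
        if key == "/":
            key = "*"  # autofs stores the wildcard key '*' as '/' in LDAP
        lines.append(f"{key} {e[VALUE_ATTRIBUTE.lower()][0]}")
    return lines


# Constructed LDIF: what the ou=auto.home container referenced from auto.master
# could contain.  nfs.example.invalid is a placeholder, not the site's NFS server.
SAMPLE_LDIF = """\
dn: ou=auto.home,dc=i2m,dc=univ-amu,dc=fr
objectClass: top
objectClass: automountMap
ou: auto.home

dn: cn=alice,ou=auto.home,dc=i2m,dc=univ-amu,dc=fr
objectClass: top
objectClass: automount
cn: alice
automountInformation: -fstype=nfs4,rw,sec=sys nfs.example.invalid:/export/home/alice

dn: cn=/,ou=auto.home,dc=i2m,dc=univ-amu,dc=fr
objectClass: top
objectClass: automount
cn: /
automountInformation: -fstype=nfs4,rw,sec=sys nfs.example.invalid:/export/home/&
"""

if __name__ == "__main__":
    for line in ldif_to_automount_map(SAMPLE_LDIF, "auto.home"):
        print(line)
```

Running it prints one line per entry, the explicit ''alice'' mount followed by the wildcard entry, which is the same text you would put in a file-based ''/etc/auto.home''; comparing this output with ''ldapsearch -b ou=auto.home,dc=i2m,dc=univ-amu,dc=fr'' is a quick way to confirm the client reads the same map the server publishes.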
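Both ''/etc/ldap/ldap.conf'' and ''/etc/nslcd.conf'' above enable STARTTLS but set ''tls_reqcert allow'', which asks the server for a certificate and then proceeds even if it is missing or fails verification, so the trust anchor copied from protis is never actually enforced. The following added example (not part of this page) is a small audit script in the style a practitioner would run after deploying these files: it parses the whitespace-separated key/value format shared by ldap.conf and nslcd.conf and reports plaintext LDAP, unenforced certificate checks and missing CA settings. The embedded sample configuration is constructed to mirror the nslcd.conf shown on the page, with a hardened variant alongside it.

```python
"""Audit an LDAP client configuration (ldap.conf / nslcd.conf style) for
weak TLS and certificate settings.  Added example for this page, not part
of the original wiki content; the sample configuration below is
constructed to mirror the nslcd.conf shown on the page."""

# tls_reqcert values that let the connection proceed without a verified peer.
WEAK_REQCERT = {"never", "allow"}


def parse_ldap_conf(text):
    """Return {key_lowercase: last_value} for 'key value' lines.

    ldap.conf keys are case-insensitive (URI, TLS_CACERT, ...) and nslcd.conf
    keys are lowercase, so normalising to lowercase covers both files.
    Comments ('#...') and blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_ldap_client(text):
    """Return a list of (severity, message) findings for one config file."""
    cfg = parse_ldap_conf(text)
    findings = []

    # 1. Transport: either ldaps:// in the URI or 'ssl start_tls' / 'ssl on'.
    uri = cfg.get("uri", "")
    ssl_mode = cfg.get("ssl", "off").lower()
    if not uri.lower().startswith("ldaps://") and ssl_mode not in ("start_tls", "on"):
        findings.append(("high", "no TLS: uri is plain ldap:// and 'ssl start_tls' is not set; "
                                 "bind passwords and account data cross the network in clear text"))

    # 2. Certificate enforcement: 'allow' and 'never' accept an unverified server.
    reqcert = cfg.get("tls_reqcert", "").lower()
    if reqcert in WEAK_REQCERT:
        findings.append(("high", f"tls_reqcert {reqcert}: the server certificate is not enforced, "
                                 "so a host impersonating the LDAP server is accepted; "
                                 "use 'tls_reqcert demand'"))

    # 3. Trust anchor: verification needs a CA file or directory to check against.
    if not any(k in cfg for k in ("tls_cacertfile", "tls_cacertdir", "tls_cacert")):
        findings.append(("medium", "no CA trust anchor (tls_cacertfile / tls_cacertdir / TLS_CACERT); "
                                   "certificate verification cannot succeed even with tls_reqcert demand"))
    return findings


# Constructed sample mirroring the nslcd.conf settings shown on this page.
SAMPLE_NSLCD_CONF = """\
uid nslcd
gid nslcd
uri ldap://ldap.i2m.univ-amu.fr
base dc=i2m,dc=univ-amu,dc=fr
ldap_version 3
ssl start_tls
tls_reqcert allow
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
"""

# Same file with the certificate check enforced.
SAMPLE_HARDENED_CONF = SAMPLE_NSLCD_CONF.replace("tls_reqcert allow", "tls_reqcert demand")

if __name__ == "__main__":
    for name, text in (("as on the page", SAMPLE_NSLCD_CONF), ("hardened", SAMPLE_HARDENED_CONF)):
        print(f"== {name} ==")
        for severity, msg in audit_ldap_client(text) or [("ok", "no findings")]:
            print(f"[{severity}] {msg}")
```

The page's own settings produce exactly one finding, the ''tls_reqcert allow'' line, and the hardened variant produces none. The same function can be pointed at ''/etc/ldap/ldap.conf'' (where the key is spelled ''TLS_CACERT'' and the parser lowercases it) and at ''/etc/ldap.conf'' once those files are read from disk; remember that ''tls_reqcert demand'' only works when the CA that signed the protis certificate is actually present in the ''tls_cacertfile'' or ''tls_cacertdir'' given.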