手当たり次第に書くんだ

CentOS7 LDAPクライアント設定

目的

LDAPクライアントの設定を行う。

設定方針

設定方針を参照する。

対象ホスト

内部サーバー

前提条件

マニュアル名:「LDAPサーバー構築」が完了していること。

設定手順

authconfig設定

authconfigの初期値

authconfigの初期値は下記のとおりである。

[root@centos ~]# authconfig --test

caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = ""
 LDAP base DN = ""
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "SAMBA"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap range = "16777216-33554431"
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
myhostname is enabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = ""
 krb5 realm via dns is disabled
 krb5 kdc = ""
 krb5 kdc via dns is disabled
 krb5 admin server = ""
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = ""
 LDAP base DN = ""
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
SSSD smartcard support is disabled
 use only smartcard for login is disabled
 smartcard module = ""
 smartcard removal action = ""
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is disabled
 SMB workgroup = "SAMBA"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
IPAv2 is disabled
IPAv2 domain was not joined
 IPAv2 server = ""
 IPAv2 realm = ""
 IPAv2 domain = ""
pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_faillock is disabled (deny=4 unlock_time=1200)
pam_mkhomedir or pam_oddjob_mkhomedir is disabled (umask=0077)
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled

設定変更

[root@centos ~]# authconfig --enableldap --enableldapauth --ldapserver=ldaps://localhost/ --ldapbasedn=dc=mydomain,dc=com --update

authconfigの変更後

設定変更後は下記のように設定値が変わる。

[root@centos ~]# authconfig --test

caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldaps://localhost/"
 LDAP base DN = "dc=mydomain,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "SAMBA"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap range = "16777216-33554431"
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
myhostname is enabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = ""
 krb5 realm via dns is disabled
 krb5 kdc = ""
 krb5 kdc via dns is disabled
 krb5 admin server = ""
pam_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldaps://localhost/"
 LDAP base DN = "dc=mydomain,dc=com"
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
SSSD smartcard support is disabled
 use only smartcard for login is disabled
 smartcard module = ""
 smartcard removal action = ""
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is disabled
 SMB workgroup = "SAMBA"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
IPAv2 is disabled
IPAv2 domain was not joined
 IPAv2 server = ""
 IPAv2 realm = ""
 IPAv2 domain = ""
pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_faillock is disabled (deny=4 unlock_time=1200)
pam_mkhomedir or pam_oddjob_mkhomedir is disabled (umask=0077)
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled

手動設定が必要なファイル

以降は、authconfigで自動設定されないため手動で設定する必要がある。

/etc/nslcd.conf

tls_reqcert allowは、LDAPで使用する証明書が自己署名である場合に必須の設定。

[root@centos ~]# vim /etc/nslcd.conf

(中略)
uri ldaps://localhost/
(中略)
base dc=mydomain,dc=com
(中略)
ssl no
(中略)
tls_cacertdir /etc/openldap/cacerts

■ 下記を最終行に追記する

tls_reqcert allow
binddn cn=Reader,dc=mydomain,dc=com
bindpw [password]

■ パスワードを平文で記述するファイルとなるためパーティションが600であることを確認する

[root@centos ~]# ls -l /etc/nslcd.conf

-rw------- 1 root root 4986  3月 30 20:48 /etc/nslcd.conf

/etc/openldap/ldap.conf

TLS_REQCERT allowは、LDAPで使用する証明書が自己署名である場合に必須の設定。

[root@centos ~]# vim /etc/openldap/ldap.conf

TLS_CACERTDIR /etc/openldap/cacerts
URI ldaps://localhost/
BASE dc=mydomain,dc=com

■ 下記を最終行に追記する

TLS_REQCERT allow

ルート証明書配置

[root@centos ~]# cp /etc/easy-rsa/pki/ca.crt /etc/openldap/cacerts

nslcd再起動

[root@centos ~]# systemctl restart nslcd

戻る

CentOS7 LDAPクライアント設定

コメントを残す

メールアドレスが公開されることはありません。 * が付いている欄は必須項目です

日本語が含まれない投稿は無視されますのでご注意ください。(スパム対策)

トップへ戻る