最新はこちらを参照して下さい。
目的
LDAPクライアントの設定を行う。
設定方針
設定方針を参照する。
対象ホスト
内部サーバー
前提条件
マニュアル名:「LDAPサーバー構築」が完了していること。
設定手順
authconfig設定
authconfigの初期値
authconfigの初期値は下記のとおりである。
※authconfigはCentOS8では削除されており、CentOS7の後半のバージョンでは推奨されませんのでSSSDを使用して下さい。
[root@centos ~]# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is disabled
LDAP+TLS is disabled
LDAP server = ""
LDAP base DN = ""
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = "SAMBA"
SMB servers = ""
SMB security = "user"
SMB realm = ""
Winbind template shell = "/bin/false"
SMB idmap range = "16777216-33554431"
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
myhostname is enabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is sha512
pam_krb5 is disabled
krb5 realm = ""
krb5 realm via dns is disabled
krb5 kdc = ""
krb5 kdc via dns is disabled
krb5 admin server = ""
pam_ldap is disabled
LDAP+TLS is disabled
LDAP server = ""
LDAP base DN = ""
LDAP schema = "rfc2307"
pam_pkcs11 is disabled
SSSD smartcard support is disabled
use only smartcard for login is disabled
smartcard module = ""
smartcard removal action = ""
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is disabled
SMB workgroup = "SAMBA"
SMB servers = ""
SMB security = "user"
SMB realm = ""
pam_sss is disabled by default
credential caching in SSSD is enabled
SSSD use instead of legacy services if possible is enabled
IPAv2 is disabled
IPAv2 domain was not joined
IPAv2 server = ""
IPAv2 realm = ""
IPAv2 domain = ""
pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_faillock is disabled (deny=4 unlock_time=1200)
pam_mkhomedir or pam_oddjob_mkhomedir is disabled (umask=0077)
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
設定変更
[root@centos ~]# authconfig --enableldap --enableldapauth --ldapserver=ldaps://localhost/ --ldapbasedn=dc=mydomain,dc=com --update
authconfigの変更後
設定変更後は下記のように設定値が変わる。
[root@centos ~]# authconfig --test caching is disabled nss_files is always enabled nss_compat is disabled nss_db is disabled nss_hesiod is disabled hesiod LHS = "" hesiod RHS = "" nss_ldap is enabled LDAP+TLS is disabled LDAP server = "ldaps://localhost/" LDAP base DN = "dc=mydomain,dc=com" nss_nis is disabled NIS server = "" NIS domain = "" nss_nisplus is disabled nss_winbind is disabled SMB workgroup = "SAMBA" SMB servers = "" SMB security = "user" SMB realm = "" Winbind template shell = "/bin/false" SMB idmap range = "16777216-33554431" nss_sss is enabled by default nss_wins is disabled nss_mdns4_minimal is disabled myhostname is enabled DNS preference over NSS or WINS is disabled pam_unix is always enabled shadow passwords are enabled password hashing algorithm is sha512 pam_krb5 is disabled krb5 realm = "" krb5 realm via dns is disabled krb5 kdc = "" krb5 kdc via dns is disabled krb5 admin server = "" pam_ldap is enabled LDAP+TLS is disabled LDAP server = "ldaps://localhost/" LDAP base DN = "dc=mydomain,dc=com" LDAP schema = "rfc2307" pam_pkcs11 is disabled SSSD smartcard support is disabled use only smartcard for login is disabled smartcard module = "" smartcard removal action = "" pam_fprintd is disabled pam_ecryptfs is disabled pam_winbind is disabled SMB workgroup = "SAMBA" SMB servers = "" SMB security = "user" SMB realm = "" pam_sss is disabled by default credential caching in SSSD is enabled SSSD use instead of legacy services if possible is enabled IPAv2 is disabled IPAv2 domain was not joined IPAv2 server = "" IPAv2 realm = "" IPAv2 domain = "" pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=) pam_passwdqc is disabled () pam_access is disabled () pam_faillock is disabled (deny=4 unlock_time=1200) pam_mkhomedir or pam_oddjob_mkhomedir is disabled (umask=0077) Always authorize local users is enabled () Authenticate system accounts against network services is disabled
手動設定が必要なファイル
以降は、authconfigで自動設定されないため手動で設定する必要がある。
/etc/nslcd.conf
tls_reqcert allowは、LDAPで使用する証明書が自己署名である場合に必須の設定。
[root@centos ~]# vim /etc/nslcd.conf (中略) uri ldaps://localhost/ (中略) base dc=mydomain,dc=com (中略) ssl no (中略) tls_cacertdir /etc/openldap/cacerts ■ 下記を最終行に追記する tls_reqcert allow binddn cn=Reader,dc=mydomain,dc=com bindpw [password] ■ パスワードを平文で記述するファイルとなるためパーティションが600であることを確認する [root@centos ~]# ls -l /etc/nslcd.conf -rw------- 1 root root 4986 3月 30 20:48 /etc/nslcd.conf
/etc/openldap/ldap.conf
TLS_REQCERT allowは、LDAPで使用する証明書が自己署名である場合に必須の設定。
[root@centos ~]# vim /etc/openldap/ldap.conf TLS_CACERTDIR /etc/openldap/cacerts URI ldaps://localhost/ BASE dc=mydomain,dc=com ■ 下記を最終行に追記する TLS_REQCERT allow
ルート証明書配置
[root@centos ~]# cp /etc/easy-rsa/pki/ca.crt /etc/openldap/cacerts
nslcd再起動
[root@centos ~]# systemctl restart nslcd
CentOS 7 LDAP クライアント設定
この投稿は古い情報です。最新はこちらを参照して下さい。
https://www.si1230.com/?p=40633