Title: OpenIndiana - getting LDAP working for SAMBA
Posted by: tmcdos on Mar 05, 2012, 12:59

I have installed Solaris - OpenIndiana 151a, SAMBA 3.5.5 and OpenLDAP 2.4.13.
SAMBA works, and so does the LDAP server - I can log into it and have even created a few accounts in it (posixAccount). SAMBA, however, does not trust the UID from the account's attributes in LDAP, but tries Get_PwNam and fails. getent passwd ldap_user shows me nothing.

/etc/openldap/slapd.conf:

    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/solaris.schema
    include /etc/openldap/schema/samba.schema

    pidfile  /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args

    database   bdb
    suffix     "dc=domain,dc=com"
    rootdn     "cn=admin,dc=domain,dc=com"
    rootpw     my-secret
    password-hash {CLEARTEXT}
    directory  /var/openldap
    monitoring off

    # map SASL authentication identities onto entries in the tree
    authz-regexp uid=([^,]*),cn=[^,]*,cn=[^,]*,cn=auth uid=$1,OU=users,DC=domain,DC=com
    authz-regexp uid=([^,]*),cn=[^,]*,cn=auth uid=$1,OU=users,DC=domain,DC=com
    authz-regexp uid=([^,]*),cn=[^,]*,cn=auth cn=$1,DC=domain,DC=com
    authz-policy to

    access to attrs=userPassword,shadowLastChange
        by anonymous auth
        by self write
        by * none
    access to attrs=sambaLMPassword,sambaNTPassword
        by dn="uid=samba_admin,dc=domain,dc=com" read
        by * none
    access to dn.base=""
        by * read

/etc/openldap/init.ldif:

    dn: dc=domain,dc=com
    dc: domain
    o: Office
    objectclass: dcObject
    objectclass: organization
    objectclass: top

    dn: cn=admin,dc=domain,dc=com
    cn: admin
    objectclass: organizationalRole

    dn: ou=groups,dc=domain,dc=com
    objectclass: organizationalUnit
    objectclass: top
    ou: groups

    dn: ou=machines,dc=domain,dc=com
    objectclass: organizationalUnit
    objectclass: top
    ou: machines

    dn: ou=users,dc=domain,dc=com
    objectclass: organizationalUnit
    objectclass: top
    ou: users

    dn: sambaDomainName=domain,dc=domain,dc=com
    objectclass: sambaDomain
    objectclass: top
    sambaalgorithmicridbase: 10000
    sambadomainname: domain
    sambasid: S-1-5-21-1

    dn: uid=samba_admin,dc=domain,dc=com
    objectclass: account
    objectclass: simpleSecurityObject
    objectclass: top
    uid: samba_admin
    userpassword: {SSHA}V4aSjZpxJs0jroIXrKAZKYRdDf7+M9H/

/etc/nsswitch.conf:

    passwd:     files ldap
    group:      files ldap
    hosts:      files dns mdns
    ipnodes:    files dns mdns
    networks:   files
    protocols:  files
    rpc:        files
    ethers:     files
    netmasks:   files
    bootparams: files
    publickey:  files
    netgroup:   files
    automount:  files
    aliases:    files
    services:   files
    printers:   user files
    auth_attr:  files
    prof_attr:  files
    project:    files
    tnrhtp:     files
    tnrhdb:     files

I have added to /etc/pam.conf:

    login  auth    sufficient pam_ldap.so.1
    other  auth    sufficient pam_ldap.so.1
    other  account sufficient pam_ldap.so.1

I have set up a profile USER with nwamcfg:

    activation-mode manual
    enabled true
    nameservices files,dns,ldap
    nameservices-config-file "/etc/nsswitch.conf"
    dns-nameservice-configsrc manual
    dns-nameservice-domain "domain.com"
    dns-nameservice-servers "192.168.2.1"
    dns-nameservice-search "domain.com"
    ldap-nameservice-configsrc manual
    ldap-nameservice-servers "127.0.0.1"
    default-domain "domain.com"

/var/ldap/ldap_client_cred:

    NS_LDAP_BINDDN= cn=admin,dc=domain,dc=com
    NS_LDAP_BINDPASSWD= my-secret

/var/ldap/ldap_client_file:

    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= 127.0.0.1
    NS_LDAP_SEARCH_BASEDN= dc=domain,dc=com
    NS_LDAP_CACHETTL= 0
    NS_LDAP_AUTH= simple
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_REF= TRUE
    NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=users,dc=domain,dc=com
    NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=domain,dc=com
    NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=users,dc=domain,dc=com

This is my first encounter with SOLARIS and I am completely lost.

Title: Re: OpenIndiana - getting LDAP working for SAMBA
Posted by: tmcdos on Mar 07, 2012, 14:29

The problem was solved by editing the NWAM profile Automatic and re-running ldapclient:
    ldapclient manual -v \
      -a credentialLevel=proxy \
      -a authenticationMethod=simple \
      -a proxyDN=cn=admin,dc=domain,dc=com \
      -a proxyPassword=my-secret \
      -a defaultServerList=127.0.0.1:389 \
      -a defaultSearchBase=dc=domain,dc=com \
      -a domainName=domain.com \
      -a followReferrals=false \
      -a attributeMap=group:userpassword=userPassword \
      -a attributeMap=group:memberuid=memberUid \
      -a attributeMap=group:gidnumber=gidNumber \
      -a attributeMap=passwd:gecos=cn \
      -a attributeMap=passwd:gidnumber=gidNumber \
      -a attributeMap=passwd:uidnumber=uidNumber \
      -a attributeMap=passwd:homedirectory=homeDirectory \
      -a attributeMap=passwd:loginshell=loginShell \
      -a attributeMap=shadow:shadowflag=shadowFlag \
      -a attributeMap=shadow:userpassword=userPassword \
      -a objectClassMap=group:posixGroup=posixGroup \
      -a objectClassMap=passwd:posixAccount=posixAccount \
      -a objectClassMap=shadow:shadowAccount=shadowAccount \
      -a serviceSearchDescriptor=passwd:ou=users,dc=domain,dc=com?sub \
      -a serviceSearchDescriptor=group:ou=groups,dc=domain,dc=com?sub

and a small correction in /etc/nsswitch.ldap - to use DNS for hosts.
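The following is an added example, not code from the thread, that models what the ldapclient settings above ask the Solaris NSS backend to do: search the passwd service under the serviceSearchDescriptor base with the given scope, keep only entries whose objectClass matches the objectClassMap, and assemble a passwd(5) line from the attributeMap. Running it offline against a constructed LDIF sample (the entries, names and UIDs below are made up) shows why an entry that `ldapsearch` returns can still be invisible to `getent passwd`: wrong scope, missing posixAccount class, or a missing mapped attribute. The DN handling is deliberately simplified (no escaped commas, no base64 or folded LDIF lines).

```python
"""Added example: replay the Solaris ldapclient passwd mapping locally.

Not from the original post. The maps mirror the ldapclient invocation in
the thread; the LDIF below is constructed sample data, not a real export.
"""
from typing import Dict, List, Optional

# attributeMap=passwd:<field>=<ldap attribute> from the thread's ldapclient call
PASSWD_ATTR_MAP = {
    "uidnumber": "uidNumber",
    "gidnumber": "gidNumber",
    "gecos": "cn",
    "homedirectory": "homeDirectory",
    "loginshell": "loginShell",
}
PASSWD_OBJECTCLASS = "posixAccount"  # objectClassMap=passwd:posixAccount=posixAccount
PASSWD_SSD_BASE = "ou=users,dc=domain,dc=com"  # serviceSearchDescriptor=passwd:...?sub

# Constructed sample: roughly what `ldapsearch -x -b dc=domain,dc=com` could print.
SAMPLE_LDIF = """\
dn: uid=ldap_user,ou=users,dc=domain,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: ldap_user
cn: LDAP Test User
uidNumber: 10001
gidNumber: 10001
homeDirectory: /export/home/ldap_user
loginShell: /bin/bash
userPassword: {SSHA}constructed-placeholder

dn: uid=nested,ou=staff,ou=users,dc=domain,dc=com
objectClass: posixAccount
uid: nested
cn: Nested User
uidNumber: 10002
gidNumber: 10001
homeDirectory: /export/home/nested
loginShell: /bin/sh

dn: uid=samba_admin,dc=domain,dc=com
objectClass: account
objectClass: simpleSecurityObject
uid: samba_admin
userPassword: {SSHA}constructed-placeholder
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: one dict per entry, attribute names lower-cased
    because LDAP attribute types are case-insensitive."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def dn_components(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (escaped commas not supported)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Apply an LDAP search scope relative to base_dn: base, one or sub."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def to_passwd_line(entry: Dict[str, List[str]]) -> Optional[str]:
    """Build 'name:x:uid:gid:gecos:home:shell' via the attribute map, or None
    when the entry is not a posixAccount or a mapped attribute is absent."""
    classes = [oc.lower() for oc in entry.get("objectclass", [])]
    if PASSWD_OBJECTCLASS.lower() not in classes:
        return None
    values = [entry.get("uid", [None])[0], "x"]
    for field in ("uidnumber", "gidnumber", "gecos", "homedirectory", "loginshell"):
        found = entry.get(PASSWD_ATTR_MAP[field].lower())
        values.append(found[0] if found else None)
    if any(v is None for v in values):
        return None
    return ":".join(values)


def getent_passwd(ldif: str, name: str, base_dn: str = PASSWD_SSD_BASE,
                  scope: str = "sub") -> Optional[str]:
    """Emulate `getent passwd <name>` for the ldapclient settings above."""
    for entry in parse_ldif(ldif):
        if name not in entry.get("uid", []):
            continue
        if not in_scope(entry["dn"][0], base_dn, scope):
            continue
        line = to_passwd_line(entry)
        if line is not None:
            return line
    return None


if __name__ == "__main__":
    for user in ("ldap_user", "nested", "samba_admin"):
        for scope in ("one", "sub"):
            print(f"{user:12s} scope={scope:4s} -> {getent_passwd(SAMPLE_LDIF, user, scope=scope)}")
```

On the real host the equivalent check is to compare `ldapsearch -x -b ou=users,dc=domain,dc=com uid=ldap_user` against `getent passwd ldap_user`: if the first returns the entry and the second prints nothing, the search descriptor, scope, object class or attribute map is where to look. Note also that the proxyDN used in the thread is the directory's rootdn, so the credentials stored in /var/ldap/ldap_client_cred grant full write access to the tree rather than the read-only lookup that NSS needs.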