LDAP SASL authentication based on Kerberos
Environment: a Kerberos server (KDC) is assumed to be already set up. The directory server is Red Hat/389 Directory Server (the dirsrv and dirsrv-admin services), managed with redhat-idm-console.
KDC: server1.example.com, 192.168.32.31
LDAP server: station2.example.com, 192.168.32.32
I. Add the LDAP service to Kerberos
[root@station2 ~]# kadmin
Authenticating as principal root/[email protected] with password.
Password for root/[email protected]:
kadmin: addprinc ldap/station2.example.com
kadmin: ktadd -k /etc/ldap.keytab ldap/station2.example.com
ktadd needs the principal name, otherwise kadmin reports an error and writes nothing. ktadd also replaces the principal's key with a random one when it writes the keytab, so the password typed at addprinc is discarded anyway (addprinc -randkey skips that prompt). The keytab is the service's long-term key: make it owned by the user the directory server runs as (the nsslapd-localuser value, nobody by default) with mode 0600, readable by nobody else.
II. Enable Kerberos support in the directory server
Point both the directory server and the admin server at the keytab through their sysconfig files:
[root@station2 ~]# vi /etc/sysconfig/dirsrv
KRB5_KTNAME=/etc/ldap.keytab ; export KRB5_KTNAME
[root@station2 ~]# vi /etc/sysconfig/dirsrv-admin
KRB5_KTNAME=/etc/ldap.keytab ; export KRB5_KTNAME
III. Edit the SASL settings with redhat-idm-console
1. Under SASL Mapping, add a SASL map with these values:
- Name:
gssapi-map
- Regular Expression:
uid=(.*),cn=station2.example.com,cn=gssapi,cn=auth
- Search Base DN:
uid=\1,ou=People,dc=station2,dc=example,dc=com
- Search filter:
(objectclass=*)
How the mapping works: for a GSSAPI bind the server takes the authenticated principal user@REALM and presents it as uid=user,cn=REALM,cn=gssapi,cn=auth, then tries the mapping regular expressions against that string. The cn= component after uid= is therefore the Kerberos realm; put the realm your KDC was set up with there. \1 in the base DN and filter stands for the first capture group. The server searches the resulting base with the filter and binds the client as the entry found, provided exactly one entry comes back. A principal from another realm does not match the expression and is refused, which is the behaviour you want.
2. Restart dirsrv and dirsrv-admin, then test
[root@station2 ~]# service dirsrv restart
[root@station2 ~]# service dirsrv-admin restart
Obtain a Kerberos ticket for a user that has an entry under ou=People first (kinit guest2002), then search with a GSSAPI bind. No -b is given, so the search base comes from /etc/openldap/ldap.conf. The SASL lines in the output show which principal authenticated and that a privacy layer was negotiated (SSF 1 would mean integrity only, 0 no layer; cyrus-sasl of this vintage reports a fixed 56 for the GSSAPI privacy layer, so the figure says nothing about the strength of the session key). The entry being returned shows the mapping resolved the principal to its LDAP entry:
[root@station2 ldap]# ldapsearch -Y GSSAPI "uid=guest2002" -LLL
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL installing layers
dn: uid=guest2002,ou=People,dc=station2,dc=example,dc=com
uid: guest2002
cn: guest2002
sn: guest2002
mail: [email protected]
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 15083
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 2002
gidNumber: 2000
homeDirectory: /home/guests/guest2002
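The following is an added example, not code from the original page: a stand-alone Python model of what the server does with the SASL map from step III.1 when a GSSAPI bind arrives, so the regular expression and the \1 templates can be tried against different principals offline. It assumes a Kerberos realm of STATION2.EXAMPLE.COM (the page never prints its realm) and a constructed directory containing only the guest2002 entry; the bind simulation is simplified to "the mapped base DN exists or it does not". It also produces the LDIF that creates the same mapping through ldapmodify instead of the console, using the attribute names of the nsSaslMapping object class in 389 Directory Server.

```python
# Added example (not code from the original page): a stand-alone model of
# how 389/Red Hat Directory Server turns a GSSAPI-authenticated principal
# into an LDAP entry through the SASL mapping defined in step III.1, plus
# the LDIF that creates the same mapping without the console.
# Assumptions (not stated on the page): the Kerberos realm is
# STATION2.EXAMPLE.COM, and ou=People contains only the guest2002 entry.
from __future__ import annotations

import re
from typing import Optional

# The four console fields from the page, as one mapping record.
GSSAPI_MAP = {
    "name": "gssapi-map",
    "regex": r"uid=(.*),cn=station2.example.com,cn=gssapi,cn=auth",
    "base_dn": r"uid=\1,ou=People,dc=station2,dc=example,dc=com",
    "filter": "(objectclass=*)",
}

# Constructed stand-in for the directory: the DNs that exist under ou=People.
PEOPLE = {"uid=guest2002,ou=People,dc=station2,dc=example,dc=com"}


def sasl_identity(principal: str, mech: str = "gssapi") -> str:
    """Build the string the server feeds to the mapping regex.

    For GSSAPI the server splits the authenticated principal user@REALM at
    the '@' and presents it as uid=<user>,cn=<REALM>,cn=<mech>,cn=auth.
    """
    user, _, realm = principal.partition("@")
    return f"uid={user},cn={realm},cn={mech},cn=auth"


def apply_mapping(identity: str, mapping: dict) -> Optional[tuple[str, str]]:
    """Return (search base, search filter) or None if the regex does not match.

    Matching is case-insensitive here because the page's regex spells the
    realm in lower case and its ldapsearch test still succeeds with it.
    """
    match = re.fullmatch(mapping["regex"], identity, re.IGNORECASE)
    if match is None:
        return None

    def expand(template: str) -> str:
        # \1 .. \9 in the templates refer to the regex capture groups.
        return re.sub(r"\\(\d)", lambda g: match.group(int(g.group(1))), template)

    return expand(mapping["base_dn"]), expand(mapping["filter"])


def bind_dn_for(principal: str, mapping: dict = GSSAPI_MAP,
                directory: set[str] = PEOPLE) -> Optional[str]:
    """Simulate the bind decision: map, then search; None means bind refused.

    Simplification: with filter (objectclass=*) and a base DN that names one
    entry, the search finds exactly that entry or nothing.  A real server also
    refuses the bind if the search returns more than one entry.
    """
    mapped = apply_mapping(sasl_identity(principal), mapping)
    if mapped is None:
        return None  # no mapping matched, e.g. a principal from another realm
    base, _filter = mapped
    return base if base in directory else None  # mapped, but no such entry


def mapping_ldif(mapping: dict) -> str:
    """LDIF that creates the same mapping with ldapmodify instead of the console.

    Attribute names are those of the nsSaslMapping object class in 389 DS.
    """
    return "\n".join([
        f"dn: cn={mapping['name']},cn=mapping,cn=sasl,cn=config",
        "changetype: add",
        "objectClass: top",
        "objectClass: nsSaslMapping",
        f"cn: {mapping['name']}",
        f"nsSaslMapRegexString: {mapping['regex']}",
        f"nsSaslMapBaseDNTemplate: {mapping['base_dn']}",
        f"nsSaslMapFilterTemplate: {mapping['filter']}",
        "",
    ])


if __name__ == "__main__":
    for p in ("guest2002@STATION2.EXAMPLE.COM",                      # the page's test user
              "alice@OTHER.EXAMPLE.COM",                             # foreign realm: no match
              "host/station2.example.com@STATION2.EXAMPLE.COM"):     # matches, but no entry
        print(f"{p:50} -> {bind_dn_for(p)}")
    print(mapping_ldif(GSSAPI_MAP))
```

The third principal is the instructive case: the loose (.*) in the expression accepts a service principal too, and only the absence of uid=host/station2.example.com under ou=People stops the bind, so keep the accounts that exist under the mapped base to real people. To create the mapping from the command line, pipe the output of mapping_ldif into ldapmodify -x -D "cn=Directory Manager" -W -H ldap://station2.example.com and restart the services as in step 2.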
Note: for the KDC setup see http://www.linuxidc.com/Linux/2011-04/34702.htm