Барабанов ldap и Все-все-все
TRANSCRIPT
LDAP --.
, alekseybb@a!l."# , $%&&'.&(.(( ) (%&&'.&*.(+ ) %
2- : 3 3 8 . - , !.
, LDAP Linu, ! "
#!$% % LDAP& ' ( !& ) * +LDAP, ! (# ($ (*$& $ - $% , (."% +#, # (*$, *$ (!& / * ( (0 ( $% -$% $% ($!$% &
1 , ! !2 * #&3 * ,
( % & 1 , !$ 4u45 * 644 LDAP PA7 LDAP * ("" # $% ( ". PADL 489:; P:? L:@ ( . ( (* !( $% ! ( LDAP& ! *, & B ", #$ C(# +,!."% $, ! - % & E FG>n 48u=H> $! , !." * !, &
I, ! # ! C# ,! ( ($ $% (& ', , * + #2+ % # %# (! ++ J&8=iK & ', # ., ( $ ! $& (, ! !, ! .&
/ # (" M::GNOO;;;&
1. ............................................................................................................................................31.1. ...............................................................................................................................31.2. ! LDAP.............................................................................................."
2. #$$...............................................................................................................................................%2.1.&! #$$ LDAP..........................................................................................................................%
2.2.'( )! *+!,........................................................................................2.3./ 0 ...........................................................................................................122.".4! #$$ LDAP..........................................................................................................................132.5.40 /) #$$ LDAP..............................................................................................1%
3. PA6.............................................................................................................................................223.1.&! ! PA6 LDAP........................................................................................................223.2.40 /) PA6 LDAP.............................................................................................253.3.&! 789:;2.........................................................................................................................2?3.".4! 789:;2...........................................................................................................................2%3.5.&! 789:@87...........................................................................................................................3B3.?.4! 789:@87.............................................................................................................................32
3.%.&! 78CC 789:;2.........................................................................................................333.. 4! 78CC 789:;2..........................................................................................................33.E.&! 78CC 789:@87............................................................................................................"B3.1B.4! 78CC 789:@87..........................................................................................................."33.11. F/ PA6G...................................................................................................................................""
4 A. '0 !................................................................................................................."%H.1.' / IJJK- LDAP........................................................."%H.2.' / )/ )! @87IJCMI............................................................"%A.3.F+*, LDAP..........................................................................................................."%A.".&! *) /0 LDAP........................................................................................................"H.5.F+*, ! LDAP.........................................................................................................."
H.?.F+*, #$$............................................................................................................................"A.%.'-!) PA6 *0 C;.................................................................................................."E4 N. 00O )!/!O /(!.............................................................................................5B4 . ) $;$Q 789-B.%%.............................................................................................52
.1.4)0! R!* )(......................................................................................52.2.N!R0 ,! !!.......................................................................................53.3.4 /!...........................................................................................................5"
(. .
(.(./ 012.
X $ %$ & _ !, ! (! $% & ,
*, $ * #$ ( Linu& I, ! LDAP #0 $ $ ! # , ! D6\DiR:inKuiRM>@ 6^ W ', !2 , *.$ $& ' # +($ -%& `, , ! $ $. . 4u45 Linu Q&a&b, * $ %$ $, $ * %$ $ *$,$, & 3! * , ! -$ $$ $$ ( . $ 4u45 Q&a&b&
I*, ! caU&cde&b&bOUf& B, * -.( gcaU&cde&b&c& 899iH>&]8H: & B \hD6^ R>=Q>=&899iH>&]8H: & $ *$ $( * $ ( $&
I ( ($ LDAP % ( # * *& 3(, $ 0 - ($ @Hj899iH>, @Hj]8H:, ! (! @8Sn:j899iH>, @8Sn:j]8H:&
` ( ($ (! ( $ .*, ($$ LDAP =88:@n, =88: @iR:inKuiRM>@ n, $" - LDAP, & #$( LDAP ( LDAP ( &' !$ ( ( #& l -, ( $% ( ($, * ( + #% (, (, $ =88:@n, #$ #$ ( .$ .$( ($ LDAP, ( (!$% %& `# , ( ( =88:@n #!% ( LDAP - # $& - ! D6 #( Hnj]@
($ "$& m$ .*$ *$ $ , &
$ +# $ . !, . , $ - *& - *
. -, (* . "$ ." #$&
` , $ LDAP ($ , (% $%,!$ ( $ + !&
(.%.342 5 LDAP.
I* #, % ( LDAP & ` " - # $& I *!& E* ( #!$
4?,uid eq,pres,sub
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
server:~ #
` =88:@n +( $ CR>H=>:& R]
$% +( %- # %&
' $ , ! * $ 4
$G@2F8I? E $2H5A?+2F)A+2?F2+G+I)
I$ $ (. ! !$% ( + O>:HOR?RH8n9iKO8G>n]@:HOR?RH8n9iKO8G>n]@)H5.Lslapd
tcp 0 0 127.0.0.1:389 0.0.0.0:* LISTEN 1582/slapd
server:~ #
3 # LDAP % (&
%. 677.
X ( .!$% %( + (, *
( ! ! + , 644 `! B*$ ' \6 4>=QiH> 4;i:HM^& 1, ( , (. * $% + $ ui@, $ *& 3 (, - ui@ ( 644 LDAP (.! , ! . $ +$ ui@,$ * $% $% (%, O>:HOG
server:~ # cat /etc/ldap.conf | grep -v ^# | grep -v ^$
host 127.0.0.1:389
base dc=office,dc=localnet
nss_base_passwd ou=People,dc=office,dc=localnet?one
nss_base_shadow ou=People,dc=office,dc=localnet?one
nss_base_group ou=Groups,dc=office,dc=localnet?one
binddn cn=ldapadmin,dc=office,dc=localnet
bindpw secret
server:~ #
) ( LDAP, ( ($,$ ! + .*%, % #%, D6( $ % ( , ,# $ & I ( =88:@n, !$ # ($ LDAP&
1- ( C8ujP>8G]>,@Hj899iH>,@Hj]8H:z8n>& ` ( ( 8ujP>8G]>,@Hj899iH>,@Hj]8H: LDAP, (& ($ Cz8n>, !. % * CRu \ Ru:=>>^, ! (! . #&
B$ 644 * + O>:HOnRR;i:HM&H8n9& p #+ !($!& *$ . ." ,!." ( ! + .*, #&
server:~ # cat /etc/nsswitch.conf | grep \(^passwd\|^shadow\|^group\)
passwd: files ldap
shadow: files ldap
group: files ldap
server:~ #
3 $ ( ( (, ( LDAP& 3 ! ! $% (% .*, + ". 644& { g & ' ! LDAP ( $ ($, ,! $ ($, LDAP& B " % .* #& &
%.%.9: ;5 .
W, ! * LDAP * #$ .*$& ' ! + ! , , ! #$ .* $, (*& , $ , !$ *$ (, ( =88: -, ( $ =88: ( LDAP, ( =88: ( ($&
1& B LDAP #&
server:~ # cat /etc/nsswitch.conf | grep ^\(passwd\|shadow\|group\)
passwd: ldap files
shadow: ldap files
group: ldap files
server:~ #
I# + !$ $ =88:&
server:~ # cat Nroot.ldifRRHN dn: uid%root&ou%2eople&dc%office&dc%localnetN uid: rootN cn: rootN sn: rootN ob
server:~ # getent passwd | grep ^root
root:x:0:0:root:/root:/bin/bash
server:~ # getent shadow | grep ^root
root::12089:0:10000::::
server:~ #
` ( =88: LDAP&
server:~ # ldapmodify -a -v -D cn=ldapadmin,dc=office,dc=localnet -H ldap://localhost -x -w secret -f root.ldif
ldap_initialize( ldap://localhost )
add uid: root
add cn: root
add sn: root
add obfgC)7C
adding new entry uid=root,ou=People,dc=office,dc=localnet
modify complete
server:~ #
I ( g .*, LDAP2.* &
server:~ # getent passwd | grep ^root
root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
server:~ # getent shadow | grep ^root
root:.v)l9r>fgC)7C:12089::10000::::0
root::12089:0:10000::::
server:~ #
' V 3 * ( =88: . (=88:2.* LDAP&
alekseybb@server:~> su - root
Password:
server:~ # id
uid=0(root) gid=0(root) groups=0(root),501(cvs)
server:~ #
I $ & $ , g !& p! ( # .*& I ( !% ( * ,*"# ( LDAP, # ("", * ("$ + LDAP ( OQ
server:~ # rcnscd stop
Shutting down Name Service Cache Daemon    done
server:~ #
I $ + *
.!# - nRH@&
%.?. 55BC E5.
{$ , $ ! ($% % $ 644 ( LDAP, ( $% .* &, ( % .* =88: & 1 * !$% $ ($ , ! . =88: *&
B! ( ( # ( R:$ , * # . +( CRR&
server:~ # useradd -m -p `mkpasswd satest q1` atest
server:~ # cat /etc/passwd | grep atest
atest:x:100:100::/home/atest:/bin/bash
server:~ #
# ui@, $-, cbb~& I, ! (* +(# ( ($ &
alekseybb@server:~> su - atest
Password:
atest@server:~> id
uid=100(atest) gid=100(users) groups=100(users),1(uucp),16(dialout),1(audio),33(video)
atest@server:~> exit
logout
alekseybb@server:~>
3 ( #!# ( LDAP, #, (!.", * C]R:& ` ( ( $ ( 4
` ! .! "# (, ! TR>?, R: ". $ Ru, ( +($ RR: ( ]R:& ( Ru PA7 $." (&
server:~ # cat /etc/pam.d/su | grep -v ^# | grep -v ^$
auth     sufficient pam_rootok.so
auth     required   pam_unix2.so nullok #set_secrpc
account  required   pam_unix2.so
password required   pam_pwcheck.so nullok
password required   pam_unix2.so nullok use_first_pass use_authtok
session  required   pam_unix2.so debug # none or trace
server:~ #
PA7 $ Ru 4u45 Linu&) # , ! PA7 ( LDAP .
+. $% .*% % +$% $% PA7! !( 644&
U&f&c& I nRR c& + $% .*% & *$ ." (& I .! (&
alekseybb@server:~> su - atest
Password:
atest@server:~> id
uid=100(atest) gid=100(users) groups=100(users),1(uucp),16(dialout),1(audio),33(video)
atest@server:~> exit
logout
alekseybb@server:~> su - atest
Password:
su: $
alekseybb@server:~>
B" # .* ! . $.* LDAP& /+ .* ( LDAP (*& 3 $ (*$ ( $%
( LDAP ( $ ., (- , !.*$ LDAP (. ($ &
U&f&U& I nRR U&W ( .* ( GS:1C"16:1:DDDDD:1:::atest:*=4"dmV
' &
alekseybb@server:~> su - atest
Password:
atest@server:~> id
uid=1002(atest) gid=513(Domain Users) groups=513(Domain Users),1(uucp),16(dialout),1(audio),33(video)
atest@server:~>
atest@server:~> exit
logout
alekseybb@server:~> su - atest
Password:
su: $
alekseybb@server:~>
W $ , !. +. $ ( (($ LDAP&
) , ! ! % !& ', % ! ! (, $644&
U&f&o& I nRR o&W ( %- ( RM
( .* G
` $ # ]R:, - LDAP *# ( ( LDAP&
` $ *$ LDAP .*& m - =88:@n # +!# ( ( LDAP, $$ $ .*, $ .* ]@=
( ( # ! +& I +( $C=8;R>=& I ( .* LDAP, #! ( %- H=?G: ( $&
server:~ # cat Nldapbro'ser.ldiffRRHN dn: cn%ldapbro'ser&dc%office&dc%localnetN cn: ldapbro'serN sn: ldapbro'serN ob
server:~ #
' 644 LDAP , !$ LDAP( $ ( ]@=&
server:~ # cat /etc/ldap.conf | grep -v ^# | grep -v ^$
host 127.0.0.1:389
base dc=office,dc=localnet
nss_base_passwd ou=People,dc=office,dc=localnet?one
nss_base_shadow ou=People,dc=office,dc=localnet?one
nss_base_group ou=Groups,dc=office,dc=localnet?one
binddn cn=ldapbrowser,dc=office,dc=localnet
bindpw browser
server:~ #
3 * .* LDAP &
server:~ # getent passwd | grep atest
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep atest
atest:*=4"dmV g !# (, g * (&
I ($ R>
-rw-r----- 1 root shadow 110 Jul 16 20:05 /etc/shadow
server:~ #
I . ( ( , ( ]@= ! uR>=P
! $% %-, % ! $-". &
1, , ( $- ( ( ( ## ( =88:@n % & 3(, ( # . #* ( * % .*
LDAP ($ &
O>:HO]@
?. PAH.
PA7 I#*$ E /+ \P]uKK Au:>n:iHR^. . , .". *$+ ( Linu, $ (%.* & B ! ( +
& $- 644 LDAP, # (PA7 $! *, # + ( LDAP (!$( !( 644& 1 PA7 * $ (LDAP ( 644& I , ! # #&
?.(.85 5 PAH LDAP.
PA7 , 0$% & ' , (
( % LDAP ! , ! ! G
passwd: files
shadow: files
group: files
EOF
server:~ #
server:~ # cat /etc/nsswitch.conf | grep ^\(passwd\|shadow\|group\)
passwd: files
shadow: files
group: files
server:~ # cat /etc/nsswitch.conf >/etc/nsswitch.conf.noldap
server:~ #
' ( * , ! * (&
server:~ # getent passwd | grep atest
atest:x:100:100::/home/atest:/bin/bash
server:~ # getent shadow | grep atest
atest:v3ul;C?@@dl5o:12616:1:99999:1:::
server:~ #
3 644 " LDAP, .* LDAP, +. % , ($% PA7 LDAP &
( PA7 LDAP " ". ."#, (#, !, GtuiRi:> g " -# $ (! " #$ ( ! ## ($ #
=>tui=>@ g !# $ # $ % $%, !$% (!
Ru99iHi>n: g " -# $
(! " ($ (, ! (# ($ # %, $"% +# =>tui=>@ (!, * #$ (, # (! #
8G:i8n
644, ! * & I $ %- RRM
server:~ # cat /etc/passwd.atest | grep -v atest >/etc/passwd
server:~ # getent passwd | grep atest
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep atest
atest:=1I0tJ3?+sC>S:12616:1:99999:1:::
server:~ #
I&
alekseybb@server:~> su -c id atest
Password:
uid=1002(atest) gid=513(Domain Users) groups=513(Domain Users),1(uucp),16(dialout),1(audio),33(video)
alekseybb@server:~> su -c id atest
Password:
uid=1002(atest) gid=513(Domain Users) groups=513(Domain Users),1(uucp),16(dialout),1(audio),33(video)
alekseybb@server:~>
3 % ( .* LDAP !( $ & 1 , ! , "$ + ( (. ! $ ## ( (-# + (2(- &
o&f&o& I uniU o&
I( ( RM
server:~ # getent passwd | grep atest
atest:x:100:100::/home/atest:/bin/bash
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep atest
server:~ #
( &
alekseybb@server:~> su -c id atest
Password:
su: $
alekseybb@server:~> su -c id atest
Password:
uid=100(atest) gid=100(users) groups=100(users),1(uucp),16(dialout),1(audio),33(video)
alekseybb@server:~>
_$ $ , %- # * (%, .*$ $&
o&f&q& I uniU q&
. +. # .* , ( # #&
server:~ # cat /etc/shadow.atest | grep -v ^atest >/etc/shadow
server:~ # echo atest:*::::::: >>/etc/shadow
server:~ # getent passwd | grep atest
atest:x:100:100::/home/atest:/bin/bash
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep atest
atest:*:::::::
server:~ #
I&
alekseybb@server:~> su -c id atest
Password:
su: $
alekseybb@server:~> su -c id atest
Password:
uid=100(atest) gid=100(users) groups=100(users),1(uucp),16(dialout),1(audio),33(video)
alekseybb@server:~>
1 # (*& X $ .* $ (&
I #& I !$ ($ $ #!, $ 644 LDAP&
uniU c uniU U uniU o uniU f uniU q
G
RuHH>RRj@8n> n>;kt@j@8n> uR>=kunTn8;njiKn8=> @>9;kt@j@8n> uR>=kunTn8;njiKn8=>
server:~ #
X uR>k9i=R:kG
Y$ .* !* .&
alekseybb@server:~> su -c id atest
Password:
su: $
alekseybb@server:~> su -c id atest
Password:
uid=1002(atest) gid=513(Domain Users) groups=513(Domain Users),1(uucp),16(dialout),1(audio),33(video)
alekseybb@server:~>
/+ % ( $% ( LDAP&
o&d&f& I G
B *, ."% PA7, , ! ! ( ( $%%- .* (& X" (*, ( (, ( # =88:& W ($ G:HOG
atest@server:~> id
uid=100(atest) gid=100(users) groups=100(users),1(uucp),16(dialout),1(audio),33(video)
atest@server:~> passwd
Changing password for atest.
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Unknown error
Password changed
atest@server:~>
I !# $ %- ( (&
server:~ # getent passwd | grep ^atest
atest:x:100:100::/home/atest:/bin/bash
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep ^atest
atest:$1$KzzzTIz$Trsp0ep1>hd=Vg68.zH!:12620:1:99999:1:::
atest::::::::0
server:~ #
#- LDAP . . +(, , *$ ( !( 5n:>=, ! # $!#- $ ($, $! (- * (. (&
atest@server:~> passwd
Changing password for atest.
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
LDAP Password incorrect: try again
Old Password:
New password:
Re-enter new password:
Password changed
atest@server:~>
#&
server:~ # getent shadow | grep ^atest
atest:$1$+d'z8Htz$=7'=b4
&
#, * ."& ` "&
passwd[31521]: pam_unix2: pam_sm_chauthtok() called
slapd[200]: conn=65 fd=15 ACCEPT from IP=127.0.0.1:3583 (IP=127.0.0.1:389)
slapd[220]: conn=65 op=0 BIND dn=cn=ldapbrowser,dc=office,dc=localnet method=128
slapd[220]: conn=65 op=0 BIND dn=cn=ldapbrowser,dc=office,dc=localnet mech=simple ssf=0
slapd[220]: conn=65 op=0 RESULT tag=97 err=0 text=
slapd[220]: conn=65 op=1 SRCH base=ou=People,dc=office,dc=localnet scope=1 filter=(uid=atest)
slapd[220]: conn=65 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[28038]: conn=65 op=2 BIND anonymous mech=implicit ssf=0
slapd[28038]: conn=65 op=2 BIND dn=uid=atest,ou=People,dc=office,dc=localnet method=128
slapd[28038]: conn=65 op=2 BIND dn=uid=atest,ou=People,dc=office,dc=localnet mech=simple ssf=0
slapd[28038]: conn=65 op=2 RESULT tag=97 err=0 text=
slapd[28038]: conn=65 op=3 BIND anonymous mech=implicit ssf=0
slapd[28038]: conn=65 op=3 BIND dn=cn=ldapbrowser,dc=office,dc=localnet method=128
slapd[28038]: conn=65 op=3 BIND dn=cn=ldapbrowser,dc=office,dc=localnet mech=simple ssf=0
slapd[28038]: conn=65 op=3 RESULT tag=97 err=0 text=
passwd[31521]: pam_unix2: pam_ldap/pam_sm_chauthtok() returned 0
passwd[31521]: pam_unix2: pam_sm_chauthtok() called
slapd[220]: conn=65 op=4 MOD dn=uid=atest,ou=People,dc=office,dc=localnet
slapd[220]: conn=65 op=4 MOD attr=userPassword
slapd[220]: conn=65 op=4 RESULT tag=103 err=50 text=
passwd[31521]: pam_ldap: ldap_modify_s Insufficient access
passwd[31521]: pam_unix2: pam_ldap/pam_sm_chauthtok() returned 6
slapd[28038]: conn=65 op=5 UNBIND
slapd[28038]: conn=65 fd=15 closed
I! % , G
atest@server:~> passwd
Changing password for atest.
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information changed for atest
atest@server:~>
B, ! ! # ( LDAP&
server:~ # getent shadow | grep ^atest
atest:=1I0tJ3?+sC>S:12616:1:99999:1:::
atest::::::::0
server:~ # ldapsearch -LLL -H ldap://localhost -D cn=ldapadmin,dc=office,dc=localnet -x -w secret (uid=atest) userPassword
dn: uid=atest,ou=People,dc=office,dc=localnet
userPassword:: bK!7Z5!Ig==
server:~ #
3 (, $ ( LDAP, ( *& ( ( LDAP, ( $& , ., #, !- (- (. ( LDAP&I, ! # % ! &
` G
server:~ #
) * , ! + PA7 % LDAP rx6D , PA7 C$ %- RRM
atest::::::::0
server:~ # ldapsearch -LLL -H ldap://localhost -D cn=ldapadmin,dc=office,dc=localnet -x -w secret (uid=atest) userPassword
dn: uid=atest,ou=People,dc=office,dc=localnet
userPassword:: e35zaKDbCtrG9H;@ZGC@p@zG?9@GCh'5!6=IH7z@nh!5lT=
server:~ #
$ LDAP, ! ."&
atest@server:~> passwd
Changing password for atest.
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information changed for atest
atest@server:~>
' $ %- LDAP , *& # LDAP # .*, # &
atest@server:~> passwd
Changing password for atest.
Enter login(LDAP) password:
Password change aborted
Old Password:
passwd: Authentication failure
atest@server:~>
I$ %- ( (&
o&e&o& I G
o&e&f& I G
X password:
Enter new UNIX password:
Retype new UNIX password:
atest@server:~>
) $ #- $ # .*,! ! # RM
" ! ( # %- LDAP&
atest@server:~> passwd
Changing password for atest.
Changing password for atest
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
LDAP password information changed for atest
atest@server:~>
3 +, ! ( ! * %- ( RM
pam_password exop
nss_base_passwd ou=People,dc=office,dc=localnet?one
nss_base_shadow ou=People,dc=office,dc=localnet?one
nss_base_group ou=Groups,dc=office,dc=localnet?one
binddn cn=ldapbrowser,dc=office,dc=localnet
bindpw browser
server:~ #
3 ! g $ %- LDAP .-& 1 , $ $- R]
iKn8=>k
Changing password for atest.
Changing password for atest
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
LDAP password information changed for atest
atest@server:~>
(*, *. , ! ! ( & 3 ( % %(&
server:~ # getent passwd | grep ^atest
atest:x:100:100::/home/atest:/bin/bash
atest:x:1002:513:Office User:/home/atest:/bin/bash
server:~ # getent shadow | grep ^atest
atest:KG."u/H;%
server:~ #
o&cb&U& I G
G
[6x (. !( G
FE A. 9B 5.
) $* !$ !, $- - $% $ $($ ! !&
/&c&p ( # =88:2.* LDAP&
server:~ # cat root.ldif
dn: uid=root,ou=People,dc=office,dc=localnet
uid: root
cn: root
sn: root
ob
cachesize !!!!
dbcachesize "!!!!!!!
suffix dc=office,dc=localnet
rootdn cn=ldapadmin,dc=office,dc=localnet
rootpw ())*+,"n!nsv012456*o78+sa!'9p
directory /var/lib/ldap
index ob? eq
index memberUID,uid eq,pres,sub
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
include /etc/openldap/slapd.access.conf
server:~ #
I$ %- CR>H=>:&
A&f&1 ($ LDAP&
server:~ # cat /etc/openldap/slapd.access.conf | grep -v ^# | grep -v ^$
access to dn=.*,dc=office,dc=localnet attr=userPassword
        by anonymous auth
        by self write
        by * none
access to dn=.*,dc=office,dc=localnet
        by self write
        by * read
server:~ #
/&q&+# LDAP&
server:~ # cat /etc/ldap.conf | grep -v ^# | grep -v ^$
host 127.0.0.1:389
base dc=office,dc=localnet
pam_password exop
nss_base_passwd ou=People,dc=office,dc=localnet?one
nss_base_shadow ou=People,dc=office,dc=localnet?one
nss_base_group ou=Groups,dc=office,dc=localnet?one
server:~ #
p $ &
server:~ # cat /etc/ldap.secret
browser
server:~ # ls -l /etc/ldap.secret
-rw------- 1 root root 8 Jul 16 21:52 /etc/ldap.secret
server:~ #
/&d&+# 644&
server:~ # cat /etc/nsswitch.conf | grep -v ^# | grep -v ^$
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files
server:~ #
A&~&p2 PA7 $ Ru&
server:~ # cat /etc/pam.d/su | grep -v ^# | grep -v ^$
auth     sufficient pam_rootok.so
auth     [success=done new_authtok_reqd=done user_unknown=ignore authinfo_unavail=ignore default=bad] pam_unix_auth.so
auth     required   pam_ldap.so use_first_pass
account  sufficient pam_unix2.so
account  required   pam_ldap.so
password required   pam_pwcheck.so nullok
password sufficient pam_unix2.so nullok use_first_pass use_authtok
password required   pam_ldap.so use_first_pass use_authtok
session  sufficient pam_unix2.so
session  required   pam_ldap.so
server:~ #
/&e&p2 PA7 $ G
FE . BB, ;, :5.
m(. $ $, $($ % $& I % ($% *& W* % , # *& 1 *, ! 4u45 Linu Qa&b& B , . !$%
!&
_&c& % *$% +$ $ (* !$ #, # (* ( #- (#(! Cini:jOinORM (# # #$ -& , ($ * ( !( CS8un: 28 =>S8un:,=; O ! &
_&U& '( + !( 644 LDAP ( $
$ %- $% & { ( (* ( & / # H=?G:#! (! %-&
nRRk]@
3 , # ( # $ LDAP .* ! 644 LDAP& 1 ( PA7 ( + $ , (*$( # $% ( LDAP ! $%, $% $% (% .*& , *$ !$% *&
G
FE . S; 7#7T Ia-&.**.
.(.F;B5 54 55):> , " ( #$( % #% & I#, kG=;=i:>, $ ( ($ %-, , #, kG>& I , ! GG, ." ( , $ !. , (". iKH=?G:& X. -&
I ( kG]>:> $( kG=;=i:>& (, G:> $ ! .&
/* update the password database(s) -- race conditions..? */
retval = _do_setpass(pamh, user, pass_old, tpass, ctrl,
                     remember);
_pam_delete(tpass);
pass_old = pass_new = NULL;
` ($ $( kG=;=i:>&
/* update the password database(s) -- race conditions..? */
retval = _do_setpass(pamh, user, pass_old, tpass, ctrl, remember);
_pam_overwrite(tpass);
pass_old = pass_new = NULL;
3%#! ." ( G E2 .
B ". G
X- . 4u45 a&b, G