[Linux] LDAP authentication setup with authconfig (nss_ldap/pam_ldap)

For someone like me, who:

  • finds editing files in vi a hassle
  • got it working somehow, but on su - [user] or first login the home directory is not created
  • finds the whole LDAP authentication setup tedious
  • would rather not touch the files under /etc/pam.d/ by hand

Installation

Command
yum install authconfig

Create /home/[user] on first login

Command
authconfig --enablemkhomedir --update

LDAP server settings (several servers can be listed, space-separated)

Command
authconfig --ldapserver="ldap://10.0.0.2/ ldap://10.0.0.3/" --update

Enable LDAP for name lookups (nss_ldap: used by libc-side tools such as getent; this is also what edits nsswitch.conf)

Command
authconfig --enableldap --update

Enable LDAP authentication (pam_ldap: used by login, telnetd and the like)

Command
authconfig --enableldapauth --update
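
Added example, not part of the original article: a Ruby script that checks what the four authconfig runs above should have left behind. It verifies that passwd, shadow and group in nsswitch.conf consult ldap, that the PAM stack loads pam_ldap.so and a mkhomedir module, and that nslcd.conf (which will hold bindpw in cleartext) is root-owned and not group/other readable. The file paths are the RHEL/CentOS 6 defaults and are an assumption; the parsers take text rather than paths, so they can be exercised on constructed samples without touching the host.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original article): sanity checks for the
# configuration that "authconfig --enableldap --enableldapauth
# --enablemkhomedir --update" is expected to produce.
# Paths below are RHEL/CentOS 6 defaults (assumption).

NSS_DATABASES = %w[passwd shadow group].freeze

# Returns the NSS databases that do not list "ldap" as a source.
# After "authconfig --enableldap" this should be empty.
def nss_databases_without_ldap(nsswitch_text)
  consulting_ldap = []
  nsswitch_text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip          # drop comments and blank lines
    db, sources = line.split(':', 2)
    next if db.nil? || sources.nil?
    consulting_ldap << db.strip if sources.split.include?('ldap')
  end
  NSS_DATABASES - consulting_ldap
end

# Each entry lists acceptable alternatives: authconfig --enablemkhomedir
# uses pam_oddjob_mkhomedir.so when oddjob is installed, pam_mkhomedir.so otherwise.
DEFAULT_PAM_MODULES = [
  %w[pam_ldap.so],
  %w[pam_mkhomedir.so pam_oddjob_mkhomedir.so]
].freeze

# Returns the wanted modules that are absent from a PAM stack such as
# /etc/pam.d/system-auth (first alternative is used as the reported name).
def pam_missing_modules(pam_text, wanted = DEFAULT_PAM_MODULES)
  loaded = pam_text.each_line.flat_map { |l| l.sub(/#.*/, '').split }
  wanted.reject { |alternatives| alternatives.any? { |m| loaded.include?(m) } }
        .map(&:first)
end

# nslcd.conf holds bindpw in cleartext, so it must belong to root and carry
# no group/other permission bits. Mode and uid are passed in (from File.stat)
# so the rule can be exercised without root.
def secret_file_problems(mode, uid)
  problems = []
  problems << format('mode %04o is readable by group/other', mode & 0o777) unless (mode & 0o077).zero?
  problems << "owner uid #{uid} is not root" unless uid.zero?
  problems
end

# Runs every check against the live host and returns a list of findings
# (empty means the LDAP setup looks complete).
def ldap_config_findings(nsswitch: '/etc/nsswitch.conf',
                         pam: '/etc/pam.d/system-auth',
                         nslcd: '/etc/nslcd.conf')
  findings = []
  missing_nss = nss_databases_without_ldap(File.read(nsswitch))
  findings << "#{nsswitch}: no ldap source for #{missing_nss.join(', ')}" unless missing_nss.empty?
  missing_pam = pam_missing_modules(File.read(pam))
  findings << "#{pam}: missing #{missing_pam.join(', ')}" unless missing_pam.empty?
  st = File.stat(nslcd)
  secret_file_problems(st.mode, st.uid).each { |p| findings << "#{nslcd}: #{p}" }
  findings
rescue Errno::ENOENT => e
  findings << e.message
end

if $PROGRAM_NAME == __FILE__
  findings = ldap_config_findings
  puts(findings.empty? ? 'OK: LDAP lookups, PAM modules and nslcd.conf permissions look right' : findings)
end
```

Run it as root after the authconfig commands; any line it prints is something authconfig did not do (or a permission that was loosened afterwards).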

From here on it stays tedious

bindpw, binddn and filter group could not be set with authconfig.
Either use sed, or, if you are doing it with Chef, something like this:

bindpw

recipe
ruby_block "insert_line_bindpw" do
  block do
    file = Chef::Util::FileEdit.new("/etc/nslcd.conf")
    # The password is interpolated into a regex, so escape it: a bindpw containing
    # $ . * + or ? would otherwise never match and get appended again on every run.
    # nslcd.conf now holds the password in cleartext; keep it root-owned and mode 0600.
    file.insert_line_if_no_match("^bindpw #{Regexp.escape(node[:ldap][:bindpw])}", "bindpw #{node[:ldap][:bindpw]}")
    file.write_file
  end
  notifies :restart, "service[nslcd]"   # needs a service "nslcd" resource in the same run
end

binddn

recipe
ruby_block "insert_line_binddn" do
  block do
    file = Chef::Util::FileEdit.new("/etc/nslcd.conf")
    # Escaped for the same reason as bindpw (the DN is used as a regex).
    file.insert_line_if_no_match("^binddn #{Regexp.escape(node[:ldap][:binddn])}", "binddn #{node[:ldap][:binddn]}")
    file.write_file
  end
  notifies :restart, "service[nslcd]"
end

filter group

recipe
ruby_block "insert_line_filter_group" do
  block do
    file = Chef::Util::FileEdit.new("/etc/nslcd.conf")
    file.insert_line_if_no_match("^filter group " + Regexp.escape(node[:ldap][:filter][:group]), "filter group #{node[:ldap][:filter][:group]}")
    file.write_file
  end
  notifies :restart, "service[nslcd]"
end

Addendum 2014/3/5

The sudo-ldap.conf settings were missing, and the pam_ldap.conf settings were a bit off.
It would be nice if authconfig could do all of this.

/etc/nslcd.conf
ruby_block "insert_line_/etc/nslcd.conf" do
  block do
    file = Chef::Util::FileEdit.new("/etc/nslcd.conf")
    # Values are interpolated into regexes, so escape them; otherwise a bindpw
    # with regex metacharacters never matches and is appended again on every run.
    file.insert_line_if_no_match("^bindpw #{Regexp.escape(node[:ldap][:bindpw])}", "bindpw #{node[:ldap][:bindpw]}")
    file.insert_line_if_no_match("^binddn #{Regexp.escape(node[:ldap][:binddn])}", "binddn #{node[:ldap][:binddn]}")
    file.insert_line_if_no_match("^filter group " + Regexp.escape(node[:ldap][:filter][:group]), "filter group #{node[:ldap][:filter][:group]}")
    file.write_file   # one write after all edits is enough
  end
  # nslcd reads nslcd.conf only at start, so this restart is required.
  # The file holds bindpw in cleartext: keep it root-owned, mode 0600.
  notifies :restart, "service[nslcd]"
end
pam_ldap.conf
ruby_block "insert_line_/etc/pam_ldap.conf" do
  block do
    file = Chef::Util::FileEdit.new("/etc/pam_ldap.conf")
    # pam_ldap.conf is normally world-readable; a bindpw stored here is visible to
    # every local user unless the file mode is tightened.
    file.insert_line_if_no_match("^bindpw #{Regexp.escape(node[:ldap][:bindpw])}", "bindpw #{node[:ldap][:bindpw]}")
    file.insert_line_if_no_match("^binddn #{Regexp.escape(node[:ldap][:binddn])}", "binddn #{node[:ldap][:binddn]}")
    # The original strings ended in a stray "}", which wrote an invalid uri value.
    file.insert_line_if_no_match("^uri ldap://127.0.0.1/", "uri ldap://127.0.0.1/")
    file.write_file
  end
  # nslcd does not read pam_ldap.conf (pam_ldap reads it itself), so this restart is harmless but not needed for this file.
  notifies :restart, "service[nslcd]"
end
sudo-ldap.conf
ruby_block "insert_line_/etc/sudo-ldap.conf" do
  block do
    file = Chef::Util::FileEdit.new("/etc/sudo-ldap.conf")
    # Same escaping as above; sudo-ldap.conf also carries the bind password, keep it root-only.
    file.insert_line_if_no_match("^bindpw #{Regexp.escape(node[:ldap][:bindpw])}", "bindpw #{node[:ldap][:bindpw]}")
    file.insert_line_if_no_match("^binddn #{Regexp.escape(node[:ldap][:binddn])}", "binddn #{node[:ldap][:binddn]}")
    file.insert_line_if_no_match("^sudoers_base #{Regexp.escape(node[:ldap][:sudoers_base])}", "sudoers_base #{node[:ldap][:sudoers_base]}")
    # Stray "}" removed from both strings (it produced an invalid uri line).
    file.insert_line_if_no_match("^uri ldap://127.0.0.1/", "uri ldap://127.0.0.1/")
    file.write_file
  end
  # sudo reads sudo-ldap.conf on each invocation; the nslcd restart is harmless but not needed for this file.
  notifies :restart, "service[nslcd]"
end
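
Added example, not the article's own Chef code: a plain-Ruby replacement for the insert_line_if_no_match pattern used in the recipes above (both the three single-key recipes and the combined addendum versions). It fixes the two weaknesses of that pattern: it replaces an existing line for the key (and drops duplicate key lines) instead of appending a second bindpw whenever the value changes, and it never interpolates the value into a regex. Because the file carries the bind password in cleartext, it is created with an explicit mode so there is no window in which it is world-readable. The file name, keys and values in the demo are constructed placeholders.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original article). Idempotent "key value" setter
# for nslcd.conf-style files (also usable for pam_ldap.conf / sudo-ldap.conf).
# Returns true when the file was changed, false when it was already correct,
# which is what a Chef ruby_block would report via updated_by_last_action.
def set_config_key(path, key, value, mode: 0o600)
  original = File.exist?(path) ? File.readlines(path, chomp: true) : []
  key_line = /\A\s*#{Regexp.escape(key)}(\s|\z)/   # matches "bindpw ..." but not "bindpwx"
  new_line = "#{key} #{value}"                     # the value never becomes part of a regex

  updated = []
  placed = false
  original.each do |line|
    if line.match?(key_line)
      updated << new_line unless placed     # first occurrence takes the new value
      placed = true                         # later duplicate key lines are dropped
    else
      updated << line
    end
  end
  updated << new_line unless placed         # key absent: append it

  changed = updated != original
  if changed
    # O_CREAT with an explicit mode: the password is never world-readable, even briefly.
    File.open(path, File::WRONLY | File::CREAT | File::TRUNC, mode) { |f| f.puts(updated) }
  end
  File.chmod(mode, path)   # also tighten a pre-existing file that was too open
  changed
end

# Applies several settings (a Hash of key => value) to one file in a single pass.
def configure_nslcd(path, settings, mode: 0o600)
  settings.map { |key, value| set_config_key(path, key, value, mode: mode) }.any?
end

if $PROGRAM_NAME == __FILE__
  require 'tempfile'
  # Constructed sample standing in for /etc/nslcd.conf; all values are placeholders.
  sample = Tempfile.new('nslcd.conf')
  sample.write("uri ldap://10.0.0.2/\nbindpw old-password\n")
  sample.close
  settings = { 'binddn'       => 'cn=proxy,dc=example,dc=com',
               'bindpw'       => 'pl@ce.h0lder$',
               'filter group' => '(objectClass=posixGroup)' }
  puts "changed: #{configure_nslcd(sample.path, settings)}"         # true
  puts File.read(sample.path)
  puts "changed again: #{configure_nslcd(sample.path, settings)}"   # false: idempotent
  sample.unlink
end
```

In a Chef ruby_block the return value can feed new_resource.updated_by_last_action so the nslcd restart only fires when the file really changed.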

Reference URL

http://l-w-i.net/t/fedora/ldap_001.txt
