More than 5 years have passed since last update.

@imura81gt

[Linux] LDAP authentication setup with authconfig (nss_ldap/pam_ldap)

For people like me who

  • find editing everything by hand in vi a hassle
  • got it configured somehow, but "su - [user]" or the first login fails because the home directory does not get created
  • find the whole LDAP authentication setup tedious
  • do not want to touch the files under /etc/pam.d/ by hand

Install

Command
yum install authconfig

Create /home/[user] on first login

Command
authconfig --enablemkhomedir --update

This puts pam_mkhomedir (or pam_oddjob_mkhomedir when the oddjob-mkhomedir package is installed) into the PAM session stack, so "su - [user]" and the first SSH login get a home directory instead of failing.

LDAP server settings

Command
authconfig --ldapserver="ldap://10.0.0.2/ ldap://10.0.0.3/" --update

Plain ldap:// URIs send the bind password and every user's password over the network in the clear. Either use ldaps:// URIs or add --enableldaptls together with --ldaploadcacert=<URL of the CA certificate> so that the server certificate is verified. You will normally also want --ldapbasedn="dc=example,dc=com" (value assumed) so that the search base is set in the same step.

Enable LDAP for name lookups (NSS side: getent and the other libc lookups use it, and this is the step that rewrites nsswitch.conf)

Command
authconfig --enableldap --update

On RHEL/CentOS 6 this turns on nss-pam-ldapd; its daemon, nslcd, reads the /etc/nslcd.conf that is edited further down.

Enable LDAP for authentication (PAM side: pam_ldap, used by login, sshd, su and every other PAM service; this is the step that rewrites the stacks under /etc/pam.d/ for you)

Command
authconfig --enableldapauth --update

Check: "authconfig --test" prints the resulting settings without changing any file, and once both switches are on, "getent passwd [user]" has to return the LDAP entry for [user] before a login can succeed.

From here on it stays tedious

bindpw, binddn and filter group could not be set with authconfig.
Either use sed, or, if you are doing it with Chef, something like the following.
Keep in mind that these files now hold the bind password: check their ownership and mode, and use a low-privilege bind DN that can only read what nslcd needs. A password kept in node[:ldap][:bindpw] as a plain node attribute is also saved to the Chef server with the node object, so feed it from an encrypted data bag instead.

bindpw

recipe
ruby_block "insert_line_bindpw" do
  block do
    file = Chef::Util::FileEdit.new("/etc/nslcd.conf")
    # The value goes into a regexp, so escape it: a password containing ".",
    # "$" or "+" would otherwise never match and be appended on every run.
    # This only adds a missing line; an old "bindpw" line with another value
    # stays in the file.
    file.insert_line_if_no_match("^bindpw #{Regexp.escape(node[:ldap][:bindpw])}$",
                                 "bindpw #{node[:ldap][:bindpw]}")
    file.write_file
  end
  # nslcd reads its config only at start-up; service[nslcd] must be declared
  # elsewhere in the recipe.
  notifies :restart, "service[nslcd]"
end

binddn

recipe
ruby_block "insert_line_binddn" do
  block do
    file = Chef::Util::FileEdit.new("/etc/nslcd.conf")
    # Escaped for the same reason as bindpw (a DN is mostly safe, but "." and
    # "+" are legal in attribute values).
    file.insert_line_if_no_match("^binddn #{Regexp.escape(node[:ldap][:binddn])}$",
                                 "binddn #{node[:ldap][:binddn]}")
    file.write_file
  end
  notifies :restart, "service[nslcd]"
end

filter group

recipe
ruby_block "insert_line_filter_group" do
  block do
    file = Chef::Util::FileEdit.new("/etc/nslcd.conf")
    # LDAP filters are full of "(", ")" and "*", so the escape is essential here.
    file.insert_line_if_no_match("^filter group #{Regexp.escape(node[:ldap][:filter][:group])}$",
                                 "filter group #{node[:ldap][:filter][:group]}")
    file.write_file
  end
  notifies :restart, "service[nslcd]"
end

Addendum 2014/3/5

The sudo-ldap.conf settings were missing, and
the pam_ldap.conf settings were a bit off.
It would be nice if all of this could be done with authconfig.

/etc/nslcd.conf
ruby_block "insert_line_/etc/nslcd.conf" do
  block do
    file = Chef::Util::FileEdit.new("/etc/nslcd.conf")
    # Every value is interpolated into a regexp, so escape each one (bindpw in
    # particular may contain metacharacters). One write_file at the end is enough.
    file.insert_line_if_no_match("^bindpw #{Regexp.escape(node[:ldap][:bindpw])}$",
                                 "bindpw #{node[:ldap][:bindpw]}")
    file.insert_line_if_no_match("^binddn #{Regexp.escape(node[:ldap][:binddn])}$",
                                 "binddn #{node[:ldap][:binddn]}")
    file.insert_line_if_no_match("^filter group #{Regexp.escape(node[:ldap][:filter][:group])}$",
                                 "filter group #{node[:ldap][:filter][:group]}")
    file.write_file
  end
  # nslcd reads its config only at start-up, so it has to be restarted.
  notifies :restart, "service[nslcd]"
end
pam_ldap.conf
ruby_block "insert_line_/etc/pam_ldap.conf" do
  block do
    file = Chef::Util::FileEdit.new("/etc/pam_ldap.conf")
    file.insert_line_if_no_match("^bindpw #{Regexp.escape(node[:ldap][:bindpw])}$",
                                 "bindpw #{node[:ldap][:bindpw]}")
    file.insert_line_if_no_match("^binddn #{Regexp.escape(node[:ldap][:binddn])}$",
                                 "binddn #{node[:ldap][:binddn]}")
    # pam_ldap talks to the local LDAP listener; the dots are escaped so the
    # regexp matches only this exact URI.
    file.insert_line_if_no_match("^uri ldap://127\\.0\\.0\\.1/$", "uri ldap://127.0.0.1/")
    file.write_file
  end
  # pam_ldap reads /etc/pam_ldap.conf itself on every use; restarting nslcd is
  # harmless but does not reload this file.
  notifies :restart, "service[nslcd]"
end
sudo-ldap.conf
ruby_block "insert_line_/etc/sudo-ldap.conf" do
  block do
    file = Chef::Util::FileEdit.new("/etc/sudo-ldap.conf")
    file.insert_line_if_no_match("^bindpw #{Regexp.escape(node[:ldap][:bindpw])}$",
                                 "bindpw #{node[:ldap][:bindpw]}")
    file.insert_line_if_no_match("^binddn #{Regexp.escape(node[:ldap][:binddn])}$",
                                 "binddn #{node[:ldap][:binddn]}")
    file.insert_line_if_no_match("^sudoers_base #{Regexp.escape(node[:ldap][:sudoers_base])}$",
                                 "sudoers_base #{node[:ldap][:sudoers_base]}")
    file.insert_line_if_no_match("^uri ldap://127\\.0\\.0\\.1/$", "uri ldap://127.0.0.1/")
    file.write_file
  end
  # sudo reads /etc/sudo-ldap.conf itself on every invocation; same remark as above.
  notifies :restart, "service[nslcd]"
end
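All of the recipes above, the three per-key blocks as well as the per-file blocks in the addendum, only add a line when the exact "key value" pair is absent. A changed password therefore leaves two bindpw lines in the file, and nothing manages the file mode even though the file now carries a credential. The Ruby below is an example added here; it is not the article's recipe and not part of Chef. It replaces an existing directive in place, appends a missing one, drops duplicates, writes the file atomically with mode 0600, and reports whether anything changed so that nslcd is restarted only when needed. It has no Chef dependency and is meant to be called from a ruby_block or a cookbook library; the sample nslcd.conf, the DNs and the password are constructed.

```ruby
#!/usr/bin/env ruby
# Idempotent upsert of "key value" directives in nslcd.conf-style files
# (/etc/nslcd.conf, /etc/pam_ldap.conf and /etc/sudo-ldap.conf share the syntax).
# Added example, not the article's recipe; no Chef dependency, so it can live in
# a cookbook library and be called from a ruby_block.
require "tmpdir"

# Return CONTENTS rewritten so that every key of DIRECTIVES occurs exactly once
# with the wanted value: an active line ("bindpw old") is replaced in place,
# further copies are dropped, missing keys are appended at the end, and
# comments ("#bindpw ...") and unmanaged directives are kept verbatim. Keys are
# matched as escaped literals and values never enter a regexp, so a password
# such as "p4$$.w0rd+" cannot break the match.
def upsert_directives(contents, directives)
  keys = directives.keys.sort_by { |k| -k.length }   # "filter group" before "filter"
  seen = {}
  out = []
  contents.each_line do |raw|
    line = raw.chomp
    key = keys.find { |k| line =~ /\A\s*#{Regexp.escape(k)}(?:\s|\z)/ }
    if key.nil?
      out << line                    # comment, blank line or unmanaged directive
    elsif seen[key]
      next                           # duplicate of a managed key: drop it
    else
      seen[key] = true
      out << "#{key} #{directives[key]}"
    end
  end
  directives.each { |key, value| out << "#{key} #{value}" unless seen[key] }
  out.join("\n") + "\n"
end

# Apply DIRECTIVES to PATH. The file is written atomically (temp file + rename)
# and chmod'ed to MODE, 0600 by default because it carries bindpw. Returns true
# when the content changed, so the caller can restart nslcd only when necessary.
def upsert_directives_in_file(path, directives, mode: 0600)
  old = File.exist?(path) ? File.read(path) : ""
  new = upsert_directives(old, directives)
  if new != old
    tmp = "#{path}.tmp"
    File.open(tmp, File::WRONLY | File::CREAT | File::TRUNC, mode) { |f| f.write(new) }
    File.chmod(mode, tmp)            # the mode given to File.open is subject to umask
    File.rename(tmp, path)
  elsif File.exist?(path)
    File.chmod(mode, path)           # content unchanged, still enforce the mode
  end
  new != old
end

# Constructed sample resembling what authconfig leaves in /etc/nslcd.conf;
# the stale bindpw line and the commented template lines are deliberate.
SAMPLE_NSLCD_CONF = <<~CONF
  # nslcd configuration (constructed sample, not a real host's file)
  uid nslcd
  gid ldap
  uri ldap://10.0.0.2/ ldap://10.0.0.3/
  base dc=example,dc=com
  #binddn cn=proxyuser,dc=example,dc=com
  #bindpw secret
  bindpw old-password
  ssl no
  tls_cacertdir /etc/openldap/cacerts
CONF

# Assumed values; in a cookbook they would come from an encrypted data bag.
NSLCD_DIRECTIVES = {
  "binddn"       => "cn=nslcd,ou=services,dc=example,dc=com",
  "bindpw"       => "p4$$.w0rd+",              # regexp metacharacters on purpose
  "filter group" => "(objectClass=posixGroup)",
}

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, "nslcd.conf")
    File.write(path, SAMPLE_NSLCD_CONF)
    puts "first run changed=#{upsert_directives_in_file(path, NSLCD_DIRECTIVES)}"
    puts "second run changed=#{upsert_directives_in_file(path, NSLCD_DIRECTIVES)}"
    puts File.read(path)
  end
end
```

Inside a ruby_block you would call upsert_directives_in_file once per file with that file's directive hash, and trigger the nslcd restart only when the call returns true. The 0600 default fits /etc/nslcd.conf, which only nslcd (started as root) reads; for /etc/pam_ldap.conf pass a mode that every PAM client on the host can still read, and check that none of them runs as an ordinary user.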
