
RH423-8 LDAP SASL authentication based on Kerberos

LDAP SASL authentication based on Kerberos

Environment: it is assumed that the Kerberos server has already been set up.

      KDC: server1.example.com, 192.168.32.31

      LDAP server: station2.example.com, 192.168.32.32

1. Add the LDAP service to Kerberos

[root@station2 ~]# kadmin

Authenticating as principal root/[email protected] with password.

Password for root/[email protected]:

kadmin:  addprinc ldap/station2.example.com

kadmin:  ktadd  -k /etc/ldap.keytab ldap/station2.example.com

2. Enable Kerberos support in LDAP

[root@station2 ~]#vi /etc/sysconfig/dirsrv

KRB5_KTNAME=/etc/ldap.keytab ; export KRB5_KTNAME

[root@station2 ~]#vi /etc/sysconfig/dirsrv-admin

3. Edit the SASL settings via redhat-idm-console

1) In the SASL Mapping settings, add a SASL map

- Name: gssapi-map

- Regular Expression: uid=(.*),cn=station2.example.com,cn=gssapi,cn=auth

- Search Base DN: uid=\1,ou=People,dc=station2,dc=example,dc=com

- Search Filter: (objectclass=*)
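To make clear what the mapping above does, here is a small Python re-implementation of the regex-to-search-base substitution; it is an added example, not code from the post or from 389 Directory Server. Full-match semantics and the RFC 4514/4515 escaping of the captured value are my assumptions, added so that a principal name containing DN or filter metacharacters cannot reshape the search base, and the second sample identity shows that a principal from a different realm simply does not match the map.

```python
import re

# Constructed to mirror the SASL map entered in the console above.
SASL_MAP = {
    "name": "gssapi-map",
    "regex": r"uid=(.*),cn=station2.example.com,cn=gssapi,cn=auth",
    "base_template": r"uid=\1,ou=People,dc=station2,dc=example,dc=com",
    "filter_template": r"(objectclass=*)",
}

# Characters that must be escaped inside a DN attribute value (RFC 4514).
_DN_SPECIAL = ',+"\\<>;=#'


def escape_dn_value(value: str) -> str:
    """Escape a captured string before it is spliced into a DN template (assumed precaution)."""
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in _DN_SPECIAL or edge_space else ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a captured string before it is spliced into a search filter (RFC 4515)."""
    for raw, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        value = value.replace(raw, esc)
    return value


def _substitute(template: str, match: re.Match, escaper) -> str:
    # Replace \1, \2, ... in the template with the escaped capture groups.
    return re.sub(r"\\(\d)", lambda g: escaper(match.group(int(g.group(1)))), template)


def apply_sasl_map(sasl_map: dict, authid: str):
    """Return (search_base, search_filter) for the SASL identity, or None if the regex does not match."""
    m = re.fullmatch(sasl_map["regex"], authid)
    if m is None:
        return None
    base = _substitute(sasl_map["base_template"], m, escape_dn_value)
    flt = _substitute(sasl_map["filter_template"], m, escape_filter_value)
    return base, flt


if __name__ == "__main__":
    # Constructed sample identities: the local realm maps, a foreign realm does not.
    for authid in ("uid=guest2002,cn=station2.example.com,cn=gssapi,cn=auth",
                   "uid=guest2002,cn=OTHER.EXAMPLE.COM,cn=gssapi,cn=auth"):
        print(authid, "->", apply_sasl_map(SASL_MAP, authid))
```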


2) Restart the dirsrv and dirsrv-admin services, then test

[root@station2 ~]#service dirsrv restart

[root@station2 ~]#service dirsrv-admin restart

[root@station2 ldap]# ldapsearch -Y GSSAPI "uid=guest2002" -LLL

SASL/GSSAPI authentication started

SASL username: [email protected]

SASL SSF: 56

SASL installing layers

dn: uid=guest2002,ou=People,dc=station2,dc=example,dc=com

uid: guest2002

cn: guest2002

sn: guest2002

mail: [email protected]

objectClass: person

objectClass: organizationalPerson

objectClass: inetOrgPerson

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

shadowLastChange: 15083

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 2002

gidNumber: 2000

homeDirectory: /home/guests/guest2002

This article is reposted from netsword's 51CTO blog; original link: http://blog.51cto.com/netsword/549146