LDAP基于kerberos的sasl认证
环境:默认kerberos服务器已经建立
KDC:server1.example.com:192.168.32.31
LDAP服务器:station2.example.com 192.168.32.32
一、将ldap服务加入到kerberos中
[root@station2 ~]# kadmin
Authenticating as principal root/[email protected] with password.
Password for root/[email protected]:
kadmin: addprinc ldap/station2.example.com
kadmin: ktadd -k /etc/ldap.keytab
二、ldap开启kerberos的支持
[root@station2 ~]#vi /etc/sysconfig/dirsrv
KRB5_KTNAME=/etc/ldap.keytab ; export KRB5_KTNAME
[root@station2 ~]#vi /etc/sysconfig/dirsrv-admin
三、通过redhat-idm-console编辑sasl设置
1、SASL Mapping设置中add一个sasl map
l name选项中填:
gssapi-map
l Regular Expression选项中填:
uid=(.*),cn=station2.example.com,cn=gssapi,cn=auth
l Search Base DN选项中填:
uid=\1,ou=People,dc=station2,dc=example,dc=com
l search filter选项中填:
(objectclass=*)
<a target="_blank" href="http://blog.51cto.com/attachment/201104/232144258.png"></a>
2、重启dirsrv和dirsrv-admin服务后测试
[root@station2 ~]#service dirsrv restart
[root@station2 ~]#service dirsrv-admin restart
[root@station2 ldap]# ldapsearch -Y GSSAPI "uid=guest2002" -LLL SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL installing layers
dn: uid=guest2002,ou=People,dc=station2,dc=example,dc=com
uid: guest2002
cn: guest2002
sn: guest2002
mail: [email protected]
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 15083
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 2002
gidNumber: 2000
homeDirectory: /home/guests/guest2002
本文转自netsword 51CTO博客,原文链接:http://blog.51cto.com/netsword/549146
![1、Linux 命令行使用技巧[图]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)